From jari.arkko@lmf.ericsson.se Fri Nov 1 12:27:22 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA24068 for ; Fri, 1 Nov 2002 12:27:21 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gA1HT9Q1022097; Fri, 1 Nov 2002 18:29:09 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gA1HT9Z22040; Fri, 1 Nov 2002 18:29:09 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id SAA16986; Fri, 1 Nov 2002 18:28:37 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from fridge.docomolabs-usa.com (key1.docomolabs-usa.com [216.98.102.225]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id SAA16977 for ; Fri, 1 Nov 2002 18:28:35 +0100 (MET) Message-ID: <01fc01c281cb$e2009b70$3c6015ac@T23KEMPF> From: "James Kempf" To: Subject: Progress on Design Date: Fri, 1 Nov 2002 09:26:58 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Progress is being made on a strawman design by the SEND design team. The team is Bill Sommerfeld, Perry Metzger, and Bill Arbaugh. Though we have unfortunately missed the 00 draft deadline, Perry is working on a draft and the intent is to have something available prior to the meeting. Perry has also volunteered to present and lead a discussion at the meeting. jak -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Fri Nov 1 12:52:25 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA25468 for ; Fri, 1 Nov 2002 12:52:25 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gA1HsEQ1023726; Fri, 1 Nov 2002 18:54:14 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gA1HsE204430; Fri, 1 Nov 2002 18:54:14 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id SAA20392; Fri, 1 Nov 2002 18:54:05 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from mailhost.iprg.nokia.com (mailhost.iprg.nokia.com [205.226.5.12]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id SAA20388 for ; Fri, 1 Nov 2002 18:54:04 +0100 (MET) Received: from darkstar.iprg.nokia.com (darkstar.iprg.nokia.com [205.226.5.69]) by mailhost.iprg.nokia.com (8.9.3/8.9.3-GLGS) with ESMTP id JAA09868 for ; Fri, 1 Nov 2002 09:54:02 -0800 (PST) X-Delivered-For: Received: (from root@localhost) by darkstar.iprg.nokia.com (8.11.0/8.11.0-DARKSTAR) id gA1Hs1m09144 for ; Fri, 1 Nov 2002 09:54:01 -0800 X-mProtect: <200211011754> Nokia Silicon Valley Messaging Protection Received: from UNKNOWN (205.226.2.67, claiming to be "iprg.nokia.com") by darkstar.iprg.nokia.com smtpdvPY6aJ; Fri, 01 Nov 2002 09:53:59 PST Message-ID: <3DC2C090.4060409@iprg.nokia.com> Date: Fri, 01 Nov 2002 09:57:36 -0800 From: "Fred L. Templin" User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a) Gecko/20020610 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-send@standards.ericsson.net Subject: New draft with possible SEND implications Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Hello, I recently posted a personal draft that proposes extensions to IPv6 neighbor discovery for operation on IPv6-over-(foo)-over-IPv4 links, i.e., IPv6 tunneled over IPv4 with arbitrarily-many additional layers of (foo) encapsulation between. I believe this document could benefit from comments from the SEND working group regarding mechanisms for establishing security associations between neighbors. The document should soon appear in the I-D repository, but is available for immediate perusal at: http://www.geocities.com/osprey67/neighbor_affiliation-01.txt The document abstract appears below: Fred Templin ftemplin@iprg.nokia.com P.S. The document has also been announced in the IETF V6OPS and NGTRANS mailing lists. Abstract This document proposes extensions to IPv6 Neighbor Discovery for IPv6-over-(foo)-over-IPv4 links, where (foo) is either an encapsulating layer (e.g., UDP) or a NULL layer. It is essentially a lightweight, link-layer mechanism for neighbors to establish security associations, discover and dynamically re-adjust maximum receive unit (MRU) estimates, and perform unreachability detection. The protocol makes no attempt to ensure reliable message delivery; this function is performed by higher-layer protocols, e.g. TCP. -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sun Nov 3 12:13:02 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA10811 for ; Sun, 3 Nov 2002 12:13:02 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gA3HF1Q1022276; Sun, 3 Nov 2002 18:15:02 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gA3HF1227502; Sun, 3 Nov 2002 18:15:01 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id SAA00382; Sun, 3 Nov 2002 18:14:28 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id SAA00378 for ; Sun, 3 Nov 2002 18:14:27 +0100 (MET) Received: from nomadiclab.com (cube.local.nikander.com [192.168.0.33]) by n97.nomadiclab.com (Postfix) with ESMTP id D18911C for ; Sun, 3 Nov 2002 19:21:01 +0200 (EET) Message-ID: <3DC55970.8000707@nomadiclab.com> Date: Sun, 03 Nov 2002 19:14:24 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.2b) Gecko/20021101 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-send@standards.ericsson.net Subject: The Use of RSA Signatures within ESP and AH Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit This seems to be related to our work. I haven't had time to read through it yet. --Pekka Nikander -------------------------------------------------------------------------- A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : The Use of RSA Signatures within ESP and AH Author(s) : B. Weis Filename : draft-bew-ipsec-signatures-00.txt Pages : 7 Date : 2002-10-28 This memo describes the use of the RSA Signature algorithm [RSA] as an authentication algorithm within the revised IPSEC Encapsulating Security Payload [ESP] and the revised IPSEC Authentication Header [AH]. The use of a digital signature algorithm such as RSA provides origin authentication, even when ESP and AH are used to secure group data flows. Further information on the other components necessary for ESP and AH implementations is provided by [ROADMAP]. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-bew-ipsec-signatures-00.txt -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Thu Nov 7 15:14:52 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09354 for ; Thu, 7 Nov 2002 15:14:52 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gA7KGuQ1029878; Thu, 7 Nov 2002 21:16:56 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gA7KGtZ14973; Thu, 7 Nov 2002 21:16:55 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id VAA26417; Thu, 7 Nov 2002 21:16:29 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id VAA26413 for ; Thu, 7 Nov 2002 21:16:27 +0100 (MET) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA08965 for <1timer>; Thu, 7 Nov 2002 15:11:40 -0500 (EST) Message-Id: <200211072011.PAA08965@ietf.org> From: The IESG To: All IETF Working Groups: ; Subject: Note Well Statement x-msg: NoteWell Date: Thu, 07 Nov 2002 15:11:40 -0500 Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk From time to time, especially just before a meeting, this statement is to be sent to each and every IETF working group mailing list. =========================================================================== NOTE WELL All statements related to the activities of the IETF and addressed to the IETF are subject to all provisions of Section 10 of RFC 2026, which grants to the IETF and its participants certain licenses and rights in such statements. Such statements include verbal statements in IETF meetings, as well as written and electronic communications made at any time or place, which are addressed to - the IETF plenary session, - any IETF working group or portion thereof, - the IESG, or any member thereof on behalf of the IESG, - the IAB or any member thereof on behalf of the IAB, - any IETF mailing list, including the IETF list itself, any working group or design team list, or any other list functioning under IETF auspices, - the RFC Editor or the Internet-Drafts function Statements made outside of an IETF meeting, mailing list or other function, that are clearly not intended to be input to an IETF activity, group or function, are not subject to these provisions. -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Tue Nov 12 06:35:36 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA27658 for ; Tue, 12 Nov 2002 06:35:35 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gACBbVQ1022867; Tue, 12 Nov 2002 12:37:31 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gACBbU209985; Tue, 12 Nov 2002 12:37:31 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id MAA13024; Tue, 12 Nov 2002 12:37:11 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from w8k2x7 (98.c210-85-172.ethome.net.tw [210.85.172.98]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with SMTP id MAA12999; Tue, 12 Nov 2002 12:37:06 +0100 (MET) Date: Tue, 12 Nov 2002 12:37:06 +0100 (MET) Received: from iris by tcts.seed.net.tw with SMTP id uz0Gv42FekfPef; Tue, 12 Nov 2002 19:37:07 +0800 Message-ID: From: e6t5@ms83.url.com.tw To: 2@standards.ericsson.net Subject: =?big5?Q?=A5=FE=B0=EA=A6=CA=B7~=B5=B2=B7=F9=AA=BA=B3s=C2=EA=A4j=A8=C6=B7~?= MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_07OO8TVQw16QdzbP0oY" X-Mailer: FROKns44zEZ5tjKynxo X-Priority: 3 X-MSMail-Priority: Normal Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk This is a multi-part message in MIME format. ------=_NextPart_07OO8TVQw16QdzbP0oY Content-Type: multipart/alternative; boundary="----=_NextPart_07OO8TVQw16QdzbP0oYAA" ------=_NextPart_07OO8TVQw16QdzbP0oYAA Content-Type: text/html; charset="big5" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiDQp4bWxuczpvPSJ1 cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTpvZmZpY2UiDQp4bWxuczp3PSJ1cm46c2No ZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTp3b3JkIg0KeG1sbnM9Imh0dHA6Ly93d3cudzMub3Jn L1RSL1JFQy1odG1sNDAiPg0KDQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9Q29udGVudC1UeXBl IGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1CaWc1Ij4NCjxtZXRhIG5hbWU9UHJvZ0lkIGNv bnRlbnQ9V29yZC5Eb2N1bWVudD4NCjxtZXRhIG5hbWU9R2VuZXJhdG9yIGNvbnRlbnQ9Ik1pY3Jv c29mdCBXb3JkIDkiPg0KPG1ldGEgbmFtZT1PcmlnaW5hdG9yIGNvbnRlbnQ9Ik1pY3Jvc29mdCBX b3JkIDkiPg0KPGxpbmsgcmVsPUZpbGUtTGlzdCBocmVmPSIuL3NoaW4wODhAMTYzLmNvbSUyMCUy MK/BqPqnS7ZPqrqz0Ld+pfq60C5maWxlcy9maWxlbGlzdC54bWwiPg0KPGxpbmsgcmVsPUVkaXQt VGltZS1EYXRhIGhyZWY9Ii4vc2hpbjA4OEAxNjMuY29tJTIwJTIwr8Go+qdLtk+qurPQt36l+rrQ LmZpbGVzL2VkaXRkYXRhLm1zbyI+DQo8IS0tW2lmICFtc29dPg0KPHN0eWxlPg0Kdlw6KiB7YmVo YXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0Kb1w6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZN TCk7fQ0Kd1w6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0KLnNoYXBlIHtiZWhhdmlv cjp1cmwoI2RlZmF1bHQjVk1MKTt9DQo8L3N0eWxlPg0KPCFbZW5kaWZdLS0+PCEtLVtpZiBndGUg bXNvIDldPjx4bWw+DQogPG86RG9jdW1lbnRQcm9wZXJ0aWVzPg0KICA8bzpBdXRob3I+QUFBPC9v OkF1dGhvcj4NCiAgPG86VGVtcGxhdGU+Tm9ybWFsPC9vOlRlbXBsYXRlPg0KICA8bzpMYXN0QXV0 aG9yPkFBQTwvbzpMYXN0QXV0aG9yPg0KICA8bzpSZXZpc2lvbj4yMDwvbzpSZXZpc2lvbj4NCiAg PG86VG90YWxUaW1lPjExPC9vOlRvdGFsVGltZT4NCiAgPG86Q3JlYXRlZD4yMDAyLTAzLTA4VDE5 OjIwOjAwWjwvbzpDcmVhdGVkPg0KICA8bzpMYXN0U2F2ZWQ+MjAwMi0xMC0yNFQwNzo1MzowMFo8 L286TGFzdFNhdmVkPg0KICA8bzpQYWdlcz4xPC9vOlBhZ2VzPg0KICA8bzpXb3Jkcz4xMTY8L286 V29yZHM+DQogIDxvOkNoYXJhY3RlcnM+NjYzPC9vOkNoYXJhY3RlcnM+DQogIDxvOkxpbmVzPjU8 L286TGluZXM+DQogIDxvOlBhcmFncmFwaHM+MTwvbzpQYXJhZ3JhcGhzPg0KICA8bzpDaGFyYWN0 ZXJzV2l0aFNwYWNlcz44MTQ8L286Q2hhcmFjdGVyc1dpdGhTcGFjZXM+DQogIDxvOlZlcnNpb24+ OS4yODEyPC9vOlZlcnNpb24+DQogPC9vOkRvY3VtZW50UHJvcGVydGllcz4NCjwveG1sPjwhW2Vu ZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KIDx3OldvcmREb2N1bWVudD4NCiAgPHc6 Q29tcGF0aWJpbGl0eT4NCiAgIDx3OlVzZUZFTGF5b3V0Lz4NCiAgPC93OkNvbXBhdGliaWxpdHk+ DQogPC93OldvcmREb2N1bWVudD4NCjwveG1sPjwhW2VuZGlmXS0tPg0KPHN0eWxlPg0KPCEtLQ0K IC8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6t3Oy06n6 xek7DQoJcGFub3NlLTE6MiAyIDMgMCAwIDAgMCAwIDAgMDsNCgltc28tZm9udC1hbHQ6UE1pbmdM aVU7DQoJbXNvLWZvbnQtY2hhcnNldDoxMzY7DQoJbXNvLWdlbmVyaWMtZm9udC1mYW1pbHk6cm9t YW47DQoJbXNvLWZvbnQtcGl0Y2g6dmFyaWFibGU7DQoJbXNvLWZvbnQtc2lnbmF0dXJlOjEgMTM0 NzQyMDE2IDE2IDAgMTA0ODU3NiAwO30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6IlxAt3Oy 06n6xekiOw0KCXBhbm9zZS0xOjIgMiAzIDAgMCAwIDAgMCAwIDA7DQoJbXNvLWZvbnQtY2hhcnNl dDoxMzY7DQoJbXNvLWdlbmVyaWMtZm9udC1mYW1pbHk6cm9tYW47DQoJbXNvLWZvbnQtcGl0Y2g6 dmFyaWFibGU7DQoJbXNvLWZvbnQtc2lnbmF0dXJlOjEgMTM0NzQyMDE2IDE2IDAgMTA0ODU3NiAw O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6IrXYsWSy07bqxelcKFBcKSI7DQoJcGFub3Nl LTE6MCAwIDAgMCAwIDAgMCAwIDAgMDsNCgltc28tZm9udC1hbHQ6t3Oy06n6xek7DQoJbXNvLWZv bnQtY2hhcnNldDoxMzY7DQoJbXNvLWdlbmVyaWMtZm9udC1mYW1pbHk6cm9tYW47DQoJbXNvLWZv bnQtZm9ybWF0Om90aGVyOw0KCW1zby1mb250LXBpdGNoOmF1dG87DQoJbXNvLWZvbnQtc2lnbmF0 dXJlOjEgMTM0NzQyMDE2IDE2IDAgMTA0ODU3NiAwO30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1p bHk6IlxAtdixZLLTturF6VwoUFwpIjsNCglwYW5vc2UtMTowIDAgMCAwIDAgMCAwIDAgMCAwOw0K CW1zby1mb250LWNoYXJzZXQ6MTM2Ow0KCW1zby1nZW5lcmljLWZvbnQtZmFtaWx5OnJvbWFuOw0K CW1zby1mb250LWZvcm1hdDpvdGhlcjsNCgltc28tZm9udC1waXRjaDphdXRvOw0KCW1zby1mb250 LXNpZ25hdHVyZToxIDEzNDc0MjAxNiAxNiAwIDEwNDg1NzYgMDt9DQogLyogU3R5bGUgRGVmaW5p dGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWwsIGRpdi5Nc29Ob3JtYWwNCgl7bXNv LXN0eWxlLXBhcmVudDoiIjsNCgltYXJnaW46MGNtOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsN Cgltc28tcGFnaW5hdGlvbjp3aWRvdy1vcnBoYW47DQoJZm9udC1zaXplOjEyLjBwdDsNCglmb250 LWZhbWlseTq3c7LTqfrF6TsNCgltc28taGFuc2ktZm9udC1mYW1pbHk6IlRpbWVzIE5ldyBSb21h biI7DQoJbXNvLWJpZGktZm9udC1mYW1pbHk6IlRpbWVzIE5ldyBSb21hbiI7fQ0KcA0KCXttYXJn aW4tcmlnaHQ6MGNtOw0KCW1zby1tYXJnaW4tdG9wLWFsdDphdXRvOw0KCW1zby1tYXJnaW4tYm90 dG9tLWFsdDphdXRvOw0KCW1hcmdpbi1sZWZ0OjBjbTsNCgltc28tcGFnaW5hdGlvbjp3aWRvdy1v cnBoYW47DQoJZm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseTq3c7LTqfrF6TsNCgltc28t aGFuc2ktZm9udC1mYW1pbHk6IlRpbWVzIE5ldyBSb21hbiI7DQoJbXNvLWJpZGktZm9udC1mYW1p bHk6IlRpbWVzIE5ldyBSb21hbiI7fQ0KIC8qIFBhZ2UgRGVmaW5pdGlvbnMgKi8NCkBwYWdlDQoJ e21zby1wYWdlLWJvcmRlci1zdXJyb3VuZC1oZWFkZXI6bm87DQoJbXNvLXBhZ2UtYm9yZGVyLXN1 cnJvdW5kLWZvb3Rlcjpubzt9DQpAcGFnZSBTZWN0aW9uMQ0KCXtzaXplOjU5NS4zcHQgODQxLjlw dDsNCgltYXJnaW46NzIuMHB0IDkwLjBwdCA3Mi4wcHQgOTAuMHB0Ow0KCW1zby1oZWFkZXItbWFy Z2luOjQyLjU1cHQ7DQoJbXNvLWZvb3Rlci1tYXJnaW46NDkuNnB0Ow0KCW1zby1wYXBlci1zb3Vy Y2U6MDt9DQpkaXYuU2VjdGlvbjENCgl7cGFnZTpTZWN0aW9uMTt9DQotLT4NCjwvc3R5bGU+DQo8 IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCiA8bzpzaGFwZWRlZmF1bHRzIHY6ZXh0PSJlZGl0IiBz cGlkbWF4PSIxMDI3Ii8+DQo8L3htbD48IVtlbmRpZl0tLT48IS0tW2lmIGd0ZSBtc28gOV0+PHht bD4NCiA8bzpzaGFwZWxheW91dCB2OmV4dD0iZWRpdCI+DQogIDxvOmlkbWFwIHY6ZXh0PSJlZGl0 IiBkYXRhPSIxIi8+DQogPC9vOnNoYXBlbGF5b3V0PjwveG1sPjwhW2VuZGlmXS0tPg0KPC9oZWFk Pg0KDQo8Ym9keSBsYW5nPVpILVRXIHN0eWxlPSd0YWItaW50ZXJ2YWw6MjQuMHB0Jz4NCg0KPGRp diBjbGFzcz1TZWN0aW9uMT4NCg0KPHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVm dDo0OC4wcHQ7dGV4dC1pbmRlbnQ6LTQ4LjBwdDttc28tY2hhci1pbmRlbnQtY291bnQ6DQotNC4w O21zby1jaGFyLWluZGVudC1zaXplOjEyLjBwdDtsYXlvdXQtZ3JpZC1tb2RlOmNoYXI7bXNvLWNo YXItaW5kZW50LXNpemU6DQoxMnB0Jz6hXaRAoV6hQqZwqke7oaazPHNwYW4gbGFuZz1FTi1VUz5+ PHNwYW4gc3R5bGU9J2NvbG9yOnJlZCc+pECl96jGt348L3NwYW4+uOqq9yCpsa2xILHAvlAgsGWz ZiCmrLFiDQqnebNmIK23wEkgt37BWrNxs3Gko6XOfrzLvMuko7vdPHNwYW4gc3R5bGU9J2NvbG9y OnJlZCc+p1akT7hnwOc2LTEyrdOk6zwvc3Bhbj60Tq/gvtamszxzcGFuDQpzdHlsZT0nY29sb3I6 cmVkJz41LTEwuFWkuKv5xPKpyqq6stelzaaspEo8L3NwYW4+s2+78qZuqrq+97d8sXqko6jTuNW4 1bbcoUa8eKX+rNmltKv3udmm8aFDIDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCg0KPHAgY2xhc3M9 TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDo0OC4wcHQ7dGV4dC1pbmRlbnQ6LTQ4LjBwdDtt c28tY2hhci1pbmRlbnQtY291bnQ6DQotNC4wO21zby1jaGFyLWluZGVudC1zaXplOjEyLjBwdDts YXlvdXQtZ3JpZC1tb2RlOmNoYXI7bXNvLWNoYXItaW5kZW50LXNpemU6DQoxMnB0Jz6hXaRHoV6h QqZwqkexcatLp1Gw06mxpVio06N4pEihRrOjuPKxeqazw/arWaFDPHNwYW4gc3R5bGU9J2NvbG9y OmZ1Y2hzaWEnPqXYq2Wl/qzZpHemszxzcGFuDQpsYW5nPUVOLVVTPjQwrmGpsa2xPC9zcGFuPjwv c3Bhbj6hRrF6pKOlsqVYut6+UKFGqEOuYTxzcGFuIGxhbmc9RU4tVVM+MTCkSLROpm6je6FGMTCk SCo0MKS4KLROubO5TLj0tk8pKjQwrmE9PHNwYW4NCnN0eWxlPSdjb2xvcjpmdWNoc2lhJz4xNjAw MKS4s2+8y6N4pqykSqFDPC9zcGFuPqSjrW6xeqN4pVu3+ar3u1CrT8PSqvehRqV1rW6xeq7jpsyq b8ZRwua+TK/5tKujfKZhpOiu+LZPs7qkXaVppUio07ftPHNwYW4NCnN0eWxlPSdjb2xvcjpmdWNo c2lhJz6zc8Lqtlew06N4ptHB86FDPC9zcGFuPiA8L3NwYW4+PC9wPg0KDQo8cCBjbGFzcz1Nc29O b3JtYWwgc3R5bGU9J2xheW91dC1ncmlkLW1vZGU6Y2hhcic+oV2kVKFeoUI8c3BhbiBzdHlsZT0n Y29sb3I6YmxhY2snPqXYq2XB2Twvc3Bhbj6mszxzcGFuDQpsYW5nPUVOLVVTIHN0eWxlPSdjb2xv cjpibHVlJz4zMDCmaK5htbK3+amxPC9zcGFuPqFdplWm5rd+s6Oms6FerbmhQqbnoUKm7aFCpuah Qqh8oUK81rzLvMu79KX+oUY8c3Bhbg0Kc3R5bGU9J2NvbG9yOmJsdWUnPrOjuPKxeqazw/arWaFD PC9zcGFuPiA8L3A+DQoNCjxmb3JtIGFjdGlvbj0ibWFpbHRvOnNoaW4wODhAMTYzLmNvbT9zdWJq ZWN0PafarW6w0aVbpf6lwbNzwuq2V7DTqMa3frnOtqQiIG1ldGhvZD1wb3N0DQplbmN0eXBlPSJ0 ZXh0L3BsYWluIj4NCg0KPHAgYWxpZ249Y2VudGVyIHN0eWxlPSdtYXJnaW46MGNtO21hcmdpbi1i b3R0b206LjAwMDFwdDt0ZXh0LWFsaWduOmNlbnRlcic+PGI+PHNwYW4NCnN0eWxlPSdmb250LXNp emU6MjQuMHB0O21zby1hc2NpaS1mb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFuIjtjb2xvcjpm dWNoc2lhOw0KbXNvLWZvbnQta2VybmluZzoxLjBwdDttc28tYW5zaS1sYW5ndWFnZTpaSC1UVyc+ pf6lwbNzwuqoxrd+PC9zcGFuPjwvYj48L3A+DQoNCjxwIGFsaWduPWNlbnRlciBzdHlsZT0nbWFy Z2luLXRvcDo0LjVwdDttYXJnaW4tcmlnaHQ6MGNtO21hcmdpbi1ib3R0b206NC41cHQ7DQptYXJn aW4tbGVmdDowY207dGV4dC1hbGlnbjpjZW50ZXI7bGluZS1oZWlnaHQ6MjAwJSc+PGI+PHNwYW4g bGFuZz1FTi1VUw0Kc3R5bGU9J2ZvbnQtc2l6ZToxMy41cHQ7Zm9udC1mYW1pbHk6IrXYsWSy07bq xelcKFBcKSI7Y29sb3I6Ymx1ZSc+PElOUFVUIFRZUEU9ImNoZWNrYm94IiBOQU1FPSKn2q1ur8Go +qdLtk+qurPQt36l+rrQIiBWQUxVRT0ivdCn1qRAwkkiPjwvc3Bhbj48L2I+PGI+PHNwYW4NCnN0 eWxlPSdmb250LXNpemU6MTMuNXB0O2NvbG9yOnJlZCc+p9qtbq/BqPqnS7ZPqrq7oan6pfq60Dwv c3Bhbj48L2I+PHNwYW4gbGFuZz1FTi1VUz48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQoNCjxkaXYg YWxpZ249Y2VudGVyPg0KDQo8dGFibGUgYm9yZGVyPTEgY2VsbHNwYWNpbmc9MSBjZWxscGFkZGlu Zz0wIHdpZHRoPTUwMiBzdHlsZT0nd2lkdGg6Mzc2LjZwdDsNCiBtc28tY2VsbHNwYWNpbmc6Ljdw dDttYXJnaW4tbGVmdDo2OS41cHQ7bXNvLXBhZGRpbmctYWx0OjBjbSAwY20gMGNtIDBjbScNCiBo ZWlnaHQ9MT4NCiA8dHIgc3R5bGU9J2hlaWdodDoxNS4wcHQnPg0KICA8dGQgd2lkdGg9MTY5IHN0 eWxlPSd3aWR0aDoxMjcuMDVwdDtwYWRkaW5nOi43NXB0IC43NXB0IC43NXB0IC43NXB0Ow0KICBo ZWlnaHQ6MTUuMHB0JyBib3JkZXJjb2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3Rl eHQtYWxpZ246anVzdGlmeTt0ZXh0LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48Yj48c3Bhbg0K ICBzdHlsZT0nY29sb3I6IzY2OTkzMyc+pKSk5altplc8L3NwYW4+PC9iPjxzcGFuIGxhbmc9RU4t VVM+PG86cD48L286cD48L3NwYW4+PC9wPg0KICA8L3RkPg0KICA8dGQgd2lkdGg9MzMwIHN0eWxl PSd3aWR0aDoyNDcuNDVwdDtwYWRkaW5nOi43NXB0IC43NXB0IC43NXB0IC43NXB0Ow0KICBoZWln aHQ6MTUuMHB0JyBib3JkZXJjb2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3RleHQt YWxpZ246anVzdGlmeTt0ZXh0LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48c3BhbiBsYW5nPUVO LVVTDQogIHN0eWxlPSdjb2xvcjp5ZWxsb3cnPjxJTlBVVCBUWVBFPSJ0ZXh0IiBTSVpFPSIxNCIg TkFNRT0ipKSk5altplciPjwvc3Bhbj48L3A+DQogIDwvdGQ+DQogPC90cj4NCiA8dHIgc3R5bGU9 J2hlaWdodDouNzVwdCc+DQogIDx0ZCB3aWR0aD0xNjkgc3R5bGU9J3dpZHRoOjEyNy4wNXB0O3Bh ZGRpbmc6Ljc1cHQgLjc1cHQgLjc1cHQgLjc1cHQ7DQogIGhlaWdodDouNzVwdCcgYm9yZGVyY29s b3JsaWdodD0iIzgwODA4MCI+DQogIDxwIHN0eWxlPSd0ZXh0LWFsaWduOmp1c3RpZnk7dGV4dC1q dXN0aWZ5OmludGVyLWlkZW9ncmFwaDttc28tbGluZS1oZWlnaHQtYWx0Og0KICAuNzVwdCc+PGI+ PHNwYW4gc3R5bGU9J2NvbG9yOiM2Njk5MzMnPqZ+xNY8L3NwYW4+PC9iPjxzcGFuIGxhbmc9RU4t VVM+PG86cD48L286cD48L3NwYW4+PC9wPg0KICA8L3RkPg0KICA8dGQgd2lkdGg9MzMwIHN0eWxl PSd3aWR0aDoyNDcuNDVwdDtwYWRkaW5nOi43NXB0IC43NXB0IC43NXB0IC43NXB0Ow0KICBoZWln aHQ6Ljc1cHQnIGJvcmRlcmNvbG9ybGlnaHQ9IiM4MDgwODAiPg0KICA8cCBzdHlsZT0ndGV4dC1h bGlnbjpqdXN0aWZ5O3RleHQtanVzdGlmeTppbnRlci1pZGVvZ3JhcGg7bXNvLWxpbmUtaGVpZ2h0 LWFsdDoNCiAgLjc1cHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9yOnllbGxvdyc+PElO UFVUIFRZUEU9InRleHQiIFNJWkU9IjQiIE5BTUU9IqZ+xNYiPjwvc3Bhbj48Yj48c3Bhbg0KICBz dHlsZT0nZm9udC1zaXplOjEwLjBwdDtjb2xvcjojNjY5OTMzJz63szxzcGFuIGxhbmc9RU4tVVM+ KDE4t7OlSKRXKTwvc3Bhbj48L3NwYW4+PC9iPjwvcD4NCiAgPC90ZD4NCiA8L3RyPg0KIDx0ciBz dHlsZT0naGVpZ2h0Oi43NXB0Jz4NCiAgPHRkIHdpZHRoPTE2OSBzdHlsZT0nd2lkdGg6MTI3LjA1 cHQ7cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0Oi43NXB0JyBib3Jk ZXJjb2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3RleHQtYWxpZ246anVzdGlmeTt0 ZXh0LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48Yj48c3Bhbg0KICBzdHlsZT0nY29sb3I6IzY2 OTkzMyc+wXC1uLlxuNw8c3BhbiBsYW5nPUVOLVVTPiA6PC9zcGFuPjwvc3Bhbj48L2I+PC9wPg0K ICA8cCBzdHlsZT0ndGV4dC1hbGlnbjpqdXN0aWZ5O3RleHQtanVzdGlmeTppbnRlci1pZGVvZ3Jh cGg7bXNvLWxpbmUtaGVpZ2h0LWFsdDoNCiAgLjc1cHQnPjxiPjxzcGFuIHN0eWxlPSdjb2xvcjoj NjY5OTMzJz6m5rDKuXG43KFHPC9zcGFuPjwvYj48c3BhbiBsYW5nPUVOLVVTPjxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCiAgPC90ZD4NCiAgPHRkIHdpZHRoPTMzMCBzdHlsZT0nd2lkdGg6MjQ3LjQ1 cHQ7cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0Oi43NXB0JyBib3Jk ZXJjb2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J21hcmdpbi10b3A6Mi4yNXB0O21h cmdpbi1yaWdodDowY207bWFyZ2luLWJvdHRvbToyLjI1cHQ7bWFyZ2luLWxlZnQ6DQogIDBjbTt0 ZXh0LWFsaWduOmp1c3RpZnk7dGV4dC1qdXN0aWZ5OmludGVyLWlkZW9ncmFwaDtsaW5lLWhlaWdo dDoxNTAlJz48c3Bhbg0KICBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjp5ZWxsb3cnPjxJTlBVVCBU WVBFPSJ0ZXh0IiBTSVpFPSIxNCIgTkFNRT0iwXC1uLlxuNwtpdWk0SI+PC9zcGFuPjwvcD4NCiAg PHAgc3R5bGU9J21hcmdpbi10b3A6Mi4yNXB0O21hcmdpbi1yaWdodDowY207bWFyZ2luLWJvdHRv bToyLjI1cHQ7bWFyZ2luLWxlZnQ6DQogIDBjbTt0ZXh0LWFsaWduOmp1c3RpZnk7dGV4dC1qdXN0 aWZ5OmludGVyLWlkZW9ncmFwaDttc28tbGluZS1oZWlnaHQtYWx0Oi43NXB0Jz48c3Bhbg0KICBs YW5nPUVOLVVTIHN0eWxlPSdjb2xvcjp5ZWxsb3cnPjxJTlBVVCBUWVBFPSJ0ZXh0IiBTSVpFPSIx NCIgTkFNRT0iwXC1uLlxuNwtpu2uYSI+PC9zcGFuPjwvcD4NCiAgPC90ZD4NCiA8L3RyPg0KIDx0 ciBzdHlsZT0naGVpZ2h0Oi43NXB0Jz4NCiAgPHRkIHdpZHRoPTE2OSBzdHlsZT0nd2lkdGg6MTI3 LjA1cHQ7cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0Oi43NXB0JyBi b3JkZXJjb2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3RleHQtYWxpZ246anVzdGlm eTt0ZXh0LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoO21zby1saW5lLWhlaWdodC1hbHQ6DQogIC43 NXB0Jz48Yj48c3BhbiBzdHlsZT0nY29sb3I6IzY2OTkzMyc+s8yk6KtLwXC1uK7JtqE8L3NwYW4+ PC9iPjxzcGFuIGxhbmc9RU4tVVM+PG86cD48L286cD48L3NwYW4+PC9wPg0KICA8L3RkPg0KICA8 dGQgd2lkdGg9MzMwIHN0eWxlPSd3aWR0aDoyNDcuNDVwdDtwYWRkaW5nOi43NXB0IC43NXB0IC43 NXB0IC43NXB0Ow0KICBoZWlnaHQ6Ljc1cHQnIGJvcmRlcmNvbG9ybGlnaHQ9IiM4MDgwODAiPg0K ICA8cCBzdHlsZT0ndGV4dC1hbGlnbjpqdXN0aWZ5O3RleHQtanVzdGlmeTppbnRlci1pZGVvZ3Jh cGg7bXNvLWxpbmUtaGVpZ2h0LWFsdDoNCiAgLjc1cHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9 J2NvbG9yOnllbGxvdyc+PFNFTEVDVCBOQU1FPSKzzKToq0vBcLW4rsm2oS2sULTBIj4NCjxPUFRJ T04gU0VMRUNURUQ+vdC/777cDQo8T1BUSU9OPqxQtMGkQA0KPE9QVElPTj6sULTBpEcNCjxPUFRJ T04+rFC0waRUDQo8T1BUSU9OPqxQtMGlfA0KPE9QVElPTj6sULTBpK0NCjxPUFRJT04+rFC0waS7 DQo8T1BUSU9OPqxQtMGk6Q0KPE9QVElPTj6zo6VppUgNCjwvU0VMRUNUPjxTRUxFQ1QgTkFNRT0i s8yk6KtLwXC1uK7JtqEtrsmscSI+DQo8T1BUSU9OIFNFTEVDVEVEPr3Qv+++3A0KPE9QVElPTj6k V6TIOS0xMg0KPE9QVElPTj6kpKTIMTItMQ0KPE9QVElPTj6kVaTIMS01DQo8T1BUSU9OPrHfpFc4 LTEwDQo8T1BUSU9OPrHfpFc5LTExDQo8T1BUSU9OPrOjpWmlSA0KPC9TRUxFQ1Q+PC9zcGFuPjwv cD4NCiAgPC90ZD4NCiA8L3RyPg0KIDx0ciBzdHlsZT0naGVpZ2h0OjE4LjBwdCc+DQogIDx0ZCB3 aWR0aD0xNjkgc3R5bGU9J3dpZHRoOjEyNy4wNXB0O3BhZGRpbmc6Ljc1cHQgLjc1cHQgLjc1cHQg Ljc1cHQ7DQogIGhlaWdodDoxOC4wcHQnIGJvcmRlcmNvbG9ybGlnaHQ9IiM4MDgwODAiPg0KICA8 cCBzdHlsZT0ndGV4dC1hbGlnbjpqdXN0aWZ5O3RleHQtanVzdGlmeTppbnRlci1pZGVvZ3JhcGgn PjxiPjxzcGFuDQogIHN0eWxlPSdjb2xvcjojNjY5OTMzJz6mYad9PC9zcGFuPjwvYj48c3BhbiBs YW5nPUVOLVVTPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCiAgPC90ZD4NCiAgPHRkIHdpZHRoPTMz MCBzdHlsZT0nd2lkdGg6MjQ3LjQ1cHQ7cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsN CiAgaGVpZ2h0OjE4LjBwdCcgYm9yZGVyY29sb3JsaWdodD0iIzgwODA4MCI+DQogIDxwIHN0eWxl PSd0ZXh0LWFsaWduOmp1c3RpZnk7dGV4dC1qdXN0aWZ5OmludGVyLWlkZW9ncmFwaCc+PHNwYW4g bGFuZz1FTi1VUw0KICBzdHlsZT0nY29sb3I6eWVsbG93Jz48SU5QVVQgVFlQRT0idGV4dCIgU0la RT0iNDkiIE5BTUU9IqZhp30iPjwvc3Bhbj48L3A+DQogIDwvdGQ+DQogPC90cj4NCiA8dHIgc3R5 bGU9J2hlaWdodDoxMi43NXB0Jz4NCiAgPHRkIHdpZHRoPTE2OSBzdHlsZT0nd2lkdGg6MTI3LjA1 cHQ7cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0OjEyLjc1cHQnIGJv cmRlcmNvbG9ybGlnaHQ9IiM4MDgwODAiPg0KICA8cCBzdHlsZT0ndGV4dC1hbGlnbjpqdXN0aWZ5 O3RleHQtanVzdGlmeTppbnRlci1pZGVvZ3JhcGgnPjxiPjxzcGFuDQogIHN0eWxlPSdjb2xvcjoj NjY5OTMzJz65caRstmyl8zwvc3Bhbj48L2I+PHNwYW4gbGFuZz1FTi1VUz48bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQogIDwvdGQ+DQogIDx0ZCB3aWR0aD0zMzAgc3R5bGU9J3dpZHRoOjI0Ny40NXB0 O3BhZGRpbmc6Ljc1cHQgLjc1cHQgLjc1cHQgLjc1cHQ7DQogIGhlaWdodDoxMi43NXB0JyBib3Jk ZXJjb2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3RleHQtYWxpZ246anVzdGlmeTt0 ZXh0LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48c3BhbiBsYW5nPUVOLVVTDQogIHN0eWxlPSdj b2xvcjp5ZWxsb3cnPjxJTlBVVCBUWVBFPSJ0ZXh0IiBTSVpFPSI0OSIgTkFNRT0iuXGkbLZspfMi Pjwvc3Bhbj48L3A+DQogIDwvdGQ+DQogPC90cj4NCiA8dHIgc3R5bGU9J2hlaWdodDozMi4yNXB0 Jz4NCiAgPHRkIHdpZHRoPTE2OSBzdHlsZT0nd2lkdGg6MTI3LjA1cHQ7cGFkZGluZzouNzVwdCAu NzVwdCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0OjMyLjI1cHQnIGJvcmRlcmNvbG9ybGlnaHQ9IiM4 MDgwODAiPg0KICA8cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J3RleHQtYWxpZ246anVzdGlmeTt0 ZXh0LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48Yj48c3Bhbg0KICBzdHlsZT0nY29sb3I6IzY2 OTkzMyc+q9jEs6jGtrU8L3NwYW4+PC9iPjxzcGFuIGxhbmc9RU4tVVM+PG86cD48L286cD48L3Nw YW4+PC9wPg0KICA8L3RkPg0KICA8dGQgd2lkdGg9MzMwIHN0eWxlPSd3aWR0aDoyNDcuNDVwdDtw YWRkaW5nOi43NXB0IC43NXB0IC43NXB0IC43NXB0Ow0KICBoZWlnaHQ6MzIuMjVwdCcgYm9yZGVy Y29sb3JsaWdodD0iIzgwODA4MCI+DQogIDxwIHN0eWxlPSd0ZXh0LWFsaWduOmp1c3RpZnk7dGV4 dC1qdXN0aWZ5OmludGVyLWlkZW9ncmFwaCc+PHNwYW4gbGFuZz1FTi1VUw0KICBzdHlsZT0nY29s b3I6eWVsbG93Jz48SU5QVVQgVFlQRT0idGV4dCIgU0laRT0iNDkiIE5BTUU9IqvYxLOoxra1Ij48 L3NwYW4+PC9wPg0KICA8L3RkPg0KIDwvdHI+DQo8L3RhYmxlPg0KDQo8L2Rpdj4NCg0KPHAgYWxp Z249Y2VudGVyIHN0eWxlPSdtYXJnaW4tdG9wOjIuMjVwdDttYXJnaW4tcmlnaHQ6MGNtO21hcmdp bi1ib3R0b206Mi4yNXB0Ow0KbWFyZ2luLWxlZnQ6MGNtO3RleHQtYWxpZ246Y2VudGVyO2xpbmUt aGVpZ2h0OjE1MCUnPjxzcGFuIGxhbmc9RU4tVVMNCnN0eWxlPSdjb2xvcjojNjYwMENDJz48SU5Q VVQgVFlQRT0ic3VibWl0IiBBQ1RJT049Im1haWx0bzpzaGluMDg4QDE2My5jb20/c3ViamVjdD2n 2q1usNGlW6X+pcGzc8Lqtlew06jGt365zrakIiBWQUxVRT0ip9qtbqVbpEqoxrd+peum8aFBsGWl WLjqrsYiIEVOQ1RZUEU9InRleHQvcGxhaW4iIE1FVEhPRD0icG9zdCIgTkFNRT0ivVS7eyINCkFD VElPTj0ibWFpbHRvOnNoaW4wODhAMTYzLmNvbT9zdWJqZWN0PafarW6w0aVbpf6lwbNzwuq2V7DT qMa3frnOtqQiIEVOQ1RZUEU9InRleHQvcGxhaW4iDQpNRVRIT0Q9cG9zdCBBQ1RJT049Im1haWx0 bzpzaGluMDg4QDE2My5jb20/c3ViamVjdD2n2q1usNGlW6X+pcGzc8Lqtlew06jGt365zrakIg0K RU5DVFlQRT0idGV4dC9wbGFpbiIgTUVUSE9EPXBvc3QNCkFDVElPTj0ibWFpbHRvOnNoaW4wODhA MTYzLmNvbT9zdWJqZWN0PafarW6w0aVbpf6lwbNzwuq2V7DTqMa3frnOtqQiIEVOQ1RZUEU9InRl eHQvcGxhaW4iDQpNRVRIT0Q9cG9zdCBBQ1RJT049Im1haWx0bzpzaGluMDg4QDE2My5jb20/c3Vi amVjdD2n2q1usNGlW6X+pcGzc8Lqtlew06jGt365zrakIg0KRU5DVFlQRT0idGV4dC9wbGFpbiIg TUVUSE9EPXBvc3QNCkFDVElPTj0ibWFpbHRvOnNoaW4wODhAMTYzLmNvbT9zdWJqZWN0PafarW6w 0aVbpf6lwbNzwuq2V7DTqMa3frnOtqQiIEVOQ1RZUEU9InRleHQvcGxhaW4iDQpNRVRIT0Q9cG9z dCBBQ1RJT049Im1haWx0bzpzaGluMDg4QDE2My5jb20/c3ViamVjdD2n2q1usNGlW6X+pcGzc8Lq tlew06jGt365zrakIg0KRU5DVFlQRT0idGV4dC9wbGFpbiIgTUVUSE9EPXBvc3QNCkFDVElPTj0i bWFpbHRvOnNoaW4wODhAMTYzLmNvbT9zdWJqZWN0PafarW6w0aVbpf6lwbNzwuq2V7DTqMa3frnO tqQiIEVOQ1RZUEU9InRleHQvcGxhaW4iDQpNRVRIT0Q9cG9zdCBBQ1RJT049Im1haWx0bzpzaGlu MDg4QDE2My5jb20/c3ViamVjdD2n2q1usNGlW6X+pcGzc8Lqtlew06jGt365zrakIg0KRU5DVFlQ RT0idGV4dC9wbGFpbiIgTUVUSE9EPXBvc3Q+PElOUFVUIFRZUEU9InJlc2V0IiBWQUxVRT0irau2 8SIgTkFNRT0irau28SI+PC9zcGFuPjwvcD4NCg0KPC9mb3JtPg0KDQo8L2Rpdj4NCg0KPC9ib2R5 Pg0KDQo8L2h0bWw+ ------=_NextPart_07OO8TVQw16QdzbP0oYAA-- ------=_NextPart_07OO8TVQw16QdzbP0oY-- -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Wed Nov 13 06:39:35 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA27926 for ; Wed, 13 Nov 2002 06:39:34 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gADBfSQ1029335; Wed, 13 Nov 2002 12:41:28 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gADBfSZ22919; Wed, 13 Nov 2002 12:41:28 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id MAA04651; Wed, 13 Nov 2002 12:40:50 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id MAA04647 for ; Wed, 13 Nov 2002 12:40:49 +0100 (MET) Received: from nomadiclab.com (n100.nomadiclab.com [131.160.193.100]) by n97.nomadiclab.com (Postfix) with ESMTP id 8A50F1C for ; Wed, 13 Nov 2002 13:47:54 +0200 (EET) Message-ID: <3DD23A40.2040303@nomadiclab.com> Date: Wed, 13 Nov 2002 13:40:48 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021112 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-send@standards.ericsson.net Subject: Anybody willing to act as a text conferecing scribe at Atlanta? Content-Type: multipart/mixed; boundary="------------040702050504060505010804" Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk This is a multi-part message in MIME format. --------------040702050504060505010804 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit For the first time, there will be text conferencing available at the IETF meeting (see the attached note). Now, due to family reasons I will not be personally present at Atlanta. Instead, I'm planning to stay up in the night to participate to the WG meeting remotely. (I'm some 8 time zones east from Atlanta, so it will be night for me.) Now, text conferencing seems to be the best option for me to participate from home, and therefore I'd appreciate if someone would volunteer to act as a scribe. --Pekka Nikander Send WG co-chair --------------040702050504060505010804 Content-Type: text/plain; name="text-conferencing.txt" Content-Disposition: inline; filename="text-conferencing.txt" Content-Transfer-Encoding: 7bit Remote Access for the 55th IETF meeting in Atlanta: Text Conferencing At each IETF meeting, two of the working group meeting rooms are equipped for video multicast and remote participation. That is, for every IETF meeting slot, two of the working groups can see and hear the meeting. For the 55th IETF, in *addition* to the usual network A/V, text conferencing will be provided for every working group that meets. All of the conference rooms will be hosted on conference.ietf.jabber.com and each is named using the official IETF abbreviation found in the agenda (e.g., "apparea", "dhc", "forces", and so on -- for all the examples that follow, we'll use "foobar" as the abbreviation). Each conference room also has a 'bot which records everything that gets sent. So, the minute taker can review this information right after the meeting. 1. Before the meeting: 1.1. If you want to participate If you don't already have one, get yourself a Jabber client, here are some suggestions: platform suggestion -------- ---------- win32 http://exodus.jabberstudio.org 'nix http://gabber.sf.net macos http://jabberfox.sf.net When you start the client for the first time, it will eventually ask if you want to register on a public server. Go ahead and do that. If you want to find out more, instead of choosing these defaults, here are pointers to some additional information: list of clients: http://www.jabber.org/user/clientlist.php howto: http://www.jabber.org/user/userguide/ server list: http://www.jabber.org/user/publicservers.php To make sure everything is running ok, do a "Join Group Chat" with your Jabber client: Group/Room: testing Server: conference.ietf.jabber.com This conference room is up and running right now (although probably no one will be in it when you connect). 1.2. What the Chair does If you want to make text conferencing available, you'll need to have a volunteer scribe in the meeting room. The scribe will be typing in a running commentary as to what's going on in the room (who's presenting, what question is being asked, etc.) So, why not send an email out on the mailing list now, before the meeting, to ask for volunteers? 2. At the meeting 2.1. What the Chair does When a session starts, the chair asks if someone in the room is willing to act as "scribe". If no one volunteers, read no further, we're done! Otherwise, the scribe should do a "Join Group Chat" with their Jabber client, e.g., Group/Room: foobar Server: conference.ietf.jabber.com 2.2. What the Scribe does The scribe types in a running commentary as to what's going on in the room. For example, if a speaker makes a presentation, the scribe types in the URL for the presentation (more on this in a bit). Simlarly, during question time, a remote participant can type a question into the room and the scribe can pass it on to the speaker. 2.3. What each Presenter does Each presenter should put a copy of their presentation on a web server somewhere, so remote participants can follow along. If you don't have a server available, email your presentation to To: presentations@ietf.org Subject: foobar and the Secretariat will put the presentation in a server so it can be accessed under: http://atlanta.ietf.org/presentations/foobar/ Don't wait until the last minute to send the email. 2.4. Where to find the conference log http://www.jabber.com/chatbot/logs/conference.ietf.jabber.com/foobar/ 2.5. Finally This is an experiment. Let's see how well it works and discuss it after the meeting. ####### --------------040702050504060505010804-- -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Wed Nov 13 11:01:37 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA05995 for ; Wed, 13 Nov 2002 11:01:36 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gADG25KV026664; Wed, 13 Nov 2002 17:02:05 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gADG25Z06377; Wed, 13 Nov 2002 17:02:05 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id RAA09770; Wed, 13 Nov 2002 17:01:44 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from chinapolyglot.com ([202.106.155.97]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id RAA09762 for ; Wed, 13 Nov 2002 17:01:40 +0100 (MET) Received: from DellXP [210.21.107.131] by chinapolyglot.com with ESMTP (SMTPD32-7.06) id A6BAA88016A; Wed, 13 Nov 2002 23:58:50 +0800 Message-ID: <4110-220021131316130669@DellXP> Organization: Polyglot Ltd From: "Polyglot" To: ietf-send@standards.ericsson.net Subject: Polyglot Translation Date: Thu, 14 Nov 2002 00:01:30 +0800 MIME-Version: 1.0 Content-type: text/plain; charset=utf-7 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by prdxweb.sw.ericsson.se id RAA09766 Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 8bit Polyglot Translation Polyglot is a professional multilingual solutions provider. Our rich experience and professional team established us as a leader in the field of multilingual solutions. Polyglot can provide fast and accurate translations of financial, legal and technical documents on over 30 languages, such as English, German, Spanish, French, Italian, Chinese, Japanese, Korean, etc. We also provide software localization, website localization, simultaneous and consecutive interpretation for international meetings. For further information, please visit our website: http://www.polyglot.com.cn Contact us at: E-mail: info+AEA-polyglot.com.cn Tel: +-86 20 8657-3608 Fax: +-86 20 8657-3965 Add: 968 Office Tower, Central Hotel 33 Airport Road Guangzhou, China The message below is written in Chinese characters: +T916y0/hf/uL0VFsU/g- +T916y0/hf/uL0VFsU/hmL04AW7Zj0E+bWRp5zYvtigCJ41GzZbloSHaEThNOGmc6Z4QwAk4wW8x2hH7PmoxTyg- +ThNOGnaElh9PDXhuestOhmIRTuxXKFkaec2L7YoAieNRs2W5aEiYhlffdoSYhlFIVzBPTTAC- +YhFO7ID9Y9BPmw-30+WRp5zYvtigB2hFHGeG4wAV/rY3d2hH/7i9FnDVKh/wx/+4vRmIZX322JU8qR0YeNZYdO9jAB- +bNVfi2WHTvZTymKAZy9lh072/wx/+4vRi+15zVMFYuz/GoLxMAFftzABiX8wAWzVMAFhDzABTi0wAWXlMAGX6XtJe0kwAg- +a2RZFv8MYhFO7I/YY9BPm49vTvZnLFcwUxYwAX9RetlnLFcwUxYwAVb9lkVPGouudoRUDFjwTyCL0VSMTqRm/08gi9EwAg- +UXNOjovmYMX/DIv3i7+V7mIRTux2hH9RV0D/Gg- http://www.polyglot.com.cn +gFR8+2W5Xw//Gg- +dTWQrg-: info+AEA-polyglot.com.cn +dTWL3Q-: (86-20) 8657 3608 +TyB3Hw-: (86-20) 8657 3965 +VzBXQP8aTi1W/V5/Xd5nOlc6je8-33+U/c- +Ti1ZLpFSXpdRmVtXaXw-968 +kK5/Fv8a-510403 -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sun Nov 17 08:52:38 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA18391 for ; Sun, 17 Nov 2002 08:52:37 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAHDsRQ1012335; Sun, 17 Nov 2002 14:54:27 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAHDsRZ25356; Sun, 17 Nov 2002 14:54:27 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id OAA19976; Sun, 17 Nov 2002 14:53:34 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from netcore.fi (netcore.fi [193.94.160.1]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id OAA19972 for ; Sun, 17 Nov 2002 14:53:33 +0100 (MET) Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id gAHDrXD08126 for ; Sun, 17 Nov 2002 15:53:33 +0200 Date: Sun, 17 Nov 2002 15:53:32 +0200 (EET) From: Pekka Savola To: ietf-send@standards.ericsson.net Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt In-Reply-To: <200210181510.LAA29565@ietf.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk On Fri, 18 Oct 2002 Internet-Drafts@ietf.org wrote: > Title : IPv6 Neighbor Discovery trust models and threats > Author(s) : P. Nikander > Filename : draft-ietf-send-psreq-00.txt > Pages : 13 > Date : 2002-10-17 > > The existing IETF standards specify that IPv6 Neighbor Discovery > and Address Autoconfiguration mechanisms MAY be protected with > IPsec AH. However, the current specifications limit the security > solutions to manual keying due to practical problems faced with > automatic key management. This document specifies three different > trust models and discusses the threats pertient to IPv6 Neighbor > Discovery. The purpose of this discussion is to define the > requirements for Securing IPv6 Neigbor Discovery. Hopefully the comments aren't completely ignored as the last two times (for netaccess-threats). Anyway.. Substantial: 1) I think there should be another trust model, or s subcategory of one: "semi Editorial: -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sun Nov 17 09:14:19 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA18690 for ; Sun, 17 Nov 2002 09:14:18 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAHEGZKV007523; Sun, 17 Nov 2002 15:16:35 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAHEGZ220488; Sun, 17 Nov 2002 15:16:35 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id PAA23281; Sun, 17 Nov 2002 15:16:22 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from netcore.fi (netcore.fi [193.94.160.1]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id PAA23277 for ; Sun, 17 Nov 2002 15:16:21 +0100 (MET) Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id gAHEGLh08281 for ; Sun, 17 Nov 2002 16:16:21 +0200 Date: Sun, 17 Nov 2002 16:16:20 +0200 (EET) From: Pekka Savola To: ietf-send@standards.ericsson.net Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Ooops sent the previous by accident, let's try again.. On Fri, 18 Oct 2002 Internet-Drafts@ietf.org wrote: > Title : IPv6 Neighbor Discovery trust models and threats > Author(s) : P. Nikander > Filename : draft-ietf-send-psreq-00.txt > Pages : 13 > Date : 2002-10-17 > > The existing IETF standards specify that IPv6 Neighbor Discovery > and Address Autoconfiguration mechanisms MAY be protected with > IPsec AH. However, the current specifications limit the security > solutions to manual keying due to practical problems faced with > automatic key management. This document specifies three different > trust models and discusses the threats pertient to IPv6 Neighbor > Discovery. The purpose of this discussion is to define the > requirements for Securing IPv6 Neigbor Discovery. Hopefully the comments aren't completely ignored as the last two times (for netaccess-threats). Anyway.. Substantial: 1) I think there should be another trust model, or s subcategory of one: "semi-trusted". Model 1 is useless other than as a trust model of the current state. E.g. intranet nodes really _should_ be semi-trusted, not completely trusted. Semi-trusted network would have to be protected from packet hijacking, MITM, etc. -- but not necessarily DoS attacks. Another possible way to tackle this would be to add "Trusted Host Goes Bad" threat -- ie. a node in a "trusted" network is compromised. 2) Bogus On-Link Prefix threat appears to be much worse than DoS, rather a redirect: why couldn't the attacker just fabricate the NA responses for bogus On-Link prefixes and claim the traffic (and perform MITM or whatever)? (E.g. to capture www.hotmail.com traffic, advertise their prefixes as on-link) 3) Bogus Address Configuration Prefix threat appears to be a bit more complex than that. If a dynamic DNS update is done, this can be made to do very much harm; in particular, to spoof forward + reverse DNS checks. Example: 1. figure out the EUI64 address of the victim node, here :: 2. make your own node (somewhere in the internet) be a ::. 3. configure the reverse of the attackers node, above, be :: --> "secure.victim.com". 4. advertise an address config prefix of ::/64 5. victim configures ::, and updates DNS so that "secure.victim.com" (also) points to :: Reverse DNS spoof is ready. Editorial: ==> many places: the "The threat involves XXX" is written in many forms (with/without "/" and with/without "messages") -- make more uniform. There are two general types of threats: 1) Redirect attacks in which a malicious node redirects packets away from the last hop router to another node on the link. ==> generalize "Redirect attacks" ==> generalize "last hop router": in the threats any node can be compromised like this A redirect attack can be used for DoS purposes by having the node to ==> s/can be/can also be/ 4.1 Non router/routing related threats In this section we discuss attacks against "pure" Neighbor Discovery functions, i.e., Neighbor Discovery, Neigbor Unreachability Discovery, and Address Autoconfiguration. ==> "Duplicate Address Detection in Address Autoconfiguration" (else "router" -related threats isn't really applicable) Nodes on the link use Neighbor Solicitation and Adverticement ==> s/Adverticement/Advertisement Nodes on the link monitor the reachability of local destinations and routers with the Neighbor Unreachability procedure [RFC2461]. ==> s/NU/NUD/ ? could launch a DoS attack by responding to every duplicate address detection attempt by an entering host. If the attacker claims the ==> s/by/made by/ (or tried by) or not. In the trusted operator case, the operator may acts as an ==> s/may acts/may act/ to answer the stateful configuration queries of a legitmate ==> s/legitmate/legitimate/ remains as a research question. 4.3 Remotely exploitable attacks ==> add an empty line here that the attacker may be off link. The resource being attacked in ==> s/off link/off-link/ ? -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sun Nov 17 09:17:23 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA18746 for ; Sun, 17 Nov 2002 09:17:23 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAHEJfQ1013433; Sun, 17 Nov 2002 15:19:41 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAHEJf220560; Sun, 17 Nov 2002 15:19:41 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id PAA23396; Sun, 17 Nov 2002 15:19:35 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from netcore.fi (netcore.fi [193.94.160.1]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id PAA23392 for ; Sun, 17 Nov 2002 15:19:34 +0100 (MET) Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id gAHEJYe08296 for ; Sun, 17 Nov 2002 16:19:34 +0200 Date: Sun, 17 Nov 2002 16:19:34 +0200 (EET) From: Pekka Savola To: ietf-send@standards.ericsson.net Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk On Sun, 17 Nov 2002, Pekka Savola wrote: > 1. figure out the EUI64 address of the victim node, here :: > 2. make your own node (somewhere in the internet) be a ::. > 3. configure the reverse of the attackers node, above, be > :: --> "secure.victim.com". > 4. advertise an address config prefix of ::/64 > 5. victim configures ::, and updates DNS so that > "secure.victim.com" (also) points to :: Note typo in 3. -- it should have been ::, of course. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sun Nov 17 15:25:54 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA24709 for ; Sun, 17 Nov 2002 15:25:53 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAHKS3Q1027964; Sun, 17 Nov 2002 21:28:03 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAHKS1Z02219; Sun, 17 Nov 2002 21:28:02 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id VAA06305; Sun, 17 Nov 2002 21:27:40 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id VAA06301 for ; Sun, 17 Nov 2002 21:27:39 +0100 (MET) Received: from nomadiclab.com (cube.local.nikander.com [192.168.0.33]) by n97.nomadiclab.com (Postfix) with ESMTP id DFA571C; Sun, 17 Nov 2002 22:34:43 +0200 (EET) Message-ID: <3DD7FBBD.5050606@nomadiclab.com> Date: Sun, 17 Nov 2002 22:27:41 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021114 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Pekka Savola Cc: ietf-send@standards.ericsson.net Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Pekka Savola wrote: > Substantial: > > 1) I think there should be another trust model, or s subcategory of one: > "semi-trusted". Model 1 is useless other than as a trust model of the > current state. E.g. intranet nodes really _should_ be semi-trusted, not > completely trusted. Semi-trusted network would have to be protected from > packet hijacking, MITM, etc. -- but not necessarily DoS attacks. That would be interesting. Do you care to contribute some text to be included? > Another possible way to tackle this would be to add "Trusted Host Goes > Bad" threat -- ie. a node in a "trusted" network is compromised. I can do that, but I'd prefer to have some text for your semi-trusted model, if possible. > 2) Bogus On-Link Prefix threat appears to be much worse than DoS, rather a > redirect: why couldn't the attacker just fabricate the NA responses for > bogus On-Link prefixes and claim the traffic (and perform MITM or > whatever)? (E.g. to capture www.hotmail.com traffic, advertise their > prefixes as on-link) I'll check this and come back later. > 3) Bogus Address Configuration Prefix threat appears to be a bit more > complex than that. If a dynamic DNS update is done, this can be made to > do very much harm; in particular, to spoof forward + reverse DNS checks. ... > Reverse DNS spoof is ready. Good catch! Will add to the next version. > Editorial: I'll return to these once I have proper time to go through the text. Thanks!! --Pekka Nikander -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Mon Nov 18 02:54:14 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA15309 for ; Mon, 18 Nov 2002 02:54:13 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAI7u1Q1013847; Mon, 18 Nov 2002 08:56:02 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAI7u1210544; Mon, 18 Nov 2002 08:56:01 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id IAA21826; Mon, 18 Nov 2002 08:55:41 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from leonis.nus.edu.sg (leonis.nus.edu.sg [137.132.1.18]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id IAA21812 for ; Mon, 18 Nov 2002 08:55:24 +0100 (MET) Received: from lothlorien.icr.a-star.edu.sg ([137.132.31.151]) by leonis.nus.edu.sg (8.12.1/8.12.1) with ESMTP id gAI7uIBK023391; Mon, 18 Nov 2002 15:56:23 +0800 (SGT) Received: by lothlorien.icr.a-star.edu.sg (Postfix, from userid 501) id 6E78918104; Mon, 18 Nov 2002 15:53:49 +0800 (SGT) Date: Mon, 18 Nov 2002 15:53:49 +0800 From: Parijat Mishra To: Pekka Savola Cc: ietf-send@standards.ericsson.net Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt Message-ID: <20021118075348.GE23230@icr.a-star.edu.sg> Mail-Followup-To: Parijat Mishra , Pekka Savola , ietf-send@standards.ericsson.net References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk A question: On Sun, Nov 17, 2002 at 04:16:20PM +0200, Pekka Savola wrote: > 3) Bogus Address Configuration Prefix threat appears to be a bit more > > 3. configure the reverse of the attackers node, above, be > :: --> "secure.victim.com". (a) Presumably configuring the reverse DNS mapping requires at least as much (administrative) privileges as forward DNS mapping. Right? > 5. victim configures ::, and updates DNS so that > "secure.victim.com" (also) points to :: If (a) is true, then attackers could perhaps simply spead poop all over the DNS records of the victim. Why would they need to wait for the victim to update his/her DNS record? > > Reverse DNS spoof is ready. ---end quoted text--- -- Sincerely, Parijat Mishra R & D Engineer, Institute for Communications Research Tel: (65)68709353 -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Mon Nov 18 09:34:24 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA21995 for ; Mon, 18 Nov 2002 09:34:23 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAIEaYKV026430; Mon, 18 Nov 2002 15:36:34 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAIEaY222419; Mon, 18 Nov 2002 15:36:34 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id PAA14491; Mon, 18 Nov 2002 15:35:59 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id PAA14476 for ; Mon, 18 Nov 2002 15:35:56 +0100 (MET) Received: from eastmail1bur.East.Sun.COM ([129.148.9.49]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id HAA16443; Mon, 18 Nov 2002 07:35:40 -0700 (MST) Received: from thunk.east.sun.com (thunk.East.Sun.COM [129.148.174.66]) by eastmail1bur.East.Sun.COM (8.12.2+Sun/8.12.2/ENSMAIL,v2.2) with ESMTP id gAIEZe9x026348; Mon, 18 Nov 2002 09:35:40 -0500 (EST) Received: from thunk (localhost [127.0.0.1]) by thunk.east.sun.com (8.12.6+Sun/8.12.6) with ESMTP id gAIEZdfR021048; Mon, 18 Nov 2002 09:35:39 -0500 (EST) Message-Id: <200211181435.gAIEZdfR021048@thunk.east.sun.com> From: Bill Sommerfeld To: Parijat Mishra cc: Pekka Savola , ietf-send@standards.ericsson.net Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt In-Reply-To: Your message of "Mon, 18 Nov 2002 15:53:49 +0800." <20021118075348.GE23230@icr.a-star.edu.sg> Reply-to: sommerfeld@east.sun.com Date: Mon, 18 Nov 2002 09:35:39 -0500 Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk > > 3. configure the reverse of the attackers node, above, be > > :: --> "secure.victim.com". > > (a) Presumably configuring the reverse DNS mapping requires at least > as much (administrative) privileges as forward DNS mapping. Right? There was a followup -- this was supposed to be :: i.e., something in the attacker's space with the IID of the victim. so, it's worth noting that the ATTACKER can't do this "anonymously". - we are assuming end-to-end security at or above IP, so redirecting secure.victim.com is at most a DoS - problem fixes itself when the mobile server wanders back to a well-behaved network. - this this particular attack may be indistinguishable from an ISP which allows you to join their network and then suffers a failure. In terms of remedies for repeat offenders: - you can blacklist prefixes. - you can revoke/blacklist whatever certification chain is used to certify the routers of the attacker. -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Mon Nov 18 09:39:17 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA22117 for ; Mon, 18 Nov 2002 09:39:16 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAIEfTQ1024300; Mon, 18 Nov 2002 15:41:30 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAIEfT222648; Mon, 18 Nov 2002 15:41:29 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id PAA14741; Mon, 18 Nov 2002 15:41:23 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from netcore.fi (netcore.fi [193.94.160.1]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id PAA14737 for ; Mon, 18 Nov 2002 15:41:22 +0100 (MET) Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id gAIEf6l19081; Mon, 18 Nov 2002 16:41:06 +0200 Date: Mon, 18 Nov 2002 16:41:05 +0200 (EET) From: Pekka Savola To: Bill Sommerfeld cc: Parijat Mishra , Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt In-Reply-To: <200211181435.gAIEZdfR021048@thunk.east.sun.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk On Mon, 18 Nov 2002, Bill Sommerfeld wrote: > - we are assuming end-to-end security at or above IP, so redirecting > secure.victim.com is at most a DoS Where has this assumption been made? Nowhere, I believe. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Mon Nov 18 10:27:21 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA23498 for ; Mon, 18 Nov 2002 10:27:21 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAIFTSKV014803; Mon, 18 Nov 2002 16:29:28 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAIFTRZ26535; Mon, 18 Nov 2002 16:29:27 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id QAA20761; Mon, 18 Nov 2002 16:29:14 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from w8k2x7 (98.c210-85-172.ethome.net.tw [210.85.172.98]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with SMTP id QAA20748 for ; Mon, 18 Nov 2002 16:28:51 +0100 (MET) Date: Mon, 18 Nov 2002 16:28:51 +0100 (MET) Received: from sky by mars.seed.net.tw with SMTP id DrqAmwALueYoZSp; Mon, 18 Nov 2002 23:28:54 +0800 Message-ID: From: a8b878@yahoo.com.tw To: 3@standards.ericsson.net Subject: =?big5?Q?=A7Y=A8=CF=A7A=A6b=BA=CE=C4=B1=A4]=A6=B3=BF=FA=C1=C8?= MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_ImvQplYhpjbTdHPLK1wrjpAmK08" X-Mailer: 0hhRU9dXU5nYsBxZg6 X-Priority: 3 X-MSMail-Priority: Normal Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk This is a multi-part message in MIME format. ------=_NextPart_ImvQplYhpjbTdHPLK1wrjpAmK08 Content-Type: multipart/alternative; boundary="----=_NextPart_ImvQplYhpjbTdHPLK1wrjpAmK08AA" ------=_NextPart_ImvQplYhpjbTdHPLK1wrjpAmK08AA Content-Type: text/html; charset="big5" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiDQp4bWxuczpvPSJ1 cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTpvZmZpY2UiDQp4bWxuczp3PSJ1cm46c2No ZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTp3b3JkIg0KeG1sbnM9Imh0dHA6Ly93d3cudzMub3Jn L1RSL1JFQy1odG1sNDAiPg0KDQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9Q29udGVudC1UeXBl IGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1CaWc1Ij4NCjxtZXRhIG5hbWU9UHJvZ0lkIGNv bnRlbnQ9V29yZC5Eb2N1bWVudD4NCjxtZXRhIG5hbWU9R2VuZXJhdG9yIGNvbnRlbnQ9Ik1pY3Jv c29mdCBXb3JkIDkiPg0KPG1ldGEgbmFtZT1PcmlnaW5hdG9yIGNvbnRlbnQ9Ik1pY3Jvc29mdCBX b3JkIDkiPg0KPGxpbmsgcmVsPUZpbGUtTGlzdCBocmVmPSIuL3NoaW44OEAxNjMuY29tJTIwJTIw r8Go+qdLtk+qurPQt36l+rrQLmZpbGVzL2ZpbGVsaXN0LnhtbCI+DQo8bGluayByZWw9RWRpdC1U aW1lLURhdGEgaHJlZj0iLi9zaGluODhAMTYzLmNvbSUyMCUyMK/BqPqnS7ZPqrqz0Ld+pfq60C5m aWxlcy9lZGl0ZGF0YS5tc28iPg0KPCEtLVtpZiAhbXNvXT4NCjxzdHlsZT4NCnZcOioge2JlaGF2 aW9yOnVybCgjZGVmYXVsdCNWTUwpO30NCm9cOioge2JlaGF2aW9yOnVybCgjZGVmYXVsdCNWTUwp O30NCndcOioge2JlaGF2aW9yOnVybCgjZGVmYXVsdCNWTUwpO30NCi5zaGFwZSB7YmVoYXZpb3I6 dXJsKCNkZWZhdWx0I1ZNTCk7fQ0KPC9zdHlsZT4NCjwhW2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1z byA5XT48eG1sPg0KIDxvOkRvY3VtZW50UHJvcGVydGllcz4NCiAgPG86QXV0aG9yPkFBQTwvbzpB dXRob3I+DQogIDxvOlRlbXBsYXRlPk5vcm1hbDwvbzpUZW1wbGF0ZT4NCiAgPG86TGFzdEF1dGhv cj5BQUE8L286TGFzdEF1dGhvcj4NCiAgPG86UmV2aXNpb24+MjA8L286UmV2aXNpb24+DQogIDxv OlRvdGFsVGltZT4xMTwvbzpUb3RhbFRpbWU+DQogIDxvOkNyZWF0ZWQ+MjAwMi0wMy0wOFQxOToy MDowMFo8L286Q3JlYXRlZD4NCiAgPG86TGFzdFNhdmVkPjIwMDItMTAtMjRUMDc6NTM6MDBaPC9v Okxhc3RTYXZlZD4NCiAgPG86UGFnZXM+MTwvbzpQYWdlcz4NCiAgPG86V29yZHM+MTE2PC9vOldv cmRzPg0KICA8bzpDaGFyYWN0ZXJzPjY2MzwvbzpDaGFyYWN0ZXJzPg0KICA8bzpMaW5lcz41PC9v OkxpbmVzPg0KICA8bzpQYXJhZ3JhcGhzPjE8L286UGFyYWdyYXBocz4NCiAgPG86Q2hhcmFjdGVy c1dpdGhTcGFjZXM+ODE0PC9vOkNoYXJhY3RlcnNXaXRoU3BhY2VzPg0KICA8bzpWZXJzaW9uPjku MjgxMjwvbzpWZXJzaW9uPg0KIDwvbzpEb2N1bWVudFByb3BlcnRpZXM+DQo8L3htbD48IVtlbmRp Zl0tLT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCiA8dzpXb3JkRG9jdW1lbnQ+DQogIDx3OkNv bXBhdGliaWxpdHk+DQogICA8dzpVc2VGRUxheW91dC8+DQogIDwvdzpDb21wYXRpYmlsaXR5Pg0K IDwvdzpXb3JkRG9jdW1lbnQ+DQo8L3htbD48IVtlbmRpZl0tLT4NCjxzdHlsZT4NCjwhLS0NCiAv KiBGb250IERlZmluaXRpb25zICovDQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OrdzstOp+sXp Ow0KCXBhbm9zZS0xOjIgMiAzIDAgMCAwIDAgMCAwIDA7DQoJbXNvLWZvbnQtYWx0OlBNaW5nTGlV Ow0KCW1zby1mb250LWNoYXJzZXQ6MTM2Ow0KCW1zby1nZW5lcmljLWZvbnQtZmFtaWx5OnJvbWFu Ow0KCW1zby1mb250LXBpdGNoOnZhcmlhYmxlOw0KCW1zby1mb250LXNpZ25hdHVyZToxIDEzNDc0 MjAxNiAxNiAwIDEwNDg1NzYgMDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OiJcQLdzstOp +sXpIjsNCglwYW5vc2UtMToyIDIgMyAwIDAgMCAwIDAgMCAwOw0KCW1zby1mb250LWNoYXJzZXQ6 MTM2Ow0KCW1zby1nZW5lcmljLWZvbnQtZmFtaWx5OnJvbWFuOw0KCW1zby1mb250LXBpdGNoOnZh cmlhYmxlOw0KCW1zby1mb250LXNpZ25hdHVyZToxIDEzNDc0MjAxNiAxNiAwIDEwNDg1NzYgMDt9 DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OiK12LFkstO26sXpXChQXCkiOw0KCXBhbm9zZS0x OjAgMCAwIDAgMCAwIDAgMCAwIDA7DQoJbXNvLWZvbnQtYWx0OrdzstOp+sXpOw0KCW1zby1mb250 LWNoYXJzZXQ6MTM2Ow0KCW1zby1nZW5lcmljLWZvbnQtZmFtaWx5OnJvbWFuOw0KCW1zby1mb250 LWZvcm1hdDpvdGhlcjsNCgltc28tZm9udC1waXRjaDphdXRvOw0KCW1zby1mb250LXNpZ25hdHVy ZToxIDEzNDc0MjAxNiAxNiAwIDEwNDg1NzYgMDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5 OiJcQLXYsWSy07bqxelcKFBcKSI7DQoJcGFub3NlLTE6MCAwIDAgMCAwIDAgMCAwIDAgMDsNCglt c28tZm9udC1jaGFyc2V0OjEzNjsNCgltc28tZ2VuZXJpYy1mb250LWZhbWlseTpyb21hbjsNCglt c28tZm9udC1mb3JtYXQ6b3RoZXI7DQoJbXNvLWZvbnQtcGl0Y2g6YXV0bzsNCgltc28tZm9udC1z aWduYXR1cmU6MSAxMzQ3NDIwMTYgMTYgMCAxMDQ4NTc2IDA7fQ0KIC8qIFN0eWxlIERlZmluaXRp b25zICovDQpwLk1zb05vcm1hbCwgbGkuTXNvTm9ybWFsLCBkaXYuTXNvTm9ybWFsDQoJe21zby1z dHlsZS1wYXJlbnQ6IiI7DQoJbWFyZ2luOjBjbTsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJ bXNvLXBhZ2luYXRpb246d2lkb3ctb3JwaGFuOw0KCWZvbnQtc2l6ZToxMi4wcHQ7DQoJZm9udC1m YW1pbHk6t3Oy06n6xek7DQoJbXNvLWhhbnNpLWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4i Ow0KCW1zby1iaWRpLWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iO30NCnANCgl7bWFyZ2lu LXJpZ2h0OjBjbTsNCgltc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzsNCgltc28tbWFyZ2luLWJvdHRv bS1hbHQ6YXV0bzsNCgltYXJnaW4tbGVmdDowY207DQoJbXNvLXBhZ2luYXRpb246d2lkb3ctb3Jw aGFuOw0KCWZvbnQtc2l6ZToxMi4wcHQ7DQoJZm9udC1mYW1pbHk6t3Oy06n6xek7DQoJbXNvLWhh bnNpLWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iOw0KCW1zby1iaWRpLWZvbnQtZmFtaWx5 OiJUaW1lcyBOZXcgUm9tYW4iO30NCiAvKiBQYWdlIERlZmluaXRpb25zICovDQpAcGFnZQ0KCXtt c28tcGFnZS1ib3JkZXItc3Vycm91bmQtaGVhZGVyOm5vOw0KCW1zby1wYWdlLWJvcmRlci1zdXJy b3VuZC1mb290ZXI6bm87fQ0KQHBhZ2UgU2VjdGlvbjENCgl7c2l6ZTo1OTUuM3B0IDg0MS45cHQ7 DQoJbWFyZ2luOjcyLjBwdCA5MC4wcHQgNzIuMHB0IDkwLjBwdDsNCgltc28taGVhZGVyLW1hcmdp bjo0Mi41NXB0Ow0KCW1zby1mb290ZXItbWFyZ2luOjQ5LjZwdDsNCgltc28tcGFwZXItc291cmNl OjA7fQ0KZGl2LlNlY3Rpb24xDQoJe3BhZ2U6U2VjdGlvbjE7fQ0KLS0+DQo8L3N0eWxlPg0KPCEt LVtpZiBndGUgbXNvIDldPjx4bWw+DQogPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRpdCIgc3Bp ZG1heD0iMTAyNyIvPg0KPC94bWw+PCFbZW5kaWZdLS0+PCEtLVtpZiBndGUgbXNvIDldPjx4bWw+ DQogPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0KICA8bzppZG1hcCB2OmV4dD0iZWRpdCIg ZGF0YT0iMSIvPg0KIDwvbzpzaGFwZWxheW91dD48L3htbD48IVtlbmRpZl0tLT4NCjwvaGVhZD4N Cg0KPGJvZHkgbGFuZz1aSC1UVyBzdHlsZT0ndGFiLWludGVydmFsOjI0LjBwdCc+DQoNCjxkaXYg Y2xhc3M9U2VjdGlvbjE+DQoNCjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6 NDguMHB0O3RleHQtaW5kZW50Oi00OC4wcHQ7bXNvLWNoYXItaW5kZW50LWNvdW50Og0KLTQuMDtt c28tY2hhci1pbmRlbnQtc2l6ZToxMi4wcHQ7bGF5b3V0LWdyaWQtbW9kZTpjaGFyO21zby1jaGFy LWluZGVudC1zaXplOg0KMTJwdCc+oV2kQKFeoUKmcKpHu6GmszxzcGFuIGxhbmc9RU4tVVM+fjxz cGFuIHN0eWxlPSdjb2xvcjpyZWQnPqRApfeoxrd+PC9zcGFuPrjqqvcgqbGtsSCxwL5QILBls2Yg pqyxYg0Kp3mzZiCtt8BJILd+wVqzcbNxpKOlzn68y7zLpKO73TxzcGFuIHN0eWxlPSdjb2xvcjpy ZWQnPqdWpE+4Z8DnNi0xMq3TpOs8L3NwYW4+tE6v4L7WprM8c3Bhbg0Kc3R5bGU9J2NvbG9yOnJl ZCc+NS0xMLhVpLir+cTyqcqqurLXpc2mrKRKPC9zcGFuPrNvu/Kmbqq6vve3fLF6pKOo07jVuNW2 3KFGvHil/qzZpbSr97nZpvGhQyA8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQoNCjxwIGNsYXNzPU1z b05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6NDguMHB0O3RleHQtaW5kZW50Oi00OC4wcHQ7bXNv LWNoYXItaW5kZW50LWNvdW50Og0KLTQuMDttc28tY2hhci1pbmRlbnQtc2l6ZToxMi4wcHQ7bGF5 b3V0LWdyaWQtbW9kZTpjaGFyO21zby1jaGFyLWluZGVudC1zaXplOg0KMTJwdCc+oV2kR6FeoUKm cKpHsXGrS6dRsNOpsaVYqNOjeKRIoUazo7jysXqms8P2q1mhQzxzcGFuIHN0eWxlPSdjb2xvcjpm dWNoc2lhJz6l2Ktlpf6s2aR3prM8c3Bhbg0KbGFuZz1FTi1VUz40MK5hqbGtsTwvc3Bhbj48L3Nw YW4+oUaxeqSjpbKlWLrevlChRqhDrmE8c3BhbiBsYW5nPUVOLVVTPjEwpEi0TqZuo3uhRjEwpEgq NDCkuCi0TrmzuUy49LZPKSo0MK5hPTxzcGFuDQpzdHlsZT0nY29sb3I6ZnVjaHNpYSc+MTYwMDCk uLNvvMujeKaspEqhQzwvc3Bhbj6ko61usXqjeKVbt/mq97tQq0/D0qr3oUalda1usXqu46bMqm/G UcLmvkyv+bSro3ymYaTorvi2T7O6pF2laaVIqNO37TxzcGFuDQpzdHlsZT0nY29sb3I6ZnVjaHNp YSc+s3PC6rZXsNOjeKbRwfOhQzwvc3Bhbj4gPC9zcGFuPjwvcD4NCg0KPHAgY2xhc3M9TXNvTm9y bWFsIHN0eWxlPSdsYXlvdXQtZ3JpZC1tb2RlOmNoYXInPqFdpFShXqFCPHNwYW4gc3R5bGU9J2Nv bG9yOmJsYWNrJz6l2Ktlwdk8L3NwYW4+prM8c3Bhbg0KbGFuZz1FTi1VUyBzdHlsZT0nY29sb3I6 Ymx1ZSc+MzAwpmiuYbWyt/mpsTwvc3Bhbj6hXaZVpua3frOjprOhXq25oUKm56FCpu2hQqbmoUKo fKFCvNa8y7zLu/Sl/qFGPHNwYW4NCnN0eWxlPSdjb2xvcjpibHVlJz6zo7jysXqms8P2q1mhQzwv c3Bhbj4gPC9wPg0KDQo8Zm9ybSBhY3Rpb249Im1haWx0bzpzaGluODhAMTYzLmNvbT9zdWJqZWN0 PafarW6w0aVbpf6lwbNzwuq2V7DTqMa3frnOtqQiIG1ldGhvZD1wb3N0DQplbmN0eXBlPSJ0ZXh0 L3BsYWluIj4NCg0KPHAgYWxpZ249Y2VudGVyIHN0eWxlPSdtYXJnaW46MGNtO21hcmdpbi1ib3R0 b206LjAwMDFwdDt0ZXh0LWFsaWduOmNlbnRlcic+PGI+PHNwYW4NCnN0eWxlPSdmb250LXNpemU6 MjQuMHB0O21zby1hc2NpaS1mb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFuIjtjb2xvcjpmdWNo c2lhOw0KbXNvLWZvbnQta2VybmluZzoxLjBwdDttc28tYW5zaS1sYW5ndWFnZTpaSC1UVyc+pf6l wbNzwuqoxrd+PC9zcGFuPjwvYj48L3A+DQoNCjxwIGFsaWduPWNlbnRlciBzdHlsZT0nbWFyZ2lu LXRvcDo0LjVwdDttYXJnaW4tcmlnaHQ6MGNtO21hcmdpbi1ib3R0b206NC41cHQ7DQptYXJnaW4t bGVmdDowY207dGV4dC1hbGlnbjpjZW50ZXI7bGluZS1oZWlnaHQ6MjAwJSc+PGI+PHNwYW4gbGFu Zz1FTi1VUw0Kc3R5bGU9J2ZvbnQtc2l6ZToxMy41cHQ7Zm9udC1mYW1pbHk6IrXYsWSy07bqxelc KFBcKSI7Y29sb3I6Ymx1ZSc+PElOUFVUIFRZUEU9ImNoZWNrYm94IiBOQU1FPSKn2q1ur8Go+qdL tk+qurPQt36l+rrQIiBWQUxVRT0ivdCn1qRAwkkiPjwvc3Bhbj48L2I+PGI+PHNwYW4NCnN0eWxl PSdmb250LXNpemU6MTMuNXB0O2NvbG9yOnJlZCc+p9qtbq/BqPqnS7ZPqrq7oan6pfq60Dwvc3Bh bj48L2I+PHNwYW4gbGFuZz1FTi1VUz48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQoNCjxkaXYgYWxp Z249Y2VudGVyPg0KDQo8dGFibGUgYm9yZGVyPTEgY2VsbHNwYWNpbmc9MSBjZWxscGFkZGluZz0w IHdpZHRoPTUwMiBzdHlsZT0nd2lkdGg6Mzc2LjZwdDsNCiBtc28tY2VsbHNwYWNpbmc6LjdwdDtt YXJnaW4tbGVmdDo2OS41cHQ7bXNvLXBhZGRpbmctYWx0OjBjbSAwY20gMGNtIDBjbScNCiBoZWln aHQ9MT4NCiA8dHIgc3R5bGU9J2hlaWdodDoxNS4wcHQnPg0KICA8dGQgd2lkdGg9MTY5IHN0eWxl PSd3aWR0aDoxMjcuMDVwdDtwYWRkaW5nOi43NXB0IC43NXB0IC43NXB0IC43NXB0Ow0KICBoZWln aHQ6MTUuMHB0JyBib3JkZXJjb2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3RleHQt YWxpZ246anVzdGlmeTt0ZXh0LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48Yj48c3Bhbg0KICBz dHlsZT0nY29sb3I6IzY2OTkzMyc+pKSk5altplc8L3NwYW4+PC9iPjxzcGFuIGxhbmc9RU4tVVM+ PG86cD48L286cD48L3NwYW4+PC9wPg0KICA8L3RkPg0KICA8dGQgd2lkdGg9MzMwIHN0eWxlPSd3 aWR0aDoyNDcuNDVwdDtwYWRkaW5nOi43NXB0IC43NXB0IC43NXB0IC43NXB0Ow0KICBoZWlnaHQ6 MTUuMHB0JyBib3JkZXJjb2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3RleHQtYWxp Z246anVzdGlmeTt0ZXh0LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48c3BhbiBsYW5nPUVOLVVT DQogIHN0eWxlPSdjb2xvcjp5ZWxsb3cnPjxJTlBVVCBUWVBFPSJ0ZXh0IiBTSVpFPSIxNCIgTkFN RT0ipKSk5altplciPjwvc3Bhbj48L3A+DQogIDwvdGQ+DQogPC90cj4NCiA8dHIgc3R5bGU9J2hl aWdodDouNzVwdCc+DQogIDx0ZCB3aWR0aD0xNjkgc3R5bGU9J3dpZHRoOjEyNy4wNXB0O3BhZGRp bmc6Ljc1cHQgLjc1cHQgLjc1cHQgLjc1cHQ7DQogIGhlaWdodDouNzVwdCcgYm9yZGVyY29sb3Js aWdodD0iIzgwODA4MCI+DQogIDxwIHN0eWxlPSd0ZXh0LWFsaWduOmp1c3RpZnk7dGV4dC1qdXN0 aWZ5OmludGVyLWlkZW9ncmFwaDttc28tbGluZS1oZWlnaHQtYWx0Og0KICAuNzVwdCc+PGI+PHNw YW4gc3R5bGU9J2NvbG9yOiM2Njk5MzMnPqZ+xNY8L3NwYW4+PC9iPjxzcGFuIGxhbmc9RU4tVVM+ PG86cD48L286cD48L3NwYW4+PC9wPg0KICA8L3RkPg0KICA8dGQgd2lkdGg9MzMwIHN0eWxlPSd3 aWR0aDoyNDcuNDVwdDtwYWRkaW5nOi43NXB0IC43NXB0IC43NXB0IC43NXB0Ow0KICBoZWlnaHQ6 Ljc1cHQnIGJvcmRlcmNvbG9ybGlnaHQ9IiM4MDgwODAiPg0KICA8cCBzdHlsZT0ndGV4dC1hbGln bjpqdXN0aWZ5O3RleHQtanVzdGlmeTppbnRlci1pZGVvZ3JhcGg7bXNvLWxpbmUtaGVpZ2h0LWFs dDoNCiAgLjc1cHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9yOnllbGxvdyc+PElOUFVU IFRZUEU9InRleHQiIFNJWkU9IjQiIE5BTUU9IqZ+xNYiPjwvc3Bhbj48Yj48c3Bhbg0KICBzdHls ZT0nZm9udC1zaXplOjEwLjBwdDtjb2xvcjojNjY5OTMzJz63szxzcGFuIGxhbmc9RU4tVVM+KDE4 t7OlSKRXKTwvc3Bhbj48L3NwYW4+PC9iPjwvcD4NCiAgPC90ZD4NCiA8L3RyPg0KIDx0ciBzdHls ZT0naGVpZ2h0Oi43NXB0Jz4NCiAgPHRkIHdpZHRoPTE2OSBzdHlsZT0nd2lkdGg6MTI3LjA1cHQ7 cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0Oi43NXB0JyBib3JkZXJj b2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3RleHQtYWxpZ246anVzdGlmeTt0ZXh0 LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48Yj48c3Bhbg0KICBzdHlsZT0nY29sb3I6IzY2OTkz Myc+wXC1uLlxuNw8c3BhbiBsYW5nPUVOLVVTPiA6PC9zcGFuPjwvc3Bhbj48L2I+PC9wPg0KICA8 cCBzdHlsZT0ndGV4dC1hbGlnbjpqdXN0aWZ5O3RleHQtanVzdGlmeTppbnRlci1pZGVvZ3JhcGg7 bXNvLWxpbmUtaGVpZ2h0LWFsdDoNCiAgLjc1cHQnPjxiPjxzcGFuIHN0eWxlPSdjb2xvcjojNjY5 OTMzJz6m5rDKuXG43KFHPC9zcGFuPjwvYj48c3BhbiBsYW5nPUVOLVVTPjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCiAgPC90ZD4NCiAgPHRkIHdpZHRoPTMzMCBzdHlsZT0nd2lkdGg6MjQ3LjQ1cHQ7 cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0Oi43NXB0JyBib3JkZXJj b2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J21hcmdpbi10b3A6Mi4yNXB0O21hcmdp bi1yaWdodDowY207bWFyZ2luLWJvdHRvbToyLjI1cHQ7bWFyZ2luLWxlZnQ6DQogIDBjbTt0ZXh0 LWFsaWduOmp1c3RpZnk7dGV4dC1qdXN0aWZ5OmludGVyLWlkZW9ncmFwaDtsaW5lLWhlaWdodDox NTAlJz48c3Bhbg0KICBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjp5ZWxsb3cnPjxJTlBVVCBUWVBF PSJ0ZXh0IiBTSVpFPSIxNCIgTkFNRT0iwXC1uLlxuNwtpdWk0SI+PC9zcGFuPjwvcD4NCiAgPHAg c3R5bGU9J21hcmdpbi10b3A6Mi4yNXB0O21hcmdpbi1yaWdodDowY207bWFyZ2luLWJvdHRvbToy LjI1cHQ7bWFyZ2luLWxlZnQ6DQogIDBjbTt0ZXh0LWFsaWduOmp1c3RpZnk7dGV4dC1qdXN0aWZ5 OmludGVyLWlkZW9ncmFwaDttc28tbGluZS1oZWlnaHQtYWx0Oi43NXB0Jz48c3Bhbg0KICBsYW5n PUVOLVVTIHN0eWxlPSdjb2xvcjp5ZWxsb3cnPjxJTlBVVCBUWVBFPSJ0ZXh0IiBTSVpFPSIxNCIg TkFNRT0iwXC1uLlxuNwtpu2uYSI+PC9zcGFuPjwvcD4NCiAgPC90ZD4NCiA8L3RyPg0KIDx0ciBz dHlsZT0naGVpZ2h0Oi43NXB0Jz4NCiAgPHRkIHdpZHRoPTE2OSBzdHlsZT0nd2lkdGg6MTI3LjA1 cHQ7cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0Oi43NXB0JyBib3Jk ZXJjb2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3RleHQtYWxpZ246anVzdGlmeTt0 ZXh0LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoO21zby1saW5lLWhlaWdodC1hbHQ6DQogIC43NXB0 Jz48Yj48c3BhbiBzdHlsZT0nY29sb3I6IzY2OTkzMyc+s8yk6KtLwXC1uK7JtqE8L3NwYW4+PC9i PjxzcGFuIGxhbmc9RU4tVVM+PG86cD48L286cD48L3NwYW4+PC9wPg0KICA8L3RkPg0KICA8dGQg d2lkdGg9MzMwIHN0eWxlPSd3aWR0aDoyNDcuNDVwdDtwYWRkaW5nOi43NXB0IC43NXB0IC43NXB0 IC43NXB0Ow0KICBoZWlnaHQ6Ljc1cHQnIGJvcmRlcmNvbG9ybGlnaHQ9IiM4MDgwODAiPg0KICA8 cCBzdHlsZT0ndGV4dC1hbGlnbjpqdXN0aWZ5O3RleHQtanVzdGlmeTppbnRlci1pZGVvZ3JhcGg7 bXNvLWxpbmUtaGVpZ2h0LWFsdDoNCiAgLjc1cHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2Nv bG9yOnllbGxvdyc+PFNFTEVDVCBOQU1FPSKzzKToq0vBcLW4rsm2oS2sULTBIj4NCjxPUFRJT04g U0VMRUNURUQ+vdC/777cDQo8T1BUSU9OPqxQtMGkQA0KPE9QVElPTj6sULTBpEcNCjxPUFRJT04+ rFC0waRUDQo8T1BUSU9OPqxQtMGlfA0KPE9QVElPTj6sULTBpK0NCjxPUFRJT04+rFC0waS7DQo8 T1BUSU9OPqxQtMGk6Q0KPE9QVElPTj6zo6VppUgNCjwvU0VMRUNUPjxTRUxFQ1QgTkFNRT0is8yk 6KtLwXC1uK7JtqEtrsmscSI+DQo8T1BUSU9OIFNFTEVDVEVEPr3Qv+++3A0KPE9QVElPTj6kV6TI OS0xMg0KPE9QVElPTj6kpKTIMTItMQ0KPE9QVElPTj6kVaTIMS01DQo8T1BUSU9OPrHfpFc4LTEw DQo8T1BUSU9OPrHfpFc5LTExDQo8T1BUSU9OPrOjpWmlSA0KPC9TRUxFQ1Q+PC9zcGFuPjwvcD4N CiAgPC90ZD4NCiA8L3RyPg0KIDx0ciBzdHlsZT0naGVpZ2h0OjE4LjBwdCc+DQogIDx0ZCB3aWR0 aD0xNjkgc3R5bGU9J3dpZHRoOjEyNy4wNXB0O3BhZGRpbmc6Ljc1cHQgLjc1cHQgLjc1cHQgLjc1 cHQ7DQogIGhlaWdodDoxOC4wcHQnIGJvcmRlcmNvbG9ybGlnaHQ9IiM4MDgwODAiPg0KICA8cCBz dHlsZT0ndGV4dC1hbGlnbjpqdXN0aWZ5O3RleHQtanVzdGlmeTppbnRlci1pZGVvZ3JhcGgnPjxi PjxzcGFuDQogIHN0eWxlPSdjb2xvcjojNjY5OTMzJz6mYad9PC9zcGFuPjwvYj48c3BhbiBsYW5n PUVOLVVTPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCiAgPC90ZD4NCiAgPHRkIHdpZHRoPTMzMCBz dHlsZT0nd2lkdGg6MjQ3LjQ1cHQ7cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsNCiAg aGVpZ2h0OjE4LjBwdCcgYm9yZGVyY29sb3JsaWdodD0iIzgwODA4MCI+DQogIDxwIHN0eWxlPSd0 ZXh0LWFsaWduOmp1c3RpZnk7dGV4dC1qdXN0aWZ5OmludGVyLWlkZW9ncmFwaCc+PHNwYW4gbGFu Zz1FTi1VUw0KICBzdHlsZT0nY29sb3I6eWVsbG93Jz48SU5QVVQgVFlQRT0idGV4dCIgU0laRT0i NDkiIE5BTUU9IqZhp30iPjwvc3Bhbj48L3A+DQogIDwvdGQ+DQogPC90cj4NCiA8dHIgc3R5bGU9 J2hlaWdodDoxMi43NXB0Jz4NCiAgPHRkIHdpZHRoPTE2OSBzdHlsZT0nd2lkdGg6MTI3LjA1cHQ7 cGFkZGluZzouNzVwdCAuNzVwdCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0OjEyLjc1cHQnIGJvcmRl cmNvbG9ybGlnaHQ9IiM4MDgwODAiPg0KICA8cCBzdHlsZT0ndGV4dC1hbGlnbjpqdXN0aWZ5O3Rl eHQtanVzdGlmeTppbnRlci1pZGVvZ3JhcGgnPjxiPjxzcGFuDQogIHN0eWxlPSdjb2xvcjojNjY5 OTMzJz65caRstmyl8zwvc3Bhbj48L2I+PHNwYW4gbGFuZz1FTi1VUz48bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQogIDwvdGQ+DQogIDx0ZCB3aWR0aD0zMzAgc3R5bGU9J3dpZHRoOjI0Ny40NXB0O3Bh ZGRpbmc6Ljc1cHQgLjc1cHQgLjc1cHQgLjc1cHQ7DQogIGhlaWdodDoxMi43NXB0JyBib3JkZXJj b2xvcmxpZ2h0PSIjODA4MDgwIj4NCiAgPHAgc3R5bGU9J3RleHQtYWxpZ246anVzdGlmeTt0ZXh0 LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48c3BhbiBsYW5nPUVOLVVTDQogIHN0eWxlPSdjb2xv cjp5ZWxsb3cnPjxJTlBVVCBUWVBFPSJ0ZXh0IiBTSVpFPSI0OSIgTkFNRT0iuXGkbLZspfMiPjwv c3Bhbj48L3A+DQogIDwvdGQ+DQogPC90cj4NCiA8dHIgc3R5bGU9J2hlaWdodDozMi4yNXB0Jz4N CiAgPHRkIHdpZHRoPTE2OSBzdHlsZT0nd2lkdGg6MTI3LjA1cHQ7cGFkZGluZzouNzVwdCAuNzVw dCAuNzVwdCAuNzVwdDsNCiAgaGVpZ2h0OjMyLjI1cHQnIGJvcmRlcmNvbG9ybGlnaHQ9IiM4MDgw ODAiPg0KICA8cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J3RleHQtYWxpZ246anVzdGlmeTt0ZXh0 LWp1c3RpZnk6aW50ZXItaWRlb2dyYXBoJz48Yj48c3Bhbg0KICBzdHlsZT0nY29sb3I6IzY2OTkz Myc+q9jEs6jGtrU8L3NwYW4+PC9iPjxzcGFuIGxhbmc9RU4tVVM+PG86cD48L286cD48L3NwYW4+ PC9wPg0KICA8L3RkPg0KICA8dGQgd2lkdGg9MzMwIHN0eWxlPSd3aWR0aDoyNDcuNDVwdDtwYWRk aW5nOi43NXB0IC43NXB0IC43NXB0IC43NXB0Ow0KICBoZWlnaHQ6MzIuMjVwdCcgYm9yZGVyY29s b3JsaWdodD0iIzgwODA4MCI+DQogIDxwIHN0eWxlPSd0ZXh0LWFsaWduOmp1c3RpZnk7dGV4dC1q dXN0aWZ5OmludGVyLWlkZW9ncmFwaCc+PHNwYW4gbGFuZz1FTi1VUw0KICBzdHlsZT0nY29sb3I6 eWVsbG93Jz48SU5QVVQgVFlQRT0idGV4dCIgU0laRT0iNDkiIE5BTUU9IqvYxLOoxra1Ij48L3Nw YW4+PC9wPg0KICA8L3RkPg0KIDwvdHI+DQo8L3RhYmxlPg0KDQo8L2Rpdj4NCg0KPHAgYWxpZ249 Y2VudGVyIHN0eWxlPSdtYXJnaW4tdG9wOjIuMjVwdDttYXJnaW4tcmlnaHQ6MGNtO21hcmdpbi1i b3R0b206Mi4yNXB0Ow0KbWFyZ2luLWxlZnQ6MGNtO3RleHQtYWxpZ246Y2VudGVyO2xpbmUtaGVp Z2h0OjE1MCUnPjxzcGFuIGxhbmc9RU4tVVMNCnN0eWxlPSdjb2xvcjojNjYwMENDJz48SU5QVVQg VFlQRT0ic3VibWl0IiBBQ1RJT049Im1haWx0bzpzaGluODhAMTYzLmNvbT9zdWJqZWN0PafarW6w 0aVbpf6lwbNzwuq2V7DTqMa3frnOtqQiIFZBTFVFPSKn2q1upVukSqjGt36l66bxoUGwZaVYuOqu xiIgRU5DVFlQRT0idGV4dC9wbGFpbiIgTUVUSE9EPSJwb3N0IiBOQU1FPSK9VLt7Ig0KQUNUSU9O PSJtYWlsdG86c2hpbjg4QDE2My5jb20/c3ViamVjdD2n2q1usNGlW6X+pcGzc8Lqtlew06jGt365 zrakIiBFTkNUWVBFPSJ0ZXh0L3BsYWluIg0KTUVUSE9EPXBvc3QgQUNUSU9OPSJtYWlsdG86c2hp bjg4QDE2My5jb20/c3ViamVjdD2n2q1usNGlW6X+pcGzc8Lqtlew06jGt365zrakIg0KRU5DVFlQ RT0idGV4dC9wbGFpbiIgTUVUSE9EPXBvc3QNCkFDVElPTj0ibWFpbHRvOnNoaW44OEAxNjMuY29t P3N1YmplY3Q9p9qtbrDRpVul/qXBs3PC6rZXsNOoxrd+uc62pCIgRU5DVFlQRT0idGV4dC9wbGFp biINCk1FVEhPRD1wb3N0IEFDVElPTj0ibWFpbHRvOnNoaW44OEAxNjMuY29tP3N1YmplY3Q9p9qt brDRpVul/qXBs3PC6rZXsNOoxrd+uc62pCINCkVOQ1RZUEU9InRleHQvcGxhaW4iIE1FVEhPRD1w b3N0DQpBQ1RJT049Im1haWx0bzpzaGluODhAMTYzLmNvbT9zdWJqZWN0PafarW6w0aVbpf6lwbNz wuq2V7DTqMa3frnOtqQiIEVOQ1RZUEU9InRleHQvcGxhaW4iDQpNRVRIT0Q9cG9zdCBBQ1RJT049 Im1haWx0bzpzaGluODhAMTYzLmNvbT9zdWJqZWN0PafarW6w0aVbpf6lwbNzwuq2V7DTqMa3frnO tqQiDQpFTkNUWVBFPSJ0ZXh0L3BsYWluIiBNRVRIT0Q9cG9zdA0KQUNUSU9OPSJtYWlsdG86c2hp bjg4QDE2My5jb20/c3ViamVjdD2n2q1usNGlW6X+pcGzc8Lqtlew06jGt365zrakIiBFTkNUWVBF PSJ0ZXh0L3BsYWluIg0KTUVUSE9EPXBvc3QgQUNUSU9OPSJtYWlsdG86c2hpbjg4QDE2My5jb20/ c3ViamVjdD2n2q1usNGlW6X+pcGzc8Lqtlew06jGt365zrakIg0KRU5DVFlQRT0idGV4dC9wbGFp biIgTUVUSE9EPXBvc3Q+PElOUFVUIFRZUEU9InJlc2V0IiBWQUxVRT0irau28SIgTkFNRT0irau2 8SI+PC9zcGFuPjwvcD4NCg0KPC9mb3JtPg0KDQo8L2Rpdj4NCg0KPC9ib2R5Pg0KDQo8L2h0bWw+ ------=_NextPart_ImvQplYhpjbTdHPLK1wrjpAmK08AA-- ------=_NextPart_ImvQplYhpjbTdHPLK1wrjpAmK08-- -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Tue Nov 19 15:20:48 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA15471 for ; Tue, 19 Nov 2002 15:20:47 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAJKMXKV026989; Tue, 19 Nov 2002 21:22:33 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAJKMW201680; Tue, 19 Nov 2002 21:22:32 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id VAA20089; Tue, 19 Nov 2002 21:22:03 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id VAA20085 for ; Tue, 19 Nov 2002 21:22:02 +0100 (MET) Received: from nomadiclab.com (cube.local.nikander.com [192.168.0.33]) by n97.nomadiclab.com (Postfix) with ESMTP id 32DF11C for ; Tue, 19 Nov 2002 22:28:19 +0200 (EET) Message-ID: <3DDA9D3F.9060402@nomadiclab.com> Date: Tue, 19 Nov 2002 22:21:19 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021114 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-send@standards.ericsson.net Subject: Re: Anybody willing to act as a text conferecing scribe at Atlanta? References: <3DD23A40.2040303@nomadiclab.com> In-Reply-To: <3DD23A40.2040303@nomadiclab.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Pekka Nikander wrote: > > For the first time, there will be text conferencing > available at the IETF meeting (see the attached note). > ... Instead, I'm planning to stay up in > the night to participate to the WG meeting remotely. Unfortunately jabber does not seem to work for me from home. It worked OK from office. Thus, I will *not* be at the jabber text conference during the WG meeting. Sorry. I hope you all have a productive meeting! --Pekka Nikander -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Tue Nov 19 23:30:00 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA16862 for ; Tue, 19 Nov 2002 23:29:59 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAK4W7Q1001285; Wed, 20 Nov 2002 05:32:07 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAK4W6Z05322; Wed, 20 Nov 2002 05:32:06 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id FAA08366; Wed, 20 Nov 2002 05:31:33 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from netcore.fi (netcore.fi [193.94.160.1]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id FAA08362 for ; Wed, 20 Nov 2002 05:31:31 +0100 (MET) Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id gAK4VUH06341; Wed, 20 Nov 2002 06:31:30 +0200 Date: Wed, 20 Nov 2002 06:31:30 +0200 (EET) From: Pekka Savola To: Pekka Nikander cc: ietf-send@standards.ericsson.net Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt In-Reply-To: <3DD7FBBD.5050606@nomadiclab.com> Message-ID: MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="1589707168-1921005933-1037766690=:6282" Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. --1589707168-1921005933-1037766690=:6282 Content-Type: TEXT/PLAIN; charset=US-ASCII On Sun, 17 Nov 2002, Pekka Nikander wrote: > > Substantial: > > > > 1) I think there should be another trust model, or s subcategory of one: > > "semi-trusted". Model 1 is useless other than as a trust model of the > > current state. E.g. intranet nodes really _should_ be semi-trusted, not > > completely trusted. Semi-trusted network would have to be protected from > > packet hijacking, MITM, etc. -- but not necessarily DoS attacks. > > That would be interesting. Do you care to contribute some text to > be included? I've included a diff of some required changes this trust model would bring. Some further analysis would be needed, of course, but this should be enough to be able to see whether this is something that will need consideration. Note that I *don't* assume the traffic must be enscrypted, as suggested in an earlier message. If I'm wrong this has a few implications, at least: 1) this threat model doesn't seem to be useful 2) wording has to be clarified wrt. encryption etc. 3) "redirect" attacks should be clarified to be _bombing_ attacks against someone else in the subnet, not redirects to yourself. I don't believe we can assume full encryption: it may be something that may be a required item for the protections to work in Public LAN or Adhoc case, but I don't see this being realistic in corporate cases. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords --1589707168-1921005933-1037766690=:6282 Content-Type: TEXT/PLAIN; charset=ISO-8859-1; name="send-4th-threat-model.diff" Content-ID: Content-Description: Content-Disposition: attachment; filename="send-4th-threat-model.diff" Content-Transfer-Encoding: BASE64 LS0tIGRyYWZ0LWlldGYtc2VuZC1wc3JlcS0wMC50eHQJV2VkIE5vdiAyMCAw NDowNTo1NiAyMDAyDQorKysgZHJhZnQtaWV0Zi1zZW5kLXBzcmVxLTAwLnR4 dC5iaXMJV2VkIE5vdiAyMCAxMDoyMDoxMCAyMDAyDQpAQCAtMzQsNyArMzQs NyBAQA0KICAgIGFuZCBBZGRyZXNzIEF1dG9jb25maWd1cmF0aW9uIG1lY2hh bmlzbXMgTUFZIGJlIHByb3RlY3RlZCB3aXRoDQogICAgSVBzZWMgQUguICBI b3dldmVyLCB0aGUgY3VycmVudCBzcGVjaWZpY2F0aW9ucyBsaW1pdCB0aGUg c2VjdXJpdHkNCiAgICBzb2x1dGlvbnMgdG8gbWFudWFsIGtleWluZyBkdWUg dG8gcHJhY3RpY2FsIHByb2JsZW1zIGZhY2VkIHdpdGgNCi0gICBhdXRvbWF0 aWMga2V5IG1hbmFnZW1lbnQuICBUaGlzIGRvY3VtZW50IHNwZWNpZmllcyB0 aHJlZSBkaWZmZXJlbnQNCisgICBhdXRvbWF0aWMga2V5IG1hbmFnZW1lbnQu ICBUaGlzIGRvY3VtZW50IHNwZWNpZmllcyBmb3VyIGRpZmZlcmVudA0KICAg IHRydXN0IG1vZGVscyBhbmQgZGlzY3Vzc2VzIHRoZSB0aHJlYXRzIHBlcnRp ZW50IHRvIElQdjYgTmVpZ2hib3INCiAgICBEaXNjb3ZlcnkuICBUaGUgcHVy cG9zZSBvZiB0aGlzIGRpc2N1c3Npb24gaXMgdG8gZGVmaW5lIHRoZQ0KICAg IHJlcXVpcmVtZW50cyBmb3IgU2VjdXJpbmcgSVB2NiBOZWlnYm9yIERpc2Nv dmVyeS4NCkBAIC00OCw4ICs0OCw5IEBADQogICAgMi4wIFByZXZpb3VzIFdv cmsNCiAgICAzLjAgVHJ1c3QgbW9kZWxzDQogICAgICAgIDMuMSBDb3Jwb3Jh dGUgSW50cmFuZXQgTW9kZWwNCi0gICAgICAgMy4yIFB1YmxpYyBXaXJlbGVz cyBOZXR3b3JrIHdpdGggYW4gT3BlcmF0b3INCi0gICAgICAgMy4zIEFkIEhv YyBOZXR3b3JrDQorICAgICAgIDMuMiBTZW1pLXRydXN0ZWQgQ29ycG9yYXRl IE5ldHdvcmsgTW9kZWwNCisgICAgICAgMy4zIFB1YmxpYyBXaXJlbGVzcyBO ZXR3b3JrIHdpdGggYW4gT3BlcmF0b3INCisgICAgICAgMy40IEFkIEhvYyBO ZXR3b3JrDQogICAgNC4wIFRocmVhdHMgb24gYSAoUHVibGljKSBNdWx0aS1B Y2Nlc3MgTGluaw0KICAgICAgICA0LjEgTm9uIHJvdXRlci9yb3V0aW5nIHJl bGF0ZWQgdGhyZWF0cw0KICAgICAgICAgICAgNC4xLjEgTmVpZ2hib3IgU29s aWNpdGF0aW9uL0FkdmVydGlzZW1lbnQgU3Bvb2ZpbmcgDQpAQCAtOTAsOSAr OTEsMTAgQEANCiANCiAgICBUaGUgcHVycG9zZSBvZiB0aGlzIGRvY3VtZW50 IGlzIHRvIGRlZmluZSB0aGUgdHlwZXMgb2YgbmV0d29ya3MgdGhlDQogICAg U2VjdXJlIElQdjYgTmVpZ2hib3IgRGlzY292ZXJ5IG1lY2hhbmlzbXMgYXJl IGV4cGVjdGVkIHRvIHdvcmssIGFuZA0KLSAgIHRoZSB0aHJlYXRzIHRoYXQg dGhlIHNlY3VyaXR5IHByb3RvY29sKHMpIG11c3QgYWRkcmVzcy4gIFRvIGZ1 bGZpbA0KLSAgIHRoaXMgcHVycG9zZSwgdGhpcyBkb2N1bWVudCBmaXJzdCBk ZWZpbmVzIHRocmVlIGRpZmZlcmVudCB0cnVzdA0KKyAgIHRoZSB0aHJlYXRz IHRoYXQgdGhlIHNlY3VyaXR5IHByb3RvY29sKHMpIG11c3QgYWRkcmVzcy4g IFRvIGZ1bGZpbGwNCisgICB0aGlzIHB1cnBvc2UsIHRoaXMgZG9jdW1lbnQg Zmlyc3QgZGVmaW5lcyBmb3VyIGRpZmZlcmVudCB0cnVzdA0KICAgIG1vZGVs cywgcm91Z2hseSBjb3JyZXNwb25kaW5nIHRvIHNlY3VyZWQgY29ycG9yYXRl IGludHJhbmV0cywNCisgICBzZW1pLXRydXN0ZWQgY29ycG9yYXRlIG5ldHdv cmtzLA0KICAgIHB1YmxpYyB3aXJlbGVzcyBhY2Nlc3MgbmV0d29ya3MsIGFu ZCBwdXJlIGFkIGhvYyBuZXR3cm9rcy4gIEFmdGVyDQogICAgdGhhdCwgYSBu dW1iZXIgb2YgdGhyZWF0cyBpcyBhcmUgZGlzY3Vzc2VkIGluIHRoZSBsaWdo dCBvZiB0aGVzZQ0KICAgIHRydXN0IG1vZGVscy4gIFRoZSB0aHJlYXQgY2F0 YWxvZyBpcyBhaW1lZCB0byBiZSBleGhhdXN0aXZlLCBidXQgaXQNCkBAIC0x NTYsMjAgKzE1OCwzMiBAQA0KIAwNCiBkcmFmdC1pZXRmLXNlbmQtcHNyZXEt MDAudHh0ICAgICAgICAgICAgICAgICAgICAgICAgUC4gTmlrYW5kZXIgKGVk aXRvcikNCiANCi0gICBUaHJlZSBkaWZmZXJlbnQgdHJ1c3QgbW9kZWxzIGFy ZSBzcGVjaWZpZWQ6DQorICAgRm91ciBkaWZmZXJlbnQgdHJ1c3QgbW9kZWxz IGFyZSBzcGVjaWZpZWQ6DQogDQogICAgICAxLiBBIG1vZGVsIHdoZXJlIGFs bCBhdXRoZW50aWNhdGVkIG5vZGVzIHRydXN0IGVhY2ggb3RoZXIuDQogICAg ICAgICBUaGlzIG1vZGVsIGlzIHRob3VnaHQgdG8gcmVwcmVzZW50IGEgc2l0 dWF0aW9uIHdoZXJlIHRoZSBub2Rlcw0KICAgICAgICAgYXJlIHVuZGVyIGEg c2luZ2xlIGFkbWluaXN0cmF0aW9uIGFuZCBmb3JtIGEgY2xvc2VkIG9yDQog ICAgICAgICBzZW1pLWNsb3NlZCBncm91cC4gIEEgY29ycG9yYXRlIGludHJh bmV0IGlzIGEgZ29vZCBleGFtcGxlLg0KIA0KLSAgICAgMi4gQSBtb2RlbCB3 aGVyZSB0aGVyZSBpcyBhIHJvdXRlciB0cnVzdGVkIGJ5IHRoZSBvdGhlciAN CisgICAgIDIuIEEgbW9kZWwgd2hlcmUgYWxsIGF1dGhlbnRpY2F0ZWQgbm9k ZXMgdHJ1c3QgZWFjaCBvdGhlciwgYnV0DQorICAgICAgICBvbmx5IHRvIGEg Y2VydGFpbiBleHRlbnQuICBIZXJlLCB0aGUgYXV0aGVudGljYXRlZCBub2Rl cw0KKyAgICAgICAgYXJlIHBhcnRpYWxseSB0cnVzdGVkLCB0aGF0IGlzLCBp dCBpcyBhc3N1bWVkIHRoZXkgYmVoYXZlIA0KKyAgICAgICAgcHJvcGVybHks IGJ1dCBpdCBpcyBkZWVtZWQgZGVzaXJhYmxlIHRvIGxpbWl0IHRoZSBleHRl bnQgb2YgDQorICAgICAgICBkYW1hZ2UgdGhleSdyZSBhYmxlIHRvIGluZmxp Y3QgdG8gdGhlIGxvY2FsIG5ldHdvcmsgaWYgdGhleQ0KKyAgICAgICAgc3Rh cnQgbWlzYmVoYXZpbmcgKGUuZy4gdGhyb3VnaCBhIHNlY3VyaXR5IGNvbXBy b21pc2UpLg0KKyAgICAgICAgVGhpcyBtb2RlbCBpcyB0aG91Z2h0IHRvIHJl cHJlc2VudCBhIHNpdHVhdGlvbiB3aGVyZSB0aGUgbm9kZXMNCisgICAgICAg IGFyZSB1bmRlciBhIHNpbmdsZSBhZG1pbmlzdHJhdGlvbiBhbmQgZm9ybSBh IGNsb3NlZCBvcg0KKyAgICAgICAgc2VtaS1jbG9zZWQgZ3JvdXAsIGJ1dCB3 aGVyZSB0aGUgcmlzayBvZiBzZWN1cml0eSBjb21wcm9taXNlIGlzDQorICAg ICAgICBzdGlsbCBzaWduaWZpY2FudC4gIEEgY29ycG9yYXRlIG5ldHdvcmsg Y29udGFpbmluZyBtYW55IHB1YmxpYw0KKyAgICAgICAgc2VydmljZXMgaXMg YSBnb29kIGV4YW1wbGUuDQorDQorICAgICAzLiBBIG1vZGVsIHdoZXJlIHRo ZXJlIGlzIGEgcm91dGVyIHRydXN0ZWQgYnkgdGhlIG90aGVyIA0KICAgICAg ICAgbm9kZXMgaW4gdGhlIG5ldHdvcmsuICBUaGlzIG1vZGVsIGlzIHRob3Vn aHQgdG8gcmVwcmVzZW50DQogICAgICAgICBhIHB1YmxpYyBuZXR3b3JrIHJ1 biBieSBhbiBvcGVyYXRvci4gIFRoZSBjbGllbnRzIHBheSB0bw0KICAgICAg ICAgdGhlIG9wZXJhdG9yLCBoYXZlIGl0cyBjcmVkZW50aWFscywgYW5kIHRy dXN0IGl0IHRvIHByb3ZpZGUNCiAgICAgICAgIHRoZSBzZXJ2aWNlLiAgVGhl IGNsaWVudHMgZG8gbm90IHRydXN0IGVhY2ggb3RoZXIuDQogDQotICAgICAz LiBBIG1vZGVsIHdoZXJlIHRoZSBub2RlcyBkbyBub3QgZGlyZWN0bHkgdHJ1 c3QgZWFjaCBvdGhlcg0KKyAgICAgNC4gQSBtb2RlbCB3aGVyZSB0aGUgbm9k ZXMgZG8gbm90IGRpcmVjdGx5IHRydXN0IGVhY2ggb3RoZXINCiAgICAgICAg IGF0IHRoZSBJUCBsYXllci4gIFRoaXMgbW9kZWwgaXMgY29uc2lkZXJlZCBz dWl0YWJsZSBmb3INCiAgICAgICAgIGUuZy4sIGFkIGhvYyBuZXR3b3Jrcy4N CiANCkBAIC0yMDMsNyArMjE3LDI2IEBADQogICAga2V5IGRpc3RyaWJ1dGlv biBtZWNoYW5pc21zIHdvcmsgcmlnaHQgb3V0LW9mLXRoZS1ib3guICBGb3Ig ZnVydGhlcg0KICAgIGRldGFpbHMsIHNlZSBbSUtFLU5EXS4NCiANCi0zLjIg ICAgICAgICBQdWJsaWMgV2lyZWxlc3MgTmV0d29yayB3aXRoIGFuIE9wZXJh dG9yDQorMy4yICAgICAgICAgU2VtaS10cnVzdGVkIENvcnBvcmF0ZSBOZXR3 b3JrIE1vZGVsDQorDQorICAgSW4gc29tZSBjb3Jwb3JhdGUgbmV0d29ya3Ms IGV2ZW4gdGhvdWdoIGFsbCBub2RlcyBhcmUgdW5kZXINCisgICBvbmUgYWRt aW5pc3RyYXRpdmUgZG9tYWluLCB0aGUgY29zdCBvZiBhIG5vZGUgc3RhcnRp bmcgdG8gYmVoYXZlDQorICAgYmFkbHkgKGUuZy4gYWZ0ZXIgYW4gaW50cnVz aW9uIHRocm91Z2ggYSBzZWN1cml0eSB2dWxuZXJhYmlsaXR5KQ0KKyAgIG1h eSBiZSB0b28gaGlnaC4gIA0KKw0KKyAgIFRoZSBub2RlcyBtYXkgYmUgY29u c2lkZXJlZCB0byBiZSB1c3VhbGx5IHJlbGlhYmxlIGF0IHRoZSBJUCBsYXll ci4gIA0KKyAgIFRodXMsIG9uY2UgYSBub2RlIGhhcyBiZWVuIGFjY2VwdGVk IHRvIGJlIGEgbWVtYmVyIG9mIHRoZSBuZXR3b3JrLCANCisgICBpdCBpcyBh c3N1bWVkIHRvIGJlaGF2ZSBpbiBhIHNlbWktdHJ1c3R3b3J0aHkgbWFubmVy Lg0KKw0KKyAgIEhlcmUsIGl0IGlzIGFzc3VtZWQgdGhhdCBhIG5vZGUtZ29u ZS1yb2d1ZSBiZWluZyBhYmxlIHRvIHBlcmZvcm0gDQorICAgRGVuaWFsLW9m LVNlcnZpY2UgaXMgc3RpbGwgYWNjZXB0YWJsZSwgYnV0IGhpamFja2luZyBj b25uZWN0aW9ucywNCisgICBsYXVuY2hpbmcgbWFuLWluLXRoZS1taWRkbGUg YXR0YWNrcyBldGMuIGlzIG5vdC4NCisNCisgICBUaGUgYXBwcm9hY2ggdG8g c2VjdXJlIHRoaXMgZW52aXJvbm1lbnQgaXMgYXMgZGVzY3JpYmVkIGluIHRo ZSBuZXh0DQorICAgc2VjdGlvbjsgb25lIG1heSBiZSBhYmxlIHRvIHRha2Ug c29tZSBzaG9ydGN1dHMsIGFzIGEgY2VydGFpbiBsZXZlbA0KKyAgIG9mIHRy dXN0IGlzIHN0aWxsIGFzc3VtZWQgKHNlZSBzZWN0aW9uIGFib3ZlKS4NCisN CiszLjMgICAgICAgICBQdWJsaWMgV2lyZWxlc3MgTmV0d29yayB3aXRoIGFu IE9wZXJhdG9yDQogDQogICAgQSBzY2VuYXJpbyB3aGVyZSBhbiBvcGVyYXRv ciBydW5zIGEgcHVibGljIHdpcmVsZXNzIChvciB3aXJlbGluZSkNCiAgICBu ZXR3b3JrLCBlLmcuLCBhIFdMQU4gaW4gYSBob3RlbCwgYWlyIHBvcnQsIG9y IGNhZmUsIGhhcyBhIGRpZmZlcmVudA0KQEAgLTI0Myw3ICsyNzYsNyBAQA0K ICAgIGNyeXB0b2dyYXBoaWMgcHJvdGVjdGlvbiB0byB0aGUgSUNNUHY2IHBh Y2tldHMgY2FycnlpbmcgTkQNCiAgICBtZXNzYWdlcy4gIA0KIA0KLTMuMyAg ICAgICAgICAgQWQgSG9jIE5ldHdvcmsNCiszLjQgICAgICAgICAgIEFkIEhv YyBOZXR3b3JrDQogDQogICAgSW4gYW4gYWQgaG9jIG5ldHdvcmssIG9yIGFu eSBuZXR3b3JrIHdpdGhvdXQgYSB0cnVzdGVkIG9wZXJhdG9yLA0KICAgIG5v bmUgb2YgdGhlIG5vZGVzIHRydXN0IGVhY2ggb3RoZXIuICBTaW5jZSB0aGVy ZSBhcmUgbm8gYSBwcmlvcmkNCkBAIC0zMzEsNyArMzY0LDggQEANCiAgICBB ZHZlcnRpc2VtZW50IG1lc3NhZ2VzLg0KIA0KICAgIFRoaXMgYXR0YWNrIGlz IG5vdCBhIGNvbmNlcm4gaWYgYWNjZXNzIHRvIHRoZSBsaW5rIGlzIHJlc3Ry aWN0ZWQgdG8NCi0gICB0cnVzdGVkIG5vZGVzLiAgSW4gdGhlIGNhc2UganVz dCB0aGUgb3BlcmF0b3IgaXMgdHJ1c3RlZCwgdGhlIG5vZGVzDQorICAgY29t cGxldGVseSB0cnVzdGVkIG5vZGVzLiAgSW4gdGhlIGNhc2UganVzdCB0aGUg b3BlcmF0b3IgaXMgdHJ1c3RlZCwgb3INCisgICB0aGUgb3RoZXIgbm9kZXMg YXJlIG9ubHkgc2VtaS10cnVzdGVkLCB0aGUgbm9kZXMNCiAgICBtYXkgcmVs eSBvbiB0aGUgb3BlcmF0b3IgdG8gY2VydGlmeSB0aGUgYWRkcmVzcyBiaW5k aW5ncyBmb3Igb3RoZXINCiAgICBsb2NhbCBub2Rlcy4gIEluIHRoZSBhZCBo b2MgbmV0d29yayBjYXNlLCBhbmQgb3B0aW9uYWxseSBpbiB0aGUNCiAgICB0 cnVzdGVkIG9wZXJhdG9yIGNhc2UsIHRoZSBub2RlcyBtYXkgdXNlIHNlbGYg Y2VydGlmeWluZyB0ZWNobmlxdWVzDQpAQCAtMzYyLDcgKzM5Niw3IEBADQog ICAgVGhpcyB0aHJlYXQgaW52b2x2ZXMgTmVpZ2hib3IgU29saWNpdGF0aW9u L0FkdmVydGlzZW1lbnQuDQogDQogICAgVGhpcyBhdHRhY2sgaXMgbm90IGEg Y29uY2VybiBpZiBhY2Nlc3MgdG8gdGhlIGxpbmsgaXMgcmVzdHJpY3RlZCB0 bw0KLSAgIHRydXN0ZWQgbm9kZXMuICBVbmRlciB0aGUgdHdvIG90aGVyIHRy dXN0IG1vZGVscywgYSBzb2x1dGlvbg0KKyAgIHRydXN0ZWQgb3Igc2VtaS10 cnVzdGVkIG5vZGVzLiAgVW5kZXIgdGhlIHR3byBvdGhlciB0cnVzdCBtb2Rl bHMsIGEgc29sdXRpb24NCiAgICByZXF1aXJlcyB0aGF0IHRoZSBub2RlIHBl cmZvcm1pbmcgTlVEIGlzIGFibGUgdG8gbWFrZSBhDQogICAgZGlzY3RpbmN0 aW9uIGJldHdlZW4gZ2VudWluZSBhbmQgZmFicmljYXRlZCBOQSByZXNwb25z ZXMuDQogICAgDQpAQCAtMzgxLDcgKzQxNSw3IEBADQogZHJhZnQtaWV0Zi1z ZW5kLXBzcmVxLTAwLnR4dCAgICAgICAgICAgICAgICAgICAgICAgIFAuIE5p a2FuZGVyIChlZGl0b3IpDQogICAgIA0KICAgIFRoaXMgYXR0YWNrIGlzIG5v dCBhIGNvbmNlcm4gaWYgYWNjZXNzIHRvIHRoZSBsaW5rIGlzIHJlc3RyaWN0 ZWQgdG8NCi0gICB0cnVzdGVkIG5vZGVzLiAgVW5kZXIgdGhlIHR3byBvdGhl ciB0cnVzdCBtb2RlbHMsIGEgc29sdXRpb24NCisgICB0cnVzdGVkIG9yIHNl bWktdHJ1c3RlZCBub2Rlcy4gIFVuZGVyIHRoZSB0d28gb3RoZXIgdHJ1c3Qg bW9kZWxzLCBhIHNvbHV0aW9uDQogICAgcmVxdWlyZXMgdGhhdCB0aGUgbm9k ZSBwZXJmb3JtaW5nIERBRCBpcyBhYmxlIHRvIHZlcmlmeSB3aGV0aGVyIHRo ZQ0KICAgIHNlbmRlciBvZiB0aGUgTkEgcmVzcG9uc2UgaXMgYXV0aG9yaXpl ZCB0byB1c2UgdGhlIGdpdmVuIElQIGFkZHJlc3MNCiAgICBvciBub3QuICBJ biB0aGUgdHJ1c3RlZCBvcGVyYXRvciBjYXNlLCB0aGUgb3BlcmF0b3IgbWF5 IGFjdHMgYXMgYW4NCkBAIC00MjYsNyArNDYwLDggQEANCiAgICBTb2xpY2l0 YXRpb24uIA0KIA0KICAgIFRoaXMgYXR0YWNrIGlzIG5vdCBhIGNvbmNlcm4g aWYgYWNjZXNzIHRvIHRoZSBsaW5rIGlzIHJlc3RyaWN0ZWQgdG8NCi0gICB0 cnVzdGVkIG5vZGVzLiAgSW4gdGhlIGNhc2Ugb2YgYSB0cnVzdGVkIG9wZXJh dG9yLCB0aGVyZSBtdXN0IGJlIGENCisgICBjb21wbGV0ZWx5IHRydXN0ZWQg bm9kZXMuICBJbiB0aGUgY2FzZSBvZiBhIHRydXN0ZWQgb3BlcmF0b3IsIG9y DQorICAgdGhlIG90aGVyIG5vZGVzIGFyZSBvbmx5IHNlbWktdHJ1c3RlZCwg dGhlcmUgbXVzdCBiZSBhDQogICAgbWVhbnMgZm9yIHRoZSBub2RlcyB0byBt YWtlIGEgZGlzdGluY3Rpb24gYmV0d2VlbiB0cnVzdHdvcnRoeQ0KICAgIHJv dXRlcnMsIHJ1biBieSB0aGUgb3BlcmF0b3IsIGFuZCBvdGhlciBub2Rlcy4g IFRoZXJlIGFyZSBjdXJyZW50bHkNCiAgICBubyBrbm93biBzb2x1dGlvbnMg Zm9yIHRoZSBhZCBob2MgbmV0d29yayBjYXNlLCBhbmQgdGhlIGlzc3VlDQpA QCAtNDQyLDcgKzQ3Nyw3IEBADQogICAgaW4gU2VjdGlvbiA0LjIuMS4gIFRo aXMgaXMgYSByZWRpcmVjdC9Eb1MgYXR0YWNrLg0KIA0KICAgIFRoZXJlIGFy ZSBjdXJyZW50bHkgbm8ga25vd24gc29sdXRpb25zIGZvciBhbnkgb2YgdGhl IHByZXNlbnRlZA0KLSAgIHRocmVlIHRydXN0IG1vZGVscy4gIE9uIHRoZSBv dGhlciBoYW5kLCBvbiBhIG11bHRpLXJvdXRlciBsaW5rIG9uZQ0KKyAgIGZv dXIgdHJ1c3QgbW9kZWxzLiAgT24gdGhlIG90aGVyIGhhbmQsIG9uIGEgbXVs dGktcm91dGVyIGxpbmsgb25lDQogICAgY291bGQgaW1hZ2luZSBhIHNvbHV0 aW9uIGludm9sdmluZyByZXZvY2F0aW9uIG9mIHJvdXRlciByaWdodHMuDQog ICAgVGhlIHNpdHVhdGlvbiByZW1haW5zIGFzIGEgcmVzZWFyY2ggcXVlc3Rp b24uDQogICAgIA0KQEAgLTQ2MSw3ICs0OTYsOCBAQA0KICAgIFRoaXMgdGhy ZWF0IGludm9sdmVzIFJlZGlyZWN0IG1lc3NhZ2VzLiANCiANCiAgICBUaGlz IGF0dGFjayBpcyBub3QgYSBjb25jZXJuIGlmIGFjY2VzcyB0byB0aGUgbGlu ayBpcyByZXN0cmljdGVkIHRvDQotICAgdHJ1c3RlZCBub2Rlcy4gIEluIHRo ZSBjYXNlIG9mIGEgdHJ1c3RlZCBvcGVyYXRvciwgdGhlcmUgbXVzdCBiZSBh DQorICAgY29tcGxldGVseSB0cnVzdGVkIG5vZGVzLiAgSW4gdGhlIGNhc2Ug b2YgYSB0cnVzdGVkIG9wZXJhdG9yLCBvcg0KKyAgIHRoZSBvdGhlciBub2Rl cyBiZWluZyBvbmx5IHNlbWktdHJ1c3RlZCwgdGhlcmUgbXVzdCBiZSBhDQog ICAgbWVhbnMgZm9yIHRoZSBub2RlcyB0byBtYWtlIGEgZGlzdGluY3Rpb24g YmV0d2VlbiB0cnVzdHdvcnRoeQ0KICAgIHJvdXRlcnMsIHJ1biBieSB0aGUg b3BlcmF0b3IsIGFuZCBvdGhlciBub2Rlcy4gIFRoZXJlIGFyZSBjdXJyZW50 bHkNCiAgICBubyBrbm93biBzb2x1dGlvbnMgZm9yIHRoZSBhZCBob2MgbmV0 d29yayBjYXNlLCBhbmQgdGhlIGlzc3VlDQpAQCAtNDg4LDcgKzUyNCw3IEBA DQogICAgVGhpcyB0aHJlYXQgaW52b2x2ZXMgUm91dGVyIEFkdmVydGlzZW1l bnQgbWVzc2FnZXMuIA0KICAgICANCiAgICBUaGlzIGF0dGFjayBpcyBub3Qg YSBjb25jZXJuIGlmIGFjY2VzcyB0byB0aGUgbGluayBpcyByZXN0cmljdGVk IHRvDQotICAgdHJ1c3RlZCBub2Rlcy4gIEluIHRoZSBjYXNlIG9mIGEgdHJ1 c3RlZCBvcGVyYXRvciwgdGhlcmUgbXVzdCBiZSBhDQorICAgdHJ1c3RlZCBv ciBzZW1pLXRydXN0ZWQgbm9kZXMuICBJbiB0aGUgY2FzZSBvZiBhIHRydXN0 ZWQgb3BlcmF0b3IsIHRoZXJlIG11c3QgYmUgYQ0KICAgIG1lYW5zIGZvciB0 aGUgbm9kZXMgdG8gbWFrZSBhIGRpc3RpbmN0aW9uIGJldHdlZW4gdHJ1c3R3 b3J0aHkNCiAMDQogZHJhZnQtaWV0Zi1zZW5kLXBzcmVxLTAwLnR4dCAgICAg ICAgICAgICAgICAgICAgICAgIFAuIE5pa2FuZGVyIChlZGl0b3IpDQpAQCAt NTE5LDcgKzU1NSw3IEBADQogICAgVGhpcyB0aHJlYXQgaW52b2x2ZXMgUm91 dGVyIEFkdmVydGlzZW1lbnQgbWVzc2FnZXMuIA0KICAgICANCiAgICBUaGlz IGF0dGFjayBpcyBub3QgYSBjb25jZXJuIGlmIGFjY2VzcyB0byB0aGUgbGlu ayBpcyByZXN0cmljdGVkIHRvDQotICAgdHJ1c3RlZCBub2Rlcy4gIEluIHRo ZSBjYXNlIG9mIGEgdHJ1c3RlZCBvcGVyYXRvciwgdGhlcmUgbXVzdCBiZSBh DQorICAgdHJ1c3RlZCBvciBzZW1pLXRydXN0ZWQgbm9kZXMuICBJbiB0aGUg Y2FzZSBvZiBhIHRydXN0ZWQgb3BlcmF0b3IsIHRoZXJlIG11c3QgYmUgYQ0K ICAgIG1lYW5zIGZvciB0aGUgbm9kZXMgdG8gbWFrZSBhIGRpc3RpbmN0aW9u IGJldHdlZW4gdHJ1c3R3b3J0aHkNCiAgICByb3V0ZXJzLCBydW4gYnkgdGhl IG9wZXJhdG9yLCBhbmQgb3RoZXIgbm9kZXMuICBUaGVyZSBhcmUgY3VycmVu dGx5DQogICAgbm8ga25vd24gc29sdXRpb25zIGZvciB0aGUgYWQgaG9jIG5l dHdvcmsgY2FzZSwgYW5kIHRoZSBpc3N1ZQ0KQEAgLTU1Myw3ICs1ODksNyBA QA0KICAgIFRoaXMgYXR0YWNrIGludm9sdmVzIFJvdXRlciBBZHZlcnRpc2Vt ZW50cy4gDQogICAgDQogICAgVGhpcyBhdHRhY2sgaXMgbm90IGEgY29uY2Vy biBpZiBhY2Nlc3MgdG8gdGhlIGxpbmsgaXMgcmVzdHJpY3RlZCB0bw0KLSAg IHRydXN0ZWQgbm9kZXMuICBJbiB0aGUgY2FzZSBvZiBhIHRydXN0ZWQgb3Bl cmF0b3IsIHRoZXJlIG11c3QgYmUgYQ0KKyAgIHRydXN0ZWQgb3Igc2VtaS10 cnVzdGVkIG5vZGVzLiAgSW4gdGhlIGNhc2Ugb2YgYSB0cnVzdGVkIG9wZXJh dG9yLCB0aGVyZSBtdXN0IGJlIGENCiAgICBtZWFucyBmb3IgdGhlIG5vZGVz IHRvIG1ha2UgYSBkaXN0aW5jdGlvbiBiZXR3ZWVuIHRydXN0d29ydGh5DQog ICAgcm91dGVycywgcnVuIGJ5IHRoZSBvcGVyYXRvciwgYW5kIG90aGVyIG5v ZGVzLiAgVGhlcmUgYXJlIGN1cnJlbnRseQ0KICAgIG5vIGtub3duIHNvbHV0 aW9ucyBmb3IgdGhlIGFkIGhvYyBuZXR3b3JrIGNhc2UsIGFuZCB0aGUgaXNz dWUNCkBAIC01NzcsNyArNjEzLDcgQEANCiAgICBUaGlzIGF0dGFjayBpbnZv bHZlcyBOZWlnaGJvciBTb2xpY2l0YXRpb24uIA0KIA0KICAgIFRoaXMgYXR0 YWNrIGRvZXMgbm90IGRpcmVjdGx5IGludm9sdmUgdGhlIHRydXN0IG1vZGVs cyBwcmVzZW50ZWQuDQotICAgSG93ZXZlciwgaWYgYWNjZXNzIHRvIHRoZSBs aW5rIGlzIHJlc3RyaWN0ZWQgdG8gcmVnaXN0ZWQgbm9kZXMsIGFuZA0KKyAg IEhvd2V2ZXIsIGlmIGFjY2VzcyB0byB0aGUgbGluayBpcyByZXN0cmljdGVk IHRvIHJlZ2lzdGVyZWQgbm9kZXMsIGFuZA0KICAgIHRoZSBhY2Nlc3Mgcm91 dGVyIGtlZXBzIHRyYWNrIG9mIG5vZGVzIHRoYXQgaGF2ZSByZWdpc3RlcmVk IGZvcg0KICAgIGFjY2VzcyBvbiB0aGUgbGluaywgdGhlIGF0dGFjayBtYXkg YmUgdHJpdmlhbGx5IHBsdWdnZWQuICBIb3dldmVyLA0KICAgIG5vIHN1Y2gg bWVjaGFuaXNtcyBhcmUgY3VycmVudGx5IHN0YW5kYXJkaXplZC4gIA0KQEAg LTU5NSw4ICs2MzEsOSBAQA0KICAgICAgUi9EICAgUmVkaXJlY3QvRG9TIChS ZWRpcikgb3IganVzdCBEb1MgYXR0YWNrDQogICAgICBNc2dzICBNZXNzYWdl cyBpbnZvbHZlZCBpbiB0aGUgYXR0YWNrOiBOQSwgTlMsIFJBLCBSUywgUmVk aXINCiAgICAgIDEgICAgIFByZXNlbnQgaW4gdHJ1c3QgbW9kZWwgMSAoY29y cG9yYXRlIGludHJhbmV0KQ0KLSAgICAgMiAgICAgUHJlc2VudCBpbiB0cnVz dCBtb2RlbCAyIChwdWJsaWMgb3BlcmF0b3IgcnVuIG5ldHdvcmspDQotICAg ICAzICAgICBQcmVzZW50IGluIHRydXN0IG1vZGVsIDMgKGFkIGhvYyBuZXR3 b3JrKQ0KKyAgICAgMiAgICAgUHJlc2VudCBpbiB0cnVzdCBtb2RlbCAyIChz ZW1pLXRydXN0ZWQgY29ycG9yYXRlIG5ldHdvcmspDQorICAgICAzICAgICBQ cmVzZW50IGluIHRydXN0IG1vZGVsIDMgKHB1YmxpYyBvcGVyYXRvciBydW4g bmV0d29yaykNCisgICAgIDQgICAgIFByZXNlbnQgaW4gdHJ1c3QgbW9kZWwg NCAoYWQgaG9jIG5ldHdvcmspDQogDQogICAgU3ltYm9scyBpbiB0cnVzdCBt b2RlbCBjb2x1bW5zOg0KIA0KQEAgLTYwNCwyMiArNjQxLDIyIEBADQogICAg ICArICAgICBUaGUgdGhyZWF0IGlzIHByZXNlbnQgYW5kIGF0IGxlYXN0IG9u ZSBzb2x1dGlvbiBpcyBrbm93bg0KICAgICAgUiAgICAgVGhlIHRocmVhdCBp cyBwcmVzZW50IGJ1dCBzb2x2aW5nIGl0IGlzIGEgcmVzZWFyY2ggcHJvYmxl bQ0KIA0KLSAgICstLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0rLS0tLS0rLS0tLS0tLSstLS0tLS0tKy0tLSstLS0rLS0tKw0KLSAgIHwg U2VjICAgfCBBdHRhY2sgbmFtZSAgICAgICAgICAgICAgICB8IE4vUiB8IFIv RCAgIHwgTXNncyAgfCAxIHwgMiB8IDMgfA0KLSAgICstLS0tLS0tKy0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0rLS0tLS0tLSstLS0tLS0t Ky0tLSstLS0rLS0tKw0KLSAgIHwgNC4xLjEgfCBOUy9OQSBzcG9vZmluZyAg ICAgICAgICAgICB8IE5EICB8IFJlZGlyIHwgTkEgTlMgfCAtIHwgKyB8ICsg fA0KLSAgIHwgNC4xLjIgfCBOVUQgZmFpbHVyZSAgICAgICAgICAgICAgICB8 IE5EICB8IERvUyAgIHwgTkEgTlMgfCAtIHwgKyB8ICsgfA0KLSAgIHwgNC4x LjMgfCBEQUQgRG9TICAgICAgICAgICAgICAgICAgICB8IE5EICB8IERvUyAg IHwgTkEgTlMgfCAtIHwgKyB8ICsgfA0KLSAgICstLS0tLS0tKy0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0rLS0tLS0tLSstLS0tLS0tKy0t LSstLS0rLS0tKw0KLSAgIHwgNC4yLjEgfCBNYWxpY2lvdXMgcm91dGVyICAg ICAgICAgICB8IFJEICB8IFJlZGlyIHwgUkEgUlMgfCAtIHwgKyB8IFIgfA0K LSAgIHwgNC4yLjIgfCBHb29kIHJvdXRlciBnb2VzIGJhZCAgICAgICB8IFJE ICB8IFJlZGlyIHwgUkEgUlMgfCBSIHwgUiB8IFIgfA0KLSAgIHwgNC4yLjMg fCBTcG9vZmVkIHJlZGlyZWN0ICAgICAgICAgICB8IFJEICB8IFJlZGlyIHwg UmVkaXIgfCAtIHwgKyB8IFIgfA0KLSAgIHwgNC4yLjQgfCBCb2d1cyBvbi1s aW5rIHByZWZpeCAgICAgICB8IFJEICB8IERvUyAgIHwgUkEgICAgfCAtIHwg KyB8IFIgfA0KLSAgIHwgNC4yLjUgfCBCb2d1cyBhZGRyZXNzIGNvbmZpZyBw cmVmaXh8IFJEICB8IERvUyAgIHwgUkEgICAgfCAtIHwgKyB8IFIgfA0KLSAg IHwgNC4yLjYgfCBQYXJhbWV0ZXIgc3Bvb2ZpbmcgICAgICAgICB8IFJEICB8 IERvUyAgIHwgUkEgICAgfCAtIHwgKyB8IFIgfCAgIA0KLSAgICstLS0tLS0t Ky0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0rLS0tLS0tLSst LS0tLS0tKy0tLSstLS0rLS0tKw0KLSAgIHwgNC4zLjEgfCBSZW1vdGUgTkQg RG9TICAgICAgICAgICAgICB8IE5EICB8IERvUyAgIHwgTlMgICAgfCArIHwg KyB8ICsgfA0KLSAgICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0rLS0tLS0rLS0tLS0tLSstLS0tLS0tKy0tLSstLS0rLS0tKyAgICAN CisgKy0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0t LSstLS0tLS0tKy0tLS0tLS0rLS0tKy0tLSstLS0rLS0tKw0KKyB8IFNlYyAg IHwgQXR0YWNrIG5hbWUgICAgICAgICAgICAgICAgfCBOL1IgfCBSL0QgICB8 IE1zZ3MgIHwgMSB8IDIgfCAzIHwgNCB8IA0KKyArLS0tLS0tLSstLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tKy0tLS0tLS0rLS0tLS0tLSst LS0rLS0tKy0tLSstLS0rDQorIHwgNC4xLjEgfCBOUy9OQSBzcG9vZmluZyAg ICAgICAgICAgICB8IE5EICB8IFJlZGlyIHwgTkEgTlMgfCAtIHwgKyB8ICsg fCArIHwNCisgfCA0LjEuMiB8IE5VRCBmYWlsdXJlICAgICAgICAgICAgICAg IHwgTkQgIHwgRG9TICAgfCBOQSBOUyB8IC0gfCAtIHwgKyB8ICsgfA0KKyB8 IDQuMS4zIHwgREFEIERvUyAgICAgICAgICAgICAgICAgICAgfCBORCAgfCBE b1MgICB8IE5BIE5TIHwgLSB8IC0gfCArIHwgKyB8DQorICstLS0tLS0tKy0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0rLS0tLS0tLSstLS0t LS0tKy0tLSstLS0rLS0tKy0tLSsNCisgfCA0LjIuMSB8IE1hbGljaW91cyBy b3V0ZXIgICAgICAgICAgIHwgUkQgIHwgUmVkaXIgfCBSQSBSUyB8IC0gfCAr IHwgKyB8IFIgfA0KKyB8IDQuMi4yIHwgR29vZCByb3V0ZXIgZ29lcyBiYWQg ICAgICAgfCBSRCAgfCBSZWRpciB8IFJBIFJTIHwgUiB8IFIgfCBSIHwgUiB8 DQorIHwgNC4yLjMgfCBTcG9vZmVkIHJlZGlyZWN0ICAgICAgICAgICB8IFJE ICB8IFJlZGlyIHwgUmVkaXIgfCAtIHwgKyB8ICsgfCBSIHwNCisgfCA0LjIu NCB8IEJvZ3VzIG9uLWxpbmsgcHJlZml4ICAgICAgIHwgUkQgIHwgRG9TICAg fCBSQSAgICB8IC0gfCAtIHwgKyB8IFIgfA0KKyB8IDQuMi41IHwgQm9ndXMg YWRkcmVzcyBjb25maWcgcHJlZml4fCBSRCAgfCBEb1MgICB8IFJBICAgIHwg LSB8IC0gfCArIHwgUiB8DQorIHwgNC4yLjYgfCBQYXJhbWV0ZXIgc3Bvb2Zp bmcgICAgICAgICB8IFJEICB8IERvUyAgIHwgUkEgICAgfCAtIHwgLSB8ICsg fCBSIHwgICANCisgKy0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLSstLS0tLSstLS0tLS0tKy0tLS0tLS0rLS0tKy0tLSstLS0rLS0tKw0K KyB8IDQuMy4xIHwgUmVtb3RlIE5EIERvUyAgICAgICAgICAgICAgfCBORCAg fCBEb1MgICB8IE5TICAgIHwgKyB8ICsgfCArIHwgKyB8DQorICstLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0rLS0tLS0tLSst LS0tLS0tKy0tLSstLS0rLS0tKy0tLSsgICAgDQogDA0KIGRyYWZ0LWlldGYt c2VuZC1wc3JlcS0wMC50eHQgICAgICAgICAgICAgICAgICAgICAgICBQLiBO aWthbmRlciAoZWRpdG9yKQ0KICAgICANCkBAIC02MzMsNyArNjcwLDcgQEAN CiAgICBUaGFua3MgdG8gQWxwZXIgWWVnaW4gb2YgRG9Db01vIENvbW11bmlj YXRpb25zIExhYm9yYXRvcmllcyBVU0EgZm9yDQogICAgaWRlbnRpZnlpbmcg dGhlIE5laWdoYm9yIERpc2NvdmVyeSBET1MgYXR0YWNrLiAgV2Ugd291bGQg YWxzbyBsaWtlDQogICAgdG8gdGhhbmsgVHVvbWFzIEF1cmEgYW5kIE1pY2hh ZWwgUm9lIG9mIE1pY3Jvc29mdCBSZXNlYXJjaA0KLSAgIENhbWJyaWRnZSBh cyB3ZWxsIGFzIEphcmkgQXJra28gYW5kIFZlc2EtTWF0dGkgTYRudHlshCBv ZiBFcmljc3Nvbg0KKyAgIENhbWJyaWRnZSBhcyB3ZWxsIGFzIEphcmkgQXJr a28gYW5kIFZlc2EtTWF0dGkgTeRudHls5CBvZiBFcmljc3Nvbg0KICAgIFJl c2VhcmNoIE5vbWFkaWNsYWIgZm9yIGRpc2N1c3Npbmcgc29tZSBvZiB0aGUg dGhyZWF0cyB3aXRoIHVzLg0KIA0KIDcuMCAgICAgUmVmZXJlbmNlcyANCg== --1589707168-1921005933-1037766690=:6282-- -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Wed Nov 20 07:41:07 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA17587 for ; Wed, 20 Nov 2002 07:41:07 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAKChAKV028157; Wed, 20 Nov 2002 13:43:10 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAKChAZ22994; Wed, 20 Nov 2002 13:43:10 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id NAA12520; Wed, 20 Nov 2002 13:42:43 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from fridge.docomolabs-usa.com (key1.docomolabs-usa.com [216.98.102.225]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id NAA12516 for ; Wed, 20 Nov 2002 13:42:41 +0100 (MET) Message-ID: <003601c29092$0f393eb0$656015ac@T23KEMPF> From: "James Kempf" To: "Pekka Savola" , "Pekka Nikander" Cc: References: Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt Date: Wed, 20 Nov 2002 04:40:49 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit I'm wondering how useful this particular point is for SEND. It seems like a more general point. SEND is specifically directed at threats to ND, so whether or not traffic is encrypted isn't particularly relevent. That said, it might be worthwhile expanding out this discussion on trust models to a more general draft, like the IPv6 node requirements draft, as a guide to when to use what level of security. Does this make sense? jak ----- Original Message ----- From: "Pekka Savola" To: "Pekka Nikander" Cc: Sent: Tuesday, November 19, 2002 8:31 PM Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt > On Sun, 17 Nov 2002, Pekka Nikander wrote: > > > Substantial: > > > > > > 1) I think there should be another trust model, or s subcategory of one: > > > "semi-trusted". Model 1 is useless other than as a trust model of the > > > current state. E.g. intranet nodes really _should_ be semi-trusted, not > > > completely trusted. Semi-trusted network would have to be protected from > > > packet hijacking, MITM, etc. -- but not necessarily DoS attacks. > > > > That would be interesting. Do you care to contribute some text to > > be included? > > I've included a diff of some required changes this trust model would > bring. > > Some further analysis would be needed, of course, but this should be > enough to be able to see whether this is something that will need > consideration. > > Note that I *don't* assume the traffic must be enscrypted, as suggested in > an earlier message. If I'm wrong this has a few implications, at least: > 1) this threat model doesn't seem to be useful > 2) wording has to be clarified wrt. encryption etc. > 3) "redirect" attacks should be clarified to be _bombing_ attacks against > someone else in the subnet, not redirects to yourself. > > I don't believe we can assume full encryption: it may be something that > may be a required item for the protections to work in Public LAN or Adhoc > case, but I don't see this being realistic in corporate cases. > > -- > Pekka Savola "Tell me of difficulties surmounted, > Netcore Oy not those you stumble over and fall" > Systems. Networks. Security. -- Robert Jordan: A Crown of Swords > -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Wed Nov 20 08:01:53 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA18005 for ; Wed, 20 Nov 2002 08:01:52 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAKD4AKV006339; Wed, 20 Nov 2002 14:04:11 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAKD4AZ16492; Wed, 20 Nov 2002 14:04:10 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id OAA16013; Wed, 20 Nov 2002 14:04:00 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from netcore.fi (netcore.fi [193.94.160.1]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id OAA16007 for ; Wed, 20 Nov 2002 14:03:58 +0100 (MET) Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id gAKD3s210003; Wed, 20 Nov 2002 15:03:54 +0200 Date: Wed, 20 Nov 2002 15:03:54 +0200 (EET) From: Pekka Savola To: James Kempf cc: Pekka Nikander , Subject: encypted vs plaintext [Re: I-D ACTION:draft-ietf-send-psreq-00.txt] In-Reply-To: <003601c29092$0f393eb0$656015ac@T23KEMPF> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk On Wed, 20 Nov 2002, James Kempf wrote: > I'm wondering how useful this particular point is for SEND. It seems like a more > general point. SEND is specifically directed at threats to ND, so whether or not > traffic is encrypted isn't particularly relevent. I fear it's relevant: the implications of the first (and this new second) threat model are significantly different depending on whether a redirect attack is also a DoS (but on someone else in the subnet) or could be used for hijacking clear-text traffic. People have a *very* different level of urgency to fix things if it's about more than just DoS attacks. (Personally, I'm not particularly interested in SEND if it's only about patching DoS attacks in ND.) Perhaps this is questionable because SEND originated from worries against _wireless_ links where there is no difference if no encryption is used -- you don't ned to use vulnerabilities in ND to eavesdrop clear-text traffic. But this has been generalized now. On e.g. wireline network, eavesdropping clear-text traffic without ND should be relatively difficult. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Thu Nov 21 05:49:57 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA27713 for ; Thu, 21 Nov 2002 05:49:41 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gALAowQ1010536; Thu, 21 Nov 2002 11:50:58 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gALAov229503; Thu, 21 Nov 2002 11:50:57 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id LAA19829; Thu, 21 Nov 2002 11:50:21 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from p2.piuha.net ([131.160.192.2]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id LAA19816 for ; Thu, 21 Nov 2002 11:50:16 +0100 (MET) Received: from lmf.ericsson.se (p4.piuha.net [131.160.192.4]) by p2.piuha.net (Postfix) with ESMTP id 6BCA86A907; Sun, 17 Nov 2002 23:53:21 +0200 (EET) Message-ID: <3DD7F3B7.8010506@lmf.ericsson.se> Date: Sun, 17 Nov 2002 21:53:27 +0200 From: Jari Arkko User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Pekka Nikander Cc: ietf-send@standards.ericsson.net Subject: draft-ietf-send-psreq-00.txt References: <01fc01c281cb$e2009b70$3c6015ac@T23KEMPF> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Hi Pekka, (This is a 3rd resend. I may have an e-mail problem; hopefully you didn't receive this many times...) I read this document on my way to Atlanta. Thanks for writing it, it looks very good! I do have a few comments though: - The consequences of sending packets to the wrong address on the link aren't fully described in 4.1.1. It might be helpful to adopt the upper-layer-security-present-or-not distiction, if you remember we did that back in manual-icmpv6-sas-01... - 4.1.1 s/attack results/attack succeeds/ - In 4.1.1 the subnet router anycast address capture attack: Perhaps you should clarify that attackers can see all such communications in any case, but what this attack does is that it prevents the real nodes from receiving the traffic. - In 4.1.2 you talk about the NUD attack. You say that communications can be disrupted for a long time. Isn't it the case that we can only spoof NUDs in the case that the node in question isn't really up? So the effect that we get is that the sender believes the peer is up when he really isn't. The effects of this depend on the specific application. Sometimes this has no effect since the communications would have been lost anyway. Sometimes a user could have been told about the problem, or an alternate server tried. - In 4.1.3 you suggest that the operator could act as an authorizer for DAD. Without seeing further details I'm not yet convinced we can do this. What specifically does the router do to effect this? Does the router have to know the mac address of the client, and are you assuming the mac addresses can't be faked? Or perhaps this was a part of the trusted operator case definition. And if the router can do all this and limits the addresses to some number, will that help victims if the number of victims is less than this number? - 4.2.1 last paragraph: You say that there are no solutions for the ad hoc case. It may be the case there are no perfect solutions, but there appears to be at least partial solutions if we assume an SA to a known peer in the Internet. (I don't think such assumption precludes calling the local network ad hoc.) - In 4.2.3 you say that there are no solutions for the Redirect problem in the ad hoc case. Again, I believe there's at least a partial solution that relies on address ownership proofs and comparison of the source address of the Redirect to our current routing table for the offending address. - In 4.2.4-5 isn't this attack also a potential mitm attack? - The attack described in paragraph 2 of 4.2.5 is really interesting! I guess this could also be used as a bombing attack against the real owner of the prefix? There's a related possibility of advertising the victims prefix as an autoconf prefix on a busy WLAN link, and then have all nodes on this link try to communicate to the external world with this address. If the local router doesn't have ingress filtering on, then the victim will get all the replies for those initial communication attempts. - The attack in 4.3.1 is also really interesting and possibly serious. OTOH, some care in using the caches in implementations should fix this, assuming the implementation knows which side of the network is the Internet and which one is local. Of course the attack can come from either side, but www.cnn.com probably doesn't want its internal ND made inoperational by outside attackers. Jari -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Thu Nov 21 06:42:15 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA27712 for ; Thu, 21 Nov 2002 05:49:41 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gALAp0KV016188; Thu, 21 Nov 2002 11:51:00 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gALAp0229521; Thu, 21 Nov 2002 11:51:00 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id LAA19825; Thu, 21 Nov 2002 11:50:17 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from p2.piuha.net ([131.160.192.2]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id LAA19817 for ; Thu, 21 Nov 2002 11:50:16 +0100 (MET) Received: from kolumbus.fi (p4.piuha.net [131.160.192.4]) by p2.piuha.net (Postfix) with ESMTP id 44DB16A901; Sun, 17 Nov 2002 19:31:10 +0200 (EET) Message-ID: <3DD7B642.7060203@kolumbus.fi> Date: Sun, 17 Nov 2002 17:31:14 +0200 From: Jari Arkko User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Pekka Nikander Cc: ietf-send@standards.ericsson.net Subject: draft-ietf-send-psreq-00.txt References: <01fc01c281cb$e2009b70$3c6015ac@T23KEMPF> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Hi Pekka, I read this document on my way to Atlanta. Thanks for writing it, it looks very good! I do have a few comments though: - The consequences of sending packets to the wrong address on the link aren't fully described in 4.1.1. It might be helpful to adopt the upper-layer-security-present-or-not distiction, if you remember we did that back in manual-icmpv6-sas-01... - 4.1.1 s/attack results/attack succeeds/ - In 4.1.1 the subnet router anycast address capture attack: Perhaps you should clarify that attackers can see all such communications in any case, but what this attack does is that it prevents the real nodes from receiving the traffic. - In 4.1.2 you talk about the NUD attack. You say that communications can be disrupted for a long time. Isn't it the case that we can only spoof NUDs in the case that the node in question isn't really up? So the effect that we get is that the sender believes the peer is up when he really isn't. The effects of this depend on the specific application. Sometimes this has no effect since the communications would have been lost anyway. Sometimes a user could have been told about the problem, or an alternate server tried. - In 4.1.3 you suggest that the operator could act as an authorizer for DAD. Without seeing further details I'm not yet convinced we can do this. What specifically does the router do to effect this? Does the router have to know the mac address of the client, and are you assuming the mac addresses can't be faked? Or perhaps this was a part of the trusted operator case definition. And if the router can do all this and limits the addresses to some number, will that help victims if the number of victims is less than this number? - 4.2.1 last paragraph: You say that there are no solutions for the ad hoc case. It may be the case there are no perfect solutions, but there appears to be at least partial solutions if we assume an SA to a known peer in the Internet. (I don't think such assumption precludes calling the local network ad hoc.) - In 4.2.3 you say that there are no solutions for the Redirect problem in the ad hoc case. Again, I believe there's at least a partial solution that relies on address ownership proofs and comparison of the source address of the Redirect to our current routing table for the offending address. - In 4.2.4-5 isn't this attack also a potential mitm attack? - The attack described in paragraph 2 of 4.2.5 is really interesting! I guess this could also be used as a bombing attack against the real owner of the prefix? There's a related possibility of advertising the victims prefix as an autoconf prefix on a busy WLAN link, and then have all nodes on this link try to communicate to the external world with this address. If the local router doesn't have ingress filtering on, then the victim will get all the replies for those initial communication attempts. - The attack in 4.3.1 is also really interesting and possibly serious. OTOH, some care in using the caches in implementations should fix this, assuming the implementation knows which side of the network is the Internet and which one is local. Of course the attack can come from either side, but www.cnn.com probably doesn't want its internal ND made inoperational by outside attackers. Jari -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Mon Nov 25 16:04:25 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA25626 for ; Mon, 25 Nov 2002 16:04:24 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAPL6fQ1001506; Mon, 25 Nov 2002 22:06:41 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAPL6cZ26160; Mon, 25 Nov 2002 22:06:39 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id WAA22310; Mon, 25 Nov 2002 22:06:06 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from pheriche.sun.com (pheriche.sun.com [192.18.98.34]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id WAA22306 for ; Mon, 25 Nov 2002 22:06:05 +0100 (MET) Received: from eastmail2bur.East.Sun.COM ([129.148.13.40]) by pheriche.sun.com (8.9.3+Sun/8.9.3) with ESMTP id OAA09011; Mon, 25 Nov 2002 14:05:56 -0700 (MST) Received: from thunk.east.sun.com (thunk.East.Sun.COM [129.148.174.66]) by eastmail2bur.East.Sun.COM (8.12.2+Sun/8.12.2/ENSMAIL,v2.2) with ESMTP id gAPL5tig003455; Mon, 25 Nov 2002 16:05:55 -0500 (EST) Received: from thunk (localhost [127.0.0.1]) by thunk.east.sun.com (8.12.6+Sun/8.12.3) with ESMTP id gAPL5tMf003644; Mon, 25 Nov 2002 16:05:55 -0500 (EST) Message-Id: <200211252105.gAPL5tMf003644@thunk.east.sun.com> From: Bill Sommerfeld To: Pekka Savola cc: Pekka Nikander , ietf-send@standards.ericsson.net Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt In-Reply-To: Your message of "Wed, 20 Nov 2002 06:31:30 +0200." Reply-to: sommerfeld@east.sun.com Date: Mon, 25 Nov 2002 16:05:55 -0500 Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk I'd be inclined to remove the "corporate intranet" model and replace it with your "semi-trusted network", unless you want a "null hypothesis" threat model -- one where the existing insecure ND is appropriate. That said, I think the document could be tightened up considerably by qualifying/scoping all intances of "trust" -- or finding a better word to replace it. Never just say "X trusts Y", but rather "X trusts that Y will send reasonable router advertisements" or (better still) "X believes RA messages from Y are legitimate because they are signed by Y's key and Y's key is signed by ..." - Bill -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Tue Nov 26 08:32:28 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA00496 for ; Tue, 26 Nov 2002 08:32:27 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAQDSSKV001974; Tue, 26 Nov 2002 14:28:28 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAQDSRZ29410; Tue, 26 Nov 2002 14:28:27 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id OAA20992; Tue, 26 Nov 2002 14:28:04 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id OAA20988 for ; Tue, 26 Nov 2002 14:28:03 +0100 (MET) Received: from nomadiclab.com (n100.nomadiclab.com [131.160.193.100]) by n97.nomadiclab.com (Postfix) with ESMTP id 104BB1C for ; Tue, 26 Nov 2002 15:35:06 +0200 (EET) Message-ID: <3DE376E1.7020209@nomadiclab.com> Date: Tue, 26 Nov 2002 15:28:01 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021125 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-send@standards.ericsson.net Subject: [Fwd: I-D ACTION:draft-moore-ipv6-optimistic-dad-01.txt] Content-Type: multipart/mixed; boundary="------------040400020007030209000704" Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk This is a multi-part message in MIME format. --------------040400020007030209000704 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Anyone any opinion how this fits into the SEND ideas? --Pekka --------------040400020007030209000704 Content-Type: message/rfc822; name="I-D ACTION:draft-moore-ipv6-optimistic-dad-01.txt" Content-Disposition: inline; filename="I-D ACTION:draft-moore-ipv6-optimistic-dad-01.txt" X-Sieve: cmu-sieve 2.0 Return-Path: Received: from n2.nomadiclab.com (n2.nomadiclab.com [131.160.193.2]) by n97.nomadiclab.com (Postfix) with ESMTP id D5D841C for ; Tue, 26 Nov 2002 15:26:42 +0200 (EET) Received: by n2.nomadiclab.com (Postfix) id 2798522E18; Tue, 26 Nov 2002 15:19:38 +0200 (EET) Delivered-To: pnr@nomadiclab.com Received: from d2.nomadiclab.com (bastion [131.160.194.2]) by n2.nomadiclab.com (Postfix) with ESMTP id D6E8422E15 for ; Tue, 26 Nov 2002 15:19:37 +0200 (EET) Received: from pheriche.sun.com (pheriche.sun.com [192.18.98.34]) by d2.nomadiclab.com (Postfix) with ESMTP id A6FE06CEC1 for ; Tue, 26 Nov 2002 15:19:36 +0200 (EET) Received: from engmail1mpk.Eng.Sun.COM ([129.146.1.45]) by pheriche.sun.com (8.9.3+Sun/8.9.3) with ESMTP id GAA20375; Tue, 26 Nov 2002 06:18:23 -0700 (MST) Received: from sunroof.eng.sun.com (sunroof.Eng.Sun.COM [129.146.168.88]) by engmail1mpk.Eng.Sun.COM (8.12.2+Sun/8.12.2/ENSMAIL,v2.2) with ESMTP id gAQDI1N2022720; Tue, 26 Nov 2002 05:18:20 -0800 (PST) Received: from sunroof.eng.sun.com (localhost [127.0.0.1]) by sunroof.eng.sun.com (8.12.7.Beta0+Sun/8.12.7.Beta0) with ESMTP id gAQDHPUu009186; Tue, 26 Nov 2002 05:17:25 -0800 (PST) Received: (from majordomo@localhost) by sunroof.eng.sun.com (8.12.7.Beta0+Sun/8.12.7.Beta0/Submit) id gAQDHPnH009185; Tue, 26 Nov 2002 05:17:25 -0800 (PST) X-Authentication-Warning: sunroof.eng.sun.com: majordomo set sender to owner-ipng@sunroof.eng.sun.com using -f Received: from engmail1mpk.Eng.Sun.COM (engmail1mpk [129.146.1.45]) by sunroof.eng.sun.com (8.12.7.Beta0+Sun/8.12.7.Beta0) with ESMTP id gAQDHLUu009178; Tue, 26 Nov 2002 05:17:21 -0800 (PST) Received: from kathmandu.sun.com (kathmandu.Central.Sun.COM [129.147.5.36]) by engmail1mpk.Eng.Sun.COM (8.12.2+Sun/8.12.2/ENSMAIL,v2.2) with ESMTP id gAQDHVMq022634; Tue, 26 Nov 2002 05:17:31 -0800 (PST) Received: from ietf.org (odin.ietf.org [132.151.1.176]) by kathmandu.sun.com (8.9.3+Sun/8.9.3) with ESMTP id GAA18031; Tue, 26 Nov 2002 06:17:25 -0700 (MST) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA29650; Tue, 26 Nov 2002 08:14:41 -0500 (EST) Message-Id: <200211261314.IAA29650@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: mobile-ip@sunroof.eng.sun.com, ipng@sunroof.eng.sun.com From: Internet-Drafts@ietf.org Reply-To: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-moore-ipv6-optimistic-dad-01.txt Date: Tue, 26 Nov 2002 08:14:41 -0500 Sender: owner-ipng@sunroof.eng.sun.com Precedence: bulk --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Optimistic Duplicate Address Detection Author(s) : N. Moore Filename : draft-moore-ipv6-optimistic-dad-01.txt Pages : 10 Date : 2002-11-25 Optimistic DAD is an interoperable modification of the existing IPv6 Neighbour Discovery (RFC2461) and Stateless Address Autoconfiguration (RFC2462) process. The intention is to minimize address configuration delays in the successful case without greatly increasing disruption in the less likely failure case. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-moore-ipv6-optimistic-dad-01.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-moore-ipv6-optimistic-dad-01.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-moore-ipv6-optimistic-dad-01.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2002-11-25134612.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-moore-ipv6-optimistic-dad-01.txt --OtherAccess Content-Type: Message/External-body; name="draft-moore-ipv6-optimistic-dad-01.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2002-11-25134612.I-D@ietf.org> --OtherAccess-- --NextPart-- -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to majordomo@sunroof.eng.sun.com -------------------------------------------------------------------- --------------040400020007030209000704-- -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Thu Nov 28 07:29:50 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA26481 for ; Thu, 28 Nov 2002 07:29:50 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gASCWDQ1010570; Thu, 28 Nov 2002 13:32:13 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gASCWC216393; Thu, 28 Nov 2002 13:32:12 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id NAA10392; Thu, 28 Nov 2002 13:30:06 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id NAA10373 for ; Thu, 28 Nov 2002 13:30:05 +0100 (MET) Received: from nomadiclab.com (n100.nomadiclab.com [131.160.193.100]) by n97.nomadiclab.com (Postfix) with ESMTP id 5C16A1C; Thu, 28 Nov 2002 14:37:08 +0200 (EET) Message-ID: <3DE60C4C.20304@nomadiclab.com> Date: Thu, 28 Nov 2002 14:30:04 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021127 X-Accept-Language: en-us, en MIME-Version: 1.0 To: sommerfeld@east.sun.com Cc: Pekka Savola , ietf-send@standards.ericsson.net Subject: Re: I-D ACTION:draft-ietf-send-psreq-00.txt References: <200211252105.gAPL5tMf003644@thunk.east.sun.com> In-Reply-To: <200211252105.gAPL5tMf003644@thunk.east.sun.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Bill, (I'm now working on the next version of the psreq draft.) Bill Sommerfeld wrote: > I'd be inclined to remove the "corporate intranet" model and replace > it with your "semi-trusted network", unless you want a "null > hypothesis" threat model -- one where the existing insecure ND is > appropriate. I more or less adopted this approach, considering what happens if a node becomes compromised in a corporate intranet. > That said, I think the document could be tightened up considerably by > qualifying/scoping all intances of "trust" -- or finding a better word > to replace it. > > Never just say "X trusts Y", but rather "X trusts that Y will send > reasonable router advertisements" or (better still) "X believes RA > messages from Y are legitimate because they are signed by Y's key and > Y's key is signed by ..." I changed the language somewhat. However, it turned out to be hard to start talking about keys or beliefs since we do not have any specific solution in mind yet. Thus, when we are speaking about trust, we are really trying to denote beliefs about future behaviour, not authentication or authorization in the technical sense. Thus, when we write that "a node trusts the other nodes to behave correctly at the IP layer and not to send any ND or RD messages containing false information", that is a belief about the node's future behaviour. On this level, there is no way of enforcing it, and the reasons for this trust most probably lie outside of the IP layer and are due to e.g. physical protection or other means. I added the following text to the introduction: It should be noted that the term "trust" is used here in a rather non-technical and loose manner. The most appropriate interpretation is to consider it as an expression of an organizational or collective belief, i.e., an expression of commonly shared beliefs about the future behaviour of the other involved parties. Conversely, the term "trust relationship" denotes a mutual a priori relationship between the involved organizations or parties where the parties believe that the other parties will behave correctly even in the future. A trust relationship makes it possible to configure authentication and authorization information between the parties, while the lack of such a relationship makes it impossible to pre-configure such information. Would you consider this satisfactory? --Pekka -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Thu Nov 28 07:48:39 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA26855 for ; Thu, 28 Nov 2002 07:48:39 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gASCp4Q1015331; Thu, 28 Nov 2002 13:51:04 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gASCp3Z10750; Thu, 28 Nov 2002 13:51:03 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id NAA13518; Thu, 28 Nov 2002 13:49:17 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id NAA13514 for ; Thu, 28 Nov 2002 13:49:16 +0100 (MET) Received: from nomadiclab.com (n100.nomadiclab.com [131.160.193.100]) by n97.nomadiclab.com (Postfix) with ESMTP id 4C3401C; Thu, 28 Nov 2002 14:56:19 +0200 (EET) Message-ID: <3DE610CB.3070600@nomadiclab.com> Date: Thu, 28 Nov 2002 14:49:15 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021127 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Bill Sommerfeld , Jari Arkko , Pekka Savola Cc: ietf-send@standards.ericsson.net Subject: New version of draft-ietf-send-psreq to be posted Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Bill, Jari, Pekka, I'll be posting a revised version of the psreq draft in a few days. In the meanwhile the revised version is available at http://www.tml.hut.fi/~pnr/publications/draft-ietf-send-psreq-01-pre.txt If you have time it would be excellent if you can have a look to see if your concerns have been addressed. --Pekka Nikander -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Thu Nov 28 08:02:29 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA27145 for ; Thu, 28 Nov 2002 08:02:28 -0500 (EST) Received: from fnatte.sw.ericsson.se (fnatte.sw.ericsson.se [153.88.242.8]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gASD4tQ1019664; Thu, 28 Nov 2002 14:04:55 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gASD4sZ11136; Thu, 28 Nov 2002 14:04:54 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id OAA15511; Thu, 28 Nov 2002 14:03:08 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id OAA15505 for ; Thu, 28 Nov 2002 14:03:07 +0100 (MET) Received: from nomadiclab.com (n100.nomadiclab.com [131.160.193.100]) by n97.nomadiclab.com (Postfix) with ESMTP id 8A77E1C for ; Thu, 28 Nov 2002 15:10:10 +0200 (EET) Message-ID: <3DE6140B.7090407@nomadiclab.com> Date: Thu, 28 Nov 2002 15:03:07 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021127 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-send@standards.ericsson.net Subject: Should SEND deal with Remote ND DoS attack ? Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Folks, I want to reach consensus on whether we shall address the remote ND DoS attack described in Section 4.3.1 in the threat and trust model draft. It is very different in nature from the rest of the threats. Thus, if we address it, I think that is should be addressed more or less separately from the rest of the effort. On the other hand, I personally think that it might be better addressed as a part of the eventual process of revising RFC 2461. Well formulated opinions, please, clearly arguing why we should address, or why we should not address, this threat. --Pekka Nikander -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Thu Nov 28 13:17:01 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA01905 for ; Thu, 28 Nov 2002 13:17:00 -0500 (EST) Received: from tjatte.sw.ericsson.se (tjatte.sw.ericsson.se [153.88.242.9]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gASIHwKV000532; Thu, 28 Nov 2002 19:17:58 +0100 (MET) Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gASIHv226234; Thu, 28 Nov 2002 19:17:57 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id TAA27763; Thu, 28 Nov 2002 19:16:11 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from netcore.fi (netcore.fi [193.94.160.1]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id TAA27752 for ; Thu, 28 Nov 2002 19:16:10 +0100 (MET) Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id gASIG1h13776; Thu, 28 Nov 2002 20:16:01 +0200 Date: Thu, 28 Nov 2002 20:16:01 +0200 (EET) From: Pekka Savola To: Pekka Nikander cc: Bill Sommerfeld , Jari Arkko , Subject: Re: New version of draft-ietf-send-psreq to be posted In-Reply-To: <3DE610CB.3070600@nomadiclab.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk On Thu, 28 Nov 2002, Pekka Nikander wrote: > I'll be posting a revised version of the psreq draft > in a few days. In the meanwhile the revised version > is available at > > http://www.tml.hut.fi/~pnr/publications/draft-ietf-send-psreq-01-pre.txt > > If you have time it would be excellent if you can have > a look to see if your concerns have been addressed. Thanks for the quick update. A few more substantial comments: 1) is there a need to clarify the stance wrt. the use of encryption somehow? 2) perhaps this: This threat is partially mitigated in RFC2462; in Section 5.5.3 of RFC2462 it is required that if the advertised prefix lifetime is less than 2 hours and less than the stored lifetime, the stored lifetime is not reduced unless the packet was authenticated. should be augmented by the fact that as per RFC2461 6.3.6 there is no such 2-hour-rule for _default router selection_ (it is unclear which parts of the threat the "partial mitigation" refers to). 3) | 4.2.4 | Bogus on-link prefix | RD | DoS | RA | - | + | R ==> with the new threat addition, I believe this is also a problem in the first case. 4) it's a bit cornercase whether 4.2.5 could be counted as + in the first case, at least if we assume the DynDNS vulnerability to be possible? Editorial: ==> references are a bit out-of-date, no biggie (at least MIP_TH, DHCPv6, ABK) 1. A model where all authenticated nodes trust each other to behave correctly at the IP layer and not to send any ND or RD messages that contain false information. ==> RD has not been defined yet. For example, it might still be acceptable that a compromised node is able to launch a denial-of-service attack, but it is undesirable if it is able to hijack existing connections or establish man-in-the-middle attacks on new connections. ==> reword: s/if it is/to be/ ? (sorry..) This threat involves Neighbor Solicitation and Neighbor Advertisement messages. ==> s/messages// This attack can be extended into a redirect / man-in-the-middle attack if the attacker replies to the Neighbor Solicitations with spoofed Neighbor Advertisements, thereby luring the nodes on the link to send the traffic to it or to some other node. ==> should "man-in-the-middle" be removed -- I think all redirect attacks can be used for MITM? There is also a related possibility of advertising the a target prefix as an autoconfiguration prefix on a busy link, and then have ==> s/the a/the/ -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Fri Nov 29 14:52:37 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA06646 for ; Fri, 29 Nov 2002 14:52:36 -0500 (EST) Received: from esealnt610.al.sw.ericsson.se (esealnt610.al.sw.ericsson.se [153.88.254.69]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gATJt0Q1001742; Fri, 29 Nov 2002 20:55:00 +0100 (MET) Received: from fnatte.sw.ericsson.se ([153.88.242.8]) by esealnt610.al.sw.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id XZ57PAJZ; Fri, 29 Nov 2002 20:55:00 +0100 Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gATJjPZ23645; Fri, 29 Nov 2002 20:45:25 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id UAA01389; Fri, 29 Nov 2002 20:43:26 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from noxmail.sandelman.ottawa.on.ca (cyphermail.sandelman.ottawa.on.ca [192.139.46.78]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id UAA01384 for ; Fri, 29 Nov 2002 20:43:19 +0100 (MET) Received: from sandelman.ottawa.on.ca (1Cust171.tnt24.toronto.on.da.uu.net [64.10.101.171]) by noxmail.sandelman.ottawa.on.ca (8.11.6/8.11.6) with ESMTP id gATJex605723 (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK); Fri, 29 Nov 2002 14:41:48 -0500 (EST) Received: from sandelman.ottawa.on.ca (marajade [127.0.0.1]) by sandelman.ottawa.on.ca (8.12.3/8.12.3/Debian -4) with ESMTP id gATJe5FR001673 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=OK); Fri, 29 Nov 2002 14:40:11 -0500 Received: from marajade.sandelman.ottawa.on.ca (mcr@localhost) by sandelman.ottawa.on.ca (8.12.3/8.12.3/Debian -4) with ESMTP id gATHWaS1004483; Fri, 29 Nov 2002 12:33:37 -0500 Message-Id: <200211291733.gATHWaS1004483@sandelman.ottawa.on.ca> To: ietf-send , pekka.nikander@iki.fi cc: rgb@conscoop.ottawa.on.ca, Bart Trojanowski Subject: some bizarre thoughts on 802.11 equipped trains, MIPv6 and SEND. Mime-Version: 1.0 (generated by tm-edit 1.8) Content-Type: text/plain; charset=US-ASCII Date: Fri, 29 Nov 2002 12:32:36 -0500 From: Michael Richardson Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Background: Richard and I are on a VIA rail train, with laptops, on the way to Toronto for some meetings. I am complaining that the train doesn't go fast enough, or at least that there isn't the view out the window doesn't really impress me how fast it goes, but that seeing out the front would help. We decided that the engine needs an 802.11 equipped webcam on the front of the locomotive. Geeks like me can then hit Shift-Reload, or use streaming media to see where we are going. We then discussed the fact that the train system ought to be using IP for management (talking to the virtual caboose, telemetry back to HQ, etc.). Wouldn't it be nice if the infrastruture was really secure enough that passenger train operators felt comfortable sharing their management infrastructure with the passengers. (I know that some trains in Japan have 802.11, but I'm sure it is seperate from the operator's networks) Is this a new model for SEND? Or just a combination of models? It is quite possible that the train would contain a mobile *network* of some kind. My laptop, using the train's mobile network, would actually want to be mobile from its home. I think that this is just a complicated form of roaming.... I'm on a network that itself is moving. Whether the train is getting new prefixes as it travels along vs doing some layer 2 thing is debatable. ====== We then had an interesting thought - some guy (in the middle of Montana, i.e. nowhere) with a laptop, waiting for a train to zip past. Assuming that he can actually hear the train long enough to do 802.11, this guy, despite being stationary, may in fact manage to get some packets in/out. First observation - if the train operator lets me roam onto his network for free (well, included in my ticket) there is likely little reasonable ways for them to keep the hill-billie from accesing things. More curious - if the prefixes for the train are not mobile (they remain geographically attached to cell towers), and the train moves from tower to tower (say using 802.11a to talk to the tower, and 802.11b for inside the train). The hill-billie is actually moving from base station to base station (i.e. it is getting a new default router), but actually isn't moving at all - neither physically, nor from prefix to prefix. ===== Just some random thoughts. There is no point. ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Finger me for keys iQCVAwUBPeeksIqHRg3pndX9AQFZywP/bSTgtvzCg2LBSj+dz5FUWO5tcEFMwGK+ 2XRLC9mdcTSqxrkXp+EnVeZZcVgtPP6OPKg10qVtYn7OZdl5DvNximGU2aExSn5z qb09u2Z3JTyhQSgGr9MlHeXwz8FDUitKNo7Iyb9X+xMzTe3iopco/H8TmnDG7dRX 5l9k7Y7lRxQ= =CT0W -----END PGP SIGNATURE----- -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Fri Nov 29 15:12:14 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA07105 for ; Fri, 29 Nov 2002 15:12:13 -0500 (EST) Received: from esealnt611.al.sw.ericsson.se (esealnt611.al.sw.ericsson.se [153.88.254.68]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gATKESKV011318; Fri, 29 Nov 2002 21:14:28 +0100 (MET) Received: from fnatte.sw.ericsson.se ([153.88.242.8]) by esealnt611.al.sw.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id XZ6MRY53; Fri, 29 Nov 2002 21:14:27 +0100 Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gATBAmZ11349; Fri, 29 Nov 2002 12:10:48 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id MAA23735; Fri, 29 Nov 2002 12:08:50 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id MAA23731 for ; Fri, 29 Nov 2002 12:08:49 +0100 (MET) Received: from nomadiclab.com (n100.nomadiclab.com [131.160.193.100]) by n97.nomadiclab.com (Postfix) with ESMTP id DBA401C; Fri, 29 Nov 2002 13:15:51 +0200 (EET) Message-ID: <3DE74AC3.2040703@nomadiclab.com> Date: Fri, 29 Nov 2002 13:08:51 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021127 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Pekka Savola Cc: Bill Sommerfeld , Jari Arkko , ietf-send@standards.ericsson.net Subject: Re: New version of draft-ietf-send-psreq to be posted References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Pekka Savola wrote: > 1) is there a need to clarify the stance wrt. the use of encryption > somehow? Jari proposed this too. This is covered in Section 7 in [MAN-SA]. I just don't know how to include it sufficiently briefly. For now I've just added a reference to [MAN-SA] in the end of Sect 4. Maybe we should publish [MAN-SA] as informational, too? > 2) perhaps this: > > This threat is partially mitigated in RFC2462; in Section 5.5.3 of > RFC2462 it is required that if the advertised prefix lifetime is > less than 2 hours and less than the stored lifetime, the stored > lifetime is not reduced unless the packet was authenticated. > > should be augmented by the fact that as per RFC2461 6.3.6 there is no such > 2-hour-rule for _default router selection_ (it is unclear which parts > of the threat the "partial mitigation" refers to). Added the following text: However, the default router selection procedure, as defined in Section 6.3.6. of RFC2461, does not contain such a rule. > 3) > > | 4.2.4 | Bogus on-link prefix | RD | DoS | RA | - | + | R > > ==> with the new threat addition, I believe this is also a problem in the > first case. Actually no, IMHO. The redirect version of 4.2.4 requires NA/NS spoofing. If we prevent NA/NS spooring, 4.2.4 alone is reduced to DoS only (or is it?). Anyway, I added the following footnote to the table: 1) Note that the extended attack defined in 4.2.4. combines sending a bogus on-link prefix and performing NS/NA spoofing as per 4.1.1. Thus, if the NA/NS exchange is secured, the ability to use 4.2.4. for redirect is most probably blocked, too. > 4) it's a bit cornercase whether 4.2.5 could be counted as + in the first > case, at least if we assume the DynDNS vulnerability to be possible? I agree that this is a borderline case. On the other hand, I'd like to see a genuine host-zeroconf design for the corporate intranet case. That is, I'd like to make it possible to plug in a host to a corporate intranet without any configuration (just as today), and let it work securely even in the case that another host is compromised *later*. I'm not sure if we can easily protect against this without any host config. Note that IMHO router config is perfectly OK even in the corporate intranet case. > Editorial: > > ==> references are a bit out-of-date, no biggie (at least MIP_TH, DHCPv6, > ABK) Fixed, tnx. > 1. A model where all authenticated nodes trust each other to > behave correctly at the IP layer and not to send any ND or RD > messages that contain false information. > > ==> RD has not been defined yet. Fixed. > For example, it might still be acceptable that a compromised node > is able to launch a denial-of-service attack, but it is undesirable > if it is able to hijack existing connections or establish > man-in-the-middle attacks on new connections. > > ==> reword: s/if it is/to be/ ? (sorry..) I think that the current wording is less ambiguous (and still grammatically correct). > > This threat involves Neighbor Solicitation and Neighbor > Advertisement messages. > > ==> s/messages// I give up and sacrifice readability to uniformity. Fixed. > This attack can be extended into a redirect / man-in-the-middle > attack if the attacker replies to the Neighbor Solicitations with > spoofed Neighbor Advertisements, thereby luring the nodes on the > link to send the traffic to it or to some other node. > > ==> should "man-in-the-middle" be removed -- I think all redirect attacks > can be used for MITM? Ditto. > > There is also a related possibility of advertising the a target > prefix as an autoconfiguration prefix on a busy link, and then have > > ==> s/the a/the/ > Fixed. --Pekka -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sat Nov 30 02:05:09 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA25649 for ; Sat, 30 Nov 2002 02:05:08 -0500 (EST) Received: from esealnt610.al.sw.ericsson.se (esealnt610.al.sw.ericsson.se [153.88.254.69]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAU77MQ1005719; Sat, 30 Nov 2002 08:07:22 +0100 (MET) Received: from fnatte.sw.ericsson.se ([153.88.242.8]) by esealnt610.al.sw.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id XZ57QVB9; Sat, 30 Nov 2002 08:07:22 +0100 Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAU77LZ05943; Sat, 30 Nov 2002 08:07:21 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id IAA17493; Sat, 30 Nov 2002 08:05:25 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from n97.nomadiclab.com (teldanex.hiit.fi [212.68.5.99]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id IAA17489 for ; Sat, 30 Nov 2002 08:05:21 +0100 (MET) Received: from nomadiclab.com (cube.local.nikander.com [192.168.0.33]) by n97.nomadiclab.com (Postfix) with ESMTP id 3D0D01C; Sat, 30 Nov 2002 09:12:23 +0200 (EET) Message-ID: <3DE86332.9080903@nomadiclab.com> Date: Sat, 30 Nov 2002 09:05:22 +0200 From: Pekka Nikander User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021127 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Michael Richardson Cc: ietf-send , rgb@conscoop.ottawa.on.ca, Bart Trojanowski Subject: Re: some bizarre thoughts on 802.11 equipped trains, MIPv6 and SEND. References: <200211291733.gATHWaS1004483@sandelman.ottawa.on.ca> In-Reply-To: <200211291733.gATHWaS1004483@sandelman.ottawa.on.ca> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Michael Richardson wrote: > ... Wouldn't it be nice if the infrastruture was really secure enough > that passenger train operators felt comfortable sharing their > management infrastructure with the passengers. ... > > Is this a new model for SEND? Or just a combination of models? Hmm. To me it sounds basically like the second trust model, with some extensions. That is, everybody trusts the operator (the train router), and most probably the rest of security is on application layer. At the ND level it seems enough that the passangers can't cause DoS preventing the train instrumentation system from working. And speaking about that, IMHO it would not be very wise to use 802.11(a/b) for something like instrumentation in a fast moving vehicle... > It is quite possible that the train would contain a mobile *network* > of some kind. My laptop, using the train's mobile network, would > actually want to be mobile from its home. I think that this is just a > complicated form of roaming.... I'm on a network that itself is > moving. Whether the train is getting new prefixes as it travels along > vs doing some layer 2 thing is debatable. That sounds very much like a NEMO. Have you checked the NEMO charter and discussions? > More curious - if the prefixes for the train are not mobile (they > remain geographically attached to cell towers), and the train moves > from tower to tower (say using 802.11a to talk to the tower, and > 802.11b for inside the train). The hill-billie is actually moving > from base station to base station (i.e. it is getting a new default > router), but actually isn't moving at all - neither physically, nor > from prefix to prefix. This one I didn't get. Are you assuming a very long train or what? Anyway, didn't make much sense to me. --Pekka -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sat Nov 30 11:21:23 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA07504 for ; Sat, 30 Nov 2002 11:21:22 -0500 (EST) Received: from esealnt610.al.sw.ericsson.se (esealnt610.al.sw.ericsson.se [153.88.254.69]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAUGNKKV003965; Sat, 30 Nov 2002 17:23:20 +0100 (MET) Received: from fnatte.sw.ericsson.se ([153.88.242.8]) by esealnt610.al.sw.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id XZ57RYFT; Sat, 30 Nov 2002 17:23:19 +0100 Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAUGNIZ16392; Sat, 30 Nov 2002 17:23:18 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id RAA28115; Sat, 30 Nov 2002 17:22:49 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from parsmtp1.rd.francetelecom.com (parsmtp1.rd.francetelecom.com [194.167.105.13]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id RAA28111 for ; Sat, 30 Nov 2002 17:22:48 +0100 (MET) Received: from pdico (p-dico.rd.francetelecom.fr [10.193.165.17]) by p-grive.rd.francetelecom.fr with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id XGX5CA3P; Sat, 30 Nov 2002 17:23:10 +0100 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C2988C.C5BAEB00" Subject: RE: some bizarre thoughts on 802.11 equipped trains, MIPv6 and SEND. X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 Date: Sat, 30 Nov 2002 17:21:19 +0100 Message-ID: Thread-Topic: some bizarre thoughts on 802.11 equipped trains, MIPv6 and SEND. Thread-Index: AcKYjMXpxLcSegO1EdeOjQCAXzHsRg== From: "Jean-Michel COMBES" To: "Michael Richardson" , "ietf-send" , Cc: , "Bart Trojanowski" Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk This is a multi-part message in MIME format. ------_=_NextPart_001_01C2988C.C5BAEB00 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi, > -----Message d'origine----- > De : owner-ietf-send@standards.ericsson.net > [mailto:owner-ietf-send@standards.ericsson.net]De la part de Michael > Richardson > Envoye : vendredi 29 novembre 2002 18:33 > A : ietf-send; pekka.nikander@iki.fi > Cc : rgb@conscoop.ottawa.on.ca; Bart Trojanowski > Objet : some bizarre thoughts on 802.11 equipped trains, MIPv6 and SEND. > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Background: > Richard and I are on a VIA rail train, with laptops, on the way to Toronto > for some meetings. > > I am complaining that the train doesn't go fast enough, or at least that > there isn't the view out the window doesn't really impress me how fast it > goes, but that seeing out the front would help. We decided that the engine > needs an 802.11 equipped webcam on the front of the locomotive. Geeks like > me can then hit Shift-Reload, or use streaming media to see where we are > going. > > We then discussed the fact that the train system ought to be using IP for > management (talking to the virtual caboose, telemetry back to HQ, > etc.). Wouldn't it be nice if the infrastruture was really secure > enough that > passenger train operators felt comfortable sharing their > management infrastructure with > the passengers. (I know that some trains in Japan have 802.11, > but I'm sure > it is seperate from the operator's networks) > > Is this a new model for SEND? Or just a combination of models? > > It is quite possible that the train would contain a mobile > *network* of some > kind. My laptop, using the train's mobile network, would actually > want to be > mobile from its home. I think that this is just a complicated form of > roaming.... I'm on a network that itself is moving. Whether the train is > getting new prefixes as it travels along vs doing some layer 2 thing is > debatable. This is typically a NEMO architecture with a MR (Mobile Router) in our train and our laptop is a VMN (Visiting Mobile Node). For more details, see draft-ernst-nemo-terminology.txt (http://www.nal.motlabs.com/nemo/drafts/draft-ernst-nemo-terminology.txt ). Regards. JMC. France Telecom R&D - DTL/SSR Jean-Michel COMBES, Internet/Intranet Security E-Mail : jeanmichel.combes@francetelecom.com Phone +33 (0)1 45 29 45 94, Fax +33 (0)1 45 29 65 19 ------_=_NextPart_001_01C2988C.C5BAEB00 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable RE: some bizarre thoughts on 802.11 equipped trains, MIPv6 and = SEND.

Hi,


> -----Message d'origine-----
> De : = owner-ietf-send@standards.ericsson.net
> [mailto:owner-ietf-= send@standards.ericsson.net]De la part de Michael
> Richardson
> Envoye : vendredi 29 novembre 2002 18:33
> A : ietf-send; pekka.nikander@iki.fi
> Cc : rgb@conscoop.ottawa.on.ca; Bart = Trojanowski
> Objet : some bizarre thoughts on 802.11 equipped = trains, MIPv6 and SEND.
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> Background:
> Richard and I are on a VIA rail train, with = laptops, on the way to Toronto
> for some meetings.
>
> I am complaining that the train doesn't go fast = enough, or at least that
> there isn't the view out the window doesn't = really impress me how fast it
> goes, but that seeing out the front would help. = We decided that the engine
> needs an 802.11 equipped webcam on the front of = the locomotive. Geeks like
> me can then hit Shift-Reload, or use streaming = media to see where we are
> going.
>
> We then discussed the fact that the train system = ought to be using IP for
> management (talking to the virtual caboose, = telemetry back to HQ,
> etc.). Wouldn't it be nice if the infrastruture = was really secure
> enough that
> passenger train operators felt comfortable = sharing their
> management infrastructure with
> the passengers.  (I know that some trains = in Japan have 802.11,
> but I'm sure
> it is seperate from the operator's = networks)
>
> Is this a new model for SEND? Or just a = combination of models?
>
> It is quite possible that the train would = contain a mobile
> *network* of some
> kind. My laptop, using the train's mobile = network, would actually
> want to be
> mobile from its home. I think that this is just = a complicated form of
> roaming.... I'm on a network that itself is = moving. Whether the train is
> getting new prefixes as it travels along vs = doing some layer 2 thing is
> debatable.

This is typically a NEMO architecture with a MR = (Mobile Router) in our train
and our laptop is a VMN (Visiting Mobile Node). For = more details, see
draft-ernst-nemo-terminology.txt
(http://www.nal.motlabs.com/nemo/drafts/draft-ernst-nemo-terminolo= gy.txt).

Regards.

JMC.

France Telecom R&D - DTL/SSR
Jean-Michel COMBES, Internet/Intranet Security
E-Mail : jeanmichel.combes@francetelecom.com
Phone +33 (0)1 45 29 45 94, Fax +33 (0)1 45 29 65 = 19

------_=_NextPart_001_01C2988C.C5BAEB00-- -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sat Nov 30 11:33:50 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA07712 for ; Sat, 30 Nov 2002 11:33:50 -0500 (EST) Received: from esealnt610.al.sw.ericsson.se (esealnt610.al.sw.ericsson.se [153.88.254.69]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAUGa8KV004865; Sat, 30 Nov 2002 17:36:08 +0100 (MET) Received: from tjatte.sw.ericsson.se ([153.88.242.9]) by esealnt610.al.sw.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id XZ57RYYB; Sat, 30 Nov 2002 17:36:07 +0100 Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAUGa7227011; Sat, 30 Nov 2002 17:36:07 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id RAA29841; Sat, 30 Nov 2002 17:35:58 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from netcore.fi (netcore.fi [193.94.160.1]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id RAA29837 for ; Sat, 30 Nov 2002 17:35:57 +0100 (MET) Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id gAUGZlc32242; Sat, 30 Nov 2002 18:35:48 +0200 Date: Sat, 30 Nov 2002 18:35:47 +0200 (EET) From: Pekka Savola To: Pekka Nikander cc: Bill Sommerfeld , Jari Arkko , Subject: Re: New version of draft-ietf-send-psreq to be posted In-Reply-To: <3DE74AC3.2040703@nomadiclab.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk On Fri, 29 Nov 2002, Pekka Nikander wrote: > Pekka Savola wrote: > > 1) is there a need to clarify the stance wrt. the use of encryption > > somehow? > > Jari proposed this too. This is covered in Section 7 in [MAN-SA]. > I just don't know how to include it sufficiently briefly. For now > I've just added a reference to [MAN-SA] in the end of Sect 4. IMO, section 7 of [MAN-SA] is not specific to manual ICMP SA's and should be removed to either separate draft or here. There might be more, other generic security discussion there. Perhaps Jari might have an opinion? > Maybe we should publish [MAN-SA] as informational, too? btw. s/drat-/draft-/g > > | 4.2.4 | Bogus on-link prefix | RD | DoS | RA | - | + | R > > > > ==> with the new threat addition, I believe this is also a problem in the > > first case. > > Actually no, IMHO. The redirect version of 4.2.4 requires NA/NS > spoofing. If we prevent NA/NS spooring, 4.2.4 alone is reduced to DoS > only (or is it?). Anyway, I added the following footnote to the table: > > 1) Note that the extended attack defined in 4.2.4. combines sending > a bogus on-link prefix and performing NS/NA spoofing as per > 4.1.1. Thus, if the NA/NS exchange is secured, the ability to > use 4.2.4. for redirect is most probably blocked, too. Agree. > > 4) it's a bit cornercase whether 4.2.5 could be counted as + in the first > > case, at least if we assume the DynDNS vulnerability to be possible? > > I agree that this is a borderline case. On the other hand, I'd like > to see a genuine host-zeroconf design for the corporate intranet case. > That is, I'd like to make it possible to plug in a host to a corporate > intranet without any configuration (just as today), and let it work > securely even in the case that another host is compromised *later*. > I'm not sure if we can easily protect against this without any host > config. Agree -- I really don't have ideas how to deal with this case. IMO, nodes should not just blindly register addresses, but whether they do it (like that) is another issue. Perhaps another footnote.. > Note that IMHO router config is perfectly OK even in the corporate > intranet case. Agree. > > For example, it might still be acceptable that a compromised node > > is able to launch a denial-of-service attack, but it is undesirable > > if it is able to hijack existing connections or establish > > man-in-the-middle attacks on new connections. > > > > ==> reword: s/if it is/to be/ ? (sorry..) > > I think that the current wording is less ambiguous (and still > grammatically correct). Ok by me. :-) -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sat Nov 30 16:06:26 2002 Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [193.180.251.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA12211 for ; Sat, 30 Nov 2002 16:06:26 -0500 (EST) Received: from esealnt610.al.sw.ericsson.se (esealnt610.al.sw.ericsson.se [153.88.254.69]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAUL8TQ1006137; Sat, 30 Nov 2002 22:08:29 +0100 (MET) Received: from tjatte.sw.ericsson.se ([153.88.242.9]) by esealnt610.al.sw.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id XZ57S2G3; Sat, 30 Nov 2002 22:08:29 +0100 Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by tjatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAUL8S202162; Sat, 30 Nov 2002 22:08:28 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id WAA03349; Sat, 30 Nov 2002 22:07:59 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from fridge.docomolabs-usa.com (key1.docomolabs-usa.com [216.98.102.225]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id WAA03344 for ; Sat, 30 Nov 2002 22:07:57 +0100 (MET) Message-ID: <005201c298b4$4b0291b0$096015ac@AlperVAIO> From: "Alper E. YEGIN" To: "Pekka Nikander" , References: <3DE6140B.7090407@nomadiclab.com> Subject: Re: Should SEND deal with Remote ND DoS attack ? Date: Sat, 30 Nov 2002 13:06:01 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Hi Pekka, Being the one who proposed the threat in the draft, I have to admit, it's a different beast than the other ones. A possible solution is to rely on a complete table of IPv6 addresses used on a link on the access routers (i.e, like a neighbor table instead of a neighbor cache). I wouldn't mind if this threat was left outside the scope of SEND. But even than, there is a possibility that the SEND solution might end up paving the road to solving this particular problem as well. That'd be a nice side benefit. alper ----- Original Message ----- From: "Pekka Nikander" To: Sent: Thursday, November 28, 2002 5:03 AM Subject: Should SEND deal with Remote ND DoS attack ? > Folks, > > I want to reach consensus on whether we shall address > the remote ND DoS attack described in Section 4.3.1 > in the threat and trust model draft. > > It is very different in nature from the rest of the > threats. Thus, if we address it, I think that is > should be addressed more or less separately from the > rest of the effort. On the other hand, I personally > think that it might be better addressed as a part of > the eventual process of revising RFC 2461. > > Well formulated opinions, please, clearly arguing why > we should address, or why we should not address, this > threat. > > --Pekka Nikander > > > -------------------------------------------------------------------- > To unsubscribe from this list, send email with "UNSUBSCRIBE" in the > body to . > Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html > -------------------------------------------------------------------- > -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html -------------------------------------------------------------------- From jari.arkko@lmf.ericsson.se Sat Nov 30 16:30:59 2002 Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.49]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA12771 for ; Sat, 30 Nov 2002 16:30:59 -0500 (EST) Received: from esealnt613.al.sw.ericsson.se (esealnt613.al.sw.ericsson.se [153.88.254.72]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id gAULXDKV021130; Sat, 30 Nov 2002 22:33:13 +0100 (MET) Received: from fnatte.sw.ericsson.se ([153.88.242.8]) by esealnt613.al.sw.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id XZ775C6Z; Sat, 30 Nov 2002 22:33:13 +0100 Received: from prdxweb.sw.ericsson.se (prdxweb.sw.ericsson.se [153.88.240.43]) by fnatte.sw.ericsson.se (8.10.0/8.10.0/extranet-1.1) with ESMTP id gAULXCZ21749; Sat, 30 Nov 2002 22:33:12 +0100 (MET) Received: (from ietfmdomo@localhost) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) id WAA06827; Sat, 30 Nov 2002 22:33:00 +0100 (MET) X-Authentication-Warning: prdxweb.sw.ericsson.se: ietfmdomo set sender to owner-ietf-send@standards.ericsson.net using -f Received: from fridge.docomolabs-usa.com (key1.docomolabs-usa.com [216.98.102.225]) by prdxweb.sw.ericsson.se (8.9.1/8.9.1/uc-1.0) with ESMTP id WAA06821 for ; Sat, 30 Nov 2002 22:32:58 +0100 (MET) Message-ID: <006701c298b7$d6808820$096015ac@AlperVAIO> From: "Alper E. YEGIN" To: "ietf-send" , , "Michael Richardson" Cc: , "Bart Trojanowski" References: <200211291733.gATHWaS1004483@sandelman.ottawa.on.ca> Subject: Re: some bizarre thoughts on 802.11 equipped trains, MIPv6 and SEND. Date: Sat, 30 Nov 2002 13:30:13 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit Sender: owner-ietf-send@standards.ericsson.net Precedence: bulk Content-Transfer-Encoding: 7bit Hello, > We then discussed the fact that the train system ought to be using IP for > management (talking to the virtual caboose, telemetry back to HQ, > etc.). Wouldn't it be nice if the infrastruture was really secure enough that > passenger train operators felt comfortable sharing their management infrastructure with > the passengers. This has more to do with application-layer security. Unless, getting on the network means getting to every bit of resources on the network (which is not the best model for this scenario). But even than, this wouldn't be related to SEND, but to PANA. > (I know that some trains in Japan have 802.11, but I'm sure > it is seperate from the operator's networks) We had that at the Yokohama IETF. Trains had FOMA (3G) for Internet connectivity, and WLAN for the access networks for passengers. > > Is this a new model for SEND? Or just a combination of models? > I think the problems in this scenario are missing the SEND scope. > More curious - if the prefixes for the train are not mobile (they remain > geographically attached to cell towers), and the train moves from tower > to tower (say using 802.11a to talk to the tower, and 802.11b for inside > the train). (again, this is out-of-scope, but) using 802.11a for train-to-Internet connection is not a good idea, unless the train is stationary. Range of 802.11a is limited, and a moving train is too fast to utilize the network. alper > The hill-billie is actually moving from base station to base > station (i.e. it is getting a new default router), but actually isn't > moving at all - neither physically, nor from prefix to prefix. > > ===== > > Just some random thoughts. > There is no point. > > ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ > ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ > ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ > ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [ > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.7 (GNU/Linux) > Comment: Finger me for keys > > iQCVAwUBPeeksIqHRg3pndX9AQFZywP/bSTgtvzCg2LBSj+dz5FUWO5tcEFMwGK+ > 2XRLC9mdcTSqxrkXp+EnVeZZcVgtPP6OPKg10qVtYn7OZdl5DvNximGU2aExSn5z > qb09u2Z3JTyhQSgGr9MlHeXwz8FDUitKNo7Iyb9X+xMzTe3iopco/H8TmnDG7dRX > 5l9k7Y7lRxQ= > =CT0W > -----END PGP SIGNATURE----- > -------------------------------------------------------------------- > To unsubscribe from this list, send email with "UNSUBSCRIBE" in the > body to . > Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html > -------------------------------------------------------------------- > -------------------------------------------------------------------- To unsubscribe from this list, send email with "UNSUBSCRIBE" in the body to . Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html --------------------------------------------------------------------