From sip-security-admin@ietf.org  Thu Aug  2 07:47:12 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA22953
	for <sip-security-archive@odin.ietf.org>; Thu, 2 Aug 2001 07:47:12 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA02933;
	Thu, 2 Aug 2001 07:24:58 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA02900
	for <sip-security@ns.ietf.org>; Thu, 2 Aug 2001 07:24:55 -0400 (EDT)
Received: from penguin-ext.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.110])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA22192
	for <sip-security@ietf.org>; Thu, 2 Aug 2001 07:23:37 -0400 (EDT)
Received: from fogerty.lmf.ericsson.se (fogerty.lmf.ericsson.se [131.160.11.6])
	by penguin.wise.edt.ericsson.se (8.11.0/8.10.1/WIREfire-1.3) with ESMTP id f72B0tO14437;
	Thu, 2 Aug 2001 13:00:55 +0200 (MEST)
Received: from lmf.ericsson.se (lmf4ws450.lmf.ericsson.se [131.160.38.50])
	by fogerty.lmf.ericsson.se (8.11.3/8.11.3) with ESMTP id f72B0q505217;
	Thu, 2 Aug 2001 14:00:52 +0300 (EET DST)
Message-ID: <3B6932E4.7EC50609@lmf.ericsson.se>
Date: Thu, 02 Aug 2001 14:00:52 +0300
From: Jari Arkko <Jari.Arkko@lmf.ericsson.se>
Organization: Oy L M Ericsson Ab
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: brian.rosen@marconi.com, jari@arkko.com, jdrosen@dynamicsoft.com,
        baruch@deltathree.com, jundery@ubiquity.net,
        bindignavile.srinivas@nokia.com, mat@cisco.com
CC: sip-security@ietf.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] New drafts for SIP security
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

Hi,

Who is updating the team page
(http://www.softarmor.com/sipwg/teams/sipsec/)?
It is missing at least three directly relevant
ones:

  HTTP Authentication with EAP
  http://www.arkko.com/draft-torvinen-http-eap-00.txt

  Diameter support for Basic and Digest authentication
  http://www.ietf.org/internet-drafts/draft-srinivas-aaa-basic-digest-00.txt

  Request Header Integrity in SIP and HTTP Digest using Predictive Nonces
  http://www.ietf.org/internet-drafts/draft-rosenberg-sip-http-pnonce-00.txt

Also, when do we discuss these in IETF-51? There
is a slot under the AAA group to discuss some
drafts, but what about the rest? See the link
http://www.ietf.org/ietf/01aug/aaa.txt Then
the SIP WG agenda contains the discussion of
two of the drafts (http://www.ietf.org/ietf/01aug/sip.txt)
Finally, some of the 3GPP presentation will
briefly discuss one of the drafts
(http://www.ietf.org/ietf/01aug/sipping.txt).

Seems like a place for a real SIP Security
BOF, but that's too late now to reserve...

Looking at the list of drafts, I'll try to summarize
their content and where they are handled in the upcoming
meeting. (It seems that much of the related work
is spread over in different places. Can we do
something about this? Is everything covered?)

[Ste] draft-sterman-sip-radius-00.txt
[Tor] draft-torvinen-http-eap-00.txt
[Sri] draft-srinivas-aaa-basic-digest-00.txt
[Ros] draft-rosenberg-sip-http-pnonce-00.txt
[Tho] draft-thomas-sip-sec-framework-00.txt
[Und] draft-undery-sip-digest-00.txt
[Bye] draft-byerly-sip-radius-00.txt

DRAFT  WG            AREA
---------------------------------------------------------------------------
[Ste]  AAA           Using RADIUS to implement Digest
[Tor]  AAA, SIPPING  Generic auth via EAP in SIP/HTTP, and DIAMETER
[Sri]  AAA           Using DIAMETER NASREQ to implement Digest
[Ros]  SIP           Digest to support more headers
[Tho]  -             New headers to select right external security protocol
[Und]  SIP           Digest to support more headers
[Bye]  (old)         CHAP auth to SIP/HTTP

There are also additional items such as draft-carrara-mm-kmgt-sol-00.txt
which are not directly related to SIP security, but use SIP to
establish security for the media sessions.

Jari Arkko
Ericsson

_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
http://www.ietf.org/mailman/listinfo/sip-security


From sip-security-admin@ietf.org  Thu Aug  2 10:40:44 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA29479
	for <sip-security-archive@odin.ietf.org>; Thu, 2 Aug 2001 10:40:44 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id KAA06637;
	Thu, 2 Aug 2001 10:18:16 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id KAA06605
	for <sip-security@ns.ietf.org>; Thu, 2 Aug 2001 10:18:15 -0400 (EDT)
Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA28421
	for <sip-security@ietf.org>; Thu, 2 Aug 2001 10:17:07 -0400 (EDT)
Received: from mira-sjc5-7.cisco.com (mira-sjc5-7.cisco.com [171.71.163.27])
	by sj-msg-core-1.cisco.com (8.11.3/8.9.1) with ESMTP id f72EHag13342;
	Thu, 2 Aug 2001 07:17:36 -0700 (PDT)
Received: from thomasm-u1.cisco.com (thomasm-u1.cisco.com [128.107.140.53])
	by mira-sjc5-7.cisco.com (Mirapoint)
	with ESMTP id ABO05626;
	Thu, 2 Aug 2001 07:17:35 -0700 (PDT)
Received: (thomasm@localhost) by thomasm-u1.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) id HAA13346; Thu, 2 Aug 2001 07:17:34 -0700 (PDT)
From: Michael Thomas <mat@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15209.24830.804542.551095@thomasm-u1.cisco.com>
Date: Thu, 2 Aug 2001 07:17:34 -0700 (PDT)
To: Jari Arkko <Jari.Arkko@lmf.ericsson.se>
Cc: brian.rosen@marconi.com, jari@arkko.com, jdrosen@dynamicsoft.com,
        baruch@deltathree.com, jundery@ubiquity.net,
        bindignavile.srinivas@nokia.com, mat@cisco.com, sip-security@ietf.org
In-Reply-To: <3B6932E4.7EC50609@lmf.ericsson.se>
References: <3B6932E4.7EC50609@lmf.ericsson.se>
X-Mailer: VM 6.72 under 21.1 (patch 6) "Big Bend" XEmacs Lucid
Subject: [Sip-security] New drafts for SIP security
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org


Jari,

Thanks for compiling this list. There is clearly a
lot of common ground amongst many of these drafts,
and it seems clear that some of us feel that
taking a neutral/extensible approach to the
various authentication mechanisms may be the
right overall approach (myself, HTTP EAP, the
carrara draft). 

It seems to me that we may well have a critical
mass of drafts which define the various
requirements and make first pass attempts to solve
various pieces of the overall solution.  If we can
manage to agree upon a clear set of priorities and
a baseline for interoperability, I think we can
merge many of these drafts together into a more
coherent whole. I personally am attracted to the
HTTP EAP draft as well as the Carrara draft as
they provide what my draft did not attempt to
solve other than some handwaving for example's
sake. 

Henning has drafted an initial note on relative
prioritization which I think we can use as the
basis to flesh out what we need to deliver and at
what priority; this could be used as a
determination of, say, what needs to be modified
in 2543bis vs. what should go into a formalized
SIP security draft.

I think it would be extremely productive if we
could carve out 3-4 hours this coming week to come
to consensus of what goes where, priorities, and
trying to consolidate the concepts in these
drafts.

Anybody want to suggest a time? Also: Dean/Bryan
it may be useful to discuss some of the high level
requirements/prioritization in one of the general
meetings.

		Mike

Jari Arkko writes:
 > Hi,
 > 
 > Who is updating the team page
 > (http://www.softarmor.com/sipwg/teams/sipsec/)?
 > It is missing at least three directly relevant
 > ones:
 > 
 >   HTTP Authentication with EAP
 >   http://www.arkko.com/draft-torvinen-http-eap-00.txt
 > 
 >   Diameter support for Basic and Digest authentication
 >   http://www.ietf.org/internet-drafts/draft-srinivas-aaa-basic-digest-00.txt
 > 
 >   Request Header Integrity in SIP and HTTP Digest using Predictive Nonces
 >   http://www.ietf.org/internet-drafts/draft-rosenberg-sip-http-pnonce-00.txt
 > 
 > Also, when do we discuss these in IETF-51? There
 > is a slot under the AAA group to discuss some
 > drafts, but what about the rest? See the link
 > http://www.ietf.org/ietf/01aug/aaa.txt Then
 > the SIP WG agenda contains the discussion of
 > two of the drafts (http://www.ietf.org/ietf/01aug/sip.txt)
 > Finally, some of the 3GPP presentation will
 > briefly discuss one of the drafts
 > (http://www.ietf.org/ietf/01aug/sipping.txt).
 > 
 > Seems like a place for a real SIP Security
 > BOF, but that's too late now to reserve...
 > 
 > Looking at the list of drafts, I'll try to summarize
 > their content and where they are handled in the upcoming
 > meeting. (It seems that much of the related work
 > is spread over in different places. Can we do
 > something about this? Is everything covered?)
 > 
 > [Ste] draft-sterman-sip-radius-00.txt
 > [Tor] draft-torvinen-http-eap-00.txt
 > [Sri] draft-srinivas-aaa-basic-digest-00.txt
 > [Ros] draft-rosenberg-sip-http-pnonce-00.txt
 > [Tho] draft-thomas-sip-sec-framework-00.txt
 > [Und] draft-undery-sip-digest-00.txt
 > [Bye] draft-byerly-sip-radius-00.txt
 > 
 > DRAFT  WG            AREA
 > ---------------------------------------------------------------------------
 > [Ste]  AAA           Using RADIUS to implement Digest
 > [Tor]  AAA, SIPPING  Generic auth via EAP in SIP/HTTP, and DIAMETER
 > [Sri]  AAA           Using DIAMETER NASREQ to implement Digest
 > [Ros]  SIP           Digest to support more headers
 > [Tho]  -             New headers to select right external security protocol
 > [Und]  SIP           Digest to support more headers
 > [Bye]  (old)         CHAP auth to SIP/HTTP
 > 
 > There are also additional items such as draft-carrara-mm-kmgt-sol-00.txt
 > which are not directly related to SIP security, but use SIP to
 > establish security for the media sessions.
 > 
 > Jari Arkko
 > Ericsson



From sip-security-admin@ietf.org  Thu Aug  2 12:00:10 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA03348
	for <sip-security-archive@odin.ietf.org>; Thu, 2 Aug 2001 12:00:10 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id LAA08964;
	Thu, 2 Aug 2001 11:47:11 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id LAA08928
	for <sip-security@ns.ietf.org>; Thu, 2 Aug 2001 11:47:09 -0400 (EDT)
Received: from david.siemens.de (david.siemens.de [192.35.17.14])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA02524
	for <sip-security@ietf.org>; Thu, 2 Aug 2001 11:46:04 -0400 (EDT)
X-Envelope-Sender-Is: Dirk.Kroeselberg@mchp.siemens.de (at relayer david.siemens.de)
Received: from mail2.siemens.de (mail2.siemens.de [139.25.208.11])
	by david.siemens.de (8.11.0/8.11.0) with ESMTP id f72Fl5c16734;
	Thu, 2 Aug 2001 17:47:06 +0200 (MET DST)
Received: from mchp9daa.mch.sbs.de (mchp9daa.mch.sbs.de [139.25.137.99])
	by mail2.siemens.de (8.11.4/8.11.4) with ESMTP id f72Fl5n13419;
	Thu, 2 Aug 2001 17:47:05 +0200 (MET DST)
Received: by mchp9daa.mch.sbs.de with Internet Mail Service (5.5.2653.19)
	id <NZFHG2N2>; Thu, 2 Aug 2001 17:47:06 +0200
Message-ID: <12D31B803B18D4119958009027FD42B81AD8B7@mchp952a.mch.sbs.de>
From: Kroeselberg Dirk <Dirk.Kroeselberg@mchp.siemens.de>
To: jari@arkko.com, mat@cisco.com
Cc: sip-security@ietf.org
Subject: AW: [Sip-security] New drafts for SIP security
Date: Thu, 2 Aug 2001 17:47:05 +0200 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"
X-MIME-Autoconverted: from quoted-printable to 8bit by optimus.ietf.org id LAA08929
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
X-MIME-Autoconverted: from 8bit to quoted-printable by optimus.ietf.org id LAA08964
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id MAA03348

Hi,

it looks like this list finally comes back
to life, so I think it is a very good idea to
spend some time in London on this topic,
and get some understanding of what a common
solution should look like. Or at least to 
figure out what state can be reached in the near
future.

The framework draft and the drafts listed in 
Jari's mail seem to form a good basis for this.

Dirk


> -----Original Message-----
> From: Michael Thomas [mailto:mat@cisco.com]
> Sent: Thursday, 2 August 2001 16:18
> To: Jari Arkko
> Cc: brian.rosen@marconi.com; jari@arkko.com; jdrosen@dynamicsoft.com;
> baruch@deltathree.com; jundery@ubiquity.net;
> bindignavile.srinivas@nokia.com; mat@cisco.com; sip-security@ietf.org
> Subject: [Sip-security] New drafts for SIP security
> 
> 
> Jari,
> 
> Thanks for compiling this list. There is clearly a
> lot of common ground amongst many of these drafts,
> and it seems clear that some of us feel that
> taking a neutral/extensible approach to the
> various authentication mechanisms may be the
> right overall approach (myself, HTTP EAP, the
> carrara draft). 
> 
> It seems to me that we may well have a critical
> mass of drafts which define the various
> requirements and make first pass attempts to solve
> various pieces of the overall solution.  If we can
> manage to agree upon a clear set of priorities and
> a baseline for interoperability, I think we can
> merge many of these drafts together into a more
> coherent whole. I personally am attracted to the
> HTTP EAP draft as well as the Carrara draft as
> they provide what my draft did not attempt to
> solve other than some handwaving for example's
> sake. 
> 
> Henning has drafted an initial note on relative
> prioritization which I think we can use as the
> basis to flesh out what we need to deliver and at
> what priority; this could be used as a
> determination of, say, what needs to be modified
> in 2543bis vs. what should go into a formalized
> SIP security draft.
> 
> I think it would be extremely productive if we
> could carve out 3-4 hours this coming week to come
> to consensus of what goes where, priorities, and
> trying to consolidate the concepts in these
> drafts.
> 
> Anybody want to suggest a time? Also: Dean/Bryan
> it may be useful to discuss some of the high level
> requirements/prioritization in one of the general
> meetings.
> 
> 		Mike
> 
> Jari Arkko writes:
>  > Hi,
>  > 
>  > Who is updating the team page
>  > (http://www.softarmor.com/sipwg/teams/sipsec/)?
>  > It is missing at least three directly relevant
>  > ones:
>  > 
>  >   HTTP Authentication with EAP
>  >   http://www.arkko.com/draft-torvinen-http-eap-00.txt
>  > 
>  >   Diameter support for Basic and Digest authentication
>  >   http://www.ietf.org/internet-drafts/draft-srinivas-aaa-basic-digest-00.txt
>  > 
>  >   Request Header Integrity in SIP and HTTP Digest using Predictive Nonces
>  >   http://www.ietf.org/internet-drafts/draft-rosenberg-sip-http-pnonce-00.txt
>  > 
>  > Also, when do we discuss these in IETF-51? There
>  > is a slot under the AAA group to discuss some
>  > drafts, but what about the rest? See the link
>  > http://www.ietf.org/ietf/01aug/aaa.txt Then
>  > the SIP WG agenda contains the discussion of
>  > two of the drafts (http://www.ietf.org/ietf/01aug/sip.txt)
>  > Finally, some of the 3GPP presentation will
>  > briefly discuss one of the drafts
>  > (http://www.ietf.org/ietf/01aug/sipping.txt).
>  > 
>  > Seems like a place for a real SIP Security
>  > BOF, but that's too late now to reserve...
>  > 
>  > Looking at the list of drafts, I'll try to summarize
>  > their content and where they are handled in the upcoming
>  > meeting. (It seems that much of the related work
>  > is spread over in different places. Can we do
>  > something about this? Is everything covered?)
>  > 
>  > [Ste] draft-sterman-sip-radius-00.txt
>  > [Tor] draft-torvinen-http-eap-00.txt
>  > [Sri] draft-srinivas-aaa-basic-digest-00.txt
>  > [Ros] draft-rosenberg-sip-http-pnonce-00.txt
>  > [Tho] draft-thomas-sip-sec-framework-00.txt
>  > [Und] draft-undery-sip-digest-00.txt
>  > [Bye] draft-byerly-sip-radius-00.txt
>  > 
>  > DRAFT  WG            AREA
>  > ---------------------------------------------------------------------------
>  > [Ste]  AAA           Using RADIUS to implement Digest
>  > [Tor]  AAA, SIPPING  Generic auth via EAP in SIP/HTTP, and DIAMETER
>  > [Sri]  AAA           Using DIAMETER NASREQ to implement Digest
>  > [Ros]  SIP           Digest to support more headers
>  > [Tho]  -             New headers to select right external security protocol
>  > [Und]  SIP           Digest to support more headers
>  > [Bye]  (old)         CHAP auth to SIP/HTTP
>  > 
>  > There are also additional items such as draft-carrara-mm-kmgt-sol-00.txt
>  > which are not directly related to SIP security, but use SIP to
>  > establish security for the media sessions.
>  > 
>  > Jari Arkko
>  > Ericsson
> 


From sip-security-admin@ietf.org  Thu Aug  2 12:25:33 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA05063
	for <sip-security-archive@odin.ietf.org>; Thu, 2 Aug 2001 12:25:32 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id LAA09040;
	Thu, 2 Aug 2001 11:51:51 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id LAA09003
	for <sip-security@ns.ietf.org>; Thu, 2 Aug 2001 11:51:50 -0400 (EDT)
Received: from beamer.mchh.siemens.de (beamer.mchh.siemens.de [194.138.158.163])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA02848
	for <sip-security@ietf.org>; Thu, 2 Aug 2001 11:50:41 -0400 (EDT)
Received: from blues.mchh.siemens.de (mail2.mchh.siemens.de [194.138.158.227])
	by beamer.mchh.siemens.de (8.9.3/8.9.3) with ESMTP id RAA12437;
	Thu, 2 Aug 2001 17:51:30 +0200 (MET DST)
Received: from mchh273e.demchh201e.icn.siemens.de ([139.21.200.83])
	by blues.mchh.siemens.de (8.9.1/8.9.1) with ESMTP id RAA15113;
	Thu, 2 Aug 2001 17:51:29 +0200 (MET DST)
Received: by MCHH273E with Internet Mail Service (5.5.2653.19)
	id <QB87H0YJ>; Thu, 2 Aug 2001 17:51:35 +0200
Message-ID: <5316E8083EC4D411957F0008C71EEE3473A986@MCHH227E>
From: Euchner Martin <Martin.Euchner@icn.siemens.de>
To: "'Michael Thomas'" <mat@cisco.com>,
        Jari Arkko
	 <Jari.Arkko@lmf.ericsson.se>
Cc: brian.rosen@marconi.com, jari@arkko.com, jdrosen@dynamicsoft.com,
        baruch@deltathree.com, jundery@ubiquity.net,
        bindignavile.srinivas@nokia.com, sip-security@ietf.org
Subject: AW: [Sip-security] New drafts for SIP security
Date: Thu, 2 Aug 2001 17:51:32 +0200 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="ISO-8859-1"
X-MIME-Autoconverted: from quoted-printable to 8bit by optimus.ietf.org id LAA09004
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
X-MIME-Autoconverted: from 8bit to quoted-printable by optimus.ietf.org id LAA09040
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id MAA05063

Michael and all,

yes I'm glad to see that SIP security is really lifting off. There are quite a couple of SIP security related drafts around; thanks to Jari for compiling and updating the list.

While I've already seen the SIP Security Framework, the SRTP and associated key management drafts, which look quite good in my eyes, there are several other items which I have to look into.

I found mm-kmgt requirements especially useful and I believe that such basic foundation really helps in progressing work and facilitates technical work later on.

Certainly, there are many pieces already on the table now. Now we should consider the overall picture and look where and how the current pieces fit in, where some white spots remain and how we can complete the landscape. It might help to approach this by thinking of requirements and it could turn out that there might be real reasons to have complementary security solutions in certain cases.

Thus, I would like to join this kind of discussion with all of you. I feel we can produce some good results on this. I'm looking forward to meeting you in London.


Kind Regards

Martin Euchner.
-----------------------------------------------------------------------
| Dipl.-Inf.                     Phone: +49 89 722 55790
| Martin Euchner                 Fax  : +49 89 722 46841
| Siemens AG
| ICN M SR 3                     mailto:Martin.Euchner@icn.siemens.de
|                                mailto:martin.euchner@ties.itu.int
| Hofmannstr. 51                 Intranet: http://intranet.icn.siemens.de/marketing/cs27/
| D-81359 Muenchen               Internet: http://www.siemens.de
| __________________
| Germany     
-----------------------------------------------------------------------



	-----Original Message-----
	From:	Michael Thomas [SMTP:mat@cisco.com]
	Sent:	Thursday, 2 August 2001 16:18
	To:	Jari Arkko
	Cc:	brian.rosen@marconi.com; jari@arkko.com; jdrosen@dynamicsoft.com; baruch@deltathree.com; jundery@ubiquity.net; bindignavile.srinivas@nokia.com; mat@cisco.com; sip-security@ietf.org
	Subject:	[Sip-security] New drafts for SIP security


	Jari,

	Thanks for compiling this list. There is clearly a
	lot of common ground amongst many of these drafts,
	and it seems clear that some of us feel that
	taking a neutral/extensible approach to the
	various authentication mechanisms may be the
	right overall approach (myself, HTTP EAP, the
	carrara draft). 

	It seems to me that we may well have a critical
	mass of drafts which define the various
	requirements and make first pass attempts to solve
	various pieces of the overall solution.  If we can
	manage to agree upon a clear set of priorities and
	a baseline for interoperability, I think we can
	merge many of these drafts together into a more
	coherent whole. I personally am attracted to the
	HTTP EAP draft as well as the Carrara draft as
	they provide what my draft did not attempt to
	solve other than some handwaving for example's
	sake. 

	Henning has drafted an initial note on relative
	prioritization which I think we can use as the
	basis to flesh out what we need to deliver and at
	what priority; this could be used as a
	determination of, say, what needs to be modified
	in 2543bis vs. what should go into a formalized
	SIP security draft.

	I think it would be extremely productive if we
	could carve out 3-4 hours this coming week to come
	to consensus of what goes where, priorities, and
	trying to consolidate the concepts in these
	drafts.

	Anybody want to suggest a time? Also: Dean/Bryan
	it may be useful to discuss some of the high level
	requirements/prioritization in one of the general
	meetings.

			Mike

	Jari Arkko writes:
	 > Hi,
	 > 
	 > Who is updating the team page
	 > (http://www.softarmor.com/sipwg/teams/sipsec/)?
	 > It is missing at least three directly relevant
	 > ones:
	 > 
	 >   HTTP Authentication with EAP
	 >   http://www.arkko.com/draft-torvinen-http-eap-00.txt
	 > 
	 >   Diameter support for Basic and Digest authentication
	 >   http://www.ietf.org/internet-drafts/draft-srinivas-aaa-basic-digest-00.txt
	 > 
	 >   Request Header Integrity in SIP and HTTP Digest using Predictive Nonces
	 >   http://www.ietf.org/internet-drafts/draft-rosenberg-sip-http-pnonce-00.txt
	 > 
	 > Also, when do we discuss these in IETF-51? There
	 > is a slot under the AAA group to discuss some
	 > drafts, but what about the rest? See the link
	 > http://www.ietf.org/ietf/01aug/aaa.txt Then
	 > the SIP WG agenda contains the discussion of
	 > two of the drafts (http://www.ietf.org/ietf/01aug/sip.txt)
	 > Finally, some of the 3GPP presentation will
	 > briefly discuss one of the drafts
	 > (http://www.ietf.org/ietf/01aug/sipping.txt).
	 > 
	 > Seems like a place for a real SIP Security
	 > BOF, but that's too late now to reserve...
	 > 
	 > Looking at the list of drafts, I'll try to summarize
	 > their content and where they are handled in the upcoming
	 > meeting. (It seems that much of the related work
	 > is spread over in different places. Can we do
	 > something about this? Is everything covered?)
	 > 
	 > [Ste] draft-sterman-sip-radius-00.txt
	 > [Tor] draft-torvinen-http-eap-00.txt
	 > [Sri] draft-srinivas-aaa-basic-digest-00.txt
	 > [Ros] draft-rosenberg-sip-http-pnonce-00.txt
	 > [Tho] draft-thomas-sip-sec-framework-00.txt
	 > [Und] draft-undery-sip-digest-00.txt
	 > [Bye] draft-byerly-sip-radius-00.txt
	 > 
	 > DRAFT  WG            AREA
	 > ---------------------------------------------------------------------------
	 > [Ste]  AAA           Using RADIUS to implement Digest
	 > [Tor]  AAA, SIPPING  Generic auth via EAP in SIP/HTTP, and DIAMETER
	 > [Sri]  AAA           Using DIAMETER NASREQ to implement Digest
	 > [Ros]  SIP           Digest to support more headers
	 > [Tho]  -             New headers to select right external security protocol
	 > [Und]  SIP           Digest to support more headers
	 > [Bye]  (old)         CHAP auth to SIP/HTTP
	 > 
	 > There are also additional items such as draft-carrara-mm-kmgt-sol-00.txt
	 > which are not directly related to SIP security, but use SIP to
	 > establish security for the media sessions.
	 > 
	 > Jari Arkko
	 > Ericsson



From sip-security-admin@ietf.org  Fri Aug  3 07:35:50 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA13677
	for <sip-security-archive@odin.ietf.org>; Fri, 3 Aug 2001 07:35:50 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA20980;
	Fri, 3 Aug 2001 07:36:27 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA20949
	for <sip-security@ns.ietf.org>; Fri, 3 Aug 2001 07:36:25 -0400 (EDT)
Received: from penguin-ext.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.110])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA13669
	for <sip-security@ietf.org>; Fri, 3 Aug 2001 07:35:22 -0400 (EDT)
Received: from fogerty.lmf.ericsson.se (fogerty.lmf.ericsson.se [131.160.11.6])
	by penguin.wise.edt.ericsson.se (8.11.0/8.10.1/WIREfire-1.3) with ESMTP id f73BaAO13346;
	Fri, 3 Aug 2001 13:36:10 +0200 (MEST)
Received: from lmf.ericsson.se (lmf4ws450.lmf.ericsson.se [131.160.38.50])
	by fogerty.lmf.ericsson.se (8.11.3/8.11.3) with ESMTP id f73BaA503280;
	Fri, 3 Aug 2001 14:36:10 +0300 (EET DST)
Message-ID: <3B6A8CAA.24C9158A@lmf.ericsson.se>
Date: Fri, 03 Aug 2001 14:36:10 +0300
From: Jari Arkko <Jari.Arkko@lmf.ericsson.se>
Organization: Oy L M Ericsson Ab
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: Michael Thomas <mat@cisco.com>
CC: brian.rosen@marconi.com, jari@arkko.com, jdrosen@dynamicsoft.com,
        baruch@deltathree.com, jundery@ubiquity.net,
        bindignavile.srinivas@nokia.com, sip-security@ietf.org,
        Elisabetta.Carrara@era.ericsson.se, Fredrik.Lindholm@era.ericsson.se
References: <3B6932E4.7EC50609@lmf.ericsson.se> <15209.24830.804542.551095@thomasm-u1.cisco.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] Re: New drafts for SIP security
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org


>Anybody want to suggest a time? 

In the meetings of course, but if we are also
going to meet unofficially then I'll just list
some possible times for me below:

Wednesday 09:00-13:00 (other times better though)
Wednesday 17:30-
Thursday  09:00-13:00
Thursday  17:30-
Friday    12:00-15:00 (other times better though)

How about Wednesday after the SIPPING meeting
i.e. 17:30 onwards?

An agenda for such a meeting? Maybe like this:

 1. Short presentations on various pieces of work
 2. Identification of commonalities, holes, etc
 3. Priority order discussion
 4. Way forward

Jari



From sip-security-admin@ietf.org  Sun Aug  5 15:10:58 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA18408
	for <sip-security-archive@odin.ietf.org>; Sun, 5 Aug 2001 15:10:58 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA10402;
	Sun, 5 Aug 2001 15:10:24 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA10367
	for <sip-security@ns.ietf.org>; Sun, 5 Aug 2001 15:10:21 -0400 (EDT)
Received: from bdsl.66.12.12.130.gte.net (bdsl.66.12.12.130.gte.net [66.12.12.130])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA18325
	for <sip-security@ietf.org>; Sun, 5 Aug 2001 15:09:14 -0400 (EDT)
Received: from plate (localhost.localdomain [127.0.0.1])
	by bdsl.66.12.12.130.gte.net (8.11.2/8.11.2) with SMTP id f75JAYJ11878;
	Sun, 5 Aug 2001 14:10:35 -0500
Message-ID: <011501c11de2$5b2bdc20$3b8821d9@ietf.ignite.net>
From: "Dean Willis" <dean.willis@softarmor.com>
To: "Jari Arkko" <Jari.Arkko@lmf.ericsson.se>, <brian.rosen@marconi.com>,
        <jari@arkko.com>, <jdrosen@dynamicsoft.com>, <baruch@deltathree.com>,
        <jundery@ubiquity.net>, <bindignavile.srinivas@nokia.com>,
        <mat@cisco.com>
Cc: <sip-security@ietf.org>
References: <3B6932E4.7EC50609@lmf.ericsson.se>
Subject: Re: [Sip-security] New drafts for SIP security
Date: Sun, 5 Aug 2001 14:10:49 -0500

Actually, the page is generated programmatically from the same source that
generates the "drafts" page. If you look at the "drafts" page, you'll notice
that there is no subteam listed for the rosenberg draft. This is an
oversight, and I will attempt to correct it.

The other drafts mentioned do not, at least to my knowledge, fall explicitly
within the scope of the SIP working group and are therefore not referenced
in the drafts page, do not have an associated deliverable on the SIP
charter, and as a consequence are not assigned to the SIP security subteam.

Question: Should the rosenberg draft be moved to SIPPING?

--
Dean



From sip-security-admin@ietf.org  Sun Aug  5 17:50:27 2001
Message-ID: <002d01c11df8$b58a01e0$728821d9@ietf.ignite.net>
From: "Dean Willis" <dean.willis@softarmor.com>
To: "Jari Arkko" <Jari.Arkko@lmf.ericsson.se>, <brian.rosen@marconi.com>,
        <jari@arkko.com>, <jdrosen@dynamicsoft.com>, <baruch@deltathree.com>,
        <jundery@ubiquity.net>, <bindignavile.srinivas@nokia.com>,
        <mat@cisco.com>
Cc: <sip-security@ietf.org>
References: <3B6932E4.7EC50609@lmf.ericsson.se>
Subject: Re: [Sip-security] New drafts for SIP security
Date: Sun, 5 Aug 2001 16:50:52 -0500

More followup:

The pnonce topic is under discussion in the Tuesday morning session. The
agenda item reads:

0910 Message Integrity via Digest
    draft-undery-sip-digest-00.txt -- James Undery
    draft-rosenberg-sip-http-pnonce-00.txt -- Jonathan Rosenberg


The other drafts you mention are not on the SIP or SIPPING agendas to the
best of my knowledge. There is some thought on holding a SIP Security BOF,
and I suspect that these drafts and their implications to SIP would be a
worthwhile topic. Scheduling of BOFS will be discussed during the agenda
bash in the first SIP session.

--
Dean



From sip-security-admin@ietf.org  Mon Aug  6 04:07:21 2001
Message-ID: <002d01c11e4a$5f2bbe40$728821d9@ietf.ignite.net>
From: "Dean Willis" <dean.willis@softarmor.com>
To: "Dean Willis" <dean.willis@softarmor.com>,
        "Jari Arkko" <Jari.Arkko@lmf.ericsson.se>, <brian.rosen@marconi.com>,
        <jari@arkko.com>, <jdrosen@dynamicsoft.com>, <baruch@deltathree.com>,
        <jundery@ubiquity.net>, <bindignavile.srinivas@nokia.com>,
        <mat@cisco.com>
Cc: <sip-security@ietf.org>
References: <3B6932E4.7EC50609@lmf.ericsson.se> <002d01c11df8$b58a01e0$728821d9@ietf.ignite.net>
Subject: Re: [Sip-security] New drafts for SIP security
Date: Sun, 5 Aug 2001 17:56:44 -0500

Whoops, I meant to say a SIP Security Bar BOF -- that is, an unofficial
meeting of interested parties occurring after-hours at an IETF meeting.
There are several bar BOF topics under discussion for IETF 51 -- see the
posted agenda for more.

My apologies.

--
Dean



From sip-security-admin@ietf.org  Tue Aug  7 10:45:42 2001
From: Michael Thomas <mat@cisco.com>
Message-ID: <15215.65262.863460.112210@thomasm-u1.cisco.com>
Date: Tue, 7 Aug 2001 07:45:02 -0700 (PDT)
To: "Dean Willis" <dean.willis@softarmor.com>
Cc: "Jari Arkko" <Jari.Arkko@lmf.ericsson.se>, <brian.rosen@marconi.com>,
        <jari@arkko.com>, <jdrosen@dynamicsoft.com>, <baruch@deltathree.com>,
        <jundery@ubiquity.net>, <bindignavile.srinivas@nokia.com>,
        <mat@cisco.com>, <sip-security@ietf.org>
Subject: Re: [Sip-security] New drafts for SIP security
In-Reply-To: <011501c11de2$5b2bdc20$3b8821d9@ietf.ignite.net>
References: <3B6932E4.7EC50609@lmf.ericsson.se>
	<011501c11de2$5b2bdc20$3b8821d9@ietf.ignite.net>

Dean Willis writes:
 > Question: Should the rosenberg draft be moved to SIPPING?

   It seems that if Jonathan's doesn't actually require
   any bits on the wire guidance (or just sanity shouldn'ts)
   it would be more of a BCP kind of thing. In fact, I think
   that the SIP state blobs could use similar guidance so
   that implementors are aware of the attacks they need to
   guard against even though it's an implementation issue.

		 Mike



From sip-security-admin@ietf.org  Tue Aug  7 10:58:44 2001
Message-ID: <3B70033A.4070407@piuha.net>
Date: Tue, 07 Aug 2001 18:03:22 +0300
From: Jari Arkko <jari.arkko@piuha.net>
Reply-To: jari.arkko@piuha.net
Organization: None
To: sip@ietf.org
Cc: sip-security@ietf.org
References: <3B6FD3FB.7CD72853@cs.columbia.edu>
Subject: [Sip-security] Extended HTTP authentication draft for SIP


Hi,

I'd like to announce a draft we have produced on the use
of an extensible authentication scheme for SIP. We hope
to be able to talk about this in the SIP Security Bar BOF
on Wednesday, and I believe it will also be touched upon
in the 3GPP presentation in the SIPPING WG.

Currently, SIP can use external security schemes such as
IPSec/IKE or TLS also for authentication, or one of the HTTP
and PGP methods within the protocol itself. As you know,
there is some ongoing work in the group to extend the HTTP
methods to better fit the requirements in the SIP case.
Also, AAA protocol extensions are under discussion in
the AAA WG in order to handle cases where the SIP node
doesn't store the authentication passwords by itself and
needs to talk to an authentication server over a protocol.

What we intend to add to this is one new HTTP/SIP authentication
method called HTTP EAP. Here we leverage an existing
protocol EAP (RFC 2284), originally developed for the PPP
world but nowadays being adopted also for WLANs and possibly
other places. EAP supports many authentication methods,
such as password or token-card based, as well as PKI, GSM, and
UMTS AKA-based authentication schemes.

Originally, we started to think about an approach like
this as the 3G networks required the use of the UMTS AKA
authentication scheme (due to the deployed operator infrastructure
for handing out the authentication tokens for GSM/UMTS, and
the existence of the necessary technical components such
as the SIM cards already for other reasons). We could add
UMTS AKA authentication directly to SIP, but somehow we feel
that it would be better to add generic authentication to
SIP in one go, allowing various parties to use different
kinds of authentication methods they find suitable in
their situation. At the same time, an added benefit of
the EAP approach is that existing AAA protocols such as
DIAMETER and RADIUS can be used with less extension work,
as they already support EAP. Likewise, most SIP equipment
could in the future stay unchanged even if new authentication
methods are invented.

Draft: http://www.arkko.com/draft-torvinen-http-eap-00.txt
Presentation: http://www.arkko.com/sip_eap_ietf51.ppt

Feedback on this approach would be greatly appreciated,
particularly on its SIP applicability, soundness of security,
how to proceed with this in the IETF process, and the
relationship of this to the various security
proposals that the WG is now getting. We also look
forward to interesting discussions in general
about the SIP security framework.

Jari Arkko
Ericsson





From sip-security-admin@ietf.org  Wed Aug  8 12:42:18 2001
From: Michael Thomas <mat@cisco.com>
Message-ID: <15217.27291.571223.806065@thomasm-u1.cisco.com>
Date: Wed, 8 Aug 2001 09:36:43 -0700 (PDT)
To: "Dean Willis" <dean.willis@softarmor.com>
Cc: "Jari Arkko" <Jari.Arkko@lmf.ericsson.se>, <brian.rosen@marconi.com>,
        <jari@arkko.com>, <jdrosen@dynamicsoft.com>, <baruch@deltathree.com>,
        <jundery@ubiquity.net>, <bindignavile.srinivas@nokia.com>,
        <mat@cisco.com>, <sip-security@ietf.org>
In-Reply-To: <011501c11de2$5b2bdc20$3b8821d9@ietf.ignite.net>
References: <3B6932E4.7EC50609@lmf.ericsson.se>
	<011501c11de2$5b2bdc20$3b8821d9@ietf.ignite.net>
Subject: [Sip-security] where is the meeting?


Where is today's security meeting? I'm in the front lobby if
people want to meet there if the place hasn't been
set.

		Mike



From sip-security-admin@ietf.org  Mon Aug 13 09:27:42 2001
Message-ID: <3B77D5E1.642787FC@ubiquity.net>
Date: Mon, 13 Aug 2001 14:28:01 +0100
From: James Undery <jundery@ubiquity.net>
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: sip-security <sip-security@ietf.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 13 Aug 2001 13:28:29.0381 (UTC) FILETIME=[D6FDDF50:01C123FB]
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] SIP Security Framework
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
Content-Transfer-Encoding: 7bit

Hi,

In order to try and keep up the momentum we got in London, I'll post my
thoughts on sections 1-3 (I assume I was right in thinking section 4
will go from the framework I hope).

Section 1.1 (Nits about terminology)
Crypto-System seems a bit wide in scope, I'd expect it to only cover
privacy.
Message-Integrity is a little too strong for SIP, some parts need to be
changed (draft-undery-sip-digest includes the headers I'd expect to
change en route).




From sip-security-admin@ietf.org  Mon Aug 13 09:51:30 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA20218
	for <sip-security-archive@odin.ietf.org>; Mon, 13 Aug 2001 09:51:30 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id JAA06256;
	Mon, 13 Aug 2001 09:52:14 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id JAA06221
	for <sip-security@ns.ietf.org>; Mon, 13 Aug 2001 09:52:12 -0400 (EDT)
Received: from drago1.ubiquity.net (news.ubiquity.net [194.202.146.92])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA20191
	for <sip-security@ietf.org>; Mon, 13 Aug 2001 09:51:02 -0400 (EDT)
Received: from mailhost.ubiquity.net by drago1.ubiquity.net
          via smtpd (for odin.ietf.org [132.151.1.176]) with SMTP; 13 Aug 2001 13:52:14 UT
Received: from ubiquity.net ([193.195.52.206]) by GBNEWP0758M.eu.ubiquity.net with Microsoft SMTPSVC(5.0.2195.1600);
	 Mon, 13 Aug 2001 14:52:46 +0100
Message-ID: <3B77DB92.8729497A@ubiquity.net>
Date: Mon, 13 Aug 2001 14:52:18 +0100
From: James Undery <jundery@ubiquity.net>
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: sip-security <sip-security@ietf.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 13 Aug 2001 13:52:46.0465 (UTC) FILETIME=[3B7B3F10:01C123FF]
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] SIP Security Framework
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
Content-Transfer-Encoding: 7bit

Hi,

Oops, this time I'll try not to post until I've finished.

In order to try and keep up the momentum we got in London, I'll post my
thoughts on sections 1-3 (I assume I was right in thinking section 4
will go from the framework I hope).

Section 1.1 (Nits about terminology)
Crypto-System seems a bit wide in scope, I'd expect it to only cover
privacy.
Message-Integrity is a little too strong for SIP, some parts need to be
changed (draft-undery-sip-digest includes the headers I'd expect to
change en route).
Challenge, this is authentication only really (see Crypto Systems).
Transform, this is a bit vague; should digest and encryption/decryption
be separated?

Section 2

One of my main concerns with the outside / inside taxonomy is that the
scariest outside attacks are ones that lead to inside attacks. (I
realise most of the outside concerns are designed to prevent this, but
it's the way I'd be trying to attack SIP networks!)

Section 3.1

Are these supposed to be in order of significance? Because
confidentiality from outside rates way higher than inside in my book.
Also, integrity from outside attacks is surely forgery; inside attacks
are more integrity based.
MITM "as must as possible" should go from the requirements.
The firewall requirements are outside the scope of this framework in my
opinion too.
Cached credentials are asking for trouble; using Authenticate-Info the
server can provide the next nonce in responses (and one time nonces are
really desirable).

Section 3.2

(Real nit) The 3rd sentence would be better stating: A trusts B does
not imply B trusts A.

Also the JITB model potentially is missing a scenario (assuming I has no
direct trust relationship with either end point) that is the case where
it's proxy to proxy (neither has a direct trust relationship with either
endpoint). This is where I'd be most worried about info leakage.

Section 3.2.5

A simple (contrived) case where this could apply is, given a central
trusted certificate store, I offers to route to entities in the store.
H doesn't trust I will find J and wants H to check J is really the owner
of the certificate.

James Undery
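
The Section 3.1 point above about cached credentials and one-time nonces, as an added example that is not part of the original post or of any draft discussed here: a Digest verifier (RFC 2617, qop=auth) that accepts each nonce once and returns the next one as nextnonce in Authentication-Info, so an identical replay of an accepted request is rejected. The realm, user, password, Request-URI and all class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

REALM = "example.invalid"              # constructed realm
USERS = {"alice": "correct horse"}     # constructed credential store
URI = "sip:registrar.example.invalid"  # constructed Request-URI


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce, realm=REALM):
    """Request-digest for qop=auth as defined in RFC 2617."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def authorize(user, password, method, uri, nonce):
    """Client side: build the credential parameters for one request."""
    nc, cnonce = "00000001", secrets.token_hex(8)
    return {
        "username": user, "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce,
        "response": digest_response(user, password, method, uri, nonce, nc, cnonce),
    }


class OneTimeNonceServer:
    """Accepts every nonce for exactly one request, then hands out the next."""

    def __init__(self, users, realm=REALM):
        self.users, self.realm = users, realm
        self.live = set()  # issued and not yet presented (a real server also expires these)

    def challenge(self):
        """Parameters of a fresh challenge; the nonce becomes usable once."""
        nonce = secrets.token_hex(16)
        self.live.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, uri, creds):
        """Return (status, params): nextnonce on 200, a new challenge on 401."""
        user = creds.get("username", "")
        nonce = creds.get("nonce", "")
        password = self.users.get(user)
        digest_ok = False
        if password is not None and creds.get("uri") == uri:
            expected = digest_response(user, password, method, uri, nonce,
                                       creds.get("nc", ""), creds.get("cnonce", ""),
                                       self.realm)
            digest_ok = hmac.compare_digest(expected.encode(),
                                            creds.get("response", "").encode())
        nonce_live = nonce in self.live
        self.live.discard(nonce)  # one attempt per nonce, pass or fail
        if digest_ok and nonce_live:
            # Authentication-Info: nextnonce saves the client a 401 round trip
            return 200, {"nextnonce": self.challenge()["nonce"]}
        fresh = self.challenge()
        if digest_ok:
            # valid digest over a used-up nonce: a replay, or a client resending
            # cached credentials; stale=true lets a real client retry silently
            fresh["stale"] = "true"
        return 401, fresh


def demo():
    """One accepted request, its identical replay, then a request using nextnonce."""
    server = OneTimeNonceServer(USERS)
    n1 = server.challenge()["nonce"]
    first = authorize("alice", USERS["alice"], "REGISTER", URI, n1)
    s1, info1 = server.verify("REGISTER", URI, first)
    s2, info2 = server.verify("REGISTER", URI, dict(first))  # byte-for-byte replay
    second = authorize("alice", USERS["alice"], "REGISTER", URI, info1["nextnonce"])
    s3, _ = server.verify("REGISTER", URI, second)
    return {"first": s1, "replay": (s2, info2.get("stale")), "second": s3}


if __name__ == "__main__":
    print(demo())
```
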






From sip-security-admin@ietf.org  Mon Aug 13 14:32:38 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA26718
	for <sip-security-archive@odin.ietf.org>; Mon, 13 Aug 2001 14:32:38 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id OAA17056;
	Mon, 13 Aug 2001 14:33:13 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id OAA16987
	for <sip-security@ns.ietf.org>; Mon, 13 Aug 2001 14:33:10 -0400 (EDT)
Received: from face.sentitonetworks.com (user9.sentito.com [65.202.222.9] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA26713
	for <sip-security@ietf.org>; Mon, 13 Aug 2001 14:31:59 -0400 (EDT)
Received: (qmail 12529 invoked from network); 13 Aug 2001 18:29:57 -0000
Received: from unknown (HELO overhill) (relay@65.202.222.2)
  by face.sentitonetworks.com with SMTP; 13 Aug 2001 18:29:57 -0000
From: "Frank W. Miller" <fmiller@sentito.com>
To: <sip-security@ietf.org>
Date: Mon, 13 Aug 2001 14:31:53 -0400
Message-ID: <000501c12426$397fab70$d200000a@overhill>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0006_01C12404.B26E0B70"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Subject: [Sip-security] Official Minutes from SIP Security Adhoc at 51st IETF
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01C12404.B26E0B70
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Been trying to send out the combined minutes but they are bouncing for
size.  Sending them one piece at a time...

FM


Frank W. Miller, Ph.D.
Chief Technical Officer
sentitO Networks, Inc.
www.sentito.com


SIP Security Adhoc Meeting Minutes

Meeting held on Wednesday August 8, 2001 at 51st IETF located at the
Hilton Metropole in London, England.


Some early comments:

* Removal of Signal Header (?) means that some way of passing security
information transitively is required

* Security information must be handed from one UA to another

Meeting proper:

* A threat model and analysis must be developed

* Mike's draft could be used as a starting point (Henning pointed out
that the draft would be alright as a starting point but that it is
incomplete)

* Mike's draft discusses "inside" vs. "outside" threats

* Oran asked for these to be defined

* Mike defined them as follows: an outside threat is one that is
presented by an entity that is not participating and has no visibility
into a conversation and an inside threat is one that is presented by a
participant in a conversation

* For outside threats, the use of TLS etc. vs. http digest may suffice

* Some discussion about inside vs. outside being an instance of threat
prioritization

* Mention of possible use of call control model as a way to model inside
vs. outside and to break down the description of inside threats to the
next level

* Jonathan described an example (which I didn't get to write down) of
what he referred to as a "SIP-specific" threat

* The relationship between entities needs to be defined: Henning
referred to the relationship between a UA and a gateway as
"semi-adversarial"

* At this point in the meeting, the question of whether the remainder of
the meeting would focus on the threat model or would also include
mechanisms came up.

* An immediate mention of several mechanisms was made: authentication,
authorization, and integrity checking

* The discussion of mechanisms was agreed to a bit later

* A list of threats was proposed and some examples of use included

List of Threats                             Examples of Use
Identical Replay                            Hangup, Service Theft,
Modified Replay                             Registration Hijacking,
Message Forgery                             User Impersonation
Disclosure of Call Signaling Information
Denial of Service (DoS)
    - Message Injection
    - Message Deletion
    - Message Amplification

It was noted that the list of threats constitutes a different taxonomy
for describing the threats than Mike's taxonomy

Henning commented that this approach may be superior since it seemed
intuitively easier to show completeness for

Also noted that this new taxonomy does not capture descriptions of level
of trust

Dave described an example where a UA uses a RADIUS server for
authentication but that anyone that can compromise the RADIUS server
also compromises the UA, allowing it to be impersonated (not sure I
copied this right Dave)

A description of the "Pentagon" described in Mike's draft was presented

The Pentagon is used to describe boundaries of trust

Mike's draft presents a fully connected graph and describes the level of
trust between each pair of endpoints

Discussion centered on the possibility that this approach may imply that
all mechanisms are necessary for all types of connections

Dave mentioned that the saving grace was that it would probably be
possible to also describe when those mechanisms would and would not
actually be used

The question was raised about whether conformance to security
requirements and any mechanisms necessary to indicate this was or was
not the case was necessary all along the signaling path?

The question was asked but never answered, "where are the keys for SRTP
handled?"

It was noted that the ability to do end-to-end body encryption will be
necessary!

The question was asked, "will parties along a signaling path need to be
able to authenticate a UAC?"

Discussion then ensued about whether authentication should be wrt UAs or
users.  Some agreement emerged that UA (i.e. domain level)
authentication might be valuable but that user level authentication
would probably be impractical

This agreement came from a discussion about whether authentication was
necessary for unsolicited calls.  In this case, domain-level
authentication would probably provide some additional value but that
user level authentication might be difficult if not impossible

The discussion then turned to what mechanisms will be included in the
bis regarding security given the looming Dec. deadline

Some agreement on the hop-by-hop discussion only that more complex
mechanisms will need to be put in a separate draft

The point was made that mechanisms should only be proposed for the
separated draft after at least one round of requirements had been
circulated

Backward compatibility is important, additional security features cannot
force a wholesale change to the existing bis mechanisms

Henning mentioned a potential practical problem: a separate draft will
require a separate implementation.  The group did not see this as a
serious problem

The discussion then turned to whether TLS or IPSec should be specified
for hop-by-hop security

Mike's main issue was that TLS does not work with UDP

Henning made the point that TCP works well for "signaling trunks",
nailed up signaling connections that persist.  There was some question
about the implications of HOL blocking in this situation. SCTP solves
that potential problem

Main issue with IPSec is that it is somewhat decoupled from the
application since it is done at Layer 3.  It is harder to do
"automatically"

Some agreement that TLS is appropriate for some cases and IPSec for
others

It was noted that something must be made mandatory implementation, which
is the quandary given the difficulties that the MobileIP group had

Dave noted that the UA to Proxy and Proxy to Proxy security can be
different

A proposal was made to use TLS for Proxy to Proxy only as a mandatory
implementation

Another potential bis problem was noted, "how is a UA-to-UA with no
previous trust relationship handled?"  I did not gather any additional
notes from that discussion

The meeting ended with a short discussion on the question of what the
IESG would accept for a mandatory implementation

------=_NextPart_000_0006_01C12404.B26E0B70
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">


<body lang=3DEN-US link=3Dblue vlink=3Dpurple =
style=3D'tab-interval:.5in'>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Been trying to send out the combined minutes but they =
are
bouncing for size.<span style=3D'mso-spacerun:yes'>=A0 </span>Sending =
them one
piece at a time&#8230;<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>FM<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p><font size=3D2 face=3D"Times New Roman"><span =
style=3D'font-size:10.0pt;
mso-no-proof:yes'><o:p>&nbsp;</o:p></span></font></p>

<p><font size=3D2 face=3DVerdana><span =
style=3D'font-size:10.0pt;font-family:Verdana;
mso-no-proof:yes'>Frank W. Miller, Ph.D.<br>
Chief Technical Officer<br>
sentitO Networks, Inc.</span></font><font size=3D2><span =
style=3D'font-size:10.0pt;
mso-no-proof:yes'><br>
</span></font><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier =
New";mso-no-proof:yes'>www.sentito.com</span></font><font
size=3D2><span =
style=3D'font-size:10.0pt;mso-no-proof:yes'><o:p></o:p></span></font></p>=


<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>SIP Security Adhoc Meeting Minutes<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Meeting held on Wednsday </span></font><st1:date Month=3D"8" =
Day=3D"8"
Year=3D"2001">August 8, 2001</st1:date> at 51st IETF located at the =
Hilton
Metropole in <st1:place><st1:City>London</st1:City>, =
<st1:country-region>England</st1:country-region></st1:place>.<o:p></o:p><=
/p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Some early comments:<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* Removal of Signal Header (?) means that some way of passing =
security
information transitively is required<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* Security information must be handed from one UA to =
another<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Meeting proper:<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* A threat model and analysis must be =
developed<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* Mike<span class=3DGramE>?s</span> draft could be used as a =
starting
point (Henning pointed out that the draft would be alright as a starting =
point
but that it is incomplete)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* Mike<span class=3DGramE>?s</span> draft discusses ?inside? =
vs<span
class=3DGramE>. ?</span>outside? <span =
class=3DGramE>threats</span><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* </span></font><st1:City><st1:place>Oran</st1:place></st1:City> =
asked
for these to defined<o:p></o:p></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* Mike defined them as follows: an outside threat is one that is
presented by an entity that is not participating and has no visibility =
into a
conversation and an inside threat is one that is presented by a =
participant in
a conversation<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* For outside threats, the use of TLS etc. vs. http digest may =
suffice<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* Some discussion about inside vs. outside being an instance of =
thread
prioritization<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* Mention of possible use of call control model as a way to =
model
inside vs. outside and to breakdown the description of inside threats to =
the
next level<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* Jonathan described an example (which I didn<span =
class=3DGramE>?t</span>
get to write down) of what he referred to as a ?SIP-specific? <span
class=3DGramE>threat</span><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* The relationship between entities needs to be defined: Henning
referred to the relationship between a UA and a gateway <span =
class=3DGramE>as ?</span>semi-adverserial?<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* At this point in the meeting, the question of whether the =
remainder
of the meeting would focus on the threat model or would also include =
mechanisms
came up.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* An immediate mention of several mechanisms was made: =
authentication,
authorization, and integrity checking<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* The discussion of mechanisms was agreed to a bit =
later<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>* A list of threats was proposed and some examples of use =
included<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>List of Threats<span =
style=3D'mso-tab-count:5'>=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0 </span>Examples
of Use<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Identical Replay<span =
style=3D'mso-tab-count:4'>=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0 </span>Hangup,
Service Theft,<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Modified Replay<span =
style=3D'mso-tab-count:5'>=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 </span>Registration
Hijacking,<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Message Forgery<span =
style=3D'mso-tab-count:5'>=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 </span>User
Impersonation<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Disclosure of Call Signaling =
Information<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Denial of Service (DoS)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><span style=3D'mso-spacerun:yes'>=A0=A0=A0 </span>- Message =
Injection<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><span style=3D'mso-spacerun:yes'>=A0=A0=A0 </span>- Message =
Deletion<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><span style=3D'mso-spacerun:yes'>=A0=A0=A0 </span>- Message =
Amplification<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>It was noted that the list of threats constitutes a different =
taxonomy
for describing the threats than Mike<span class=3DGramE>?s</span> =
taxonomy<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Henning commented that this approach may be superior since it =
seemed
intuitively easier to show completeness for<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Also noted that this new taxonomy does not capture descriptions =
of
level of trust<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Dave described an example where a UA uses a RADIUS sever for
authentication but that anyone that can compromise the RADIUS server =
also
compromises the UA, allowing it to be impersonated (not sure I copied =
this
right Dave)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>A description of <span class=3DGramE>the ?Pentagon</span>? <span
class=3DGramE>described</span> in Mike?s draft was =
presented<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>The Pentagon is used to describe boundaries of =
trust<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Mike<span class=3DGramE>?s</span> draft presents a fully =
connected graph
and describes the level of trust between each pair of =
endpoints<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Discussion centered on the possibility that this approach may =
imply
that all mechanisms are necessary for all types of =
connections<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Dave mentioned that the saving grace was that it would probably be
possible to also describe when those mechanisms would and would not =
actually be
used<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>The question was raised about whether conformance to security
requirements and any mechanisms necessary to indicate this was or was =
not the
case was necessary all along the signaling =
path?<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>The question was asked but never answered<span class=3DGramE>, =
"</span>where
are the keys for SRTP handled?"<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>It was noted that the ability to do end-to-end body encryption =
will be
necessary!<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>The question was asked<span class=3DGramE>, "</span>will parties =
along a
signaling path need to be able to authenticate a =
UAC?"<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Discussion then ensued about whether authentication should be =
wrt UAs
or users.<span style=3D'mso-spacerun:yes'>=A0 </span>Some agreement =
emerged that UA
(i.e. domain level) authentication might be valuable but that user level
authentication would probably be =
impractical<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>This agreement came from a discussion about whether =
authentication was
necessary for unsolicited calls.<span style=3D'mso-spacerun:yes'>=A0 =
</span>In this
case, domain-level authentication would probably provide some additional =
value
but that user level authentication might be difficult if not =
impossible<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>The discussion then turned to what mechanisms will be included =
in the bis
regarding security given the looming Dec. =
deadline<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Some agreement on the hop-by-hop discussion only <span =
class=3DGramE>that
more complex mechanisms</span> will need to be put in a separate =
draft<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>The point was made that mechanisms should only be proposed for =
the
separated draft after at least one round of requirements had been =
circulated<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Backward compatibility is important, additional security =
features
cannot force a wholesale change to the existing <span =
class=3DGramE>bis</span>
mechanisms<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Henning mentioned a potential practical problem: a separate =
draft will
require a separate implementation.<span style=3D'mso-spacerun:yes'>=A0 =
</span>The
group did not see this as a serious problem<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>The discussion then turned to whether TLS or IPSec should be =
specified
for hop-by-hop security<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Mike<span class=3DGramE>'s</span> main issue was that TLS does =
not work
with UDP<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Henning made the point that TCP works well <span =
class=3DGramE>for "</span>signaling
trunks", nailed up signaling connections that persist.<span
style=3D'mso-spacerun:yes'>=A0 </span>There was some question about the
implications of HOL blocking in this situation. SCTP solves that =
potential
problem<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Main issue with IPSec is that it is somewhat decoupled from the
application since it is done at Layer 3.<span =
style=3D'mso-spacerun:yes'>=A0
</span>It is harder to <span class=3DGramE>do =
"</span>automatically"<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Some agreement that TLS is appropriate for some cases and IPSec =
for
others<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>It was noted that something must be made mandatory =
implementation,
which <span class=3DGramE>is the quandary</span> given the difficulties =
that the
MobileIP group had<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Dave noted that the UA to Proxy and Proxy to Proxy security can =
be
different<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>A proposal was made to use TLS for Proxy to Proxy only as a =
mandatory
implementation<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Another potential bis problem was noted<span class=3DGramE>, =
"</span>how
is a UA-to-UA with no previous trust relationship handled?"<span
style=3D'mso-spacerun:yes'>=A0 </span>I did not gather any additional =
notes from
that discussion<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>The meeting ended with a short discussion on the question of =
what the
IESG would accept for a mandatory =
implementation<o:p></o:p></span></font></p>

</div>

</body>

</html>

------=_NextPart_000_0006_01C12404.B26E0B70--


_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
http://www1.ietf.org/mailman/listinfo/sip-security


From sip-security-admin@ietf.org  Mon Aug 13 14:36:34 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA26803
	for <sip-security-archive@odin.ietf.org>; Mon, 13 Aug 2001 14:36:29 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id OAA17138;
	Mon, 13 Aug 2001 14:35:43 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id OAA17104
	for <sip-security@ns.ietf.org>; Mon, 13 Aug 2001 14:35:42 -0400 (EDT)
Received: from face.sentitonetworks.com (user9.sentito.com [65.202.222.9] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA26762
	for <sip-security@ietf.org>; Mon, 13 Aug 2001 14:34:30 -0400 (EDT)
Received: (qmail 12541 invoked from network); 13 Aug 2001 18:32:27 -0000
Received: from unknown (HELO overhill) (relay@65.202.222.2)
  by face.sentitonetworks.com with SMTP; 13 Aug 2001 18:32:27 -0000
From: "Frank W. Miller" <fmiller@sentito.com>
To: <sip-security@ietf.org>
Date: Mon, 13 Aug 2001 14:34:24 -0400
Message-ID: <000c01c12426$93584f80$d200000a@overhill>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_000D_01C12405.0C46AF80"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Subject: [Sip-security] Second part of minutes from SIP Security Adhoc at 51st IETF
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

This is a multi-part message in MIME format.

------=_NextPart_000_000D_01C12405.0C46AF80
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

This set was taken by Charles Kalmenek...

Frank W. Miller, Ph.D.
Chief Technical Officer
sentitO Networks, Inc.
www.sentito.com

SIP Security Ad-hoc, Wednesday evening

Start with threat model.  Start with Mike's draft.

Hop by hop vs. end to end is different from inside vs. outside.  Inside
means participants in the call itself; keeping outsiders out is easier;
may degenerate into hop by hop security.

If your threat is an outsider, may be better using a hop by hop model
rather than http digest. Is the cost of these other methods
significantly higher?

Threats

Identical message replay
Modified message replay
Message forgery (e.g., impersonation)
Disclosure of signaling information
Denial of service (message injection, message deletion)

Theft of service (e.g., through replay attack of intercepted signaling)
Hang up somebody's call
Bill diversion
Registration hijacking
User identity masquerading/spoofing
Impersonate another user
Impersonate a proxy
Create a registration that shouldn't exist
Resource consumption (e.g., creation of state)

Authentication
Authorization
Confidentiality
Integrity

Pyramid picture can be used for analyzing trust boundaries

               P-bg
             /      \
        P-a     P-b
       /               \
 UAa ----------- Uab

This doesn't help you understand which mechanisms are needed; it's
useful to know when to invoke a particular mechanism.

Henning: how do we convey desires and requirements for security along
the way?

End-to-end body confidentiality is needed, since bodies may be used to
carry end-to-end keys.

Mike: Parties along the path need to be able to authenticate UAC.
Henning: No, I don't care that someone unknown to me makes a call to me.
It is useful to know it came from the Gas & Electric company.  Brian: Do
we need to be able to authenticate domains?  Chuck: similar to behavior
of caller id from PBXs where general number is provided as caller id.

Relationship between anonymity, authenticity and privacy.

Brian wants to have a simple hop by hop security mechanism (e.g., TLS)
in the bis document, and not much else.

EAP authentication is being proposed for 3GPP.

Henning would like to use TLS; Mike would like to use IPSec.  Mike's
concern about TLS is that it doesn't work with UDP.  Henning: TCP may
not be so bad for signaling trunks.  Dave: but you get HOL blocking.
Henning: you are likely to have trust relationships with entities that
you communicate with a lot.  Brian: this is not a reason for
distinguishing between IPSec and TLS.

Problems with IPSec: keying is harder to do automatically; because it's
built into the OS, you end up assuming that because a message came from
a particular IP address, you should trust it. Henning: we don't need to
make this an either-or choice.  Dave: UA-proxy and proxy-proxy may be
different.  UA's are currently not required to implement TCP.  Brian:
IPSec is not in any OS but SunOS.  Need to pick one that is mandatory to
implement.  There is no mandatory to use requirement.

------=_NextPart_000_000D_01C12405.0C46AF80--


_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
http://www1.ietf.org/mailman/listinfo/sip-security


From sip-security-admin@ietf.org  Mon Aug 13 15:38:42 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA27587
	for <sip-security-archive@odin.ietf.org>; Mon, 13 Aug 2001 15:38:41 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA18563;
	Mon, 13 Aug 2001 15:39:18 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id OAA28374
	for <sip-security@ns.ietf.org>; Fri, 10 Aug 2001 14:37:31 -0400 (EDT)
Received: from face.sentitonetworks.com (user9.sentito.com [65.202.222.9] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA09507
	for <sip-security@ietf.org>; Fri, 10 Aug 2001 14:36:18 -0400 (EDT)
Received: (qmail 3069 invoked from network); 10 Aug 2001 18:34:22 -0000
Received: from unknown (HELO overhill) (relay@65.202.222.2)
  by face.sentitonetworks.com with SMTP; 10 Aug 2001 18:34:22 -0000
From: "Frank W. Miller" <fmiller@sentito.com>
To: <sip-security@ietf.org>
Cc: <fmiller@sentito.com>
Date: Fri, 10 Aug 2001 19:36:16 -0400
Message-ID: <001101c121f5$3fe5bf50$d000000a@overhill>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0012_01C121D3.B8D41F50"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Subject: [Sip-security] Minutes from SIP Security meeting at 51st IETF
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

This is a multi-part message in MIME format.

------=_NextPart_000_0012_01C121D3.B8D41F50
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_0013_01C121D3.B8D5A5F0"


------=_NextPart_001_0013_01C121D3.B8D5A5F0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

 
As promised, here are the minutes from the SIP Security Adhoc
Meeting held at the 51st IETF.  The first document is the minutes
taken by me, the appointed recorder.  The second document
was provided by Charles Kalmanek, who also took
notes in the hope that the union of the two was better than either
one alone.
 
Enjoy!
FM
 
 
Frank W. Miller, Ph.D.
Chief Technical Officer
sentitO Networks, Inc.
www.sentito.com
 

------=_NextPart_001_0013_01C121D3.B8D5A5F0--

------=_NextPart_000_0012_01C121D3.B8D41F50
Content-Type: application/msword;
	name="SIP Security Adhoc Meeting Minutes.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="SIP Security Adhoc Meeting Minutes.doc"

------=_NextPart_000_0012_01C121D3.B8D41F50
Content-Type: application/msword;
	name="ietf51-sipsec-adhoc.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="ietf51-sipsec-adhoc.doc"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAABAAAAAgAAAAMAAAAEAAAABQAAAAYAAAAHAAAACAAAAAkAAAAKAAAA
CwAAAAwAAAD+////DgAAAA8AAAAQAAAAEQAAABIAAAATAAAAFAAAABUAAAAWAAAA/v///xgAAAAZ
AAAAGgAAABsAAAAcAAAAHQAAAB4AAAD+////IAAAACEAAAAiAAAAIwAAACQAAAAlAAAAJgAAAP7/
///9////KQAAAP7////+/////v//////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
/////////////////////1IAbwBvAHQAIABFAG4AdAByAHkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWAAUB//////////8DAAAABgkCAAAAAADAAAAAAAAARgAA
AAAAAAAAAAAAABAvs2FQIMEBKwAAAIAAAAAAAAAAMQBUAGEAYgBsAGUAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAgD///////////////8AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANAAAA2RMAAAAAAABXAG8AcgBkAEQAbwBj
AHUAbQBlAG4AdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGgACAQUA
AAD//////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiGAAAAAAA
AAUAUwB1AG0AbQBhAHIAeQBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAoAAIBAgAAAAQAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAFwAAAAAQAAAAAAAABQBEAG8AYwB1AG0AZQBuAHQAUwB1AG0AbQBhAHIAeQBJAG4AZgBvAHIA
bQBhAHQAaQBvAG4AAAAAAAAAAAAAADgAAgH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAfAAAAABAAAAAAAAABAEMAbwBtAHAATwBiAGoAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgACAQEAAAAGAAAA/////wAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABqAAAAAAAAAE8AYgBqAGUAYwB0AFAA
bwBvAGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWAAEA////
////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAQL7NhUCDBARAvs2FQIMEBAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAABAAAA/v//////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
/////////////////wEA/v8DCgAA/////wYJAgAAAAAAwAAAAAAAAEYYAAAATWljcm9zb2Z0IFdv
cmQgRG9jdW1lbnQACgAAAE1TV29yZERvYwAQAAAAV29yZC5Eb2N1bWVudC44APQ5snEAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAUgBvAG8AdAAgAEUAbgB0AHIAeQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAABYABQH//////////wMAAAAGCQIAAAAAAMAAAAAAAABGAAAAAAAA
AAAAAAAA0DrHP/UhwQExAAAAwAMAAAAAAAAxAFQAYQBiAGwAZQAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgACAP///////////////wAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAADZEwAAAAAAAFcAbwByAGQARABvAGMAdQBt
AGUAbgB0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAIBBQAAAP//
////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIYAAAAAAAABQBT
AHUAbQBtAGEAcgB5AEkAbgBmAG8AcgBtAGEAdABpAG8AbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAACgAAgECAAAABAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
AAAAABAAAAAAAAABAAAAAgAAAAMAAAAEAAAABQAAAAYAAAAHAAAACAAAAAkAAAAKAAAACwAAAAwA
AAD+////DgAAAA8AAAAQAAAAEQAAABIAAAATAAAAFAAAABUAAAAWAAAA/v///xgAAAAZAAAAGgAA
ABsAAAAcAAAAHQAAAB4AAAD+////////////////////////////////////////////////////
/////////////////////zAAAAD9/////v////7////+////LwAAAP//////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
/////////////wEAAAD+////AwAAAAQAAAAFAAAABgAAAAcAAAAIAAAACQAAAAoAAAALAAAADAAA
AA0AAAAOAAAA/v//////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////AwAAAAwBAAAEAAAAdAEAAAUAAACkAQAABAAAAAIAAAAUAAAAXwBBAGQASABvAGMA
UgBlAHYAaQBlAHcAQwB5AGMAbABlAEkARAAAAAMAAAAOAAAAXwBFAG0AYQBpAGwAUwB1AGIAagBl
AGMAdAAAAAQAAAANAAAAXwBBAHUAdABoAG8AcgBFAG0AYQBpAGwAAAAAAAUAAAAYAAAAXwBBAHUA
dABoAG8AcgBFAG0AYQBpAGwARABpAHMAcABsAGEAeQBOAGEAbQBlAAAAAgAAALAEAAATAAAACQQA
AAMAAACofe49HwAAAC8AAABNAGkAbgB1AHQAZQBzACAAZgByAG8AbQAgAFMASQBQACAAUwBlAGMA
dQByAGkAdAB5ACAAbQBlAGUAdABpAG4AZwAgAGEAdAAgADUAMQBzAHQAIABJAEUAVABGAAAAAAAf
AAAAFAAAAGYAbQBpAGwAbABlAHIAQABzAGUAbgB0AGkAdABvAC4AYwBvAG0AAAAfAAAAEAAAAEYA
cgBhAG4AawAgAFcALgAgAE0AaQBsAGwAZQByAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAFAEQAbwBjAHUAbQBlAG4AdABTAHUAbQBtAGEAcgB5AEkAbgBmAG8AcgBtAGEAdABp
AG8AbgAAAAAAAAAAAAAAOAACAf///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAIAAAAkAwAAAAAAAAEAQwBvAG0AcABPAGIAagAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASAAIBAQAAAAYAAAD/////AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGoAAAAAAAAATwBiAGoAZQBjAHQAUABvAG8AbAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABYAAQD/////////////
//8AAAAAAAAAAAAAAAAAAAAAAAAAABAvs2FQIMEBEC+zYVAgwQEAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAEA/v8DCgAA/////wYJAgAAAAAAwAAAAAAAAEYYAAAATWljcm9zb2Z0IFdvcmQgRG9j
dW1lbnQACgAAAE1TV29yZERvYwAQAAAAV29yZC5Eb2N1bWVudC44APQ5snEAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA/v8AAAUAAgAAAAAAAAAAAAAAAAAAAAAAAgAAAALVzdWcLhsQ
k5cIACss+a5EAAAABdXN1ZwuGxCTlwgAKyz5rlgBAAAUAQAADAAAAAEAAABoAAAADwAAAHAAAAAF
AAAAjAAAAAYAAACUAAAAEQAAAJwAAAAXAAAApAAAAAsAAACsAAAAEAAAALQAAAATAAAAvAAAABYA
AADEAAAADQAAAMwAAAAMAAAA9QAAAAIAAADkBAAAHgAAABQAAABBVCZUIExhYnMgUmVzZWFyY2gg
AAMAAAATAAAAAwAAAAQAAAADAAAAVQsAAAMAAAAXEAkACwAAAAAAAAALAAAAAAAAAAsAAAAAAAAA
CwAAAAAAAAAeEAAAAQAAAB0AAABNdXN0IHN0YXJ0IHdpdGggdGhyZWF0IG1vZGVsAAwQAAACAAAA
HgAAAAYAAABUaXRsZQADAAAAAQAAAADMAQAABwAAAAAAAABAAAAAAQAAAPQAAAAAAACA/AAAAAIA
AAAEAQAA

------=_NextPart_000_0012_01C121D3.B8D41F50--



_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
http://www1.ietf.org/mailman/listinfo/sip-security


From sip-security-admin@ietf.org  Mon Aug 13 15:39:10 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA27599
	for <sip-security-archive@odin.ietf.org>; Mon, 13 Aug 2001 15:39:05 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA18639;
	Mon, 13 Aug 2001 15:39:24 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id OAA16653
	for <sip-security@ns.ietf.org>; Mon, 13 Aug 2001 14:30:00 -0400 (EDT)
Received: from face.sentitonetworks.com (user9.sentito.com [65.202.222.9] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA26654
	for <sip-security@ietf.org>; Mon, 13 Aug 2001 14:28:49 -0400 (EDT)
Received: (qmail 12521 invoked from network); 13 Aug 2001 18:26:46 -0000
Received: from unknown (HELO overhill) (relay@65.202.222.2)
  by face.sentitonetworks.com with SMTP; 13 Aug 2001 18:26:46 -0000
From: "Frank W. Miller" <fmiller@sentito.com>
To: <sip-security@ietf.org>
Date: Mon, 13 Aug 2001 14:28:42 -0400
Message-ID: <000001c12425$c7c6d0d0$d200000a@overhill>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0001_01C12404.40B530D0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Subject: [Sip-security] Minutes from SIP Security Adhoc at 51st IETF
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C12404.40B530D0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Greetings,

Here are the minutes from the SIP Security Adhoc meeting held at the
51st IETF in London.  I sent these to the list last week as word docs
but the list bounced the message because the attachments were larger
than 40K.  So I reformatted the thing as text and hopefully it will make
it through this time...

FM

Frank W. Miller, Ph.D.
Chief Technical Officer
sentitO Networks, Inc.
www.sentito.com

SIP Security Adhoc Meeting Minutes

Taken By Frank Miller

Meeting held on Wednesday August 8, 2001 at 51st IETF located at the
Hilton Metropole in London, England.

Some early comments:

* Removal of Signal Header (?) means that some way of passing security
information transitively is required

* Security information must be handed from one UA to another

Meeting proper:

* A threat model and analysis must be developed

* Mike's draft could be used as a starting point (Henning pointed out
that the draft would be alright as a starting point but that it is
incomplete)

* Mike's draft discusses "inside" vs. "outside" threats

* Oran asked for these to be defined

* Mike defined them as follows: an outside threat is one that is
presented by an entity that is not participating and has no visibility
into a conversation and an inside threat is one that is presented by a
participant in a conversation

* For outside threats, the use of TLS etc. vs. http digest may suffice

* Some discussion about inside vs. outside being an instance of threat
prioritization

* Mention of possible use of call control model as a way to model inside
vs. outside and to break down the description of inside threats to the
next level

* Jonathan described an example (which I didn't get to write down) of
what he referred to as a "SIP-specific" threat

* The relationship between entities needs to be defined: Henning
referred to the relationship between a UA and a gateway as
"semi-adversarial"

* At this point in the meeting, the question of whether the remainder of
the meeting would focus on the threat model or would also include
mechanisms came up.

* An immediate mention of several mechanisms was made: authentication,
authorization, and integrity checking

* The discussion of mechanisms was agreed to a bit later

* A list of threats was proposed and some examples of use included

List of Threats                             Examples of Use
Identical Replay                            Hangup, Service Theft,
Modified Replay                             Registration Hijacking,
Message Forgery                             User Impersonation
Disclosure of Call Signaling Information
Denial of Service (DoS)
    - Message Injection
    - Message Deletion
    - Message Amplification

It was noted that the list of threats constitutes a different taxonomy
for describing the threats than Mike's taxonomy

Henning commented that this approach may be superior since it seemed
intuitively easier to show completeness for

Also noted that this new taxonomy does not capture descriptions of level
of trust

Dave described an example where a UA uses a RADIUS server for
authentication but that anyone that can compromise the RADIUS server also
compromises the UA, allowing it to be impersonated (not sure I copied
this right Dave)

A description of the "Pentagon" described in Mike's draft was presented

The Pentagon is used to describe boundaries of trust

Mike's draft presents a fully connected graph and describes the level of
trust between each pair of endpoints

Discussion centered on the possibility that this approach may imply that
all mechanisms are necessary for all types of connections

Dave mentioned that the saving grace was that it would probably be possible
to also describe when those mechanisms would and would not actually be
used

The question was raised about whether conformance to security
requirements and any mechanisms necessary to indicate this was or was
not the case was necessary all along the signaling path?

The question was asked but never answered, "where are the keys for SRTP
handled?"

It was noted that the ability to do end-to-end body encryption will be
necessary!

The question was asked, "will parties along a signaling path need to be
able to authenticate a UAC?"

Discussion then ensued about whether authentication should be wrt UAs or
users.  Some agreement emerged that UA (i.e. domain level)
authentication might be valuable but that user level authentication
would probably be impractical

This agreement came from a discussion about whether authentication was
necessary for unsolicited calls.  In this case, domain-level
authentication would probably provide some additional value but that
user level authentication might be difficult if not impossible

The discussion then turned to what mechanisms will be included in the bis
regarding security given the looming Dec. deadline

Some agreement on the hop-by-hop discussion only that more complex
mechanisms will need to be put in a separate draft

The point was made that mechanisms should only be proposed for the
separated draft after at least one round of requirements had been
circulated

Backward compatibility is important, additional security features cannot
force a wholesale change to the existing bis mechanisms

Henning mentioned a potential practical problem: a separate draft will
require a separate implementation.  The group did not see this as a
serious problem

The discussion then turned to whether TLS or IPSec should be specified
for hop-by-hop security

Mike's main issue was that TLS does not work with UDP

Henning made the point that TCP works well for "signaling trunks",
nailed up signaling connections that persist.  There was some question
about the implications of HOL blocking in this situation. SCTP solves
that potential problem

Main issue with IPSec is that it is somewhat decoupled from the
application since it is done at Layer 3.  It is harder to do
"automatically"

Some agreement that TLS is appropriate for some cases and IPSec for
others

It was noted that something must be made mandatory implementation, which
is the quandary given the difficulties that the MobileIP group had

Dave noted that the UA to Proxy and Proxy to Proxy security can be
different

A proposal was made to use TLS for Proxy to Proxy only as a mandatory
implementation

Another potential bis problem was noted, "how is a UA-to-UA with no
previous trust relationship handled?"  I did not gather any additional
notes from that discussion

The meeting ended with a short discussion on the question of what the
IESG would accept for a mandatory implementation


Minutes taken by Charles Kalmenek


SIP Security Ad-hoc, Wednesday evening

Start with threat model.  Start with Mike's draft.

Hop by hop vs. end to end is different from inside vs. outside.   Inside
means participants in the call itself; keeping outsiders out is easier;
may degenerate into hop by hop security.

If your threat is an outsider, may be better using a hop by hop model
rather than http digest. Is the cost of these other methods
significantly higher?

Threats

Identical message replay
Modified message replay
Message forgery (e.g., impersonation)
Disclosure of signaling information
Denial of service (message injection, message deletion)

Theft of service (e.g., through replay attack of intercepted signaling)
Hang up somebody's call
Bill diversion
Registration hijacking
User identity masquerading/spoofing
Impersonate another user
Impersonate a proxy
Create a registration that shouldn't exist
Resource consumption (e.g., creation of state)

Authentication
Authorization
Confidentiality
Integrity

Pyramid picture can be used for analyzing trust boundaries

              P-bg
             /       \
          P-a     P-b
         /             \
    UAa ----------- UAb

This doesn't help you understand which mechanisms are needed; it's
useful to know when to invoke a particular mechanism.

Henning: how do we convey desires and requirements for security along
the way?

End-to-end body confidentiality is needed, since bodies may be used to
carry end-to-end keys.

Mike: Parties along the path need to be able to authenticate UAC.
Henning: No, I don't care that someone unknown to me makes a call to me.
It is useful to know it came from the Gas & Electric company.  Brian: Do
we need to be able to authenticate domains?  Chuck: similar to behavior
of caller id from PBXs where general number is provided as caller id.

Relationship between anonymity, authenticity and privacy.

Brian wants to have a simple hop by hop security mechanism (e.g., TLS)
in the bis document, and not much else.

EAP authentication is being proposed for 3GPP.

Henning would like to use TLS; Mike would like to use IPSec.  Mike's
concern about TLS is that it doesn't work with UDP.  Henning: TCP may not
be so bad for signaling trunks.  Dave: but you get HOL blocking.  Henning:
you are likely to have trust relationships with entities that you
communicate with a lot.  Brian: this is not a reason for distinguishing
between IPSec and TLS.

Problems with IPSec: keying is harder to do automatically; because it's
built into the OS, you end up assuming that because a message came from
a particular IP address, you should trust it. Henning: we don't need to
make this an either-or choice.   Dave: UA-proxy and proxy-proxy may be
different.  UAs are currently not required to implement TCP.   Brian:
IPSec is not in any OS but SunOS.  Need to pick one that is mandatory to
implement.  There is no mandatory to use requirement.

------=_NextPart_000_0001_01C12404.40B530D0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">


<body lang=3DEN-US link=3Dblue vlink=3Dpurple =
style=3D'tab-interval:.5in'>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Greetings,<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Here are the minutes from the SIP Security <span
class=3DSpellE>Adhoc</span> meeting held at the <span =
class=3DGramE>51<sup>st</sup>
<span style=3D'mso-spacerun:yes'>=A0</span>IETF</span> in =
</span></font><st1:City><st1:place><font
  size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial'>London</span></font></st1:pl=
ace></st1:City><font
size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial'>.<span
style=3D'mso-spacerun:yes'>=A0 </span>I sent these to the list last week =
as word
docs but the list bounced the message because the attachments were =
larger than
40K.<span style=3D'mso-spacerun:yes'>=A0 </span>So I reformatted the =
thing as text
and hopefully it will make it through this =
time&#8230;<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>FM<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Frank W. Miller, Ph.D.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Chief Technical Officer<o:p></o:p></span></font></p>

<p class=3DMsoNormal><span class=3DGramE><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>sentitO</span></font></span>=
<font
size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial'> Networks,
Inc.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>www.sentito.com<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>SIP Security Adhoc Meeting =
Minutes<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Taken By Frank Miller<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Meeting held on Wednesday August 8, 2001 at 51st IETF
located at the Hilton Metropole in London, =
England.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Some early comments:<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* Removal of Signal Header (?) means that some way of
passing security information transitively is =
required<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* Security information must be handed from one UA to =
another<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Meeting proper:<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* A threat model and analysis must be =
developed<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* Mike's draft could be used as a starting point
(Henning pointed out that the draft would be alright as a starting point
but that it is incomplete)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* Mike's draft discusses "inside" vs. "outside" =
threats<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* Oran asked for these to be =
defined<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* Mike defined them as follows: an outside threat is =
one
that is presented by an entity that is not participating and has no =
visibility
into a conversation and an inside threat is one that is presented by a
participant in a conversation<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* For outside threats, the use of TLS etc. vs. http =
digest
may suffice<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* Some discussion about inside vs. outside being an =
instance
of threat prioritization<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* Mention of possible use of call control model as a =
way to
model inside vs. outside and to break down the description of inside =
threats to
the next level<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* Jonathan described an example (which I didn't get to
write down) of what he referred to as a "SIP-specific" =
threat<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* The relationship between entities needs to be =
defined:
Henning referred to the relationship between a UA and a gateway as
"semi-adversarial"<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* At this point in the meeting, the question of =
whether the
remainder of the meeting would focus on the threat model or would also =
include
mechanisms came up.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* An immediate mention of several mechanisms was =
made:
authentication, authorization, and integrity =
checking<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* The discussion of mechanisms was agreed to a bit =
later<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>* A list of threats was proposed and some examples of =
use
included<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<table border=3D0 cellspacing=3D0 cellpadding=3D2>
 <tr>
  <td><font size=3D2 face=3DArial>List of Threats</font></td>
  <td><font size=3D2 face=3DArial>Examples of Use</font></td>
 </tr>
 <tr>
  <td><font size=3D2 face=3DArial>Identical Replay</font></td>
  <td><font size=3D2 face=3DArial>Hangup, Service Theft,</font></td>
 </tr>
 <tr>
  <td><font size=3D2 face=3DArial>Modified Replay</font></td>
  <td><font size=3D2 face=3DArial>Registration Hijacking,</font></td>
 </tr>
 <tr>
  <td><font size=3D2 face=3DArial>Message Forgery</font></td>
  <td><font size=3D2 face=3DArial>User Impersonation</font></td>
 </tr>
 <tr>
  <td><font size=3D2 face=3DArial>Disclosure of Call Signaling =
Information</font></td>
  <td>&nbsp;</td>
 </tr>
 <tr>
  <td><font size=3D2 face=3DArial>Denial of Service (DoS)<br>
  &nbsp;&nbsp;&nbsp; - Message Injection<br>
  &nbsp;&nbsp;&nbsp; - Message Deletion<br>
  &nbsp;&nbsp;&nbsp; - Message Amplification</font></td>
  <td>&nbsp;</td>
 </tr>
</table>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>It was noted that the list of threats constitutes a
different taxonomy for describing the threats than Mike's =
taxonomy<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Henning commented that this approach may be superior =
since
it seemed intuitively easier to show completeness =
for<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Also noted that this new taxonomy does not capture
descriptions of level of trust<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Dave described an example where a UA uses a RADIUS =
server for
authentication but that anyone that can compromise the
RADIUS server also compromises the UA, allowing it to be impersonated =
(not sure
I copied this right Dave)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>A description of the "Pentagon" described in Mike's =
draft was
presented<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>The Pentagon is used to describe boundaries of =
trust<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Mike's draft presents a fully connected graph and
describes the level of trust between each pair of =
endpoints<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Discussion centered on the possibility that this =
approach
may imply that all mechanisms are necessary for all types of =
connections<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Dave mentioned that the saving grace was that it =
would
probably be possible to also describe when those mechanisms would and =
would not
actually be used<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>The question was raised about whether conformance to
security requirements and any mechanisms necessary to indicate this was =
or was
not the case was necessary all along the signaling =
path?<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>The question was asked but never answered, "where are
the keys for SRTP handled?"<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>It was noted that the ability to do end-to-end body
encryption will be necessary!<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>The question was asked, "will
parties along a signaling path need to be able to authenticate a =
UAC?"<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Discussion then ensued about whether authentication =
should
be wrt UAs or users.=A0 Some agreement emerged that UA (i.e. domain
level) authentication might be valuable but that user level =
authentication would
probably be impractical<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>This agreement came from a discussion about whether
authentication was necessary for unsolicited calls.<span
style=3D'mso-spacerun:yes'>=A0 </span>In this case, domain-level =
authentication
would probably provide some additional value but that user level =
authentication
might be difficult if not impossible<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>The discussion then turned to what mechanisms will be
included in the bis regarding security given the looming
Dec. deadline<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Some agreement on the hop-by-hop discussion only that
more complex mechanisms will need to be put in a
separate draft<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>The point was made that mechanisms should only be =
proposed
for the separated draft after at least one round of requirements had =
been
circulated<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Backward compatibility is important, additional =
security
features cannot force a wholesale change to the existing bis =
mechanisms<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Henning mentioned a potential practical problem: a =
separate
draft will require a separate implementation.=A0 The group did not see
this as a serious problem<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>The discussion then turned to whether TLS or IPSec =
should be
specified for hop-by-hop security<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Mike's main issue was that TLS does not work with =
UDP<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Henning made the point that TCP works well for
"signaling trunks", nailed up signaling connections that
persist.=A0 There was some question about
the implications of HOL blocking in this situation. SCTP solves that =
potential
problem<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Main issue with IPSec is that it is somewhat =
decoupled from
the application since it is done at Layer 3.=A0 It is harder to do
"automatically"<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Some agreement that TLS is appropriate for some cases =
and
IPSec for others<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>It was noted that something must be made mandatory
implementation, which is the quandary given the difficulties
that the MobileIP group had<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Dave noted that the UA to Proxy and Proxy to Proxy =
security
can be different<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>A proposal was made to use TLS for Proxy to Proxy =
only as a
mandatory implementation<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Another potential bis problem was
noted, "how is a UA-to-UA with no previous trust
relationship handled?"=A0 I did not gather
any additional notes from that discussion<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>The meeting ended with a short discussion on the =
question of
what the IESG would accept for a mandatory =
implementation<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Minutes taken by Charles =
Kalmenek<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>SIP Security Ad-hoc, Wednesday =
evening<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Start with threat model.=A0 Start with Mike's
draft.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Hop by hop vs. end to end is different from inside =
vs.
outside.<span style=3D'mso-spacerun:yes'>=A0=A0 </span>Inside means =
participants in the
call itself; keeping outsiders out is easier; may degenerate into hop by =
hop
security.<span style=3D'mso-spacerun:yes'>=A0 =
</span><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>If your threat is an outsider, may be better using a =
hop by
hop model rather than http digest. Is the cost of these other methods
significantly higher?<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Threats<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Identical message replay<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Modified message replay<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Message forgery (e.g., =
impersonation)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Disclosure of signaling =
information<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Denial of service (message injection, message =
deletion)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Theft of service (e.g., through replay attack of =
intercepted
signaling)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Hang up somebody's call<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Bill diversion<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Registration hijacking<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>User identity =
masquerading/spoofing<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Impersonate another user<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Impersonate a proxy<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Create a registration that shouldn't =
exist<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Resource consumption (e.g., creation of =
state)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Authentication<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Authorization<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Confidentiality<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Integrity<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Pyramid picture can be used for analyzing trust =
boundaries<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<pre>
           P-bg
            / \
         P-a   P-b
        /         \
    UAa ----------- UAb
</pre>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>This <span class=3DSpellE>doesn<span =
class=3DGramE>?t</span></span>
help you understand which mechanisms are needed; <span =
class=3DSpellE>it?s</span>
useful to know when to invoke a particular mechanism.<span
style=3D'mso-spacerun:yes'>=A0 </span><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Henning: how do we convey desires and requirements =
for
security along the way?<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>End-to-end body confidentiality is needed, since =
bodies may
be used to carry end-to-end keys.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Mike: Parties along the path need to be able to =
authenticate
UAC.<span style=3D'mso-spacerun:yes'>=A0 </span>Henning: No, I <span =
class=3DSpellE>don<span
class=3DGramE>?t</span></span> care that someone unknown to me makes a =
call to
me.<span style=3D'mso-spacerun:yes'>=A0 </span>It is useful to know it =
came from the
Gas &amp; Electric <span class=3DGramE>company</span>.<span
style=3D'mso-spacerun:yes'>=A0 </span>Brian: Do we need to be able to =
authenticate
domains?<span style=3D'mso-spacerun:yes'>=A0 </span>Chuck: similar to =
behavior of caller
id from PBXs where general number is provided as caller =
id.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><span class=3DGramE><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>Relationship between =
anonymity,
authenticity and privacy.</span></font></span><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Brian wants to have a simple hop by hop security =
mechanism
(e.g., TLS) in the <span class=3DSpellE><span =
class=3DGramE>bis</span></span>
document, and not much else.<span style=3D'mso-spacerun:yes'>=A0 =
</span><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>EAP authentication is being proposed for =
3GPP.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Henning would like to use TLS; Mike would like to
IPSec.<span style=3D'mso-spacerun:yes'>=A0 </span><span =
class=3DSpellE>Mike<span
class=3DGramE>?s</span></span> concern about TLS is that it <span =
class=3DSpellE>doesn?t</span>
work with UDP.<span style=3D'mso-spacerun:yes'>=A0 </span>Henning: TCP =
may not be
so bad for signaling trunks.<span style=3D'mso-spacerun:yes'>=A0 =
</span>Dave: but
you get HOL blocking.<span style=3D'mso-spacerun:yes'>=A0 =
</span>Henning: you are
likely to have trust relationships with entities that you communicate =
with a
lot.<span style=3D'mso-spacerun:yes'>=A0 </span>Brian: this is not a =
reason for
distinguishing between IPSec and TLS.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Problems with IPSec: keying is harder to do =
automatically<span
class=3DGramE>;<span style=3D'mso-spacerun:yes'>=A0 =
</span>because</span> <span
class=3DSpellE>it?s</span> built into the OS, you end up assuming =
that<span
style=3D'mso-spacerun:yes'>=A0 </span>because a message came from a =
particular IP
address, you should trust it. Henning: we <span class=3DSpellE>don<span
class=3DGramE>?t</span></span> need to make this an either-or =
choice.<span
style=3D'mso-spacerun:yes'>=A0=A0 </span>Dave: UA-proxy and proxy-proxy =
may be
different.<span style=3D'mso-spacerun:yes'>=A0 </span><span =
class=3DSpellE>UA<span
class=3DGramE>?s</span></span> are currently not required to implement =
TCP.<span
style=3D'mso-spacerun:yes'>=A0=A0 </span>Brian: IPSec is not in any OS =
but
SunOS.<span style=3D'mso-spacerun:yes'>=A0 </span>Need to pick one that =
is
mandatory to implement.<span style=3D'mso-spacerun:yes'>=A0 </span>There =
is no
mandatory to use requirement.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

</div>

</body>

</html>

------=_NextPart_000_0001_01C12404.40B530D0--



_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
http://www1.ietf.org/mailman/listinfo/sip-security


From sip-security-admin@ietf.org  Tue Aug 21 09:56:47 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA13545
	for <sip-security-archive@odin.ietf.org>; Tue, 21 Aug 2001 09:56:47 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id JAA23201;
	Tue, 21 Aug 2001 09:57:26 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id JAA23118
	for <sip-security@ns.ietf.org>; Tue, 21 Aug 2001 09:57:22 -0400 (EDT)
Received: from ws2.piuha.net (ws2.piuha.net [195.165.196.2])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA13519;
	Tue, 21 Aug 2001 09:56:03 -0400 (EDT)
Received: from piuha.net (ws4.piuha.net [195.165.196.4])
	by ws2.piuha.net (Postfix) with ESMTP
	id E57FB6A904; Tue, 21 Aug 2001 16:57:19 +0300 (EEST)
Message-ID: <3B8269E2.9030605@piuha.net>
Date: Tue, 21 Aug 2001 17:02:10 +0300
From: Jari Arkko <jari.arkko@piuha.net>
Organization: None
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.3-ipsec i686; en-US; m18) Gecko/20001107 Netscape6/6.0
X-Accept-Language: en
MIME-Version: 1.0
To: sipping@ietf.org, sip-security@ietf.org
Cc: jari.arkko@ericsson.fi
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] Requirements rather than solutions: security
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org


Hi. In the SIPPING meeting in London it was
expressed that the IETF would rather see
requirements than solutions from other
organizations such as the 3GPP.

I'd like to start the requirements discussion
by a few security-related requirements that I
think are central to how we could proceed in
the authentication work.

As a background, both current and future
mobile networks have an existing authentication
procedure which is based on smart-card like
devices called SIMs. As these devices and
algorithms are already used even to get network
access, the operators have built an
infrastructure to hand out and manage
hundreds of millions of these cards. A primary
function of the cards is to offer secure storage
for the long-term keys (to avoid cloning etc).

So, I'd like to propose the following requirements
related to SIP authentication in this context:

- Authentication MUST allow for global roaming.
- It MUST be possible to provide secure storage
    of long-term keys used in SIP clients.
- Authentication MUST be efficient in terms
    of CPU, bandwidth, and roundtrip usage.
    There isn't an infinite amount of CPU on
    these devices, and it is also very much
    necessary to avoid too many roundtrips to
    get registration/call setup times acceptable.
    In particular, public key cryptography may
    not be mandated for all nodes.
- It MUST be possible to reuse 'legacy
    authentication'. In other words, existing
    authentication infrastructure and devices
    used in current networks shouldn't have to
    be rebuilt just to add IP multimedia service.
    Naturally not just the 3GPP but also other
    schemes could be allowed.

There are of course other requirements as well,
but this particular set of requirements is interesting
in the sense that I don't see how the current
protocols allow the above. In particular, external
security protocols such as TLS and IKE are not
likely to fulfill the third nor the fourth
requirement, and current HTTP authentication
schemes don't fulfill at least the fourth.

Any comments on the requirements?

Any proposals on how to fulfill the requirements?
(We have one but would be very interested in hearing
also other proposals!)

Also, I'd like to note that [1] exists, and
gives a fuller picture. I believe the above
requirements are also a part of the draft.
Dirk, how up-to-date is this draft and does
it contain all 3GPP requirements?

Jari Arkko
Ericsson

[1] draft-kroeselberg-sip-3g-security-req-00.txt




From sip-security-admin@ietf.org  Wed Aug 29 04:05:28 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA18054
	for <sip-security-archive@odin.ietf.org>; Wed, 29 Aug 2001 04:05:28 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id EAA24387;
	Wed, 29 Aug 2001 04:05:29 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id EAA24356
	for <sip-security@ns.ietf.org>; Wed, 29 Aug 2001 04:05:27 -0400 (EDT)
Received: from albatross-ext.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [194.237.142.116])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA18046
	for <sip-security@ietf.org>; Wed, 29 Aug 2001 04:04:07 -0400 (EDT)
Received: from fogerty.lmf.ericsson.se (fogerty.lmf.ericsson.se [131.160.11.6])
	by albatross.wise.edt.ericsson.se (8.11.0/8.11.0/WIREfire-1.3) with ESMTP id f7T85PK24560;
	Wed, 29 Aug 2001 10:05:25 +0200 (MEST)
Received: from lmf.ericsson.se (lmf4ws450.lmf.ericsson.se [131.160.38.50])
	by fogerty.lmf.ericsson.se (8.11.3/8.11.3) with ESMTP id f7T85PC26052;
	Wed, 29 Aug 2001 11:05:25 +0300 (EET DST)
Message-ID: <3B8CA245.387F5E2B@lmf.ericsson.se>
Date: Wed, 29 Aug 2001 11:05:25 +0300
From: Jari Arkko <Jari.Arkko@lmf.ericsson.se>
Organization: Oy L M Ericsson Ab
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: mat@cisco.com
CC: sip-security@ietf.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] Proxy routed requirements in draft-thomas-sip-sec-framework-00.txt
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org


Michael (cc list),

Reading section 3.2 in your draft, am I correct in
concluding that the requirements for the four
different cases (UA->Proxy, UA->Intermediate,
UA->UA, Proxy->Proxy) are the same?

There seems to be quite a bit of discussion using
different language in the subsections, but it
seems to me that the four basic requirements of
mutual authentication, integrity, confidentiality,
and authorization are relevant for all cases.

Jari



From sip-security-admin@ietf.org  Wed Aug 29 07:16:09 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA19806
	for <sip-security-archive@odin.ietf.org>; Wed, 29 Aug 2001 07:16:04 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA28435;
	Wed, 29 Aug 2001 07:16:26 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA28402
	for <sip-security@ns.ietf.org>; Wed, 29 Aug 2001 07:16:25 -0400 (EDT)
Received: from penguin-ext.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.110])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA19788
	for <sip-security@ietf.org>; Wed, 29 Aug 2001 07:15:04 -0400 (EDT)
Received: from fogerty.lmf.ericsson.se (fogerty.lmf.ericsson.se [131.160.11.6])
	by penguin.wise.edt.ericsson.se (8.11.0/8.10.1/WIREfire-1.3) with ESMTP id f7TBGMv09862;
	Wed, 29 Aug 2001 13:16:22 +0200 (MEST)
Received: from lmf.ericsson.se (lmf4ws450.lmf.ericsson.se [131.160.38.50])
	by fogerty.lmf.ericsson.se (8.11.3/8.11.3) with ESMTP id f7TBGMC02378;
	Wed, 29 Aug 2001 14:16:22 +0300 (EET DST)
Message-ID: <3B8CCF06.994675EA@lmf.ericsson.se>
Date: Wed, 29 Aug 2001 14:16:22 +0300
From: Jari Arkko <Jari.Arkko@lmf.ericsson.se>
Organization: Oy L M Ericsson Ab
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: mat@cisco.com
CC: sip-security@ietf.org
References: <3B8CA245.387F5E2B@lmf.ericsson.se>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] Re: Proxy routed requirements in draft-thomas-sip-sec-framework-00.txt
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org


Some further discussion: comparing Michael's
draft and draft-ietf-sip-security-requirements-00.txt,
I see that the former doesn't handle availability
and non-repudiation requirements at all. Yet these
are mentioned in the latter. I believe availability
and DoS is a concern, and should perhaps be treated
somewhere. Non-repudiation on the other hand is
probably a can of worms we don't want to open...

Also, in 3.2.5 you talk about the case for
non-adjacent proxies, and wonder if there is
any need for security measures in this
interface. My comment on this is that
protocol-wise you wouldn't even know if
someone who e.g. sent some protected bits
to you was a proxy or an end-node. So,
if we provide tools to get security on the
user->intermediate interface, then non-adjacent
proxies can take advantage of the same
mechanisms. (This comment doesn't of course
say anything about the requirements for such use.
It is perhaps not unthinkable to have a
proxy that would handle security for you
in certain situations.)

Jari



From sip-security-admin@ietf.org  Wed Aug 29 08:30:42 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA23156
	for <sip-security-archive@odin.ietf.org>; Wed, 29 Aug 2001 08:30:41 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id IAA01001;
	Wed, 29 Aug 2001 08:30:48 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id IAA00964
	for <sip-security@ns.ietf.org>; Wed, 29 Aug 2001 08:30:46 -0400 (EDT)
Received: from mail1.dynamicsoft.com ([63.113.40.10])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA23085
	for <sip-security@ietf.org>; Wed, 29 Aug 2001 08:29:24 -0400 (EDT)
Received: from DYN-EXCH-001.dynamicsoft.com (dyn-exch-001 [63.113.44.7])
	by mail1.dynamicsoft.com (8.12.0.Beta7/8.12.0.Beta7) with ESMTP id f7TCTFob026787;
	Wed, 29 Aug 2001 08:29:15 -0400 (EDT)
Received: by DYN-EXCH-001.dynamicsoft.com with Internet Mail Service (5.5.2653.19)
	id <RY36MAR0>; Wed, 29 Aug 2001 08:30:06 -0400
Message-ID: <B65B4F8437968F488A01A940B21982BF020D66C0@DYN-EXCH-001.dynamicsoft.com>
From: Jonathan Rosenberg <jdrosen@dynamicsoft.com>
To: "'Jari Arkko'" <Jari.Arkko@lmf.ericsson.se>, mat@cisco.com
Cc: sip-security@ietf.org
Subject: RE: [Sip-security] Re: Proxy routed requirements in draft-thomas-
	sip-sec-framework-00.txt
Date: Wed, 29 Aug 2001 08:30:05 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org



 

> -----Original Message-----
> From: Jari Arkko [mailto:Jari.Arkko@lmf.ericsson.se]
> Sent: Wednesday, August 29, 2001 7:16 AM
> To: mat@cisco.com
> Cc: sip-security@ietf.org
> Subject: [Sip-security] Re: Proxy routed requirements in
> draft-thomas-sip-sec-framework-00.txt
> 
> 
> 
> Also, in 3.2.5 you talk about the case for
> non-adjacent proxies, and wonder if there is
> any need for security measures in this
> interface. My comment on this is that
> protocol-wise you wouldn't even know if
> someone who e.g. sent some protected bits
> to you was a proxy or an end-node. So,
> if we provide tools to get security on the
> user->intermediate interface, then non-adjacent
> proxies can take advantage of the same
> mechanisms. 

Not necessarily. There are things a UA can do that a proxy can't (like
initiate a request). Thus, certain SIP mechanisms that you would be able to
do with a UA won't work to a proxy.

-Jonathan R.

---
Jonathan D. Rosenberg, Ph.D.                72 Eagle Rock Ave.
Chief Scientist                             First Floor
dynamicsoft                                 East Hanover, NJ 07936
jdrosen@dynamicsoft.com                     FAX:   (973) 952-5050
http://www.jdrosen.net                      PHONE: (973) 952-5000
http://www.dynamicsoft.com



From sip-security-admin@ietf.org  Fri Aug 31 12:08:36 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA08946
	for <sip-security-archive@odin.ietf.org>; Fri, 31 Aug 2001 12:08:35 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id MAA17260;
	Fri, 31 Aug 2001 12:09:27 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id MAA17229
	for <sip-security@ns.ietf.org>; Fri, 31 Aug 2001 12:09:24 -0400 (EDT)
Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.24.11])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA08922
	for <sip-security@ietf.org>; Fri, 31 Aug 2001 12:08:01 -0400 (EDT)
Received: from mira-sjc5-7.cisco.com (mira-sjc5-7.cisco.com [171.71.163.27])
	by sj-msg-core-2.cisco.com (8.11.3/8.9.1) with ESMTP id f7VG9Av24934;
	Fri, 31 Aug 2001 09:09:11 -0700 (PDT)
Received: from thomasm-u1.cisco.com (thomasm-u1.cisco.com [128.107.140.53])
	by mira-sjc5-7.cisco.com (Mirapoint)
	with ESMTP id AAY07432;
	Fri, 31 Aug 2001 09:08:49 -0700 (PDT)
Received: (thomasm@localhost) by thomasm-u1.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) id JAA22979; Fri, 31 Aug 2001 09:08:49 -0700 (PDT)
From: Michael Thomas <mat@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15247.46737.95753.252518@thomasm-u1.cisco.com>
Date: Fri, 31 Aug 2001 09:08:49 -0700 (PDT)
To: Jari Arkko <Jari.Arkko@lmf.ericsson.se>
Cc: mat@cisco.com, sip-security@ietf.org
In-Reply-To: <3B8CA245.387F5E2B@lmf.ericsson.se>
References: <3B8CA245.387F5E2B@lmf.ericsson.se>
X-Mailer: VM 6.72 under 21.1 (patch 6) "Big Bend" XEmacs Lucid
X-Face: &,heK/V66p?[2!i|tVn,9lN0TUvEv7:9FzXREj/AuzN4m<D]vnFJ>u!4x[/Z4t{V}~L]+Sk
 @RFNnJEg~WZ/(8<`5a),-7ukALWa^&?&D2R0CSG3kO5~#6JxLF\d,g">$%B!0w{W)qIhmwhye104zd
 bUcI'1!
Subject: [Sip-security] Proxy routed requirements in draft-thomas-sip-sec-framework-00.txt
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

Jari Arkko writes:
 > 
 > Michael (cc list),
 > 
 > Reading section 3.2 in your draft, am I correct in
 > concluding that the requirements for the four
 > different cases (UA->Proxy, UA->Intermediate,
 > UA->UA, Proxy->Proxy) are the same?
 > 
 > There seems to be quite a bit of discussion using
 > different language in the subsections, but it
 > seems to me that the four basic requirements of
 > mutual authentication, integrity, confidentiality,
 > and authorization are relevant for all cases.

   Yeah, I wrote it at different times and was rather
   rushed to get it submitted before cutoff. I also
   cut out a DoS bullet too, which should probably be
   reinserted.

   I believe that they all have similar if not identical
   requirements. I couldn't think of anything different
   off the top of my head, but it's probably worth
   testing more to see if that is actually the case.

	   Mike



From sip-security-admin@ietf.org  Fri Aug 31 12:25:57 2001
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged))
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA09492
	for <sip-security-archive@odin.ietf.org>; Fri, 31 Aug 2001 12:25:52 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id MAA17989;
	Fri, 31 Aug 2001 12:23:26 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176])
	by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id MAA17951
	for <sip-security@ns.ietf.org>; Fri, 31 Aug 2001 12:23:24 -0400 (EDT)
Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.24.11])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA09406
	for <sip-security@ietf.org>; Fri, 31 Aug 2001 12:22:01 -0400 (EDT)
Received: from mira-sjc5-7.cisco.com (mira-sjc5-7.cisco.com [171.71.163.27])
	by sj-msg-core-2.cisco.com (8.11.3/8.9.1) with ESMTP id f7VGNCv04364;
	Fri, 31 Aug 2001 09:23:12 -0700 (PDT)
Received: from thomasm-u1.cisco.com (thomasm-u1.cisco.com [128.107.140.53])
	by mira-sjc5-7.cisco.com (Mirapoint)
	with ESMTP id AAZ00026;
	Fri, 31 Aug 2001 09:22:49 -0700 (PDT)
Received: (thomasm@localhost) by thomasm-u1.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) id JAA22985; Fri, 31 Aug 2001 09:22:49 -0700 (PDT)
From: Michael Thomas <mat@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15247.47577.479555.589197@thomasm-u1.cisco.com>
Date: Fri, 31 Aug 2001 09:22:49 -0700 (PDT)
To: Jari Arkko <Jari.Arkko@lmf.ericsson.se>
Cc: mat@cisco.com, sip-security@ietf.org
In-Reply-To: <3B8CCF06.994675EA@lmf.ericsson.se>
References: <3B8CA245.387F5E2B@lmf.ericsson.se>
	<3B8CCF06.994675EA@lmf.ericsson.se>
X-Mailer: VM 6.72 under 21.1 (patch 6) "Big Bend" XEmacs Lucid
X-Face: &,heK/V66p?[2!i|tVn,9lN0TUvEv7:9FzXREj/AuzN4m<D]vnFJ>u!4x[/Z4t{V}~L]+Sk
 @RFNnJEg~WZ/(8<`5a),-7ukALWa^&?&D2R0CSG3kO5~#6JxLF\d,g">$%B!0w{W)qIhmwhye104zd
 bUcI'1!
Subject: [Sip-security] Re: Proxy routed requirements in draft-thomas-sip-sec-framework-00.txt
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

Jari Arkko writes:
 > 
 > Some further discussion: comparing Michael's
 > draft and draft-ietf-sip-security-requirements-00.txt,
 > I see that the former doesn't handle availability
 > and non-repudiation requirements at all. Yet these
 > are mentioned in the latter. I believe availability
 > and DoS is a concern, and should perhaps be treated
 > somewhere. Non-repudiation on the other hand is
 > probably a can of worms we don't want to open...

   Yes, I really don't want to go down the 
   non-repudiation path. Maybe we just need to
   say that it is an explicit non-goal. DoS is
   a more fertile ground, but as we all know is
   an open ended problem. In order to include
   discussion of DoS requirements, I think we
   first need to create some artificial bounds
   on the discussion so that we have some chance
   of creating a set of requirements which 
   a potential solution can objectively measure
   whether it meets. I.e., open ended statements like
   "should be DoS resistant" aren't helpful.

   How we frame this is an interesting question.
   For outside attackers, we clearly need go no
   farther than countering a pure flooding attack.
   From the inside, however, it is a lot trickier, and
   involves potential tradeoffs (tradeoffs that we
   probably don't want to make at this point, I'll
   add). 

   Maybe if we rounded up a bunch of potential DoS
   attacks we could see a pattern so that we could
   extract what our expectations for SIP's 
   resilience to them are?

 > Also, in 3.2.5 you talk about the case for
 > non-adjacent proxies, and wonder if there is
 > any need for security measures in this
 > interface. My comment on this is that
 > protocol-wise you wouldn't even know if
 > someone who e.g. sent some protected bits
 > to you was a proxy or an end-node. So,
 > if we provide tools to get security on the
 > user->intermediate interface, then non-adjacent
 > proxies can take advantage of the same
 > mechanisms. (This comment doesn't of course
 > say anything about the requirements for such use.
 > It is perhaps not unthinkable to have a
 > proxy that would handle security for you
 > in certain situations.)

   If there are no requirements, or the requirements
   are identical, that's fine -- good even, I'd say.
   The reason I created the fully connected graph
   was to assess whether that was indeed the case.
   It appears to me to be the case, but I'd like 
   to see if other people have scenarios I hadn't
   considered, or don't fit that model well.

		Mike



