
From nobody Mon Jul  2 16:01:48 2018
MIME-Version: 1.0
From: Justin Uberti <juberti@google.com>
Date: Mon, 2 Jul 2018 16:01:24 -0700
Message-ID: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com>
To: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f1548f05700c2dfb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/MiOOTE3aTSiQMdt9QsArV-Oiad4>
Subject: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2018 23:01:47 -0000

--000000000000f1548f05700c2dfb
Content-Type: text/plain; charset="UTF-8"

https://tools.ietf.org/html/draft-mdns-ice-candidates-00 has a section
where it talks about the privacy implications of being able to determine
that two browser contexts are running on the same machine by making a
host-host connection and analyzing the connection RTT:

   A successful WebRTC connection between two peers is also a potential
   threat to user privacy.  When a WebRTC connection latency is close to
   zero, the probability is high that the two peers are running on the
   same device.  Browsers often isolate contexts one from the other.
   Private browsing mode contexts usually do not share any information
   with regular browsing contexts.  The WebKit engine isolates third-
   party iframes in various ways (cookies, ITP) to prevent user
   tracking.  Enabling a web application to determine that two contexts
   run in the same device would defeat some of the protections provided
   by modern browsers.


I would think that this concern would still exist even without host
candidates, through either

a) IP matching + user-agent fingerprinting

b) srflx-srflx connections and NAT hairpinning


FWIW, this topic does not appear to be noted in the rtcweb security docs.


--000000000000f1548f05700c2dfb--
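
Added example, not part of the original messages or of any browser's code: a small JavaScript audit of ICE candidate lines that reports where literal IP addresses are still visible, illustrating the point above that hiding host addresses behind mDNS names leaves the server-reflexive address available for IP matching. The candidate strings are constructed sample data and the function names are hypothetical.

```javascript
// Constructed sample candidates (203.0.113.7 is a documentation address).
const SAMPLE_CANDIDATES = [
  // host candidate carrying a raw private IPv4 address
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  // host candidate whose address is replaced by an mDNS name
  'candidate:2 1 udp 2122194687 3f2a6c1e-9b7d-4e55-8a10-5c2d7e9f0b44.local 54322 typ host',
  // server-reflexive candidates: public address plus related (base) address
  'candidate:3 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 1686052607 203.0.113.7 61001 typ srflx raddr 192.168.1.23 rport 54321',
];

// Parse one candidate attribute: foundation, component, transport, priority,
// connection-address, port, "typ" <type>, then key/value extensions.
function parseCandidate(line) {
  const body = line.trim().replace(/^a=/, '');
  if (!body.startsWith('candidate:')) return null;
  const f = body.slice('candidate:'.length).split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null;
  const cand = {
    foundation: f[0],
    component: Number(f[1]),
    transport: f[2].toLowerCase(),
    priority: Number(f[3]),
    address: f[4],
    port: Number(f[5]),
    type: f[7],
    ext: {},
  };
  for (let i = 8; i + 1 < f.length; i += 2) cand.ext[f[i]] = f[i + 1];
  return cand;
}

// Classify what kind of address string a candidate field carries.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns-name';
  const v4 = a.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const o1 = Number(v4[1]);
    const o2 = Number(v4[2]);
    if (a === '0.0.0.0') return 'unspecified';
    if (o1 === 127) return 'loopback';
    if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) ||
        (o1 === 192 && o2 === 168) || (o1 === 169 && o2 === 254)) {
      return 'private-ip';
    }
    return 'public-ip';
  }
  if (a.includes(':')) {
    if (a === '::') return 'unspecified';
    if (a === '::1') return 'loopback';
    // fe80::/10 link-local and fc00::/7 unique-local
    if (/^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a)) return 'private-ip';
    return 'public-ip';
  }
  return 'hostname';
}

// Report every field that still exposes a literal IP address.
// The related address (raddr) is checked too, because it is a second
// place where a local address can appear.
function auditCandidates(lines) {
  const findings = [];
  const isLiteral = (cls) => cls === 'private-ip' || cls === 'public-ip';
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const addrClass = classifyAddress(c.address);
    if (isLiteral(addrClass)) {
      findings.push({ type: c.type, field: 'connection-address',
                      address: c.address, class: addrClass });
    }
    if (c.ext.raddr) {
      const relClass = classifyAddress(c.ext.raddr);
      if (isLiteral(relClass)) {
        findings.push({ type: c.type, field: 'raddr',
                        address: c.ext.raddr, class: relClass });
      }
    }
  }
  return findings;
}

for (const f of auditCandidates(SAMPLE_CANDIDATES)) {
  console.log(`${f.type} ${f.field}: ${f.address} (${f.class})`);
}
```

A candidate set with only the mDNS host candidate yields no findings, while adding either srflx candidate reintroduces the public address.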


From nobody Mon Jul  2 16:08:47 2018
MIME-Version: 1.0
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CABcZeBOCE2sxriCZs=iwe69=fcefa5O5bjD92TNe1q231oTNqw@mail.gmail.com>
In-Reply-To: <CABcZeBOCE2sxriCZs=iwe69=fcefa5O5bjD92TNe1q231oTNqw@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Mon, 2 Jul 2018 16:08:19 -0700
Message-ID: <CAOJ7v-0KVPC8_FMBjfkqw+wJ6kM_N+pAs04xty=co+gU65CMUw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: youennf@gmail.com, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aa175205700c466d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/XGKlKlmV0yaTSUGzLLpeACET06o>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates

--000000000000aa175205700c466d
Content-Type: text/plain; charset="UTF-8"

That's the approach we plan to take in Chrome. There is a substantial
amount of datachannel traffic, and a quick calculation suggests that most
of that is non-permissioned, so we should be able to measure the effects of
this change.

On Sat, Jun 30, 2018 at 5:44 AM Eric Rescorla <ekr@rtfm.com> wrote:

> I haven't thought about it too much, but I think that what I would
> probably do is an A/B test where I randomly set clients to this strategy
> or the current strategy and measured success rates, time to connect, and
> (maybe) some sort of call quality stat. It's not going to be easy because
> I don't know how much non-permissioned WebRTC there is in the wild.
> -Ekr
>
>
> On Fri, Jun 29, 2018 at 6:06 PM, youenn fablet <youennf@gmail.com> wrote:
>
>> A draft describing the Safari/WebKit approach is available at
>> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>>
>> Eric, can you specify the kind of information you would like to have?
>> Some testing has been done to validate the approach but I do not think
>> this is representative of the actual state of affairs. Safari/WebKit is
>> not gathering any related statistics.
>>
>>    Y
>>
>> On Fri, Jun 29, 2018 at 11:10, Justin Uberti
>> <juberti=40google.com@dmarc.ietf.org> wrote:
>>
>>> I believe such data will be forthcoming from the Safari team. We are
>>> also working on this.
>>>
>>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>> It seems like this is something one could A/B test and measure
>>>> connection rates. Has someone done so?
>>>>
>>>> -Ekr
>>>>
>>>
>


--000000000000aa175205700c466d--


From nobody Mon Jul  2 17:04:56 2018
MIME-Version: 1.0
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CABcZeBOCE2sxriCZs=iwe69=fcefa5O5bjD92TNe1q231oTNqw@mail.gmail.com> <CAOJ7v-0KVPC8_FMBjfkqw+wJ6kM_N+pAs04xty=co+gU65CMUw@mail.gmail.com>
In-Reply-To: <CAOJ7v-0KVPC8_FMBjfkqw+wJ6kM_N+pAs04xty=co+gU65CMUw@mail.gmail.com>
From: youenn fablet <youennf@gmail.com>
Date: Mon, 2 Jul 2018 17:04:37 -0700
Message-ID: <CANN+akYedps7LRoDUGx4zRN=GDAnCWNkg5u8RF2kWO3XK4RpOQ@mail.gmail.com>
To: Justin Uberti <juberti@google.com>
Cc: Eric Rescorla <ekr@rtfm.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000803a405700d1062"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/wZNTv5OV6MIeO9PHFmD_HMIoCus>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates

--0000000000000803a405700d1062
Content-Type: text/plain; charset="UTF-8"

Good to know that Chrome can do some measurements there.
From the feedback I received from web developers, some applications that
care about this are games and applications like editors that exchange large
data between devices of a single user.
Some other applications like WebTorrent are less in need of host
candidates.

     Y

On Mon, Jul 2, 2018 at 16:08, Justin Uberti <juberti@google.com> wrote:

> That's the approach we plan to take in Chrome. There is a substantial
> amount of datachannel traffic, and a quick calculation suggests that most
> of that is non-permissioned, so we should be able to measure the effects
> of this change.
>
> On Sat, Jun 30, 2018 at 5:44 AM Eric Rescorla <ekr@rtfm.com> wrote:
>
>> I haven't thought about it too much, but I think that what I would
>> probably do is an A/B test where I randomly set clients to this strategy
>> or the current strategy and measured success rates, time to connect, and
>> (maybe) some sort of call quality stat. It's not going to be easy because
>> I don't know how much non-permissioned WebRTC there is in the wild.
>> -Ekr
>>
>>
>> On Fri, Jun 29, 2018 at 6:06 PM, youenn fablet <youennf@gmail.com> wrote:
>>
>>> A draft describing the Safari/WebKit approach is available at
>>> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>>>
>>> Eric, can you specify the kind of information you would like to have?
>>> Some testing has been done to validate the approach but I do not think
>>> this is representative of the actual state of affairs. Safari/WebKit is
>>> not gathering any related statistics.
>>>
>>>    Y
>>>
>>> On Fri, Jun 29, 2018 at 11:10, Justin Uberti
>>> <juberti=40google.com@dmarc.ietf.org> wrote:
>>>
>>>> I believe such data will be forthcoming from the Safari team. We are
>>>> also working on this.
>>>>
>>>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>
>>>>> It seems like this is something one could A/B test and measure
>>>>> connection rates. Has someone done so?
>>>>>
>>>>> -Ekr
>>>>>
>>>>
>>


--0000000000000803a405700d1062--


From nobody Mon Jul  2 17:05:34 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com>
In-Reply-To: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com>
From: youenn fablet <youennf@gmail.com>
Date: Mon, 2 Jul 2018 17:05:07 -0700
Message-ID: <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com>
To: Justin Uberti <juberti=40google.com@dmarc.ietf.org>
Cc: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cd694b05700d11a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/5dOXAbcO-R1yK-rdVh4f5KPZ4c0>
Subject: Re: [rtcweb] Security implications of host candidates
X-List-Received-Date: Tue, 03 Jul 2018 00:05:32 -0000

--000000000000cd694b05700d11a2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Jul 2, 2018 at 16:04, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:

> https://tools.ietf.org/html/draft-mdns-ice-candidates-00 has a section
> where it talks about the privacy implications of being able to determine
> that two browser contexts are running on the same machine by making a
> host-host connection and analyzing the connection RTT:
>
>    A successful WebRTC connection between two peers is also a potential
>    threat to user privacy.  When a WebRTC connection latency is close to
>    zero, the probability is high that the two peers are running on the
>    same device.  Browsers often isolate contexts one from the other.
>    Private browsing mode contexts usually do not share any information
>    with regular browsing contexts.  The WebKit engine isolates third-
>    party iframes in various ways (cookies, ITP) to prevent user
>    tracking.  Enabling a web application to determine that two contexts
>    run in the same device would defeat some of the protections provided
>    by modern browsers.
>
>
> I would think that this concern would still exist even without host candidates, through either
>
> a) IP matching + user-agent fingerprinting
>
>
It is true that one can probably try breaking this protection using
fingerprinting, and public IP is a great way to converge more quickly.
That said, this is something we should try to fight against.

> b) srflx-srflx connections and NAT hairpinning
>
>
Aren't the packets supposed to go through the router? In such a case, I
would hope the latency to be roughly the same, no matter whether the
devices are the same or not. That is indeed something that should be tested.


> FWIW, this topic does not appear to be noted in the rtcweb security docs.

--000000000000cd694b05700d11a2--


From nobody Mon Jul  2 17:32:53 2018
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D0BB130E99 for <rtcweb@ietfa.amsl.com>; Mon,  2 Jul 2018 17:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level: 
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yJrNmzI50HIX for <rtcweb@ietfa.amsl.com>; Mon,  2 Jul 2018 17:32:49 -0700 (PDT)
Received: from mail-it0-x243.google.com (mail-it0-x243.google.com [IPv6:2607:f8b0:4001:c0b::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 140B3130EBF for <rtcweb@ietf.org>; Mon,  2 Jul 2018 17:32:49 -0700 (PDT)
Received: by mail-it0-x243.google.com with SMTP id 188-v6so747103ita.5 for <rtcweb@ietf.org>; Mon, 02 Jul 2018 17:32:49 -0700 (PDT)
X-Received: by 2002:a24:2246:: with SMTP id o67-v6mr7430244ito.25.1530577968005;  Mon, 02 Jul 2018 17:32:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com>
In-Reply-To: <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Mon, 2 Jul 2018 17:32:35 -0700
Message-ID: <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com>
To: youenn fablet <youennf@gmail.com>
Cc: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000016246705700d741c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/k_hCCl3foA8yIJfCaj3M5NrgCD0>
Subject: Re: [rtcweb] Security implications of host candidates
X-List-Received-Date: Tue, 03 Jul 2018 00:32:52 -0000

--00000000000016246705700d741c
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Jul 2, 2018 at 5:05 PM youenn fablet <youennf@gmail.com> wrote:

>
>
> On Mon, Jul 2, 2018 at 16:04, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>
>> https://tools.ietf.org/html/draft-mdns-ice-candidates-00 has a section
>> where it talks about the privacy implications of being able to determine
>> that two browser contexts are running on the same machine by making a
>> host-host connection and analyzing the connection RTT:
>>
>>    A successful WebRTC connection between two peers is also a potential
>>    threat to user privacy.  When a WebRTC connection latency is close to
>>    zero, the probability is high that the two peers are running on the
>>    same device.  Browsers often isolate contexts one from the other.
>>    Private browsing mode contexts usually do not share any information
>>    with regular browsing contexts.  The WebKit engine isolates third-
>>    party iframes in various ways (cookies, ITP) to prevent user
>>    tracking.  Enabling a web application to determine that two contexts
>>    run in the same device would defeat some of the protections provided
>>    by modern browsers.
>>
>>
>> I would think that this concern would still exist even without host candidates, through either
>>
>> a) IP matching + user-agent fingerprinting
>>
>>
> It is true that one can probably try breaking this protection using
> fingerprinting, and public IP is a great way to converge more quickly.
> That said, this is something we should try to fight against.
>
>> b) srflx-srflx connections and NAT hairpinning
>>
>>
> Aren't the packets supposed to go through the router? In such a case, I
> would hope the latency to be roughly the same, no matter whether the
> devices are the same or not. That is indeed something that should be tested.
>

Maybe I don't understand the attack well enough, but if a page running in a
private browsing context tried to communicate with a page not running in a
private browsing context, they would probably see < 1ms RTTs for both
host-host and srflx-srflx candidates in many cases (including cases where
the contexts are on different machines).

--00000000000016246705700d741c--
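
As an added illustration for the host and srflx candidate discussion in this thread (not code from the draft, from any browser, or from the posters): a small auditor that parses the ICE candidate lines of an SDP and reports which ones carry a literal local address, an mDNS `.local` name, or a local address in `raddr`. The SDP, the function names and the exposure labels are constructed for this example.

```javascript
// Added example: classify what each ICE candidate in an SDP reveals.
// SAMPLE_SDP is constructed; addresses come from private and documentation ranges.
const SAMPLE_SDP = [
  "v=0",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "a=candidate:2 1 udp 2122194687 3dc5b1a0-7f0e-4c1e-9d0a-1b2c3d4e5f60.local 54322 typ host",
  "a=candidate:3 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "a=candidate:4 1 udp 1686052351 203.0.113.7 61001 typ srflx raddr 0.0.0.0 rport 0",
  "a=candidate:5 1 udp 41885439 198.51.100.9 3478 typ relay raddr 0.0.0.0 rport 0",
  "a=candidate:6 1 udp 2122129151 fe80::1c2d:3eff:fe4f:5a6b 54323 typ host",
].join("\r\n");

// Candidate attribute layout: foundation component transport priority
// address port "typ" type, followed by optional name/value extensions.
const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: (.*))?$/;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null; // not a candidate line
  const ext = {};
  const tokens = m[8] ? m[8].split(/\s+/) : [];
  for (let i = 0; i + 1 < tokens.length; i += 2) ext[tokens[i]] = tokens[i + 1];
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7],
    ext,
  };
}

// True for IP literals in loopback, private, link-local or unique-local ranges.
function isLocalLiteral(addr) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254);
  }
  if (!addr.includes(":")) return false; // a hostname, not an IP literal
  const v6 = addr.toLowerCase();
  return v6 === "::1" || /^fe[89ab]/.test(v6) || /^f[cd]/.test(v6);
}

// Exposure labels (constructed for this example):
//   mdns-name          host candidate hidden behind a .local name
//   local-ip           host candidate with a literal local address
//   local-ip-in-raddr  srflx/prflx/relay candidate whose raddr carries a local address
//   public-ip          only a non-local address is visible
//   relay-only         relay candidate with a zeroed or non-local raddr
function classify(c) {
  if (c.type === "host") {
    if (/\.local$/i.test(c.address)) return "mdns-name";
    return isLocalLiteral(c.address) ? "local-ip" : "public-ip";
  }
  const raddr = c.ext.raddr;
  const zeroed = !raddr || raddr === "0.0.0.0" || raddr === "::";
  if (!zeroed && isLocalLiteral(raddr)) return "local-ip-in-raddr";
  return c.type === "relay" ? "relay-only" : "public-ip";
}

function auditSdp(sdp) {
  return sdp
    .split(/\r?\n/)
    .map((line) => parseCandidate(line))
    .filter(Boolean)
    .map((c) => ({ type: c.type, address: c.address, exposure: classify(c) }));
}

// Number of candidates that reveal a local address directly or through raddr.
function localExposureCount(sdp) {
  return auditSdp(sdp).filter((f) => f.exposure.startsWith("local-ip")).length;
}
```

In a browser, `auditSdp` can be run over `pc.localDescription.sdp` to check what a given IP handling mode actually places in the offer.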


From nobody Tue Jul  3 02:18:44 2018
Return-Path: <thp@westhawk.co.uk>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2828131208 for <rtcweb@ietfa.amsl.com>; Tue,  3 Jul 2018 02:18:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jn5ivREJbl8e for <rtcweb@ietfa.amsl.com>; Tue,  3 Jul 2018 02:18:39 -0700 (PDT)
Received: from smtp002.apm-internet.net (smtp002.apm-internet.net [85.119.248.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34F8113123A for <rtcweb@ietf.org>; Tue,  3 Jul 2018 02:18:38 -0700 (PDT)
Received: (qmail 84201 invoked from network); 3 Jul 2018 09:18:36 -0000
X-APM-Authkey: 255286/0(159927/0) 455
Received: from unknown (HELO zimbra003.verygoodemail.com) (85.119.248.218) by smtp002.apm-internet.net with SMTP; 3 Jul 2018 09:18:36 -0000
Received: from localhost (localhost [127.0.0.1]) by zimbra003.verygoodemail.com (Postfix) with ESMTP id D026918A0587; Tue,  3 Jul 2018 10:18:36 +0100 (BST)
Received: from zimbra003.verygoodemail.com ([127.0.0.1]) by localhost (zimbra003.verygoodemail.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id VbJdFNfOpJpF; Tue,  3 Jul 2018 10:18:36 +0100 (BST)
Received: from [192.67.4.84] (unknown [192.67.4.84]) by zimbra003.verygoodemail.com (Postfix) with ESMTPSA id 9BF9E18A01FD; Tue,  3 Jul 2018 10:18:36 +0100 (BST)
From: westhawk <thp@westhawk.co.uk>
Message-Id: <9EB00E21-6D1B-4090-B7C4-4C5ADA9E2D44@westhawk.co.uk>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C18B8FF7-1B73-465E-B33E-8A983F0AE82A"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Tue, 3 Jul 2018 10:18:35 +0100
In-Reply-To: <CAOJ7v-0KVPC8_FMBjfkqw+wJ6kM_N+pAs04xty=co+gU65CMUw@mail.gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, RTCWeb IETF <rtcweb@ietf.org>
To: Justin Uberti <juberti=40google.com@dmarc.ietf.org>
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CABcZeBOCE2sxriCZs=iwe69=fcefa5O5bjD92TNe1q231oTNqw@mail.gmail.com> <CAOJ7v-0KVPC8_FMBjfkqw+wJ6kM_N+pAs04xty=co+gU65CMUw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/Hlah66_wpF-hhTisjdeeEKcbcD8>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-List-Received-Date: Tue, 03 Jul 2018 09:18:43 -0000

--Apple-Mail=_C18B8FF7-1B73-465E-B33E-8A983F0AE82A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Slightly off topic - but if an origin was permissioned once but does not do GUM on this particular
page, which ruleset applies?

> On 3 Jul 2018, at 00:08, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>
> That's the approach we plan to take in Chrome. There is a substantial amount of datachannel traffic, and a quick calculation suggests that most of that is non-permissioned, so we should be able to measure the effects of this change.
>
> On Sat, Jun 30, 2018 at 5:44 AM Eric Rescorla <ekr@rtfm.com> wrote:
>> I haven't thought about it too much, but I think what I would probably do is an A/B test where I randomly set clients to this strategy or the current strategy and measured success rates, time to connect, and (maybe) some sort of call quality stat. It's not going to be easy because I don't know how much non-permissioned WebRTC there is in the wild.
>> -Ekr
>>
>> On Fri, Jun 29, 2018 at 6:06 PM, youenn fablet <youennf@gmail.com> wrote:
>>> A draft describing the Safari/WebKit approach is available at https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>>>
>>> Eric, can you specify the kind of information you would like to have?
>>> Some testing has been done to validate the approach but I do not think this is representative of the actual state of affairs. Safari/WebKit is not gathering any related statistics.
>>>
>>>    Y
>>>
>>> On Fri, Jun 29, 2018 at 11:10, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>>>> I believe such data will be forthcoming from the Safari team. We are also working on this.
>>>>
>>>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>> It seems like this is something one could A/B test and measure connection rates. Has someone done so?
>>>>>
>>>>> -Ekr


--Apple-Mail=_C18B8FF7-1B73-465E-B33E-8A983F0AE82A--


From nobody Tue Jul  3 08:54:19 2018
Return-Path: <youennf@gmail.com>
MIME-Version: 1.0
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CABcZeBOCE2sxriCZs=iwe69=fcefa5O5bjD92TNe1q231oTNqw@mail.gmail.com> <CAOJ7v-0KVPC8_FMBjfkqw+wJ6kM_N+pAs04xty=co+gU65CMUw@mail.gmail.com> <9EB00E21-6D1B-4090-B7C4-4C5ADA9E2D44@westhawk.co.uk>
In-Reply-To: <9EB00E21-6D1B-4090-B7C4-4C5ADA9E2D44@westhawk.co.uk>
From: youenn fablet <youennf@gmail.com>
Date: Tue, 3 Jul 2018 08:53:58 -0700
Message-ID: <CANN+akYYLrmwM5ZuXYSuC0m0ueiF169JjuPZQr5Tb22nQX_QQA@mail.gmail.com>
To: westhawk <thp@westhawk.co.uk>
Cc: Justin Uberti <juberti=40google.com@dmarc.ietf.org>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002e602f05701a538d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/wvj5FGjtssomFxsMDgJ1al-yOXI>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates

--0000000000002e602f05701a538d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

If GUM is not used at least once for the lifetime of the page, WebKit is
currently using mode 3.

There is the possibility for a user to grant persistent access to
camera/microphone for an origin through Safari UI.
In that case, the user will no longer be prompted for any page of that
origin.
Mode 2 could be used by default for these pages since user actually opted
in.

On Tue, 3 Jul 2018 at 02:18, westhawk <thp@westhawk.co.uk> wrote:

> Slightly off topic - but if an origin was permissioned once but does not
> do GUM on this particular
> page, which ruleset applies?
>
> On 3 Jul 2018, at 00:08, Justin Uberti <
> juberti=40google.com@dmarc.ietf.org> wrote:
>
> That's the approach we plan to take in Chrome. There is a substantial
> amount of datachannel traffic, and a quick calculation suggests that most
> of that is non-permissioned, so we should be able to measure the effects
> of this change.
>
> On Sat, Jun 30, 2018 at 5:44 AM Eric Rescorla <ekr@rtfm.com> wrote:
>
>> I haven't thought about it too much, but I think what I would probably
>> do is an A/B test where I randomly set clients to this strategy or the
>> current strategy and measured success rates, time to connect, and
>> (maybe) some sort of call quality stat. It's not going to be easy
>> because I don't know how much non-permissioned WebRTC there is in the
>> wild.
>> -Ekr
>>
>>
>> On Fri, Jun 29, 2018 at 6:06 PM, youenn fablet <youennf@gmail.com> wrote:
>>
>>> A draft describing the Safari/WebKit approach is available at
>>> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>>>
>>> Eric, can you specify the kind of information you would like to have?
>>> Some testing has been done to validate the approach but I do not think
>>> this is representative of the actual state of affairs. Safari/WebKit
>>> is not gathering any related statistics.
>>>
>>>    Y
>>>
>>> On Fri, 29 Jun 2018 at 11:10, Justin Uberti <juberti=
>>> 40google.com@dmarc.ietf.org> wrote:
>>>
>>>> I believe such data will be forthcoming from the Safari team. We are
>>>> also working on this.
>>>>
>>>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>
>>>>> It seems like this is something one could A/B test and measure
>>>>> connection rates. Has someone done so?
>>>>>
>>>>> -Ekr
>>>>>
>>>>

--0000000000002e602f05701a538d--


From nobody Tue Jul  3 08:58:52 2018
Return-Path: <thp@westhawk.co.uk>
From: westhawk <thp@westhawk.co.uk>
Message-Id: <BA6C07F2-4C2B-482E-B54C-D88C6B5DBF9E@westhawk.co.uk>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A4849746-E438-420A-9545-6023B76A85F4"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Tue, 3 Jul 2018 16:58:35 +0100
In-Reply-To: <CANN+akYYLrmwM5ZuXYSuC0m0ueiF169JjuPZQr5Tb22nQX_QQA@mail.gmail.com>
Cc: Justin Uberti <juberti=40google.com@dmarc.ietf.org>, RTCWeb IETF <rtcweb@ietf.org>
To: youenn fablet <youennf@gmail.com>
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CABcZeBOCE2sxriCZs=iwe69=fcefa5O5bjD92TNe1q231oTNqw@mail.gmail.com> <CAOJ7v-0KVPC8_FMBjfkqw+wJ6kM_N+pAs04xty=co+gU65CMUw@mail.gmail.com> <9EB00E21-6D1B-4090-B7C4-4C5ADA9E2D44@westhawk.co.uk> <CANN+akYYLrmwM5ZuXYSuC0m0ueiF169JjuPZQr5Tb22nQX_QQA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/eC5i4DP0gjlTJ-On7vtBU-chUMM>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates

--Apple-Mail=_A4849746-E438-420A-9545-6023B76A85F4
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 3 Jul 2018, at 16:53, youenn fablet <youennf@gmail.com> wrote:
>
> If GUM is not used at least once for the lifetime of the page, WebKit
> is currently using mode 3.
>
> There is the possibility for a user to grant persistent access to
> camera/microphone for an origin through Safari UI.
> In that case, the user will no longer be prompted for any page of that
> origin.
> Mode 2 could be used by default for these pages since user actually
> opted in.

In one of my workflows that would actually be quite useful.
We scan a QR to establish an identity pairing, then subsequent
connections don’t use the camera,
just data and received video.

T.


>
> On Tue, 3 Jul 2018 at 02:18, westhawk <thp@westhawk.co.uk> wrote:
> Slightly off topic - but if an origin was permissioned once but does
> not do GUM on this particular
> page, which ruleset applies?
>
>
>> On 3 Jul 2018, at 00:08, Justin Uberti
>> <juberti=40google.com@dmarc.ietf.org> wrote:
>>
>
>> That's the approach we plan to take in Chrome. There is a substantial
>> amount of datachannel traffic, and a quick calculation suggests that
>> most of that is non-permissioned, so we should be able to measure the
>> effects of this change.
>>
>> On Sat, Jun 30, 2018 at 5:44 AM Eric Rescorla <ekr@rtfm.com> wrote:
>> I haven't thought about it too much, but I think what I would
>> probably do is an A/B test where I randomly set clients to this
>> strategy or the current strategy and measured success rates, time to
>> connect, and (maybe) some sort of call quality stat. It's not going to
>> be easy because I don't know how much non-permissioned WebRTC there is
>> in the wild.
>> -Ekr
>>
>>
>> On Fri, Jun 29, 2018 at 6:06 PM, youenn fablet <youennf@gmail.com> wrote:
>> A draft describing the Safari/WebKit approach is available at
>> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>>
>> Eric, can you specify the kind of information you would like to have?
>> Some testing has been done to validate the approach but I do not
>> think this is representative of the actual state of affairs.
>> Safari/WebKit is not gathering any related statistics.
>>
>>    Y
>>
>> On Fri, 29 Jun 2018 at 11:10, Justin Uberti
>> <juberti=40google.com@dmarc.ietf.org> wrote:
>> I believe such data will be forthcoming from the Safari team. We are
>> also working on this.
>>
>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>> It seems like this is something one could A/B test and measure
>> connection rates. Has someone done so?
>>
>> -Ekr
>>


--Apple-Mail=_A4849746-E438-420A-9545-6023B76A85F4--


From nobody Tue Jul  3 09:05:45 2018
Return-Path: <agenda@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "\"IETF Secretariat\"" <agenda@ietf.org>
To: <lflynn@amsl.com>, <rtcweb-chairs@ietf.org>
Cc: adam@nostrum.com, rtcweb@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.81.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <153063362347.4893.12196103026022997746.idtracker@ietfa.amsl.com>
Date: Tue, 03 Jul 2018 09:00:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/umhXwAYHdiGhT66xFSRLK1IHLVU>
Subject: [rtcweb] rtcweb - Requested session has been scheduled for IETF 102

Dear Liz Flynn,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by
the original request. 


    rtcweb Session 1 (1:00 requested)
    Tuesday, 17 July 2018, Afternoon Session I 1330-1530
    Room Name: Centre Ville size: 200
    ---------------------------------------------

Special Note: 1430 - 1530

iCalendar: https://datatracker.ietf.org/meeting/102/sessions/rtcweb.ics

Request Information:


---------------------------------------------------------
Working Group Name: Real-Time Communication in WEB-browsers
Area Name: Applications and Real-Time Area
Session Requester: Liz Flynn

Number of Sessions: 1
Length of Session(s):  1 Hour
Number of Attendees: 50
Conflicts to Avoid:

People who must be present:
  Sean Turner
  Adam Roach
  Cullen Jennings
  Ted Hardie

Resources Requested:

Special Requests:
  
---------------------------------------------------------


From nobody Tue Jul  3 09:29:42 2018
Return-Path: <youennf@gmail.com>
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com>
In-Reply-To: <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com>
From: youenn fablet <youennf@gmail.com>
Date: Tue, 3 Jul 2018 09:21:22 -0700
Message-ID: <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com>
To: Justin Uberti <juberti@google.com>
Cc: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000026d6f905701ab55b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/PI4MJmOx-ZEPUQKNeHO_LNLwXXU>
Subject: Re: [rtcweb] Security implications of host candidates

--00000000000026d6f905701ab55b
Content-Type: text/plain; charset="UTF-8"

>
> Maybe I don't understand the attack well enough, but if a page running in
> a private browsing context tried to communicate with a page not running in
> a private browsing context, they would probably see < 1ms RTTs for both
> host-host and srflx-srflx candidates in many cases (including cases where
> the contexts are on different machines).
>

This is probably true for good ethernet connections.
Connections over wifi have usually a bigger/less stable latency than local
loop connections.
I uploaded a small example (
https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/)
that computes ping-pong host-host latency through data channel.


--00000000000026d6f905701ab55b--


From nobody Tue Jul  3 11:16:58 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com>
In-Reply-To: <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Tue, 3 Jul 2018 11:16:38 -0700
Message-ID: <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com>
To: youenn fablet <youennf@gmail.com>
Cc: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000066437405701c513c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/En2n5XKeUj_Pkwk6aUwbYLbBbKc>
Subject: Re: [rtcweb] Security implications of host candidates

--00000000000066437405701c513c
Content-Type: text/plain; charset="UTF-8"

I wasn't able to get that example to work (tried with 2 Chrome and 2 Safari
instances, got a setRemoteDescription error both times), but I was able to
make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/> which does
something similar in a single page. At present, even host-host connections
were seeing a 2 ms RTT, possibly because of the clamping
<https://developer.mozilla.org/en-US/docs/Web/API/Performance/now> that has
been applied to performance.now() to deal with Spectre et al.





On Tue, Jul 3, 2018 at 9:21 AM youenn fablet <youennf@gmail.com> wrote:

>> Maybe I don't understand the attack well enough, but if a page running in
>> a private browsing context tried to communicate with a page not running in
>> a private browsing context, they would probably see < 1ms RTTs for both
>> host-host and srflx-srflx candidates in many cases (including cases where
>> the contexts are on different machines).
>>
>
> This is probably true for good ethernet connections.
> Connections over wifi have usually a bigger/less stable latency than local
> loop connections.
> I uploaded a small example (
> https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/)
> that computes ping-pong host-host latency through data channel.
>


--00000000000066437405701c513c--


From nobody Tue Jul  3 14:40:52 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com>
In-Reply-To: <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Tue, 3 Jul 2018 14:40:31 -0700
Message-ID: <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com>
To: youenn fablet <youennf@gmail.com>
Cc: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009a640b05701f2a15"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/1xfsA6ae4PzumyqNwcTiLOvLhDI>
Subject: Re: [rtcweb] Security implications of host candidates

--0000000000009a640b05701f2a15
Content-Type: text/plain; charset="UTF-8"

Updated fiddle (outputs to display as well as console):
https://jsfiddle.net/juberti/x7a8ut0q/37/

On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com> wrote:

> I wasn't able to get that example to work (tried with 2 Chrome and 2
> Safari instances, got a setRemoteDescription error both times), but I was
> able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/> which
> does something similar in a single page. At present, even host-host
> connections were seeing a 2 ms RTT, possibly because of the clamping
> <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now> that
> has been applied to performance.now() to deal with Spectre et al.
>
>
>
>
>
> On Tue, Jul 3, 2018 at 9:21 AM youenn fablet <youennf@gmail.com> wrote:
>
>>> Maybe I don't understand the attack well enough, but if a page running in
>>> a private browsing context tried to communicate with a page not running in
>>> a private browsing context, they would probably see < 1ms RTTs for both
>>> host-host and srflx-srflx candidates in many cases (including cases where
>>> the contexts are on different machines).
>>>
>>
>> This is probably true for good ethernet connections.
>> Connections over wifi have usually a bigger/less stable latency than
>> local loop connections.
>> I uploaded a small example (
>> https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/)
>> that computes ping-pong host-host latency through data channel.
>>
>


--0000000000009a640b05701f2a15--


From nobody Wed Jul  4 07:57:07 2018
To: "rtcweb@ietf.org" <rtcweb@ietf.org>, <draft-ietf-rtcweb-sdp@ietf.org>
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <a061e3cc-4a81-0a1f-ebd5-999e6973bc24@ericsson.com>
Date: Wed, 4 Jul 2018 16:56:54 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/8Z6OpFCmu7bRu5ph85mnWkEBg7s>
Subject: [rtcweb] Review of Section 5.3 of draft-ietf-rtcweb-sdp-10

Hi,

I have reviewed Section 5.3 only with a focus on the simulcast and 
multi-stream aspects. For example I have not cared if the ICE details 
are correct in these examples.


A. Section 5.3.1:

BUNDLE grouping framework enables multiplexing of all the 5 streams
    (1 audio stream + 4 video streams) over a single RTP Session.

It might be good to use RFC 7656 terminology and be specific in that 
this results in 5 source RTP streams.

B. Section 5.3.1.

As 5.3 says that this will use FEC or RTX and this one doesn't, maybe be
explicit that it is not added, or rewrite 5.3.

C. Section 5.3.1:

    | a=group:LS m0 m1                            | [RFC5888]           |

Is it intentional that video 2 is not included in the lip-synch group?
May require an intention comment for this case.

D. 5.3.1:

    One video source corresponds to VP8 encoding, while the other
    corresponds to H.264 encoding.

As the m= block represents a media source, if the need is to provide one 
video camera's images (the media  source) as both VP8 and H.264 where 
each are in two different resolutions, then simulcast can handle that 
fine within a single m= block. So from my perspective this is a wrongly 
constructed example from that premise. Can you please clarify if you 
want two media sources, i.e. two cameras, or two encoder formats VP8 and
H.264, or two resolutions, or any combination of them?

I would recommend this example to be two media sources, with encoding 
simulcast. The resolution can be skipped as the later example includes 
resolution simulcasting.

E. Section 5.3.1:

    | a=rtcp-fb:* nack                            | [RFC5104]           |

    | a=rtcp-fb:* nack pli                        | [RFC5104]           |

I would note that generalized NACK as well as picture loss indication 
(PLI) is defined in RFC4585.

F. Section 5.3.2:

    This section shows an SDP Offer/Answer for a session with an audio
    and a single video source.  The video source is encoded as layered
    coding at 3 different resolutions based on [RFC5583].  The video
    m=line shows 3 streams with last stream (payload 100) dependent on
    streams with payload 96 and 97 for decoding.

Also here use of RFC 7656 terminology to talk about (source) RTP streams 
when applicable would be good.

G. Section 5.3.2:

    | a=rtpmap:96 H264/90000                      | [RFC6184]           |
    | a=fmtp:96 profile-level-id=4d0028;          | [RFC6184]H.264      |
    | packetization-mode=1;max-fr=30;max-fs=8040  | Layer 1             |
    | a=rtpmap:97 H264/90000                      | [RFC6184]           |
    | a=fmtp:97 profile-level-                    | [RFC6184] H.264     |
    | id=4d0028;packetization-mode=1; max-        | Layer 2             |
    | fr=15;max-fs=1200                           |                     |
    | a=rtpmap:100 H264-SVC/90000                 | [RFC6184]           |
    | a=fmtp:100 profile-level-                   | [RFC6184]           |
    | id=4d0028;packetization-mode=1; max-        |                     |
    | fr=30;max-fs=8040                           |                     |
    | a=depend:100 lay m1:96,97                   | [RFC5583]Layer 3    |

I have my doubts about this configuration. First of all as it is SVC in 
Single RTP session mode (SST) I don't think it results in multiple RTP 
streams. I think the answerer will interpret this, which of these 
encodings can support. A non scalable H.264, another non-scalable H.264 
or SVC that can contain a number of layers.

Secondly a=depend is only defined for MST mode in RFC 6190.

You also have the wrong reference for the H264-SVC a=rtpmap and a=fmtp
line.

H. Section 5.3.3:

    | a=extmap:3 urn:ietf:params:rtp-             | [I-D.ietf-avtext-ri |
    | hdrext:sdes:rtp-stream-id                   | d]                  |

After this line you should have also this line:

    | a=extmap:4 urn:ietf:params:rtp-             | [I-D.ietf-avtext-ri |
    | hdrext:sdes:repaired-rtp-stream-id          | d]                  |

This is to enable the RTX streams to indicate which source RTP stream they
are repairing. Add to both offer and answer.

I. Section 5.3.3

Why isn't RTX enabled for the audio also?

J. Section 5.3.3. Answer:

   | m=video 0 UDP/TLS/RTP/SAVPF 98 100 101 103  | BUNDLE accepted     |

Payload types 100 and 101 are undefined in this media description.

K. Section 5.3.4 Answer:

    | a=rtpmap:101 VP8/90000                      | [RFC7741]           |

Wrong media type for the payload; should be RTX.

L. Section 5.3.4 Answer:

Missing rtcp-fb definitions to enable use of NACK which RTX depends on.


M. Section 5.3.5:

    | a=fmtp:101 L=5; D=10; ToP=2; repair-        | [I-D.ietf-payload-f |
    | window=200000                               | lexible-fec-scheme] |
    | a=fmtp:103 L=5; D=10; ToP=2; repair-        | [I-D.ietf-payload-f |
    | window=200000                               | lexible-fec-scheme] |

As the parameters are the same, I don't see a point with having two 
payload types. Two different RTP repair streams can use the same payload 
type. As Flex-FEC can do all the binding using the CSRC field, there is
also no need to have the repaired-rtp-stream-id header extension for
this one.

N. Section 5.3.5:

Does it make sense to still have NACK for a session with FEC? If it
fails isn't PLI or FIR

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Network Architecture & Protocols, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
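
The kinds of inconsistency raised in items H, J, K and L of the review above (undefined payload types on the m= line, an RTX payload mapped to a codec, RTX without generic NACK, a missing repaired-rtp-stream-id extmap) can be checked mechanically. The following is an added example, not part of the original message or of draft-ietf-rtcweb-sdp; the two SDP samples are constructed, and the function and finding names are hypothetical.

```python
"""Lint SDP media sections for payload-type and RTX inconsistencies."""

RID_URI = "urn:ietf:params:rtp-hdrext:sdes:rtp-stream-id"
REPAIRED_RID_URI = "urn:ietf:params:rtp-hdrext:sdes:repaired-rtp-stream-id"

SESSION = "v=0\no=- 20519 0 IN IP4 0.0.0.0\ns=-\nt=0 0\na=group:BUNDLE m0 m1\n"
AUDIO = "m=audio 49170 UDP/TLS/RTP/SAVPF 96\na=mid:m0\na=rtpmap:96 opus/48000/2\n"

# Constructed answer (not copied from the draft) showing the problem classes.
BROKEN_ANSWER = SESSION + AUDIO + """\
m=video 0 UDP/TLS/RTP/SAVPF 98 100 101 103
a=mid:m1
a=rtpmap:98 VP8/90000
a=rtpmap:103 VP8/90000
a=fmtp:103 apt=98
a=extmap:3 urn:ietf:params:rtp-hdrext:sdes:rtp-stream-id
"""

# Constructed corrected form of the same video section.
FIXED_ANSWER = SESSION + AUDIO + """\
m=video 0 UDP/TLS/RTP/SAVPF 98 103
a=mid:m1
a=rtpmap:98 VP8/90000
a=rtpmap:103 rtx/90000
a=fmtp:103 apt=98
a=rtcp-fb:* nack
a=rtcp-fb:* nack pli
a=extmap:3 urn:ietf:params:rtp-hdrext:sdes:rtp-stream-id
a=extmap:4 urn:ietf:params:rtp-hdrext:sdes:repaired-rtp-stream-id
"""


def split_media_sections(sdp):
    """Return [(m_line, [attribute text without 'a='])] for each m= block."""
    sections = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            sections.append((line, []))
        elif sections and line.startswith("a="):
            sections[-1][1].append(line[2:])
    return sections


def lint_media_section(m_line, attrs):
    """Return a list of (finding, detail) tuples for one RTP media section."""
    fields = m_line[2:].split()
    if len(fields) < 4 or "RTP" not in fields[2]:
        return []  # not an RTP media section (e.g. a data channel)
    formats = fields[3:]
    rtpmap, apt, nack_for, extmap_uris = {}, {}, set(), set()
    for attr in attrs:
        name, _, value = attr.partition(":")
        if name == "rtpmap":
            pt, _, encoding = value.partition(" ")
            rtpmap[pt] = encoding.split("/")[0].lower()
        elif name == "fmtp":
            pt, _, params = value.partition(" ")
            for param in params.split(";"):
                key, _, val = param.strip().partition("=")
                if key == "apt":  # RTX: payload type being repaired
                    apt[pt] = val.strip()
        elif name == "rtcp-fb":
            pt, _, feedback = value.partition(" ")
            if feedback.split() == ["nack"]:  # generic NACK, not "nack pli"
                nack_for.add(pt)
        elif name == "extmap":
            parts = value.split()
            if len(parts) >= 2:
                extmap_uris.add(parts[1])

    findings = []
    # Item J: dynamic payload types (96-127) listed on m= need an a=rtpmap.
    for pt in formats:
        if pt.isdigit() and int(pt) >= 96 and pt not in rtpmap:
            findings.append(("undefined-pt", pt))
    for pt, target in sorted(apt.items()):
        # Item K: a payload type carrying apt= must be mapped to rtx.
        if pt in rtpmap and rtpmap[pt] != "rtx":
            findings.append(("rtx-wrong-encoding", pt))
        # Item L: RTX depends on generic NACK for the repaired payload.
        if "*" not in nack_for and target not in nack_for:
            findings.append(("rtx-without-nack", target))
    # Item H: with RID and RTX in use, the repaired-RID extension is needed.
    if apt and RID_URI in extmap_uris and REPAIRED_RID_URI not in extmap_uris:
        findings.append(("missing-extmap", REPAIRED_RID_URI))
    return findings


def lint_sdp(sdp):
    """Map each section's mid (or its index) to the findings for that section."""
    report = {}
    for index, (m_line, attrs) in enumerate(split_media_sections(sdp)):
        mid = next((a[4:] for a in attrs if a.startswith("mid:")), str(index))
        report[mid] = lint_media_section(m_line, attrs)
    return report


if __name__ == "__main__":
    for label, sdp in (("broken", BROKEN_ANSWER), ("fixed", FIXED_ANSWER)):
        print(label, lint_sdp(sdp))
```
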


From nobody Wed Jul  4 10:35:24 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com>
In-Reply-To: <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Wed, 4 Jul 2018 10:35:06 -0700
Message-ID: <CAOJ7v-0-YG3dE1mPQrMQtD8sK7t4KxNe1+m3XF1feeEoZzOTOQ@mail.gmail.com>
To: youenn fablet <youennf@gmail.com>
Cc: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b4179405702fdac7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/pQ3ZSB_oZG7BCpkhizcb-W8wFn8>
Subject: Re: [rtcweb] Security implications of host candidates

--000000000000b4179405702fdac7
Content-Type: text/plain; charset="UTF-8"

One other potential complication: while S 4.3
<https://tools.ietf.org/html/draft-mdns-ice-candidates-00#section-4.3>
indicates that mDNS names should not be registered when running in a
private browsing context, it would still be possible for an endpoint
running in a private browsing context to connect to an mDNS address
registered by an endpoint running in a normal browsing context.

On Tue, Jul 3, 2018 at 2:40 PM Justin Uberti <juberti@google.com> wrote:

> Updated fiddle (outputs to display as well as console):
> https://jsfiddle.net/juberti/x7a8ut0q/37/
>
> On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com> wrote:
>
>> I wasn't able to get that example to work (tried with 2 Chrome and 2
>> Safari instances, got a setRemoteDescription error both times), but I was
>> able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/>
>> which does something similar in a single page. At present, even host-host
>> connections were seeing a 2 ms RTT, possibly because of the clamping
>> <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now> that
>> has been applied to performance.now() to deal with Spectre et al.
>>
>>
>>
>>
>>
>> On Tue, Jul 3, 2018 at 9:21 AM youenn fablet <youennf@gmail.com> wrote:
>>
>>> Maybe I don't understand the attack well enough, but if a page running
>>>> in a private browsing context tried to communicate with a page not running
>>>> in a private browsing context, they would probably see < 1ms RTTs for both
>>>> host-host and srflx-srflx candidates in many cases (including cases where
>>>> the contexts are on different machines).
>>>>
>>>
>>> This is probably true for good ethernet connections.
>>> Connections over wifi have usually a bigger/less stable latency than
>>> local loop connections.
>>> I uploaded a small example (
>>> https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/)
>>> that computes ping-pong host-host latency through data channel.
>>>
>>

--000000000000b4179405702fdac7--


From nobody Wed Jul  4 14:12:42 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com>
In-Reply-To: <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com>
From: youenn fablet <youennf@gmail.com>
Date: Wed, 4 Jul 2018 14:12:24 -0700
Message-ID: <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com>
To: Justin Uberti <juberti@google.com>
Cc: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cb0634057032e30a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/vWo_y5kLxt2zB42MpJ9jXKAqK5c>
Subject: Re: [rtcweb] Security implications of host candidates

--000000000000cb0634057032e30a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

On Tue, Jul 3, 2018 at 14:40, Justin Uberti <juberti@google.com> wrote:

> Updated fiddle (outputs to display as well as console):
> https://jsfiddle.net/juberti/x7a8ut0q/37/
>

Right, this shows the local loopback latency.


> On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com> wrote:
>
>> I wasn't able to get that example to work (tried with 2 Chrome and 2
>> Safari instances, got a setRemoteDescription error both times), but I was
>> able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/>
>> which does something similar in a single page. At present, even host-host
>> connections were seeing a 2 ms RTT, possibly because of the clamping
>> <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now> that
>> has been applied to performance.now() to deal with Spectre et al.
>>
>
I updated
https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/,
it should hopefully be more intuitive to use this time:
1. load the page in one device
2. load the link provided by the page on another device
3. click 'call' on the first page
4. a latency value should appear on the page and be continuously updated

--000000000000cb0634057032e30a--


From nobody Fri Jul  6 10:15:46 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com>
In-Reply-To: <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Fri, 6 Jul 2018 10:15:29 -0700
Message-ID: <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com>
To: youenn fablet <youennf@gmail.com>
Cc: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000039b90a057057d086"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/a4hZbQukAyRJzbqyCtED-X9CjXU>
Subject: Re: [rtcweb] Security implications of host candidates

--00000000000039b90a057057d086
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

Thanks for the new version. I tried a few scenarios and agree that this
technique can identify a same-host situation fairly reliably, especially in
wireless environments; I typically saw ~2 ms latency for same-host and 5-10
ms latency (with occasional spikes) for over-the-air connections.

I'm still not quite sure what we should do about it; as noted, public
IPv4 + user-agent (http://www.whatsmyua.info/) is probably unique in the
vast majority of cases, and the situation is unavoidable with IPv6.



On Wed, Jul 4, 2018 at 2:12 PM youenn fablet <youennf@gmail.com> wrote:

>
> On Tue, Jul 3, 2018 at 14:40, Justin Uberti <juberti@google.com> wrote:
>
>> Updated fiddle (outputs to display as well as console):
>> https://jsfiddle.net/juberti/x7a8ut0q/37/
>>
>
> Right, this shows the local loopback latency.
>
>
>> On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com> wrote:
>>
>>> I wasn't able to get that example to work (tried with 2 Chrome and 2
>>> Safari instances, got a setRemoteDescription error both times), but I was
>>> able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/>
>>> which does something similar in a single page. At present, even host-host
>>> connections were seeing a 2 ms RTT, possibly because of the clamping
>>> <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now> that
>>> has been applied to performance.now() to deal with Spectre et al.
>>>
>>
> I updated
> https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/,
> it should hopefully be more intuitive to use this time:
> 1. load the page in one device
> 2. load the link provided by the page on another device
> 3. click 'call' on the first page
> 4. a latency value should appear on the page and be continuously updated
>

--00000000000039b90a057057d086--
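
Added example, not part of the thread or of either linked demo: a worst-case model of what a clamped clock, such as the performance.now() clamping mentioned above, leaves observable in a single round-trip reading. The 5-10 ms over-the-air range is the figure reported in the message above; the sub-millisecond loopback range, the candidate clock resolutions, and all names are assumptions.

```javascript
// Added example (not code from the thread or from the linked demos).
// Worst-case model of ONE round-trip reading taken with a clamped clock.
// All values are integer microseconds to avoid floating-point edge cases.

// Thread figure: 5-10 ms over-the-air latency. The loopback range is an
// assumption standing in for the "< 1ms" mentioned earlier in the thread.
const SAME_HOST = { name: 'same-host', minUs: 100, maxUs: 1000 }; // assumed
const OVER_THE_AIR = { name: 'over-the-air', minUs: 5000, maxUs: 10000 };

// A clock with resolution resUs only reports multiples of resUs. An interval
// that is not an exact multiple spans either floor(d/res) or floor(d/res) + 1
// ticks, depending on where inside a tick it started.
function readingsFor(trueUs, resUs) {
  if (!Number.isInteger(trueUs) || !Number.isInteger(resUs) ||
      trueUs < 0 || resUs <= 0) {
    throw new RangeError('durations must be integers >= 0, resolution > 0');
  }
  const ticks = Math.floor(trueUs / resUs);
  return trueUs % resUs === 0
    ? [ticks * resUs]
    : [ticks * resUs, (ticks + 1) * resUs];
}

// Every reading that a whole class of true RTTs can produce at this resolution.
function readingsForClass(cls, resUs) {
  const low = readingsFor(cls.minUs, resUs)[0];
  const high = readingsFor(cls.maxUs, resUs).slice(-1)[0];
  const out = [];
  for (let r = low; r <= high; r += resUs) out.push(r);
  return out;
}

// Readings that both classes can produce: a page that sees one of these
// cannot tell the classes apart from that single measurement.
function ambiguousReadings(a, b, resUs) {
  const other = new Set(readingsForClass(b, resUs));
  return readingsForClass(a, resUs).filter((r) => other.has(r));
}

// Evaluate a list of candidate clock resolutions (assumed values).
function evaluateResolutions(resolutionsUs) {
  return resolutionsUs.map((resUs) => {
    const ambiguous = ambiguousReadings(SAME_HOST, OVER_THE_AIR, resUs);
    return { resUs, separable: ambiguous.length === 0, ambiguous };
  });
}

const report = evaluateResolutions([100, 1000, 2000, 5000, 10000]);
for (const row of report) {
  console.log(`${row.resUs} us clock: ` + (row.separable
    ? 'the two ranges never collide'
    : `ranges collide at ${row.ambiguous.join(', ')} us`));
}
```

In this model a clock clamped to an assumed 2000 us still keeps the two ranges disjoint, so clamping at that level does not by itself hide the same-host case. Collisions only appear once the resolution reaches the floor of the over-the-air range.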


From nobody Fri Jul  6 10:53:47 2018
From: westhawk <thp@westhawk.co.uk>
Message-Id: <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6EC6A34E-98CC-4379-B799-B9B46571516A"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Fri, 6 Jul 2018 18:53:36 +0100
In-Reply-To: <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com>
Cc: youenn fablet <youennf@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>, youenn fablet <yfablet@apple.com>
To: Justin Uberti <juberti=40google.com@dmarc.ietf.org>
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/pDs_R7dUn6uf-DvwK6GT85obPxM>
Subject: Re: [rtcweb] Security implications of host candidates

--Apple-Mail=_6EC6A34E-98CC-4379-B799-B9B46571516A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I think perhaps we should step back and see if we can block the threat earlier on.

If I understand correctly the issue is that 2 pages of different origin could include 3rd party
javascript that connects to a web service to exchange OA and establish a data channel
between the pages. It then looks at the latency and figures out that the two are on
the same network/device.

Is there a way we can make this prohibitively expensive or inaccurate?

It sorta feels like a same origin policy on the data channel might help.
-Perhaps sign the webRTC certificates with the origin and have DTLS refuse a handshake if
the two ends don’t have a common signature.

I’m obviously very keen to avoid forcing all data channel traffic through TURN.

T.



> On 6 Jul 2018, at 18:15, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>
> Thanks for the new version. I tried a few scenarios and agree that this
> technique can identify a same-host situation fairly reliably, especially
> in wireless environments; I typically saw ~2 ms latency for same-host and
> 5-10 ms latency (with occasional spikes) for over-the-air connections.
>
> I'm still not quite sure what we should do about it; as noted, public
> IPv4 + user-agent (http://www.whatsmyua.info/) is probably unique in the
> vast majority of cases, and the situation is unavoidable with IPv6.
>
> On Wed, Jul 4, 2018 at 2:12 PM youenn fablet <youennf@gmail.com> wrote:
>
> On Tue, 3 Jul 2018 at 14:40, Justin Uberti <juberti@google.com> wrote:
> Updated fiddle (outputs to display as well as console):
> https://jsfiddle.net/juberti/x7a8ut0q/37/
>
> Right, this shows the local loopback latency.
>
> On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com> wrote:
> I wasn't able to get that example to work (tried with 2 Chrome and 2
> Safari instances, got a setRemoteDescription error both times), but I was
> able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/> which
> does something similar in a single page. At present, even host-host
> connections were seeing a 2 ms RTT, possibly because of the clamping
> <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now> that
> has been applied to performance.now() to deal with Spectre et al.
>
> I updated
> https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/,
> it should hopefully be more intuitive to use this time:
> 1. load the page in one device
> 2. load the link provided by the page on another device
> 3. click 'call' on the first page
> 4. a latency value should appear on the page and be continuously updated


--Apple-Mail=_6EC6A34E-98CC-4379-B799-B9B46571516A--
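
Added example, not part of the thread or any participant's code: a JavaScript model of the performance.now() clamping mentioned in the quoted 3 July message, used to check whether a coarser clock would make the same-host versus over-the-air latency gap inaccurate, as asked above. The RTT samples, the clock resolutions and all function names are assumptions constructed for illustration.

```javascript
// Added example. All RTT samples are constructed; the clock resolutions are
// assumed values, not measurements of any browser. Times are integer
// microseconds so the arithmetic is exact.

// Read a clamped clock: the true time rounded down to a multiple of resolutionUs.
function clampUs(tUs, resolutionUs) {
  return Math.floor(tUs / resolutionUs) * resolutionUs;
}

// RTT as script would compute it when both timestamps come from the clamped
// clock. With a 2 ms clock a 0.3 ms round trip reads as either 0 or 2 ms,
// depending on where the send time falls relative to the clock tick.
function observedRttUs(sendAtUs, trueRttUs, resolutionUs) {
  return clampUs(sendAtUs + trueRttUs, resolutionUs) - clampUs(sendAtUs, resolutionUs);
}

// Observe every true RTT at 200 send times whose phase relative to the clock
// tick is spread out (stride of 997 us).
function observeAll(trueRttsUs, resolutionUs) {
  const out = [];
  for (const rtt of trueRttsUs) {
    for (let k = 0; k < 200; k++) {
      out.push(observedRttUs(k * 997, rtt, resolutionUs));
    }
  }
  return out;
}

// Fraction of observations that the best single cut-off labels correctly.
// 1.0 means the clamping hides nothing; 0.5 means the two groups look alike.
function separability(nearObs, farObs) {
  const cuts = [...new Set([...nearObs, ...farObs])];
  let best = 0;
  for (const cut of cuts) {
    const correct =
      nearObs.filter(v => v <= cut).length + farObs.filter(v => v > cut).length;
    best = Math.max(best, correct);
  }
  return best / (nearObs.length + farObs.length);
}

// Constructed samples: loopback-like RTTs, and the 5-10 ms range from the thread.
const SAME_HOST_US = [300, 450, 600, 800, 1200];
const OVER_THE_AIR_US = [5000, 6200, 7500, 9000, 10000];

function separabilityAt(resolutionUs) {
  return separability(
    observeAll(SAME_HOST_US, resolutionUs),
    observeAll(OVER_THE_AIR_US, resolutionUs)
  );
}

for (const resUs of [100, 2000, 20000]) {
  console.log(
    `clock resolution ${resUs / 1000} ms -> separability ${separabilityAt(resUs).toFixed(3)}`
  );
}
```

With these constructed inputs a 2 ms clock still separates the two groups completely; only a resolution coarser than the over-the-air round trips starts to blur them, and even then not fully.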


From nobody Fri Jul  6 12:35:48 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk>
In-Reply-To: <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk>
From: Justin Uberti <juberti@google.com>
Date: Fri, 6 Jul 2018 12:35:30 -0700
Message-ID: <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com>
To: Tim Panton <thp@westhawk.co.uk>
Cc: youenn fablet <youennf@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>,  youenn fablet <yfablet@apple.com>
Content-Type: multipart/alternative; boundary="000000000000f26f70057059c462"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/vYFSYqvDeMIfDprD3cEQR5MXDxU>
Subject: Re: [rtcweb] Security implications of host candidates

--000000000000f26f70057059c462
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Fri, Jul 6, 2018 at 10:53 AM westhawk <thp@westhawk.co.uk> wrote:

> I think perhaps we should step back and see if we can block the threat
> earlier on.
>
> If I understand correctly the issue is that 2 pages of different origin
> could include 3rd party JavaScript that connects to a web service to
> exchange OA and establish a data channel between the pages. It then looks
> at the latency and figures out that the two are on the same
> network/device.
>
> Is there a way we can make this prohibitively expensive or inaccurate?
>
> It sorta feels like a same origin policy on the data channel might help.
> - Perhaps sign the WebRTC certificates with the origin and have DTLS
> refuse a handshake if the two ends don’t have a common signature.
>

The issue is that two pages (probably of the same origin) can determine
that they are on the same host even when running in different browsing
contexts (e.g., one being in private browsing mode), by establishing a p2p
connection and measuring latency.

The key questions are a) whether this gives up information that is not
already present (e.g., by looking at your own IPv6 address), and b) what
mitigations might exist.

We'll have some time to discuss in Montreal.


> I’m obviously very keen to avoid forcing all data channel traffic through
> TURN.
>
> On 6 Jul 2018, at 18:15, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>
> Thanks for the new version. I tried a few scenarios and agree that this
> technique can identify a same-host situation fairly reliably, especially
> in wireless environments; I typically saw ~2 ms latency for same-host and
> 5-10 ms latency (with occasional spikes) for over-the-air connections.
>
> I'm still not quite sure what we should do about it; as noted, public
> IPv4 + user-agent (http://www.whatsmyua.info/) is probably unique in the
> vast majority of cases, and the situation is unavoidable with IPv6.
>
> On Wed, Jul 4, 2018 at 2:12 PM youenn fablet <youennf@gmail.com> wrote:
>
>> On Tue, 3 Jul 2018 at 14:40, Justin Uberti <juberti@google.com> wrote:
>>
>>> Updated fiddle (outputs to display as well as console):
>>> https://jsfiddle.net/juberti/x7a8ut0q/37/
>>>
>>
>> Right, this shows the local loopback latency.
>>
>>> On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com>
>>> wrote:
>>>
>>>> I wasn't able to get that example to work (tried with 2 Chrome and 2
>>>> Safari instances, got a setRemoteDescription error both times), but I
>>>> was able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/>
>>>> which does something similar in a single page. At present, even
>>>> host-host connections were seeing a 2 ms RTT, possibly because of the
>>>> clamping
>>>> <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now>
>>>> that has been applied to performance.now() to deal with Spectre et al.
>>>>
>>>
>> I updated
>> https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/,
>> it should hopefully be more intuitive to use this time:
>> 1. load the page in one device
>> 2. load the link provided by the page on another device
>> 3. click 'call' on the first page
>> 4. a latency value should appear on the page and be continuously updated
>>

--000000000000f26f70057059c462--


From nobody Sat Jul  7 16:00:23 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com>
In-Reply-To: <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com>
From: Feross Aboukhadijeh <feross@feross.org>
Date: Sat, 7 Jul 2018 15:59:37 -0700
X-Gmail-Original-Message-ID: <CA+nRABmKwULPcVCHWSjJxmtDcRoPef-7Aq-hoiGn69Z0+b0JGg@mail.gmail.com>
Message-ID: <CA+nRABmKwULPcVCHWSjJxmtDcRoPef-7Aq-hoiGn69Z0+b0JGg@mail.gmail.com>
To: juberti=40google.com@dmarc.ietf.org
Cc: thp@westhawk.co.uk, rtcweb@ietf.org, yfablet@apple.com
Content-Type: multipart/alternative; boundary="0000000000003da6c6057070be81"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/yu7KI0Q-LUq5wt4sNrRNcgegwgg>
Subject: Re: [rtcweb] Security implications of host candidates

--0000000000003da6c6057070be81
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

> It sorta feels like a same origin policy on the data channel might help.

This would break use cases like WebTorrent, and many other Decentralized
Web projects that utilize the data channel to send data between cooperating
pages hosted on different origins. Also, as Justin pointed out, this
doesn't solve the issue since two pages on the same origin but in different
browsing contexts could still communicate.

Feross

I write at feross.org and tweet as @feross <https://twitter.com/feross>.
I work on WebTorrent <https://webtorrent.io/>, Standard
<https://standardjs.com/>, and Study Notes <https://www.apstudynotes.org/>.


On Fri, Jul 6, 2018 at 12:35 PM Justin Uberti <juberti=3D
40google.com@dmarc.ietf.org> wrote:

>
>
> On Fri, Jul 6, 2018 at 10:53 AM westhawk <thp@westhawk.co.uk> wrote:
>
>> I think perhaps we should step back and see if we can block the threat
>> earlier on.
>>
>> If I understand correctly the issue is that 2 pages of different origin
>> could include 3rd party
>> javascript that connects to a web service to exchange OA and establish a
>> data channel
>> between the pages. It then looks at the latency and figures out that the
>> two are on
>> the same network/device.
>>
>> Is there a way we can make this prohibitively expensive or inaccurate?
>>
>> It sorta feels like a same origin policy on the data channel might help.=
.
>> -Perhaps sign the webRTC certificates with the origin and have DTLS
>> refuse a handshake if
>> the two ends don=E2=80=99t have a common signature.
>>
>
> The issue is that two pages (probably of the same origin) can determine
> that they are on the same host even when running in different browsing
> contexts (e.g., one being in private browsing mode), by establishing a p2=
p
> connection and measuring latency.
>
> The key questions are a) whether this gives up information that is not
> already present (e.g., by looking at your own IPv6 address), and b) what
> mitigations might exist.
>
> We'll have some time to discuss in Montreal.
>
>
>> I=E2=80=99m obviously very keen to avoid forcing all data channel traffi=
c through
>> TURN.
>>
>
>>
>>
>> On 6 Jul 2018, at 18:15, Justin Uberti <
>> juberti=3D40google.com@dmarc.ietf.org> wrote:
>>
>> Thanks for the new version. I tried a few scenarios and agree that this
>> technique can identify a same-host situation fairly reliably, especially=
 in
>> wireless environments; I typically saw ~2 ms latency for same-host and 5=
-10
>> ms latency (with occasional spikes) for over-the-air connections.
>>
>> I'm still not quite sure what we should do about it; as noted, public
>> IPv4 + user-agent (http://www.whatsmyua.info/) is probably unique in the
>> vast majority of cases, and the situation is unavoidable with IPv6.
>>
>>
>>
>> On Wed, Jul 4, 2018 at 2:12 PM youenn fablet <youennf@gmail.com> wrote:
>>
>>>
>>> On Tue, Jul 3, 2018 at 14:40, Justin Uberti <juberti@google.com> wrote:
>>>
>>>> Updated fiddle (outputs to display as well as console):
>>>> https://jsfiddle.net/juberti/x7a8ut0q/37/
>>>>
>>>
>>> Right, this shows the local loopback latency.
>>>
>>>
>>>> On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com>
>>>> wrote:
>>>>
>>>>> I wasn't able to get that example to work (tried with 2 Chrome and 2
>>>>> Safari instances, got a setRemoteDescription error both times), but I was
>>>>> able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/>
>>>>> which does something similar in a single page. At present, even host-host
>>>>> connections were seeing a 2 ms RTT, possibly because of the clamping
>>>>> <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now>
>>>>> that has been applied to performance.now() to deal with Spectre et al.
>>>>>
>>>>
>>> I updated
>>> https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/,
>>> it should hopefully be more intuitive to use this time:
>>> 1. load the page in one device
>>> 2. load the link provided by the page on another device
>>> 3. click 'call' on the first page
>>> 4. a latency value should appear on the page and be continuously updated
>>>

--0000000000003da6c6057070be81--


From nobody Sun Jul  8 23:35:04 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com>
In-Reply-To: <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 9 Jul 2018 16:34:49 +1000
Message-ID: <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com>
To: juberti=40google.com@dmarc.ietf.org
Cc: tim panton <thp@westhawk.co.uk>, RTCWeb IETF <rtcweb@ietf.org>,  youenn fablet <yfablet@apple.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/buGkK4MY_ANPLiJjR8ivrwP0HuY>
Subject: Re: [rtcweb] Security implications of host candidates

On Sat, Jul 7, 2018 at 5:36 AM Justin Uberti
<juberti=40google.com@dmarc.ietf.org> wrote:
> The issue is that two pages (probably of the same origin) can determine that they are on the same host even when running in different browsing contexts (e.g., one being in private browsing mode), by establishing a p2p connection and measuring latency.
>
> The key questions are a) whether this gives up information that is not already present (e.g., by looking at your own IPv6 address), and b) what mitigations might exist.

This seems like a fair analysis.  I read the draft and thought a
little about this angle, and I think that it's worth doing something
about, even if I'm not 100% sure of what that would look like.

Other signals, like sharing an address, don't seem to be as reliable
as this.  For instance, having to go to a NAT hairpin might add enough
additional latency that it looks like you are on the same network, but
not necessarily the same machine.  That might be enough information
for a tracker, anyway, so that's a big caveat on any mitigation we
come up with.

I'm not sure that what is proposed (limiting to a top-level browsing
context that isn't also private browsing) is the best way to achieve
the stated policy goals in the draft.  And more fundamentally, there
are probably several policies that browsers might reasonably adopt
along those lines.

For instance, we might reasonably be similarly concerned about
different unrelated top-level browsing contexts using this to link
each other.  I know that Tor Browser would be concerned about this
sort of isolation as much as it would worry about iframes on different
pages.

The best idea I have there is to fail resolution for .local names that
the browser itself has minted for other origins[1].  That way,
connections that are cross-origin and same-host would always at least
hit a hairpin or relay.  Of course, failing resolution so quickly
might leak information, so additional caution might be necessary (I
don't think that it does, provided that a candidate is not entered
into a checklist before resolution occurs, but I'm not sure how that
would be implemented).

This suggests that you could share mDNS names for frames under the
same top-level browsing context without leaking more information,
which could be very useful.

(The data channels thing isn't relevant here, because measuring
connection setup should be enough to link two browsing contexts.  RTP
likely works as well, but it's less easy to use.)

[1] The draft uses the term "execution context" here, which is
probably the right phrase, but it's not really defined.
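
The resolution policy proposed in the message above, as an added sketch that is not part of the original message, the draft, or any browser's code. The class and function names, the choice of "top-level origin plus private-browsing flag" as the execution context, and the sample addresses are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumption of this sketch: an "execution context" is the top-level origin
// plus its storage mode, so a private window never matches a normal one.
function contextKey(ctx) {
  return `${ctx.topLevelOrigin}|${ctx.privateBrowsing ? 'private' : 'normal'}`;
}

class MdnsNameRegistry {
  constructor() {
    this.byName = new Map(); // minted name -> { key, address }
    this.bySlot = new Map(); // context key + address -> minted name
  }

  // Mint the .local name that stands in for a host address. Frames under the
  // same top-level context reuse one name; every other context gets its own.
  mint(ctx, address) {
    const key = contextKey(ctx);
    const slot = `${key}|${address}`;
    if (!this.bySlot.has(slot)) {
      const name = `${crypto.randomUUID()}.local`;
      this.bySlot.set(slot, name);
      this.byName.set(name, { key, address });
    }
    return this.bySlot.get(slot);
  }

  // Decide what to do with a .local name found in a remote candidate.
  resolve(ctx, name) {
    const entry = this.byName.get(name.toLowerCase());
    if (!entry) return { action: 'query-network' };               // not minted here
    if (entry.key !== contextKey(ctx)) return { action: 'fail' }; // minted for another context
    return { action: 'use', address: entry.address };
  }
}

// Resolution happens before anything reaches the ICE checklist, so a name that
// fails never produces a connectivity check whose timing could be measured.
function admitRemoteCandidates(registry, ctx, candidates) {
  const checklist = [];
  const needsMdnsQuery = [];
  for (const cand of candidates) {
    if (!cand.address.toLowerCase().endsWith('.local')) {
      checklist.push(cand);
      continue;
    }
    const result = registry.resolve(ctx, cand.address);
    if (result.action === 'use') checklist.push({ ...cand, address: result.address });
    else if (result.action === 'query-network') needsMdnsQuery.push(cand);
    // 'fail': the candidate is dropped, leaving only non-host paths for this pair
  }
  return { checklist, needsMdnsQuery };
}

// Constructed scenario: one site open in a normal and a private window.
function demo() {
  const registry = new MdnsNameRegistry();
  const normal = { topLevelOrigin: 'https://site.example', privateBrowsing: false };
  const priv = { topLevelOrigin: 'https://site.example', privateBrowsing: true };
  const offered = [
    { type: 'host', address: registry.mint(normal, '192.168.1.20'), port: 50000 },
    { type: 'relay', address: '203.0.113.7', port: 3478 },
  ];
  return {
    sameContext: admitRemoteCandidates(registry, normal, offered).checklist.map(c => c.type),
    otherContext: admitRemoteCandidates(registry, priv, offered).checklist.map(c => c.type),
  };
}

console.log(demo());
```
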


From nobody Mon Jul  9 00:30:25 2018
MIME-Version: 1.0
References: <7594FB04B1934943A5C02806D1A2204B72F048B9@ESESSMB109.ericsson.se>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B72F048B9@ESESSMB109.ericsson.se>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 9 Jul 2018 17:30:10 +1000
Message-ID: <CABkgnnXAhD_fCEhJJ0QgAzy7wGzy4t=s2xeEO5RKEHPUUuWCJg@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: RTCWeb IETF <rtcweb@ietf.org>, sdp-directorate-private@ietf.org,  mmusic-chairs@ietf.org, rtcweb-chairs@ietf.org,  Ben Campbell <ben@nostrum.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/GOfZE1sj_jCpmL89og5CR8S8M64>
Subject: Re: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)

Hi Christer,

I went through this review, and there are some changes that I think
are useful.  I'm not sure if there isn't some misunderstanding on some
others.

I have PRs up on the repo for the simple ones.  The suggestion to
include the usual section headers might take some more time to sort
out.

On Thu, May 24, 2018 at 6:20 PM Christer Holmberg
<christer.holmberg@ericsson.com> wrote:
> As the SDP attribute definition should be able to stand on its own legs, there should be a description/reference to the IdP solution that it is used for.

I believe that context is sufficient for that purpose.

> Also, if the usage of the attribute is scoped to devices implementing the WebRTC specification, that should be indicated.

The mechanism isn't necessarily scoped to this particular usage
domain.  I've proposed some text, but I don't think that it's
necessary.  The use of JSON allows for many things, some of which
might be extending this to other uses.

> Q1 (Structure):
>
> The document lacks the offer/answer procedure structure used for SDP attributes.

This is a fair criticism.  That needs work.  Not because the headings
are valuable, but because there is missing information that those
headings cause you to think about (which is why they exist, of
course).  For instance, we don't really say anything here about
whether the value can change (it can, but the identity can't).

> Q2. The mux category is missing.

I couldn't find this in the draft or on the list, but I found a branch
that adds this, so it's good.

> Q3 (Grammar):
>     identity-attribute  = "identity:" identity-assertion
>                                         *( SP identity-extension )

Sure.  I'm going with this because anything else would break existing
deployments (such as they are).  ';' is now allowed in the extensions.

> Q4 (Attribute definition):
> Historically there have been problems with the definitions of new SDP attributes. Especially, the manner of defining the syntax was inconsistent. RFC4566 gave insufficient guidance on how to do this. draft-ietf-mmusic-rfc4566bis (especially section 8.2.4.1) has provided more guidance on how to do this. Please do your definitions in that style. For instance:

How is the definition in the IANA considerations section insufficient?


> Q5:
> The draft says that, at minimum, the fingerprint needs to be bound to the identity.
>
> First, I assume this means that, for each assertion, the associated SDP fingerprint attribute must be included in the offer/answer. If so, please include text about that..

The text says:

> The identity attribute attests to all "a=fingerprint" attributes in the session description. It is therefore a session-level attribute.
>
> Multiple "a=fingerprint" values can be used to offer alternative certificates for a peer.  The
> "a=identity" attribute MUST include all fingerprint values that are included in
> "a=fingerprint" lines.

That would seem to be sufficient for this purpose.

> Second, it would be good to indicate that, in the SDP, there is no link between a given assertion and the associated fingerprint.

I don't know what you are looking for here.  If you are saying that
the SDP doesn't include a pointer from a=identity to a=fingerprint, or
vice versa, that's right.  But - as defined - a=identity includes ALL
a=fingerprint instances, so any pointer would be redundant.

> Q6:
> Section 5.6.4.1 says:
>    "The "a=identity" attribute MUST include all
>    fingerprint values that are included in "a=fingerprint" lines."
> It is unclear what “attribute MUST include all fingerprint values” means.

The previous section describes the construction of the value that is
used for a=identity.  I don't understand how that could be clearer.
I've tried to clarify this in a PR.

> It should also be clarified that, if the attribute is used on media-level in an m- section, it contains the assertion for each fingerprint associated with that m- section.

It's session-level only.

> Q7:
> Section 5.6.4.2 says:
>   “The semantics of multiple identity attributes are undefined.”
> First, I don’t see the difference in having a single attribute with multiple assertions, or multiple attributes with single assertions. Having said that, if we only want to allow one way, I would suggest to simply forbid multiple attributes.

That's OK, but what is the usual policy for handling malformed
attributes if you know the syntax of the attribute?  What handling
should we specify here?

> Second, it needs to be clarified that the rule applies to a given m- section.

It's session-level only.

> Q8:
> In the example in Section 5.6.4.1 the SDP fingerprint attribute is included as a session-level attribute. However, it is currently only defined as a media-level attribute.

I can't find any evidence of this being defined as media-level.  It
says session-level (only) in several places.
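
The rules stated in the replies above (a=identity is session-level only, multiple a=identity attributes have undefined semantics, and the assertion must cover every a=fingerprint line) can be checked mechanically. The following is an added example, not code from the draft or from any implementation; the function names, the shape of `assertedFingerprints` (taken here to be what IdP validation returned), and the shortened sample digests are assumptions.

```javascript
// Canonical form used to compare fingerprints: lower-case hash name, upper-case digest.
function canon(algorithm, digest) {
  return `${algorithm.toLowerCase()} ${digest.toUpperCase()}`;
}

// Split an a=identity value per the grammar quoted in Q3:
//   identity-assertion *( SP identity-extension )
// The assertion is treated as an opaque token here.
function parseIdentityValue(value) {
  const [assertion, ...extensions] = value.split(' ').filter(Boolean);
  return { assertion, extensions };
}

// assertedFingerprints: [{ algorithm, digest }], hypothetical shape for the
// fingerprints the validated identity assertion vouches for.
function lintIdentity(sdp, assertedFingerprints) {
  const problems = [];
  const identities = [];
  const offered = [];
  let level = 'session';
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith('m=')) {
      level = 'media';
    } else if (line.startsWith('a=identity:')) {
      const parsed = parseIdentityValue(line.slice('a=identity:'.length));
      if (!parsed.assertion) problems.push('a=identity has no assertion');
      if (level === 'media') problems.push('a=identity inside an m= section; it is session-level only');
      identities.push(parsed);
    } else if (line.startsWith('a=fingerprint:')) {
      const m = /^(\S+) ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)$/
        .exec(line.slice('a=fingerprint:'.length));
      if (m) offered.push(canon(m[1], m[2]));
      else problems.push(`malformed fingerprint line: ${line}`);
    }
  }
  if (identities.length > 1) problems.push('more than one a=identity; semantics are undefined');
  if (identities.length > 0) {
    // The assertion attests to ALL fingerprints, at session and media level alike.
    const asserted = new Set(assertedFingerprints.map(f => canon(f.algorithm, f.digest)));
    for (const fp of offered) {
      if (!asserted.has(fp)) problems.push(`not covered by the assertion: ${fp}`);
    }
  }
  return { identities, offered, problems };
}

// Constructed session description; the assertion token and digests are
// placeholders (digests shortened for readability).
const GOOD_SDP = [
  'v=0',
  'o=- 1 1 IN IP4 0.0.0.0',
  's=-',
  't=0 0',
  'a=identity:Q09OU1RSVUNURUQ= ext1 ext2=value',
  'a=fingerprint:sha-256 4A:AD:B9:B1',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel',
  'c=IN IP4 0.0.0.0',
  'a=fingerprint:sha-1 0B:5C:11:22',
].join('\r\n');

// Same description with a second a=identity placed inside the m= section.
const BAD_SDP = GOOD_SDP + '\r\na=identity:Q09OU1RSVUNURUQ=';

function demo() {
  const both = [
    { algorithm: 'sha-256', digest: '4a:ad:b9:b1' },
    { algorithm: 'SHA-1', digest: '0B:5C:11:22' },
  ];
  return {
    good: lintIdentity(GOOD_SDP, both),
    bad: lintIdentity(BAD_SDP, both.slice(0, 1)), // assertion omits the sha-1 value
  };
}

console.log(JSON.stringify(demo(), null, 2));
```
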


From nobody Mon Jul  9 14:38:21 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com>
In-Reply-To: <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Mon, 9 Jul 2018 14:37:51 -0700
Message-ID: <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Tim Panton <thp@westhawk.co.uk>, RTCWeb IETF <rtcweb@ietf.org>,  youenn fablet <yfablet@apple.com>
Content-Type: multipart/alternative; boundary="0000000000001a2b72057097d494"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/Mvtj4RdrMdAkd5NJbBbqXTDctRA>
Subject: Re: [rtcweb] Security implications of host candidates

--0000000000001a2b72057097d494
Content-Type: text/plain; charset="UTF-8"

On Sun, Jul 8, 2018 at 11:35 PM Martin Thomson <martin.thomson@gmail.com>
wrote:

> On Sat, Jul 7, 2018 at 5:36 AM Justin Uberti
> <juberti=40google.com@dmarc.ietf.org> wrote:
> > The issue is that two pages (probably of the same origin) can determine
> > that they are on the same host even when running in different browsing
> > contexts (e.g., one being in private browsing mode), by establishing a p2p
> > connection and measuring latency.
> >
> > The key questions are a) whether this gives up information that is not
> > already present (e.g., by looking at your own IPv6 address), and b) what
> > mitigations might exist.
>
> This seems like a fair analysis.  I read the draft and thought a
> little about this angle, and I think that it's worth doing something
> about, even if I'm not 100% sure of what that would look like.
>
> Other signals, like sharing an address, don't seem to be as reliable
> as this.  For instance, having to go to a NAT hairpin might add enough
> additional latency that it looks like you are on the same network, but
> not necessarily the same machine.  That might be enough information
> for a tracker, anyway, so that's a big caveat on any mitigation we
> come up with.
>

I did some more testing in http://jsfiddle.net/juberti/8n9p5jxk/ (hairpin
tester) and NAT hairpin doesn't always add significant latency. Obviously
it depends a lot on your wifi, but I was able to get 2-3 ms RTT for hairpin
on Ethernet and 6-8 ms RTT for wifi.

Basically, the site can try to connect two contexts via:
a) [existing] public IPv4 (indicates "same network")
b) [existing] IPv6 (indicates "same endpoint")
c) [existing] user-agent (indicates "same OS, same browser, same version")
d) [existing] fonts, gpu, display resolution, etc
e) [new] RTT < 5ms (indicates "probably same machine")

As such, e) doesn't add a lot, and as noted above, has false positives and
likely false negatives.

> I'm not sure that what is proposed (limiting to a top-level browsing
> context that isn't also private browsing) is the best way to achieve
> the stated policy goals in the draft.  And more fundamentally, there
> are probably several policies that browsers might reasonably adopt
> along those lines.
>
> For instance, we might reasonably be similarly concerned about
> different unrelated top-level browsing contexts using this to link
> each other.  I know that Tor Browser would be concerned about this
> sort of isolation as much as it would worry about iframes on different
> pages.
>
> The best idea I have there is to fail resolution for .local names that
> the browser itself has minted for other origins[1].  That way,
> connections that are cross-origin and same-host would always at least
> hit a hairpin or relay.  Of course, failing resolution so quickly
> might leak information, so additional caution might be necessary (I
> don't think that it does, provided that a candidate is not entered
> into a checklist before resolution occurs, but I'm not sure how that
> would be implemented).
>

If we decide to take action here, this seems like a reasonable approach.
You'd still be able to link cross-browser usage, but not cross-context
(intra-browser) usage.

>
> This suggests that you could share mDNS names for frames under the
> same top-level browsing context without leaking more information,
> which could be very useful.
>
> (The data channels thing isn't relevant here, because measuring
> connection setup should be enough to link two browsing contexts.  RTP
> likely works as well, but it's less easy to use.)
>
> [1] The draft uses the term "execution context" here, which is
> probably the right phrase, but it's not really defined.
>

--0000000000001a2b72057097d494--


From nobody Mon Jul  9 14:48:30 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com>
In-Reply-To: <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 10 Jul 2018 07:48:10 +1000
Message-ID: <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com>
To: Justin Uberti <juberti@google.com>
Cc: tim panton <thp@westhawk.co.uk>, RTCWeb IETF <rtcweb@ietf.org>,  youenn fablet <yfablet@apple.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/gozsB6fLYbnvZUqzUPjDR305oPQ>
Subject: Re: [rtcweb] Security implications of host candidates

On Tue, Jul 10, 2018 at 7:38 AM Justin Uberti <juberti@google.com> wrote:
> e) [new] RTT < 5ms (indicates "probably same machine")

My thought was that this only creates a valid "same-network" signal.
But the number of instances of one host per network is high enough
that the distinction might be meaningless.  But that's not the point,
the point was to avoid creating a new signal.

One thing that I found helpful in thinking about this was the
question: "What would Tor Browser do?"  And in that case, the proposed
tweak does work: a hairpin over the Tor network expands the anonymity
set considerably.


From nobody Mon Jul  9 14:59:16 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com>
In-Reply-To: <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com>
From: youenn fablet <youennf@gmail.com>
Date: Mon, 9 Jul 2018 14:58:26 -0700
Message-ID: <CANN+akY5_HobMEU=0ynOgzfyXmtPenv_uGoS2DTrz5dciTeM2A@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: juberti=40google.com@dmarc.ietf.org, RTCWeb IETF <rtcweb@ietf.org>,  youenn fablet <yfablet@apple.com>
Content-Type: multipart/alternative; boundary="000000000000b7f6310570981d0e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/BKzMv7JOh135wshiuhxZ5y902Ko>
Subject: Re: [rtcweb] Security implications of host candidates

--000000000000b7f6310570981d0e
Content-Type: text/plain; charset="UTF-8"

Thanks for the feedback.

> I'm not sure that what is proposed (limiting to a top-level browsing
> context that isn't also private browsing) is the best way to achieve
> the stated policy goals in the draft.  And more fundamentally, there
> are probably several policies that browsers might reasonably adopt
> along those lines.
>

Agreed, browsers might have different constraints and security rules (ITP
in Safari for instance) that should be taken into consideration when
solving that particular issue.

It also seems that, given that this is quite tied to browsers and execution
contexts, guidelines might better fit in W3C land if we think there is a
need for such guidelines.
For instance, W3C specs could use some IETF-defined hooks to provide
guidelines on how to set the mDNS policy/mDNS names to be used by a
particular ICE agent.

> The best idea I have there is to fail resolution for .local names that
> the browser itself has minted for other origins[1].  That way,
> connections that are cross-origin and same-host would always at least
> hit a hairpin or relay.  Of course, failing resolution so quickly
> might leak information, so additional caution might be necessary (I
> don't think that it does, provided that a candidate is not entered
> into a checklist before resolution occurs, but I'm not sure how that
> would be implemented).
>

There is also the issue of detecting same browser clients by failing
connections.
Let's say a web site identifies three clients A, B and C behind a NAT.
If A is able to connect to both B and C without TURN but B and C are not
able to connect with each other without TURN, a web site could probably
infer that B and C are running on the same browser and are not able to
connect with each other because of this rule.

While this case is not super likely for top-level pages (and anyway, the
user somehow trusts the page and might already be authenticated with it), this
might more often happen with third-party tracking iframes.


> This suggests that you could share mDNS names for frames under the
> same top-level browsing context without leaking more information,
> which could be very useful.
>

Agreed if these frames are same-origin with the top-level browsing context.

--000000000000b7f6310570981d0e--
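
The resolution rule Martin proposes and the A/B/C inference youenn raises against it, as a toy model added here (not code from the thread, the draft or any browser). The class, function names, origins and addresses are constructed, and keying a context by top-level origin, frame origin and private-mode flag is an assumption, since the draft's "execution context" is not defined.

```javascript
const crypto = require('crypto');

// Toy model of one browser's mDNS host-candidate handling. BrowserModel and
// its methods are hypothetical names for this example, not a browser API.
class BrowserModel {
  constructor(hostAddress, lan) {
    this.hostAddress = hostAddress; // constructed address of the machine
    this.lan = lan;                 // shared Map standing in for mDNS on the LAN
    this.minted = new Map();        // .local name -> context key that owns it
    this.byContext = new Map();     // context key -> .local name
  }

  // Assumption: a context is (top-level origin, frame origin, private flag).
  static contextKey(ctx) {
    return [ctx.topLevel, ctx.origin, ctx.privateMode ? 'private' : 'normal'].join('|');
  }

  // Mint (or reuse) the .local name a context advertises instead of its host IP.
  // Frames that are same-origin with their top-level page share the page's name.
  mint(ctx) {
    const key = BrowserModel.contextKey(ctx);
    if (!this.byContext.has(key)) {
      const name = crypto.randomUUID() + '.local';
      this.byContext.set(key, name);
      this.minted.set(name, key);
      this.lan.set(name, this.hostAddress);
    }
    return this.byContext.get(key);
  }

  // Resolve a remote candidate name on behalf of ctx. A name this browser
  // minted for a different context is refused, so the same-host pair never forms.
  resolve(ctx, name) {
    const owner = this.minted.get(name);
    if (owner !== undefined && owner !== BrowserModel.contextKey(ctx)) return null;
    return this.lan.get(name) ?? null;
  }
}

// Model assumption: a host-host path exists when at least one side can
// resolve the other's name. Within one browser both sides are refused.
function directPath(a, b) {
  const aSeesB = a.browser.resolve(a.ctx, b.browser.mint(b.ctx));
  const bSeesA = b.browser.resolve(b.ctx, a.browser.mint(a.ctx));
  return aSeesB !== null || bSeesA !== null;
}

// What remains visible to the site after the rule is applied: pairs with no
// direct path even though both members reach a common third client directly.
function relayOnlyPairsWithCommonPeer(clients) {
  const names = Object.keys(clients);
  const flagged = [];
  for (let i = 0; i < names.length; i++) {
    for (let j = i + 1; j < names.length; j++) {
      const x = names[i];
      const y = names[j];
      if (directPath(clients[x], clients[y])) continue;
      const witness = names.some((z) => z !== x && z !== y &&
        directPath(clients[z], clients[x]) && directPath(clients[z], clients[y]));
      if (witness) flagged.push(`${x}-${y}`);
    }
  }
  return flagged;
}

// Constructed scenario from the thread: A on one machine, B and C in two
// contexts of the same browser on another, all behind the same NAT.
function buildScenario() {
  const lan = new Map();
  const browser1 = new BrowserModel('192.0.2.10', lan); // documentation-range address
  const browser2 = new BrowserModel('192.0.2.20', lan);
  const frame = 'https://tracker.example';
  return {
    A: { browser: browser1, ctx: { topLevel: 'https://news.example', origin: frame, privateMode: false } },
    B: { browser: browser2, ctx: { topLevel: 'https://shop.example', origin: frame, privateMode: false } },
    C: { browser: browser2, ctx: { topLevel: 'https://mail.example', origin: frame, privateMode: true } },
  };
}

console.log(relayOnlyPairsWithCommonPeer(buildScenario())); // pairs the rule makes stand out
```

In this model the rule removes the low-RTT same-host path between B and C, but the missing path is itself observable, which is the residual signal any variant of the policy has to account for.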


From nobody Mon Jul  9 15:19:34 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com>
In-Reply-To: <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Mon, 9 Jul 2018 15:19:17 -0700
Message-ID: <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Tim Panton <thp@westhawk.co.uk>, RTCWeb IETF <rtcweb@ietf.org>,  youenn fablet <yfablet@apple.com>
Content-Type: multipart/alternative; boundary="000000000000385dd305709868d9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/ibUNVf-Tdz1boSZpUKjDfp6P8T4>
Subject: Re: [rtcweb] Security implications of host candidates

--000000000000385dd305709868d9
Content-Type: text/plain; charset="UTF-8"

On Mon, Jul 9, 2018 at 2:48 PM Martin Thomson <martin.thomson@gmail.com>
wrote:

> On Tue, Jul 10, 2018 at 7:38 AM Justin Uberti <juberti@google.com> wrote:
> > e) [new] RTT < 5ms (indicates "probably same machine")
>
> My thought was that this only creates a valid "same-network" signal.
> But the number of instances of one host per network is high enough
> that the distinction might be meaningless.  But that's not the point,
> the point was to avoid creating a new signal.
>
> One thing that I found helpful in thinking about this was the
> question: "What would Tor Browser do?"  And in that case, the proposed
> tweak does work: a hairpin over the Tor network expands the anonymity
> set considerably.
>

Well, Tor Browser would really need all WebRTC traffic to flow through Tor,
to prevent linking sessions via the srflx IPs.

But let me get to the point. Adding the limitations discussed for .local
has minimal downside, but what, if anything, should we do with IPv6 host
candidates? If we decide that we want to prevent host-host IPv6
connections, there will be implications for datachannel applications.

--000000000000385dd305709868d9--


From nobody Mon Jul  9 15:42:55 2018
Return-Path: <martin.thomson@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE6C7127333 for <rtcweb@ietfa.amsl.com>; Mon,  9 Jul 2018 15:42:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhg4WNQ9f6nq for <rtcweb@ietfa.amsl.com>; Mon,  9 Jul 2018 15:42:49 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A32A2130DF0 for <rtcweb@ietf.org>; Mon,  9 Jul 2018 15:42:49 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id b15-v6so38942921oib.10 for <rtcweb@ietf.org>; Mon, 09 Jul 2018 15:42:49 -0700 (PDT)
X-Received: by 2002:aca:3d43:: with SMTP id k64-v6mr23678920oia.166.1531176168783;  Mon, 09 Jul 2018 15:42:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com>
In-Reply-To: <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 10 Jul 2018 08:42:36 +1000
Message-ID: <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com>
To: Justin Uberti <juberti@google.com>
Cc: tim panton <thp@westhawk.co.uk>, RTCWeb IETF <rtcweb@ietf.org>,  youenn fablet <yfablet@apple.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/vIg9aFQ4JdBwoxavqNUVDrfHoIc>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 22:42:53 -0000

On Tue, Jul 10, 2018 at 8:19 AM Justin Uberti <juberti@google.com> wrote:
> Well, Tor browser would really need all WebRTC traffic to flow through Tor, to prevent linking sessions via the srflx IPs.

The anonymity set would be the hosts on the same exit node, which I
assume is >1.  More to the point, different top-level contexts use
different circuits, and therefore (likely) different exits.  IOW, as
proposed, the linking there is fine.

> But let me get to the point. Adding the limitations discussed for .local has minimal downside, but what, if anything, should we do with IPv6 host candidates? If we decide that we want to prevent host-host IPv6 connections, there will be implications for datachannel applications.

I don't think that we should treat v6 specially here.  If it is a host
candidate, use mDNS or don't provide it.  That avoids making a
judgment about the relative prevalence of v6 NAT and other such
things.
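
Added example, not part of the original message and not any browser's own code: the "use mDNS or don't provide it" rule from the message above, applied the same way to IPv4 and IPv6 host candidates. The function names, the `policy` option and the sample candidate lines are assumptions constructed for this illustration.

```javascript
// Candidate line layout (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for IPv4 and IPv6 literals, false for hostnames such as "<uuid>.local".
function isIpLiteral(addr) {
  const m = IPV4.exec(addr);
  if (m) return m.slice(1).every((octet) => Number(octet) <= 255);
  // An IPv6 literal always contains ':'; a hostname never does.
  return addr.includes(':') && /^[0-9a-fA-F:.]+$/.test(addr);
}

// Split a candidate line into fields; null if it does not follow the layout.
function parseCandidate(line) {
  if (typeof line !== 'string') return null;
  const body = line.trim().replace(/^a=/, '');
  if (!body.startsWith('candidate:')) return null;
  const fields = body.split(/\s+/);
  if (fields.length < 8 || fields[6] !== 'typ') return null;
  return { fields, address: fields[4], type: fields[7] };
}

// Default name generator (assumption: a random UUID under .local).
// Needs the Web Crypto global: browsers, or a recent Node.js.
function defaultName() {
  return `${globalThis.crypto.randomUUID()}.local`;
}

// Returns a function that maps one candidate line to the line that may be
// signalled, or null when the candidate must not be signalled at all.
//   policy 'mdns': host candidates carry a .local name instead of the address
//   policy 'drop': host candidates are not provided
// IPv4 and IPv6 host candidates take exactly the same path.
function createHostCandidateFilter({ policy = 'mdns', makeName = defaultName } = {}) {
  if (policy !== 'mdns' && policy !== 'drop') {
    throw new Error(`unknown policy: ${policy}`);
  }
  // One name per local address, so both components of an interface agree.
  // The caller is assumed to register each name with its mDNS responder.
  const names = new Map();

  return function filter(line) {
    const c = parseCandidate(line);
    if (!c) return null;                       // fail closed on anything unparseable
    if (c.type !== 'host' || !isIpLiteral(c.address)) return line;
    if (policy === 'drop') return null;

    if (!names.has(c.address)) names.set(c.address, makeName());
    const out = c.fields.slice();
    out[4] = names.get(c.address);
    const prefix = line.trim().startsWith('a=') ? 'a=' : '';
    return prefix + out.join(' ');
  };
}

// Apply one filter instance to a list of lines and keep what may be signalled.
function filterCandidates(lines, options) {
  const filter = createHostCandidateFilter(options);
  return lines.map(filter).filter((l) => l !== null);
}

// Constructed sample input (addresses from private and documentation ranges).
const SAMPLE_CANDIDATES = [
  'a=candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host',
  'a=candidate:1 2 udp 2122260222 192.168.1.23 51235 typ host',
  'a=candidate:2 1 udp 2122262783 2001:db8::1234 51236 typ host',
  'a=candidate:3 1 udp 1686052607 203.0.113.7 40000 typ srflx raddr 0.0.0.0 rport 9',
  'not a candidate line',
];
```
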


From nobody Mon Jul  9 16:42:17 2018
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87E92130E80 for <rtcweb@ietfa.amsl.com>; Mon,  9 Jul 2018 16:42:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level: 
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cRM9MuEvdSDH for <rtcweb@ietfa.amsl.com>; Mon,  9 Jul 2018 16:42:14 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FD3B127332 for <rtcweb@ietf.org>; Mon,  9 Jul 2018 16:32:34 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id j185-v6so28530580ite.1 for <rtcweb@ietf.org>; Mon, 09 Jul 2018 16:32:34 -0700 (PDT)
X-Received: by 2002:a24:1049:: with SMTP id 70-v6mr17281574ity.115.1531179153066;  Mon, 09 Jul 2018 16:32:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com>
In-Reply-To: <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Mon, 9 Jul 2018 16:32:20 -0700
Message-ID: <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Tim Panton <thp@westhawk.co.uk>, RTCWeb IETF <rtcweb@ietf.org>,  youenn fablet <yfablet@apple.com>
Content-Type: multipart/alternative; boundary="0000000000008211f50570996daf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/AdfRG9XFY_uaa0eek78kkD25WI0>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 23:42:16 -0000

--0000000000008211f50570996daf
Content-Type: text/plain; charset="UTF-8"

On Mon, Jul 9, 2018 at 3:42 PM Martin Thomson <martin.thomson@gmail.com>
wrote:

> On Tue, Jul 10, 2018 at 8:19 AM Justin Uberti <juberti@google.com> wrote:
> > Well, Tor browser would really need all WebRTC traffic to flow through
> Tor, to prevent linking sessions via the srflx IPs.
>
> The anonymity set would be the hosts on the same exit node, which I
> assume is >1.  More to the point, different top-level contexts use
> different circuits, and therefore (likely) different exits.  IOW, as
> proposed, the linking there is fine.
>

If Tor is already forcing all WebRTC traffic through a Tor proxy, it
doesn't need this tweak; TURN is the only option. This is somewhat
academic, but it points out an issue with the WWTBD framing.

>
> > But let me get to the point. Adding the limitations discussed for .local
> has minimal downside, but what, if anything, should we do with IPv6 host
> candidates? If we decide that we want to prevent host-host IPv6
> connections, there will be implications for datachannel applications.
>
> I don't think that we should treat v6 specially here.  If it is a host
> candidate, use mDNS or don't provide it.  That avoids making a
> judgment about the relative prevalence of v6 NAT and other such
> things.
>

The reason for the different treatment is that it could be argued that v6
addresses, being already public and unique, don't constitute a new signal.
That makes the tradeoff with datachannel impact less clear.


--0000000000008211f50570996daf--


From nobody Mon Jul  9 17:24:31 2018
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05C6F130EB2 for <rtcweb@ietfa.amsl.com>; Mon,  9 Jul 2018 17:24:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level: 
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1eJAJyxxRiKq for <rtcweb@ietfa.amsl.com>; Mon,  9 Jul 2018 17:24:27 -0700 (PDT)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5048B12F1AB for <rtcweb@ietf.org>; Mon,  9 Jul 2018 17:24:27 -0700 (PDT)
Received: by mail-io0-x22d.google.com with SMTP id y10-v6so3900294ioa.10 for <rtcweb@ietf.org>; Mon, 09 Jul 2018 17:24:27 -0700 (PDT)
X-Received: by 2002:a6b:7516:: with SMTP id l22-v6mr14570089ioh.87.1531182266180;  Mon, 09 Jul 2018 17:24:26 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com>
In-Reply-To: <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com>
From: Justin Uberti <juberti@google.com>
Date: Mon, 9 Jul 2018 17:24:14 -0700
Message-ID: <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com>
To: youenn fablet <yfablet@apple.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Tim Panton <thp@westhawk.co.uk>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000106e8305709a27a4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/ObtwDfiI0wcXB0SATD-wL60j6VA>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 00:24:29 -0000

--000000000000106e8305709a27a4
Content-Type: text/plain; charset="UTF-8"

On Mon, Jul 9, 2018 at 4:35 PM youenn fablet <yfablet@apple.com> wrote:

>
> > The reason for the different treatment is that it could be argued that
> v6 addresses, being already public and unique, don't constitute a new
> signal. That makes the tradeoff with datachannel impact less clear.
>
>
> If they are public, cannot they be discovered and exposed as srflx?


That's a good point; I had forgotten about NAT64. v6 STUN isn't widely
deployed, but if we did want to hide NAT64 v6 addresses, we could make this
work.

However, if we consider NAT64 to be an entirely temporary situation, this
may not make sense.


--000000000000106e8305709a27a4--


From nobody Tue Jul 10 00:35:32 2018
Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B803130E09 for <rtcweb@ietfa.amsl.com>; Tue, 10 Jul 2018 00:35:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level: 
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7XplCpb3po08 for <rtcweb@ietfa.amsl.com>; Tue, 10 Jul 2018 00:35:27 -0700 (PDT)
Received: from mork.alvestrand.no (mork.alvestrand.no [158.38.152.117]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11BA9130DE0 for <rtcweb@ietf.org>; Tue, 10 Jul 2018 00:35:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mork.alvestrand.no (Postfix) with ESMTP id 7E7F37C0398 for <rtcweb@ietf.org>; Tue, 10 Jul 2018 09:35:25 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at alvestrand.no
Received: from mork.alvestrand.no ([127.0.0.1]) by localhost (mork.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4TycRVPD6-dJ for <rtcweb@ietf.org>; Tue, 10 Jul 2018 09:35:23 +0200 (CEST)
Received: from [192.168.8.115] (177-49-11.connect.netcom.no [176.11.49.177]) by mork.alvestrand.no (Postfix) with ESMTPSA id 216217C010D for <rtcweb@ietf.org>; Tue, 10 Jul 2018 09:35:23 +0200 (CEST)
To: rtcweb@ietf.org
References: <5e7eebae-a08e-8c21-5c22-3b26b7385a7a@alvestrand.no> <4A875994-54C3-422B-8E6F-9284D273BE0E@lurchi.franken.de> <85a4defc-e432-eed3-f5fb-e1d0df2bf326@alvestrand.no> <87B266DF-5AE5-4B22-B21F-B2FC37EB3FF2@lurchi.franken.de> <596309ba-2aeb-7699-6bc6-ef7e461b5295@alvestrand.no> <2C11444C-6CC8-45E7-B699-02738D845BF0@lurchi.franken.de> <CAK35n0b2T+2omKfi-BeRM6pBz63FXbVGvQEF=2+i3rJf=c0HjQ@mail.gmail.com> <CAOJ7v-27yy18bibK2TWuCp5Yd+6QKp+7d5=B_PQDjpCkDr6MMw@mail.gmail.com>
From: Harald Alvestrand <harald@alvestrand.no>
Openpgp: preference=signencrypt
Message-ID: <975c5654-292a-8e66-c539-ec5533b544ac@alvestrand.no>
Date: Tue, 10 Jul 2018 09:35:22 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-27yy18bibK2TWuCp5Yd+6QKp+7d5=B_PQDjpCkDr6MMw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------6A6FB6EA2709190CB0D569C4"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/rXS-vgbn7MO3qH4dWljFVB5Dlno>
Subject: Re: [rtcweb] Data channel: Handling of packets on unknown channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 07:35:30 -0000

This is a multi-part message in MIME format.
--------------6A6FB6EA2709190CB0D569C4
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

On 06/29/2018 05:57 AM, Justin Uberti wrote:
> Taylor is correct. In that thread, we agreed that the PeerConnection
> doc should say "tough luck".

I read through that thread again (sorry for forgetting about it in my
initial message), and couldn't figure out what the exact semantics of
saying "tough luck" were.

I think the simplest thing on the protocol level is to drop the packets.

On the API level, we can add a warning saying "Note: If you don't make
sure the receiver has configured the datachannel before you send
packets, you risk losing some initial packets."

But we need to make sure the protocol machinery does exactly that (and
not, for instance, shut down the SCTP session), so that the warning is
correct.


>
> On Thu, Jun 28, 2018 at 10:38 AM Taylor Brandstetter
> <deadbeef=40google.com@dmarc.ietf.org
> <mailto:40google.com@dmarc.ietf.org>> wrote:
>
>     Note that I started a thread about this last
>     month: https://mailarchive.ietf.org/arch/msg/rtcweb/lIuiu91_L2nOh935eAqifrs_ius
>
>     On Thu, Jun 28, 2018 at 8:19 AM, Michael Tuexen
>     <michael.tuexen@lurchi.franken.de
>     <mailto:michael.tuexen@lurchi.franken.de>> wrote:
>
>
>
>         > On 28. Jun 2018, at 17:01, Harald Alvestrand
>         <harald@alvestrand.no <mailto:harald@alvestrand.no>> wrote:
>         >
>         > On 28 June 2018 at 16:35, Michael Tuexen wrote:
>         >>> On 28. Jun 2018, at 16:22, Harald Alvestrand
>         <harald@alvestrand.no <mailto:harald@alvestrand.no>> wrote:
>         >>>
>         >>> Den 28. juni 2018 14:51, skrev Michael Tuexen:
>         >>>>> On 28. Jun 2018, at 13:30, Harald Alvestrand
>         <harald@alvestrand.no <mailto:harald@alvestrand.no>> wrote:
>         >>>>>
>         >>>>> In considering the datachannel API, we encountered one
>         interesting race
>         >>>>> condition:
>         >>>>>
>         >>>>> A: <configure for datachannel>
>         >>>>>
>         >>>>> A: CreateOffer(), SetLocalDescription(), send SDP
>         >>>>>
>         >>>>> B: SetRemoteDescription, CreateAnswer,
>         SetLocalDescription, send SDP
>         >>>>>
>         >>>>> B: Configure an externally defined data channel, with #3249
>         >>>>>
>         >>>>> B: Send a message on #3249
>         >>>>>
>         >>>>> A: SetRemoteDescription
>         >>>>>
>         >>>>> A: Wait a while (THE PAUSE)
>         >>>>>
>         >>>>> A: Configure #3249
>         >>>>>
>         >>>>> Now, if a message comes in to A on #3249 during THE
>         PAUSE, what is the
>         >>>>> implementation to do?
>         >>>> Isn't that some kind of error condition?
>         >>>>
>         >>>> If that is true, one could apply:
>         >>>>
>         >>>>   If a message with an unsupported PPID is received or
>         some error
>         >>>>   condition related to the received message is detected by
>         the receiver
>         >>>>   (for example, illegal ordering), the receiver SHOULD
>         close the
>         >>>>   corresponding data channel.  This implies in particular that
>         >>>>   extensions using additional PPIDs can't be used without
>         prior
>         >>>>   negotiation.
>         >>>
>         >>>
>         >>> The receiver can't close the datachannel if the
>         datachannel doesn't
>         >>> exist yet, so this doesn't work for that case.
>         >> I was assuming that the SCTP receives a user message on a
>         stream. When
>         >> this message is delivered to its upper layer, doesn't this
>         layer know
>         >> that there is no data channel? I would assume that this
>         layer triggers
>         >> the stream reset procedure. I'm not saying that the user
>         (for example
>         >> via a JS API) is involved... I'm more talking about
>         implementing this
>         >> inside the browser..
>         >
>         >
>         > Exactly, it could close the stream, but it can't close the
>         data channel
>         > since it doesn't exist.
>         Well, I can run the procedure and the peer will get an
>         indication that
>         something isn't working well.
>         > 
>         > I think closing the stream would be a mistake, since that
>         would make the
>         > outcome about whether you end up with the datachannel or not
>         racy;
>         > discarding data will give you a working datachannel once A
>         gets around
>         > to configuring it.
>         But if the user configures a reliable data channel, the user
>         does not
>         get the service that was required...
>
>         Best regards
>         Michael
>         >
>
>         _______________________________________________
>         rtcweb mailing list
>         rtcweb@ietf.org <mailto:rtcweb@ietf.org>
>         https://www.ietf.org/mailman/listinfo/rtcweb


-- 
Surveillance is pervasive. Go Dark.


--------------6A6FB6EA2709190CB0D569C4--
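
The trade-off argued in the message above, as an added example that is not part of the thread and not any browser's code: a toy model of peer A receiving data on stream #3249 before its application has configured the channel, comparing "drop the packets" with running a stream reset. The function and constant names are hypothetical, and the model assumes that a reset closes B's side of the channel for good and that neither policy touches the SCTP association.

```javascript
// Added illustration, not code from the thread or from any browser.
// Toy model of peer A's handling of data that arrives on an SCTP stream
// before A has configured the externally negotiated channel for it.
// All names here are hypothetical.

const DROP = "drop";                 // discard the message, keep the stream
const RESET_STREAM = "reset-stream"; // run the stream reset procedure
const STREAM = 3249;                 // stream id used in the thread's example

// events: constructed sequence as seen by A, in arrival order.
//   { type: "message", stream, data }  user message sent by B
//   { type: "configure", stream }      A's application configures the channel
function simulate(policy, events) {
  const configuredAtA = new Set(); // streams A's application has configured
  const closedAtB = new Set();     // streams B saw reset (model: channel closed)
  const delivered = [];            // messages handed to A's application
  const dropped = [];              // messages A discarded

  for (const ev of events) {
    if (ev.type === "configure") {
      configuredAtA.add(ev.stream);
    } else if (ev.type === "message") {
      if (closedAtB.has(ev.stream)) {
        continue; // model assumption: B cannot send on a channel it saw closed
      }
      if (configuredAtA.has(ev.stream)) {
        delivered.push(ev.data);
      } else {
        // No channel exists yet at A for this stream.
        dropped.push(ev.data);
        if (policy === RESET_STREAM) {
          closedAtB.add(ev.stream); // B is told the stream is gone
        }
      }
    } else {
      throw new Error("unknown event type: " + ev.type);
    }
  }

  // A channel is usable only if A configured it and B still has it open.
  const usable = [...configuredAtA].filter((s) => !closedAtB.has(s));
  return { delivered, dropped, usable };
}

// Constructed input: B's first message arrives during "THE PAUSE".
const messageDuringPause = [
  { type: "message", stream: STREAM, data: "m1" },
  { type: "configure", stream: STREAM },
  { type: "message", stream: STREAM, data: "m2" },
];

// Constructed input: same events, but A configures #3249 before data arrives.
const configureFirst = [
  { type: "configure", stream: STREAM },
  { type: "message", stream: STREAM, data: "m1" },
  { type: "message", stream: STREAM, data: "m2" },
];

// Runs both policies against both orderings and returns one row per case.
function compare() {
  const orderings = [
    ["message during pause", messageDuringPause],
    ["configure first", configureFirst],
  ];
  const rows = [];
  for (const policy of [DROP, RESET_STREAM]) {
    for (const [order, events] of orderings) {
      const r = simulate(policy, events);
      rows.push({
        policy,
        order,
        usable: r.usable.includes(STREAM),
        delivered: r.delivered.join(","),
        dropped: r.dropped.join(","),
      });
    }
  }
  return rows;
}

console.table(compare());
```

With the drop policy the channel is usable in both orderings, at the cost of losing "m1" in the first; with the reset policy whether the channel exists at all depends on which event arrives first.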


From nobody Tue Jul 10 00:56:32 2018
Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1BCE130DE0 for <rtcweb@ietfa.amsl.com>; Tue, 10 Jul 2018 00:56:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level: 
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCygUFylQ6Ka for <rtcweb@ietfa.amsl.com>; Tue, 10 Jul 2018 00:56:26 -0700 (PDT)
Received: from mork.alvestrand.no (mork.alvestrand.no [158.38.152.117]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B98D1294D0 for <rtcweb@ietf.org>; Tue, 10 Jul 2018 00:56:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mork.alvestrand.no (Postfix) with ESMTP id DDFC67C0303 for <rtcweb@ietf.org>; Tue, 10 Jul 2018 09:56:24 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at alvestrand.no
Received: from mork.alvestrand.no ([127.0.0.1]) by localhost (mork.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDDbTN6b2_IJ for <rtcweb@ietf.org>; Tue, 10 Jul 2018 09:56:17 +0200 (CEST)
Received: from [192.168.8.115] (177-49-11.connect.netcom.no [176.11.49.177]) by mork.alvestrand.no (Postfix) with ESMTPSA id B50387C010D for <rtcweb@ietf.org>; Tue, 10 Jul 2018 09:56:17 +0200 (CEST)
To: rtcweb@ietf.org
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com>
From: Harald Alvestrand <harald@alvestrand.no>
Openpgp: preference=signencrypt
Message-ID: <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no>
Date: Tue, 10 Jul 2018 09:56:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------6CEA4822795294E65788B8A8"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/LOdoO-JYMA3nVqcuTfN0XqYenPg>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 07:56:29 -0000

This is a multi-part message in MIME format.
--------------6CEA4822795294E65788B8A8
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Thoughts:

- If I want to find out that I'm on the same host as another context
that I can communicate with in *any* fashion, I've got lots of games I
can play.

Example: Measure memory pressure, allocate 1 Gbyte in one context,
measure memory pressure again. This works for any measurement that's
available to both contexts and relates to the whole system.
Example: Measure the local clock's skew compared to some reference clock
(NTP-fashion). If the skew is the same down to the nanosecond, same host
is likely.
Example: Allocate any resource that can only be accessed from one
context at a time. Loop, asking for it, in the other context. Release it
in the first context, and check the timing on when the other one gets it.

In general, anything that can potentially be used as a covert channel
can be used more easily to figure out if we're on the same host.

My conclusion: Defending against this attack isn't worth the trouble.
We've already lost.

- Nevertheless, we're finding that the MDNS mode has implications that
we don't perceive fully yet.

My conclusion: This is an additional mode, not a replacement for one of
the other modes. We should continue to specify both.


On 07/10/2018 02:24 AM, Justin Uberti wrote:
>
>
> On Mon, Jul 9, 2018 at 4:35 PM youenn fablet <yfablet@apple.com
> <mailto:yfablet@apple.com>> wrote:
>
>
>     > The reason for the different treatment is that it could be
>     argued that v6 addresses, being already public and unique, don't
>     constitute a new signal. That makes the tradeoff with datachannel
>     impact less clear.
>
>
>     If they are public, cannot they be discovered and exposed as srflx?
>
>
> That's a good point; I had forgotten about NAT64. v6 STUN isn't widely
> deployed, but if we did want to hide NAT64 v6 addresses, we could make
> this work.
>
> However, if we consider NAT64 to be an entirely temporary situation,
> this may not make sense.
>


-- 
Surveillance is pervasive. Go Dark.


--------------6CEA4822795294E65788B8A8--


From nobody Wed Jul 11 02:23:52 2018
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D151130EEC for <rtcweb@ietfa.amsl.com>; Wed, 11 Jul 2018 02:23:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level: 
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQ71cDh0EsLE for <rtcweb@ietfa.amsl.com>; Wed, 11 Jul 2018 02:23:48 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FB48130E20 for <rtcweb@ietf.org>; Wed, 11 Jul 2018 02:23:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1531301024; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=XeM6fKeeVwyHk//KwGajarD5sFWsLTG4LKJNYLJPpvY=; b=BVeZPdA9qbUy3D7wxT8h/01gdU0bCZ3czll/Wg5p83db5unvSCwwwot8fsIIQiLx Nx0zSKufAezgIIYPbiro5TjoC8UJD2WuZK+UuL1GUwSoZPQnaDqjyEyyF8h1IGtS eD+qLUDVEscRxvyrYjG8ELAHpsXsG44RRNJpXVwqCuk=;
X-AuditID: c1b4fb30-93dff70000000a77-dd-5b45cca0ac8f
Received: from ESESBMB504.ericsson.se (Unknown_Domain [153.88.183.117]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 1B.34.02679.0ACC54B5; Wed, 11 Jul 2018 11:23:44 +0200 (CEST)
Received: from ESESBMB503.ericsson.se (153.88.183.170) by ESESBMB504.ericsson.se (153.88.183.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 11 Jul 2018 11:23:44 +0200
Received: from ESESBMB503.ericsson.se ([153.88.183.186]) by ESESBMB503.ericsson.se ([153.88.183.186]) with mapi id 15.01.1466.003; Wed, 11 Jul 2018 11:23:43 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Martin Thomson <martin.thomson@gmail.com>
CC: RTCWeb IETF <rtcweb@ietf.org>, "sdp-directorate-private@ietf.org" <sdp-directorate-private@ietf.org>, "mmusic-chairs@ietf.org" <mmusic-chairs@ietf.org>, "rtcweb-chairs@ietf.org" <rtcweb-chairs@ietf.org>, Ben Campbell <ben@nostrum.com>
Thread-Topic: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
Thread-Index: AdPzN1wT5XjwzlheSrOwvOSQwMHuDgkDoskAAG8NVAA=
Date: Wed, 11 Jul 2018 09:23:43 +0000
Message-ID: <D76BA4B0.332D5%christer.holmberg@ericsson.com>
References: <7594FB04B1934943A5C02806D1A2204B72F048B9@ESESSMB109.ericsson.se> <CABkgnnXAhD_fCEhJJ0QgAzy7wGzy4t=s2xeEO5RKEHPUUuWCJg@mail.gmail.com>
In-Reply-To: <CABkgnnXAhD_fCEhJJ0QgAzy7wGzy4t=s2xeEO5RKEHPUUuWCJg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.7.7.170905
x-originating-ip: [153.88.183.157]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <44DE26DE1B8F844D9D555F0D8CE9810D@ericsson.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/wGxxFP4S4LnRwx5wtKdQvn35Lfc>
Subject: Re: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 09:23:51 -0000

Hi,

Some things are addressed by Martin's pull request, so I will focus on the
things that are not - or are, but that I think need to be discussed on
the list.

>> Also, if the usage of the attribute is scoped to devices implementing
>>the WebRTC specification, that should be indicated.
>
>The mechanism isn't necessarily scoped to this particular usage
>domain.  I've proposed some text, but I don't think that it's
>necessary.  The use of JSON allows for many things, some of which
>might be extending this to other uses.

True. But we normally define the syntax of what goes into an attribute.

The draft defines the JSON structure when the fingerprint is used.

If someone wants to use another JSON structure I think the draft should
say that the structure and associated procedures need to be specified.


>> Q4 (Attribute definition):
>> Historically there have been problems with the definitions of new SDP
>>attributes. Especially, the manner of defining the syntax was
>>inconsistent. RFC4566 gave insufficient guidance on how to do this.
>>draft-ietf-mmusic-rfc4566bis (especially section 8.2.4.1) has provided
>>more guidance on how to do this. Please do your definitions in that
>>style. For instance:
>
>How is the definition in the IANA considerations section insufficient?

In addition to the IANA considerations, there is a template for the
section defining the attribute.

See https://tools.ietf.org/html/draft-ietf-mmusic-mux-exclusive-12#page-3
for an example.

This has been driven very much by Paul K, so I assume he can give further
guidance.


>> Q5:
>> The draft says that, at minimum, the fingerprint needs to be bound to
>>the identity.
>>
>> First, I assume this means that, for each assertion, the associated SDP
>>fingerprint attribute must be included in the offer/answer. If so,
>>please include text about that.
>
>The text says:
>
>> The identity attribute attests to all "a=fingerprint" attributes in the
>>session description. It is therefore a session-level attribute.
>>
>> Multiple "a=fingerprint" values can be used to offer alternative
>>certificates for a peer.  The
>"a=identity" attribute MUST include all fingerprint values that are
>included in
>"a=fingerprint" lines.
>
>That would seem to be sufficient for this purpose.

I think my comment was unclear, so I will try to re-phrase.

The identity attribute will obviously include fingerprints. My point was
that each of those fingerprints must also be placed in a fingerprint
attribute.

>> Second, it would be good to indicate that, in the SDP, there is no link
>>between a given assertion and the associated fingerprint.
>
>I don't know what you are looking for here.  If you are saying that
>the SDP doesn't include a pointer from a=identity to a=fingerprint, or
>vice versa, that's right.

Correct, that's what I meant. One should e.g., not assume that the first
fingerprint attribute is linked to the first attribute listed in the
identity attribute, etc.

> But - as defined - a=identity includes ALL
>a=fingerprint instances, so any pointer would be redundant.

Correct.

What if a fingerprint does exist in the identity attribute, but there is
no associated fingerprint attribute? Should it be discarded?

And, what if there is a fingerprint attribute, but the value does not
exist in the identity attribute. In this case I guess we could simply say
that the identity has not been asserted for that fingerprint.

>> Q7:
>> Section 5.6.4.2 says:
>>   "The semantics of multiple identity attributes are undefined."
>> First, I don't see the difference in having a single attribute with
>>multiple assertions, or multiple attributes with single assertions.
>>Having said that, if we only want to allow one way, I would suggest to
>>simply forbid multiple attributes.
>
>That's OK, but what is the usual policy for handling malformed
>attributes if you know the syntax of the attribute?  What handling
>should we specify here?

One suggestion would be to simply discard all Identity attributes.

>> Q8:
>> In the example in Section 5.6.4.1 the SDP fingerprint attribute is
>>included as a session-level attribute. However, it is currently only
>>defined as a media-level attribute.
>
>I can't find any evidence of this being defined as media-level.  It
>says session-level (only) in several places.

Note that in this comment I was talking about the *fingerprint* attribute
:)

Regards,

Christer
>
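
The mismatch cases raised in the message above, worked through as an added example (not code from the thread or from the draft). Assumptions: `asserted` is the fingerprint list obtained after the assertion has been validated, in an assumed {"algorithm", "digest"} shape; the SDP and digests are constructed and shortened; the handling of each case follows the suggestions in the message, not settled draft text.

```python
import re

# "a=fingerprint:<hash-func> <fingerprint>", at session or media level.
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+) (\S+)$")


def _key(algorithm, digest):
    # This example compares hash names and hex digests case-insensitively.
    return (algorithm.lower(), digest.upper())


def sdp_fingerprints(sdp):
    """Return the set of (algorithm, digest) from every a=fingerprint line."""
    found = set()
    for line in sdp.splitlines():
        m = FINGERPRINT_RE.match(line.strip())
        if m:
            found.add(_key(m.group(1), m.group(2)))
    return found


def session_identity_values(sdp):
    """Return the values of a=identity lines that precede the first m= line."""
    values = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            break
        if line.startswith("a=identity:"):
            values.append(line.split(":", 1)[1])
    return values


def check_binding(sdp, asserted):
    """Compare asserted fingerprints with a=fingerprint lines as sets.

    There is no positional link between the two, so order is ignored.
      covered    - in the SDP and vouched for by the assertion
      unasserted - in the SDP, but identity is not asserted for it
      orphaned   - vouched for, but no matching a=fingerprint line
    """
    in_sdp = sdp_fingerprints(sdp)
    identities = session_identity_values(sdp)
    if len(identities) != 1:
        # Zero: nothing to check. More than one: semantics are undefined,
        # and the suggestion in the thread is to discard all of them.
        reason = ("multiple identity attributes" if identities
                  else "no identity attribute")
        return {"identity_usable": False, "reason": reason,
                "covered": set(), "unasserted": in_sdp, "orphaned": set()}
    vouched = {_key(f["algorithm"], f["digest"]) for f in asserted}
    return {"identity_usable": True, "reason": "",
            "covered": in_sdp & vouched,
            "unasserted": in_sdp - vouched,
            "orphaned": vouched - in_sdp}


# Constructed sample: placeholder identity value, shortened digests.
SAMPLE_SDP = "\n".join([
    "v=0",
    "o=- 1 1 IN IP4 0.0.0.0",
    "s=-",
    "t=0 0",
    "a=identity:Y29uc3RydWN0ZWQ=",
    "a=fingerprint:sha-256 AA:BB:CC:01",
    "a=fingerprint:sha-1 DD:EE:FF:02",
    "m=audio 9 UDP/TLS/RTP/SAVPF 0",
    "c=IN IP4 0.0.0.0",
    "a=fingerprint:sha-256 11:22:33:03",
])

# Constructed validated contents, deliberately in a different order.
ASSERTED = [
    {"algorithm": "sha-256", "digest": "11:22:33:03"},
    {"algorithm": "sha-256", "digest": "aa:bb:cc:01"},
    {"algorithm": "sha-256", "digest": "99:99:99:04"},
]

if __name__ == "__main__":
    for name, value in check_binding(SAMPLE_SDP, ASSERTED).items():
        print(name, value)
```
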


From nobody Wed Jul 11 07:22:42 2018
Return-Path: <lennart.grahl@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77B3F130E8D for <rtcweb@ietfa.amsl.com>; Wed, 11 Jul 2018 07:22:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d8Hil-090RR7 for <rtcweb@ietfa.amsl.com>; Wed, 11 Jul 2018 07:22:38 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 347DF130E0D for <rtcweb@ietf.org>; Wed, 11 Jul 2018 07:22:38 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id s24-v6so3138010edr.8 for <rtcweb@ietf.org>; Wed, 11 Jul 2018 07:22:38 -0700 (PDT)
X-Received: by 2002:a50:9182:: with SMTP id g2-v6mr32167003eda.24.1531318956780;  Wed, 11 Jul 2018 07:22:36 -0700 (PDT)
Received: from [192.168.11.149] ([185.41.76.142]) by smtp.gmail.com with ESMTPSA id h4-v6sm5242787edq.89.2018.07.11.07.22.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Jul 2018 07:22:36 -0700 (PDT)
To: rtcweb@ietf.org
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no>
From: Lennart Grahl <lennart.grahl@gmail.com>
Openpgp: preference=signencrypt
Message-ID: <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com>
Date: Wed, 11 Jul 2018 16:22:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/3yz-oafmN39yMb2GcMySsxkAed8>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 14:22:41 -0000

On 10.07.2018 09:56, Harald Alvestrand wrote:
> Thoughts:
> 
> - If I want to find out that I'm on the same host as another context
> that I can communicate with in *any* fashion, I've got lots of games I
> can play.
> 
> Example: Measure memory pressure, allocate 1 Gbyte in one context,
> measure memory pressure again. This works for any measurement that's
> available to both contexts and relates to the whole system.
> Example: Measure the local clock's skew compared to some reference clock
> (NTP-fashion). If the skew is the same down to the nanosecond, same host
> is likely.
> Example: Allocate any resource that can only be accessed from one
> context at a time. Loop, asking for it, in the other context. Release it
> in the first context, and check the timing on when the other one gets it.
> 
> In general, anything that can potentially be used as a covert channel
> can be used more easily to figure out if we're on the same host.
> 
> My conclusion: Defending against this attack isn't worth the trouble.
> We've already lost.
> 
> - Nevertheless, we're finding that the MDNS mode has implications that
> we don't perceive fully yet.
> 
> My conclusion: This is an additional mode, not a replacement for one of
> the other modes. We should continue to specify both.

I'm treating this thread as a follow-up to the "IP handling: Using mDNS
names for host candidates" thread, so this refers to both drafts and the
PR for ip-handling (https://github.com/juberti/draughts/pull/103).

Harald, I second your conclusions. Regarding mDNS, I see potential for
the following three "intermediate" modes:

- Mode 2.a: Enumerates all addresses but only the default route's
interface addresses are exposed as host candidates. All other addresses
are hidden via mDNS.
- Mode 2.b: The mode 2 as described in ip-handling-09.
- Mode 2.c: Only expose the default route's interface addresses hidden
via mDNS.

2.a is a minor improvement but will fix issues for users who would be
able to establish a direct connection over a different route than the
default one.

2.c is a major restriction over 2.b and 2.a since it will break the
ability to establish direct connections in a corporate network.

Regarding the ip-handling document: It's probably okay to restrict the
default mode further from ip-handling-09's mode 2. FWIW, it might even
be okay to give implementations the freedom to choose any of the
available modes as their default (let's be honest, many browser vendors
have already done so anyway). But only if all use cases have access to
an adequate way to request consent to achieve mode 1 or at least 2.a.
Specifically, this should be a MUST in the ip-handling document. Because
if that is not guaranteed, some less obvious already existing use cases
(think of sharedrop.io for example) will be further discriminated and
without a TURN server can be completely broken. Not to mention the
impact on delay and throughput caused by hairpinning or even relaying.

Cheers
Lennart


From nobody Wed Jul 11 16:01:48 2018
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CB15130EAF for <rtcweb@ietfa.amsl.com>; Wed, 11 Jul 2018 16:01:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level: 
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P0pkm_vO2QVp for <rtcweb@ietfa.amsl.com>; Wed, 11 Jul 2018 16:01:43 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D856130E73 for <rtcweb@ietf.org>; Wed, 11 Jul 2018 16:01:43 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id d191-v6so452320ite.1 for <rtcweb@ietf.org>; Wed, 11 Jul 2018 16:01:43 -0700 (PDT)
X-Received: by 2002:a02:94af:: with SMTP id x44-v6mr335018jah.121.1531350101997;  Wed, 11 Jul 2018 16:01:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no> <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com>
In-Reply-To: <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Wed, 11 Jul 2018 16:01:30 -0700
Message-ID: <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
To: Lennart Grahl <lennart.grahl@gmail.com>
Cc: RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dbcac80570c13a9f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/ocbM1hsDv8CVpV6CElyqcnCZg3U>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 23:01:47 -0000

--000000000000dbcac80570c13a9f
Content-Type: text/plain; charset="UTF-8"

Thanks for the suggestions on intermediate modes. I think we're converging
on the following potential replacements for Mode 2:
2b) IPv4 mDNS + RFC 4941 IPv6
2d) mDNS of any private IPv4/IPv6  + any public v4/v6 (as determined via
STUN query)

2d) is basically your 2c), but exposing any IPs that would already be
visible to the server. This would basically give all the privacy benefits
of Mode 3 (although, unlike Mode 3, it does allow host-host connections).

Your 2a) probably makes more sense to consider as a derivative of Mode 1,
essentially a 1b), since it exposes all interfaces. I don't know if that
provides a lot of value, since Mode 1 already requires trust, but I'd be
open to arguments for this.

I think the main outstanding question is what we want the final Mode 2 to
be (2b vs 2d), and the key sub-question is whether we think there's enough
benefit in hiding private RFC 4941 addresses. However, we may need
experimental data to properly consider the tradeoffs.



On Wed, Jul 11, 2018 at 7:22 AM Lennart Grahl <lennart.grahl@gmail.com>
wrote:

> On 10.07.2018 09:56, Harald Alvestrand wrote:
> > Thoughts:
> >
> > - If I want to find out that I'm on the same host as another context
> > that I can communicate with in *any* fashion, I've got lots of games I
> > can play.
> >
> > Example: Measure memory pressure, allocate 1 Gbyte in one context,
> > measure memory pressure again. This works for any measurement that's
> > available to both contexts and relates to the whole system.
> > Example: Measure the local clock's skew compared to some reference clock
> > (NTP-fashion). If the skew is the same down to the nanosecond, same host
> > is likely.
> > Example: Allocate any resource that can only be accessed from one
> > context at a time. Loop, asking for it, in the other context. Release it
> > in the first context, and check the timing on when the other one gets it.
> >
> > In general, anything that can potentially be used as a covert channel
> > can be used more easily to figure out if we're on the same host.
> >
> > My conclusion: Defending against this attack isn't worth the trouble.
> > We've already lost.
> >
> > - Nevertheless, we're finding that the MDNS mode has implications that
> > we don't perceive fully yet.
> >
> > My conclusion: This is an additional mode, not a replacement for one of
> > the other modes. We should continue to specify both.
>
> I'm treating this thread as a follow-up to the "IP handling: Using mDNS
> names for host candidates" thread, so this refers to both drafts and the
> PR for ip-handling (https://github.com/juberti/draughts/pull/103).
>
> Harald, I second your conclusions. Regarding mDNS, I see potential for
> the following three "intermediate" modes:
>
> - Mode 2.a: Enumerates all addresses but only the default route's
> interface addresses are exposed as host candidates. All other addresses
> are hidden via mDNS.
> - Mode 2.b: The mode 2 as described in ip-handling-09.
> - Mode 2.c: Only expose the default route's interface addresses hidden
> via mDNS.
>
> 2.a is a minor improvement but will fix issues for users who would be
> able to establish a direct connection over a different route but the
> default one.
>
> 2.c is a major restriction over 2.b and 2.a. since it will break the
> ability to establish direct connections in a corporate network.
>
> Regarding the ip-handling document: It's probably okay to restrict the
> default mode further from ip-handling-09's mode 2. FWIW, it might even
> be okay to give implementations the freedom to choose any of the
> available modes as their default (let's be honest, many browser vendors
> have already done so anyway). But only if all use cases have access to
> an adequate way to request consent to achieve mode 1 or at least 2.a.
> Specifically, this should be a MUST in the ip-handling document. Because
> if that is not guaranteed, some less obvious already existing use cases
> (think of sharedrop.io for example) will be further discriminated and
> without a TURN server can be completely broken. Not to mention the
> impact on delay and throughput caused by hairpinning or even relaying.
>
> Cheers
> Lennart
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>

--000000000000dbcac80570c13a9f--
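
One reading of the proposed 2d) rule from the message above, as an added example (not code from the thread or the drafts): a local address is exposed as a host candidate only if a STUN query already reported it, and is otherwise replaced by an mDNS name. Assumptions: the random "<uuid>.local" name format, the function and class names, and the constructed addresses; Mode 1 is included only as the expose-everything baseline for comparison.

```python
import ipaddress
import uuid


class MdnsNames:
    """Keeps one stable random .local name per concealed address."""

    def __init__(self):
        self._names = {}

    def name_for(self, addr):
        if addr not in self._names:
            # Assumed name format for this example: random UUID + ".local".
            self._names[addr] = f"{uuid.uuid4()}.local"
        return self._names[addr]


def host_candidates(mode, local_addrs, stun_mapped, names):
    """Return [(candidate, hidden)] for the given local addresses.

    mode "1"  - every address is exposed as-is (baseline).
    mode "2d" - an address is exposed only if STUN already reported it,
                i.e. the server can see it anyway; all others are
                replaced by an mDNS name.
    """
    if mode not in ("1", "2d"):
        raise ValueError(f"unsupported mode: {mode}")
    # Parse first so that equivalent spellings of one address compare equal.
    visible = {ipaddress.ip_address(a) for a in stun_mapped}
    out = []
    for raw in local_addrs:
        addr = ipaddress.ip_address(raw)
        if mode == "1" or addr in visible:
            out.append((str(addr), False))
        else:
            out.append((names.name_for(addr), True))
    return out


def newly_disclosed(candidates, stun_mapped):
    """Raw addresses in the candidates that the server had not already seen."""
    visible = {ipaddress.ip_address(a) for a in stun_mapped}
    return {c for c, hidden in candidates
            if not hidden and ipaddress.ip_address(c) not in visible}


# Constructed sample: a NATed IPv4 address, a private (ULA) IPv6 address and
# a public IPv6 address from the documentation prefix.
LOCAL = ["192.168.1.10", "fd00::1", "2001:DB8::5"]
# Constructed STUN results: the NAT's external IPv4 and the same public IPv6
# address, written in a different but equivalent form.
STUN = ["203.0.113.7", "2001:db8:0:0:0:0:0:5"]

if __name__ == "__main__":
    names = MdnsNames()
    for mode in ("1", "2d"):
        cands = host_candidates(mode, LOCAL, STUN, names)
        print(mode, cands, "newly disclosed:", newly_disclosed(cands, STUN))
```
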


From nobody Thu Jul 12 05:52:41 2018
Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20E9E130E3A for <rtcweb@ietfa.amsl.com>; Thu, 12 Jul 2018 05:52:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4F_XlpBGqoHX for <rtcweb@ietfa.amsl.com>; Thu, 12 Jul 2018 05:52:36 -0700 (PDT)
Received: from mork.alvestrand.no (mork.alvestrand.no [158.38.152.117]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6951130DDE for <rtcweb@ietf.org>; Thu, 12 Jul 2018 05:52:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mork.alvestrand.no (Postfix) with ESMTP id 508887C0C4C for <rtcweb@ietf.org>; Thu, 12 Jul 2018 14:52:34 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at alvestrand.no
Received: from mork.alvestrand.no ([127.0.0.1]) by localhost (mork.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HmPNP8QYaHJc for <rtcweb@ietf.org>; Thu, 12 Jul 2018 14:52:32 +0200 (CEST)
Received: from [192.168.3.17] (unknown [188.113.75.166]) by mork.alvestrand.no (Postfix) with ESMTPSA id 783CB7C0C40 for <rtcweb@ietf.org>; Thu, 12 Jul 2018 14:52:32 +0200 (CEST)
To: rtcweb@ietf.org
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no> <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com> <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
From: Harald Alvestrand <harald@alvestrand.no>
Openpgp: preference=signencrypt
Autocrypt: addr=harald@alvestrand.no; prefer-encrypt=mutual
Message-ID: <c5ec2bed-b3f6-ece6-e5f1-698690f2d115@alvestrand.no>
Date: Thu, 12 Jul 2018 14:52:32 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/Eruur1J2v8sDBbfnv1VELHbEJVY>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 12:52:39 -0000

Den 12. juli 2018 01:01, skrev Justin Uberti:
> Thanks for the suggestions on intermediate modes. I think we're
> converging on the following potential replacements for Mode 2:
> 2b) IPv4 mDNS + RFC 4941 IPv6
> 2d) mDNS of any private IPv4/IPv6 + any public v4/v6 (as determined via
> STUN query)
> 
> 2d) is basically your 2c), but exposing any IPs that would already be
> visible to the server. This would basically give all the privacy
> benefits of Mode 3 (although, unlike Mode 3, it does allow host-host
> connections).
> 
> Your 2a) probably makes more sense to consider as a derivative of Mode
> 1, essentially a 1b), since it exposes all interfaces. I don't know if
> that provides a lot of value, since Mode 1 already requires trust, but
> I'd be open to arguments for this.
> 
> I think the main outstanding question is what we want the final Mode 2
> to be (2b vs 2d), and the key sub-question is whether we think there's
> enough benefit in hiding private RFC 4941 addresses. However, we may
> need experimental data to properly consider the tradeoffs.
> 

I must be missing something - if both endpoints hide public v4/v6
addresses using mdns (whether they are host addresses or learned via
STUN), we preclude communication outside the local mDNS domain.

Either there's a use case I haven't thought about, or this means that
only local-to-local connections can be set up.

If one endpoint reveals its public IP and the other doesn't,
communication outside the local domain will only happen if initial
packets can make it from the one who's hiding its IP to the one who isn't.

That's a *severe* restriction.

> 
> 
> On Wed, Jul 11, 2018 at 7:22 AM Lennart Grahl <lennart.grahl@gmail.com
> <mailto:lennart.grahl@gmail.com>> wrote:
> 
>     On 10.07.2018 09:56, Harald Alvestrand wrote:
>     > Thoughts:
>     >
>     > - If I want to find out that I'm on the same host as another context
>     > that I can communicate with in *any* fashion, I've got lots of games I
>     > can play.
>     >
>     > Example: Measure memory pressure, allocate 1 Gbyte in one context,
>     > measure memory pressure again. This works for any measurement that's
>     > available to both contexts and relates to the whole system.
>     > Example: Measure the local clock's skew compared to some reference
>     > clock (NTP-fashion). If the skew is the same down to the nanosecond,
>     > same host is likely.
>     > Example: Allocate any resource that can only be accessed from one
>     > context at a time. Loop, asking for it, in the other context.
>     > Release it in the first context, and check the timing on when the
>     > other one gets it.
>     >
>     > In general, anything that can potentially be used as a covert channel
>     > can be used more easily to figure out if we're on the same host.
>     >
>     > My conclusion: Defending against this attack isn't worth the trouble.
>     > We've already lost.
>     >
>     > - Nevertheless, we're finding that the MDNS mode has implications that
>     > we don't perceive fully yet.
>     >
>     > My conclusion: This is an additional mode, not a replacement for
>     > one of the other modes. We should continue to specify both.
> 
>     I'm treating this thread as a follow-up to the "IP handling: Using mDNS
>     names for host candidates" thread, so this refers to both drafts and the
>     PR for ip-handling (https://github.com/juberti/draughts/pull/103).
> 
>     Harald, I second your conclusions. Regarding mDNS, I see potential for
>     the following three "intermediate" modes:
> 
>     - Mode 2.a: Enumerates all addresses but only the default route's
>     interface addresses are exposed as host candidates. All other addresses
>     are hidden via mDNS.
>     - Mode 2.b: The mode 2 as described in ip-handling-09.
>     - Mode 2.c: Only expose the default route's interface addresses hidden
>     via mDNS.
> 
>     2.a is a minor improvement but will fix issues for users who would be
>     able to establish a direct connection over a different route but the
>     default one.
> 
>     2.c is a major restriction over 2.b and 2.a. since it will break the
>     ability to establish direct connections in a corporate network.
> 
>     Regarding the ip-handling document: It's probably okay to restrict the
>     default mode further from ip-handling-09's mode 2. FWIW, it might even
>     be okay to give implementations the freedom to choose any of the
>     available modes as their default (let's be honest, many browser vendors
>     have already done so anyway). But only if all use cases have access to
>     an adequate way to request consent to achieve mode 1 or at least 2.a.
>     Specifically, this should be a MUST in the ip-handling document. Because
>     if that is not guaranteed, some less obvious already existing use cases
>     (think of sharedrop.io <http://sharedrop.io> for example) will be
>     further discriminated and without a TURN server can be completely
>     broken. Not to mention the impact on delay and throughput caused by
>     hairpinning or even relaying.
> 
>     Cheers
>     Lennart


From nobody Thu Jul 12 08:21:34 2018
Return-Path: <youennf@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF6D7130E78 for <rtcweb@ietfa.amsl.com>; Thu, 12 Jul 2018 08:21:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W7YIT7AnrCiN for <rtcweb@ietfa.amsl.com>; Thu, 12 Jul 2018 08:21:31 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 113AD130E5F for <rtcweb@ietf.org>; Thu, 12 Jul 2018 08:21:30 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id q127-v6so21680237ljq.11 for <rtcweb@ietf.org>; Thu, 12 Jul 2018 08:21:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=J+ADCtm4TJHjBDTsBOoDkr/6QyMFQFg8fiRy/gqrXG8=; b=O/gxPlWL8QYU2DzzhRzjuLgzOvEvzq0AM9vlOnIgtUoSqkFIczziP3AHMs4wOnOx4u 6MRkCrjccQAoy1gV9UmSkWJHOBBtxhi+y5mUwdcYek+lv0plFpZL7Te8LuMfHEbMwchL 7ZvodVBexKMKK/TwDduV4PEN+cikShBCuVD991TXlt/fjlcCMwKiJ1p/M7HtlzHj9DjC XsdIW+Q83Jw+SvlpCPeRUGuFEoSF1b4upeOB+qKWDaEYFNK2rmuKrd+K6nsE3INm0Rjh 96yej2kx6ldTFTOwg3YJsZdlviRDaVqr5IvTsvbIKZldt4Vp8jSde6k6Q0frmHT0XwH9 KuBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=J+ADCtm4TJHjBDTsBOoDkr/6QyMFQFg8fiRy/gqrXG8=; b=Pox8RYF12rNwifph72qdzVMpKrIZSS7w4cUJgggh/OXEVMvxHi7zLFki7mme2ppN5R khhRIJrYpjJMFXYq6qbBrJDW6BaNdXivxVHlYcMCrn5FT+TgNr8H9KZMUeeahCL1Fo+F vhZyGM2X97kG3V3k2RRTVYG8VErpjnQrUErIStqOYPUm2iJWNdmjQlk0doHfTKxfk220 hKWD78VohJ844rwrJ74wJwlII/3Ud1HlE+JEzzRdTmOf1d65hzoZhkrZSl4vX+6cHCJP kwudXExw8zoROGe9Os2TDNFkmPMIFCdef/sOTuZXhjkqkg+ctqaRoRrG6u1Z7UdZKmy8 kE/w==
X-Gm-Message-State: AOUpUlG4IXjDBbREdEkH2XB8jF3clZVVltz+IjTdjMDhCAG7+bEjRwJ+ BLxeRZGoMz7pyeGKADJJ9StDtjJfJcm+9AR4nvQ=
X-Google-Smtp-Source: AAOMgpd8C+Gehjq92KB32zua6S2t/lEmgHwpBEtG3yPCyWJSvtqqk55k41jotNTo5wEwLYoKJabxTEe0rotQRx5qrgE=
X-Received: by 2002:a2e:6d11:: with SMTP id i17-v6mr888440ljc.116.1531408888182;  Thu, 12 Jul 2018 08:21:28 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no> <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com> <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com> <c5ec2bed-b3f6-ece6-e5f1-698690f2d115@alvestrand.no>
In-Reply-To: <c5ec2bed-b3f6-ece6-e5f1-698690f2d115@alvestrand.no>
From: youenn fablet <youennf@gmail.com>
Date: Thu, 12 Jul 2018 08:21:16 -0700
Message-ID: <CANN+akYJTw8w8iMS0pvkkWUoLyUCS5yGqemVYgm-bYSXZohm=Q@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Cc: rtcweb@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c93d620570ceeaf9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/xx3MFX99Dgt-Cvb0wCEcU3idQ1E>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 15:21:33 -0000

--000000000000c93d620570ceeaf9
Content-Type: text/plain; charset="UTF-8"

> I must be missing something - if both endpoints hide public v4/v6
> addresses using mdns (whether they are host addresses or learned via
> STUN), we preclude communication outside the local mDNS domain.
>

I do not think addresses learned via STUN are to be hidden, they are
already known from any web site.

--000000000000c93d620570ceeaf9--
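
Added example, not part of any message in this thread and not code from the drafts or from a browser: a JavaScript sketch of which gathered candidates would be replaced by mDNS names under the proposed Mode 2b ("IPv4 mDNS + RFC 4941 IPv6") and Mode 2d, and what a peer outside the local mDNS domain can still use. Assumptions of this sketch: the candidate objects, the name-N.local placeholders, the rule that a host address counts as public when a STUN query reflects it back, and that every IPv6 host address gathered is an RFC 4941 temporary address.

```javascript
// Added illustration of the Mode 2b / Mode 2d proposals discussed in the thread.
// Everything here (object shape, placeholder names, sample addresses) is constructed.

const isIPv6 = (addr) => addr.includes(":");

// Constructed sample: what one endpoint gathered locally and via STUN.
const gathered = [
  { type: "host",  address: "192.168.1.23" },         // private IPv4
  { type: "host",  address: "fd12:3456:789a::1c2d" }, // private IPv6 (assumed RFC 4941 temporary)
  { type: "host",  address: "2001:db8::5" },          // public IPv6 configured on the interface
  { type: "srflx", address: "203.0.113.7" },          // NAT's public IPv4, learned via STUN
  { type: "srflx", address: "2001:db8::5" },          // STUN reflects the host address unchanged
];

// Returns the candidates as they would be signaled under mode "2b" or "2d".
function signalCandidates(candidates, mode) {
  if (mode !== "2b" && mode !== "2d") {
    throw new Error(`unknown mode: ${mode}`);
  }
  // Assumption: an address is treated as public when a STUN query reflected it.
  const reflected = new Set(
    candidates.filter((c) => c.type === "srflx").map((c) => c.address)
  );
  let counter = 0;
  return candidates.map((c) => {
    let conceal = false;
    // Server-reflexive candidates and public host addresses are never concealed:
    // the server already sees them.
    if (c.type === "host" && !reflected.has(c.address)) {
      // 2d conceals every private host address; 2b conceals only the IPv4 ones
      // and leaves the IPv6 host addresses visible.
      conceal = mode === "2d" || !isIPv6(c.address);
    }
    return conceal
      ? { type: c.type, address: `name-${++counter}.local`, concealed: true }
      : { type: c.type, address: c.address, concealed: false };
  });
}

// mDNS names resolve only inside the local mDNS domain, so a peer elsewhere
// can pair only with the candidates that were signaled in the clear. The same
// list is what the signaling path (the web application) learns.
function reachableBy(signaled, peerOnSameLink) {
  const usable = signaled
    .filter((c) => peerOnSameLink || !c.concealed)
    .map((c) => c.address);
  return [...new Set(usable)]; // drop the srflx entry that duplicates a host address
}

const mode2b = signalCandidates(gathered, "2b");
const mode2d = signalCandidates(gathered, "2d");
console.log("2b, remote peer:", reachableBy(mode2b, false));
console.log("2d, remote peer:", reachableBy(mode2d, false));
console.log("2d, same link:  ", reachableBy(mode2d, true));
```

If public and STUN-learned addresses were concealed as well, reachableBy(..., false) would return an empty list, which is the local-to-local-only outcome raised in the thread.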


From nobody Thu Jul 12 11:55:30 2018
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFE81130DF2 for <rtcweb@ietfa.amsl.com>; Thu, 12 Jul 2018 11:55:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level: 
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y_zazZnHYV2L for <rtcweb@ietfa.amsl.com>; Thu, 12 Jul 2018 11:55:25 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59B67128BAC for <rtcweb@ietf.org>; Thu, 12 Jul 2018 11:55:25 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id 188-v6so8174329ita.5 for <rtcweb@ietf.org>; Thu, 12 Jul 2018 11:55:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2qOz7tTWovJZjLDtgrXKyr4B2l39qeVholM6ut3B2NA=; b=ovlDGPTj3L6pnY7+RQQq5QVRW5X7bAGRzOzGSBn6etXE6a4AcFv5YxiGBfi7crvUeV e2OKUYef5qwN2k6ROpd9nFVUD0yCCyOfHlCgIruYXgRWZCZd4sIxb3hOgMBpf6WH/a07 iXljBi31u4ovj0SiFG3AynV+9vhKMdSMaFi2xrQ3fFf8/puS19kIWkxL0ys9t3m+toxq X+nbei3K+qXFMttrpcDwdTQYZChnrTPTlA6YLN+UBuBQ+Co8vwqrDOn9WtERPVjGk+C3 /mNhhUdOPhAlaovWFUOGxHPVis3GirKrTS5r8NfAtr9R5IHPEBxsWP5aQx9Z1V4/8zzw xd7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2qOz7tTWovJZjLDtgrXKyr4B2l39qeVholM6ut3B2NA=; b=sVJ995muRi7aeCNdjO4daZgNpjnxt/fWHjnUV6fsW/9RqoRIFhzlrG1Ay3/izRwGEc s+xAG+6+he9fPmqP0kqlVbrX9sef5utZbpUHE9mdymzcRlGSJ9VzhBUkQHL0Ucos167U Kl0+o2kttHWOS0gw1zNnz+L22IYAK8f6UMxGWc309n6B78kXclpU9VKKJdVT/QegaGs3 xyPxilNvsPb6riCHAHImWSMH97M3ExPmrTfR1hPe2ErX8fWXBLAq/ioOgMzxjYbW27gW ejqv2gcWF9Vq9tSX9HBetj1n2yKgPT7UUgmfTqEDCJi2B/aVHZOJ5YcczEbEeR/w+3+/ /Q4w==
X-Gm-Message-State: AOUpUlFJy7uh+DxeDnlOfTLcqNNq0W04k24VlTlLMt/VjiVaogpuxdgt Xe1KFpXcTt+aKPpCSq/tSu67YH01h3JefNbqdyRvGjvtwxc=
X-Google-Smtp-Source: AAOMgpeANUGCHOGpuD53luKS8objQCrpooC2wkc9fmCxbC8T91Liox00h+EhjdkoQpzIK9jbZvSAnF/OhJyzTrC02Co=
X-Received: by 2002:a24:19d5:: with SMTP id b204-v6mr2274838itb.25.1531421724130;  Thu, 12 Jul 2018 11:55:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no> <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com> <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com> <c5ec2bed-b3f6-ece6-e5f1-698690f2d115@alvestrand.no>
In-Reply-To: <c5ec2bed-b3f6-ece6-e5f1-698690f2d115@alvestrand.no>
From: Justin Uberti <juberti@google.com>
Date: Thu, 12 Jul 2018 11:55:14 -0700
Message-ID: <CAOJ7v-3kksjwh8RF5oPzKgrnerONm1F7ua=_cK-iF28=oPxMHA@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Cc: RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000deb0060570d1e791"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/9JtFWPukdEHIXYzGy54BDklfY_k>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 18:55:29 -0000

--000000000000deb0060570d1e791
Content-Type: text/plain; charset="UTF-8"

On Thu, Jul 12, 2018 at 5:52 AM Harald Alvestrand <harald@alvestrand.no>
wrote:

> Den 12. juli 2018 01:01, skrev Justin Uberti:
> > Thanks for the suggestions on intermediate modes. I think we're
> > converging on the following potential replacements for Mode 2:
> > 2b) IPv4 mDNS + RFC 4941 IPv6
> > 2d) mDNS of any private IPv4/IPv6  + any public v4/v6 (as determined via
> > STUN query)
> >
> > 2d) is basically your 2c), but exposing any IPs that would already be
> > visible to the server. This would basically give all the privacy
> > benefits of Mode 3 (although, unlike Mode 3, it does allow host-host
> > connections).
> >
> > Your 2a) probably makes more sense to consider as a derivative of Mode
> > 1, essentially a 1b), since it exposes all interfaces. I don't know if
> > that provides a lot of value, since Mode 1 already requires trust, but
> > I'd be open to arguments for this.
> >
> > I think the main outstanding question is what we want the final Mode 2
> > to be (2b vs 2d), and the key sub-question is whether we think there's
> > enough benefit in hiding private RFC 4941 addresses. However, we may
> > need experimental data to properly consider the tradeoffs.
> >
>
> I must be missing something - if both endpoints hide public v4/v6
> addresses using mdns (whether they are host addresses or learned via
> STUN), we preclude communication outside the local mDNS domain.
>
> Either there's a use case I haven't thought about, or this means that
> only local-to-local connections can be set up.
>
> If one endpoint reveals its public IP and the other doesn't,
> communication outside the local domain will only happen if initial
> packets can make it from the one who's hiding its IP to the one who isn't.
>
> That's a *severe* restriction.
>
>
In neither case would we hide public addresses. The key distinction between
2b and 2d is that 2b does not hide *private* IPv6 addresses (e.g., NAT64
addresses) because they already have short lifetimes (unlike private IPv4s).


> >
> >
> > On Wed, Jul 11, 2018 at 7:22 AM Lennart Grahl <lennart.grahl@gmail.com
> > <mailto:lennart.grahl@gmail.com>> wrote:
> >
> >     On 10.07.2018 09:56, Harald Alvestrand wrote:
> >     > Thoughts:
> >     >
> >     > - If I want to find out that I'm on the same host as another context
> >     > that I can communicate with in *any* fashion, I've got lots of games I
> >     > can play.
> >     >
> >     > Example: Measure memory pressure, allocate 1 Gbyte in one context,
> >     > measure memory pressure again. This works for any measurement that's
> >     > available to both contexts and relates to the whole system.
> >     > Example: Measure the local clock's skew compared to some reference
> >     > clock (NTP-fashion). If the skew is the same down to the nanosecond,
> >     > same host is likely.
> >     > Example: Allocate any resource that can only be accessed from one
> >     > context at a time. Loop, asking for it, in the other context.
> >     > Release it in the first context, and check the timing on when the
> >     > other one gets it.
> >     >
> >     > In general, anything that can potentially be used as a covert channel
> >     > can be used more easily to figure out if we're on the same host.
> >     >
> >     > My conclusion: Defending against this attack isn't worth the trouble.
> >     > We've already lost.
> >     >
> >     > - Nevertheless, we're finding that the MDNS mode has implications that
> >     > we don't perceive fully yet.
> >     >
> >     > My conclusion: This is an additional mode, not a replacement for
> >     > one of the other modes. We should continue to specify both.
> >
> >     I'm treating this thread as a follow-up to the "IP handling: Using mDNS
> >     names for host candidates" thread, so this refers to both drafts and the
> >     PR for ip-handling (https://github.com/juberti/draughts/pull/103).
> >
> >     Harald, I second your conclusions. Regarding mDNS, I see potential for
> >     the following three "intermediate" modes:
> >
> >     - Mode 2.a: Enumerates all addresses but only the default route's
> >     interface addresses are exposed as host candidates. All other addresses
> >     are hidden via mDNS.
> >     - Mode 2.b: The mode 2 as described in ip-handling-09.
> >     - Mode 2.c: Only expose the default route's interface addresses hidden
> >     via mDNS.
> >
> >     2.a is a minor improvement but will fix issues for users who would be
> >     able to establish a direct connection over a different route but the
> >     default one.
> >
> >     2.c is a major restriction over 2.b and 2.a. since it will break the
> >     ability to establish direct connections in a corporate network.
> >
> >     Regarding the ip-handling document: It's probably okay to restrict the
> >     default mode further from ip-handling-09's mode 2. FWIW, it might even
> >     be okay to give implementations the freedom to choose any of the
> >     available modes as their default (let's be honest, many browser vendors
> >     have already done so anyway). But only if all use cases have access to
> >     an adequate way to request consent to achieve mode 1 or at least 2.a.
> >     Specifically, this should be a MUST in the ip-handling document. Because
> >     if that is not guaranteed, some less obvious already existing use cases
> >     (think of sharedrop.io <http://sharedrop.io> for example) will be
> >     further discriminated and without a TURN server can be completely
> >     broken. Not to mention the impact on delay and throughput caused by
> >     hairpinning or even relaying.
> >
> >     Cheers
> >     Lennart

--000000000000deb0060570d1e791
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><br><div class=3D"gmail_quote"><div dir=3D"ltr">On Thu=
, Jul 12, 2018 at 5:52 AM Harald Alvestrand &lt;<a href=3D"mailto:harald@al=
vestrand.no">harald@alvestrand.no</a>&gt; wrote:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padd=
ing-left:1ex">Den 12. juli 2018 01:01, skrev Justin Uberti:<br>
&gt; Thanks for the suggestions on intermediate modes. I think we&#39;re<br=
>
&gt; converging on the following potential replacements for Mode 2:<br>
&gt; 2b) IPv4 mDNS=C2=A0+ RFC 4941 IPv6<br>
&gt; 2d) mDNS of any private IPv4/IPv6=C2=A0 + any public v4/v6=C2=A0(as de=
termined via<br>
&gt; STUN query)<br>
&gt; <br>
&gt; 2d) is basically your 2c), but exposing any IPs that would already be<=
br>
&gt; visible to the server. This would basically give all the privacy<br>
&gt; benefits of Mode 3 (although, unlike Mode 3, it does allow host-host<b=
r>
&gt; connections).<br>
&gt; <br>
&gt; Your 2a) probably makes more sense to consider as a derivative of Mode<br>
&gt; 1, essentially a 1b), since it exposes all interfaces. I don&#39;t know if<br>
&gt; that provides a lot of value, since Mode 1 already requires trust, but<br>
&gt; I&#39;d be open to arguments for this.<br>
&gt; <br>
&gt; I think the main outstanding question is what we want the final Mode 2<br>
&gt; to be (2b vs 2d), and the key sub-question is whether we think there&#39;s<br>
&gt; enough benefit in hiding private RFC 4941 addresses. However, we may<br>
&gt; need experimental data to properly consider the tradeoffs.<br>
&gt; <br>
<br>
I must be missing something - if both endpoints hide public v4/v6<br>
addresses using mdns (whether they are host addresses or learned via<br>
STUN), we preclude communication outside the local mDNS domain.<br>
<br>
Either there&#39;s an use case I haven&#39;t thought about, or this means that<br>
only local-to-local connections can be set up.<br>
<br>
If one endpoint reveals its public IP and the other doesn&#39;t,<br>
communication outside the local domain will only happen if initial<br>
packets can make it from the one who&#39;s hiding its IP to the one who isn&#39;t.<br>
<br>
That&#39;s a *severe* restriction.<br>
<br></blockquote>
<div><br></div>
<div>In neither case would we hide public addresses. The key distinction between 2b and 2d is that 2b does not hide *private* IPv6 addresses (e.g., NAT64 addresses) because they already have short lifetimes (unlike private IPv4s).</div>
<div>&nbsp;</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
&gt; <br>
&gt; <br>
&gt; On Wed, Jul 11, 2018 at 7:22 AM Lennart Grahl &lt;<a href="mailto:lennart.grahl@gmail.com" target="_blank">lennart.grahl@gmail.com</a><br>
&gt; &lt;mailto:<a href="mailto:lennart.grahl@gmail.com" target="_blank">lennart.grahl@gmail.com</a>&gt;&gt; wrote:<br>
&gt; <br>
&gt;&nbsp; &nbsp; &nbsp;On 10.07.2018 09:56, Harald Alvestrand wrote:<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; Thoughts:<br>
&gt;&nbsp; &nbsp; &nbsp;&gt;<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; - If I want to find out that I&#39;m on the same host as another context<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; that I can communicate with in *any* fashion, I&#39;ve got lots of games I<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; can play.<br>
&gt;&nbsp; &nbsp; &nbsp;&gt;<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; Example: Measure memory pressure, allocate 1 Gbyte in one context,<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; measure memory pressure again. This works for any measurement that&#39;s<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; available to both contexts and relates to the whole system.<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; Example: Measure the local clock&#39;s skew compared to some reference clock<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; (NTP-fashion). If the skew is the same down to the nanosecond, same host<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; is likely.<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; Example: Allocate any resource that can only be accessed from one<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; context at a time. Loop, asking for it, in the other context. Release it<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; in the first context, and check the timing on when the other one gets it.<br>
&gt;&nbsp; &nbsp; &nbsp;&gt;<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; In general, anything that can potentially be used as a covert channel<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; can be used more easily to figure out if we&#39;re on the same host.<br>
&gt;&nbsp; &nbsp; &nbsp;&gt;<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; My conclusion: Defending against this attack isn&#39;t worth the trouble.<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; We&#39;ve already lost.<br>
&gt;&nbsp; &nbsp; &nbsp;&gt;<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; - Nevertheless, we&#39;re finding that the MDNS mode has implications that<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; we don&#39;t perceive fully yet.<br>
&gt;&nbsp; &nbsp; &nbsp;&gt;<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; My conclusion: This is an additional mode, not a replacement for one of<br>
&gt;&nbsp; &nbsp; &nbsp;&gt; the other modes. We should continue to specify both.<br>
&gt; <br>
&gt;&nbsp; &nbsp; &nbsp;I&#39;m treating this thread as a follow-up to the &quot;IP handling: Using mDNS<br>
&gt;&nbsp; &nbsp; &nbsp;names for host candidates&quot; thread, so this refers to both drafts and the<br>
&gt;&nbsp; &nbsp; &nbsp;PR for ip-handling (<a href="https://github.com/juberti/draughts/pull/103" rel="noreferrer" target="_blank">https://github.com/juberti/draughts/pull/103</a>).<br>
&gt; <br>
&gt;&nbsp; &nbsp; &nbsp;Harald, I second your conclusions. Regarding mDNS, I see potential for<br>
&gt;&nbsp; &nbsp; &nbsp;the following three &quot;intermediate&quot; modes:<br>
&gt; <br>
&gt;&nbsp; &nbsp; &nbsp;- Mode 2.a: Enumerates all addresses but only the default route&#39;s<br>
&gt;&nbsp; &nbsp; &nbsp;interface addresses are exposed as host candidates. All other addresses<br>
&gt;&nbsp; &nbsp; &nbsp;are hidden via mDNS.<br>
&gt;&nbsp; &nbsp; &nbsp;- Mode 2.b: The mode 2 as described in ip-handling-09.<br>
&gt;&nbsp; &nbsp; &nbsp;- Mode 2.c: Only expose the default route&#39;s interface addresses hidden<br>
&gt;&nbsp; &nbsp; &nbsp;via mDNS.<br>
&gt; <br>
&gt;&nbsp; &nbsp; &nbsp;2.a is a minor improvement but will fix issues for users who would be<br>
&gt;&nbsp; &nbsp; &nbsp;able to establish a direct connection over a different route but the<br>
&gt;&nbsp; &nbsp; &nbsp;default one.<br>
&gt; <br>
&gt;&nbsp; &nbsp; &nbsp;2.c is a major restriction over 2.b and 2.a. since it will break the<br>
&gt;&nbsp; &nbsp; &nbsp;ability to establish direct connections in a corporate network.<br>
&gt; <br>
&gt;&nbsp; &nbsp; &nbsp;Regarding the ip-handling document: It&#39;s probably okay to restrict the<br>
&gt;&nbsp; &nbsp; &nbsp;default mode further from ip-handling-09&#39;s mode 2. FWIW, it might even<br>
&gt;&nbsp; &nbsp; &nbsp;be okay to give implementations the freedom to choose any of the<br>
&gt;&nbsp; &nbsp; &nbsp;available modes as their default (let&#39;s be honest, many browser vendors<br>
&gt;&nbsp; &nbsp; &nbsp;have already done so anyway). But only if all use cases have access to<br>
&gt;&nbsp; &nbsp; &nbsp;an adequate way to request consent to achieve mode 1 or at least 2.a.<br>
&gt;&nbsp; &nbsp; &nbsp;Specifically, this should be a MUST in the ip-handling document. Because<br>
&gt;&nbsp; &nbsp; &nbsp;if that is not guaranteed, some less obvious already existing use cases<br>
&gt;&nbsp; &nbsp; &nbsp;(think of <a href="http://sharedrop.io" rel="noreferrer" target="_blank">sharedrop.io</a> &lt;<a href="http://sharedrop.io" rel="noreferrer" target="_blank">http://sharedrop.io</a>&gt; for example) will be<br>
&gt;&nbsp; &nbsp; &nbsp;further discriminated and<br>
&gt;&nbsp; &nbsp; &nbsp;without a TURN server can be completely broken. Not to mention the<br>
&gt;&nbsp; &nbsp; &nbsp;impact on delay and throughput caused by hairpinning or even relaying.<br>
&gt; <br>
&gt;&nbsp; &nbsp; &nbsp;Cheers<br>
&gt;&nbsp; &nbsp; &nbsp;Lennart<br>
&gt; <br>
&gt;&nbsp; &nbsp; &nbsp;_______________________________________________<br>
&gt;&nbsp; &nbsp; &nbsp;rtcweb mailing list<br>
&gt;&nbsp; &nbsp; &nbsp;<a href="mailto:rtcweb@ietf.org" target="_blank">rtcweb@ietf.org</a> &lt;mailto:<a href="mailto:rtcweb@ietf.org" target="_blank">rtcweb@ietf.org</a>&gt;<br>
&gt;&nbsp; &nbsp; &nbsp;<a href="https://www.ietf.org/mailman/listinfo/rtcweb" rel="noreferrer" target="_blank">https://www.ietf.org/mailman/listinfo/rtcweb</a><br>
&gt; <br>
&gt; <br>
&gt; <br>
</blockquote></div></div>

--000000000000deb0060570d1e791--


From manuel.kasper@threema.ch  Tue Jul 17 04:27:15 2018
From: Manuel Kasper <manuel.kasper@threema.ch>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Tue, 17 Jul 2018 13:27:08 +0200
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no> <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com> <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
To: rtcweb@ietf.org
In-Reply-To: <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
Message-Id: <B61EE161-5F15-4859-A2D6-270BE4121E3E@threema.ch>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/VfdbebY28U1H8JiVMPBCwLKmeXQ>
Subject: Re: [rtcweb] Security implications of host candidates

Disclosure: I work for Threema GmbH, whose main product is the "Threema"
messenger (threema.ch), and would like to provide our view of the
consequences of this proposal.

We use WebRTC data channels for our web client to establish a connection
between the app on a smartphone and a browser on a desktop/laptop. Most
of the time, the person who is using the web client connects to the same
network with both devices.

The ability to send data (messages, audio, video, files, images) from
and to the app without relaying it via a server is the main reason why
we use WebRTC.

We have around 5 million users, and a significant portion of them use
our enterprise product in corporate networks. Some of them will have
IPv6 disabled, and our experience also shows that NAT loopback support
is scarcer than one might think.

Because of that, I think the current proposal is a threat for our use
case and would severely impact our users' experience. We are definitely
on privacy's side (it is in fact our main focus along with end-to-end
encryption), but at present we don't have an appropriate way to request
consent from the user. Unless that is ensured by this document, the
default mode should not be weakened.

- Manuel


> On 12 Jul 2018, at 01:01, Justin Uberti <juberti@google.com> wrote:
>
> Thanks for the suggestions on intermediate modes. I think we're converging
> on the following potential replacements for Mode 2:
> 2b) IPv4 mDNS + RFC 4941 IPv6
> 2d) mDNS of any private IPv4/IPv6  + any public v4/v6 (as determined via
> STUN query)
>
> 2d) is basically your 2c), but exposing any IPs that would already be
> visible to the server. This would basically give all the privacy benefits
> of Mode 3 (although, unlike Mode 3, it does allow host-host connections).
>
> Your 2a) probably makes more sense to consider as a derivative of Mode 1,
> essentially a 1b), since it exposes all interfaces. I don't know if that
> provides a lot of value, since Mode 1 already requires trust, but I'd be
> open to arguments for this.
>
> I think the main outstanding question is what we want the final Mode 2 to
> be (2b vs 2d), and the key sub-question is whether we think there's enough
> benefit in hiding private RFC 4941 addresses. However, we may need
> experimental data to properly consider the tradeoffs.
>
>




From nobody Tue Jul 17 07:33:17 2018
From: Nils Ohlmeier <nohlmeier@mozilla.com>
Message-Id: <4712E24B-907F-40B3-A7E7-8FCBF46F6BC4@mozilla.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_8B39836B-7F53-41ED-82B5-19AD3ED6B685"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 17 Jul 2018 10:33:09 -0400
In-Reply-To: <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
Cc: Lennart Grahl <lennart.grahl@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>
To: Justin Uberti <juberti=40google.com@dmarc.ietf.org>
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no> <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com> <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/eVNdv4sWTDnNvsn4G_sMn2n0iDA>
Subject: Re: [rtcweb] Security implications of host candidates

--Apple-Mail=_8B39836B-7F53-41ED-82B5-19AD3ED6B685
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_97F00D16-A91C-4282-9D46-4E0AF19A473C"


--Apple-Mail=_97F00D16-A91C-4282-9D46-4E0AF19A473C
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii


> On Jul 11, 2018, at 19:01, Justin Uberti
> <juberti=40google.com@dmarc.ietf.org> wrote:
>
> Thanks for the suggestions on intermediate modes. I think we're
> converging on the following potential replacements for Mode 2:
> 2b) IPv4 mDNS + RFC 4941 IPv6
> 2d) mDNS of any private IPv4/IPv6  + any public v4/v6 (as determined
> via STUN query)

Can you please explain what do you consider as a private IPv6 vs a
public IPv6 address?

Thanks
  Nils Ohlmeier


--Apple-Mail=_97F00D16-A91C-4282-9D46-4E0AF19A473C--

--Apple-Mail=_8B39836B-7F53-41ED-82B5-19AD3ED6B685--


From nobody Tue Jul 17 09:05:01 2018
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no> <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com> <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com> <4712E24B-907F-40B3-A7E7-8FCBF46F6BC4@mozilla.com>
In-Reply-To: <4712E24B-907F-40B3-A7E7-8FCBF46F6BC4@mozilla.com>
From: Justin Uberti <juberti@google.com>
Date: Tue, 17 Jul 2018 09:04:42 -0700
Message-ID: <CAOJ7v-0o0mF+181c6X+9P2kd4NtZUEJcYnRcdt4F7_1Bzh6GsA@mail.gmail.com>
To: Nils Ohlmeier <nohlmeier@mozilla.com>
Cc: Lennart Grahl <lennart.grahl@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/related; boundary="00000000000056227e0571341bad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/MqKyJF5Ev5oNG2DdghubyI4VPGE>
Subject: Re: [rtcweb] Security implications of host candidates

--00000000000056227e0571341bad
Content-Type: multipart/alternative; boundary="00000000000056227d0571341bac"

--00000000000056227d0571341bac
Content-Type: text/plain; charset="UTF-8"

Private IPv6 would be one behind NAT, e.g. NAT64. The IPv6 is not exposed
to the outside world.

[image: image.png]


On Tue, Jul 17, 2018 at 7:33 AM Nils Ohlmeier <nohlmeier@mozilla.com> wrote:

>
> On Jul 11, 2018, at 19:01, Justin Uberti <
> juberti=40google.com@dmarc.ietf.org> wrote:
>
> Thanks for the suggestions on intermediate modes. I think we're converging
> on the following potential replacements for Mode 2:
> 2b) IPv4 mDNS + RFC 4941 IPv6
> 2d) mDNS of any private IPv4/IPv6  + any public v4/v6 (as determined via
> STUN query)
>
>
> Can you please explain what do you consider as a private IPv6 vs a public
> IPv6 address?
>
> Thanks
>   Nils Ohlmeier
>
>

--00000000000056227d0571341bac--

--00000000000056227e0571341bad--
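
The 2b versus 2d distinction discussed in the messages above, worked through as an added example that is not part of the thread, the ip-handling draft or any browser's code. The field names (`family`, `rfc4941`), the sample addresses, and the choice to hide non-temporary private IPv6 under 2b are assumptions of this example; "public" is taken, as in the thread, to mean an address the STUN server reports back unchanged.

```javascript
// Added illustration of the proposed Mode 2 variants (2b and 2d).
// Not code from the ip-handling draft or from any browser.

// Constructed sample: local interface addresses from documentation ranges.
// `rfc4941` marks an IPv6 temporary address (field names are assumptions).
const SAMPLE_LOCAL = [
  { ip: '192.168.1.23',      family: 4, rfc4941: false }, // private IPv4 behind NAT
  { ip: '2001:db8:a::5c1f',  family: 6, rfc4941: true  }, // temporary, seen unchanged by STUN
  { ip: '2001:db8:64::9e2b', family: 6, rfc4941: true  }, // temporary, behind NAT64
];

// Constructed sample: addresses the STUN server reported (server-reflexive).
const SAMPLE_STUN = ['198.51.100.7', '2001:db8:a::5c1f', '203.0.113.50'];

// "Public" in the thread's sense: the server already sees this exact address.
// Compares lowercase text; real code should canonicalise IPv6 first.
function isPublic(addr, stunMapped) {
  return stunMapped.has(addr.ip.toLowerCase());
}

// May this local address appear verbatim in a host candidate?
function isExposed(mode, addr, stunMapped) {
  if (mode !== '2b' && mode !== '2d') throw new Error(`unknown mode: ${mode}`);
  // Neither variant hides an address the server can already observe.
  if (isPublic(addr, stunMapped)) return true;
  // 2b: private RFC 4941 IPv6 stays visible (short lifetime); IPv4 is hidden.
  // Assumption: non-temporary private IPv6 is hidden like IPv4.
  if (mode === '2b') return addr.family === 6 && addr.rfc4941;
  // 2d: every private address, IPv4 or IPv6, is hidden behind mDNS.
  return false;
}

// One random "<uuid>.local" name per hidden address, stable for the session.
// The generator is injectable so the mapping can be tested deterministically.
function makeMdnsNamer(uuid = () => globalThis.crypto.randomUUID()) {
  const names = new Map();
  return (ip) => {
    if (!names.has(ip)) names.set(ip, `${uuid()}.local`);
    return names.get(ip);
  };
}

// Build what would be advertised in host candidates for a given mode.
function hostCandidates(mode, localAddrs, stunList, namer = makeMdnsNamer()) {
  const stunMapped = new Set(stunList.map((s) => s.toLowerCase()));
  return localAddrs.map((addr) => {
    const exposed = isExposed(mode, addr, stunMapped);
    return {
      ip: addr.ip,
      hidden: !exposed,
      advertised: exposed ? addr.ip : namer(addr.ip),
    };
  });
}

// Addresses whose treatment differs between 2b and 2d: exactly the set the
// working group would need to weigh when choosing between the two.
function modeDifferences(localAddrs, stunList) {
  const stunMapped = new Set(stunList.map((s) => s.toLowerCase()));
  return localAddrs
    .filter((a) => isExposed('2b', a, stunMapped) !== isExposed('2d', a, stunMapped))
    .map((a) => a.ip);
}

console.log(modeDifferences(SAMPLE_LOCAL, SAMPLE_STUN));
```

On the sample input the only address treated differently is the temporary IPv6 address behind NAT64, which 2b advertises and 2d replaces with an mDNS name.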


From nobody Tue Jul 17 12:37:27 2018
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: rtcweb@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.82.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: rtcweb@ietf.org
Message-ID: <153185624059.12752.17683077424540699209@ietfa.amsl.com>
Date: Tue, 17 Jul 2018 12:37:20 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/mNgFeltT5hpNAgd7aWiQ3JMLtwI>
Subject: [rtcweb] I-D Action: draft-ietf-rtcweb-security-arch-15.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Real-Time Communication in WEB-browsers WG of the IETF.

        Title           : WebRTC Security Architecture
        Author          : Eric Rescorla
        Filename        : draft-ietf-rtcweb-security-arch-15.txt
        Pages           : 40
        Date            : 2018-07-17

Abstract:
   This document defines the security architecture for WebRTC, a
   protocol suite intended for use with real-time applications that can
   be deployed in browsers - "real time communication on the Web".


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security-arch/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-15
https://datatracker.ietf.org/doc/html/draft-ietf-rtcweb-security-arch-15

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-rtcweb-security-arch-15


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Tue Jul 17 13:46:40 2018
Return-Path: <pthatcher@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A02FD130E13 for <rtcweb@ietfa.amsl.com>; Tue, 17 Jul 2018 13:46:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level: 
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pW6gmVEQABfp for <rtcweb@ietfa.amsl.com>; Tue, 17 Jul 2018 13:46:35 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06808130E5A for <rtcweb@ietf.org>; Tue, 17 Jul 2018 13:46:34 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id t6-v6so2491522wrn.7 for <rtcweb@ietf.org>; Tue, 17 Jul 2018 13:46:33 -0700 (PDT)
X-Received: by 2002:adf:ffc7:: with SMTP id x7-v6mr2510728wrs.137.1531860392218;  Tue, 17 Jul 2018 13:46:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com>
In-Reply-To: <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com>
From: Peter Thatcher <pthatcher@google.com>
Date: Tue, 17 Jul 2018 13:46:20 -0700
Message-ID: <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com>
To: youenn fablet <youennf@gmail.com>
Cc: Justin Uberti <juberti=40google.com@dmarc.ietf.org>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000867c210571380a1d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/NG2diLiNKqWHdyx-TyjUFiPkJHY>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 20:46:39 -0000

--000000000000867c210571380a1d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Where is the right place to comment on draft-mdns-ice-candidates?

I looked at it from an ICE WG perspective, and it seems to be that since
(in RFC 5245), the candidate address can be a FQDN (section 15.1) you don't
need the special steps you have in section 3.2, because a .local address is
a FQDN (isn't it?).  I think the only novel thing would be to perhaps make
it clear that mDNS should be used for the name resolution.

On Fri, Jun 29, 2018 at 6:07 PM youenn fablet <youennf@gmail.com> wrote:

> A draft describing the Safari/WebKit approach is available at
> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>
> Eric, can you precise the kind of information you would like to have?
> Some testing has been done to validate the approach but I do not think
> this is representative of the actual state of the affair. Safari/WebKit is
> not gathering any related statistic.
>
>    Y
>
> On Fri, Jun 29, 2018 at 11:10, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>
>> I believe such data will be forthcoming from the Safari team. We are also
>> working on this.
>>
>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>> It seems like this is something one could A/B test and measure
>>> connection rates. Has someone done so?
>>>
>>> -Ekr
>>>

--000000000000867c210571380a1d--


From nobody Tue Jul 17 13:58:50 2018
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F7E8130DD2 for <rtcweb@ietfa.amsl.com>; Tue, 17 Jul 2018 13:58:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EtgvFjnRyrgL for <rtcweb@ietfa.amsl.com>; Tue, 17 Jul 2018 13:58:47 -0700 (PDT)
Received: from mail-vk0-x235.google.com (mail-vk0-x235.google.com [IPv6:2607:f8b0:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21638129C6B for <rtcweb@ietf.org>; Tue, 17 Jul 2018 13:58:47 -0700 (PDT)
Received: by mail-vk0-x235.google.com with SMTP id y9-v6so1350192vky.3 for <rtcweb@ietf.org>; Tue, 17 Jul 2018 13:58:47 -0700 (PDT)
X-Received: by 2002:a1f:dc85:: with SMTP id t127-v6mr1974254vkg.120.1531861125947;  Tue, 17 Jul 2018 13:58:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com>
In-Reply-To: <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Tue, 17 Jul 2018 16:58:35 -0400
Message-ID: <CAOW+2dukCCyKKwYyvwKuemg-w4VnJr2HTJhX7e=Uq_omf1uawg@mail.gmail.com>
To: Peter Thatcher <pthatcher=40google.com@dmarc.ietf.org>
Cc: Justin Uberti <juberti=40google.com@dmarc.ietf.org>, RTCWeb IETF <rtcweb@ietf.org>, youenn fablet <youennf@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000041e4870571383654"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/DKqW8Dfm1Bb_8VOurLYBtqBqqvw>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 20:58:50 -0000

--00000000000041e4870571383654
Content-Type: text/plain; charset="UTF-8"

Tue, Jul 17, 2018 at 16:46 Peter said:

> Where is the right place to comment on draft-mdns-ice-candidates?
>
> I looked at it from an ICE WG perspective, and it seems to be that since
> (in RFC 5245), the candidate address can be a FQDN (section 15.1) you don't
> need the special steps you have in section 3.2, because a .local address is
> a FQDN (isn't it?).  I think the only novel thing would be to perhaps make
> it clear that mDNS should be used for the name resolution.

[BA] Using mDNS for resolution does introduce potential failure modes. For
example, in a multi-subnet enterprise network using private addresses,
10.1.1.1/24 and 10.2.1.1/24 could connect via a router whereas mDNS
resolution will fail in the absence of proxies. Whether this matters in
practice depends on the topologies where data channel applications are
deployed.


--00000000000041e4870571383654--


From nobody Tue Jul 17 15:11:21 2018
Return-Path: <ted.ietf@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D74C13104D for <rtcweb@ietfa.amsl.com>; Tue, 17 Jul 2018 15:11:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzWly-4soTcJ for <rtcweb@ietfa.amsl.com>; Tue, 17 Jul 2018 15:11:04 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA907131031 for <rtcweb@ietf.org>; Tue, 17 Jul 2018 15:11:03 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id k81-v6so5005179oib.4 for <rtcweb@ietf.org>; Tue, 17 Jul 2018 15:11:03 -0700 (PDT)
X-Received: by 2002:aca:4782:: with SMTP id u124-v6mr3855122oia.45.1531865463081;  Tue, 17 Jul 2018 15:11:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:66d9:0:0:0:0:0 with HTTP; Tue, 17 Jul 2018 15:10:32 -0700 (PDT)
In-Reply-To: <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com>
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Tue, 17 Jul 2018 18:10:32 -0400
Message-ID: <CA+9kkMA41=kWQJLj8x=3D8OpbouqfvMUkVgPb=+cboXco3Sxrg@mail.gmail.com>
To: Peter Thatcher <pthatcher=40google.com@dmarc.ietf.org>
Cc: youenn fablet <youennf@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>,  Justin Uberti <juberti=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c5514a0571393843"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/vF2-GNYVOavO3L8yiRIy5IRkBvw>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 22:11:19 -0000

--000000000000c5514a0571393843
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, Jul 17, 2018 at 4:46 PM, Peter Thatcher <
pthatcher=40google.com@dmarc.ietf.org> wrote:

> Where is the right place to comment on draft-mdns-ice-candidates?
>


> I looked at it from an ICE WG perspective, and it seems to be that since
> (in RFC 5245), the candidate address can be a FQDN (section 15.1) you don't
> need the special steps you have in section 3.2, because a .local address is
> a FQDN (isn't it?).
>

The use of a .local signals that this is a special use name within the
context of multicast DNS (RFC 6762).  One key difference there is that the
uniqueness of a standard DNS name is derived from the hierarchical
delegation of the DNS.  Uniqueness in mDNS is achieved using a local probe
and announce method.  As Harald pointed out in the room, there are some
latency consequences to that; those might be avoided by generating probable
uniqueness in names via the UUID mechanism, but that still needs to be
worked out.  That, I think, means the work in 3.1 is definitely needed.


> I think the only novel thing would be to perhaps make it clear that mDNS
> should be used for the name resolution.
>
>
You might treat the special steps as redundant (since .local should signal
mDNS), but I personally think it is helpful, because it discourages
coalescing with standard DNS responses (which is permitted by 6762).

Just my personal opinion.

Ted





> On Fri, Jun 29, 2018 at 6:07 PM youenn fablet <youennf@gmail.com> wrote:
>
>> A draft describing the Safari/WebKit approach is available at
>> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>>
>> Eric, can you precise the kind of information you would like to have?
>> Some testing has been done to validate the approach but I do not think
>> this is representative of the actual state of the affair. Safari/WebKit is
>> not gathering any related statistic.
>>
>>    Y
>>
>> On Fri, Jun 29, 2018 at 11:10, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>>
>>> I believe such data will be forthcoming from the Safari team. We are
>>> also working on this.
>>>
>>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>> It seems like this is something one could A/B test and measure
>>>> connection rates. Has someone done so?
>>>>
>>>> -Ekr
>>>>

--000000000000c5514a0571393843--
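
The resolver choice argued over in the messages above (an RFC 5245 candidate address may be a FQDN, but a .local name signals mDNS and should not be coalesced with standard DNS answers), as an added example that is not part of any message or of the draft. The function names, the constructed SDP lines and the UUID-shaped host name are assumptions made for illustration.

```javascript
// Added example: classify the connection-address of each ICE candidate and
// decide which resolver, if any, may be used for it. Policy modelled here
// (an assumption drawn from the thread, not the draft's normative text):
//   IP literal  -> no resolution needed
//   *.local     -> multicast DNS only, never the unicast DNS resolver
//   other names -> ordinary DNS, as RFC 5245 section 15.1 allows a FQDN

// One UUID v4 label under .local, the "UUID mechanism" mentioned above.
const UUID_LOCAL =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\.local$/;
const OCTET = '(25[0-5]|2[0-4]\\d|1?\\d?\\d)';
const IPV4 = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);

// Parse the fixed leading fields of a candidate attribute
// (foundation, component, transport, priority, address, port, type).
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/
    .exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3],
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
  };
}

// RFC 1918 ranges, such as the 10.x addresses in the multi-subnet example.
function isPrivateIPv4(addr) {
  const [a, b] = addr.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function classifyAddress(address) {
  // Host names cannot contain ':', so a colon means an IPv6 literal.
  if (address.includes(':')) return { kind: 'ipv6', resolver: 'none', generatedName: false };
  if (IPV4.test(address)) return { kind: 'ipv4', resolver: 'none', generatedName: false };
  // Normalise case and a trailing root dot before testing the suffix.
  const name = address.toLowerCase().replace(/\.$/, '');
  if (name === 'local' || name.endsWith('.local')) {
    return { kind: 'mdns', resolver: 'mdns', generatedName: UUID_LOCAL.test(name) };
  }
  return { kind: 'fqdn', resolver: 'dns', generatedName: false };
}

// Walk an SDP blob and report, per candidate, the resolver to use and
// whether a host candidate carries a private IPv4 address in the clear.
function auditCandidates(sdp) {
  const findings = [];
  for (const line of sdp.split(/\r?\n/)) {
    const cand = parseCandidate(line);
    if (!cand) continue; // not a candidate attribute
    const cls = classifyAddress(cand.address);
    findings.push({
      address: cand.address,
      type: cand.type,
      ...cls,
      exposesPrivateIp:
        cand.type === 'host' && cls.kind === 'ipv4' && isPrivateIPv4(cand.address),
    });
  }
  return findings;
}

// Constructed sample input; none of these lines come from a real session.
const SAMPLE_SDP = [
  'a=ice-ufrag:constructed',
  'a=candidate:1 1 udp 2122260223 10.1.1.1 54321 typ host',
  'a=candidate:2 1 udp 2122260223 3d7f1f2a-6c1e-4b8e-9a54-0c2b7e5d1a90.local 54322 typ host',
  'a=candidate:3 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0',
  'a=candidate:4 1 udp 2122260223 media.example.com 54323 typ host',
].join('\r\n');

for (const f of auditCandidates(SAMPLE_SDP)) {
  console.log(`${f.type} ${f.address}: resolver=${f.resolver}` +
    (f.exposesPrivateIp ? ' (private IP exposed)' : ''));
}
```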


From nobody Wed Jul 18 07:18:10 2018
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94878130DFF for <rtcweb@ietfa.amsl.com>; Wed, 18 Jul 2018 07:18:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level: 
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LnyQgjt0U5dY for <rtcweb@ietfa.amsl.com>; Wed, 18 Jul 2018 07:18:05 -0700 (PDT)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92AA7130E14 for <rtcweb@ietf.org>; Wed, 18 Jul 2018 07:18:05 -0700 (PDT)
Received: by mail-io0-x234.google.com with SMTP id k4-v6so4224235iob.3 for <rtcweb@ietf.org>; Wed, 18 Jul 2018 07:18:05 -0700 (PDT)
X-Received: by 2002:a6b:4c5:: with SMTP id 188-v6mr5422824ioe.32.1531923484377;  Wed, 18 Jul 2018 07:18:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com> <CA+9kkMA41=kWQJLj8x=3D8OpbouqfvMUkVgPb=+cboXco3Sxrg@mail.gmail.com>
In-Reply-To: <CA+9kkMA41=kWQJLj8x=3D8OpbouqfvMUkVgPb=+cboXco3Sxrg@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Wed, 18 Jul 2018 07:17:54 -0700
Message-ID: <CAOJ7v-0A9twfPgfVOOLM-Wko3UYYky_EanM5GM1PGiXSyJex5A@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Peter Thatcher <pthatcher@google.com>, youenn fablet <youennf@gmail.com>,  RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001c95cc057146bb43"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/tecpqJaaIrSDXobXi3r03dgj1ZI>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 14:18:09 -0000

--0000000000001c95cc057146bb43
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Yeah, I think we just need to emphasize that the FQDN can be a mDNS name.
Here's my current suggestion for updates to S 4.1 in ice-sip-sdp
<https://tools.ietf.org/html/draft-ietf-mmusic-ice-sip-sdp-21#section-4.1>:


> <connection-address>:  is taken from RFC 4566 [RFC4566].  It is the
> IP address of the candidate.  When parsing this field, an agent
> can differentiate an IPv4 address and an IPv6 address by presence
> of a colon in its value -- the presence of a colon indicates IPv6.
> An agent MUST ignore candidate lines that include candidates with
> IP address versions that are not supported or recognized.  An IP
> address SHOULD be used, but an FQDN (including a mDNS [RFC6762] name)
> MAY be used in place of an IP address.
>
> In the case of receiving a candidate containing a FQDN, the hostname is
> looked up via DNS or mDNS as appropriate, first using an AAAA record
> (assuming the agent supports IPv6), and if no result is found or the
> agent only supports IPv4, using an A record.




On Tue, Jul 17, 2018 at 3:11 PM Ted Hardie <ted.ietf@gmail.com> wrote:

> On Tue, Jul 17, 2018 at 4:46 PM, Peter Thatcher <pthatcher=40google.com@dmarc.ietf.org> wrote:
>
>> Where is the right place to comment on draft-mdns-ice-candidates?
>>
>
>
>> I looked at it from an ICE WG perspective, and it seems to be that since
>> (in RFC 5245), the candidate address can be a FQDN (section 15.1) you don't
>> need the special steps you have in section 3.2, because a .local address is
>> a FQDN (isn't it?).
>>
>
> The use of a .local signals that this is a special use name within the
> context of multicast DNS (RFC 6762).  One key difference there is that the
> uniqueness of a standard DNS name is derived from the hierarchical
> delegation of the DNS.  Uniqueness in MDNS is achieved using a local probe
> and announce method.  As Harald pointed out in the room, there are some
> latency consequences to that; those might be avoided by generating probable
> uniqueness in names via the UUID mechanism, but that still needs to be
> worked out.  That, I think means the work in 3.1 is definitely needed.
>
>
>> I think the only novel thing would be to perhaps make it clear that mDNS
>> should be used for the name resolution.
>>
>>
> You might treat the special steps as redundant (since .local should signal
> mDNS), but I personally think it is helpful, because it discourages
> coalescing with standard DNS responses (which is permitted by 6762).
>
> Just my personal opinion.
>
> Ted
>
>
>
>
>
>> On Fri, Jun 29, 2018 at 6:07 PM youenn fablet <youennf@gmail.com> wrote:
>>
>>> A draft describing the Safari/WebKit approach is available at
>>> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>>>
>>> Eric, can you precise the kind of information you would like to have?
>>> Some testing has been done to validate the approach but I do not think
>>> this is representative of the actual state of the affair. Safari/WebKit is
>>> not gathering any related statistic.
>>>
>>>    Y
>>>
>>> On Fri, Jun 29, 2018 at 11:10, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>>>
>>>> I believe such data will be forthcoming from the Safari team. We are
>>>> also working on this.
>>>>
>>>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>
>>>>> It seems like this is something one could A/B test and measure
>>>>> connection rates. Has someone done so?
>>>>>
>>>>> -Ekr
>>>>>
>>>> _______________________________________________
>>> rtcweb mailing list
>>> rtcweb@ietf.org
>>> https://www.ietf.org/mailman/listinfo/rtcweb
>>>
>>
>

--0000000000001c95cc057146bb43--
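
The parsing and lookup rules in the proposed S 4.1 text above, sketched as an added example; it is not code from the thread, the drafts, or any browser. The function names are hypothetical and the candidate lines are constructed. Two choices are assumptions of this sketch: a name whose last label is "local" is resolved only via mDNS (following the thread's point that .local should signal mDNS), and names with fewer than two labels or an all-numeric last label are ignored rather than looked up.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# One DNS label: letters, digits and hyphens, 1-63 chars, no hyphen at either end.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample lines (documentation addresses, made-up UUID-style name).
SAMPLE_CANDIDATES = [
    "a=candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host",
    "a=candidate:2 1 udp 2122194687 2001:db8::10 54322 typ host",
    "a=candidate:3 1 udp 2122129151 3f0c2a6e-7d41-4b8e-9a55-1c2d3e4f5a6b.local 54323 typ host",
    "a=candidate:4 1 udp 41885439 turn.example.net 3478 typ relay raddr 192.0.2.1 rport 50000",
    "a=candidate:5 1 udp 2122063615 999.1.1.1 54324 typ host",
]


class Plan(NamedTuple):
    kind: str                      # "ipv4", "ipv6", "mdns" or "fqdn"
    resolver: Optional[str]        # None for address literals, else "mdns" or "dns"
    record_order: Tuple[str, ...]  # record types to query, in order


def connection_address(candidate_line: str) -> Optional[str]:
    """Return the <connection-address> field of a candidate line, or None if malformed."""
    line = candidate_line.strip()
    if line.startswith("a="):
        line = line[2:]
    if not line.startswith("candidate:"):
        return None
    # foundation component-id transport priority connection-address port "typ" cand-type ...
    fields = line[len("candidate:"):].split()
    if len(fields) < 8 or fields[6] != "typ":
        return None
    return fields[4]


def plan_for(address: str, supports_ipv4: bool = True,
             supports_ipv6: bool = True) -> Optional[Plan]:
    """Decide how to treat a connection-address; None means ignore the candidate."""
    # A colon marks the value as IPv6; anything with a colon that is not a
    # valid IPv6 literal is dropped instead of being handed to a resolver.
    if ":" in address:
        try:
            ipaddress.IPv6Address(address)
        except ValueError:
            return None
        return Plan("ipv6", None, ()) if supports_ipv6 else None

    try:
        ipaddress.IPv4Address(address)
    except ValueError:
        pass  # not an IPv4 literal: fall through to name handling
    else:
        return Plan("ipv4", None, ()) if supports_ipv4 else None

    # Name handling. Reject anything that is not plausible hostname syntax,
    # including dotted-numeric strings such as "999.1.1.1" (assumption of
    # this sketch: these are malformed literals, not names to resolve).
    name = address[:-1] if address.endswith(".") else address
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    if labels[-1].isdigit():
        return None

    # AAAA first if the agent supports IPv6, then A.
    order = tuple(rr for rr, ok in (("AAAA", supports_ipv6), ("A", supports_ipv4)) if ok)
    if not order:
        return None

    # .local names go to mDNS only, never to unicast DNS.
    if labels[-1].lower() == "local":
        return Plan("mdns", "mdns", order)
    return Plan("fqdn", "dns", order)


def triage(lines: List[str], supports_ipv4: bool = True,
           supports_ipv6: bool = True) -> List[Tuple[str, Optional[Plan]]]:
    """Pair every candidate line with its plan (None = ignored)."""
    out = []
    for line in lines:
        addr = connection_address(line)
        plan = plan_for(addr, supports_ipv4, supports_ipv6) if addr else None
        out.append((line, plan))
    return out


if __name__ == "__main__":
    for line, plan in triage(SAMPLE_CANDIDATES, supports_ipv6=False):
        print(plan, "<-", line)
```
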


From nobody Wed Jul 18 07:20:30 2018
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7309712F1A2 for <rtcweb@ietfa.amsl.com>; Wed, 18 Jul 2018 07:20:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level: 
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bTmYg2Cdcb5t for <rtcweb@ietfa.amsl.com>; Wed, 18 Jul 2018 07:20:24 -0700 (PDT)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00998130E14 for <rtcweb@ietf.org>; Wed, 18 Jul 2018 07:20:23 -0700 (PDT)
Received: by mail-it0-x22e.google.com with SMTP id j185-v6so4540688ite.1 for <rtcweb@ietf.org>; Wed, 18 Jul 2018 07:20:23 -0700 (PDT)
X-Received: by 2002:a24:1049:: with SMTP id 70-v6mr2107869ity.115.1531923622897;  Wed, 18 Jul 2018 07:20:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com> <CA+9kkMA41=kWQJLj8x=3D8OpbouqfvMUkVgPb=+cboXco3Sxrg@mail.gmail.com> <CAOJ7v-0A9twfPgfVOOLM-Wko3UYYky_EanM5GM1PGiXSyJex5A@mail.gmail.com>
In-Reply-To: <CAOJ7v-0A9twfPgfVOOLM-Wko3UYYky_EanM5GM1PGiXSyJex5A@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Wed, 18 Jul 2018 07:20:13 -0700
Message-ID: <CAOJ7v-3ptCuMXJQ=KTDTx3n-F+RDiod0KFP-W9Zq2Gz-4T7+Uw@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Peter Thatcher <pthatcher@google.com>, youenn fablet <youennf@gmail.com>,  RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e587d057146c3a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/rONMVc6vrO4M7mg8YXPHZ5A60ow>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 14:20:29 -0000

--0000000000005e587d057146c3a8
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Note that we are going to discuss the particulars here in the mmusic WG
meeting on Thursday.

On Wed, Jul 18, 2018 at 7:17 AM Justin Uberti <juberti@google.com> wrote:

> Yeah, I think we just need to emphasize that the FQDN can be a mDNS name.
> Here's my current suggestion for updates to S 4.1 in ice-sip-sdp
> <https://tools.ietf.org/html/draft-ietf-mmusic-ice-sip-sdp-21#section-4.1>:
>
>> <connection-address>:  is taken from RFC 4566 [RFC4566].  It is the
>> IP address of the candidate.  When parsing this field, an agent
>> can differentiate an IPv4 address and an IPv6 address by presence
>> of a colon in its value -- the presence of a colon indicates IPv6.
>> An agent MUST ignore candidate lines that include candidates with
>> IP address versions that are not supported or recognized.  An IP
>> address SHOULD be used, but an FQDN (including a mDNS [RFC6762] name)
>> MAY be used in place of an IP address.
>>
>> In the case of receiving a candidate containing a FQDN, the hostname is
>> looked up via DNS or mDNS as appropriate, first using an AAAA record
>> (assuming the agent supports IPv6), and if no result is found or the
>> agent only supports IPv4, using an A record.
>
>
>
>
> On Tue, Jul 17, 2018 at 3:11 PM Ted Hardie <ted.ietf@gmail.com> wrote:
>
>> On Tue, Jul 17, 2018 at 4:46 PM, Peter Thatcher <pthatcher=40google.com@dmarc.ietf.org> wrote:
>>
>>> Where is the right place to comment on draft-mdns-ice-candidates?
>>>
>>
>>
>>> I looked at it from an ICE WG perspective, and it seems to be that since
>>> (in RFC 5245), the candidate address can be a FQDN (section 15.1) you don't
>>> need the special steps you have in section 3.2, because a .local address is
>>> a FQDN (isn't it?).
>>>
>>
>> The use of a .local signals that this is a special use name within the
>> context of multicast DNS (RFC 6762).  One key difference there is that the
>> uniqueness of a standard DNS name is derived from the hierarchical
>> delegation of the DNS.  Uniqueness in MDNS is achieved using a local probe
>> and announce method.  As Harald pointed out in the room, there are some
>> latency consequences to that; those might be avoided by generating probable
>> uniqueness in names via the UUID mechanism, but that still needs to be
>> worked out.  That, I think means the work in 3.1 is definitely needed.
>>
>>
>>> I think the only novel thing would be to perhaps make it clear that mDNS
>>> should be used for the name resolution.
>>>
>>>
>> You might treat the special steps as redundant (since .local should
>> signal mDNS), but I personally think it is helpful, because it discourages
>> coalescing with standard DNS responses (which is permitted by 6762).
>>
>> Just my personal opinion.
>>
>> Ted
>>
>>
>>
>>
>>
>>> On Fri, Jun 29, 2018 at 6:07 PM youenn fablet <youennf@gmail.com> wrote:
>>>
>>>> A draft describing the Safari/WebKit approach is available at
>>>> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>>>>
>>>> Eric, can you precise the kind of information you would like to have?
>>>> Some testing has been done to validate the approach but I do not think
>>>> this is representative of the actual state of the affair. Safari/WebKit is
>>>> not gathering any related statistic.
>>>>
>>>>    Y
>>>>
>>>> On Fri, Jun 29, 2018 at 11:10, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>>>>
>>>>> I believe such data will be forthcoming from the Safari team. We are
>>>>> also working on this.
>>>>>
>>>>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>
>>>>>> It seems like this is something one could A/B test and measure
>>>>>> connection rates. Has someone done so?
>>>>>>
>>>>>> -Ekr
>>>>>>
>>

--0000000000005e587d057146c3a8
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Note that we are going to discuss the particulars here in =
the mmusic WG meeting on Thursday.<br></div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr">On Wed, Jul 18, 2018 at 7:17 AM Justin Uberti &lt;<a href=
=3D"mailto:juberti@google.com">juberti@google.com</a>&gt; wrote:<br></div><=
blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px=
 #ccc solid;padding-left:1ex"><div dir=3D"ltr">Yeah, I think we just need t=
o emphasize that the FQDN can be a mDNS name. Here&#39;s my current suggest=
ion for updates to <a href=3D"https://tools.ietf.org/html/draft-ietf-mmusic=
-ice-sip-sdp-21#section-4.1" target=3D"_blank">S 4.1 in ice-sip-sdp</a>:<di=
v><br></div><div><b style=3D"font-weight:normal" id=3D"m_429573842448352805=
3gmail-docs-internal-guid-f3085761-adbc-78af-f8cc-fd2fc0d8f882"><font face=
=3D"monospace, monospace"><blockquote style=3D"margin:0px 0px 0px 0.8ex;bor=
der-left:1px solid rgb(204,204,204);padding-left:1ex" class=3D"gmail_quote"=
><span style=3D"color:rgb(0,0,0);background-color:rgb(255,253,245);font-wei=
ght:400;font-style:normal;font-variant:normal;text-decoration:none;vertical=
-align:baseline;white-space:pre-wrap">&lt;connection-address&gt;: =C2=A0is =
taken from RFC 4566 [RFC4566].=C2=A0 It is the<br></span><span style=3D"col=
or:rgb(0,0,0);background-color:rgb(255,253,245);font-weight:400;font-style:=
normal;font-variant:normal;text-decoration:none;vertical-align:baseline;whi=
te-space:pre-wrap">IP address of the candidate.=C2=A0 When parsing this fie=
ld, an agent<br></span><span style=3D"color:rgb(0,0,0);background-color:rgb=
(255,253,245);font-weight:400;font-style:normal;font-variant:normal;text-de=
coration:none;vertical-align:baseline;white-space:pre-wrap">can differentia=
te an IPv4 address and an IPv6 address by presence<br></span><span style=3D=
"color:rgb(0,0,0);background-color:rgb(255,253,245);font-weight:400;font-st=
yle:normal;font-variant:normal;text-decoration:none;vertical-align:baseline=
;white-space:pre-wrap">of a colon in its value -- the presence of a colon i=
ndicates IPv6.<br></span><span style=3D"color:rgb(0,0,0);background-color:r=
gb(255,253,245);font-weight:400;font-style:normal;font-variant:normal;text-=
decoration:none;vertical-align:baseline;white-space:pre-wrap">An agent MUST=
 ignore candidate lines that include candidates with<br></span><span style=
=3D"color:rgb(0,0,0);background-color:rgb(255,253,245);font-weight:400;font=
-style:normal;font-variant:normal;text-decoration:none;vertical-align:basel=
ine;white-space:pre-wrap">IP address versions that are not supported or rec=
ognized.=C2=A0 An IP<br></span><span style=3D"color:rgb(0,0,0);background-c=
olor:rgb(255,253,245);font-weight:400;font-style:normal;font-variant:normal=
;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">address=
 SHOULD be used, but an FQDN </span><span style=3D"color:rgb(0,0,0);backgro=
und-color:rgb(217,234,211);font-weight:400;font-style:normal;font-variant:n=
ormal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">(i=
ncluding a mDNS [RFC6762] name)</span><span style=3D"color:rgb(0,0,0);backg=
round-color:rgb(255,253,245);font-weight:400;font-style:normal;font-variant=
:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=
 <br></span><span style=3D"color:rgb(0,0,0);background-color:rgb(255,253,24=
5);font-weight:400;font-style:normal;font-variant:normal;text-decoration:no=
ne;vertical-align:baseline;white-space:pre-wrap">MAY be used in place of an=
 IP address. </span></blockquote></font></b></div><font face=3D"monospace, =
monospace"><span style=3D"color:rgb(0,0,0);background-color:rgb(217,234,211=
);font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align=
:baseline;white-space:pre-wrap"><div><font face=3D"monospace, monospace"><s=
pan style=3D"color:rgb(0,0,0);background-color:rgb(217,234,211);font-varian=
t-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;whi=
te-space:pre-wrap"><br></span></font></div></span></font><blockquote style=
=3D"margin:0 0 0 40px;border:none;padding:0px"></blockquote><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><span style=3D"font-family:monospace,mon=
ospace;font-variant-numeric:normal;font-variant-east-asian:normal;color:rgb=
(0,0,0);background-color:rgb(217,234,211);vertical-align:baseline;white-spa=
ce:pre-wrap">In the case of receiving an candidate containing a FQDN, the h=
ostname is looked up via DNS or mDNS as appropriate,</span><span style=3D"f=
ont-family:monospace,monospace;font-variant-numeric:normal;font-variant-eas=
t-asian:normal;color:rgb(0,0,0);background-color:rgb(255,253,245);vertical-=
align:baseline;white-space:pre-wrap"> first using an AAAA record (assuming =
the agent<br></span><span style=3D"background-color:rgb(255,253,245);color:=
rgb(0,0,0);white-space:pre-wrap;font-family:monospace,monospace">supports I=
Pv6), and if no result is found or the agent only<br></span><b style=3D"fon=
t-weight:normal"><font face=3D"monospace, monospace"><span style=3D"color:r=
gb(0,0,0);background-color:rgb(255,253,245);font-weight:400;font-style:norm=
al;font-variant:normal;text-decoration:none;vertical-align:baseline;white-s=
pace:pre-wrap">supports IPv4, using an A record. =C2=A0</span></font></b></=
blockquote><blockquote style=3D"margin:0 0 0 40px;border:none;padding:0px">=
</blockquote><div><div><br></div><div><br></div></div></div><br><div class=
=3D"gmail_quote"><div dir=3D"ltr">On Tue, Jul 17, 2018 at 3:11 PM Ted Hardi=
e &lt;<a href=3D"mailto:ted.ietf@gmail.com" target=3D"_blank">ted.ietf@gmai=
l.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"lt=
r"><div>On Tue, Jul 17, 2018 at 4:46 PM, Peter Thatcher <span dir=3D"ltr">&=
lt;<a href=3D"mailto:pthatcher=3D40google.com@dmarc.ietf.org" target=3D"_bl=
ank">pthatcher=3D40google.com@dmarc.ietf.org</a>&gt;</span> wrote:</div><di=
v class=3D"gmail_extra"><div class=3D"gmail_quote"><blockquote class=3D"gma=
il_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-lef=
t:1ex"><div dir=3D"ltr">Where is the right place to comment on=C2=A0draft-m=
dns-ice-candidates?</div></blockquote><div>=C2=A0</div><blockquote class=3D=
"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding=
-left:1ex"><div dir=3D"ltr"><div>I looked at it from an ICE WG perspective,=
 and it seems to be that since (in RFC 5245), the candidate address can be =
a FQDN (section 15.1) you don&#39;t need the special steps you have in sect=
ion 3.2, because a .local address is a FQDN (isn&#39;t it?).=C2=A0</div></d=
iv></blockquote><div><br></div><div>The use of a .local signals that this i=
s a special use name within the context of multicast DNS (RFC 6762).=C2=A0 =
One key difference there is that the uniqueness of a standard DNS name is d=
erived from the hierarchical delegation of the DNS.=C2=A0 Uniqueness in MDN=
S is achieved using a local probe and announce method.=C2=A0 As Harald poin=
ted out in the room, there are some latency consequences to that; those mig=
ht be avoided by generating probable uniqueness in names via the UUID mecha=
nism, but that still need to be worked out.=C2=A0 That, I think means the w=
ork in 3.1 is definitely needed.=C2=A0 <br></div><div>=C2=A0</div><blockquo=
te class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc so=
lid;padding-left:1ex"><div dir=3D"ltr"><div> I think the only novel thing w=
ould be to perhaps make it clear that mDNS should be used for the name reso=
lution.<br><br></div></div></blockquote><div>=C2=A0</div><div>You might=20
treat the special steps as redundant (since .local should signal mDNS),=20
but I personally think it is helpful, because it discourages coalescing=20
with standard DNS responses (which is permitted by 6762).</div><div><br></d=
iv><div>Just my personal opinion.</div><div><br></div><div>Ted<br></div><di=
v><div><br></div><br></div><div><br></div><div>=C2=A0</div><blockquote clas=
s=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;pad=
ding-left:1ex"><div dir=3D"ltr"><div><div class=3D"gmail_quote"><span><div =
dir=3D"ltr">On Fri, Jun 29, 2018 at 6:07 PM youenn fablet &lt;<a href=3D"ma=
ilto:youennf@gmail.com" target=3D"_blank">youennf@gmail.com</a>&gt; wrote:<=
br></div></span><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8e=
x;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"><span>A dra=
ft describing the Safari/WebKit approach is available at=C2=A0<a href=3D"ht=
tps://www.ietf.org/id/draft-mdns-ice-candidates-00.txt" target=3D"_blank">h=
ttps://www.ietf.org/id/draft-mdns-ice-candidates-00.txt</a><div><br></div><=
/span><div><span>Eric, can you precise the kind of information you would li=
ke to have?<br></span><div>Some testing has been done to validate the appro=
ach but I do not think this is representative of the actual state of the af=
fair. Safari/WebKit is not gathering any related statistic..</div></div></d=
iv><div dir=3D"ltr"><div><div><br></div><div>=C2=A0 =C2=A0Y</div></div></di=
v><div dir=3D"ltr"><div><div><br><div class=3D"gmail_quote"><span><div dir=
=3D"ltr">Le=C2=A0ven. 29 juin 2018 =C3=A0=C2=A011:10, Justin Uberti &lt;jub=
erti=3D<a href=3D"mailto:40google.com@dmarc.ietf.org" target=3D"_blank">40g=
oogle.com@dmarc.ietf.org</a>&gt; a =C3=A9crit=C2=A0:<br></div></span><block=
quote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc=
 solid;padding-left:1ex"><span><div dir=3D"ltr">I believe such data will be=
 forthcoming from the Safari team. We are also working on this.<br></div><b=
r></span><span><div class=3D"gmail_quote"><div dir=3D"ltr">On Fri, Jun 29, =
2018 at 7:03 AM Eric Rescorla &lt;<a href=3D"mailto:ekr@rtfm.com" target=3D=
"_blank">ekr@rtfm..com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1e=
x"><div dir=3D"ltr"><div>It seems like this is something one could A/B test=
 and measure connection rates. Has someone done so?<br></div><div><br></div=
><div>-Ekr</div></div></blockquote></div>
</span></blockquote></div></div></div></div><div dir=3D"ltr"><div></div></d=
iv>
_______________________________________________<span><br>
rtcweb mailing list<br>
<a href=3D"mailto:rtcweb@ietf.org" target=3D"_blank">rtcweb@ietf.org</a><br=
>
<a href=3D"https://www.ietf.org/mailman/listinfo/rtcweb" rel=3D"noreferrer"=
 target=3D"_blank">https://www.ietf.org/mailman/listinfo/rtcweb</a><br>
</span></blockquote></div></div></div>
<br>_______________________________________________<br>
rtcweb mailing list<br>
<a href=3D"mailto:rtcweb@ietf.org" target=3D"_blank">rtcweb@ietf.org</a><br=
>
<a href=3D"https://www.ietf.org/mailman/listinfo/rtcweb" rel=3D"noreferrer"=
 target=3D"_blank">https://www.ietf.org/mailman/listinfo/rtcweb</a><br>
<br></blockquote></div><br></div></div>
</blockquote></div>
</blockquote></div>

--0000000000005e587d057146c3a8--


From nobody Wed Jul 18 07:49:13 2018
Return-Path: <youennf@gmail.com>
MIME-Version: 1.0
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com> <CA+9kkMA41=kWQJLj8x=3D8OpbouqfvMUkVgPb=+cboXco3Sxrg@mail.gmail.com> <CAOJ7v-0A9twfPgfVOOLM-Wko3UYYky_EanM5GM1PGiXSyJex5A@mail.gmail.com> <CAOJ7v-3ptCuMXJQ=KTDTx3n-F+RDiod0KFP-W9Zq2Gz-4T7+Uw@mail.gmail.com>
In-Reply-To: <CAOJ7v-3ptCuMXJQ=KTDTx3n-F+RDiod0KFP-W9Zq2Gz-4T7+Uw@mail.gmail.com>
From: youenn fablet <youennf@gmail.com>
Date: Wed, 18 Jul 2018 10:48:53 -0400
Message-ID: <CANN+akZ7e0eiZp9AyTXBcCuUqVaczbs3c_3mhNp5UKg60s2+OQ@mail.gmail.com>
To: Peter Thatcher <pthatcher@google.com>
Cc: Ted Hardie <ted.ietf@gmail.com>, Justin Uberti <juberti@google.com>,  RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000000121a0571472a39"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/iBZVlxb9VLbXbtoxgw8WdvsY1O8>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates

--00000000000000121a0571472a39
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Agreed that an explicit reference to MDNS would be good.
DNS resolution can be used for both candidates as well as STUN/TURN server
names.
The proposal so far is to ensure that MDNS be supported for candidates.

On Wed, Jul 18, 2018 at 10:20, Justin Uberti <juberti@google.com> wrote:

> Note that we are going to discuss the particulars here in the mmusic WG
> meeting on Thursday.
>
> On Wed, Jul 18, 2018 at 7:17 AM Justin Uberti <juberti@google.com> wrote:
>
>> Yeah, I think we just need to emphasize that the FQDN can be a mDNS name.
>> Here's my current suggestion for updates to S 4.1 in ice-sip-sdp
>> <https://tools.ietf.org/html/draft-ietf-mmusic-ice-sip-sdp-21#section-4.1>:
>>
>>> <connection-address>:  is taken from RFC 4566 [RFC4566].  It is the
>>> IP address of the candidate.  When parsing this field, an agent
>>> can differentiate an IPv4 address and an IPv6 address by presence
>>> of a colon in its value -- the presence of a colon indicates IPv6.
>>> An agent MUST ignore candidate lines that include candidates with
>>> IP address versions that are not supported or recognized.  An IP
>>> address SHOULD be used, but an FQDN (including a mDNS [RFC6762] name)
>>> MAY be used in place of an IP address.
>>>
>>> In the case of receiving a candidate containing a FQDN, the hostname is
>>> looked up via DNS or mDNS as appropriate, first using an AAAA record
>>> (assuming the agent
>>> supports IPv6), and if no result is found or the agent only
>>> supports IPv4, using an A record.
>>
>> On Tue, Jul 17, 2018 at 3:11 PM Ted Hardie <ted.ietf@gmail.com> wrote:
>>
>>> On Tue, Jul 17, 2018 at 4:46 PM, Peter Thatcher
>>> <pthatcher=40google.com@dmarc.ietf.org> wrote:
>>>
>>>> Where is the right place to comment on draft-mdns-ice-candidates?
>>>>
>>>
>>>
>>>> I looked at it from an ICE WG perspective, and it seems to be that
>>>> since (in RFC 5245), the candidate address can be a FQDN (section 15.1)
>>>> you don't need the special steps you have in section 3.2, because a
>>>> .local address is a FQDN (isn't it?).
>>>>
>>>
>>> The use of a .local signals that this is a special use name within the
>>> context of multicast DNS (RFC 6762).  One key difference there is that
>>> the uniqueness of a standard DNS name is derived from the hierarchical
>>> delegation of the DNS.  Uniqueness in MDNS is achieved using a local
>>> probe and announce method.  As Harald pointed out in the room, there are
>>> some latency consequences to that; those might be avoided by generating
>>> probable uniqueness in names via the UUID mechanism, but that still
>>> needs to be worked out.  That, I think, means the work in 3.1 is
>>> definitely needed.
>>>
>>>
>>>> I think the only novel thing would be to perhaps make it clear that
>>>> mDNS should be used for the name resolution.
>>>>
>>>>
>>> You might treat the special steps as redundant (since .local should
>>> signal mDNS), but I personally think it is helpful, because it
>>> discourages coalescing with standard DNS responses (which is permitted
>>> by 6762).
>>>
>>> Just my personal opinion.
>>>
>>> Ted
>>>
>>>
>>>
>>>
>>>
>>>> On Fri, Jun 29, 2018 at 6:07 PM youenn fablet <youennf@gmail.com>
>>>> wrote:
>>>>
>>>>> A draft describing the Safari/WebKit approach is available at
>>>>> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>>>>>
>>>>> Eric, can you precise the kind of information you would like to have?
>>>>> Some testing has been done to validate the approach but I do not think
>>>>> this is representative of the actual state of the affair. Safari/WebKit
>>>>> is not gathering any related statistic.
>>>>>
>>>>>    Y
>>>>>
>>>>> On Fri, Jun 29, 2018 at 11:10, Justin Uberti
>>>>> <juberti=40google.com@dmarc.ietf.org> wrote:
>>>>>
>>>>>> I believe such data will be forthcoming from the Safari team. We are
>>>>>> also working on this.
>>>>>>
>>>>>> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>>
>>>>>>> It seems like this is something one could A/B test and measure
>>>>>>> connection rates. Has someone done so?
>>>>>>>
>>>>>>> -Ekr
>>>>>>>
>>>>>> _______________________________________________
>>>>> rtcweb mailing list
>>>>> rtcweb@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/rtcweb
>>>>>
>>>


--00000000000000121a0571472a39--
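
The handling that the quoted S 4.1 suggestion and Ted Hardie's reply describe, as an added example that is not part of this thread or of any draft: classify a candidate's connection-address (colon means IPv6, `.local` means mDNS), keep `.local` names away from unicast DNS, and pick the AAAA-then-A lookup order. All function names, the `agent` capability object and the sample candidate lines (including the UUID-style name) are constructed for illustration.

```javascript
// Candidate line layout (RFC 5245 section 15.1):
// candidate:<foundation> <component> <transport> <priority> <connection-address> <port> typ <type>
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return { foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
           priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7] };
}

const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4 = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns 'ipv4', 'ipv6', 'mdns', 'fqdn' or 'invalid'.
function classifyAddress(address) {
  // Rule from the suggested text: presence of a colon indicates IPv6.
  if (address.includes(':')) return 'ipv6';
  if (IPV4.test(address)) return 'ipv4';
  // Digits and dots only, but not a valid IPv4 literal: do not treat as a name.
  if (/^[0-9.]+$/.test(address)) return 'invalid';
  const name = address.replace(/\.$/, '').toLowerCase();
  const labels = name.split('.');
  // Assumption of this example: a usable name has at least two valid labels.
  if (name.length > 253 || labels.length < 2 || !labels.every((l) => LABEL.test(l))) {
    return 'invalid';
  }
  // .local is the special-use domain for multicast DNS (RFC 6762).
  return labels[labels.length - 1] === 'local' ? 'mdns' : 'fqdn';
}

// Lookup order from the suggested text: AAAA first when the agent supports
// IPv6, then A. For an IPv6-only agent this example asks for AAAA only
// (assumption; the thread does not cover that case).
function recordOrder(agent) {
  if (agent.ipv6 && agent.ipv4) return ['AAAA', 'A'];
  return agent.ipv6 ? ['AAAA'] : ['A'];
}

// Decide what to do with one candidate line for an agent with the given
// address-family support. `.local` names go to mDNS only, never to unicast DNS.
function planFor(line, agent = { ipv4: true, ipv6: true }) {
  const cand = parseCandidate(line);
  if (!cand) return { action: 'ignore', reason: 'unparseable' };
  const kind = classifyAddress(cand.address);
  switch (kind) {
    case 'ipv4':
    case 'ipv6':
      // MUST ignore candidates whose IP version is not supported.
      return agent[kind]
        ? { action: 'use', kind, address: cand.address }
        : { action: 'ignore', reason: 'unsupported ' + kind };
    case 'mdns':
      return { action: 'resolve', via: 'mdns', records: recordOrder(agent), name: cand.address };
    case 'fqdn':
      return { action: 'resolve', via: 'dns', records: recordOrder(agent), name: cand.address };
    default:
      return { action: 'ignore', reason: 'invalid connection-address' };
  }
}

// Constructed sample candidates (documentation addresses, made-up UUID name).
const SAMPLES = [
  'candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host',
  'candidate:2 1 udp 2122194687 2001:db8::1 54322 typ host',
  'candidate:3 1 udp 2122262783 1f4712db-ea17-4bcf-a596-105139dfd8bf.local 54596 typ host',
  'candidate:4 1 udp 1686052607 host.example.com 3478 typ srflx',
  'candidate:5 1 udp 1 999.1.1.1 9 typ host',
];

function summarize(agent) {
  return SAMPLES.map((line) => {
    const p = planFor(line, agent);
    return p.action === 'resolve' ? `${p.via}:${p.records.join(',')}` : `${p.action}`;
  });
}
```
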


From nobody Wed Jul 18 07:49:21 2018
Return-Path: <christer.holmberg@ericsson.com>
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Justin Uberti <juberti=40google.com@dmarc.ietf.org>, Ted Hardie <ted.ietf@gmail.com>
CC: RTCWeb IETF <rtcweb@ietf.org>
Thread-Topic: [rtcweb] IP handling: Using mDNS names for host candidates
Thread-Index: AQHUHg9Kl/rXQyx1OEGJeugnKutyHKST2E8AgAEORwCAACllYA==
Date: Wed, 18 Jul 2018 14:49:06 +0000
Message-ID: <ca8d7225c49f44d88dba899aeaed11b1@ericsson.com>
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com> <CA+9kkMA41=kWQJLj8x=3D8OpbouqfvMUkVgPb=+cboXco3Sxrg@mail.gmail.com> <CAOJ7v-0A9twfPgfVOOLM-Wko3UYYky_EanM5GM1PGiXSyJex5A@mail.gmail.com>
In-Reply-To: <CAOJ7v-0A9twfPgfVOOLM-Wko3UYYky_EanM5GM1PGiXSyJex5A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [153.88.183.153]
Content-Type: multipart/alternative; boundary="_000_ca8d7225c49f44d88dba899aeaed11b1ericssoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/iWONNtxWhevthiSJCfzW0RVxyys>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates

--_000_ca8d7225c49f44d88dba899aeaed11b1ericssoncom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_ca8d7225c49f44d88dba899aeaed11b1ericssoncom_--


From nobody Wed Jul 18 08:09:38 2018
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08CAB130EC0 for <rtcweb@ietfa.amsl.com>; Wed, 18 Jul 2018 08:09:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level: 
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kE6IRJ46ZoYX for <rtcweb@ietfa.amsl.com>; Wed, 18 Jul 2018 08:09:32 -0700 (PDT)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DA72130E24 for <rtcweb@ietf.org>; Wed, 18 Jul 2018 08:09:32 -0700 (PDT)
Received: by mail-it0-x230.google.com with SMTP id q20-v6so4793725ith.0 for <rtcweb@ietf.org>; Wed, 18 Jul 2018 08:09:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IH0yw7W+Zm5sQmbNgOu2epXMj4aE+vasFXHt8tGjKJU=; b=ncy07DJnZthN+fjkkDbY0tqK29EqEOePAK/t5Oucv55gjRzWqAkr2Lv3Lz/zNuPuqX B4U8aCnhAeAQFigDgaPP6sjQfmPduXC93TrGrhQQjUZy7L1fTkHzB9+QBxyIgKnIRSBx 1+QjBw5o8QbszNtzLRvyR6hKgrT4+vm5Q+uAI+rON5PDON+ZDwa/a2XeiEEJjTiY4bhq Ky6bt1s8ylgXnKayIa+PnN7ziyxjU4bVYrLqs5RvSShmT0IAoS0/7re8GrlIvZb7N0fb Sd3/UTgDnQ6vDoj2FosD4QtnGXgkxhfZmlTtwlyrwW3I4kvnCmX85Stl3c9tpe6XVueF bR9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IH0yw7W+Zm5sQmbNgOu2epXMj4aE+vasFXHt8tGjKJU=; b=tNqWZjdwRFIbDRzL8UHDzhAT0YntQDIILeLAB/RHwvwJ7SDnZ+1GA9NbdlCYNryo7h lut+NQan+/xkMhk/aVYV3FA7AGclV5U8mY+Pxlnwpbvo0veiwSRIkJklq5JhMUe9ComT BhF+8r6OaYnWTxJfilzov0oDiuUH56+i4qwQSfPjNvWsFspx9/5wQIcYApfJqgO4UjuW U0Y/JONKIM0dncpa7P8u5H0UtSmAEQ6/HkxZrMsDCRf509b1NSXHzTfyRkRSu4gSMkom jyf7xfKY9ZYfUigr+o+tqwF37mftKyIhaCgirqZTWkj3OkI1nv2OCeeiK7fBGpUfaYmK h8lA==
X-Gm-Message-State: AOUpUlFjX04QipHjb+hT9Y4EteHW41qpgVXXCmkhqboP71MYHId8JOeN GDeXDkcwh5N1bz8BrJhxqzVvXJw2XmTi+f0kO6Qf/g==
X-Google-Smtp-Source: AAOMgpfUvE5PCzON6QDJDmZzfKh2t7lU5qZsqKHQQylF22kgEmZrYg06py7jDloIh+oiqvcu7ZKiF9oYHr3Gjaq59Rg=
X-Received: by 2002:a02:94af:: with SMTP id x44-v6mr5938144jah.121.1531926571343;  Wed, 18 Jul 2018 08:09:31 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com> <CA+9kkMA41=kWQJLj8x=3D8OpbouqfvMUkVgPb=+cboXco3Sxrg@mail.gmail.com> <CAOJ7v-0A9twfPgfVOOLM-Wko3UYYky_EanM5GM1PGiXSyJex5A@mail.gmail.com> <ca8d7225c49f44d88dba899aeaed11b1@ericsson.com>
In-Reply-To: <ca8d7225c49f44d88dba899aeaed11b1@ericsson.com>
From: Justin Uberti <juberti@google.com>
Date: Wed, 18 Jul 2018 08:09:19 -0700
Message-ID: <CAOJ7v-3boweT5GVuzh8S5bLMjfitKcjdtfQe8mWtqf4uyirBVA@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Ted Hardie <ted.ietf@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001c190805714773d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/zxYI8g9qawJAAfQsYLJr7QgyOio>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 15:09:36 -0000

--0000000000001c190805714773d4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

As these changes are essentially clarifications of existing 5245 text, I
don't see a need for existing docs (e.g. JSEP) to be updated.

On Wed, Jul 18, 2018 at 7:49 AM Christer Holmberg <
christer.holmberg@ericsson.com> wrote:

> Does that mean that RTCWEB is actually going to reference ice-sip-sdp and
> ICEbis (instead of RFC 5245)?
>
>
>
> Regards,
>
>
>
> Christer
>
>
>
> *From:* rtcweb [mailto:rtcweb-bounces@ietf.org] *On Behalf Of *Justin
> Uberti
> *Sent:* 18 July 2018 10:18
> *To:* Ted Hardie <ted.ietf@gmail.com>
> *Cc:* RTCWeb IETF <rtcweb@ietf.org>
> *Subject:* Re: [rtcweb] IP handling: Using mDNS names for host candidates
>
>
>
> Yeah, I think we just need to emphasize that the FQDN can be a mDNS name.
> Here's my current suggestion for updates to S 4.1 in ice-sip-sdp
> <https://tools.ietf.org/html/draft-ietf-mmusic-ice-sip-sdp-21#section-4.1>:
>
>
>
> <connection-address>:  is taken from RFC 4566 [RFC4566].  It is the
> IP address of the candidate.  When parsing this field, an agent
> can differentiate an IPv4 address and an IPv6 address by presence
> of a colon in its value -- the presence of a colon indicates IPv6.
> An agent MUST ignore candidate lines that include candidates with
> IP address versions that are not supported or recognized.  An IP
> address SHOULD be used, but an FQDN (including a mDNS [RFC6762] name)
> MAY be used in place of an IP address.
>
>
>
> In the case of receiving a candidate containing a FQDN, the hostname is
> looked up via DNS or mDNS as appropriate, first using an AAAA record
> (assuming the agent supports IPv6), and if no result is found or the
> agent only supports IPv4, using an A record.
>
> On Tue, Jul 17, 2018 at 3:11 PM Ted Hardie <ted.ietf@gmail.com> wrote:
>
> On Tue, Jul 17, 2018 at 4:46 PM, Peter Thatcher <pthatcher=40google.com@dmarc.ietf.org> wrote:
>
> Where is the right place to comment on draft-mdns-ice-candidates?
>
>
>
> I looked at it from an ICE WG perspective, and it seems to be that since
> (in RFC 5245), the candidate address can be a FQDN (section 15.1) you don't
> need the special steps you have in section 3.2, because a .local address is
> a FQDN (isn't it?).
>
>
>
> The use of a .local signals that this is a special use name within the
> context of multicast DNS (RFC 6762).  One key difference there is that the
> uniqueness of a standard DNS name is derived from the hierarchical
> delegation of the DNS.  Uniqueness in MDNS is achieved using a local probe
> and announce method.  As Harald pointed out in the room, there are some
> latency consequences to that; those might be avoided by generating probable
> uniqueness in names via the UUID mechanism, but that still needs to be
> worked out.  That, I think, means the work in 3.1 is definitely needed.
>
>
>
> I think the only novel thing would be to perhaps make it clear that mDNS
> should be used for the name resolution.
>
>
>
> You might treat the special steps as redundant (since .local should signal
> mDNS), but I personally think it is helpful, because it discourages
> coalescing with standard DNS responses (which is permitted by 6762).
>
>
>
> Just my personal opinion.
>
>
>
> Ted
>
> On Fri, Jun 29, 2018 at 6:07 PM youenn fablet <youennf@gmail.com> wrote:
>
> A draft describing the Safari/WebKit approach is available at
> https://www.ietf.org/id/draft-mdns-ice-candidates-00.txt
>
>
>
> Eric, can you specify the kind of information you would like to have?
>
> Some testing has been done to validate the approach but I do not think
> this is representative of the actual state of affairs. Safari/WebKit is
> not gathering any related statistics.
>
>
>
>    Y
>
>
>
> On Fri, 29 Jun 2018 at 11:10, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
>
> I believe such data will be forthcoming from the Safari team. We are also
> working on this.
>
>
>
> On Fri, Jun 29, 2018 at 7:03 AM Eric Rescorla <ekr@rtfm.com> wrote:
>
> It seems like this is something one could A/B test and measure connection
> rates. Has someone done so?
>
>
>
> -Ekr
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>

--0000000000001c190805714773d4--
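
An added example, not part of the thread or of ice-sip-sdp: one way a receiving agent could apply the S 4.1 text proposed in the message above, classifying `<connection-address>` as IPv4, IPv6, an mDNS `.local` name or an ordinary FQDN, and choosing the resolver and record order without coalescing `.local` names into unicast DNS. The function names, the constructed sample candidate lines and the rule rejecting names whose last label is numeric are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass
class Candidate:
    foundation: str
    component: int
    transport: str
    priority: int
    address: str
    port: int
    cand_type: str
    address_kind: str                 # "ipv4", "ipv6", "mdns" or "fqdn"
    resolver: Optional[str] = None    # None for IP literals, else "mdns" or "dns"
    query_order: List[str] = field(default_factory=list)


def classify_address(value: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (kind, resolver) for a <connection-address>, or None if malformed."""
    if ":" in value:                  # presence of a colon indicates IPv6
        try:
            ipaddress.IPv6Address(value)
        except ValueError:
            return None
        return "ipv6", None
    try:
        ipaddress.IPv4Address(value)
        return "ipv4", None
    except ValueError:
        pass
    labels = value.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    # Assumption of this example: a numeric last label is a malformed IPv4
    # literal (e.g. 999.1.1.1), not a hostname, so it is never looked up.
    if labels[-1].isdigit():
        return None
    if labels[-1] == "local":         # RFC 6762 special-use name: mDNS only
        return "mdns", "mdns"
    return "fqdn", "dns"


def parse_candidate(line: str, supports_ipv6: bool = True) -> Optional[Candidate]:
    """Parse one candidate attribute; None means the line is ignored."""
    text = line.strip()
    if text.startswith("a="):
        text = text[2:]
    if not text.startswith("candidate:"):
        return None
    tok = text[len("candidate:"):].split()
    if len(tok) < 8 or tok[6] != "typ":
        return None
    try:
        component, priority, port = int(tok[1]), int(tok[3]), int(tok[5])
    except ValueError:
        return None
    if not 0 <= port <= 65535:
        return None
    kind = classify_address(tok[4])
    if kind is None:
        return None
    address_kind, resolver = kind
    # Candidates with an unsupported IP address version are ignored.
    if address_kind == "ipv6" and not supports_ipv6:
        return None
    order: List[str] = []
    if resolver is not None:          # names: AAAA first if IPv6 is supported, then A
        order = ["AAAA", "A"] if supports_ipv6 else ["A"]
    return Candidate(tok[0], component, tok[2], priority, tok[4], port,
                     tok[7], address_kind, resolver, order)


# Constructed sample lines (documentation addresses and a made-up UUID name).
SAMPLE_LINES = [
    "a=candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host",
    "a=candidate:2 1 udp 2122194687 2001:db8::10 54321 typ host",
    "a=candidate:3 1 udp 2122260223 1f4712db-ea17-4bcf-a596-105139dfd8bf.local 54321 typ host",
    "a=candidate:4 1 udp 2122260223 host.example.com 54321 typ host",
    "a=candidate:5 1 udp 2122260223 999.1.1.1 54321 typ host",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        cand = parse_candidate(sample)
        if cand is None:
            print("ignored:", sample)
        else:
            print(cand.address, cand.address_kind, cand.resolver, cand.query_order)
```
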


From nobody Wed Jul 18 08:39:30 2018
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76D3113118F for <rtcweb@ietfa.amsl.com>; Wed, 18 Jul 2018 08:39:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.309
X-Spam-Level: 
X-Spam-Status: No, score=-4.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IaOMVdDQpdbR for <rtcweb@ietfa.amsl.com>; Wed, 18 Jul 2018 08:39:24 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35D8C130F65 for <rtcweb@ietf.org>; Wed, 18 Jul 2018 08:39:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1531928362; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=NeAqPnhFKGUdJx53CwiNR899VMXNKGT9SN6QpmEKOPo=; b=DoDy/2SZvcLy1yD0jlThqNzXADHNU3Iql+LSgHE7lNqzNHAZDXlW+0ff3cq9E55+ 6Ei0fIGeuss8KLBnN2RFZaFsJGp6evWZLugcxELG8j6tS+AUWQjIruB3764U/G4i eHAkaEnNYieS9bliaRLuyqh46lZ/sP50YG2yK/ReESE=;
X-AuditID: c1b4fb3a-dcb6e9c0000079c1-cb-5b4f5f2acf2a
Received: from ESESBMB502.ericsson.se (Unknown_Domain [153.88.183.115]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id EE.D0.31169.A2F5F4B5; Wed, 18 Jul 2018 17:39:22 +0200 (CEST)
Received: from ESESBMB503.ericsson.se (153.88.183.170) by ESESBMB502.ericsson.se (153.88.183.169) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 18 Jul 2018 17:39:20 +0200
Received: from ESESBMB503.ericsson.se ([153.88.183.186]) by ESESBMB503.ericsson.se ([153.88.183.186]) with mapi id 15.01.1466.003; Wed, 18 Jul 2018 17:39:20 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Justin Uberti <juberti@google.com>
CC: Ted Hardie <ted.ietf@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>
Thread-Topic: [rtcweb] IP handling: Using mDNS names for host candidates
Thread-Index: AQHUHg9Kl/rXQyx1OEGJeugnKutyHKST2E8AgAEORwCAACllYP//5PmAgAAoivA=
Date: Wed, 18 Jul 2018 15:39:20 +0000
Message-ID: <cd6ddc65c7254a4d80dec32b477c3df1@ericsson.com>
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <092e15c3-3ae8-5b18-1195-498f9cef1488@alvestrand.no> <CAOJ7v-3e8ytXd5NQLYdPyVdiSYDy4kGxQvbEh=_D9Mm0eSLmVg@mail.gmail.com> <CAPcE_Lf5kVoMzid1+Vc=mhGuH9v7nqoSq=TYJE8W9FMfcggKJA@mail.gmail.com> <CABcZeBOSyuOP6E4dreJc_OoxMTqZg-N5J9Gkbp7ygrXQbFd-XQ@mail.gmail.com> <CAOJ7v-3vZH81m9DK9CNmEH3UKTBZT+0f1=uuQdz7ou2JXxeMsA@mail.gmail.com> <CANN+akbH54-05VceqL-rfq+ZURB85LxXFb4_B5KV_6KaLaC=+g@mail.gmail.com> <CAJrXDUFzOBL1+8M4JiSaDakJc5VU2SudSD1TbmYGDofysO_K4A@mail.gmail.com> <CA+9kkMA41=kWQJLj8x=3D8OpbouqfvMUkVgPb=+cboXco3Sxrg@mail.gmail.com> <CAOJ7v-0A9twfPgfVOOLM-Wko3UYYky_EanM5GM1PGiXSyJex5A@mail.gmail.com> <ca8d7225c49f44d88dba899aeaed11b1@ericsson.com> <CAOJ7v-3boweT5GVuzh8S5bLMjfitKcjdtfQe8mWtqf4uyirBVA@mail.gmail.com>
In-Reply-To: <CAOJ7v-3boweT5GVuzh8S5bLMjfitKcjdtfQe8mWtqf4uyirBVA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [153.88.183.153]
Content-Type: multipart/alternative; boundary="_000_cd6ddc65c7254a4d80dec32b477c3df1ericssoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/tUMww9FcJV-x2yy2-toJ_2JVRKM>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 15:39:29 -0000

--_000_cd6ddc65c7254a4d80dec32b477c3df1ericssoncom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_cd6ddc65c7254a4d80dec32b477c3df1ericssoncom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_cd6ddc65c7254a4d80dec32b477c3df1ericssoncom_--


From nobody Fri Jul 20 07:15:46 2018
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19023130DCE for <rtcweb@ietfa.amsl.com>; Fri, 20 Jul 2018 07:15:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level: 
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RaQ13BoYqkCh for <rtcweb@ietfa.amsl.com>; Fri, 20 Jul 2018 07:15:34 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C93DA130DF3 for <rtcweb@ietf.org>; Fri, 20 Jul 2018 07:15:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1532096129; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=CIzRS+MnerA5sV/199365mxyBiatAklxpKV0opHPbmo=; b=JImrdTm/0IoxMLxIG9OOSIpIqBE4U4d5JMJeADTGL2GWmSHO2pEpOwyEV990P3mN 2dCqTtFaS3zyZZrk+in9JfJVJmA7rPRpM36/2CRYXAuM3X9/x34JrCmZsJf3mzq9 TFsrkPn/DXmUXoT8XKkNr0Bltvv20rhvjiRAaQjCIKg=;
X-AuditID: c1b4fb3a-dcb6e9c0000079c1-8a-5b51ee811bd5
Received: from ESESBMB504.ericsson.se (Unknown_Domain [153.88.183.117]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id 08.07.31169.18EE15B5; Fri, 20 Jul 2018 16:15:29 +0200 (CEST)
Received: from ESESBMB503.ericsson.se (153.88.183.170) by ESESBMB504.ericsson.se (153.88.183.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Fri, 20 Jul 2018 16:15:26 +0200
Received: from ESESBMB503.ericsson.se ([153.88.183.186]) by ESESBMB503.ericsson.se ([153.88.183.186]) with mapi id 15.01.1466.003; Fri, 20 Jul 2018 16:15:26 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: RTCWeb IETF <rtcweb@ietf.org>, "mmusic@ietf.org" <mmusic@ietf.org>, SIPCORE <sipcore@ietf.org>
Thread-Topic: [Ice] RFC 8445 on Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal
Thread-Index: AQHUH6/69R7hgK8pE0OKxVYGqS42HaSYKKow
Date: Fri, 20 Jul 2018 14:15:26 +0000
Message-ID: <de82703cc2ff4ce8a2436334a8a77a21@ericsson.com>
References: <20180719222845.CF604B81B5E@rfc-editor.org>
In-Reply-To: <20180719222845.CF604B81B5E@rfc-editor.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [153.88.183.153]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/zcgeZFlOsT6aha0bh7IdbCAlrzE>
Subject: [rtcweb] FW: [Ice] RFC 8445 on Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 14:15:36 -0000

FYI,

Regards,

Christer

-----Original Message-----
From: Ice [mailto:ice-bounces@ietf.org] On Behalf Of rfc-editor@rfc-editor.org
Sent: 19 July 2018 18:29
To: ietf-announce@ietf.org; rfc-dist@rfc-editor.org
Cc: drafts-update-ref@iana.org; ice@ietf.org; rfc-editor@rfc-editor.org
Subject: [Ice] RFC 8445 on Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal

A new Request for Comments is now available in online RFC libraries.

        RFC 8445

        Title:      Interactive Connectivity Establishment (ICE):
                    A Protocol for Network Address Translator (NAT)
                    Traversal
        Author:     A. Keranen,
                    C. Holmberg,
                    J. Rosenberg
        Status:     Standards Track
        Stream:     IETF
        Date:       July 2018
        Mailbox:    ari.keranen@ericsson.com,
                    christer.holmberg@ericsson.com,
                    jdrosen@jdrosen.net
        Pages:      100
        Characters: 239713
        Obsoletes:  RFC 5245

        I-D Tag:    draft-ietf-ice-rfc5245bis-20.txt

        URL:        https://www.rfc-editor.org/info/rfc8445

        DOI:        10.17487/RFC8445

This document describes a protocol for Network Address Translator
(NAT) traversal for UDP-based communication.  This protocol is called
Interactive Connectivity Establishment (ICE).  ICE makes use of the
Session Traversal Utilities for NAT (STUN) protocol and its extension,
Traversal Using Relay NAT (TURN).

This document obsoletes RFC 5245.

This document is a product of the Interactive Connectivity Establishment
Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and
suggestions for improvements.  Please refer to the current edition of the
Official Internet Protocol Standards (https://www.rfc-editor.org/standards)
for the standardization state and status of this protocol.  Distribution
of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC

_______________________________________________
Ice mailing list
Ice@ietf.org
https://www.ietf.org/mailman/listinfo/ice


From nobody Thu Jul 26 11:10:21 2018
Return-Path: <sean@sn3rd.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53588130E6E for <rtcweb@ietfa.amsl.com>; Thu, 26 Jul 2018 11:10:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nHwl65VM-1C1 for <rtcweb@ietfa.amsl.com>; Thu, 26 Jul 2018 11:10:17 -0700 (PDT)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F9A4130E29 for <rtcweb@ietf.org>; Thu, 26 Jul 2018 11:10:17 -0700 (PDT)
Received: by mail-qt0-x236.google.com with SMTP id q12-v6so2483039qtp.6 for <rtcweb@ietf.org>; Thu, 26 Jul 2018 11:10:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=from:content-transfer-encoding:mime-version:subject:message-id:date :to; bh=EZeliwWtlUrktrF75uanJyM+/VL2FIANNN4ht3FGzM4=; b=QIxBTnT7+WSw0aRxrqLNBmnuRT1JS4NvuTgNC+WaRN3ohkCIMQiHYs6hel4GI5Tmm+ aXS54YdrIwsqbFuDrzQftQSpaJAcA6w++2JnYbnhTOUgC+ra+uD5hTrYCJAFf0PBQQqg 9K9T6VZy/vBOx0GYrTAGYJGtnwyhJYiQWa/OA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:message-id:date:to; bh=EZeliwWtlUrktrF75uanJyM+/VL2FIANNN4ht3FGzM4=; b=NI3aO+Bn6MczztGOcWjvGkNhabdNQ8wkjOR+IG+Nv5H96AE8fDa8ukuEwoVsAYShPx sQlxdMEMDqrRh4BpS65k9zo28d1gmFTtwaD8Nwy7N8Y2+N1z8OOr9ryvF57yAfwQaT7i Br3TQRKbIF5iJTQOiezCPEuaS5DS1l84k58GkoV8QgS6/zrvqv95wtgFFODOCV1SfaC5 4ZrkaGRgjhv1m1HSZEZOSY5ZAG18+YsUGUDbdzJL1oIaMWIDSCCZsn3AihLIk0Uu6Yxb TRpjWhO4dK/ZlZ2xHtxXh5kO/d2eD3HBLqnMFQYWBAbkztEaTkBksh7H6Uofc+HMMjCd lSng==
X-Gm-Message-State: AOUpUlFOkyVC/6z52uV8drLB1LM6AVEEDhQlluWsRXe/LcQWAZVUrDK2 jNQGJQx2bghmU8DrWTskaTLtHjn3lR8=
X-Google-Smtp-Source: AAOMgpeCgrddfEkZ8orxZSTrDtyl/RTxWXCmG3U8z1DJLMJxHE7JPPdy0oEsFAimFySQWy+EmQkSIA==
X-Received: by 2002:ac8:395:: with SMTP id t21-v6mr2935672qtg.283.1532628616520;  Thu, 26 Jul 2018 11:10:16 -0700 (PDT)
Received: from [172.16.0.18] ([96.231.225.148]) by smtp.gmail.com with ESMTPSA id i128-v6sm1357947qke.36.2018.07.26.11.10.15 for <rtcweb@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Jul 2018 11:10:15 -0700 (PDT)
From: Sean Turner <sean@sn3rd.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Message-Id: <FCB797B1-BA78-4959-8AFE-A6824C3D59E3@sn3rd.com>
Date: Thu, 26 Jul 2018 14:10:14 -0400
To: RTCWeb IETF <rtcweb@ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/NRBTSwOEMt6b99og5X9riHAwi7w>
Subject: [rtcweb] WGLC for draft-ietf-rtcweb-sdp
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 18:10:19 -0000

All,

This is the working group last call for the "Annotated Example SDP for
WebRTC" draft available at
https://datatracker.ietf.org/doc/draft-ietf-rtcweb-sdp/.  Please review
the document and send your comments to the list by 2359 UTC on 17 August
2018.

Thanks - spt


From nobody Thu Jul 26 11:28:01 2018
Return-Path: <suhasietf@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1951130DCB; Thu, 26 Jul 2018 11:27:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S9eJt0uFwQmt; Thu, 26 Jul 2018 11:27:56 -0700 (PDT)
Received: from mail-vk0-x22e.google.com (mail-vk0-x22e.google.com [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB125124D68; Thu, 26 Jul 2018 11:27:55 -0700 (PDT)
Received: by mail-vk0-x22e.google.com with SMTP id 125-v6so1261228vke.11; Thu, 26 Jul 2018 11:27:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h81W/pqKM/YMOBcIoib3xS/Z+RAQ9j9W2xZ2Zdi1fuY=; b=cjxvpIlWW+TuAO7zmITvVsRpX/AsCCwO5hvasVms58Wgat9X0ZG4k/v4WZZixg00aO /jdxTLLS1mCHE77f/HNQAlDKHuwCPGynhIW1nohYRCy6xU3ivzWv2yKHhbRfCt86DuBJ yWqlr4iiW0vG8apPn+5yqPSmeWe6OmMBYWUh428d5Rj4/1RYsTva17Zs8n2FPbKibsaW mqSeqnN0eMA8L5fv6zt4gbsDQ14mnHcbD78VKb1dI9t9RsuGH4wsIcSBbpJl3DZmBCdZ 4+JAmDvZ3Em5E7adlarrFFYCwHVFjIN/xYyeJEvoiadkIyWKgkIrYOXNucF3X4LbNG46 AygQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h81W/pqKM/YMOBcIoib3xS/Z+RAQ9j9W2xZ2Zdi1fuY=; b=BdKCMe7qMoZDFotOAo1reOxpc1EHQmMwS4b40lI7AyE/wvN8f6TqpxDyANc6w/K7/f zlEy1bG9q97OpfsLTnJlGSWfZWo7rrU+tlkoe67VrdRZJkWKdueQNEAkXvDdtLegQzzf 8Vqxg++MdKEnJZA7VS/ClL3i9VRA0r1zcYvSedoN4RD7Xb/tdSgQ2YOpmpgKlXFLuP0n HkQIupTF0rnQCNyjEiL2lPmeJb84+6z9Jb/a+wZUFjQcvooWsRgPIiHEwN3TjF+vVVys l+KBTOneh84ctzTdNAFuqBdVAeqQRG+tjWRUyqaFyatvQTpgVPD4J07/UtWFRcu2c+1p 9WIA==
X-Gm-Message-State: AOUpUlHs6pBC/2LJviVQS+QvPiKjhPMDZv9NfizHgLmVbp/E+6sZOTC3 dlLnPWcyvJbxKWGgy60YwiDuLRKxe4mZILrhcKY=
X-Google-Smtp-Source: AAOMgpcsBM5Rr4Yr7ALWgTcqfSJjx1M5sVM03nhTXN8BPpNPG1R/fjYqr9d2+XSTmKRxzgLyaEItIZm1YPXWSMKRd9Q=
X-Received: by 2002:a1f:26ce:: with SMTP id m197-v6mr1924190vkm.115.1532629674749;  Thu, 26 Jul 2018 11:27:54 -0700 (PDT)
MIME-Version: 1.0
References: <a061e3cc-4a81-0a1f-ebd5-999e6973bc24@ericsson.com>
In-Reply-To: <a061e3cc-4a81-0a1f-ebd5-999e6973bc24@ericsson.com>
From: Suhas Nandakumar <suhasietf@gmail.com>
Date: Thu, 26 Jul 2018 11:27:43 -0700
Message-ID: <CAMRcRGQ_ywf97i5XorXHOjQsXkjvVz8vtBM2ZyBR726fFiPZ7A@mail.gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Cc: rtcweb@ietf.org, draft-ietf-rtcweb-sdp@ietf.org
Content-Type: multipart/alternative; boundary="00000000000056047d0571eb279e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/W4s6ICv4HRGv9hFfDbIr5M_ik1I>
Subject: Re: [rtcweb] Review of Section 5.3 of draft-ietf-rtcweb-sdp-10
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 18:28:00 -0000

--00000000000056047d0571eb279e
Content-Type: text/plain; charset="UTF-8"

Hello Magnus

 Thanks for the review. We will be working on your comments soon and post
an update.


cheers
Suhas

On Wed, Jul 4, 2018 at 7:57 AM Magnus Westerlund <
magnus.westerlund@ericsson.com> wrote:

> Hi,
>
> I have reviewed Section 5.3 only with a focus on the simulcast and
> multi-stream aspects. For example I have not cared if the ICE details
> are correct in these examples.
>
>
> A. Section 5.3.1:
>
> BUNDLE grouping framework enables multiplexing of all the 5 streams
>     (1 audio stream + 4 video streams) over a single RTP Session.
>
> It might be good to use RFC 7656 terminology and be specific in that
> this results in 5 source RTP streams.
>
> B. Section 5.3.1.
>
> As 5.3 says that this will use FEC or RTX and this one doesn't maybe be
> explicit that it is not added, or rewrite 5.3.
>
> C. section 5.3.1:
>
>     | a=group:LS m0 m1                            | [RFC5888]           |
>
> Is it intentional that video 2 is not included in the lip-synch group?
> May require an intention comment for this case.
>
> D. 5.3.1:
>
>     One video source corresponds to VP8 encoding, while the other
>     corresponds to H.264 encoding.
>
> As the m= block represents a media source, if the need is to provide one
> video camera's images (the media  source) as both VP8 and H.264 where
> each are in two different resolutions, then simulcast can handle that
> fine within a single m= block. So from my perspective this is a wrongly
> constructed example from that premise. Can you please clarify if you
> want two media sources, i.e. two cameras, or two encoder formats VP8 and
> H.264, or two resolutions, or any combination of them?
>
> I would recommend this example to be two media sources, with encoding
> simulcast. The resolution can be skipped as the later example includes
> resolution simulcasting.
>
> E. Section 5.3.1:
>
>     | a=rtcp-fb:* nack                            | [RFC5104]           |
>
>     | a=rtcp-fb:* nack pli                        | [RFC5104]           |
>
> I would note that generalized NACK as well as picture loss indication
> (PLI) is defined in RFC4585.
>
> F. Section 5.3.2:
>
>     This section shows an SDP Offer/Answer for a session with an audio
>     and a single video source.  The video source is encoded as layered
>     coding at 3 different resolutions based on [RFC5583].  The video
>     m=line shows 3 streams with last stream (payload 100) dependent on
>     streams with payload 96 and 97 for decoding.
>
> Also here use of RFC 7656 terminology to talk about (source) RTP streams
> when applicable would be good.
>
> G. Section 5.3.2:
>
>     | a=rtpmap:96 H264/90000                      | [RFC6184]           |
>     | a=fmtp:96 profile-level-id=4d0028;          | [RFC6184]H.264      |
>     | packetization-mode=1;max-fr=30;max-fs=8040  | Layer 1             |
>     | a=rtpmap:97 H264/90000                      | [RFC6184]           |
>     | a=fmtp:97 profile-level-                    | [RFC6184] H.264     |
>     | id=4d0028;packetization-mode=1; max-        | Layer 2             |
>     | fr=15;max-fs=1200                           |                     |
>     | a=rtpmap:100 H264-SVC/90000                 | [RFC6184]           |
>     | a=fmtp:100 profile-level-                   | [RFC6184]           |
>     | id=4d0028;packetization-mode=1; max-        |                     |
>     | fr=30;max-fs=8040                           |                     |
>     | a=depend:100 lay m1:96,97                   | [RFC5583]Layer 3    |
>
> I have my doubts about this configuration. First of all as it is SVC in
> Single RTP session mode (SST) I don't think it results in multiple RTP
> streams. I think the answerer will interpret this, which of these
> encodings can support. A non scalable H.264, another non-scalable H.264
> or SVC that can contain a number of layers.
>
> Secondly a=depend is only defined for MST mode in RFC 6190.
>
> You also have the wrong reference for the H-264-SVC a=rtpmap and a=fmtp
> line.
>
> H. Section 5.3.3:
>
>     | a=extmap:3 urn:ietf:params:rtp-             | [I-D.ietf-avtext-ri |
>     | hdrext:sdes:rtp-stream-id                   | d]                  |
>
> After this line you should have also this line:
>
>     | a=extmap:4 urn:ietf:params:rtp-             | [I-D.ietf-avtext-ri |
>     | hdrext:sdes:repaired-rtp-stream-id          | d]                  |
>
> This to enable the RTX streams to indicate which source RTP stream they
> are repairing. Add to both offer and answer.
>
> I. Section 5.3.3
>
> Why isn't RTX enabled for the audio also?
>
> J. Section 5.3.3. Answer:
>
>     | m=video 0 UDP/TLS/RTP/SAVPF 98 100 101 103  | BUNDLE accepted     |
>
> Payload types 100 and 101 are undefined in this media description.
>
> K. Section 5.3.4 Answer:
>
>     | a=rtpmap:101 VP8/90000                      | [RFC7741]           |
>
> Wrong media type for the payload; should be RTX.
>
> L. Section 5.3.4 Answer:
>
> Missing rtcp-fb definitions to enable use of NACK which RTX depends on.
>
>
> M. Section 5.3.5:
>
>     | a=fmtp:101 L=5; D=10; ToP=2; repair-        | [I-D.ietf-payload-f |
>     | window=200000                               | lexible-fec-scheme] |
>     | a=fmtp:103 L=5; D=10; ToP=2; repair-        | [I-D.ietf-payload-f |
>     | window=200000                               | lexible-fec-scheme] |
>
> As the parameters are the same, I don't see a point with having two
> payload types. Two different RTP repair streams can use the same payload
> type. As Flex-FEC can do all the binding using the CSRC field, there is
> also no need to have the repaired-rtp-stream-id header extension for
> this one.
>
> N. Section 5.3.5:
>
> Does it make sense to still have NACK for a session with FEC. If it
> fails isn't PLI or FIR
>
> Cheers
>
> Magnus Westerlund
>
> ----------------------------------------------------------------------
> Network Architecture & Protocols, Ericsson Research
> ----------------------------------------------------------------------
> Ericsson AB                 | Phone  +46 10 7148287
> Torshamnsgatan 23           | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>

--00000000000056047d0571eb279e--
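
Points H, J, K and L of the quoted review are consistency rules that can be checked mechanically on any SDP offer or answer. The following is an added example, not part of the thread or of draft-ietf-rtcweb-sdp; the function names, finding codes and both SDP samples are constructed here for illustration.

```python
import re

RID = "urn:ietf:params:rtp-hdrext:sdes:rtp-stream-id"
REPAIRED_RID = "urn:ietf:params:rtp-hdrext:sdes:repaired-rtp-stream-id"


def media_sections(sdp):
    """Split SDP text into (m_line, [attributes]) with 'm=' / 'a=' stripped."""
    sections = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            sections.append((line[2:], []))
        elif sections and line.startswith("a="):
            sections[-1][1].append(line[2:])
    return sections


def check_section(m_line, attrs):
    """Return [(code, payload_type)] findings for one media description."""
    fmts = m_line.split()[3:]            # payload types listed on the m= line
    rtpmap, apt, nack, extmaps = {}, {}, set(), set()
    for attr in attrs:
        name, _, value = attr.partition(":")
        parts = value.split(None, 1)
        if len(parts) < 2:
            continue
        key, rest = parts
        if name == "rtpmap":
            rtpmap[key] = rest.split("/")[0].lower()
        elif name == "fmtp":
            m = re.search(r"(?:^|;)\s*apt=(\d+)", rest)
            if m:
                apt[key] = m.group(1)
        elif name == "rtcp-fb" and rest.strip() == "nack":
            nack.add(key)                # generic NACK only, not "nack pli"
        elif name == "extmap":
            extmaps.add(rest.split()[0])

    findings = []
    # Point J: a dynamic payload type (96-127) on the m= line needs an rtpmap.
    for pt in fmts:
        if pt.isdigit() and int(pt) >= 96 and pt not in rtpmap:
            findings.append(("PT_UNDEFINED", pt))
    # Point K: apt= marks a retransmission payload, so it must map to rtx.
    for pt in apt:
        if rtpmap.get(pt) != "rtx":
            findings.append(("APT_ON_NON_RTX", pt))
    # Point L: each rtx payload needs a valid apt target with NACK enabled.
    rtx_pts = [pt for pt in fmts if rtpmap.get(pt) == "rtx"]
    for pt in rtx_pts:
        target = apt.get(pt)
        if target is None:
            findings.append(("RTX_NO_APT", pt))
        elif target not in fmts:
            findings.append(("RTX_APT_UNKNOWN", pt))
        elif "*" not in nack and target not in nack:
            findings.append(("RTX_NO_NACK", pt))
    # Point H: with RID in use, RTX streams need repaired-rtp-stream-id too.
    if rtx_pts and RID in extmaps and REPAIRED_RID not in extmaps:
        findings.append(("NO_REPAIRED_RID", ""))
    return findings


def check_sdp(sdp):
    """Return [(media_index, code, payload_type)] across all m= sections."""
    return [(i, code, pt)
            for i, (m_line, attrs) in enumerate(media_sections(sdp))
            for code, pt in check_section(m_line, attrs)]


# Constructed sample: an answer carrying the kinds of defects the review lists.
BAD_ANSWER = """\
v=0
m=audio 9 UDP/TLS/RTP/SAVPF 109
a=rtpmap:109 opus/48000/2
m=video 9 UDP/TLS/RTP/SAVPF 98 100 101 103
a=extmap:3 urn:ietf:params:rtp-hdrext:sdes:rtp-stream-id
a=rtpmap:98 VP8/90000
a=rtpmap:101 VP8/90000
a=fmtp:101 apt=98
a=rtpmap:103 rtx/90000
a=fmtp:103 apt=98
"""

# Constructed sample: the same video section with the defects corrected.
FIXED_ANSWER = """\
m=video 9 UDP/TLS/RTP/SAVPF 98 103
a=extmap:3 urn:ietf:params:rtp-hdrext:sdes:rtp-stream-id
a=extmap:4 urn:ietf:params:rtp-hdrext:sdes:repaired-rtp-stream-id
a=rtpmap:98 VP8/90000
a=rtcp-fb:98 nack
a=rtcp-fb:98 nack pli
a=rtpmap:103 rtx/90000
a=fmtp:103 apt=98
"""

if __name__ == "__main__":
    for finding in check_sdp(BAD_ANSWER):
        print(finding)
```
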


From nobody Fri Jul 27 17:42:56 2018
Return-Path: <sean@sn3rd.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36125130DF0 for <rtcweb@ietfa.amsl.com>; Fri, 27 Jul 2018 17:42:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1w5oqgVbaJQg for <rtcweb@ietfa.amsl.com>; Fri, 27 Jul 2018 17:42:52 -0700 (PDT)
Received: from mail-qt0-x22e.google.com (mail-qt0-x22e.google.com [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34D4A130DDB for <rtcweb@ietf.org>; Fri, 27 Jul 2018 17:42:52 -0700 (PDT)
Received: by mail-qt0-x22e.google.com with SMTP id n6-v6so6892170qtl.4 for <rtcweb@ietf.org>; Fri, 27 Jul 2018 17:42:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=from:content-transfer-encoding:mime-version:subject:message-id:date :to; bh=tbOuX+lK/2yHOdMLolY3I21XiN8hSaLI7X4BOL7dw0I=; b=D/VF+FlidpYZBFpCqW6eRRCb2y2FV5ckor2AwJcVBzCC0wcy82sCcWV897MvPD9His MXtR6p3q1dBms+nOf4tiJNydfxZdEDQE7kFBOGh85GbKSpZq7tFSagm0CetFf3Oo8kxm OE1EHbAt0jdqzxDdotYYjb64UEPqhcubekpO4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:message-id:date:to; bh=tbOuX+lK/2yHOdMLolY3I21XiN8hSaLI7X4BOL7dw0I=; b=l5L0kCdg7nCcVNYaHIdppJXyhLC144NlFaiF6bItUvgZQg+e6nyxToZpUkFzX/+0Pf jbuHxAjkYW3uCI0EPcJa/uwingnkk/WmiyBZLhvkT6AS5YuTbwL4OJmeEJGP7u4BWZDA 8WiQQzBCpxaQg3udnN22pKjlEUeFj59nB0eBSXMiVcMQNTs9ftXlaIxTjp0xUFxpg+qU PKiijWBVyPayF3uM1YXTQ5/RxtBcjSedXojyxyWmwhLssmvPvsU84JV88jDoUa/6Gjrg Nz9XrF5G8AX6aVdByQx6KmY2g6ZcdOZFrQVVazcXjp4T9MFv8l63Fftso2icFcFPsfyM o+EA==
X-Gm-Message-State: AOUpUlHr1Cpbs9JitNSXxKE+sxYDrBXENcTqO5JEJ1vU3GL8jBrmFRCC 0x84CZhugqiy9pL5cq6QUwHjxX/zuFI=
X-Google-Smtp-Source: AAOMgpfPFtHXNXiNlF6aZioBufqloyNcrZNl3Y3cpvBtTVUQEfEVXHGE8wCJcbTyP8nSUoiMdW2nnA==
X-Received: by 2002:a0c:9692:: with SMTP id a18-v6mr7798787qvd.16.1532738571140;  Fri, 27 Jul 2018 17:42:51 -0700 (PDT)
Received: from [172.16.0.18] ([96.231.225.148]) by smtp.gmail.com with ESMTPSA id x41-v6sm4377466qtj.71.2018.07.27.17.42.50 for <rtcweb@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 27 Jul 2018 17:42:50 -0700 (PDT)
From: Sean Turner <sean@sn3rd.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Message-Id: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com>
Date: Fri, 27 Jul 2018 20:42:49 -0400
To: RTCWeb IETF <rtcweb@ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/5QrrFeScOXo6cTXQHgRF7kQ5Bqk>
Subject: [rtcweb] WG adoption call: draft-mdns-ice-candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 00:42:54 -0000

The consensus in the RFCWEB@IETF102 room was that the WG should adopt
https://datatracker.ietf.org/doc/draft-mdns-ice-candidates/ as a WG
item. But, we need to confirm this on list.  If you would like for this
draft to become a WG document and you are willing to review it as it
moves through the process, then please let the list know by 2359UTC
20180810.  If you are opposed to this being a WG document, please say so
(and say why).

Note that the draft has been marked as a “Call for Adoption by
WG Issued” in the datatracker.

Thanks - spt


From nobody Fri Jul 27 17:44:28 2018
Return-Path: <ietf-secretariat-reply@ietf.org>
X-Original-To: rtcweb@ietf.org
Delivered-To: rtcweb@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id AFA6B130E87; Fri, 27 Jul 2018 17:44:26 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
To: <draft-mdns-ice-candidates@ietf.org>, <rtcweb@ietf.org>, <rtcweb-chairs@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.83.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <153273866671.32518.18087982358291259698.idtracker@ietfa.amsl.com>
Date: Fri, 27 Jul 2018 17:44:26 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/U5lV4-rZY_FXGKpSha1okxsUwz8>
Subject: [rtcweb] The RTCWEB WG has placed draft-mdns-ice-candidates in state "Call For Adoption By WG Issued"
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 00:44:27 -0000

The RTCWEB WG has placed draft-mdns-ice-candidates in state
Call For Adoption By WG Issued (entered by Sean Turner)

The document is available at
https://datatracker.ietf.org/doc/draft-mdns-ice-candidates/


From nobody Fri Jul 27 17:48:48 2018
Return-Path: <shivankaul.1993@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDCF8130E36 for <rtcweb@ietfa.amsl.com>; Fri, 27 Jul 2018 17:48:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level: 
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Gwh8REFZx3D for <rtcweb@ietfa.amsl.com>; Fri, 27 Jul 2018 17:48:44 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFC8D130DF0 for <rtcweb@ietf.org>; Fri, 27 Jul 2018 17:48:43 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id r13-v6so5835736ljg.10 for <rtcweb@ietf.org>; Fri, 27 Jul 2018 17:48:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SqgATRSMl+Itq8QXfgNno4AC8MV5WIaXHzIrYTiXJus=; b=uLkx0R5US12aQei1NiYk9zrsXYjiWlF62UvQW8T664TWfylkHdoZ2PTsdiRFLKBAFN ZePT/mcK9UujdLEgMGgLVkiSDm/+MpnMCiLjZk2m7iZ3YND95w2Qq2zOd/+qlEcFTdCB hIEo57XLMrbZlOIPi5XrS+UYFgJ0ymkUyLqBdkzeTanxdhwcidRo9REw/WFm7JnMbG6I Dc5pTEgbNLmsVn1Xm1zrDlJhCdsUiWze32u9FLeanImbTf/dgRUGnxxjKebPLfspOJHL qxlrUeZ3Yi2kMcQaN+1pk6IoXjVEjfu8teU61WnxUf2lqXHiEv9inpW9CPDaBPrAv0NF cfEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SqgATRSMl+Itq8QXfgNno4AC8MV5WIaXHzIrYTiXJus=; b=F73EHUN7K+kHXxjbj9U1KIH7/0xMvsu9t282hvglutRiOL+v0Wbt3oz5kUzCEGr97R R5C+i9qhCgM3yt6khJt+AWF2tzOXpzQrgKrMtD6TLsz5Pie5AQC+I3XBeuU5n+8AmHdo iR6DXFoQGE9nnxZQ5bptEbXy5Zm6ibDkgiTIn1DQCcq9w1lzEt+b2lbVkLqEkaljlXR1 mBe+WpMlSjDNfdxYZnflFLInuf51E+s9xCbpEpjiCOA7WGbAK01aRCNZzbf6E00h39Ab 0OaPlZX8nNm64YZ/f8xILsLGcWJvUwod0fFKXPJaKVIyIEVteaVrS0XTRexJtea9mc1G RacA==
X-Gm-Message-State: AOUpUlEBwgJ+urwDDIGzX/o2qV1YRSY8w7ArrosBRmJT0BmpuJXwIwhX LfXykCs16mRddJibhm1mmXeEXfbIXasnJrjIsx5iR0Vp
X-Google-Smtp-Source: AAOMgpeIQrAOTh5jWqDs37DQIXWC/XGQu/yh2y074bZJmCigVulwSKUplmS3DD3hlg29Fm+ZPtrNMvqINRjiEe3Wr/k=
X-Received: by 2002:a2e:83cf:: with SMTP id s15-v6mr6174798ljh.117.1532738921691;  Fri, 27 Jul 2018 17:48:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:9718:0:0:0:0:0 with HTTP; Fri, 27 Jul 2018 17:48:01 -0700 (PDT)
In-Reply-To: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com>
References: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com>
From: Shivan <shivankaul.1993@gmail.com>
Date: Fri, 27 Jul 2018 17:48:01 -0700
Message-ID: <CAG3f7Mgy8Ds+U5h54B92-XuWv2DXdHQQTi2zRPs0S8xyTkq37Q@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Cc: RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f5fda10572049694"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/leBhRXKy6QT_GfGZmkUWSDEC70s>
Subject: Re: [rtcweb] WG adoption call: draft-mdns-ice-candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 00:48:46 -0000

--000000000000f5fda10572049694
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Support adoption, and would be willing to review.

On Fri, Jul 27, 2018 at 5:42 PM, Sean Turner <sean@sn3rd.com> wrote:

> The consensus in the RFCWEB@IETF102 room was that the WG should adopt
> https://datatracker.ietf.org/doc/draft-mdns-ice-candidates/ as a WG item.
> But, we need to confirm this on list.  If you would like for this draft to
> become a WG document and you are willing to review it as it moves through
> the process, then please let the list know by 2359UTC 20180810.  If you are
> opposed to this being a WG document, please say so (and say why).
>
> Note that the draft has been marked as a “Call for Adoption by WG Issued”
> in the datatracker.
>
> Thanks - spt
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>

--000000000000f5fda10572049694--


From nobody Fri Jul 27 20:59:31 2018
Return-Path: <nohlmeier@mozilla.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1B41131059 for <rtcweb@ietfa.amsl.com>; Fri, 27 Jul 2018 20:59:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mozilla.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QVzsh8Dem5as for <rtcweb@ietfa.amsl.com>; Fri, 27 Jul 2018 20:59:27 -0700 (PDT)
Received: from mail-pl0-x22d.google.com (mail-pl0-x22d.google.com [IPv6:2607:f8b0:400e:c01::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C646131048 for <rtcweb@ietf.org>; Fri, 27 Jul 2018 20:59:27 -0700 (PDT)
Received: by mail-pl0-x22d.google.com with SMTP id m1-v6so3102892plt.6 for <rtcweb@ietf.org>; Fri, 27 Jul 2018 20:59:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google;  h=from:mime-version:subject:date:references:to:in-reply-to:message-id;  bh=9YXHDKQvyusJhC5BTqb8VRnbcJob0JzRJhVqoSh7YMw=; b=c4SJSVI9w/jkQJEARPHGGNdd7VmXTTsknlhORKlAfYjeGI3UIwuY9+ni5KUjaf/XQz NkLGTRcPSOPAlRH3L4DQ74c8BG5P/PtdQ9yCdH+myKS4Rc7hISk9WO6tpFFabs8YF8Zj S6kJONwBusQyaXDkFWYUm7jKIt+k+rYM1Lwp0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=9YXHDKQvyusJhC5BTqb8VRnbcJob0JzRJhVqoSh7YMw=; b=bQgov9jzbcWPLCyXCDLgzX8xiTljzROaYyGmBpdeilytPjhhSKpCi2p4piKff1veXz Gf9zSts2HjRpY2mcOtMqyGJhLrPvUD+9Xn8ctxf5EP7In6838XPV7T4TsIDc5WdJbh5A 8rpLpDej9dHDW44UWSKFLlwgLFHlSgyyY3UJWfnq7qcbBws7WDu8Gs9AkKNLO2QnpFeu av9iUXt6oHSPGUM+lgz2jacK44SG2b5uybaIcXGep1ZrfPonDbgCMnrTDfNY0p9ibXX3 M5ANez3agnsidVh6CzvPm5nWEVsmFTvTVpuMQsKHH2J92r/3KIaeODT0m3q04fedDom7 7KNw==
X-Gm-Message-State: AOUpUlG02EqAFfHttzfl/iskFnrBvRxeLcOiH0tbIUmTkdYs8yEQbx7Y twnz+z3Q0bJ6akuv2KJoPDRSMBRJOxo=
X-Google-Smtp-Source: AAOMgpcdxiQqxYkCGIZzUZ8wlJK8Avcphj4M1amxAS0vXaaCNoaAca3m/Ty3f68o5DDf64mltndJGg==
X-Received: by 2002:a17:902:a989:: with SMTP id bh9-v6mr8464462plb.245.1532750366091;  Fri, 27 Jul 2018 20:59:26 -0700 (PDT)
Received: from ?IPv6:2601:647:4600:3f31:dc49:f557:255f:a62b? ([2601:647:4600:3f31:dc49:f557:255f:a62b]) by smtp.gmail.com with ESMTPSA id k6-v6sm6736055pgc.71.2018.07.27.20.59.24 for <rtcweb@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 27 Jul 2018 20:59:24 -0700 (PDT)
From: Nils Ohlmeier <nohlmeier@mozilla.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_DA5ACB0A-6C9F-4AD3-A98C-F8027425994D"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 27 Jul 2018 20:59:22 -0700
References: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com>
To: RTCWeb IETF <rtcweb@ietf.org>
In-Reply-To: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com>
Message-Id: <A403202C-0352-4A59-A3EE-9A8175473D55@mozilla.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/SV2eWfT2gYnEPsqwg-Do0c3gZB4>
Subject: Re: [rtcweb] WG adoption call: draft-mdns-ice-candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 03:59:29 -0000

--Apple-Mail=_DA5ACB0A-6C9F-4AD3-A98C-F8027425994D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I support adoption as a WG document and I’m willing to review.

  Nils Ohlmeier

> On Jul 27, 2018, at 17:42, Sean Turner <sean@sn3rd.com> wrote:
>
> The consensus in the RFCWEB@IETF102 room was that the WG should adopt
> https://datatracker.ietf.org/doc/draft-mdns-ice-candidates/ as a WG
> item. But, we need to confirm this on list.  If you would like for this
> draft to become a WG document and you are willing to review it as it
> moves through the process, then please let the list know by 2359UTC
> 20180810.  If you are opposed to this being a WG document, please say so
> (and say why).
>
> Note that the draft has been marked as a “Call for Adoption by
> WG Issued” in the datatracker.
>
> Thanks - spt
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb


--Apple-Mail=_DA5ACB0A-6C9F-4AD3-A98C-F8027425994D--


From nobody Sat Jul 28 03:10:14 2018
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1EA9130E21 for <rtcweb@ietfa.amsl.com>; Sat, 28 Jul 2018 03:10:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level: 
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QU5b8v-JH6hK for <rtcweb@ietfa.amsl.com>; Sat, 28 Jul 2018 03:10:09 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B555130E14 for <rtcweb@ietf.org>; Sat, 28 Jul 2018 03:10:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1532772606; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=FO2wOuxtFEjpFr2j65EokU9sGelUHF2w3J5VYDBgDwE=; b=am9q9pp1pB75LlqX2yULJXUr3w8+4wEIcxc44AZ62FoqJho5AB52mWEBSH/kWlEC aGap5LmJqqVsBq4wkT1KBtRCR3DwIIsyP/xO6Z5OOyuGNUdcxXVm4AajJPC85w1Y M+jNvtWripM7KMJE4DwRbuJCcEcJA9xcXZP3aj5G6l4=;
X-AuditID: c1b4fb25-b05ff70000006cb9-98-5b5c40fe7d8f
Received: from ESESBMB501.ericsson.se (Unknown_Domain [153.88.183.114]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id CC.7C.27833.EF04C5B5; Sat, 28 Jul 2018 12:10:06 +0200 (CEST)
Received: from ESESBMB503.ericsson.se (153.88.183.170) by ESESBMB501.ericsson.se (153.88.183.168) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Sat, 28 Jul 2018 12:10:05 +0200
Received: from ESESBMB503.ericsson.se ([153.88.183.186]) by ESESBMB503.ericsson.se ([153.88.183.186]) with mapi id 15.01.1466.003; Sat, 28 Jul 2018 12:10:05 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Sean Turner <sean@sn3rd.com>, RTCWeb IETF <rtcweb@ietf.org>
Thread-Topic: [rtcweb] WG adoption call: draft-mdns-ice-candidates
Thread-Index: AQHUJgvztDAqqnNgKU61Ukau0VYD2qSkZb7g
Date: Sat, 28 Jul 2018 10:10:05 +0000
Message-ID: <11b6f595e3104b8fa70de30a82e09571@ericsson.com>
References: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com>
In-Reply-To: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [153.88.183.153]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/dIzePElM87OZrvU60nsYg7BF5GI>
Subject: Re: [rtcweb] WG adoption call: draft-mdns-ice-candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 10:10:13 -0000


From nobody Sat Jul 28 04:55:52 2018
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF1D4130EF4 for <rtcweb@ietfa.amsl.com>; Sat, 28 Jul 2018 04:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level: 
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rgOFh90-6g2g for <rtcweb@ietfa.amsl.com>; Sat, 28 Jul 2018 04:55:48 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E2D2130ED9 for <rtcweb@ietf.org>; Sat, 28 Jul 2018 04:55:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1532778946; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=+5s7IrxXYB33qskalGWLeSSUOmjsJ9vSnE5ZHTW75FY=; b=M9FTvjDV03MTMM396WTGBWEaDs/3X/nevy4SGtqRK94s4cjNmsNtRjv00qXuNKL9 vUlq0dF+/DMufXhdBiSHMliTen2uXVXU5Mp4kCrZcOsZkfXGuiAL1zAeuSDLqkFg 8AK7B+oG2N03X0zJZ/ts7dpFa/YmJbJyaD/CuICERIY=;
X-AuditID: c1b4fb30-1dfff700000059c2-e0-5b5c59c2ba24
Received: from ESESSMB503.ericsson.se (Unknown_Domain [153.88.183.121]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 2A.39.22978.2C95C5B5; Sat, 28 Jul 2018 13:55:46 +0200 (CEST)
Received: from ESESBMB503.ericsson.se (153.88.183.170) by ESESSMB503.ericsson.se (153.88.183.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Sat, 28 Jul 2018 13:55:45 +0200
Received: from ESESBMB503.ericsson.se ([153.88.183.186]) by ESESBMB503.ericsson.se ([153.88.183.186]) with mapi id 15.01.1466.003; Sat, 28 Jul 2018 13:55:45 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Sean Turner <sean@sn3rd.com>, RTCWeb IETF <rtcweb@ietf.org>
Thread-Topic: [rtcweb] WGLC for draft-ietf-rtcweb-sdp - Christer's review
Thread-Index: AdQlFBFCoeP2SB4qTiyupXfADLWxPg==
Date: Sat, 28 Jul 2018 11:55:45 +0000
Message-ID: <cd59ef13e9474d9192f8604715252037@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [153.88.183.153]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/xv2LiYJzV44UOUG9Qxr8EuSzaZc>
Subject: Re: [rtcweb] WGLC for draft-ietf-rtcweb-sdp - Christer's review
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 11:55:50 -0000

Hi,

Here are my comments:

Q1: Regarding the ICE attributes (non-trickle), I think the draft shall reference draft-ietf-mmusic-ice-sip-sdp.

Q2: I think the examples shall include the 'ice2' ice-options value (defined in RFC 8445), to indicate that aggressive nomination is not supported.

Yes, this again brings up the what-ICE-version-to-reference-question. All the other ICE related drafts in the examples reference (directly or indirectly) RFC 8445.

Regards,

Christer

-----Original Message-----
From: rtcweb [mailto:rtcweb-bounces@ietf.org] On Behalf Of Sean Turner
Sent: 26 July 2018 21:10
To: RTCWeb IETF <rtcweb@ietf.org>
Subject: [rtcweb] WGLC for draft-ietf-rtcweb-sdp

All,

This is the working group last call for the "Annotated Example SDP for WebRTC" draft available at https://datatracker.ietf.org/doc/draft-ietf-rtcweb-sdp/.  Please review the document and send your comments to the list by 2359 UTC on 17 August 2018.

Thanks - spt
_______________________________________________
rtcweb mailing list
rtcweb@ietf.org
https://www.ietf.org/mailman/listinfo/rtcweb


From nobody Tue Jul 31 16:57:38 2018
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F32D0130EA3 for <rtcweb@ietfa.amsl.com>; Tue, 31 Jul 2018 16:57:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.61
X-Spam-Level: 
X-Spam-Status: No, score=-15.61 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IEuhQik4Kmg6 for <rtcweb@ietfa.amsl.com>; Tue, 31 Jul 2018 16:57:34 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3DDC128CF3 for <rtcweb@ietf.org>; Tue, 31 Jul 2018 16:57:34 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id v71-v6so6889115itb.3 for <rtcweb@ietf.org>; Tue, 31 Jul 2018 16:57:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QySgDP9CO5de/gEit0ko6+Qe/eSpmJnrinQoCEVEV/0=; b=WYpbeD1E7Js/lNA3F4MKVQXrKttiJyrgY40NF1yPZjl2GHMmsAmolxlSWz7P4f/42p PvjNOI5MqsPgNy6hNyVB9T80cHhwRmRIFoP2aWJgCaVbFlV+AnQepfOI5mG8MzKo57tA EMt4KkJpebS0L2j/3XzZuXUuwxg2MvZuxSb7zwZh8A0B7ZV9UFgFgVo7l/bFS/91JMev pjufln58ukxBGkjS63ycZBYTCEidLEk7LC483u2L/3zaa9FTMQhXBkZrx2JkU3T6T8Z3 h/zp3BCaFzCQ7auOhoZqXgKJLPLOOZvfGJZnNhjmOkrWJRb/59oLIioTl/PizkSJgS6s 3W/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QySgDP9CO5de/gEit0ko6+Qe/eSpmJnrinQoCEVEV/0=; b=PX8e1lZ0l1Q+CbDAYu8Iw30N36XPH4Ss1UcOq9T03YyynigAl+7pxAXVtKuZK4NRsi e3Y7zTDn76RUoRq0mMwUrvy5xJliHBv3YdDP1W0jhcT8J8cSQnvc0GF8MghXHibQmoPF xgmecJppiHplpTmnJS8Q8UFm/vjLx7sA/X5IvfPxZ58n93aSDmX4a/JS0/ypQHnH3Hzg Sxbek2eX6cmxRaKwx8Bga2xPk7N19NHOmhbEMa2IymcOo+yhaxTI7dFKWHejmQJPX7aj KgQSEmpkwKWK5RCQx+4x8N9KpQ7Sd2StcjpZOawa5YWWfjKpzkDV+g+hMlxsJyR8wsvo G9xQ==
X-Gm-Message-State: AOUpUlGTnOvZaYMNegXneWL1pCc8MW2QC69XN2pZvbX8X/xiO7A+r8VX Gzqxl6hA5CZYdyDEEjn6qiGM38Pthy6rX4PGT02FSw==
X-Google-Smtp-Source: AAOMgpeMCerIsZWKKO51DybOL9gQ47NvUnbgB8dPtUMEFMC2KOFb1JJ35KkXzgL9Axd7wt5jDX56bbymekU92bIm3vc=
X-Received: by 2002:a24:19d5:: with SMTP id b204-v6mr1541977itb.25.1533081453485;  Tue, 31 Jul 2018 16:57:33 -0700 (PDT)
MIME-Version: 1.0
References: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com>
In-Reply-To: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com>
From: Justin Uberti <juberti@google.com>
Date: Tue, 31 Jul 2018 16:57:21 -0700
Message-ID: <CAOJ7v-2T4ggsuuiuOXMB6Oms-qxkN7S6qdQeYyXbZPeDTG7+7g@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Cc: RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000073044605725457df"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/W6lbYwyIEkUImTKJhvteAc2nn_A>
Subject: Re: [rtcweb] WG adoption call: draft-mdns-ice-candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jul 2018 23:57:37 -0000

--00000000000073044605725457df
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I agree that we should take on this work.

I believe that we will need a separate doc that updates rtcweb/ip-handling
(either as an extension, or a -bis) to include support for mDNS candidates.
Do we expect that draft-mdns-ice-candidates will become that doc, or that
it will stay as an independent item devoted specifically to the mDNS
technique?

On Fri, Jul 27, 2018 at 5:43 PM Sean Turner <sean@sn3rd.com> wrote:

> The consensus in the RFCWEB@IETF102 room was that the WG should adopt
> https://datatracker.ietf.org/doc/draft-mdns-ice-candidates/ as a WG item.
> But, we need to confirm this on list.  If you would like for this draft to
> become a WG document and you are willing to review it as it moves through
> the process, then please let the list know by 2359UTC 20180810.  If you are
> opposed to this being a WG document, please say so (and say why).
>
> Note that the draft has been marked as a “Call for Adoption by WG Issued”
> in the datatracker.
>
> Thanks - spt

--00000000000073044605725457df--


From nobody Tue Jul 31 17:03:46 2018
MIME-Version: 1.0
References: <CF938109-02C6-4950-A485-A41D07928B41@sn3rd.com> <11b6f595e3104b8fa70de30a82e09571@ericsson.com>
In-Reply-To: <11b6f595e3104b8fa70de30a82e09571@ericsson.com>
From: Justin Uberti <juberti@google.com>
Date: Tue, 31 Jul 2018 17:03:29 -0700
Message-ID: <CAOJ7v-2gp=Eu-q=twCWeueYtW7Vr61r8-=L5O7j4Vn8fkBZcLQ@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Sean Turner <sean@sn3rd.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000059b6050572546de0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/JymX3WhY7tVPzxHKNZwRnwP-tOI>
Subject: Re: [rtcweb] WG adoption call: draft-mdns-ice-candidates

--00000000000059b6050572546de0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Regarding DNS resolution and associated complexity, I think we can sidestep
most of that here in rtcweb given that we will be mandating 1:1 mapping
between foo.local names and IP addresses.

IOW, the mDNS name is simply an alias for the IP, and therefore the
questions noted below are answered easily for this particular situation.

We can continue to discuss the general case of this problem in mmusic.

On Sat, Jul 28, 2018 at 3:10 AM Christer Holmberg <
christer.holmberg@ericsson.com> wrote:

> Hi,
>
> In Montreal this was discussed in MMUSIC, and the outcome was that this
> will require more work, in MMUSIC or ICE.
>
> I have also given some input why I think ICE support of FQDNs in general
> (not specific to mDNS) requires more work.
>
> For example, as an FQDN can be associated with multiple IP addresses, does
> that mean that the endpoint providing the FQDN will create separate "sub
> candidates" for each IP address that the FQDN can resolve to (as a
> candidate per definition is associated with ONE transport (IP address +
> port + protocol))? If so, each of those local candidates may end up in
> different foundations, some may be pruned (or removed because of other
> reasons). In addition, is the endpoint supposed to send checks on each of
> these candidates? For how long will it maintain them? Etc etc etc.
>
> The concept of "multi-address candidates" is a new thing, currently not
> covered by the ICE specifications.
>
> Now, IF we assume a "FQDN candidate" will only resolve to one IP address,
> the issue is easier to solve, but based on comments from others we cannot
> make that assumption.
>
> So, while I do not object to working on support of mDNS in ICE, my
> suggestion would be that the ADs, and the RTCWEB/MMUSIC/ICE chairs, discuss
> on how to move forward, before we adopt this draft.
>
> Regards,
>
> Christer
>
>
> -----Original Message-----
> From: rtcweb [mailto:rtcweb-bounces@ietf.org] On Behalf Of Sean Turner
> Sent: 28 July 2018 03:43
> To: RTCWeb IETF <rtcweb@ietf.org>
> Subject: [rtcweb] WG adoption call: draft-mdns-ice-candidates
>
> The consensus in the RTCWEB@IETF102 room was that the WG should adopt
> https://datatracker.ietf.org/doc/draft-mdns-ice-candidates/ as a WG item.
> But, we need to confirm this on list.  If you would like for this draft to
> become a WG document and you are willing to review it as it moves through
> the process, then please let the list know by 2359UTC 20180810.  If you are
> opposed to this being a WG document, please say so (and say why).
>
> Note that the draft has been marked as a “Call for Adoption by WG Issued”
> in the datatracker.
>
> Thanks - spt

--00000000000059b6050572546de0--
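
The 1:1 rule discussed in the message above, sketched as a receiving-side check (an added example, not code from the draft, the list, or any browser): a candidate whose `.local` name resolves to exactly one address is treated as an alias for that address, and anything else is dropped. The resolver table, the drop policy for multi-address and non-mDNS names, and all function names are assumptions made for illustration.

```javascript
// Added example: enforce a 1:1 name-to-address rule when consuming mDNS ICE candidates.
// RESOLVER_TABLE is constructed sample data standing in for mDNS query results.
const RESOLVER_TABLE = {
  "1f4712db-ea17-4bcf-a596-105139dfd8bf.local": ["192.0.2.10"],
  "multi-homed.local": ["192.0.2.20", "198.51.100.7"],
};

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Parse the fixed leading fields of an ICE candidate attribute (RFC 5245, section 15.1).
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
  };
}

// Classify the connection-address field: IP literal, mDNS name, or other FQDN.
function addressKind(addr) {
  const v4 = IPV4.exec(addr);
  if (v4 && v4.slice(1).every((o) => Number(o) <= 255)) return "ip";
  if (addr.includes(":")) return "ip"; // IPv6 literal; not validated further here
  return addr.toLowerCase().endsWith(".local") ? "mdns" : "fqdn";
}

// Returns { candidate, reason }; candidate is null when the candidate is dropped.
function resolveCandidate(line, lookup) {
  const cand = parseCandidate(line);
  if (!cand) return { candidate: null, reason: "unparseable" };
  const kind = addressKind(cand.address);
  if (kind === "ip") return { candidate: cand, reason: "literal" };
  // Assumed policy: general FQDN candidates are out of scope and dropped.
  if (kind === "fqdn") return { candidate: null, reason: "non-mdns-name" };
  const addrs = lookup(cand.address.toLowerCase()) || [];
  if (addrs.length !== 1) {
    // Zero answers: unresolvable. Several answers: the name is not a pure alias,
    // so foundation, pruning and connectivity-check handling would be ambiguous.
    return { candidate: null, reason: addrs.length ? "multiple-addresses" : "unresolved" };
  }
  return { candidate: { ...cand, address: addrs[0], mdnsName: cand.address }, reason: "resolved" };
}

// Synchronous stand-in for an mDNS query; a real resolver would be asynchronous.
const tableLookup = (name) => RESOLVER_TABLE[name];
```
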

