From owner-ipdvb@erg.abdn.ac.uk Mon Jun 05 08:45:40 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnESi-0007pU-Hq for ipdvb-archive@ietf.org; Mon, 05 Jun 2006 08:45:40 -0400 Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FnDO6-00036w-Hq for ipdvb-archive@ietf.org; Mon, 05 Jun 2006 07:36:50 -0400 Received: from dee.erg.abdn.ac.uk ([139.133.204.82] helo=erg.abdn.ac.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FnDCn-0005xO-1u for ipdvb-archive@ietf.org; Mon, 05 Jun 2006 07:25:13 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k55BJ7tq009223 for ; Mon, 5 Jun 2006 12:19:07 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k55BJ7Ti009222 for ipdvb-subscribed-users; Mon, 5 Jun 2006 12:19:07 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [10.0.1.95] (maxp24.dialup.abdn.ac.uk [139.133.201.183]) (authenticated bits=0) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k55BIHMS009152 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT) for ; Mon, 5 Jun 2006 12:18:52 +0100 (BST) User-Agent: Microsoft-Entourage/11.2.3.060209 Date: Fri, 02 Jun 2006 21:16:21 +0100 Subject: Re: Comments on draft-ietf-ipdvb-ar-03.txt From: Gorry Fairhurst To: Message-ID: Thread-Topic: Comments on draft-ietf-ipdvb-ar-03.txt Thread-Index: AcaGgWnEqDR1dPJ0EdqKgwAKlc/qXg== In-Reply-To: <9686D711-6E29-465D-AB34-D16E185FE409@netlab.nec.de> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -1.9 (-) X-Scan-Signature: bdc523f9a54890b8a30dd6fd53d5d024 Martin, other people on the list. Thank you very much for the feedback, your comments are useful and I have included responses on individual points in-line. The biggest issue is exactly as you say. This document now reads more like a BCP on how IP AR relates to MPEG-2, and less of a framework document, as chartered (in the IETF frameworks are most often a type of requirements document). I'd be most happy to receive opinions on this: Does anyone in the WG have thoughts on what could/should be added/changed? As one of the authors, it seems we may have used all the material we have. If anyone else believes they have an interest and energy to participate in taking this work forward, please do let us know quickly, so that we can shape the document appropriately! Gorry On 31/5/06 15:39, "Martin Stiemerling" wrote: > Dear All, > > I have read the draft Address Resolution for IP Datagrams over > MPEG-2 Networks (draft-ietf-ipdvb-ar-03.txt) and got to some > questions. > > Some nits: > - In Section 6.2, 6.3, and 6.4 it reads that the Ethernet Type > (EtherType) is > IANA assigned. This is IMO wrong, since the Ethernet Types are > allocated > by the IEEE. IANA only maintains a list of used (or once seen) types > (http://www.iana.org/assignments/ethernet-numbers). > Indeed, we shall address this in the next rev. > - The section heading of 5.1 is too long, i.e., it is wrapped into > two lines. > > - I assume the document should be the part on Submit AR Framework to > IESG of the WG charter. If so, it would be good if the document > title or > the introduction would reflect this. > > Overall comments: > > As stated in the above section about nits, I assume the document should > give the framework of address resolution for IP datagrams over MPEG-2 > networks. > Understood. > The document gives an excellent overview about the actuall problem > to be solved and the existing address resolution mechanisms in the IP > world plus their mapping to MPEG-2 networks. The coverage of not only > one technology but the inclusion of DVB, ATSC, DOCSIS and the > respective variants in system tables is very helpful to understand > the problem space and the trickiness of a fits all solution :-) > > After reading the whole document I have been nevertheless confused > about it. When reading the title, I would expect a solution and after > reading the document I did not know what the real conclusion of > the document is. There are recommendations for the single > technologies/techniques, which are fully OK, but what would be the > next steps towards the address resolution solution? Can we reuse > the existing protocols or do we need to go ahead with a new > AR protocol (as the WG charter would let assume)? > > Kind Regards, > > Martin Stiemerling > > NEC Europe Ltd. -- Network Laboratories stiemerling@netlab.nec.de > PGP Key at: http://www.stiemerling.org/stiemerling_nec.gpg > WWW: http://www.netlab.nec.de > > From owner-ipdvb@erg.abdn.ac.uk Wed Jun 07 09:23:40 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fny0a-0003Np-8z for ipdvb-archive@ietf.org; Wed, 07 Jun 2006 09:23:40 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fny0Z-0000Gw-Op for ipdvb-archive@ietf.org; Wed, 07 Jun 2006 09:23:40 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k57DDwOb024449 for ; Wed, 7 Jun 2006 14:13:58 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k57DDwSS024448 for ipdvb-subscribed-users; Wed, 7 Jun 2006 14:13:58 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [139.133.207.163] (dhcp-207-163.erg.abdn.ac.uk [139.133.207.163]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k57DDp0m024431 for ; Wed, 7 Jun 2006 14:13:51 +0100 (BST) Message-ID: <4486D10F.8090603@erg.abdn.ac.uk> Date: Wed, 07 Jun 2006 14:13:51 +0100 From: Gorry Fairhurst Organization: University of Aberdeen, UK User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ipdvb@erg.abdn.ac.uk Subject: Repost: DVB-S2 GSE and IPv6 DAD Content-Type: text/plain; charset=ISO-8859-1; format=flowed X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by erg.abdn.ac.uk id k57DDwOb024449 X-Spam-Score: -2.8 (--) X-Scan-Signature: 3971661e40967acfc35f708dd5f33760 Thanks Tina, I'm forwarding this to the ipdvb list, although the context of your=20 email was DVB/S.2 (i.e. GSE) the issues you raise seem to be more=20 generic to the use of multicast with UDLR, and I think should be=20 discussed on this list and addressed in the chartered work on=20 address-resolution, i.e. in a revision to: draft-ietf-ipdvb-ar-03.txt Thoughts? Gorry Tina Strauf wrote: > Dear Gorry, > > I am very sorry, this took so long. But as promised in the following I > will try to summarize the results on the problem of GSE and IPv6 DAD w= e > discussed at DVB-GBS during the meeting we had on May 9th/10th. > > 1) Scenario: > > A DVB-S2 (terminal/set-top-box) receives regular (unicast) downstream > IP traffic via DVB-S2. The return-channel is similarly unidirectional > and configured in such a way, that downlink and return link "emulate" > one bidirectional link with only one link-layer and respectively > IP-layer interface on each side. This can be achieved i.e. by > implementing RFC 3077. > > 2) Problem Statement: > > 2.1 General > > A terminal sending out multicast packets to a group it is itself a > member of will also receive those packets (back) again, because on the > link layer they travel to the router/switch/tunnel-endpoint, where bot= h > the forward and return link are "fused" together, and are then relayed > down the DVB-S2 link (to possibly reach other receivers on the same > emulated link). Without a unique link-layer or IP-Layer source address > in the headers the terminal has then no way of knowing if the packets > were sent by itself or some other node. > > 2.2 In particular with regard to IPv6 DAD > > When performing IPv6 Duplicate Address Detection, a node sends out a > Neighbor Solicitation Message to the solicited node multicast address > for the address it wishes to configure. At this point this node itself > is also part of that multicast group and in our scenario receives its > own Neighbor Solicitation back again without being able to tell that t= he > message was the one it itself sent out (the IPv6 source address is the > unspecified address and a link-layer source address is not present in > the GSE header, if the original link-layer packet is not bridged (How > would the encapsulator know, when to bridge packets and when not?). > Regardless, we might not even know yet that the link-layer address is > unique (on the link) either, so the problem exists with or without > link-layer source field in the GSE header. > RFC 2462 actually mentions this problem and also offers the following > "advice": > > Implementor's Note: many interfaces provide a way for upper layers = to > selectively enable and disable the looping back of multicast packet= s. > The details of how such a facility is implemented may prevent > Duplicate Address Detection from working correctly. See the Append= ix > for further discussion. [not quoted here] > > The following tests identify conditions under which a tentative > address is not unique: > > - If a Neighbor Solicitation for a tentative address is > received prior to having sent one, the tentative address is a > duplicate. This condition occurs when two nodes run Duplicate > Address Detection simultaneously, but transmit initial > solicitations at different times (e.g., by selecting different > random delay values before transmitting an initial > solicitation). > > - If the actual number of Neighbor Solicitations received exceed= s > the number expected based on the loopback semantics (e.g., the > interface does not loopback packet, yet one or more > solicitations was received), the tentative address is a > duplicate. This condition occurs when two nodes run Duplicate > Address Detection simultaneously and transmit solicitations at > roughly the same time. > > So, if the receiver is implemented in such a way, that it counts sent > and received solicitations, compares the number and concludes that the > address is unique, if the same number was messages sent out as was > received, there only is a problem in case a message was lost or if two > receivers perform DAD for the same address at more or less the exact > same time. > > 3. "Results of Discussion" > > - For GBS the problem is particular to this scenario for integration o= f > DVB downlinks into an IPv6 network, meaning this particular > implementation of the return link. > - The problem is exactly the same with MPE and ULE. > - The problem is actually neither specific to GSE nor ULE or MPE but i= n > general exists in all cases in which looped back multicast packets > cannot be prevented/recognized by a network node. (Develop "IPv6 over > ***" for such a case?). > - A mandatory GSE link-layer source address field would only help, if > the link-layer ID was 100% sure to be unique on the link. In that case > it would not only solve the DAD problem but the general problem of > recognizing looped back MC packets. > > 4. Conclusion > > - No change to GSE will be made > - because the problem isn't really solved just with the address > field present, if we can't be absolutely sure that the ll-ID is unique > (link-layer dependent operational issue). > - because the problem is the same with ULE/MPE > - because we need GSE now! > - When/If IPDVB develops a solution for ULE, it can be adopted for GSE > as well. > - The issue might be mentioned in an informational annex of the GSE sp= ec. > > Please feel free to forward this e-mail to IPDVB on behalf of DVB > TM-GBS. Comments are of course welcome. > > Best Regards, > > Tina Strauf (on behalf of DVB TM-GBS) > > > -- > Tina Strauf > Institut f=FCr Nachrichtentechnik > Technische Universit=E4t Braunschweig > (Institute for Communications Technology > Braunschweig Technical University) > > Fon: +49 531 391 2417 > Fax: +49 531 391 5192 > E-Mail: strauf@ifn.ing.tu-bs.de > > Schleinitzstra=DFe 22 > D-38106 Braunschweig > From owner-ipdvb@erg.abdn.ac.uk Thu Jun 08 06:47:03 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FoI2Z-0003B8-OJ for ipdvb-archive@ietf.org; Thu, 08 Jun 2006 06:47:03 -0400 Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FoHPe-0008C8-KO for ipdvb-archive@ietf.org; Thu, 08 Jun 2006 06:06:50 -0400 Received: from dee.erg.abdn.ac.uk ([139.133.204.82] helo=erg.abdn.ac.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FoHAT-0003CU-NZ for ipdvb-archive@ietf.org; Thu, 08 Jun 2006 05:51:11 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k589i2WT027219 for ; Thu, 8 Jun 2006 10:44:02 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k589i2u5027218 for ipdvb-subscribed-users; Thu, 8 Jun 2006 10:44:02 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from istanbul.uab.es (istanbul.uab.es [158.109.168.138]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k589hnVx027158 for ; Thu, 8 Jun 2006 10:43:49 +0100 (BST) Received: from istanbul.uab.es (localhost [127.0.0.1]) by istanbul.uab.es (Sun Java System Messaging Server 6.1 HotFix 0.10 (built Jan 6 2005)) with ESMTP id <0J0J008PZCF6WN60@istanbul.uab.es> for ipdvb@erg.abdn.ac.uk; Thu, 08 Jun 2006 11:45:06 +0200 (CEST) Received: from [127.0.0.1] ([158.109.69.162]) by istanbul.uab.es (Sun Java System Messaging Server 6.1 HotFix 0.10 (built Jan 6 2005)) with ESMTP id <0J0J008E9CF59500@istanbul.uab.es> for ipdvb@erg.abdn.ac.uk; Thu, 08 Jun 2006 11:45:06 +0200 (CEST) Date: Thu, 08 Jun 2006 11:43:00 +0200 From: Fausto Vieira Subject: Re: Repost: DVB-S2 GSE and IPv6 DAD In-reply-to: <4486D10F.8090603@erg.abdn.ac.uk> To: ipdvb@erg.abdn.ac.uk Message-id: <4487F124.2090403@sunaut.uab.es> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1; format=flowed References: <4486D10F.8090603@erg.abdn.ac.uk> User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by erg.abdn.ac.uk id k589i2WT027219 X-Spam-Score: -2.6 (--) X-Scan-Signature: a8041eca2a724d631b098c15e9048ce9 Just a couple of thoughts on this issue... DaD can be treated as a special case of multicast or a generic multicast=20 solution should be able to support DaD. The most compatible solution would be: - having source and destination MAC addresses on the encapsulation=20 protocol for multicast traffic. - having source and destination IPv6 addresses on the encapsulation=20 protocol for multicast traffic. - having a unique MAC address (at least from a upper layers point-of-view= ) - having a multicast reflector proxy at the hub. A more efficient solution would be: - solving multicast and DaD independently - having at the hub a proxy agent that would keep records of the DaD=20 packets and would reply in the name of the terminals. - having a module in the terminal that would match sent and received=20 multicast packets and emulate the loopback by inserting the source IP=20 address. I don't know if this solves the problem completely. best regards Fausto Gorry Fairhurst wrote: > Thanks Tina, > > I'm forwarding this to the ipdvb list, although the context of your=20 > email was DVB/S.2 (i.e. GSE) the issues you raise seem to be more=20 > generic to the use of multicast with UDLR, and I think should be=20 > discussed on this list and addressed in the chartered work on=20 > address-resolution, > > i.e. in a revision to: > draft-ietf-ipdvb-ar-03.txt > > Thoughts? > > Gorry > > Tina Strauf wrote: > > > Dear Gorry, > > > > I am very sorry, this took so long. But as promised in the following = I > > will try to summarize the results on the problem of GSE and IPv6 DAD = we > > discussed at DVB-GBS during the meeting we had on May 9th/10th. > > > > 1) Scenario: > > > > A DVB-S2 (terminal/set-top-box) receives regular (unicast) downstream > > IP traffic via DVB-S2. The return-channel is similarly unidirectional > > and configured in such a way, that downlink and return link "emulate" > > one bidirectional link with only one link-layer and respectively > > IP-layer interface on each side. This can be achieved i.e. by > > implementing RFC 3077. > > > > 2) Problem Statement: > > > > 2.1 General > > > > A terminal sending out multicast packets to a group it is itself a > > member of will also receive those packets (back) again, because on th= e > > link layer they travel to the router/switch/tunnel-endpoint, where bo= th > > the forward and return link are "fused" together, and are then relaye= d > > down the DVB-S2 link (to possibly reach other receivers on the same > > emulated link). Without a unique link-layer or IP-Layer source addres= s > > in the headers the terminal has then no way of knowing if the packets > > were sent by itself or some other node. > > > > 2.2 In particular with regard to IPv6 DAD > > > > When performing IPv6 Duplicate Address Detection, a node sends out a > > Neighbor Solicitation Message to the solicited node multicast address > > for the address it wishes to configure. At this point this node itsel= f > > is also part of that multicast group and in our scenario receives its > > own Neighbor Solicitation back again without being able to tell that=20 > the > > message was the one it itself sent out (the IPv6 source address is th= e > > unspecified address and a link-layer source address is not present in > > the GSE header, if the original link-layer packet is not bridged (How > > would the encapsulator know, when to bridge packets and when not?). > > Regardless, we might not even know yet that the link-layer address is > > unique (on the link) either, so the problem exists with or without > > link-layer source field in the GSE header. > > RFC 2462 actually mentions this problem and also offers the following > > "advice": > > > > Implementor's Note: many interfaces provide a way for upper=20 > layers to > > selectively enable and disable the looping back of multicast=20 > packets. > > The details of how such a facility is implemented may prevent > > Duplicate Address Detection from working correctly. See the=20 > Appendix > > for further discussion. [not quoted here] > > > > The following tests identify conditions under which a tentative > > address is not unique: > > > > - If a Neighbor Solicitation for a tentative address is > > received prior to having sent one, the tentative address is a > > duplicate. This condition occurs when two nodes run Duplicat= e > > Address Detection simultaneously, but transmit initial > > solicitations at different times (e.g., by selecting differen= t > > random delay values before transmitting an initial > > solicitation). > > > > - If the actual number of Neighbor Solicitations received excee= ds > > the number expected based on the loopback semantics (e.g., th= e > > interface does not loopback packet, yet one or more > > solicitations was received), the tentative address is a > > duplicate. This condition occurs when two nodes run Duplicate > > Address Detection simultaneously and transmit solicitations a= t > > roughly the same time. > > > > So, if the receiver is implemented in such a way, that it counts sent > > and received solicitations, compares the number and concludes that th= e > > address is unique, if the same number was messages sent out as was > > received, there only is a problem in case a message was lost or if tw= o > > receivers perform DAD for the same address at more or less the exact > > same time. > > > > 3. "Results of Discussion" > > > > - For GBS the problem is particular to this scenario for integration = of > > DVB downlinks into an IPv6 network, meaning this particular > > implementation of the return link. > > - The problem is exactly the same with MPE and ULE. > > - The problem is actually neither specific to GSE nor ULE or MPE but = in > > general exists in all cases in which looped back multicast packets > > cannot be prevented/recognized by a network node. (Develop "IPv6 over > > ***" for such a case?). > > - A mandatory GSE link-layer source address field would only help, if > > the link-layer ID was 100% sure to be unique on the link. In that cas= e > > it would not only solve the DAD problem but the general problem of > > recognizing looped back MC packets. > > > > 4. Conclusion > > > > - No change to GSE will be made > > - because the problem isn't really solved just with the address > > field present, if we can't be absolutely sure that the ll-ID is uniqu= e > > (link-layer dependent operational issue). > > - because the problem is the same with ULE/MPE > > - because we need GSE now! > > - When/If IPDVB develops a solution for ULE, it can be adopted for GS= E > > as well. > > - The issue might be mentioned in an informational annex of the GSE=20 > spec. > > > > Please feel free to forward this e-mail to IPDVB on behalf of DVB > > TM-GBS. Comments are of course welcome. > > > > Best Regards, > > > > Tina Strauf (on behalf of DVB TM-GBS) > > > > > > -- > > Tina Strauf > > Institut f=FCr Nachrichtentechnik > > Technische Universit=E4t Braunschweig > > (Institute for Communications Technology > > Braunschweig Technical University) > > > > Fon: +49 531 391 2417 > > Fax: +49 531 391 5192 > > E-Mail: strauf@ifn.ing.tu-bs.de > > > > Schleinitzstra=DFe 22 > > D-38106 Braunschweig > > > > From owner-ipdvb@erg.abdn.ac.uk Thu Jun 08 08:21:21 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FoJVo-0001HA-W2 for ipdvb-archive@ietf.org; Thu, 08 Jun 2006 08:21:20 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FoJVo-0005bw-D9 for ipdvb-archive@ietf.org; Thu, 08 Jun 2006 08:21:20 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k58C8GYv008918 for ; Thu, 8 Jun 2006 13:08:16 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k58C8GS9008917 for ipdvb-subscribed-users; Thu, 8 Jun 2006 13:08:16 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [139.133.207.163] (dhcp-207-163.erg.abdn.ac.uk [139.133.207.163]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k58C858J008901; Thu, 8 Jun 2006 13:08:05 +0100 (BST) Message-ID: <44881325.905@erg.abdn.ac.uk> Date: Thu, 08 Jun 2006 13:08:05 +0100 From: Gorry Fairhurst Organization: University of Aberdeen, UK User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ipdvb@erg.abdn.ac.uk CC: Tina Strauf Subject: Re: DVB: [TM-GBS] DVB-S2 GSE and IPv6 DAD References: <4486B2E7.6000407@gmx.de> In-Reply-To: <4486B2E7.6000407@gmx.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by erg.abdn.ac.uk id k58C8GYv008918 X-Spam-Score: -2.8 (--) X-Scan-Signature: bf422c85703d3d847fb014987125ac48 See comments in-line, and in particular it would be great to capture=20 some of this within the AR draft. Gorry ---- Tina Strauf wrote: > Dear Gorry, >=20 > I am very sorry, this took so long. But as promised in the following I > will try to summarize the results on the problem of GSE and IPv6 DAD we > discussed at DVB-GBS during the meeting we had on May 9th/10th. >=20 > 1) Scenario: >=20 > A DVB-S2 (terminal/set-top-box) receives regular (unicast) downstream > IP traffic via DVB-S2. The return-channel is similarly unidirectional > and configured in such a way, that downlink and return link "emulate" > one bidirectional link with only one link-layer and respectively > IP-layer interface on each side. This can be achieved i.e. by > implementing RFC 3077. > OK, that seems reasonable. >=20 > 2) Problem Statement: >=20 > 2.1 General >=20 > A terminal sending out multicast packets to a group it is itself a > member of will also receive those packets (back) again,=20 > Yes! - If UDLR had used L3 forwarding (as in PIM, etc) you'd normally=20 expect a multicast RPF check at the feed and receiver;-) I think this is the case where RFC3077 says: "Caution: a receiver which sends an encapsulated broadcast/multicast packet to a default feed will receive its own packet via the unidirectional link. Correct filtering as described in [RFC1112] must be applied." The reference to RFC1112 seems to be to section 7.2 which says: "An incoming datagram with an IP host group address in its source address field is quietly discarded." > because on the > link layer they travel to the router/switch/tunnel-endpoint, where both > the forward and return link are "fused" together, and are then relayed > down the DVB-S2 link (to possibly reach other receivers on the same > emulated link). Without a unique link-layer or IP-Layer source address > in the headers the terminal has then no way of knowing if the packets > were sent by itself or some other node. > Indeed (unless perhaps a Receiver understood the routing topology and=20 hence the significance of the L3 source address as in RFC1112). > 2.2 In particular with regard to IPv6 DAD >=20 > When performing IPv6 Duplicate Address Detection, a node sends out a > Neighbor Solicitation Message to the solicited node multicast address > for the address it wishes to configure. At this point this node itself > is also part of that multicast group and in our scenario receives its > own Neighbor Solicitation back again without being able to tell that th= e > message was the one it itself sent out (the IPv6 source address is the > unspecified address and a link-layer source address is not present in > the GSE header, if the original link-layer packet is not bridged (How > would the encapsulator know, when to bridge packets and when not?). > Regardless, we might not even know yet that the link-layer address is > unique (on the link) either,=20 > If you're suggesting that the 6 byte MAC/NPA address could be=20 non-unique, then this seems a configuration error that violates the L2=20 architecture in general. If this is so, several things may break, not=20 just the ND protocol. > so the problem exists with or without > link-layer source field in the GSE header. > RFC 2462 actually mentions this problem and also offers the following > "advice": >=20 > Implementor's Note: many interfaces provide a way for upper layers t= o > selectively enable and disable the looping back of multicast packets. > The details of how such a facility is implemented may prevent > Duplicate Address Detection from working correctly. See the Appendi= x > for further discussion. [not quoted here] >=20 > > The following tests identify conditions under which a tentative > address is not unique: >=20 > - If a Neighbor Solicitation for a tentative address is > received prior to having sent one, the tentative address is a > duplicate. This condition occurs when two nodes run Duplicate > Address Detection simultaneously, but transmit initial > solicitations at different times (e.g., by selecting different > random delay values before transmitting an initial > solicitation). >=20 > - If the actual number of Neighbor Solicitations received exceeds > the number expected based on the loopback semantics (e.g., the > interface does not loopback packet, yet one or more > solicitations was received), the tentative address is a > duplicate. This condition occurs when two nodes run Duplicate > Address Detection simultaneously and transmit solicitations at > roughly the same time. >=20 > So, if the receiver is implemented in such a way, that it counts sent > and received solicitations, compares the number and concludes that the > address is unique, if the same number was messages sent out as was > received, there only is a problem in case a message was lost or if two > receivers perform DAD for the same address at more or less the exact > same time. >=20 Seems so. > 3. "Results of Discussion" >=20 > - For GBS the problem is particular to this scenario for integration of > DVB downlinks into an IPv6 network, meaning this particular > implementation of the return link. > - The problem is exactly the same with MPE and ULE. Yes. > - The problem is actually neither specific to GSE nor ULE or MPE but in > general exists in all cases in which looped back multicast packets > cannot be prevented/recognized by a network node. (Develop "IPv6 over > ***" for such a case?). > - A mandatory GSE link-layer source address field would only help, if > the link-layer ID was 100% sure to be unique on the link. In that case > it would not only solve the DAD problem but the general problem of > recognizing looped back MC packets. >=20 There is always an option to choose to use IEEE-assigned addresses and=20 bridging mode. > 4. Conclusion >=20 > - No change to GSE will be made > - because the problem isn't really solved just with the address > field present, > if we can't be absolutely sure that the ll-ID is unique > (link-layer dependent operational issue). > > - because the problem is the same with ULE/MPE > Yes, although we SHOULD document it in the AR document, perhaps we can=20 work together on a few extra paragraphs. > - because we need GSE now! > - When/If IPDVB develops a solution for ULE, it can be adopted for GSE > as well. > Yes :-) > - The issue might be mentioned in an informational annex of the GSE spe= c. >=20 Or/and you could cite RFCxxxx on AR (when it is published). > Please feel free to forward this e-mail to IPDVB on behalf of DVB > TM-GBS. Comments are of course welcome. >=20 > Best Regards, >=20 > Tina Strauf (on behalf of DVB TM-GBS) >=20 >=20 > -- > Tina Strauf > Institut f=FCr Nachrichtentechnik > Technische Universit=E4t Braunschweig > (Institute for Communications Technology > Braunschweig Technical University) >=20 > Fon: +49 531 391 2417 > Fax: +49 531 391 5192 > E-Mail: strauf@ifn.ing.tu-bs.de >=20 > Schleinitzstra=DFe 22 > D-38106 Braunschweig >=20 From owner-ipdvb@erg.abdn.ac.uk Fri Jun 09 02:35:05 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FoaaH-0004D8-9P for ipdvb-archive@ietf.org; Fri, 09 Jun 2006 02:35:05 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FoaaC-0006S1-Kh for ipdvb-archive@ietf.org; Fri, 09 Jun 2006 02:35:05 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k596SnYV000558 for ; Fri, 9 Jun 2006 07:28:49 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k596Snec000557 for ipdvb-subscribed-users; Fri, 9 Jun 2006 07:28:49 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from mailout2.samsung.com (mailout2.samsung.com [203.254.224.25]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k596SZLe000536 for ; Fri, 9 Jun 2006 07:28:36 +0100 (BST) Received: from ep_mmp2 (mailout2.samsung.com [203.254.224.25]) by mailout2.samsung.com (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004)) with ESMTP id <0J0K00F6BXY12E@mailout2.samsung.com> for ipdvb@erg.abdn.ac.uk; Fri, 09 Jun 2006 15:27:37 +0900 (KST) Received: from daniellaptop ([168.219.198.109]) by mmp2.samsung.com (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003)) with ESMTPA id <0J0K002IHXY1G4@mmp2.samsung.com> for ipdvb@erg.abdn.ac.uk; Fri, 09 Jun 2006 15:27:37 +0900 (KST) Date: Fri, 09 Jun 2006 15:27:45 +0900 From: Soohong Daniel Park Subject: text (please ignore) To: ipdvb@erg.abdn.ac.uk Message-id: <042101c68b8d$d220c390$6dc6dba8@daniellaptop> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2869 X-Mailer: Microsoft Outlook Express 6.00.2900.2869 Content-type: text/plain; charset=ks_c_5601-1987 Content-transfer-encoding: 7BIT X-Priority: 3 X-MSMail-priority: Normal X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.0 (/) X-Scan-Signature: 8ac499381112328dd60aea5b1ff596ea Daniel (Soohong Daniel Park) Mobile Convergence Laboratory, SAMSUNG Electronics. From owner-ipdvb@erg.abdn.ac.uk Fri Jun 09 03:56:17 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fobqr-0003Y7-Bc for ipdvb-archive@ietf.org; Fri, 09 Jun 2006 03:56:17 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fobqp-00071T-UW for ipdvb-archive@ietf.org; Fri, 09 Jun 2006 03:56:17 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k597pDII007092 for ; Fri, 9 Jun 2006 08:51:13 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k597pDKs007091 for ipdvb-subscribed-users; Fri, 9 Jun 2006 08:51:13 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [10.0.1.108] (maxp25.dialup.abdn.ac.uk [139.133.201.184]) (authenticated bits=0) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k597oV4A007057 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT); Fri, 9 Jun 2006 08:50:35 +0100 (BST) User-Agent: Microsoft-Entourage/11.2.3.060209 Date: Fri, 09 Jun 2006 08:53:37 +0100 Subject: Request for Agenda items for ipdvb WG (IETF-66 - July 2006) From: Gorry Fairhurst To: "ipdvb@erg.abdn.ac.uk" Message-ID: Thread-Topic: Request for Agenda items for ipdvb WG (IETF-66 - July 2006) Thread-Index: AcaLmdBxDsT7XPeNEdqyhAAKlc/qXg== Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.4 (--) X-Scan-Signature: 9182cfff02fae4f1b6e9349e01d62f32 Dear ipdvb WG, The IETF ipdvb WG will be meeting at the 66th IETF meeting in Montreal next month. It is now time for me to ask for Agenda items on current documents and related work. Implementation experience is also welcome. If you will be attending and would like to speak or think some topic should be placed on the agenda please send an email to the WG Chair at: gorry@erg.abdn.ac.uk Best wishes, Gorry Fairhurst (Chair ipdvb WG) For more information see: http://www.ietf.org/meetings/cut_off_dates_66.html Meeting Deadlines: Initial -00 draft submissions before June 19th Revised >00 draft submissions before June 26th From owner-ipdvb@erg.abdn.ac.uk Mon Jun 19 11:13:24 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FsLRM-0004qc-9J for ipdvb-archive@ietf.org; Mon, 19 Jun 2006 11:13:24 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FsLRJ-0008Q2-H5 for ipdvb-archive@ietf.org; Mon, 19 Jun 2006 11:13:24 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5JEwYVq000469 for ; Mon, 19 Jun 2006 15:58:34 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5JEwY5g000468 for ipdvb-subscribed-users; Mon, 19 Jun 2006 15:58:34 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from ads40.surrey.ac.uk (ads40.surrey.ac.uk [131.227.102.140]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5JEwOH4000442 for ; Mon, 19 Jun 2006 15:58:24 +0100 (BST) Received: from EVS-EC1-NODE1.surrey.ac.uk ([131.227.102.136]) by ads40.surrey.ac.uk with Microsoft SMTPSVC(6.0.3790.1830); Mon, 19 Jun 2006 15:58:19 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C693B0.CD2DBB49" Subject: FW: I-D submission (draft-cruickshank-ipdvb-sec-req-02.txt) Date: Mon, 19 Jun 2006 15:58:19 +0100 Message-ID: X-MS-Has-Attach: yes X-MS-TNEF-Correlator: Thread-Topic: I-D submission (draft-cruickshank-ipdvb-sec-req-02.txt) Thread-Index: AcaTf23dRxDet/nvTeKlh80wESAkjQALg2qg From: To: X-OriginalArrivalTime: 19 Jun 2006 14:58:19.0777 (UTC) FILETIME=[CD7E4710:01C693B0] X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.2 (/) X-Scan-Signature: b4f8b2857a7a1a95c927652b5e03785d This is a multi-part message in MIME format. ------_=_NextPart_001_01C693B0.CD2DBB49 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable =20 Dear ipdvb WG, Many thanks to Gorry for submitting the above draft (draft-cruickshank-ipdvb-sec-req-02.txt) on our behalf. We would like the ipdvb WG to adopt this work as WG work item, please. First many thanks to Prashant for all his comments and his name is added to the new draft.=20 I will try to summarise the comments from ipdvb WG and our responses that added to the new draft: There were several questions related ULE source authentication and protection against replays attacks are they mandatory or optional. In order to clarify the security requirement, three scenarios are added to section 2.1: o Scenario 1: Monitoring (passive threat). Here the intruder monitors the ULE broadcasts in order to gain information about ULE data and/or tracking the communicating parties. o Scenario 2: Local high jacking of the MPEG-TS multiplex (active threat). Here we assume an intruder is sophisticated and able to block the original transmission from the ULE Encapsulation Gateway and deliver a modified version of the MPEG-TS transmission to a single ULE Receiver or a small group of Receivers (e.g. in a single company site o Scenario 3: Global high jacking of the MPEG-TS multiplex (active threat). Here we assume an intruder is very sophisticated and able to high jack the whole MPEG transmission multiplex. In addition, Section 3 analysis these scenarios further and extract the security requirements: o Scenario 1: Data confidentiality MUST be provided to prevent monitoring of the ULE data (such as IP packet and user information). Also ULE MAC address hiding MUST be provided to prevent access to communicating parties' identity and tracking their communications. These requirements are mandatory for a ULE security system. Identity hiding is used mobile phone networks such as GSM and UMTS. o Scenario 2: In addition to scenario 1 requirements, new measures are needed to be implemented such as source authentication and using sequence numbers to prevent replay attacks. However, scenario 2 threats can happen only in specific service cases and therefore source authentication and sequence numbers SHOULD be optional for the ULE security system because of the extra overheads it incurs. o Scenario 3: ULE security system can not protect against such attacks. This scenario is out of scope for this document. Finally and regarding ULE security implementation plans: We are in process of submitting a related draft that describes the actual ULE security format with extension headers. We intend and plan to have an implementation ready by the end of the year. Would any other people also be interested in collaborating or developing their own implementations? Haitham (& all co-authors) ---- Dr. Haitham S. Cruickshank Lecturer=20 Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK=20 Tel: +44 1483 686007 (indirect 689844)=20 Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk]=20 Sent: 19 June 2006 10:05 To: Internet-Drafts Administrator Cc: Gorry Fairhurst; Cruickshank HS Dr (CCSR) Subject: I-D submission (draft-cruickshank-ipdvb-sec-req-02.txt) I'm submitting this on behalf of the authors, Gorry Fairhurst (ipdvb WG Chair) ------_=_NextPart_001_01C693B0.CD2DBB49 Content-Type: text/plain; name="draft-cruickshank-ipdvb-sec-req-02.txt" Content-Transfer-Encoding: base64 Content-Description: draft-cruickshank-ipdvb-sec-req-02.txt Content-Disposition: inline; filename="draft-cruickshank-ipdvb-sec-req-02.txt" ICAgICBJbnRlcm5ldCBFbmdpbmVlcmluZyBUYXNrIEZvcmNlICAgICAgICAgICAgICAgICAgICAg ICBILkNydWlja3NoYW5rIA0KICAgICBJbnRlcm5ldCBEcmFmdCAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBTLiBJeWVuZ2FyIA0KICAgICBkcmFmdC1jcnVpY2tzaGFu ay1pcGR2Yi1zZWMtcmVxLTAyLnR4dCAgICAgVW5pdmVyc2l0eSBvZiBTdXJyZXksIFVLIA0KICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg TC4gRHVxdWVycm95IA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICBBbGNhdGVsIEFsZW5pYSBTcGFjZSwgRnJhbmNlIA0KICAgICBFeHBpcmVzOiBEZWNlbWJlciAy MDA2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUC4gUGlsbGFpIA0KICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVuaXZlcnNpdHkgb2YgQnJh ZGZvcmQsIFVLIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAg IENhdGVnb3J5OiBJbnRlcm5ldCBEcmFmdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp1 bmUgMTYsIDIwMDYgDQogICAgIA0KICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICANCiAgICAgICAgICAgIFNlY3VyaXR5IHJlcXVpcmVtZW50cyBmb3IgdGhlIFVu aWRpcmVjdGlvbmFsIExpZ2h0d2VpZ2h0IA0KICAgICAgICAgICAgICAgICAgICAgICAgIEVuY2Fw c3VsYXRpb24gKFVMRSkgcHJvdG9jb2wgDQogICAgICAgICAgICAgICAgICAgICBkcmFmdC1jcnVp Y2tzaGFuay1pcGR2Yi1zZWMtcmVxLTAyLnR4dCANCg0KDQogICAgU3RhdHVzIG9mIHRoaXMgRHJh ZnQgDQoNCiAgICAgICBCeSBzdWJtaXR0aW5nIHRoaXMgSW50ZXJuZXQtRHJhZnQsIGVhY2ggYXV0 aG9yIHJlcHJlc2VudHMgdGhhdCAgICAgICANCiAgICAgICBhbnkgYXBwbGljYWJsZSBwYXRlbnQg b3Igb3RoZXIgSVBSIGNsYWltcyBvZiB3aGljaCBoZSBvciBzaGUgaXMgICAgICAgDQogICAgICAg YXdhcmUgaGF2ZSBiZWVuIG9yIHdpbGwgYmUgZGlzY2xvc2VkLCBhbmQgYW55IG9mIHdoaWNoIGhl IG9yIHNoZSAgICAgICANCiAgICAgICBiZWNvbWVzIGF3YXJlIHdpbGwgYmUgZGlzY2xvc2VkLCBp biBhY2NvcmRhbmNlIHdpdGggU2VjdGlvbiA2IG9mICAgICAgIA0KICAgICAgIEJDUCA3OS4gDQoN CiAgICAgICBJbnRlcm5ldC1EcmFmdHMgYXJlIHdvcmtpbmcgZG9jdW1lbnRzIG9mIHRoZSBJbnRl cm5ldCBFbmdpbmVlcmluZyANCiAgICAgICBUYXNrIEZvcmNlIChJRVRGKSwgaXRzIGFyZWFzLCBh bmQgaXRzIHdvcmtpbmcgZ3JvdXBzLiAgTm90ZSB0aGF0IA0KICAgICAgIG90aGVyIGdyb3VwcyBt YXkgYWxzbyBkaXN0cmlidXRlIHdvcmtpbmcgZG9jdW1lbnRzIGFzIEludGVybmV0LQ0KICAgICAg IERyYWZ0cy4gDQoNCiAgICAgICBJbnRlcm5ldC1EcmFmdHMgYXJlIGRyYWZ0IGRvY3VtZW50cyB2 YWxpZCBmb3IgYSBtYXhpbXVtIG9mIHNpeCANCiAgICAgICBtb250aHMgYW5kIG1heSBiZSB1cGRh dGVkLCByZXBsYWNlZCwgb3Igb2Jzb2xldGVkIGJ5IG90aGVyIA0KICAgICAgIGRvY3VtZW50cyBh dCBhbnkgdGltZS4gIEl0IGlzIGluYXBwcm9wcmlhdGUgdG8gdXNlIEludGVybmV0LQ0KICAgICAg IERyYWZ0cyBhcyByZWZlcmVuY2UgbWF0ZXJpYWwgb3IgdG8gY2l0ZSB0aGVtIG90aGVyIHRoYW4g YXMgIndvcmsgDQogICAgICAgaW4gcHJvZ3Jlc3MuIiANCg0KICAgICAgIFRoZSBsaXN0IG9mIGN1 cnJlbnQgSW50ZXJuZXQtRHJhZnRzIGNhbiBiZSBhY2Nlc3NlZCBhdCANCiAgICAgICAgICAgIGh0 dHA6Ly93d3cuaWV0Zi5vcmcvaWV0Zi8xaWQtYWJzdHJhY3RzLnR4dCANCg0KICAgICAgIFRoZSBs aXN0IG9mIEludGVybmV0LURyYWZ0IFNoYWRvdyBEaXJlY3RvcmllcyBjYW4gYmUgYWNjZXNzZWQg YXQgDQogICAgICAgICAgICBodHRwOi8vd3d3LmlldGYub3JnL3NoYWRvdy5odG1sIA0KDQogICAg ICAgVGhpcyBJbnRlcm5ldC1EcmFmdCB3aWxsIGV4cGlyZSBvbiBEZWNlbWJlciAxNiwgMjAwNi4g DQoNCiAgICBBYnN0cmFjdCANCg0KICAgICAgIFRoaXMgZG9jdW1lbnQgcHJvdmlkZXMgYSB0aHJl YXQgYW5hbHlzaXMgYW5kIGRlcml2ZXMgc2VjdXJpdHkgDQogICAgICAgcmVxdWlyZW1lbnRzIGZv ciBNUEVHLTIgdHJhbnNtaXNzaW9uIGxpbmtzIHVzaW5nIHRoZSANCiAgICAgICBVbmlkaXJlY3Rp b25hbCBMaWdodHdlaWdodCBFbmNhcHN1bGF0aW9uIChVTEUpLiBJdCBhbHNvIHByb3ZpZGVzIA0K ICAgICANCiAgICAgDQogICAgQ3J1aWNrc2hhbmsgICAgICAgICAgIEV4cGlyZXMgRGVjZW1iZXIg MTUsIDIwMDYgICAgICAgICAgW1BhZ2UgMV0gDQogICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAg ICAgICAgIFNlY3VyaXR5IFJlcXVpcmVtZW50cyBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAg ICAgICANCg0KICAgICAgIHRoZSBtb3RpdmF0aW9uIGZvciBVTEUgbGluay1sZXZlbCBzZWN1cml0 eS4gVGhpcyB3b3JrIGlzIGludGVuZGVkIA0KICAgICAgIGFzIGEgd29yayBpdGVtIG9mIHRoZSBp cGR2YiBXRywgYW5kIGNvbnRyaWJ1dGlvbnMgYXJlIHNvdWdodCBmcm9tIA0KICAgICAgIHRoZSBJ RVRGIG9uIHRoaXMgdG9waWMuICANCg0KICAgIFJlcXVpcmVtZW50cyBub3RhdGlvbiANCg0KICAg ICAgIFRoZSBrZXkgd29yZHMgIk1VU1QiLCAiTVVTVCBOT1QiLCAiUkVRVUlSRUQiLCAiU0hBTEwi LCAiU0hBTEwgDQogICAgICAgTk9UIiwgIlNIT1VMRCIsICJTSE9VTEQgTk9UIiwgIlJFQ09NTUVO REVEIiwgIk1BWSIsIGFuZCANCiAgICAgICAiT1BUSU9OQUwiIGluIHRoaXMgZG9jdW1lbnQgYXJl IHRvIGJlIGludGVycHJldGVkIGFzIGRlc2NyaWJlZCBpbiANCiAgICAgICBSRkMyMTE5IFsxXS4g DQoNCiAgICBUYWJsZSBvZiBDb250ZW50cyANCg0KICAgICAgICANCiAgICAgICAxLiBJbnRyb2R1 Y3Rpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIA0K ICAgICAgICAgIDEuMS4gU3lzdGVtIENvbXBvbmVudHMgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIDQgDQogICAgICAgMi4gVGhyZWF0IEFuYWx5c2lzICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgNCANCiAgICAgICAgICAyLjEuIFRocmVhdCBT Y2VuYXJpb3MgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1IA0KICAgICAg ICAgICAgIDIuMS4xLiBTY2VuYXJpbyAxOiBNb25pdG9yaW5nIChwYXNzaXZlIHRocmVhdCkgICAg ICAgICAgIDUgDQogICAgICAgICAgICAgMi4xLjIuIFNjZW5hcmlvIDI6IExvY2FsIGhpZ2hqYWNr aW5nIG9mIHRoZSBNUEVHLVRTIA0KICAgICAgICAgICAgIG11bHRpcGxleCAoYWN0aXZlIHRocmVh dCkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDYgDQogICAgICAgICAgICAgMi4xLjMu IFNjZW5hcmlvIDM6IEdsb2JhbCBoaWdoIGphY2tpbmcgb2YgdGhlIE1QRUctVFMgDQogICAgICAg ICAgICAgbXVsdGlwbGV4IChhY3RpdmUgdGhyZWF0KSAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgNiANCiAgICAgICAzLiBTZWN1cml0eSBSZXF1aXJlbWVudHMgZm9yIElQIG92ZXIgTVBF Ry0yIFRTICAgICAgICAgICAgICAgICA2IA0KICAgICAgIDQuIElQc2VjIGFuZCBNUEVHLTIgVHJh bnNtaXNzaW9uIE5ldHdvcmtzICAgICAgICAgICAgICAgICAgICAgIDggDQogICAgICAgICAgNC4x LiBUdW5uZWwgbW9kZSB1c2Ugb2YgSVBzZWMgZm9yIG11bHRpY2FzdCAgICAgICAgICAgICAgICAg OSANCiAgICAgICAgICA0LjIuIElQc2VjIGFuZCBMMiBzZWN1cml0eSAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICA5IA0KICAgICAgIDUuIE1vdGl2YXRpb24gZm9yIFVMRSBsaW5rLWxh eWVyIHNlY3VyaXR5ICAgICAgICAgICAgICAgICAgICAgMTAgDQogICAgICAgICAgNS4xLiBMaW5r IHNlY3VyaXR5IGJlbG93IHRoZSBFbmNhcHN1bGF0aW9uIGxheWVyICAgICAgICAgICAxMSANCiAg ICAgICAgICA1LjIuIExpbmsgc2VjdXJpdHkgYXMgYSBwYXJ0IG9mIHRoZSBFbmNhcHN1bGF0aW9u IGxheWVyICAgIDExIA0KICAgICAgIDYuIFN1bW1hcnkgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgMTIgDQogICAgICAgNy4gU2VjdXJpdHkgQ29uc2lk ZXJhdGlvbnMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAxMyANCiAgICAgICA4 LiBJQU5BIENvbnNpZGVyYXRpb25zICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIDEzIA0KICAgICAgIDkuIEFja25vd2xlZGdtZW50cyAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgMTMgDQogICAgICAgMTAuIFJlZmVyZW5jZXMgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAxNCANCiAgICAgICAgICAxMC4x LiBOb3JtYXRpdmUgUmVmZXJlbmNlcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDE0 IA0KICAgICAgICAgIDEwLjIuIEluZm9ybWF0aXZlIFJlZmVyZW5jZXMgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgMTQgDQogICAgICAgQXV0aG9yJ3MgQWRkcmVzc2VzICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAxNSANCiAgICAgICBJbnRlbGxlY3R1YWwg UHJvcGVydHkgU3RhdGVtZW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDE2IA0KICAg ICAgIERpc2NsYWltZXIgb2YgVmFsaWRpdHkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgMTYgDQogICAgICAgQ29weXJpZ2h0IFN0YXRlbWVudCAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAxNiANCiAgICAgICAgDQogICAgMS4gSW50cm9kdWN0 aW9uIA0KDQogICAgICAgSW4gdGhlIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zIHNlY3Rpb24gb2Yg UkZDIDQyNTlbMl0sIHRoZXJlIGlzIA0KICAgICAgIGFuIGluaXRpYWwgYW5hbHlzaXMgb2YgdGhl IHNlY3VyaXR5IHJlcXVpcmVtZW50cyBpbiBNUEVHLTIgDQogICAgICAgdHJhbnNtaXNzaW9uIG5l dHdvcmtzLiBGb3IgZXhhbXBsZSwgd2hlbiB0aGUgTVBFRy0yIHRyYW5zbWlzc2lvbiANCiAgICAg DQogICAgIA0KICAgIENydWlja3NoYW5rICAgICAgICAgICBFeHBpcmVzIERlY2VtYmVyIDE1LCAy MDA2ICAgICAgICAgICBbUGFnZSAyXSANCiAgICAgICAgDQoMICAgIEludGVybmV0LURyYWZ0ICAg ICAgICAgU2VjdXJpdHkgUmVxdWlyZW1lbnRzIGZvciBVTEUgICAgICBKdW5lIDIwMDYgDQogICAg ICAgIA0KDQogICAgICAgbmV0d29yayBpcyBub3QgdXNpbmcgYSB3aXJlbGluZSBuZXR3b3JrLCB0 aGUgbm9ybWFsIHNlY3VyaXR5IA0KICAgICAgIGlzc3VlcyByZWxhdGluZyB0byB0aGUgdXNlIG9m IHdpcmVsZXNzIGxpbmtzIGZvciB0cmFuc3BvcnQgb2YgDQogICAgICAgSW50ZXJuZXQgdHJhZmZp YyBzaG91bGQgYmUgY29uc2lkZXJlZCBbMTZdLiBSRkMgNDI1OSByZWNvbW1lbmRzIA0KICAgICAg IHRoYXQgYW55IG5ldyBlbmNhcHN1bGF0aW9uIGRlZmluZWQgYnkgdGhlIElFVEYgYWxsb3dzIFRy YW5zcG9ydCANCiAgICAgICBTdHJlYW0gZW5jcnlwdGlvbiBhbmQgYWxzbyBzdXBwb3J0cyBvcHRp b25hbCBsaW5rIGxldmVsIA0KICAgICAgIGVuY3J5cHRpb24vYXV0aGVudGljYXRpb24gb2YgdGhl IFNORFUgcGF5bG9hZC4gSW4gVUxFIFszXSwgdGhpcyANCiAgICAgICBtYXkgYmUgcHJvdmlkZWQg aW4gYSBmbGV4aWJsZSB3YXkgdXNpbmcgRXh0ZW5zaW9uIEhlYWRlcnMuIFRoaXMgDQogICAgICAg cmVxdWlyZXMgZGVmaW5pdGlvbiBvZiBhIG1hbmRhdG9yeSBoZWFkZXIgZXh0ZW5zaW9uLCBidXQg aGFzIHRoZSANCiAgICAgICBhZHZhbnRhZ2UgdGhhdCBpdCBkZWNvdXBsZXMgc3BlY2lmaWNhdGlv biBvZiB0aGUgc2VjdXJpdHkgDQogICAgICAgZnVuY3Rpb25zIGZyb20gdGhlIGVuY2Fwc3VsYXRp b24gZnVuY3Rpb25zLiBUaGlzIG1ldGhvZCBhbHNvIA0KICAgICAgIHN1cHBvcnRzIGhpZGluZyBv ZiB0aGUgTlBBL01BQyBhZGRyZXNzZXMuIA0KDQogICAgICAgVGhpcyBkb2N1bWVudCBleHRlbmRz IHRoZSBhYm92ZSBhbmFseXNpcyBhbmQgZGVyaXZlcyB0aGUgc2VjdXJpdHkgDQogICAgICAgcmVx dWlyZW1lbnRzIGZvciBVTEUuIA0KDQogICAgICAgVGhlIG1haW4gb2JqZWN0aXZlIG9mIHRoaXMg ZG9jdW1lbnQgaXMgdG8gc3BlY2lmeSB0aGUgDQogICAgICAgcmVxdWlyZW1lbnRzIGZvciBzZWN1 cmluZyB0aGUgbGluayBiZXR3ZWVuIHRoZSBFbmNhcHN1bGF0aW9uIA0KICAgICAgIEdhdGV3YXlz IChVTEUgc291cmNlKSBhbmQgUmVjZWl2ZXJzIG9ubHkuIEluIGFkZGl0aW9uLCB0aGlzIA0KICAg ICAgIGRvY3VtZW50IHByb3ZpZGVzIGFuIG92ZXJ2aWV3IG9mIHRoZSB0aHJlYXQgYW5hbHlzaXMg Zm9yIGFuIElQIA0KICAgICAgIG5ldHdvcmsgdGhhdCB1dGlsaXNlcyBVTEUgb3ZlciBhbiB1bmRl cmx5aW5nIE1QRUctMiB0cmFuc21pc3Npb24gDQogICAgICAgbmV0d29yay4gDQoNCiAgICAgICBU aGUgTVBFRy0yIFRyYW5zcG9ydCBTdHJlYW0gKFRTKSBoYXMgYmVlbiB3aWRlbHkgYWNjZXB0ZWQg bm90IA0KICAgICAgIG9ubHkgZm9yIHByb3ZpZGluZyBkaWdpdGFsIFRWIHNlcnZpY2VzLCBidXQg YWxzbyBhcyBhIHN1Ym5ldHdvcmsgDQogICAgICAgdGVjaG5vbG9neSBmb3IgYnVpbGRpbmcgSVAg bmV0d29ya3MuIFRoZSBVbmlkaXJlY3Rpb25hbCANCiAgICAgICBMaWdodHdlaWdodCBFbmNhcHN1 bGF0aW9uIChVTEUpIG1lY2hhbmlzbSBkZXNjcmliZWQgaW4gWzNdIGNhbiBiZSANCiAgICAgICB1 c2VkIGZvciB0aGUgdHJhbnNwb3J0IG9mIElQdjQgYW5kIElQdjYgRGF0YWdyYW1zLCBicmlkZ2Vk IA0KICAgICAgIEV0aGVybmV0IGZyYW1lcyBhbmQgb3RoZXIgbmV0d29yayBwcm90b2NvbCBwYWNr ZXRzIGRpcmVjdGx5IG92ZXIgDQogICAgICAgdGhlIElTTyBNUEVHLTIgVHJhbnNwb3J0IFN0cmVh bSBhcyBUUyBQcml2YXRlIERhdGEuIFVMRSBzcGVjaWZpZXMgDQogICAgICAgYSBiYXNlIGVuY2Fw c3VsYXRpb24gZm9ybWF0IGFuZCBzdXBwb3J0cyBhbiBleHRlbnNpb24gZm9ybWF0IHRoYXQgDQog ICAgICAgYWxsb3dzIGl0IHRvIGNhcnJ5IGFkZGl0aW9uYWwgaGVhZGVyIGluZm9ybWF0aW9uIHRv IGFzc2lzdCBpbiANCiAgICAgICBuZXR3b3JrL1JlY2VpdmVyIHByb2Nlc3NpbmcuIA0KDQogICAg ICAgSW1wb3J0YW50IGNoYXJhY3RlcmlzdGljcyBvZiBNUEVHLTIgdHJhbnNtaXNzaW9uIG5ldHdv cmtzIGFyZSANCiAgICAgICB0aGF0IHRoZXkgbWF5IHByb3ZpZGUgbGluay1sZXZlbCBicm9hZGNh c3QgY2FwYWJpbGl0eSwgYW5kIHRoYXQgDQogICAgICAgbWFueSBzdXBwb3J0IGFwcGxpY2F0aW9u cyB0aGF0IHJlcXVpcmUgYWNjZXNzIHRvIGEgdmVyeSBsYXJnZSANCiAgICAgICBudW1iZXIgb2Yg c3VibmV0d29yayBub2RlcyBbMl0uIEluIGFkZGl0aW9uLCB0aGUgbWFqb3JpdHkgb2YgDQogICAg ICAgTVBFRy0yIHRyYW5zbWlzc2lvbiBuZXR3b3JrcyBhcmUgYmFuZHdpZHRoLWxpbWl0ZWQsIGVu Y2Fwc3VsYXRpb24gDQogICAgICAgcHJvdG9jb2xzIG11c3QgdGhlcmVmb3JlIGFkZCBtaW5pbWFs IG92ZXJoZWFkIHRvIGVuc3VyZSBnb29kIGxpbmsgDQogICAgICAgZWZmaWNpZW5jeSB3aGlsZSBw cm92aWRpbmcgYWRlcXVhdGUgbmV0d29yayBzZXJ2aWNlcy4gVGhleSBhbHNvIA0KICAgICAgIG5l ZWQgdG8gYmUgc2ltcGxlIHRvIG1pbmltaXplIHByb2Nlc3NpbmcsIHJvYnVzdCB0byBlcnJvcnMg YW5kIA0KICAgICAgIHNlY3VyaXR5IHRocmVhdHMsIGFuZCBleHRlbnNpYmxlIHRvIGEgd2lkZSBy YW5nZSBvZiBzZXJ2aWNlcy4gDQoNCiAgICAgICBJbiBNUEVHLTIgdHJhbnNtaXNzaW9uIG5ldHdv cmsgdGhlcmUgYXJlIHNldmVyYWwgc2lnbmFsbGluZyANCiAgICAgICBtZXNzYWdlcyB0aGF0IGFy ZSBicm9hZGNhc3QgYnkgdGhlIEVuY2Fwc3VsYXRvciBvciBNdWx0aXBsZXhvcg0KICAgICAgIGlu IHRoZSBmb3JtIG9mIHRhYmxlcy4gRXhhbXBsZXMgb2YgdGhlc2Ugc2lnbmFsbGluZyBtZXNzYWdl cyBvciANCiAgICAgICAoU0kgdGFibGVzKSBhcmUgUEFUIC0gUHJvZ3JhbSBBc3NvY2lhdGlvbiBU YWJsZSwgUE1UIC0gUHJvZ3JhbSANCiAgICAgDQogICAgIA0KICAgIENydWlja3NoYW5rICAgICAg ICAgICBFeHBpcmVzIERlY2VtYmVyIDE1LCAyMDA2ICAgICAgICAgICBbUGFnZSAzXSANCiAgICAg ICAgDQoMICAgIEludGVybmV0LURyYWZ0ICAgICAgICAgU2VjdXJpdHkgUmVxdWlyZW1lbnRzIGZv ciBVTEUgICAgICBKdW5lIDIwMDYgDQogICAgICAgIA0KDQogICAgICAgTWFwIFRhYmxlIGFuZCBO SVQgLSBOZXR3b3JrIEluZm9ybWF0aW9uIFRhYmxlLiAgSW4gZXhpc3RpbmcgTVBFRy0NCiAgICAg ICAyIHRyYW5zbWlzc2lvbiBuZXR3b3JrcywgdGhlc2UgbWVzc2FnZXMgYXJlIGJyb2FkY2FzdCBp biBjbGVhciANCiAgICAgICAobm8gZW5jcnlwdGlvbiBvciBpbnRlZ3JpdHkgY2hlY2tzKS4gVGhl IGludGVncml0eSBvZiB0aGVzZSANCiAgICAgICBtZXNzYWdlcyBpcyBpbXBvcnRhbnQgZm9yIHRo ZSBjb3JyZWN0IHdvcmtpbmcgb2YgdGhlIFVMRSBuZXR3b3JrLiANCiAgICAgICBIb3dldmVyLCBz ZWN1cmluZyB0aGVzZSBtZXNzYWdlcyBpcyBvdXQgb2Ygc2NvcGUgZm9yIFVMRSANCiAgICAgICBz ZWN1cml0eS4gDQoNCiAgICAxLjEuIFN5c3RlbSBDb21wb25lbnRzICANCg0KICAgICAgIFRoZXJl IGFyZSBzZXZlcmFsIGVudGl0aWVzIGluIHdpdGhpbiB0aGUgTVBFRy0yIHRyYW5zbWlzc2lvbiAN CiAgICAgICBuZXR3b3JrIGFyY2hpdGVjdHVyZSwgYXMgZGVmaW5lZCBpbiBbMl0pLiBUaGVzZSBp bmNsdWRlIChVTEUpIA0KICAgICAgIEVuY2Fwc3VsYXRpb24gR2F0ZXdheXMsIFRTIG11bHRpcGxl eGVycyAoaW5jbHVkaW5nIHJlLQ0KICAgICAgIG11bHRpcGxleGVycyksIG1vZHVsYXRvcnMgYW5k IFJlY2VpdmVycy4gDQoNCiAgICAgICBUaGUgVUxFIGxpbmsgc2VjdXJpdHkgZm9jdXNlcyBvbiBz ZWN1cml0eSBiZXR3ZWVuIHRoZSANCiAgICAgICBFbmNhcHN1bGF0aW9uIEdhdGV3YXlzIChVTEUg c291cmNlKSBhbmQgUmVjZWl2ZXJzIG9ubHkuIA0KDQogICAgMi4gVGhyZWF0IEFuYWx5c2lzIA0K DQogICAgICAgVGhlIHNpbXBsZXN0IHR5cGUgb2YgbmV0d29yayB0aHJlYXQgaXMgYSBwYXNzaXZl IHRocmVhdC4gUGFzc2l2ZSANCiAgICAgICBhdHRhY2tzIGluY2x1ZGUgZWF2ZXNkcm9wcGluZyBv ciBtb25pdG9yaW5nIG9mIHRyYW5zbWlzc2lvbnMsIA0KICAgICAgIHdpdGggYSBnb2FsIHRvIG9i dGFpbiBpbmZvcm1hdGlvbiB0aGF0IGlzIGJlaW5nIHRyYW5zbWl0dGVkLiBJbiANCiAgICAgICBi cm9hZGNhc3QgbmV0d29ya3MgKGVzcGVjaWFsbHkgdGhvc2UgdXRpbGlzaW5nIHdpZGVseSBhdmFp bGFibGUgDQogICAgICAgbG93LWNvc3QgcGh5c2ljYWwgbGF5ZXIgaW50ZXJmYWNlcywgc3VjaCBh cyBEVkIpIHBhc3NpdmUgdGhyZWF0cyANCiAgICAgICBhcmUgY29uc2lkZXJlZCB0aGUgbWFqb3Ig dGhyZWF0cy4gQW4gZXhhbXBsZSBvZiBzdWNoIGEgdGhyZWF0IGlzIA0KICAgICAgIGFuIGludHJ1 ZGVyIG1vbml0b3JpbmcgdGhlIE1QRUctMiB0cmFuc21pc3Npb24gYnJvYWRjYXN0IGFuZCANCiAg ICAgICBiZWluZyBhYmxlIHRvIGV4dHJhY3QgdHJhZmZpYyBjb21tdW5pY2F0ZWQgYmV0d2VlbiBJ UCBob3N0cy4gDQogICAgICAgQW5vdGhlciBleGFtcGxlIGFuIGludHJ1ZGVyIHRyeWluZyB0byBn YWluIGluZm9ybWF0aW9uIGFib3V0IHRoZSANCiAgICAgICBjb21tdW5pY2F0aW9uIHBhcnRpZXMg YnkgbW9uaXRvcmluZyB0aGVpciBMYXllciAyIE1BQy9OUEEgDQogICAgICAgYWRkcmVzc2VzOyBh biBpbnRydWRlciBjYW4gZ2FpbiBzb21lIGluZm9ybWF0aW9uIGJ5IGp1c3Qga25vd2luZyANCiAg ICAgICB0aGUgaWRlbnRpdHkgb2YgdGhlIGNvbW11bmljYXRpbmcgcGFydGllcyBhbmQgdGhlIHZv bHVtZSBvZiB0aGVpciANCiAgICAgICB0cmFmZmljLiBUaGlzIGlzIGEgd2VsbC1rbm93biBpc3N1 ZSBpbiB0aGUgc2VjdXJpdHkgZmllbGQ7IA0KICAgICAgIGhvd2V2ZXIgaXQgaXMgbW9yZSBwcm9i bGVtYXRpYyBpbiB0aGUgY2FzZSBvZiBicm9hZGNhc3QgbmV0d29ya3MgDQogICAgICAgc3VjaCBh cyBNUEVHLTIgdHJhbnNtaXNzaW9uIG5ldHdvcmtzLiANCg0KICAgICAgIEFjdGl2ZSB0aHJlYXRz IChvciBhdHRhY2tzKSBhcmUsIGluIGdlbmVyYWwsIG1vcmUgZGlmZmljdWx0IHRvIA0KICAgICAg IGltcGxlbWVudCBzdWNjZXNzZnVsbHkgdGhhbiBwYXNzaXZlIHRocmVhdHMsIGFuZCB1c3VhbGx5 IHJlcXVpcmUgDQogICAgICAgbW9yZSBzb3BoaXN0aWNhdGVkIHJlc291cmNlcyBhbmQgbWF5IHJl cXVpcmUgYWNjZXNzIHRvIHRoZSANCiAgICAgICB0cmFuc21pdHRlci4gRXhhbXBsZXMgb2YgYWN0 aXZlIGF0dGFja3MgYXJlOiAgDQoNCiAgICAgICBvIE1hc3F1ZXJhZGluZzogd2hlcmUgYW4gZW50 aXR5IHByZXRlbmRzIHRvIGJlIGEgZGlmZmVyZW50IA0KICAgICAgICAgIGVudGl0eS4gVGhpcyBp bmNsdWRlcyBtYXNxdWVyYWRpbmcgb3RoZXIgdXNlcnMgYW5kIHN1Ym5ldHdvcmsgDQogICAgICAg ICAgY29udHJvbCBwbGFuZSBtZXNzYWdlcy4gDQoNCiAgICAgICBvIE1vZGlmaWNhdGlvbiBvZiBt ZXNzYWdlcyBpbiBhbiB1bmF1dGhvcmlzZWQgbWFubmVyLiANCg0KDQogICAgIA0KICAgICANCiAg ICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhwaXJlcyBEZWNlbWJlciAxNSwgMjAwNiAgICAgICAg ICAgW1BhZ2UgNF0gDQogICAgICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAgICAgICAgIFNlY3Vy aXR5IFJlcXVpcmVtZW50cyBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAgICAgICANCg0KICAg ICAgIG8gUmVwdWRpYXRpb246IFJlcHVkaWF0aW9uIG9mIG9yaWdpbiBvY2N1cnMgd2hlbiBhIHBh cnR5IGRlbmllcyANCiAgICAgICAgICBiZWluZyB0aGUgb3JpZ2luYXRvciBvZiBhIG1lc3NhZ2Ug YW5kIHJlcHVkaWF0aW9uIG9mIA0KICAgICAgICAgIGRlc3RpbmF0aW9uIG9jY3VycyB3aGVuIGEg cGFydHkgZGVuaWVzIHRoZSByZWNlcHRpb24gb2YgYSANCiAgICAgICAgICBtZXNzYWdlLiANCg0K ICAgICAgIG8gUmVwbGF5IGF0dGFja3M6IFdoZW4gYW4gaW50cnVkZXIgc2VuZHMgc29tZSBvbGQg KGF1dGhlbnRpYykgDQogICAgICAgICAgbWVzc2FnZXMgdG8gdGhlIFJlY2VpdmVyLiANCg0KICAg ICAgIG8gRGVuaWFsIG9mIHNlcnZpY2UgYXR0YWNrczogIFdoZW4gYW4gZW50aXR5IGZhaWxzIHRv IHBlcmZvcm0gDQogICAgICAgICAgaXRzIHByb3BlciBmdW5jdGlvbiBvciBhY3RzIGluIGEgd2F5 IHRoYXQgcHJldmVudHMgb3RoZXIgDQogICAgICAgICAgZW50aXRpZXMgZnJvbSBwZXJmb3JtaW5n IHRoZWlyIHByb3BlciBmdW5jdGlvbnMuIA0KDQogICAgICAgQWN0aXZlIHRocmVhdHMgc3VjaCBh cyBtYXNxdWVyYWRpbmcsIHJlcGxheSwgbW9kaWZpY2F0aW9uIG9mIA0KICAgICAgIG1lc3NhZ2Vz IGFuZCBpbmplY3RpbmcgSVAgcGFja2V0IGF0dGFja3MgYXJlIG1ham9yIHNlY3VyaXR5IA0KICAg ICAgIGNvbmNlcm5zIGZvciB0aGUgSW50ZXJuZXQgY29tbXVuaXR5IGFuZCBzZXZlcmFsIG9mIHRo ZXNlIGF0dGFja3MgDQogICAgICAgaGF2ZSBiZWVuIGRlc2NyaWJlZCBbNV0uIFRoZSBkZWZlbmNl IGFnYWluc3Qgc3VjaCBhdHRhY2tzIGlzIGRhdGEgDQogICAgICAgaW50ZWdyaXR5IHVzaW5nIGNy eXB0b2dyYXBoaWMgdGVjaG5pcXVlcyBhbmQgc2VxdWVuY2UgbnVtYmVycy4gDQoNCiAgICAgICBJ biB0aGUgY29udGV4dCBvZiBhY3RpdmUgdGhyZWF0cyBpbiBNUEVHLTIgdHJhbnNtaXNzaW9uIG5l dHdvcmtzLCANCiAgICAgICBVTEUgc291cmNlIGF1dGhlbnRpY2F0aW9uIChpLmUuIHZlcmlmaWNh dGlvbiB0aGF0IHBhY2tldHMgYXJlIA0KICAgICAgIGJlaW5nIHNlbnQgYnkgdGhlIGV4cGVjdGVk IEVuY2Fwc3VsYXRpb24gR2F0ZXdheSkgaXMgcmVxdWlyZWQgYnkgDQogICAgICAgdGhlIFVMRSBS ZWNlaXZlcnMsIGFsdGhvdWdoIGF0dGFja3Mgc3VjaCBhcyBtYXNxdWVyYWRpbmcsIA0KICAgICAg IG1vZGlmaWNhdGlvbiBvZiBtZXNzYWdlcyBhbmQgaW5qZWN0aW5nIElQIHBhY2tldHMgYXJlIG1v cmUgDQogICAgICAgZGlmZmljdWx0LiBIb3dldmVyIHN1Y2ggYXR0YWNrcyBvbiBpbmRpdmlkdWFs IFVMRSBSZWNlaXZlcnMgYXJlIA0KICAgICAgIHBvc3NpYmxlIGFuZCBjYW4gcGFzcyB1bm5vdGlj ZWQgYnkgdGhlIFVMRSBuZXR3b3JrIG9wZXJhdG9ycyBvciANCiAgICAgICBJU1BzLiBUaGVyZWZv cmUgVUxFIGF1dGhlbnRpY2F0aW9uIGFuZCBpbnRlZ3JpdHkgY2hlY2tzIGFyZSANCiAgICAgICBy ZXF1aXJlZC4gSVBzZWMgY2FuIGJlIHVzZWQgdG8gcHJvdmlkZSBzb3VyY2UgYXV0aGVudGljYXRp b24gYnV0IA0KICAgICAgIGhhcyBzb21lIGRpc2FkdmFudGFnZXM7IGZ1cnRoZXIgYW5hbHlzaXMg b24gSVBzZWMgaXMgcHJlc2VudGVkIGluIA0KICAgICAgIHNlY3Rpb24gNC4gDQoNCiAgICAyLjEu IFRocmVhdCBTY2VuYXJpb3MgDQoNCiAgICAgICBJbiBub3JtYWwgTVBFRyB0cmFuc21pc3Npb24g bmV0d29ya3MgcGFja2V0cyBhcmUgdHJhbnNtaXR0ZWQgYnkgDQogICAgICAgdGhlIFVMRSBFbmNh cHN1bGF0aW9uIEdhdGV3YXkgdG8gdGhlIFVMRSBSZWNlaXZlcnMuIFRoaXMgaXMgDQogICAgICAg c29tZXRpbWVzIGNhbGxlZCBhIHN0YXIgdG9wb2xvZ3kgd2hpY2ggaXMgdGhlIG1haW4gZm9jdXMg b2YgdGhpcyANCiAgICAgICBkb2N1bWVudC4gTWVzaCB0b3BvbG9naWVzIHdoZXJlIFVMRSBSZWNl aXZlcnMgYXJlIFVMRSBzb3VyY2VzIGFzIA0KICAgICAgIHdlbGwgYXJlIG91dCBvZiBzY29wZSBv ZiB0aGlzIGRvY3VtZW50LiANCg0KICAgICAgIEluIHRoZSBzdGFyIHRvcG9sb2d5LCB0aHJlZSB0 aHJlYXQgc2NlbmFyaW9zIGNhbiBiZSBlbnZpc2FnZWQ6IA0KDQogICAgMi4xLjEuIFNjZW5hcmlv IDE6IE1vbml0b3JpbmcgKHBhc3NpdmUgdGhyZWF0KSANCg0KICAgICAgIEhlcmUgdGhlIGludHJ1 ZGVyIG1vbml0b3JzIHRoZSBVTEUgYnJvYWRjYXN0cyBpbiBvcmRlciB0byBnYWluIA0KICAgICAg IGluZm9ybWF0aW9uIGFib3V0IFVMRSBkYXRhIGFuZC9vciB0cmFja2luZyB0aGUgY29tbXVuaWNh dGluZyANCiAgICAgICBwYXJ0aWVzLiBJbiB0aGlzIHNjZW5hcmlvLCBtZWFzdXJlcyBzaG91bGQg YmUgdGFrZW4gdG8gaGlkZSB0aGUgDQogICAgICAgVUxFIGRhdGEgYW5kIHRoZSBVTEUgUmVjZWl2 ZXJzIGlkZW50aXR5LiANCg0KICAgICANCiAgICAgDQogICAgQ3J1aWNrc2hhbmsgICAgICAgICAg IEV4cGlyZXMgRGVjZW1iZXIgMTUsIDIwMDYgICAgICAgICAgIFtQYWdlIDVdIA0KICAgICAgICAN CgwgICAgSW50ZXJuZXQtRHJhZnQgICAgICAgICBTZWN1cml0eSBSZXF1aXJlbWVudHMgZm9yIFVM RSAgICAgIEp1bmUgMjAwNiANCiAgICAgICAgDQoNCiAgICAyLjEuMi4gU2NlbmFyaW8gMjogTG9j YWwgaGlnaCBqYWNraW5nIG9mIHRoZSBNUEVHLVRTIG11bHRpcGxleCANCiAgICAgICAoYWN0aXZl IHRocmVhdCkgDQoNCiAgICAgICBIZXJlIHdlIGFzc3VtZSBhbiBpbnRydWRlciBpcyBzb3BoaXN0 aWNhdGVkIGFuZCBhYmxlIHRvIGJsb2NrIHRoZSANCiAgICAgICBvcmlnaW5hbCB0cmFuc21pc3Np b24gZnJvbSB0aGUgVUxFIEVuY2Fwc3VsYXRpb24gR2F0ZXdheSBhbmQgDQogICAgICAgZGVsaXZl ciBhIG1vZGlmaWVkIHZlcnNpb24gb2YgdGhlIE1QRUctVFMgdHJhbnNtaXNzaW9uIHRvIGEgDQog ICAgICAgc2luZ2xlIFVMRSBSZWNlaXZlciBvciBhIHNtYWxsIGdyb3VwIG9mIFJlY2VpdmVycyAo ZS5nLiBpbiBhIA0KICAgICAgIHNpbmdsZSBjb21wYW55IHNpdGUpLiBUaGUgTVBFRyB0cmFuc21p c3Npb24gbmV0d29yayBtaWdodCBub3QgYmUgDQogICAgICAgYXdhcmUgb2Ygc3VjaCBhdHRhY2tz LiBJbiBhZGRpdGlvbiB0byB0aGUgc2VjdXJpdHkgcmVxdWlyZW1lbnRzIA0KICAgICAgIGZvciBz Y2VuYXJpbyAxLCBoZXJlIGV4dHJhIG1lYXN1cmVzIHNob3VsZCBiZSB0YWtlbiB0byBlbnN1cmUg VUxFIA0KICAgICAgIHNvdXJjZSBhdXRoZW50aWNhdGlvbiBhbmQgcHJldmVudGluZyByZXBsYXkg b2Ygb2xkIG1lc3NhZ2VzLiANCg0KICAgIDIuMS4zLiBTY2VuYXJpbyAzOiBHbG9iYWwgaGlnaCBq YWNraW5nIG9mIHRoZSBNUEVHLVRTIG11bHRpcGxleCANCiAgICAgICAoYWN0aXZlIHRocmVhdCkg IA0KDQogICAgICAgSGVyZSB3ZSBhc3N1bWUgYW4gaW50cnVkZXIgaXMgdmVyeSBzb3BoaXN0aWNh dGVkIGFuZCBhYmxlIHRvIGhpZ2ggDQogICAgICAgamFjayB0aGUgd2hvbGUgTVBFRyB0cmFuc21p c3Npb24gbXVsdGlwbGV4LiBUaGUgcmVxdWlyZW1lbnRzIGhlcmUgDQogICAgICAgYXJlIHNpbWls YXIgdG8gc2NlbmFyaW8gMi4gVGhlIE1QRUcgdHJhbnNtaXNzaW9uIG5ldHdvcmsgY2FuIA0KICAg ICAgIHF1aWNrbHkgaWRlbnRpZnkgc3VjaCBhdHRhY2tzLiBUaGlzIHR5cGUgb2YgYXR0YWNrIGNh bm5vdCBiZSANCiAgICAgICBwcm90ZWN0ZWQgYWdhaW5zdCB3aXRoIGEgVUxFIHNlY3VyaXR5IHN5 c3RlbS4gVGhlIE1QRUcgDQogICAgICAgdHJhbnNtaXNzaW9uIG5ldHdvcmsgbXVzdCByZXNvcnQg dG8gb3RoZXIgbWVhbnMgdG8gcmVzdG9yZSB0aGUgDQogICAgICAgb3JpZ2luYWwgdHJhbnNtaXNz aW9ucy4gDQoNCiAgICAgICBJbiB0ZXJtcyBvZiBwcmlvcml0eSwgc2NlbmFyaW8gMSBpcyBjb25z aWRlcmVkIHRoZSBtYWpvciB0aHJlYXQgDQogICAgICAgaW4gTVBFRyB0cmFuc21pc3Npb24gc3lz dGVtcy4gU2NlbmFyaW8gMiBpcyBsaWtlbHkgdG8gYSBzbWFsbGVyIA0KICAgICAgIGRlZ3JlZSBp biBjZXJ0YWluIGNhc2VzIGFuZCBoZW5jZSB0aGUgZXh0cmEgcHJvdGVjdGlvbnMgc2hvdWxkIGJl IA0KICAgICAgIG9wdGlvbmFsIGFuZCB1c2VkIG9ubHkgd2hlbiBzdWNoIHRocmVhdCBpcyBhIHBv c3NpYmlsaXR5IHRvIHNvbWUgDQogICAgICAgTVBFRyB0cmFuc21pc3Npb24gc2VydmljZXMuIFNj ZW5hcmlvIDMgaXMgbm90IGVudmlzYWdlZCB0byBiZSBhIA0KICAgICAgIHByYWN0aWNhbCBiZWNh dXNlIGl0IHdpbGwgYmUgdmVyeSBkaWZmaWN1bHQgdG8gcGFzcyB1bm5vdGljZWQgYnkgDQogICAg ICAgdGhlIE1QRUcgdHJhbnNtaXNzaW9uIG9wZXJhdG9yLiBUaGVyZWZvcmUgc2NlbmFyaW8gMyBp cyBvdXQgb2YgDQogICAgICAgc2NvcGUgZm9yIHRoaXMgZG9jdW1lbnQuIA0KDQogICAgMy4gU2Vj dXJpdHkgUmVxdWlyZW1lbnRzIGZvciBJUCBvdmVyIE1QRUctMiBUUyANCg0KICAgICAgIEZyb20g dGhlIGFib3ZlIGFuYWx5c2lzLCB0aGUgZm9sbG93aW5nIHNlY3VyaXR5IHJlcXVpcmVtZW50cyBj YW4gDQogICAgICAgYmUgZGVyaXZlZDogDQoNCiAgICAgICBvIERhdGEgY29uZmlkZW50aWFsaXR5 IGlzIHRoZSBtYWpvciByZXF1aXJlbWVudCBhZ2FpbnN0IHBhc3NpdmUgDQogICAgICAgICAgdGhy ZWF0cyAodXNpbmcgZW5jcnlwdGlvbikuIEwyIGVuY3J5cHRpb24gb3IgTDMgKElQc2VjKSANCiAg ICAgICAgICBlbmNyeXB0aW9uIGNhbiBzYXRpc2Z5IHRoaXMgcmVxdWlyZW1lbnQuIA0KDQogICAg ICAgbyBIaWRpbmcgb2YgTGF5ZXIgMiBNQUMvTlBBIGFkZHJlc3MuIFRoaXMgaXMgbmVlZGVkIHBh cnRpY3VsYXJseSANCiAgICAgICAgICBpbiB0aGUgTVBFRy0yIGJyb2FkY2FzdCBuZXR3b3JrcyB0 byBzdG9wIGFuIGludHJ1ZGVyIGdhaW5pbmcgDQogICAgICAgICAgaW5mb3JtYXRpb24gYnkgb2Jz ZXJ2aW5nIHRoZSBpZGVudGl0eSBvZiB0aGUgY29tbXVuaWNhdGluZyANCiAgICAgICAgICBwYXJ0 aWVzIGFuZCB0aGUgdm9sdW1lIG9mIHRoZWlyIHRyYWZmaWMuIA0KDQogICAgICAgbyBGb3IgYWN0 aXZlIHRocmVhdHM6IFVMRSBzb3VyY2UgYXV0aGVudGljYXRpb24gYW5kIGRhdGEgDQogICAgIA0K ICAgICANCiAgICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhwaXJlcyBEZWNlbWJlciAxNSwgMjAw NiAgICAgICAgICAgW1BhZ2UgNl0gDQogICAgICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAgICAg ICAgIFNlY3VyaXR5IFJlcXVpcmVtZW50cyBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAgICAg ICANCg0KICAgICAgICAgIGludGVncml0eSBhcmUgcmVxdWlyZWQsIHVzaW5nIHRlY2huaXF1ZXMg c3VjaCBhcyBtZXNzYWdlIA0KICAgICAgICAgIGF1dGhlbnRpY2F0aW9uIGNvZGUgYW5kIGRpZ2l0 YWwgc2lnbmF0dXJlcy4gU2VxdWVuY2UgbnVtYmVycyANCiAgICAgICAgICBhcmUgcmVxdWlyZWQg dG8gc3RvcCByZXBsYXkgYXR0YWNrcy4gIFRoZXJlZm9yZSwgTDIgZGF0YSANCiAgICAgICAgICBp bnRlZ3JpdHkvYXV0aGVudGljYXRpb24gaXMgb3B0aW9uYWwsIGJ1dCBzdGlsbCBpbXBvcnRhbnQg aW4gDQogICAgICAgICAgZW52aXJvbm1lbnRzIGluIHdoaWNoIHNldmVyYWwgaW5kZXBlbmRlbnQg bmV0d29ya3Mgc2hhcmUgYSANCiAgICAgICAgICBzaW5nbGUgdHJhbnNtaXNzaW9uIHJlc291cmNl LiBJbiBhZGRpdGlvbiwgZnVuY3Rpb25zIHRvIA0KICAgICAgICAgIGRldGVybWluZSB0aGUgaW50 ZWdyaXR5IG9mIGNvbnRyb2wgYW5kIG1hbmFnZW1lbnQgbWVzc2FnZXMgaW4gDQogICAgICAgICAg TVBFRy0yIHRyYW5zbWlzc2lvbiBuZXR3b3JrcyBzdWNoIGFzIFNJIHRhYmxlcyBhcmUgYW5vdGhl ciANCiAgICAgICAgICBvcHRpb25hbCByZXF1aXJlbWVudCwgYnV0IGFyZSBvdXRzaWRlIHRoZSBz Y29wZSBvZiBVTEUgDQogICAgICAgICAgc2VjdXJpdHkuIA0KDQogICAgICAgbyBMYXllciBMMiBl bmRwb2ludCBhdXRoZW50aWNhdGlvbjogVGhpcyB3aWxsIGJlIHBhcnQgb2YgdGhlIGtleSANCiAg ICAgICAgICBtYW5hZ2VtZW50LiBJdCB3aWxsIGJlIHBlcmZvcm1lZCBkdXJpbmcgdGhlIGluaXRp YWwga2V5IA0KICAgICAgICAgIGV4Y2hhbmdlIGFuZCBhdXRoZW50aWNhdGlvbiBwaGFzZS4gDQoN CiAgICAgICBvIEVuZC10by1lbmQgc2VjdXJpdHkgKHN1Y2ggYXMgSVBzZWMgYW5kIFRMUyBbMTNd KSBhbmQgVUxFIGxpbmsgDQogICAgICAgICAgc2VjdXJpdHkgc2hvdWxkIHdvcmsgaW4gcGFyYWxs ZWwgd2l0aG91dCBvYnN0cnVjdGluZyBlYWNoIA0KICAgICAgICAgIG90aGVyLiANCg0KICAgICAg IG8gRGVjb3VwbGluZyBvZiBVTEUga2V5IG1hbmFnZW1lbnQgZnVuY3Rpb25zIGZyb20gVUxFIA0K ICAgICAgICAgIGVuY3J5cHRpb24uIFRoaXMgd2lsbCBhbGxvdyB0aGUgaW5kZXBlbmRlbnQgZGVm aW5pdGlvbiBvZiANCiAgICAgICAgICB0aGVzZSBzeXN0ZW1zIHN1Y2ggYXMgdGhlIHJlLXVzZSBv ZiBleGlzdGluZyBzZWN1cml0eSANCiAgICAgICAgICBtYW5hZ2VtZW50IHN5c3RlbXMgKGUuZy4g R1NBS01QIFs5XSBhbmQgR0RPSSBbMTBdKSwgcGx1cyBvdGhlciANCiAgICAgICAgICBzeXN0ZW1z IHN1Y2ggYXMgRFZCLVJDUyBbNl0gYW5kL29yIHRoZSBkZXZlbG9wbWVudCBvZiBuZXcgDQogICAg ICAgICAgc3lzdGVtcywgYXMgcmVxdWlyZWQuIA0KDQogICAgICAgbyBPdGhlciBnZW5lcmFsIHJl cXVpcmVtZW50cyBhcmU6IA0KDQogICAgICAgICAgICBvIFByb3RlY3Rpb24gb2YgdGhlIG1hbmFn ZW1lbnQgc3lzdGVtIGFuZCB0aGUgaW5mcmFzdHJ1Y3R1cmUgDQogICAgICAgICAgICAgIGZyb20g dW5hdXRob3JpemVkIHBlb3BsZS4gVUxFIGVuY3J5cHRpb24gd2lsbCBwcm92aWRlIA0KICAgICAg ICAgICAgICBwYXJ0aWFsIHByb3RlY3Rpb24gdGhyb3VnaCB0aGUga2V5IG1hbmFnZW1lbnQgcHJv Y2VkdXJlcyANCiAgICAgICAgICAgICAgYW5kIGRhdGEgZW5jcnlwdGlvbi4gDQoNCiAgICAgICAg ICAgIG8gT3BlcmF0aW9uYWwgaXNzdWVzOiBCZWNhdXNlIG9mIHRoZSBwb3NzaWJsZSBsYXJnZSBj b3ZlcmFnZSANCiAgICAgICAgICAgICAgb2YgYSBicm9hZGNhc3QgdHJhbnNtaXNzaW9uIG5ldHdv cmssIGl0IG1heSBiZSByZXF1aXJlZCB0byANCiAgICAgICAgICAgICAgZGVsaXZlciBkYXRhIHRv IG1hbnkgZGlmZmVyZW50IGNvdW50cmllcyB0aGF0IG1heSBoYXZlIA0KICAgICAgICAgICAgICBk aWZmZXJlbnQgc2VjdXJpdHkgbGVnaXNsYXRpb24gKHJlbGF0ZWQgdG8gYXV0aG9yaXplZCANCiAg ICAgICAgICAgICAgZW5jcnlwdGlvbiBhbGdvcml0aG1zIGFuZCB0aGUgbGVuZ3RoIG9mIGtleXMp LiBUaGVyZWZvcmUgDQogICAgICAgICAgICAgIHRoZSBVTEUgc2VjdXJpdHkgc3lzdGVtIHNob3Vs ZCBhbGxvdyBhIHdpZGUgcmFuZ2Ugb2YgDQogICAgICAgICAgICAgIHNlY3VyaXR5IHBhcmFtZXRl cnMgZHVyaW5nIHRoZSBuZWdvdGlhdGlvbiBwaGFzZSBpbiBvcmRlciANCiAgICAgICAgICAgICAg dG8gb2ZmZXIgZmxleGliaWxpdHkgdG8gb3BlcmF0b3JzLiBJbiBVTEUgc2VjdXJpdHksIHRoZSAN CiAgICAgICAgICAgICAgY2hvaWNlIG9mIHN1Y2ggYWxnb3JpdGhtcyB3aWxsIGJlIGRlY2lkZWQg YnkgdGhlIGtleSANCiAgICAgICAgICAgICAgbWFuYWdlbWVudCBzeXN0ZW0gaW4gdXNlLiANCg0K ICAgICAgICAgICAgbyBDb21wYXRpYmlsaXR5IHdpdGggb3RoZXIgbmV0d29ya2luZyBmdW5jdGlv bnM6IE90aGVyIA0KICAgICAgICAgICAgICBuZXR3b3JraW5nIGZ1bmN0aW9ucyBzdWNoIGFzIE5B VCAoTmV0d29yayBBZGRyZXNzIA0KICAgICAgICAgICAgICBUcmFuc2xhdGlvbikgWzEyXSBvciBU Q1AgYWNjZWxlcmF0aW9uIGNhbiBiZSB1c2VkIGluIGEgDQogICAgIA0KICAgICANCiAgICBDcnVp Y2tzaGFuayAgICAgICAgICAgRXhwaXJlcyBEZWNlbWJlciAxNSwgMjAwNiAgICAgICAgICAgW1Bh Z2UgN10gDQogICAgICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAgICAgICAgIFNlY3VyaXR5IFJl cXVpcmVtZW50cyBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAgICAgICANCg0KICAgICAgICAg ICAgICB3aXJlbGVzcyBEVkIgbmV0d29ya3MgKHNlZSBSRkMzMTM1KS4gVGhlIFVMRSBzZWN1cml0 eSANCiAgICAgICAgICAgICAgc29sdXRpb24gc2hvdWxkIGJlIGNvbXBhdGlibGUgd2l0aCBmdW5j dGlvbnMgc3VjaCBhcyANCiAgICAgICAgICAgICAgTkFUL05BUFQsIElQc2VjLCBUTFMsIGV0Yy4g DQoNCiAgICAgICAgICAgIG8gVHJhY2VhYmlsaXR5IChzdWNoIGFzIHVzaW5nIGludHJ1c2lvbiBk ZXRlY3Rpb24gc3lzdGVtcyk6IA0KICAgICAgICAgICAgICBUbyBtb25pdG9yIHRyYW5zbWlzc2lv biBuZXR3b3JrIChlLmcuIHVzaW5nIGxvZyBmaWxlcyB0byANCiAgICAgICAgICAgICAgcmVjb3Jk IHRoZSBhY3Rpdml0aWVzIG9uIHRoZSBuZXR3b3JrKS4gVGhpcyBpcyBvdXQgb2YgDQogICAgICAg ICAgICAgIHNjb3BlIGZvciBVTEUgc2VjdXJpdHkuIA0KDQogICAgICAgRXhhbWluaW5nIHNjZW5h cmlvcyAxIGFuZCAyIGluIHNlY3Rpb24gMi4xLiwgdGhlIHJlcXVpcmVtZW50cyBmb3IgDQogICAg ICAgZWFjaCBzY2VuYXJpbyBjYW4gYmUgc3VtbWFyaXNlZCBhczogDQoNCiAgICAgICBTY2VuYXJp byAxOiBEYXRhIGNvbmZpZGVudGlhbGl0eSBNVVNUIGJlIHByb3ZpZGVkIHRvIHByZXZlbnQgDQog ICAgICAgbW9uaXRvcmluZyBvZiB0aGUgVUxFIGRhdGEgKHN1Y2ggYXMgSVAgcGFja2V0IGFuZCB1 c2VyIA0KICAgICAgIGluZm9ybWF0aW9uKS4gQWxzbyBVTEUgTUFDIGFkZHJlc3MgaGlkaW5nIHNo b3VsZCBiZSBwcm92aWRlZCB0byANCiAgICAgICBwcmV2ZW50IGFjY2VzcyB0byBjb21tdW5pY2F0 aW5nIHBhcnRpZXMnIGlkZW50aXR5IGFuZCB0cmFja2luZyANCiAgICAgICB0aGVpciBjb21tdW5p Y2F0aW9ucy4gVGhlc2UgcmVxdWlyZW1lbnRzIGFyZSBtYW5kYXRvcnkgZm9yIGEgVUxFIA0KICAg ICAgIHNlY3VyaXR5IHN5c3RlbS4gDQoNCiAgICAgICBTY2VuYXJpbyAyOiBJbiBhZGRpdGlvbiB0 byBzY2VuYXJpbyAxIHJlcXVpcmVtZW50cywgYWRkaXRpb25hbCANCiAgICAgICBtZWFzdXJlcyBu ZWVkIHRvIGJlIGltcGxlbWVudGVkIHN1Y2ggYXMgc291cmNlIGF1dGhlbnRpY2F0aW9uIGFuZCAN CiAgICAgICB1c2luZyBzZXF1ZW5jZSBudW1iZXJzIHRvIHByZXZlbnQgcmVwbGF5IGF0dGFja3Mu IFRoaXMgd2lsbCBzdG9wIA0KICAgICAgIGludHJ1ZGVycyBmcm9tIGluamVjdGluZyB0aGVpciBv d24gZGF0YSBpbnRvIHRoZSBNUEVHLVRTIHN0cmVhbS4gDQogICAgICAgSG93ZXZlciwgc2NlbmFy aW8gMiB0aHJlYXRzIGNhbiBoYXBwZW4gb25seSBpbiBzcGVjaWZpYyBzZXJ2aWNlIA0KICAgICAg IGNhc2VzIGFuZCB0aGVyZWZvcmUgc291cmNlIGF1dGhlbnRpY2F0aW9uIGFuZCBzZXF1ZW5jZSBu dW1iZXJzIA0KICAgICAgIFNIT1VMRCBiZSBvcHRpb25hbCBmb3IgdGhlIFVMRSBzZWN1cml0eSBz eXN0ZW0gYmVjYXVzZSBvZiB0aGUgDQogICAgICAgZXh0cmEgb3ZlcmhlYWRzIGl0IGluY3Vycy4g DQoNCiAgICAgICBTY2VuYXJpbyAzOiBVTEUgc2VjdXJpdHkgc3lzdGVtIGNhbiBub3QgcHJvdGVj dCBhZ2FpbnN0IHN1Y2ggDQogICAgICAgYXR0YWNrcy4gDQoNCiAgICA0LiBJUHNlYyBhbmQgTVBF Ry0yIFRyYW5zbWlzc2lvbiBOZXR3b3JrcyAgDQoNCiAgICAgICBJUHNlYyBzdXBwb3J0cyB0d28g bW9kZXMgb2YgdXNlOiB0cmFuc3BvcnQgbW9kZSBhbmQgdHVubmVsIG1vZGUuIA0KICAgICAgIElu IHRyYW5zcG9ydCBtb2RlLCBBSCBhbmQgRVNQIHByb3ZpZGUgcHJvdGVjdGlvbiBwcmltYXJpbHkg Zm9yIA0KICAgICAgIG5leHQgbGF5ZXIgcHJvdG9jb2xzOyBpbiB0dW5uZWwgbW9kZSwgQUggYW5k IEVTUCBhcmUgYXBwbGllZCB0byANCiAgICAgICB0dW5uZWxsZWQgSVAgcGFja2V0cy4gSW4gYm90 aCBtb2RlcywgZGF0YSBpbnRlZ3JpdHkgaXMgcHJvdmlkZWQgDQogICAgICAgYW5kIGluIGFkZGl0 aW9uLCBFU1AgcHJvdmlkZXMgdGhlIGRhdGEgcHJpdmFjeSBzZXJ2aWNlIGFzIHdlbGwuIA0KDQog ICAgICAgSXQgaXMgcG9zc2libGUgdG8gdXNlIElQc2VjIHRvIHNlY3VyZSBVTEUgbGlua3MuIFRo ZSBtYWpvciANCiAgICAgICBhZHZhbnRhZ2Ugb2YgSVBzZWMgaXMgaXRzIHdpZGUgaW1wbGVtZW50 YXRpb24gaW4gSVAgcm91dGVycyBhbmQgDQogICAgICAgaG9zdHMuIFRoZSBzZWN1cml0eSBhcmNo aXRlY3R1cmUgZm9yIHRoZSBJbnRlcm5ldCBQcm90b2NvbCBbMTVdIA0KICAgICAgIGRlc2NyaWJl cyBzZWN1cml0eSBzZXJ2aWNlcyBmb3IgdHJhZmZpYyBhdCB0aGUgSVAgbGF5ZXIuIFRoYXQgDQog ICAgICAgYXJjaGl0ZWN0dXJlIHByaW1hcmlseSBkZWZpbmVzIHNlcnZpY2VzIGZvciBJbnRlcm5l dCBQcm90b2NvbCANCiAgICAgICAoSVApIHVuaWNhc3QgcGFja2V0cywgYXMgd2VsbCBhcyBtYW51 YWxseSBjb25maWd1cmVkIElQIG11bHRpY2FzdCANCiAgICAgICBwYWNrZXRzLiANCg0KICAgICAN CiAgICAgDQogICAgQ3J1aWNrc2hhbmsgICAgICAgICAgIEV4cGlyZXMgRGVjZW1iZXIgMTUsIDIw MDYgICAgICAgICAgIFtQYWdlIDhdIA0KICAgICAgICANCgwgICAgSW50ZXJuZXQtRHJhZnQgICAg ICAgICBTZWN1cml0eSBSZXF1aXJlbWVudHMgZm9yIFVMRSAgICAgIEp1bmUgMjAwNiANCiAgICAg ICAgDQoNCiAgICAgICBIb3dldmVyIElQc2VjIGlzIG5vdCB3ZWxsLXN1aXRlZCB0byBwcm90ZWN0 IHRoZSBpZGVudGl0eSBvZiB0aGUgDQogICAgICAgVUxFIGVuY2Fwc3VsYXRvci9SZWNlaXZlcnMg dG8gcHJvdmlkZSB0aGlzLiBUaGUgaW50ZXJmYWNlcyBvZiANCiAgICAgICB0aGVzZSBkZXZpY2Vz IGFsc28gZG8gbm90IG5lY2Vzc2FyaWx5IGhhdmUgSVAgYWRkcmVzc2VzICh0aGV5IGNhbiANCiAg ICAgICBiZSBMMiBkZXZpY2VzKS4gDQoNCiAgICAgICBJbiBhZGRpdGlvbiwgSVAgTXVsdGljYXN0 IGlzIGNvbnNpZGVyZWQgYXMgYSBtYWpvciBzZXJ2aWNlIG92ZXIgDQogICAgICAgTVBFRy0yIFRy YW5zbWlzc2lvbiBOZXR3b3Jrcy4gQSBkb2N1bWVudCBwcm9kdWNlZCBieSB0aGUgSUVURiANCiAg ICAgICBNdWx0aWNhc3QgU2VjdXJpdHkgKG1zZWMpIFs4XSBXb3JraW5nIEdyb3VwIG9uIElQc2Vj IGV4dGVuc2lvbnMgDQogICAgICAgZm9yIG11bHRpY2FzdCBbMTFdIGRlc2NyaWJlcyBleHRlbnNp b25zIHRvIFsxNV0gdGhhdCBmdXJ0aGVyIA0KICAgICAgIGRlZmluZSB0aGUgSVBzZWMgc2VjdXJp dHkgYXJjaGl0ZWN0dXJlIGZvciBwYWNrZXRzIHRoYXQgY2FycnkgYSANCiAgICAgICBtdWx0aWNh c3QgYWRkcmVzcyBpbiB0aGUgSVAgZGVzdGluYXRpb24gZmllbGQsIGFsbG93aW5nIHRoZXNlIHRv IA0KICAgICAgIHJlbWFpbiBJUCBtdWx0aWNhc3QgcGFja2V0cy4gIA0KDQogICAgNC4xLiBUdW5u ZWwgbW9kZSB1c2Ugb2YgSVBzZWMgZm9yIG11bHRpY2FzdCAgDQoNCiAgICAgICBJbiB0aGUgY29u dGV4dCBvZiBNUEVHLTIgdHJhbnNtaXNzaW9uIGxpbmtzLCBpZiBJUHNlYyBpcyB1c2VkIHRvIA0K ICAgICAgIHNlY3VyZSBhIFVMRSBsaW5rLCB0aGVuIHRoZSBVTEUgRW5jYXBzdWxhdG9ycyBhbmQg UmVjZWl2ZXJzIGFyZSANCiAgICAgICBlcXVpdmFsZW50IHRvIHRoZSBzZWN1cml0eSBnYXRld2F5 cyBpbiBJUHNlYyB0ZXJtaW5vbG9neS4gQSANCiAgICAgICBzZWN1cml0eSBnYXRld2F5IGltcGxl bWVudGF0aW9uIG9mIElQc2VjIHVzaW5nIHRoZSBtdWx0aWNhc3QgDQogICAgICAgZXh0ZW5zaW9u cyBNVVNUIHVzZSB0dW5uZWwgbW9kZS4gSW4gcGFydGljdWxhciwgdGhlIHNlY3VyaXR5IA0KICAg ICAgIGdhdGV3YXkgbXVzdCB1c2UgdGhlIHR1bm5lbCBtb2RlIHRvIGVuY2Fwc3VsYXRlIGluY29t aW5nIA0KICAgICAgIGZyYWdtZW50cy4gDQoNCiAgICAgICBXaXRoIElQc2VjIHR1bm5lbCBtb2Rl LCB0aGVyZSBhcmUgdHdvIGNoYWxsZW5nZXM6IEZpcnN0LCBpZiB0aGUgDQogICAgICAgZGVzdGlu YXRpb24gb2YgYW4gSVAgbXVsdGljYXN0IHBhY2tldCBpcyBjaGFuZ2VkIGl0IHdpbGwgbm8gDQog ICAgICAgbG9uZ2VyIGJlIHByb3Blcmx5IHJvdXRlZC4gU2Vjb25kbHksIElQIG11bHRpY2FzdCBy b3V0aW5nIA0KICAgICAgIHByb3RvY29scyBhbHNvIHR5cGljYWxseSBjcmVhdGUgbXVsdGljYXN0 IGRpc3RyaWJ1dGlvbiB0cmVlcyANCiAgICAgICBiYXNlZCBvbiB0aGUgc291cmNlIGFkZHJlc3Mu IEFuIElQc2VjIHNlY3VyaXR5IGdhdGV3YXkgdGhhdCANCiAgICAgICBjaGFuZ2VzIHRoZSBzb3Vy Y2UgYWRkcmVzcyBvZiBhbiBJUCBtdWx0aWNhc3QgcGFja2V0LCBhZ2FpbiB0aGlzIA0KICAgICAg IHdpbGwgY2F1c2UgbXVsdGljYXN0IHJvdXRpbmcgcHJvYmxlbXMuIFRoZSBkb2N1bWVudCByZWZl cmVuY2VkIGluIA0KICAgICAgIFsxMV0gZGVmaW5lcyBhIHdheSBmb3IgcmV0YWluaW5nIGJvdGgg dGhlIElQIHNvdXJjZSBhbmQgDQogICAgICAgZGVzdGluYXRpb24gYWRkcmVzc2VzIG9mIHRoZSBp bm5lciBJUCBoZWFkZXIgdG8gYWxsb3cgSVAgDQogICAgICAgbXVsdGljYXN0IHJvdXRpbmcgcHJv dG9jb2xzIHRvIHJvdXRlIHRoZSBwYWNrZXQgaXJyZXNwZWN0aXZlIG9mIA0KICAgICAgIHRoZSBw YWNrZXQgYmVpbmcgSVBzZWMgcHJvdGVjdGVkLiBUaGlzIGludGVycHJldGF0aW9uIG9mIHR1bm5l bCANCiAgICAgICBtb2RlIGlzIGtub3duIGFzIHR1bm5lbCBtb2RlIHdpdGggYWRkcmVzcyBwcmVz ZXJ2YXRpb24uIA0KDQogICAgNC4yLiBJUHNlYyBhbmQgTDIgc2VjdXJpdHkgIA0KDQogICAgICAg SVBzZWMgaW4gdHJhbnNwb3J0IG1vZGUgY2FuIGJlIHVzZWQgZm9yIGVuZC10by1lbmQgc2VjdXJp dHkgDQogICAgICAgdHJhbnNwYXJlbnRseSBvZiBNUEVHLTIgdHJhbnNtaXNzaW9uIGxpbmtzIHdp dGggbm8gaW1wYWN0LiANCg0KICAgICAgIEhvd2V2ZXIsIGlmIElQc2VjIGlzIHVzZWQgdG8gc2Vj dXJlIFVMRSBsaW5rcywgdGhlbiBpdCBtdXN0IGJlIA0KICAgICAgIHVzZWQgaW4gdHVubmVsIG1v ZGUuIFN1Y2ggdXNhZ2UgaGFzIHRoZSBmb2xsb3dpbmcgZGlzYWR2YW50YWdlczogDQoNCiAgICAg ICBvIFRoZXJlIGlzIGEgbmVlZCB0byBwcm90ZWN0IHRoZSBpZGVudGl0eSBvZiBVTEUgZW5jYXBz dWxhdG9yIC8gDQogICAgICAgICAgcmVjZWl2ZXJzIG92ZXIgdGhlIFVMRSBicm9hZGNhc3QgbWVk aXVtOyBJUHNlYyBpcyBub3Qgc3VpdGFibGUgDQogICAgICAgICAgZm9yIHByb3ZpZGluZyB0aGlz IHNlcnZpY2UuIA0KICAgICANCiAgICAgDQogICAgQ3J1aWNrc2hhbmsgICAgICAgICAgIEV4cGly ZXMgRGVjZW1iZXIgMTUsIDIwMDYgICAgICAgICAgIFtQYWdlIDldIA0KICAgICAgICANCgwgICAg SW50ZXJuZXQtRHJhZnQgICAgICAgICBTZWN1cml0eSBSZXF1aXJlbWVudHMgZm9yIFVMRSAgICAg IEp1bmUgMjAwNiANCiAgICAgICAgDQoNCiAgICAgICBvIFRoZXJlIGlzIGFuIGV4dHJhIG92ZXJo ZWFkcyBhc3NvY2lhdGVkIHdpdGggdXNpbmcgSVBzZWMgaW4gDQogICAgICAgICAgdHVubmVsIG1v ZGUsIGkuZS4gdGhlIGV4dHJhIElQIGhlYWRlciAoSVB2NCBvciBJUHY2KS4gDQoNCiAgICAgICBv IE11bHRpY2FzdCBpcyBjb25zaWRlcmVkIGFzIGEgbWFqb3Igc2VydmljZSBvdmVyIFVMRSBsaW5r cy4gVGhlIA0KICAgICAgICAgIGN1cnJlbnQgSVBzZWMgc3BlY2lmaWNhdGlvbnMgWzE1XSBvbmx5 IGRlZmluZSBhIHBhaXJ3aXNlIA0KICAgICAgICAgIHR1bm5lbCBiZXR3ZWVuIHR3byBJUHNlYyBk ZXZpY2VzIHdpdGggbWFudWFsIGtleWluZy4gV29yayBpbiANCiAgICAgICAgICBwcm9ncmVzcyBb MTFdIGlzIGRlZmluaW5nIHRoZSBleHRyYSBkZXRhaWwgbmVlZGVkIGZvciANCiAgICAgICAgICBt dWx0aWNhc3QgYW5kIHRvIHVzZSB0aGUgdHVubmVsIG1vZGUgd2l0aCBhZGRyZXNzIHByZXNlcnZh dGlvbiANCiAgICAgICAgICBhcyBkZXNjcmliZWQgaW4gc2VjdGlvbiA0LjEuIA0KDQogICAgICAg SW4gdGhlIFVMRSBsaW5rIGNvbnRleHQsIGluIGFkZGl0aW9uIHRvIHRoZSBJUHNlYyB0dW5uZWxs aW5nIA0KICAgICAgIG92ZXJoZWFkLCB0aGUgc291cmNlIGFuZCBkZXN0aW5hdGlvbiBhZGRyZXNz IHByZXNlcnZhdGlvbiBtZWFucyANCiAgICAgICB0aGF0IHRoZXNlIElQIGFkZHJlc3NlcyBhcmUg YnJvYWRjYXN0IGluIHRoZSBjbGVhci4gVGhpcyBwcm92aWRlcyANCiAgICAgICBhbiBvcHBvcnR1 bml0eSB0byBpbnRlcmNlcHQgdGhlIHRyYWZmaWMgaW5mb3JtYXRpb24gKHdlYWtlbmluZyANCiAg ICAgICB0aGUgYWJpbGl0eSB0byBwcm92aWRlIHRoZSBpZGVudGl0eSBoaWRpbmcpLiBIb3dldmVy IFsxMV0gDQogICAgICAgbWVudGlvbnMgdGhlIHBvc3NpYmlsaXR5IHRoYXQgbXVsdGljYXN0IGRh dGEgaXMgc2VudCB0aHJvdWdoIGEgDQogICAgICAgc2VydmljZSBwcm92aWRlciBuZXR3b3JrLCBh bmQgaXMgZW5jYXBzdWxhdGVkIHVuZGVyIGEgZGlmZmVyZW50IA0KICAgICAgIElQIG11bHRpY2Fz dCBhZGRyZXNzIHdoaWxlIGluIHRoZSBwcm92aWRlciBuZXR3b3JrLiBUaGUgc291cmNlIA0KICAg ICAgIGFkZHJlc3Mgb2YgdGhlIGVuY2Fwc3VsYXRpbmcgKG91dHNpZGUpIElQIGhlYWRlciBjb3Vs ZCBiZSBjaGFuZ2VkIA0KICAgICAgIHRvIHRoYXQgb2YgdGhlIFVMRSBnYXRld2F5LiANCg0KICAg IDUuIE1vdGl2YXRpb24gZm9yIFVMRSBsaW5rLWxheWVyIHNlY3VyaXR5IA0KDQogICAgICAgRXhh bWluYXRpb24gb2YgdGhlIHRocmVhdCBhbmFseXNpcyBhbmQgc2VjdXJpdHkgcmVxdWlyZW1lbnRz IGluIA0KICAgICAgIHNlY3Rpb25zIDIgYW5kIDMgaGFzIHNob3duIHRoYXQgdGhlcmUgaXMgYSBu ZWVkIHRvIHByb3ZpZGUgbGluay0NCiAgICAgICBsYXllciAoTDIpIHNlY3VyaXR5IGluIE1QRUct MiB0cmFuc21pc3Npb24gbmV0d29ya3MgZW1wbG95aW5nIA0KICAgICAgIFVMRSwgcGFydGljdWxh cmx5IHdoZW4gbmV0d29yay1sYXllciBhbmQgdHJhbnNwb3J0LWxheWVyIHNlY3VyaXR5IA0KICAg ICAgIChlLmcuIElQc2VjLCBUTFMgKSBhcmUgaW5zdWZmaWNpZW50LiANCg0KICAgICAgIFVMRSBs aW5rIHNlY3VyaXR5IGlzIHRoZXJlZm9yZSBjb25zaWRlcmVkIGFuIGFkZGl0aW9uYWwgc2VjdXJp dHkgDQogICAgICAgbWVjaGFuaXNtIHRvIElQLCB0cmFuc3BvcnQsIGFuZCBhcHBsaWNhdGlvbiBs YXllciBzZWN1cml0eSwgbm90IGEgDQogICAgICAgcmVwbGFjZW1lbnQuIEl0IHNob3VsZCBwcm92 aWRlIHNpbWlsYXIgZnVuY3Rpb25zIHRvIHRoYXQgb2YgSVBzZWMgDQogICAgICAgWzddLCBidXQg aW4gYWRkaXRpb24gcHJvdmlkZXMgbGluayBjb25maWRlbnRpYWxpdHkgYW5kIFJlY2VpdmVyIA0K ICAgICAgIGlkZW50aXR5IGhpZGluZy4gDQoNCiAgICAgICBFbmQtdG8tZW5kIHNlY3VyaXR5LCBJ UHNlYyBhbmQgVUxFIGxpbmsgc2VjdXJpdHkgKGJldHdlZW4gVUxFIA0KICAgICAgIEVuY2Fwc3Vs YXRpb24gR2F0ZXdheSB0byB0aGUgVUxFIFJlY2VpdmVycykgY2FuIHdvcmsgaW4gcGFyYWxsZWw6 IA0KICAgICAgIElQc2VjIHByb3ZpZGluZyB0aGUgZW5kLXRvLWVuZCBzZWN1cml0eSBiZXR3ZWVu IGhvc3RzIGFuZCBVTEUgDQogICAgICAgcHJvdmlkaW5nIHRoZSBzZWN1cml0eSBvdmVyIHRoZSBN UEVHLTIgdHJhbnNtaXNzaW9uIGxpbmsuIA0KICAgICAgIEhvd2V2ZXIsIG5vIGRpcmVjdCBpbnRl cmFjdGlvbiBiZXR3ZWVuIHRoZSBJUHNlYyBhbmQgdGhlIFVMRSANCiAgICAgICBzZWN1cml0eSBz eXN0ZW0gaXMgZW52aXNhZ2VkLiANCg0KICAgICAgIEEgbW9kdWxhciBkZXNpZ24gdG8gVUxFIFNl Y3VyaXR5IG1heSBhbGxvdyBpdCB0byB1c2UgYW5kIGJlbmVmaXQgDQogICAgICAgZnJvbSBJRVRG IGtleSBtYW5hZ2VtZW50IHByb3RvY29scywgc3VjaCBhcyB0aGUgTVNFQyBbOV0gYW5kIEdET0kg DQogICAgICAgWzEwXS4gVGhpcyBkb2VzIG5vdCBwcmVjbHVkZSB0aGUgdXNlIG9mIG90aGVyIGtl eSBtYW5hZ2VtZW50IA0KICAgICAgIG1ldGhvZHMgaW4gc2NlbmFyaW9zIHRoYXQgYmVuZWZpdCBm cm9tIHRoaXMuIA0KDQogICAgIA0KICAgICANCiAgICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhw aXJlcyBEZWNlbWJlciAxNSwgMjAwNiAgICAgICAgICAgW1BhZ2UgMTBdIA0KICAgICAgICANCgwg ICAgSW50ZXJuZXQtRHJhZnQgICAgICAgICBTZWN1cml0eSBSZXF1aXJlbWVudHMgZm9yIFVMRSAg ICAgIEp1bmUgMjAwNiANCiAgICAgICAgDQoNCiAgICA1LjEuIExpbmsgc2VjdXJpdHkgYmVsb3cg dGhlIEVuY2Fwc3VsYXRpb24gbGF5ZXIgDQoNCiAgICAgICBMaW5rIGxheWVyIHNlY3VyaXR5IGNh biBiZSBwcm92aWRlZCBpbiB0aGUgTVBFRy1UUyBsZXZlbCAoYmVsb3cgDQogICAgICAgVUxFKS4g TVBFRy1UUyBlbmNyeXB0aW9uIGVuY3J5cHRzIGFsbCBUUyBQYWNrZXRzIHNlbnQgd2l0aCBhIA0K ICAgICAgIHNwZWNpZmljIFBJRCB2YWx1ZS4gSG93ZXZlciBNUEVHLVRTIG1heSBtdWx0aXBsZXgg c2V2ZXJhbCBJUCANCiAgICAgICBzdHJlYW1zIHVzaW5nIGEgY29tbW9uIFBJRC4gVGhlcmVmb3Jl IGFsbCBtdWx0aXBsZXhlZCB0cmFmZmljIA0KICAgICAgIHdpbGwgc2hhcmUgdGhlIHNhbWUgc2Vj dXJpdHkga2V5cy4gDQoNCiAgICAgICBUaGlzIGhhcyB0aGUgZm9sbG93aW5nIGFkdmFudGFnZXM6 IA0KDQogICAgICAgbyBUaGUgYml0IHN0cmVhbSBzZW50IG9uIHRoZSBicm9hZGNhc3QgbmV0d29y ayBkb2VzIG5vdCBleHBvc2UgDQogICAgICAgICAgYW55IEwyIG9yIEwzIGhlYWRlcnMsIHNwZWNp ZmljYWxseSBhbGwgYWRkcmVzc2VzLCB0eXBlIGZpZWxkcywgDQogICAgICAgICAgYW5kIGxlbmd0 aCBmaWVsZHMgYXJlIGVuY3J5cHRlZCBwcmlvciB0byB0cmFuc21pc3Npb24uIA0KDQogICAgICAg byBUaGlzIG1ldGhvZCBkb2VzIG5vdCBwcmVjbHVkZSB0aGUgdXNlIG9mIElQc2VjLCBvciBhbnkg b3RoZXIgDQogICAgICAgICAgZm9ybSBvZiBoaWdoZXItbGF5ZXIgc2VjdXJpdHkuIA0KDQogICAg ICAgSG93ZXZlciBpdCBoYXMgdGhlIGZvbGxvd2luZyBkaXNhZHZhbnRhZ2VzOiANCg0KICAgICAg IG8gRWFjaCBVTEUgUmVjZWl2ZXIgbmVlZHMgdG8gZGVjcnlwdCBhbGwgTVBFRy0yIFRTIFBhY2tl dHMgd2l0aCANCiAgICAgICAgICBhIG1hdGNoaW5nIFBJRCwgcG9zc2libHkgaW5jbHVkaW5nIHRo b3NlIHRoYXQgYXJlIG5vdCByZXF1aXJlZCANCiAgICAgICAgICB0byBiZSBmb3J3YXJkZWQuIFRo ZXJlZm9yZSBpdCBkb2VzIG5vdCBoYXZlIHRoZSBmbGV4aWJpbGl0eSB0byANCiAgICAgICAgICBz ZWN1cmUgZXZlcnkgaW5kaXZpZHVhbCBJUCBjb25uZWN0aW9uIHNlcGFyYXRlbHkuIA0KDQogICAg ICAgbyBVTEUgUmVjZWl2ZXJzIHdpbGwgYmUgYWJsZSB0byBzZWUgdGhlIHByaXZhdGUgdHJhZmZp YyBkZXN0aW5lZCANCiAgICAgICAgICB0byBvdGhlciBVTEUgUmVjZWl2ZXJzLCBzaW5jZSB0aGV5 IHNoYXJlIGEgY29tbW9uIGtleS4gDQoNCiAgICAgICBvIElmIHRoZSBrZXkgaXMgY29tcHJvbWlz ZWQsIHRoZW4gdGhpcyB3aWxsIGltcGFjdCBzZXZlcmFsIFVMRSANCiAgICAgICAgICBSZWNlaXZl cnMuIEV4aXN0aW5nIGFjY2VzcyBjb250cm9sIG1lY2hhbmlzbXMgaGF2ZSBsaW1pdGVkIA0KICAg ICAgICAgIGZsZXhpYmlsaXR5IGluIHRlcm1zIG9mIGNvbnRyb2xsaW5nIHRoZSB1c2Ugb2Yga2V5 IGFuZCANCiAgICAgICAgICByZWtleWluZy4gSUVURiBiYXNlZCBrZXkgbWFuYWdlbWVudCBhcmUg bm90IHVzZWQgaW4gZXhpc3RpbmcgDQogICAgICAgICAgc3lzdGVtcy4gDQoNCiAgICAgICBJbiBw cmFjdGljZSB0aGVyZSBhcmUgbm90IG1hbnkgTDIgc2VjdXJpdHkgc3lzdGVtcyBmb3IgTVBFRyAN CiAgICAgICB0cmFuc21pc3Npb24gbmV0d29ya3MuIENvbmRpdGlvbmFsIGFjY2VzcyBmb3IgZGln aXRhbCBUViANCiAgICAgICBicm9hZGNhc3RpbmcgaXMgb25lIGV4YW1wbGUgdGhhdCBleGlzdHMg dG9kYXkuIFRoaXMgc3lzdGVtIGlzIA0KICAgICAgIG9wdGltaXNlZCBmb3IgVFYgc2VydmljZXMg YW5kIHdpbGwgYmUgc3VpdGFibGUgdG8gSVAgcGFja2V0IA0KICAgICAgIHRyYW5zbWlzc2lvbnMu IFNvbWUgb3RoZXIgc3lzdGVtcyBhcmUgc3BlY2lmaWVkIGluIHN0YW5kYXJkcyBzdWNoIA0KICAg ICAgIHRoZSBNUEUgWzRdIHN5c3RlbS4gSG93ZXZlciwgdGhlcmUgYXJlIG5vIGtub3duIGltcGxl bWVudGF0aW9ucyANCiAgICAgICBvZiBzdWNoIHN5c3RlbXMuIA0KDQogICAgNS4yLiBMaW5rIHNl Y3VyaXR5IGFzIGEgcGFydCBvZiB0aGUgRW5jYXBzdWxhdGlvbiBsYXllciANCg0KICAgICAgIFRo ZXJlZm9yZSBtYWpvciBhZHZhbnRhZ2VzIGZvciBVTEUgbGluayBzZWN1cml0eSBhcmU6IA0KDQog ICAgICAgbyBUaGUgcHJvdGVjdGlvbiBvZiB0aGUgY29tcGxldGUgVUxFIFByb3RvY29sIERhdGEg VW5pdCAoUERVKSANCiAgICAgICAgICBpbmNsdWRpbmcgSVAgYWRkcmVzc2VzLiANCiAgICAgDQog ICAgIA0KICAgIENydWlja3NoYW5rICAgICAgICAgICBFeHBpcmVzIERlY2VtYmVyIDE1LCAyMDA2 ICAgICAgICAgICBbUGFnZSAxMV0gDQogICAgICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAgICAg ICAgIFNlY3VyaXR5IFJlcXVpcmVtZW50cyBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAgICAg ICANCg0KICAgICAgIG8gQWJpbGl0eSB0byBwcm90ZWN0IHRoZSBpZGVudGl0eSBvZiB0aGUgUmVj ZWl2ZXIgd2l0aGluIHRoZSANCiAgICAgICAgICBNUEVHLTIgdHJhbnNtaXNzaW9uIG5ldHdvcmsu IA0KDQogICAgICAgbyBFZmZpY2llbnQgcHJvdGVjdGlvbiBvZiBJUCBtdWx0aWNhc3Qgb3ZlciBV TEUgbGlua3MuIA0KDQogICAgICAgbyBUcmFuc3BhcmVuY3kgdG8gdGhlIHVzZSBvZiBOZXR3b3Jr IEFkZHJlc3MgVHJhbnNsYXRpb24gKE5BVHMpIA0KICAgICAgICAgIFsxMl0gYW5kIFRDUCBQZXJm b3JtYW5jZSBFbmhhbmNpbmcgUHJveGllcyAoUEVQKSBbMTRdLCB3aGljaCANCiAgICAgICAgICBy ZXF1aXJlIHRoZSBhYmlsaXR5IHRvIGluc3BlY3QgYW5kIG1vZGlmeSB0aGUgcGFja2V0cyBzZW50 IA0KICAgICAgICAgIG92ZXIgdGhlIFVMRSBsaW5rLiANCg0KICAgICAgIG8gVGhpcyBtZXRob2Qg ZG9lcyBub3QgcHJlY2x1ZGUgdGhlIHVzZSBvZiBJUHNlYy4gSVBzZWMgYWxzbyANCiAgICAgICAg ICBwcm92aWRlcyBhIHByb3ZlbiBzZWN1cml0eSBhcmNoaXRlY3R1cmUgZGVmaW5pbmcga2V5IGV4 Y2hhbmdlIA0KICAgICAgICAgIG1lY2hhbmlzbXMgYW5kIHRoZSBhYmlsaXR5IHRvIHVzZSBhIHJh bmdlIG9mIGNyeXB0b2dyYXBoaWMgDQogICAgICAgICAgYWxnb3JpdGhtcy4gVUxFIHNlY3VyaXR5 IGNhbiBtYWtlIHVzZSBvZiB0aGVzZSBtZWNoYW5pc21zIGFuZCANCiAgICAgICAgICBhbGdvcml0 aG1zLiAgDQoNCiAgICAgICBJbiBzb21lIGN1cnJlbnQgZW5jYXBzdWxhdGlvbiBtZXRob2RzLCBl LmcuIE1QRSBbNF0sIGVuY3J5cHRpb24gDQogICAgICAgb2YgdGhlIE1BQyBhZGRyZXNzIHJlcXVp cmVzIGVhY2ggUmVjZWl2ZXIgdG8gZGVjcnlwdCBhbGwgDQogICAgICAgZW5jcnlwdGVkIGRhdGEg c2VudCB1c2luZyBhIFRTIExvZ2ljYWwgQ2hhbm5lbCAoUElEKSwgYmVmb3JlIGl0IA0KICAgICAg IGNhbiB0aGVuIGZpbHRlciB0aGUgUERVcyB0aGF0IG1hdGNoIHRoZSBzZXQgb2YgTUFDL05QQSBh ZGRyZXNzZXMgDQogICAgICAgdGhhdCB0aGUgUmVjZWl2ZXIgd2lzaGVzIHRvIHJlY2VpdmUsIHRo ZXJlZm9yZSBlbmNyeXB0aW9uIG9mIHRoZSANCiAgICAgICBNUEUgTUFDIGFkZHJlc3MgaXMgbm90 IHBlcm1pdHRlZCBpbiBzdWNoIHN5c3RlbXMuIEZvciBVTEUgDQogICAgICAgc2VjdXJpdHksIHN1 cHBvcnQgZm9yIExheWVyIDIgTUFDL05QQSBhZGRyZXNzIGhpZGluZyBzaG91bGQgYmUgDQogICAg ICAgcHJvdmlkZWQuIA0KDQogICAgICAgRXhhbWluaW5nIHRoZSB0aHJlYXQgYW5hbHlzaXMgaW4g c2VjdGlvbiAyLCBoYXMgc2hvd24gdGhhdCANCiAgICAgICBwcm90ZWN0aW9uIG9mIFVMRSBsaW5r IGZyb20gZWF2ZXNkcm9wcGluZyBhbmQgVUxFIFJlY2VpdmVyIA0KICAgICAgIGlkZW50aXR5IGhp ZGluZyBhcmUgbWFqb3IgcmVxdWlyZW1lbnRzLiBTdWNoIHJlcXVpcmVtZW50cyBjYW4gYmUgDQog ICAgICAgbWV0IHVzaW5nIFVMRSBsaW5rIGVuY3J5cHRpb24uIA0KDQogICAgICAgSW4gdGhlIGNv bnRleHQgb2YgYWN0aXZlIHRocmVhdHMgaW4gTVBFRy0yIHRyYW5zbWlzc2lvbiBuZXR3b3Jrcywg DQogICAgICAgVUxFIHNvdXJjZSBhdXRoZW50aWNhdGlvbiBpcyByZXF1aXJlZCBieSB0aGUgVUxF IFJlY2VpdmVycy4gDQogICAgICAgQXR0YWNrcyBzdWNoIGFzIG1hc3F1ZXJhZGluZywgbW9kaWZp Y2F0aW9uIG9mIG1lc3NhZ2VzIGFuZCANCiAgICAgICBpbmplY3RpbmcgSVAgcGFja2V0cyBhcmUg bW9yZSBkaWZmaWN1bHQuIEhvd2V2ZXIsIHN1Y2ggYXR0YWNrcyBvbiANCiAgICAgICBpbmRpdmlk dWFsIFVMRSBSZWNlaXZlcnMgYXJlIHBvc3NpYmxlLCBhbmQgY2FuIHBhc3MgdW5ub3RpY2VkIGJ5 IA0KICAgICAgIHRoZSBVTEUgbmV0d29yayBvcGVyYXRvcnMgb3IgSVNQcy4gVGhlcmVmb3JlIHVz aW5nIEhNQUNzIGlzIG9uZSANCiAgICAgICBwb3NzaWJpbGl0eSB3aGljaCBhbiBhc3NvY2lhdGVk IG92ZXJoZWFkcyBwZXIgVUxFIHBhY2tldHMuIA0KICAgICAgIEFub3RoZXIgcG9zc2liaWxpdHkg aXMgdG8gdXNlIGxpZ2h0d2VpZ2h0IGRhdGEgaW50ZWdyaXR5IG1ldGhvZHMgDQogICAgICAgb3Ig cHJvY2VkdXJlcyBjYW4gYmUgcHJvdmlkZWQgYnkgdGhlIFVMRSBzZWN1cml0eSBzeXN0ZW0uIElu IA0KICAgICAgIGFkZGl0aW9uIHNlcXVlbmNlIG51bWJlcnMgY2FuIHByb3ZpZGUgcHJvdGVjdGlv biBhZ2FpbnN0IHJlcGxheSANCiAgICAgICBhdHRhY2tzLiANCg0KICAgIDYuIFN1bW1hcnkgDQoN CiAgICAgICBUaGlzIGRvY3VtZW50IGFuYWx5c2VzIGEgc2V0IG9mIHRocmVhdHMgYW5kIHNlY3Vy aXR5IA0KICAgICAgIHJlcXVpcmVtZW50cy4gSXQgYWxzbyBkZWZpbmVzIHRoZSByZXF1aXJlbWVu dHMgZm9yIFVMRSBzZWN1cml0eSANCiAgICAgICBhbmQgc3RhdGVzIHRoZSBtb3RpdmF0aW9uIGZv ciBsaW5rIHNlY3VyaXR5IGFzIGEgcGFydCBvZiB0aGUgDQogICAgIA0KICAgICANCiAgICBDcnVp Y2tzaGFuayAgICAgICAgICAgRXhwaXJlcyBEZWNlbWJlciAxNSwgMjAwNiAgICAgICAgICAgW1Bh Z2UgMTJdIA0KICAgICAgICANCgwgICAgSW50ZXJuZXQtRHJhZnQgICAgICAgICBTZWN1cml0eSBS ZXF1aXJlbWVudHMgZm9yIFVMRSAgICAgIEp1bmUgMjAwNiANCiAgICAgICAgDQoNCiAgICAgICBF bmNhcHN1bGF0aW9uIGxheWVyLiBJbiBzdW1tYXJ5LCB0aGVyZSBpcyBhIHN0cm9uZyBuZWVkIGZv ciBMMiANCiAgICAgICBlbmNyeXB0aW9uIGFuZCBVTEUgUmVjZWl2ZXIgaWRlbnRpdHkgaGlkaW5n LiANCg0KICAgICAgIFRoZXJlIGlzIGFuIGFkZGl0aW9uIG5lZWQgKG9wdGlvbmFsKSBmb3IgTDIg c291cmNlIGF1dGhlbnRpY2F0aW9uIA0KICAgICAgIGFuZCBwcm90ZWN0aW9uIGFnYWluc3QgaW5z ZXJ0aW9uIG9mIG90aGVyIGRhdGEgaW50byB0aGUgVUxFIA0KICAgICAgIHN0cmVhbSAoaS5lLiBk YXRhIGludGVncml0eSkuIFRoaXMgaXMgb3B0aW9uYWwgYmVjYXVzZSBvZiB0aGUgDQogICAgICAg YXNzb2NpYXRlZCBvdmVyaGVhZHMgZm9yIHRoZSBleHRyYSBmZWF0dXJlcyBhbmQgdGhleSBhcmUg b25seSANCiAgICAgICByZXF1aXJlZCBmb3Igc3BlY2lmaWMgc2VydmljZSBjYXNlcy4gDQoNCiAg ICA3LiBTZWN1cml0eSBDb25zaWRlcmF0aW9ucyANCg0KICAgICAgIExpbmstbGV2ZWwgKEwyKSBl bmNyeXB0aW9uIG9mIElQIHRyYWZmaWMgaXMgY29tbW9ubHkgdXNlZCBpbiANCiAgICAgICBicm9h ZGNhc3QvcmFkaW8gbGlua3MgdG8gc3VwcGxlbWVudCBFbmQtdG8tRW5kIHNlY3VyaXR5IChlLmcu IA0KICAgICAgIHByb3ZpZGVkIGJ5IFRMUywgU1NILCBPcGVuIFBHUCwgUy9NSU1FLCBJUHNlYyku IEEgY29tbW9uIA0KICAgICAgIG9iamVjdGl2ZSBpcyB0byBwcm92aWRlIHRoZSBzYW1lIGxldmVs IG9mIHByaXZhY3kgYXMgd2lyZWQgbGlua3MuIA0KICAgICAgIEFuIElTUCBvciBVc2VyIG1heSBh bHNvIHdpc2ggdG8gcHJvdmlkZSBlbmQtdG8tZW5kIHNlY3VyaXR5IA0KICAgICAgIHNlcnZpY2Vz IHRvIHRoZSBlbmQtdXNlcnMgKGJhc2VkIG9uIHRoZSB3ZWxsIGtub3duIG1lY2hhbmlzbXMgDQog ICAgICAgc3VjaCBhcyBJUHNlYykuIA0KDQogICAgICAgVGhpcyBkb2N1bWVudCBwcm92aWRlcyBh IHRocmVhdCBhbmFseXNpcyBhbmQgZGVyaXZlcyB0aGUgc2VjdXJpdHkgDQogICAgICAgcmVxdWly ZW1lbnRzIHRvIHByb3ZpZGUgb3B0aW9uYWwgbGluayBlbmNyeXB0aW9uIGFuZCBsaW5rLWxldmVs IA0KICAgICAgIGludGVncml0eSAvIGF1dGhlbnRpY2F0aW9uIG9mIHRoZSBTTkRVIHBheWxvYWQu IA0KDQogICAgOC4gSUFOQSBDb25zaWRlcmF0aW9ucyANCg0KICAgICAgIFRoaXMgZG9jdW1lbnQg ZG9lcyBub3QgZGVmaW5lIGFueSBwcm90b2NvbCBhbmQgZG9lcyBub3QgcmVxdWlyZSANCiAgICAg ICBhbnkgSUFOQSBhc3NpZ25tZW50cy4gDQoNCiAgICA5LiBBY2tub3dsZWRnbWVudHMgDQoNCiAg ICAgICBUaGUgYXV0aG9ycyBhY2tub3dsZWRnZSB0aGUgaGVscCBhbmQgYWR2aWNlIGZyb20gR29y cnkgRmFpcmh1cnN0IA0KICAgICAgIChVbml2ZXJzaXR5IG9mIEFiZXJkZWVuKSwgU3RlcGhhbmUg Q29vbWJlcyAoRVNBKSBhbmQgWS5GLiBIdSANCiAgICAgICAoVW5pdmVyc2l0eSBvZiBCcmFkZm9y ZCkgaW4gdGhlIHByZXBhcmF0aW9uIG9mIHRoaXMgZHJhZnQuIA0KDQoNCg0KDQoNCg0KDQoNCg0K DQoNCg0KDQogICAgIA0KICAgICANCiAgICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhwaXJlcyBE ZWNlbWJlciAxNSwgMjAwNiAgICAgICAgICAgW1BhZ2UgMTNdIA0KICAgICAgICANCgwgICAgSW50 ZXJuZXQtRHJhZnQgICAgICAgICBTZWN1cml0eSBSZXF1aXJlbWVudHMgZm9yIFVMRSAgICAgIEp1 bmUgMjAwNiANCiAgICAgICAgDQoNCiAgICAxMC4gUmVmZXJlbmNlcyANCg0KICAgIDEwLjEuIE5v cm1hdGl2ZSBSZWZlcmVuY2VzIA0KDQogICAgICAgWzFdICBCcmFkbmVyLCBTLiwgIktleSBXb3Jk cyBmb3IgVXNlIGluIFJGQ3MgdG8gSW5kaWNhdGUgDQogICAgICAgICAgICAgUmVxdWlyZW1lbnQg TGV2ZWxzIiwgQkNQIDE0LCBSRkMgMjExOSwgTWFyY2ggMTk5Ny4gDQoNCiAgICAgICBbMl0gIE1v bnRwZXRpdCwgTS4tSi4sIEZhaXJodXJzdCwgRy4sIENsYXVzZW4sIEguLCANCiAgICAgICAgICAg ICBDb2xsaW5pLU5vY2tlciwgQi4sIGFuZCBILiBMaW5kZXIsICJBIEZyYW1ld29yayBmb3IgDQog ICAgICAgICAgICAgVHJhbnNtaXNzaW9uIG9mIElQIERhdGFncmFtcyBvdmVyIE1QRUctMiBOZXR3 b3JrcyIsIA0KICAgICAgICAgICAgIFJGQyA0MjU5LCBOb3ZlbWJlciAyMDA1Lg0KDQogICAgICAg WzNdICBGYWlyaHVyc3QsIEcuIGFuZCBCLiBDb2xsaW5pLU5vY2tlciwgIlVuaWRpcmVjdGlvbmFs DQogICAgICAgICAgICAgTGlnaHR3ZWlnaHQgRW5jYXBzdWxhdGlvbiAoVUxFKSBmb3IgVHJhbnNt aXNzaW9uIG9mIElQIA0KICAgICAgICAgICAgIERhdGFncmFtcyBvdmVyIGFuIE1QRUctMiBUcmFu c3BvcnQgU3RyZWFtIChUUykiLCBSRkMgNDMyNiwgDQogICAgICAgICAgICAgRGVjZW1iZXIgMjAw NS4NCg0KICAgICAgIFs0XSAgRU4gMzAxIDE5MiwgIkRpZ2l0YWwgVmlkZW8gQnJvYWRjYXN0aW5n IChEVkIpOyBEVkIgDQogICAgICAgICAgICAgU3BlY2lmaWNhdGlvbnMgZm9yIERhdGEgQnJvYWRj YXN0aW5nIiwgRXVyb3BlYW4gDQogICAgICAgICAgICAgVGVsZWNvbW11bmljYXRpb25zIFN0YW5k YXJkcyBJbnN0aXR1dGUgKEVUU0kpLiANCg0KICAgIDEwLjIuIEluZm9ybWF0aXZlIFJlZmVyZW5j ZXMgDQoNCiAgICAgICBbNV0gIEJlbGxvdmluLCBTLiwgIlByb2JsZW0gQXJlYSBmb3IgdGhlIElQ IFNlY3VyaXR5IHByb3RvY29scyIsIA0KICAgICAgICAgICAgIENvbXB1dGVyIENvbW11bmljYXRp b25zIFJldmlldyAyOjE5LCBwcC4gMzItNDgsIEFwcmlsIDk4OS4gDQogICAgICAgICAgICAgaHR0 cDovL3d3dy5jcy5jb2x1bWJpYS5lZHUvfnNtYi8gIA0KDQogICAgICAgWzZdICAiRGlnaXRhbCBW aWRlbyBCcm9hZGNhc3RpbmcgKERWQikgLS0gaW50ZXJhY3Rpb24gY2hhbm5lbCANCiAgICAgICAg ICAgICBmb3Igc2F0ZWxsaXRlIGRpc3RyaWJ1dGlvbiBzeXN0ZW1zIiwgRVRTSSBFTiAzMDEgNzkw IFYxLjQuMSANCiAgICAgICAgICAgICAoMjAwNS0wNCkgICANCg0KICAgICAgIFs3XSAgaHR0cDov L3d3dy5pZXRmLm9yZy9odG1sLmNoYXJ0ZXJzL3dnLQ0KICAgICAgICAgICAgIGRpci5odG1sI1Nl Y3VyaXR5JTIwQXJlYS4gUkZDcyAyNDAxLCAyNDAyIGFuZCAyNDA2ICAgDQoNCiAgICAgICBbOF0g IGh0dHA6Ly93d3cuaWV0Zi5vcmcvaHRtbC5jaGFydGVycy9tc2VjLWNoYXJ0ZXIuaHRtbCAgIA0K DQogICAgICAgWzldICBIIEhhcm5leSAoU1BBUlRBKSwgZXQgYWwsICJHU0FLTVA6IEdyb3VwIFNl Y3VyZSBBc3NvY2lhdGlvbiANCiAgICAgICAgICAgICBHcm91cCBNYW5hZ2VtZW50IFByb3RvY29s IiwgPGRyYWZ0LWlldGYtbXNlYy1nc2FrbXAtc2VjLQ0KICAgICAgICAgICAgIDEwLnR4dD4sIElF VEYgV29yayBpbiBQcm9ncmVzcy4gICANCg0KICAgICAgIFsxMF0gTS4gQmF1Z2hlciwgZXQgYWws ICJHRE9JOiBUaGUgR3JvdXAgRG9tYWluIG9mIA0KICAgICAgICAgICAgIEludGVycHJldGF0aW9u IiwgUkZDIDM1NDcuICAgDQoNCiAgICAgICBbMTFdIFdlaXMgQi4sIGV0IGFsLCAiTXVsdGljYXN0 IEV4dGVuc2lvbnMgdG8gdGhlIFNlY3VyaXR5IA0KICAgICAgICAgICAgIEFyY2hpdGVjdHVyZSBm b3IgdGhlIEludGVybmV0IiwgPGRyYWZ0LWlldGYtbXNlYy1pcHNlYy0NCiAgICAgICAgICAgICBl eHRlbnNpb25zLTAxLnR4dD4sIElFVEYgV29yayBpbiBQcm9ncmVzcy4gICANCg0KICAgICANCiAg ICAgDQogICAgQ3J1aWNrc2hhbmsgICAgICAgICAgIEV4cGlyZXMgRGVjZW1iZXIgMTUsIDIwMDYg ICAgICAgICAgIFtQYWdlIDE0XSANCiAgICAgICAgDQoMICAgIEludGVybmV0LURyYWZ0ICAgICAg ICAgU2VjdXJpdHkgUmVxdWlyZW1lbnRzIGZvciBVTEUgICAgICBKdW5lIDIwMDYgDQogICAgICAg IA0KDQogICAgICAgWzEyXSBCLiBBYm9iYSBhbmQgVyBEaXhzb24sICJJUHNlYy1OZXR3b3JrIEFk ZHJlc3MgVHJhbnNsYXRpb24gDQogICAgICAgICAgICAgKE5BVCkgQ29tcGF0aWJpbGl0eSBSZXF1 aXJlbWVudHMiICAgDQoNCiAgICAgICBbMTNdIGh0dHA6Ly93d3cuaWV0Zi5vcmcvaHRtbC5jaGFy dGVycy90bHMtY2hhcnRlci5odG1sICAgDQoNCiAgICAgICBbMTRdIEJvcmRlciwgSi4sIEtvam8s IE0uLCBHcmluZXIsIEouLCBNb250ZW5lZ3JvLCBHLiwgYW5kIFouIA0KICAgICAgICAgICAgIFNo ZWxieSwgIlBlcmZvcm1hbmNlIEVuaGFuY2luZyBQcm94aWVzIEludGVuZGVkIHRvIE1pdGlnYXRl IA0KICAgICAgICAgICAgIExpbmstUmVsYXRlZCBEZWdyYWRhdGlvbnMiLCBSRkMgMzEzNSwgSnVu ZSAyMDAxLiAgIA0KDQogICAgICAgWzE1XSBLZW50LCBTLiBhbmQgU2VvIEsuLCAiU2VjdXJpdHkg QXJjaGl0ZWN0dXJlIGZvciB0aGUgDQogICAgICAgICAgICAgSW50ZXJuZXQgUHJvdG9jb2wiLCBS RkMgNDMwMSwgRGVjZW1iZXIgMjAwNi4gICANCg0KICAgICAgIFsxNl0gS2FybiwgUC4sIEJvcm1h bm4sIEMuLCBGYWlyaHVyc3QsIEcuLCBHcm9zc21hbiwgRC4sIEx1ZHdpZywgDQogICAgICAgICAg ICAgUi4sIE1haGRhdmksIEouLCBNb250ZW5lZ3JvLCBHLiwgVG91Y2gsIEouLCBhbmQgTC4gV29v ZCwgDQogICAgICAgICAgICAgIkFkdmljZSBmb3IgSW50ZXJuZXQgU3VibmV0d29yayBEZXNpZ25l cnMiLCBCQ1AgODksIFJGQyANCiAgICAgICAgICAgICAzODE5LCBKdWx5IDIwMDQuIA0KDQogICAg QXV0aG9yJ3MgQWRkcmVzc2VzIA0KDQogICAgICAgSGFpdGhhbSBDcnVpY2tzaGFuayAgICANCiAg ICAgICBDZW50cmUgZm9yIENvbW11bmljYXRpb25zIFN5c3RlbSBSZXNlYXJjaCAoQ0NTUikgICAg DQogICAgICAgVW5pdmVyc2l0eSBvZiBTdXJyZXkgICANCiAgICAgICBHdWlsZGZvcmQsIFN1cnJl eSwgR1UyIDdYSCAgICANCiAgICAgICBVSyAgICANCiAgICAgICBFbWFpbDogaC5jcnVpY2tzaGFu a0BzdXJyZXkuYWMudWsgICAgDQogICAgICAgICANCiAgICAgICBTdW5pbCBJeWVuZ2FyICAgIA0K ICAgICAgIENlbnRyZSBmb3IgQ29tbXVuaWNhdGlvbnMgU3lzdGVtIFJlc2VhcmNoIChDQ1NSKSAg ICANCiAgICAgICBVbml2ZXJzaXR5IG9mIFN1cnJleSAgIA0KICAgICAgIEd1aWxkZm9yZCwgU3Vy cmV5LCBHVTIgN1hIICAgIA0KICAgICAgIFVLICAgIA0KICAgICAgIEVtYWlsOiBTLkl5ZW5nYXJA c3VycmV5LmFjLnVrICAgIA0KICAgICAgICAgDQogICAgICAgTGF1cmVuY2UgRHVxdWVycm95ICAg IA0KICAgICAgIFJlc2VhcmNoIERlcGFydG1lbnQvQWR2YW5jZWQgVGVsZWNvbSBTYXRlbGxpdGUg U3lzdGVtcyAgIA0KICAgICAgIEFsY2F0ZWwgU3BhY2UsIFRvdWxvdXNlICAgDQogICAgICAgRnJh bmNlICAgDQogICAgICAgRS1NYWlsOiBMYXVyZW5jZS5EdXF1ZXJyb3lAc3BhY2UuYWxjYXRlbC5m ciANCiAgICAgICAgDQogICAgICAgUHJhc2hhbnQgUGlsbGFpICAgIA0KICAgICAgIE1vYmlsZSBh bmQgU2F0ZWxsaXRlIENvbW11bmljYXRpb25zIFJlc2VhcmNoIENlbnRyZSANCiAgICAgICBTY2hv b2wgb2YgRW5naW5lZXJpbmcsIERlc2lnbiBhbmQgVGVjaG5vbG9neSANCiAgICAgICBVbml2ZXJz aXR5IG9mIEJyYWRmb3JkICAgDQogICAgICAgUmljaG1vbmQgUm9hZCwgQnJhZGZvcmQgQkQ3IDFE UCAgICANCiAgICAgICBVSyAgICANCiAgICAgICBFbWFpbDogUC5QaWxsYWlAYnJhZGZvcmQuYWMu dWsgDQogICAgICAgIA0KICAgICANCiAgICAgDQogICAgQ3J1aWNrc2hhbmsgICAgICAgICAgIEV4 cGlyZXMgRGVjZW1iZXIgMTUsIDIwMDYgICAgICAgICAgIFtQYWdlIDE1XSANCiAgICAgICAgDQoM ICAgIEludGVybmV0LURyYWZ0ICAgICAgICAgU2VjdXJpdHkgUmVxdWlyZW1lbnRzIGZvciBVTEUg ICAgICBKdW5lIDIwMDYgDQogICAgICAgIA0KDQogICAgSW50ZWxsZWN0dWFsIFByb3BlcnR5IFN0 YXRlbWVudCANCg0KICAgICAgIFRoZSBJRVRGIHRha2VzIG5vIHBvc2l0aW9uIHJlZ2FyZGluZyB0 aGUgdmFsaWRpdHkgb3Igc2NvcGUgb2YgYW55IA0KICAgICAgIEludGVsbGVjdHVhbCBQcm9wZXJ0 eSBSaWdodHMgb3Igb3RoZXIgcmlnaHRzIHRoYXQgbWlnaHQgYmUgDQogICAgICAgY2xhaW1lZCB0 byBwZXJ0YWluIHRvIHRoZSBpbXBsZW1lbnRhdGlvbiBvciB1c2Ugb2YgdGhlIHRlY2hub2xvZ3kg DQogICAgICAgZGVzY3JpYmVkIGluIHRoaXMgZG9jdW1lbnQgb3IgdGhlIGV4dGVudCB0byB3aGlj aCBhbnkgbGljZW5zZSANCiAgICAgICB1bmRlciBzdWNoIHJpZ2h0cyBtaWdodCBvciBtaWdodCBu b3QgYmUgYXZhaWxhYmxlOyBub3IgZG9lcyBpdCANCiAgICAgICByZXByZXNlbnQgdGhhdCBpdCBo YXMgbWFkZSBhbnkgaW5kZXBlbmRlbnQgZWZmb3J0IHRvIGlkZW50aWZ5IGFueSANCiAgICAgICBz dWNoIHJpZ2h0cy4gIEluZm9ybWF0aW9uIG9uIHRoZSBwcm9jZWR1cmVzIHdpdGggcmVzcGVjdCB0 byANCiAgICAgICByaWdodHMgaW4gUkZDIGRvY3VtZW50cyBjYW4gYmUgZm91bmQgaW4gQkNQIDc4 IGFuZCBCQ1AgNzkuIA0KDQogICAgICAgQ29waWVzIG9mIElQUiBkaXNjbG9zdXJlcyBtYWRlIHRv IHRoZSBJRVRGIFNlY3JldGFyaWF0IGFuZCBhbnkgDQogICAgICAgYXNzdXJhbmNlcyBvZiBsaWNl bnNlcyB0byBiZSBtYWRlIGF2YWlsYWJsZSwgb3IgdGhlIHJlc3VsdCBvZiBhbiANCiAgICAgICBh dHRlbXB0IG1hZGUgdG8gb2J0YWluIGEgZ2VuZXJhbCBsaWNlbnNlIG9yIHBlcm1pc3Npb24gZm9y IHRoZSANCiAgICAgICB1c2Ugb2Ygc3VjaCBwcm9wcmlldGFyeSByaWdodHMgYnkgaW1wbGVtZW50 ZXJzIG9yIHVzZXJzIG9mIHRoaXMgDQogICAgICAgc3BlY2lmaWNhdGlvbiBjYW4gYmUgb2J0YWlu ZWQgZnJvbSB0aGUgSUVURiBvbi1saW5lIElQUiANCiAgICAgICByZXBvc2l0b3J5IGF0IGh0dHA6 Ly93d3cuaWV0Zi5vcmcvaXByLiANCg0KICAgICAgIFRoZSBJRVRGIGludml0ZXMgYW55IGludGVy ZXN0ZWQgcGFydHkgdG8gYnJpbmcgdG8gaXRzIGF0dGVudGlvbiANCiAgICAgICBhbnkgY29weXJp Z2h0cywgcGF0ZW50cyBvciBwYXRlbnQgYXBwbGljYXRpb25zLCBvciBvdGhlciANCiAgICAgICBw cm9wcmlldGFyeSByaWdodHMgdGhhdCBtYXkgY292ZXIgdGVjaG5vbG9neSB0aGF0IG1heSBiZSBy ZXF1aXJlZCANCiAgICAgICB0byBpbXBsZW1lbnQgdGhpcyBzdGFuZGFyZC4gIFBsZWFzZSBhZGRy ZXNzIHRoZSBpbmZvcm1hdGlvbiB0byANCiAgICAgICB0aGUgSUVURiBhdCBpZXRmLWlwckBpZXRm Lm9yZy4gDQoNCiAgICBEaXNjbGFpbWVyIG9mIFZhbGlkaXR5IA0KDQogICAgICAgVGhpcyBkb2N1 bWVudCBhbmQgdGhlIGluZm9ybWF0aW9uIGNvbnRhaW5lZCBoZXJlaW4gYXJlIHByb3ZpZGVkIA0K ICAgICAgIG9uIGFuICJBUyBJUyIgYmFzaXMgYW5kIFRIRSBDT05UUklCVVRPUiwgVEhFIE9SR0FO SVpBVElPTiBIRS9TSEUgDQogICAgICAgUkVQUkVTRU5UUyBPUiBJUyBTUE9OU09SRUQgQlkgKElG IEFOWSksIFRIRSBJTlRFUk5FVCBTT0NJRVRZIEFORCANCiAgICAgICBUSEUgSU5URVJORVQgRU5H SU5FRVJJTkcgVEFTSyBGT1JDRSBESVNDTEFJTSBBTEwgV0FSUkFOVElFUywgDQogICAgICAgRVhQ UkVTUyBPUiBJTVBMSUVELCBJTkNMVURJTkcgQlVUIE5PVCBMSU1JVEVEIFRPIEFOWSBXQVJSQU5U WSANCiAgICAgICBUSEFUIFRIRSBVU0UgT0YgVEhFIElORk9STUFUSU9OIEhFUkVJTiBXSUxMIE5P VCBJTkZSSU5HRSBBTlkgDQogICAgICAgUklHSFRTIE9SIEFOWSBJTVBMSUVEIFdBUlJBTlRJRVMg T0YgTUVSQ0hBTlRBQklMSVRZIE9SIEZJVE5FU1MgDQogICAgICAgRk9SIEEgUEFSVElDVUxBUiBQ VVJQT1NFLiANCg0KICAgIENvcHlyaWdodCBTdGF0ZW1lbnQgDQoNCiAgICAgICBDb3B5cmlnaHQg KEMpIFRoZSBJbnRlcm5ldCBTb2NpZXR5ICgyMDA2KS4gDQoNCiAgICAgICBUaGlzIGRvY3VtZW50 IGlzIHN1YmplY3QgdG8gdGhlIHJpZ2h0cywgbGljZW5zZXMgYW5kIHJlc3RyaWN0aW9ucyANCiAg ICAgICBjb250YWluZWQgaW4gQkNQIDc4LCBhbmQgZXhjZXB0IGFzIHNldCBmb3J0aCB0aGVyZWlu LCB0aGUgYXV0aG9ycyANCiAgICAgICByZXRhaW4gYWxsIHRoZWlyIHJpZ2h0cy4gDQoNCiAgICAg ICAgDQoNCg0KDQogICAgIA0KICAgICANCiAgICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhwaXJl cyBEZWNlbWJlciAxNSwgMjAwNiAgICAgICAgICAgW1BhZ2UgMTZdIA0KICAgICAgICANCgw= ------_=_NextPart_001_01C693B0.CD2DBB49-- From owner-ipdvb@erg.abdn.ac.uk Mon Jun 19 12:10:40 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FsMKm-0006di-0l for ipdvb-archive@ietf.org; Mon, 19 Jun 2006 12:10:40 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FsMKj-0008VT-I0 for ipdvb-archive@ietf.org; Mon, 19 Jun 2006 12:10:40 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5JG4tK3005777 for ; Mon, 19 Jun 2006 17:04:55 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5JG4t2H005776 for ipdvb-subscribed-users; Mon, 19 Jun 2006 17:04:55 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [139.133.207.159] (dhcp-207-159.erg.abdn.ac.uk [139.133.207.159]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5JG4m5h005755 for ; Mon, 19 Jun 2006 17:04:48 +0100 (BST) Message-ID: <4496CB25.4010508@erg.abdn.ac.uk> Date: Mon, 19 Jun 2006 17:04:53 +0100 From: Gorry Fairhurst Organization: University of Aberdeen, UK User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ipdvb@erg.abdn.ac.uk Subject: Draft Agenda for IETF-66 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.8 (--) X-Scan-Signature: 00e94c813bef7832af255170dca19e36 The draft Agenda for the next meeting is below. If you would like to request any additions or changes, please do contact the WG Chair at: gorry@erg.abdn.ac.uk An updated Agenda will be published at: https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66 Best wishes, Gorry ----- IP over DVB ipdvb WG Chair: Gorry Fairhurst gorry@erg.abdn.ac.uk jabber: ipdvb@ietf.xmpp.org 1. Agenda Bashing (10 minutes) - Chair * Agenda changes * Election of Scribe for Proceedings * Jabber Scribe 2. Document Status (5 minutes) - Chair * Updated milestones. * Documents in Last Call - None. * Documents in IESG Review - None. * Documents in RFC Editor Queue - None. * Published RFCs: http://www.ietf.org/rfc/rfc4259.txt (Informational) http://www.ietf.org/rfc/rfc4326.txt (Proposed Standard) 3. Address Resolution (10 minutes) - M-J Montpetit http://www.ietf.org/internet-drafts/draft-ietf-ipdvb-ar-04.txt * Revisions since last IETF * WGLC? 4. IPDVB Security Requirements (15 minutes) - Haitham Cruickshank http://www.ietf.org/internet-drafts/draft-cruickshank-ipdvb-sec-req-02.txt * Requirements and threat analysis. * Adopt as a WG I-D? 5. ULE Security Extension (10 minutes) - Prashant Pillai http://www.ietf.org/internet-drafts/draft-ppillai-ipdvb-sule-00.txt * Update on document. 6. ULE Security Extension (5 minutes) - Haitham Cruickshank http://www.ietf.org/internet-drafts/draft-cruickshank-ipdvb-sec-02.txt * Future directions for this draft. 7. DVB-S2 Encapsulation: GBS Activities (5 minutes) - Axel Jahn * Future directions for this draft. 8. IP Encapsulation for DVB-S.2 (10 minutes) - Juan Cantillo http://www.ietf.org/internet-drafts/draft-cantillo-ipdvb-s2encaps-03.txt * Requirements and scenarios. * Future directions for this draft. 9. ULE Extension Formats to support GSE (DVB-S.2) (10 minutes) - Gorry Fairhurst http://www.ietf.org/internet-drafts/draft-fairhurst-ipdvb-ule-ext-00.txt * Future directions for this draft. 10. ULE Implementation Status (10 minutes) - Chair/Various * Current status of implementations. Other related drafts: None Last WG meeting: 6-11 November 2005 WG Archive: http://www.erg.abdn.ac.uk/ipdvb/archive From owner-ipdvb@erg.abdn.ac.uk Wed Jun 21 08:53:14 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ft2Co-0001xP-J0 for ipdvb-archive@ietf.org; Wed, 21 Jun 2006 08:53:14 -0400 Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ft2Co-0000zN-Ha for ipdvb-archive@ietf.org; Wed, 21 Jun 2006 08:53:14 -0400 Received: from dee.erg.abdn.ac.uk ([139.133.204.82] helo=erg.abdn.ac.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Ft294-0004l0-QS for ipdvb-archive@ietf.org; Wed, 21 Jun 2006 08:49:23 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5LCeje5000077 for ; Wed, 21 Jun 2006 13:40:45 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5LCejVu000076 for ipdvb-subscribed-users; Wed, 21 Jun 2006 13:40:45 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [10.0.1.2] (maxp4.dialup.abdn.ac.uk [139.133.201.163]) (authenticated bits=0) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5LCW96l029120 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT); Wed, 21 Jun 2006 13:32:57 +0100 (BST) User-Agent: Microsoft-Entourage/11.2.3.060209 Date: Wed, 21 Jun 2006 11:07:23 +0100 Subject: Section 5.6.1: Use of IPv6 DAD with UDLR From: Gorry Fairhurst To: Tina Strauf CC: Bernhard Collini-Nocker , "ipdvb@erg.abdn.ac.uk" Message-ID: Thread-Topic: Section 5.6.1: Use of IPv6 DAD with UDLR Thread-Index: AcaVGn1Eu7HOOgENEduS6gAKlc/qXg== Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.4 (--) X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca Following the issues you raised on the use of DAD for Ipv6 when using UDLR, The authors propose adding the following amendment to the next rev of draft-ietf-ipdvb-ar-03.txt. Does this seem to capture the issues that you describe? - Comments please to the ipdvb mailing list. - Other comments welcome. Best wishes, Gorry Fairhurst. ---- * A new subsection will be added to the end of section 5.6: 5.6.1 Multicast/Broadcast addressing for UDLR UDLR is a layer 2 solution, in which a Receiver may send multicast/broadcast frames that are subsequently forwarded natively by a Feed Router (using the topology in figure 2), and are finally received at the feed interface of the originating Receiver. This multicast forwarding does not include the normal L3 Reverse Path Forwarding (RPF) check or L2 spanning tree checks, the processing of the IP Time To Live (TTL) field, or the filtering of administratively scoped multicast addresses. This raises a need to carefully consider multicast support [. RFC3077 notes that a Receiver needs to be configured to discard these received packets. When the encapsulation includes an NPA/MAC source address, such packets may be filtered at the link-layer using a filter that discards L2 addresses that are local to the Receiver. In some circumstances, systems can send packets with an unknown (all zero) MAC source address (e.g. IGMP Proxy Queriers [RFC-IGMP-Proxy]), where the source at L2 can not be determined at the Receiver, these packets need to be silently discarded, which may prevent running the associated services on the Receiver. Some encapsulations do not include an NPA/MAC source address (Table 2). Multicast packets may therefore alternatively be discarded at the IP layer if their IP source address matches a local IP address (or address range). Systems can send packets with an all zero IP source address (e.g. BOOTP [RFC951], DHCP [RFC2131] and ND [RFC2461]), where the source at L3 can not be determined at the Receiver these packets need to be silently discarded. This may prevent running the associated services at a Receiver, e.g. participation in IPv6 Duplicate Address Detection, or running a DHCP server. * Some other minor updates to other sections will also aim to make this issue clearer. From owner-ipdvb@erg.abdn.ac.uk Wed Jun 21 09:58:08 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ft3Dc-00017e-AK for ipdvb-archive@ietf.org; Wed, 21 Jun 2006 09:58:08 -0400 Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ft2Co-0000z2-UR for ipdvb-archive@ietf.org; Wed, 21 Jun 2006 08:53:14 -0400 Received: from dee.erg.abdn.ac.uk ([139.133.204.82] helo=erg.abdn.ac.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Ft26L-0004jI-8s for ipdvb-archive@ietf.org; Wed, 21 Jun 2006 08:46:34 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5LCb4cv029653 for ; Wed, 21 Jun 2006 13:37:04 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5LCb4AE029652 for ipdvb-subscribed-users; Wed, 21 Jun 2006 13:37:04 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [10.0.1.2] (maxp4.dialup.abdn.ac.uk [139.133.201.163]) (authenticated bits=0) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5LCakY6029626 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT) for ; Wed, 21 Jun 2006 13:36:52 +0100 (BST) User-Agent: Microsoft-Entourage/11.2.3.060209 Date: Wed, 21 Jun 2006 13:40:07 +0100 Subject: I-D ACTION:draft-fairhurst-ipdvb-ule-ext-00.txt From: Gorry Fairhurst To: "ipdvb@erg.abdn.ac.uk" Message-ID: Thread-Topic: I-D ACTION:draft-fairhurst-ipdvb-ule-ext-00.txt Thread-Index: AcaVL9NwEgvhMgEjEduS6gAKlc/qXg== Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.3 (--) X-Scan-Signature: 97adf591118a232206bdb5a27b217034 A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Extension Formats for the ULE Encapsulation to support the Generic Stream Encapsulation (GSE) Author(s) : G. Fairhurst Filename : draft-fairhurst-ipdvb-ule-ext-00.txt Pages : Date : 2006-6-20 This document describes a set of Extension Headers. For the Unidirectional Lightweight Encapsulation (ULE). The Extension Header formats defined in this document provide new extensions that are common extensions to both ULE and the Generic Stream Encapsulation (GSE) defined by the second generation framing structure DVB-S2 standard (Channel coding and modulation systems for Broadcasting, Interactive Services, News Gathering and other broadband satellite applications). A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-fairhurst-ipdvb-ule-ext-00.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-fairhurst-ipdvb-ule-ext-00.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt From owner-ipdvb@erg.abdn.ac.uk Wed Jun 21 10:52:02 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ft43m-00059l-Nx for ipdvb-archive@ietf.org; Wed, 21 Jun 2006 10:52:02 -0400 Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ft2Cp-0000zN-4l for ipdvb-archive@ietf.org; Wed, 21 Jun 2006 08:53:15 -0400 Received: from dee.erg.abdn.ac.uk ([139.133.204.82] helo=erg.abdn.ac.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Ft26C-0004j1-O8 for ipdvb-archive@ietf.org; Wed, 21 Jun 2006 08:46:26 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5LCc1Mr029713 for ; Wed, 21 Jun 2006 13:38:01 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5LCc1LQ029712 for ipdvb-subscribed-users; Wed, 21 Jun 2006 13:38:01 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [10.0.1.2] (maxp4.dialup.abdn.ac.uk [139.133.201.163]) (authenticated bits=0) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5LCbmAT029691 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT) for ; Wed, 21 Jun 2006 13:37:51 +0100 (BST) User-Agent: Microsoft-Entourage/11.2.3.060209 Date: Wed, 21 Jun 2006 13:41:09 +0100 Subject: I-D ACTION:draft-cruickshank-ipdvb-sec-req-02.txt From: Gorry Fairhurst To: "ipdvb@erg.abdn.ac.uk" Message-ID: Thread-Topic: I-D ACTION:draft-cruickshank-ipdvb-sec-req-02.txt Thread-Index: AcaVL/hkNtCGqAEjEduS6gAKlc/qXg== Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.3 (--) X-Scan-Signature: 82c9bddb247d9ba4471160a9a865a5f3 A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Security requirements for the Unidirectional Lightweight Encapsulation (ULE) protocol Author(s) : H. Cruickshank, et al. Filename : draft-cruickshank-ipdvb-sec-req-02.txt Pages : 16 Date : 2006-6-20 This document provides a threat analysis and derives security requirements for MPEG-2 transmission links using the Unidirectional Lightweight Encapsulation (ULE). It also provides the motivation for ULE link-level security. This work is intended as a work item of the ipdvb WG, and contributions are sought from the IETF on this topic. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-cruickshank-ipdvb-sec-req-02.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-cruickshank-ipdvb-sec-req-02.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv at ietf.org. In the body type: "FILE /internet-drafts/draft-cruickshank-ipdvb-sec-req-02.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. From owner-ipdvb@erg.abdn.ac.uk Thu Jun 22 10:45:38 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FtQR8-00048c-Bp for ipdvb-archive@ietf.org; Thu, 22 Jun 2006 10:45:38 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FtQR8-0003FL-0F for ipdvb-archive@ietf.org; Thu, 22 Jun 2006 10:45:38 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5MEZllA002101 for ; Thu, 22 Jun 2006 15:35:47 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5MEZlFP002100 for ipdvb-subscribed-users; Thu, 22 Jun 2006 15:35:47 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [139.133.207.159] (dhcp-207-159.erg.abdn.ac.uk [139.133.207.159]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5MEZ921002041; Thu, 22 Jun 2006 15:35:09 +0100 (BST) Message-ID: <449AAB0F.3060104@erg.abdn.ac.uk> Date: Thu, 22 Jun 2006 15:37:03 +0100 From: Gorry Fairhurst Organization: University of Aberdeen, UK User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 X-Accept-Language: en-us, en MIME-Version: 1.0 To: "H.Cruickshank" , ipdvb@erg.abdn.ac.uk, "S.Iyengar" , P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.8 (--) X-Scan-Signature: 1ac7cc0a4cd376402b85bc1961a86ac2 Haitham, I-D Authors, List, One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? Thanks, Gorry From owner-ipdvb@erg.abdn.ac.uk Thu Jun 22 15:37:14 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FtUzK-0007Uu-HY for ipdvb-archive@ietf.org; Thu, 22 Jun 2006 15:37:14 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FtUzI-0003Gg-UH for ipdvb-archive@ietf.org; Thu, 22 Jun 2006 15:37:14 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5MJ2sNs023797 for ; Thu, 22 Jun 2006 20:02:54 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5MJ2sie023796 for ipdvb-subscribed-users; Thu, 22 Jun 2006 20:02:54 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from nab.org (foxtrot.nab.org [209.116.240.194]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5MJ2hwH023772 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT); Thu, 22 Jun 2006 20:02:44 +0100 (BST) Received: from ([199.29.3.25]) by maildc2.nab.org with ESMTP id 4028857.11279279; Thu, 22 Jun 2006 15:02:28 -0400 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Subject: RE: Security-Requirements: alternatives? Date: Thu, 22 Jun 2006 15:02:27 -0400 Message-ID: <33CB4DEADE8C734CAF59FA0B47E14C1701792A1F@morse.NAB.ORG> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security-Requirements: alternatives? Thread-Index: AcaWCSTQqvFxBaMJR52aksYGDj5i3gAHCBCAAAIqs7A= From: "Allison, Art" To: , , , X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by erg.abdn.ac.uk id k5MJ2sbT023791 Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.0 (/) X-Scan-Signature: 8de5f93cb2b4e3bee75302e9eacc33db See below. _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Thursday, June 22, 2006 2:09 PM To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Gorry, This issue has been addressed in the security draft. Some text has been added to section 5.1 to this effect: Basically, in practice there are not many L2 security systems for MPEG transmission networks. Two major examples are: * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. * Some other L2 security systems are specified in standards such the MPE for DVB system . However, MPE security incomplete and there are no known implementations of such security system. * For DVB-S2 Generic Streams, where IP encapsulation could be similar to ULE. The authors believe that ULE security format can be used for Generic Streams as well. We would like to ask the ipdvb WG if anybody knows any other existing L2 security systems that might be suitable for ULE. AA> See ATSC A/70A for ULE when sent in conformance with ATSC Standards. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: 22 June 2006 15:37 To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? Haitham, I-D Authors, List, One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? Thanks, Gorry From owner-ipdvb@erg.abdn.ac.uk Thu Jun 22 15:59:43 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FtVL5-0003EA-BI for ipdvb-archive@ietf.org; Thu, 22 Jun 2006 15:59:43 -0400 Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FtUJH-0000td-Dw for ipdvb-archive@ietf.org; Thu, 22 Jun 2006 14:53:47 -0400 Received: from dee.erg.abdn.ac.uk ([139.133.204.82] helo=erg.abdn.ac.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FtUA6-0001Ol-7x for ipdvb-archive@ietf.org; Thu, 22 Jun 2006 14:44:20 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5MI8jcC019820 for ; Thu, 22 Jun 2006 19:08:45 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5MI8jnp019819 for ipdvb-subscribed-users; Thu, 22 Jun 2006 19:08:45 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from ads40.surrey.ac.uk (ads40.surrey.ac.uk [131.227.102.140]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5MI8b7s019801; Thu, 22 Jun 2006 19:08:37 +0100 (BST) Received: from EVS-EC1-NODE1.surrey.ac.uk ([131.227.102.136]) by ads40.surrey.ac.uk with Microsoft SMTPSVC(6.0.3790.1830); Thu, 22 Jun 2006 19:08:32 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Security-Requirements: alternatives? Date: Thu, 22 Jun 2006 19:08:32 +0100 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security-Requirements: alternatives? Thread-Index: AcaWCSTQqvFxBaMJR52aksYGDj5i3gAHCBCA From: To: , , , X-OriginalArrivalTime: 22 Jun 2006 18:08:32.0674 (UTC) FILETIME=[DF596820:01C69626] X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by erg.abdn.ac.uk id k5MI8img019814 Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.6 (--) X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8 Hi Gorry, This issue has been addressed in the security draft. Some text has been added to section 5.1 to this effect: Basically, in practice there are not many L2 security systems for MPEG transmission networks. Two major examples are: * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. * Some other L2 security systems are specified in standards such the MPE for DVB system . However, MPE security incomplete and there are no known implementations of such security system. * For DVB-S2 Generic Streams, where IP encapsulation could be similar to ULE. The authors believe that ULE security format can be used for Generic Streams as well. We would like to ask the ipdvb WG if anybody knows any other existing L2 security systems that might be suitable for ULE. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: 22 June 2006 15:37 To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? Haitham, I-D Authors, List, One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? Thanks, Gorry From owner-ipdvb@erg.abdn.ac.uk Fri Jun 23 01:34:12 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FteJ2-0003sb-SK for ipdvb-archive@ietf.org; Fri, 23 Jun 2006 01:34:12 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FteJ1-0004u3-EG for ipdvb-archive@ietf.org; Fri, 23 Jun 2006 01:34:12 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5N5QMEg010298 for ; Fri, 23 Jun 2006 06:26:22 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5N5QMmr010297 for ipdvb-subscribed-users; Fri, 23 Jun 2006 06:26:22 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [10.0.1.2] (maxp28.dialup.abdn.ac.uk [139.133.201.187]) (authenticated bits=0) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5N5Q4va010266 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT) for ; Fri, 23 Jun 2006 06:26:09 +0100 (BST) User-Agent: Microsoft-Entourage/11.2.3.060209 Date: Fri, 23 Jun 2006 06:29:24 +0100 Subject: I-D ACTION:draft-ietf-ipdvb-ar-04.txt From: Gorry Fairhurst To: "ipdvb@erg.abdn.ac.uk" Message-ID: Thread-Topic: I-D ACTION:draft-ietf-ipdvb-ar-04.txt Thread-Index: AcaWhfyjO0bmRgJ5EduS6gAKlc/qXg== Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.4 (--) X-Scan-Signature: f607d15ccc2bc4eaf3ade8ffa8af02a0 ew Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP over DVB Working Group of the IETF. Title : Address Resolution Mechanisms for IP Datagrams over MPEG-2 Networks Author(s) : G. Fairhurst, M. Montpetit Filename : draft-ietf-ipdvb-ar-04.txt Date : 2006-6-22 This document describes the process of binding/associating IPv4/IPv6 addresses with MPEG-2 Transport Streams (TS). This procedure is known as Address Resolution (AR), or Neighbour Discovery (ND). Such address resolution complements the higher layer resource discovery tools that are used to advertise IP sessions. In MPEG-2 Networks, an IP address must be associated with a Packet ID (PID) value and a specific Transmission Multiplex. The document reviews current methods appropriate to a range of technologies (DVB, ATSC, DOCSIS, and variants). It also describes the interaction with well-known protocols for address management including DHCP, ARP, and the ND protocol, and provides guidance on usage. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ipdvb-ar-04.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipdvb-ar-04.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv at ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipdvb-ar-04.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. From owner-ipdvb@erg.abdn.ac.uk Fri Jun 23 10:26:32 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FtmcC-0004xu-7A for ipdvb-archive@ietf.org; Fri, 23 Jun 2006 10:26:32 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FtmcA-0001B8-JC for ipdvb-archive@ietf.org; Fri, 23 Jun 2006 10:26:32 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5NEJw8V022374 for ; Fri, 23 Jun 2006 15:19:58 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5NEJwT0022373 for ipdvb-subscribed-users; Fri, 23 Jun 2006 15:19:58 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from smail3.alcatel.fr (smail3.alcatel.fr [64.208.49.56]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5NEJjt2022351; Fri, 23 Jun 2006 15:19:45 +0100 (BST) Received: from vzmta01.netfr.alcatel.fr (vzmta01.netfr.alcatel.fr [155.132.182.220]) by smail3.alcatel.fr (ALCANET/NETFR) with ESMTP id k5NEJSFB013416; Fri, 23 Jun 2006 16:19:28 +0200 In-Reply-To: Importance: Low Subject: =?iso-8859-1?Q?R=E9f=2E_=3A_RE=3A_Security-Requirements=3A_alternatives?= =?iso-8859-1?Q?=3F?= To: ipdvb@erg.abdn.ac.uk Cc: gorry@erg.abdn.ac.uk, owner-ipdvb@erg.abdn.ac.uk, P.Pillai@Bradford.ac.uk, S.Iyengar@surrey.ac.uk X-Mailer: Lotus Notes Release 6.5.3 September 14, 2004 Message-ID: From: Laurence.Duquerroy@alcatelaleniaspace.com Date: Fri, 23 Jun 2006 16:18:29 +0200 X-MIMETrack: Serialize by Router on VZMTA01/ALCANET/ALCATEL-SPACE(Release 5.0.13a HF167|July 08, 2005) at 23/06/2006 16:19:30 MIME-Version: 1.0 Content-type: text/plain; charset=iso-8859-1 X-Alcanet-MTA-scanned-and-authorized: yes X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No X-MIME-Autoconverted: from quoted-printable to 8bit by erg.abdn.ac.uk id k5NEJrhX022368 Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by erg.abdn.ac.uk id k5NEJw8V022374 X-Spam-Score: 0.2 (/) X-Scan-Signature: d2b46e3b2dfbff2088e0b72a54104985 Hi, Just one remark in favour of ULE with regards to the other Layer 2 solutions for MPEG 2 transmission network: ULE is the only solution providing "Hiding of layer 2 MAC/NPA address". MPE does not provide it. Conditionnal Access (based on MPEG-2 TS scrambling) too : the destination MAC address is scrambled, however at reception , all receivers listening = to the same PID can see the MAC address of each packet (even it is not destined to them). This service is an important added value of ULE, particularly for militar= y systems. Regards, Laurence Duquerroy = =20 Pour : =20 Envoy=E9 par : = =20 owner-ipdvb@erg.a = =20 bdn.ac.uk = =20 cc : = =20 Objet : RE: Security-Req= uirements: alternatives? =20 22/06/2006 20:08 = =20 Veuillez r=E9pondre = =20 =E0 ipdvb = =20 = =20 Hi Gorry, This issue has been addressed in the security draft. Some text has been added to section 5.1 to this effect: Basically, in practice there are not many L2 security systems for MPEG transmission networks. Two major examples are: * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. * Some other L2 security systems are specified in standards such the MPE for DVB system . However, MPE security incomplete and there are no known implementations of such security system. * For DVB-S2 Generic Streams, where IP encapsulation could be similar to ULE. The authors believe that ULE security format can be used for Generic Streams as well. We would like to ask the ipdvb WG if anybody knows any other existing L2 security systems that might be suitable for ULE. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: 22 June 2006 15:37 To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? Haitham, I-D Authors, List, One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? Thanks, Gorry RT/ST Research Department / Advanced Telecom Satellite Systems Tel : 33 (0)5-34-35-63-06 / Fax : 33 (0)5-34-35-55-60 E-Mail : laurence.duquerroy@alcatelaleniaspace.com This message and any attachments (the "message") is intended solely for t= he addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partia= l, is prohibited except formal approval. The internet can not guarantee the integrity of this message. ALCATEL ALENIA SPACE (and its subsidiaries) shall (will) not therefore be liable for the message if modified. Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires et sont confidentiel= s. Si vous recevez ce message par erreur, merci de le detruire et d'en avert= ir immediatement l'expediteur. Toute utilisation de ce message non conforme = a sa destination, toute diffusion ou toute publication, totale ou partielle= , est interdite, sauf autorisation expresse. L'internet ne permettant pas d'assurer l'integrite de ce message, ALCATEL ALENIA SPACE (et ses filiale= s) decline(nt) toute responsabilite au titre de ce message, dans l'hypothese ou il aurait ete modifie. From owner-ipdvb@erg.abdn.ac.uk Sat Jun 24 04:39:18 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fu3fi-00047K-5r for ipdvb-archive@ietf.org; Sat, 24 Jun 2006 04:39:18 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fu3ff-0002UH-DA for ipdvb-archive@ietf.org; Sat, 24 Jun 2006 04:39:18 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5O8OP9t014146 for ; Sat, 24 Jun 2006 09:24:25 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5O8OPCQ014145 for ipdvb-subscribed-users; Sat, 24 Jun 2006 09:24:25 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from ads40.surrey.ac.uk (ads40.surrey.ac.uk [131.227.102.140]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5O8OGip014124 for ; Sat, 24 Jun 2006 09:24:16 +0100 (BST) Received: from EVS-EC1-NODE1.surrey.ac.uk ([131.227.102.136]) by ads40.surrey.ac.uk with Microsoft SMTPSVC(6.0.3790.1830); Sat, 24 Jun 2006 09:24:11 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C69767.91A542A3" Subject: FW: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (enclosed) Date: Sat, 24 Jun 2006 09:24:10 +0100 Message-ID: X-MS-Has-Attach: yes X-MS-TNEF-Correlator: Thread-Topic: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (enclosed) Thread-Index: AcaWnFonLma3I8cUQt2QxPhUWN3EFAAybClL From: To: X-OriginalArrivalTime: 24 Jun 2006 08:24:11.0248 (UTC) FILETIME=[91EFDF00:01C69767] X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.2 (/) X-Scan-Signature: 3adba28c47054ea827843deea22a7215 This is a multi-part message in MIME format. ------_=_NextPart_001_01C69767.91A542A3 Content-Type: multipart/alternative; boundary="----_=_NextPart_002_01C69767.91A542A3" ------_=_NextPart_002_01C69767.91A542A3 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Dear ipdvb WG, =20 Gorry has kindly submitted for our the Internet draft on security = extensions to ULE(version 2) . =20 This draft complements the ULE security requirements that was posted = recently. The main focus of the security extension is defining the = header format to carry secure data over ULE. =20 =20 We (the authors) feel this work fits well to the ipdvb current activity. = Many security related issues such as key management and security = algorithm are borrowed from existing work in IPsec and MSEC groups. The = main focus of this draft is the ULE header format for security. =20 Haitham =20 =20 ---- Dr. Haitham S. Cruickshank=20 Lecturer=20 Communications Centre for Communication Systems Research (CCSR)=20 School of Electronics, Computing and Mathematics=20 University of Surrey, Guildford, Surrey GU2 7XH, UK=20 =20 Tel: +44 1483 686007 (indirect 689844)=20 Fax: +44 1483 686011=20 e-mail: H.Cruickshank@surrey.ac.uk=20 http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=20 ________________________________ From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: Fri 23/06/2006 09:11 To: Internet-Drafts Administrator Cc: Cruickshank HS Dr (CCSR) Subject: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt = (enclosed) On behalf of the authors, I wish to submit the enclosed draft: Security Extension for Unidirectional Lightweight Encapsulation Protocol Best wishes, Gorry ------_=_NextPart_002_01C69767.91A542A3 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable =0A= =0A= =0A= =0A= =0A= =0A= New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt = (enclosed)=0A= =0A= =0A=
=0A=
Dear ipdvb =0A= WG,
=0A=
 
=0A=
Gorry has kindly submitted for our the Internet draft on = security =0A= extensions to ULE(version 2) .
=0A=
 
=0A=
This draft complements the ULE security requirements that = was =0A= posted recently.  The main focus of the security extension is = defining the =0A= header format to carry secure data over ULE. 
=0A=
 
=0A=
We (the authors) feel this work fits well to the = ipdvb current =0A= activity.  Many security related issues such as key management =0A= and security algorithm are borrowed from existing work in = IPsec and =0A= MSEC groups.  The main focus of this draft is the ULE header format = for =0A= security.
=0A=
 
=0A=
Haitham  
=0A=
 
=0A=
=0A=
=0A=
----
=0A=
Dr. Haitham S. =0A= Cruickshank
=0A=
Lecturer =0A=
=0A=
Communications =0A= Centre for Communication Systems Research (CCSR)
=0A=
School of =0A= Electronics, Computing and Mathematics
=0A=
University of =0A= Surrey, Guildford, =0A= Surrey GU2 7XH, =0A= UK
=0A=
 
=0A=
Tel: +44 1483 =0A= 686007 (indirect 689844)
=0A=
Fax: +44 1483 =0A= 686011
=0A=
e-mail: H.Cruickshank@surrey.ac.uk
=0A=
http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ =0A=
=0A=

=0A=
=0A= From: Gorry Fairhurst =0A= [mailto:gorry@erg.abdn.ac.uk]
Sent: Fri 23/06/2006 = 09:11
To: =0A= Internet-Drafts Administrator
Cc: Cruickshank HS Dr =0A= (CCSR)
Subject: New Internet Draft rev: =0A= draft-cruickshank-ipdvb-sec-02.txt (enclosed)

=0A=

=0A=

On behalf of the authors, I wish to submit the = enclosed =0A= draft:

Security Extension for Unidirectional Lightweight =0A= Encapsulation
Protocol = <draft-cruickshank-ipdvb-sec-02.txt>

Best =0A= wishes,

Gorry



=0A= =0A= =0A= ------_=_NextPart_002_01C69767.91A542A3-- ------_=_NextPart_001_01C69767.91A542A3 Content-Type: text/plain; x-mac-type=54455854; x-mac-creator=74657874; name="draft-cruickshank-ipdvb-sec-02.txt" Content-Transfer-Encoding: base64 Content-Description: draft-cruickshank-ipdvb-sec-02.txt Content-Disposition: attachment; filename="draft-cruickshank-ipdvb-sec-02.txt" DQoNCg0KDQoNCg0KDQoNCiAgICAgDQogICAgIA0KICAgICBJbnRlcm5ldCBFbmdpbmVlcmluZyBU YXNrIEZvcmNlICAgICAgICAgICAgICAgICAgICAgIEguIENydWlja3NoYW5rIA0KICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVW5pdmVyc2l0eSBvZiBTdXJy ZXksIFVLIA0KICAgICBJbnRlcm5ldCBEcmFmdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgUC4gUGlsbGFpIA0KICAgICBkcmFmdC1jcnVpY2tzaGFuay1pcGR2Yi1z ZWMtMDIudHh0ICAgICAgIFVuaXZlcnNpdHkgb2YgQnJhZGZvcmQsIFVLIA0KICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTLiBJeWVu Z2FyIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVW5p dmVyc2l0eSBPZiBTdXJyZXksIFVLIA0KICAgICBFeHBpcmVzOiBEZWNlbWJlciAyMDA2ICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgTC4gRHVxdWVycm95IA0KICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBbGNhdGVsIEFsZW5pYSBTcGFjZSwgRnJhbmNl IA0KICAgICBDYXRlZ29yeTogSW50ZXJuZXQgRHJhZnQgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICBKdW5lIDIyLCAyMDA2IA0KICAgICANCiAgICAgDQogICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgDQogICAgICAgIFNlY3VyaXR5IEV4dGVuc2lvbiBmb3IgVW5pZGly ZWN0aW9uYWwgTGlnaHR3ZWlnaHQgRW5jYXBzdWxhdGlvbiANCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgUHJvdG9jb2wgDQogICAgICAgICAgICAgICAgICAgICAgZHJhZnQtY3J1 aWNrc2hhbmstaXBkdmItc2VjLTAyLnR4dCANCg0KDQogICAgU3RhdHVzIG9mIHRoaXMgRHJhZnQg DQoNCiAgICAgICBCeSBzdWJtaXR0aW5nIHRoaXMgSW50ZXJuZXQtRHJhZnQsIGVhY2ggYXV0aG9y IHJlcHJlc2VudHMgdGhhdCAgICAgICANCiAgICAgICBhbnkgYXBwbGljYWJsZSBwYXRlbnQgb3Ig b3RoZXIgSVBSIGNsYWltcyBvZiB3aGljaCBoZSBvciBzaGUgaXMgICAgICAgDQogICAgICAgYXdh cmUgaGF2ZSBiZWVuIG9yIHdpbGwgYmUgZGlzY2xvc2VkLCBhbmQgYW55IG9mIHdoaWNoIGhlIG9y IHNoZSAgICAgICANCiAgICAgICBiZWNvbWVzIGF3YXJlIHdpbGwgYmUgZGlzY2xvc2VkLCBpbiBh Y2NvcmRhbmNlIHdpdGggU2VjdGlvbiA2IG9mICAgICAgIA0KICAgICAgIEJDUCA3OS4gDQoNCiAg ICAgICBJbnRlcm5ldC1EcmFmdHMgYXJlIHdvcmtpbmcgZG9jdW1lbnRzIG9mIHRoZSBJbnRlcm5l dCBFbmdpbmVlcmluZyANCiAgICAgICBUYXNrIEZvcmNlIChJRVRGKSwgaXRzIGFyZWFzLCBhbmQg aXRzIHdvcmtpbmcgZ3JvdXBzLiAgTm90ZSB0aGF0IA0KICAgICAgIG90aGVyIGdyb3VwcyBtYXkg YWxzbyBkaXN0cmlidXRlIHdvcmtpbmcgZG9jdW1lbnRzIGFzIEludGVybmV0LQ0KICAgICAgIERy YWZ0cy4gDQoNCiAgICAgICBJbnRlcm5ldC1EcmFmdHMgYXJlIGRyYWZ0IGRvY3VtZW50cyB2YWxp ZCBmb3IgYSBtYXhpbXVtIG9mIHNpeCANCiAgICAgICBtb250aHMgYW5kIG1heSBiZSB1cGRhdGVk LCByZXBsYWNlZCwgb3Igb2Jzb2xldGVkIGJ5IG90aGVyIA0KICAgICAgIGRvY3VtZW50cyBhdCBh bnkgdGltZS4gIEl0IGlzIGluYXBwcm9wcmlhdGUgdG8gdXNlIEludGVybmV0LQ0KICAgICAgIERy YWZ0cyBhcyByZWZlcmVuY2UgbWF0ZXJpYWwgb3IgdG8gY2l0ZSB0aGVtIG90aGVyIHRoYW4gYXMg IndvcmsgDQogICAgICAgaW4gcHJvZ3Jlc3MuIiANCg0KICAgICAgIFRoZSBsaXN0IG9mIGN1cnJl bnQgSW50ZXJuZXQtRHJhZnRzIGNhbiBiZSBhY2Nlc3NlZCBhdCANCiAgICAgICAgICAgIGh0dHA6 Ly93d3cuaWV0Zi5vcmcvaWV0Zi8xaWQtYWJzdHJhY3RzLnR4dCANCg0KICAgICAgIFRoZSBsaXN0 IG9mIEludGVybmV0LURyYWZ0IFNoYWRvdyBEaXJlY3RvcmllcyBjYW4gYmUgYWNjZXNzZWQgYXQg DQogICAgICAgICAgICBodHRwOi8vd3d3LmlldGYub3JnL3NoYWRvdy5odG1sIA0KDQogICAgICAg VGhpcyBJbnRlcm5ldC1EcmFmdCB3aWxsIGV4cGlyZSBvbiBEZWNlbWJlciAyMiwgMjAwNi4gDQoN CiAgICBBYnN0cmFjdCANCg0KICAgICAgIFRoaXMgZG9jdW1lbnQgZGVzY3JpYmVzIHRoZSBleHRl bnNpb24gZm9ybWF0IGZvciBVbmlkaXJlY3Rpb25hbCANCiAgICAgICBFbmNhcHN1bGF0aW9uIFBy b3RvY29sIChVTEUpIHRoYXQgc2VjdXJlcyB0aGUgSVAgdHJhZmZpYyANCiAgICAgICB0cmFuc3Bv cnRlZCB1c2luZyBVTEUgdG8gcHJvdmlkZSBzZWN1cml0eSBmZWF0dXJlcyBsaWtlIGRhdGEgDQoM ICAgICANCiAgICAgDQogICAgQ3J1aWNrc2hhbmsgICAgICAgICAgIEV4cGlyZXMgRGVjZW1iZXIg MjEsIDIwMDYgICAgICAgICAgW1BhZ2UgMV0gDQogICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAg ICAgICAgIFNlY3VyaXR5IEV4dGVuc2lvbiBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAgICAg ICANCg0KICAgICAgIGNvbmZpZGVudGlhbGl0eSwgZGF0YSBpbnRlZ3JpdHksIGRhdGEgb3JpZ2lu IGF1dGhlbnRpY2F0aW9uIGFuZCANCiAgICAgICBtZWNoYW5pc21zIHRvIHByZXZlbnQgcmVwbGF5 IGF0dGFja3MuIA0KDQogICAgUmVxdWlyZW1lbnRzIG5vdGF0aW9uIA0KDQogICAgICAgVGhlIGtl eSB3b3JkcyAiTVVTVCIsICJNVVNUIE5PVCIsICJSRVFVSVJFRCIsICJTSEFMTCIsICJTSEFMTCAN CiAgICAgICBOT1QiLCAiU0hPVUxEIiwgIlNIT1VMRCBOT1QiLCAiUkVDT01NRU5ERUQiLCAiTUFZ IiwgYW5kIA0KICAgICAgICJPUFRJT05BTCIgaW4gdGhpcyBkb2N1bWVudCBhcmUgdG8gYmUgaW50 ZXJwcmV0ZWQgYXMgZGVzY3JpYmVkIGluIA0KICAgICAgIFJGQzIxMTkgWzJdLiANCg0KICAgIFRh YmxlIG9mIENvbnRlbnRzIA0KDQogICAgICAgIA0KICAgICAgIDEuIEludHJvZHVjdGlvbiAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgMyANCiAgICAgICAgICAx LjEuIEFiYnJldmlhdGlvbnMgdXNlZCBpbiB0aGlzIERvY3VtZW50ICAgICAgICAgICAgICAgICAg IDQgDQogICAgICAgMi4gVUxFIFNlY3VyaXR5IEV4dGVuc2lvbiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICA0IA0KICAgICAgICAgIDIuMS4gU2VjdXJpdHkgU2VydmljZXMgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgNSANCiAgICAgICAgICAyLjIuIFNlY3Vy ZSBVTEUgU05EVSBGb3JtYXQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDYgDQogICAg ICAgICAgICAgMi4yLjEuIERlc3RpbmF0aW9uIEFkZHJlc3MgQWJzZW50IChEKSBGaWVsZCAgICAg ICAgICAgICA4IA0KICAgICAgICAgICAgIDIuMi4yLiBMZW5ndGggRmllbGQgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgOCANCiAgICAgICAgICAgICAyLjIuMy4gVHlwZSBGaWVs ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDggDQogICAgICAgICAgICAg Mi4yLjQuIERlc3RpbmF0aW9uIE5QQSBBZGRyZXNzIEZpZWxkICAgICAgICAgICAgICAgICAgICA4 IA0KICAgICAgICAgICAgIDIuMi41LiBVTEUtU0lEIEZpZWxkICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgOCANCiAgICAgICAgICAgICAyLjIuNi4gU2VxdWVuY2UgTnVtYmVyIEZp ZWxkICAgICAgICAgICAgICAgICAgICAgICAgICAgIDkgDQogICAgICAgICAgICAgMi4yLjcuIE1l c3NhZ2UgQXV0aGVudGljYXRpb24gQ29kZSAoTUFDKSBGaWVsZCAgICAgICAgICA5IA0KICAgICAg ICAgICAgICAgIDIuMi43LjEuIFR5cGUgRmllbGQgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgOSANCiAgICAgICAgICAgICAgICAyLjIuNy4yLiBFbmNyeXB0ZWQgUERVICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIDkgDQogICAgICAgICAgMi4zLiBUcmFuc21pdHRlciBQcm9j ZXNzaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDEwIA0KICAgICAgICAgIDIuNC4g UmVjZWl2ZXIgUHJvY2Vzc2luZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAxMCAN CiAgICAgICAzLiBLZXkgRXhjaGFuZ2UgUHJvY2VkdXJlICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgMTEgDQogICAgICAgICAgMy4xLiBJUHNlYyBLZXkgTWFuYWdlbWVudCBmb3Ig TDIgICAgICAgICAgICAgICAgICAgICAgICAgIDExIA0KICAgICAgICAgIDMuMi4gQWx0ZXJuYXRp dmUgS2V5IE1hbmFnZW1lbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAxMiANCiAgICAgICA0 LiBTZWN1cmUgVUxFIFNORFUgZXhhbXBsZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgMTIgDQogICAgICAgNS4gU2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIDEzIA0KICAgICAgIDYuIElBTkEgQ29uc2lkZXJhdGlvbnMgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAxMyANCiAgICAgICA3LiBBY2tub3ds ZWRnbWVudHMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgMTMgDQog ICAgICAgOC4gUmVmZXJlbmNlcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIDE0IA0KICAgICAgICAgIDguMS4gTm9ybWF0aXZlIFJlZmVyZW5jZXMgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAxNCANCiAgICAgICAgICA4LjIuIEluZm9ybWF0aXZl IFJlZmVyZW5jZXMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgMTQgDQogICAgICAgQXV0 aG9yJ3MgQWRkcmVzc2VzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IDE1IA0KICAgICAgIEludGVsbGVjdHVhbCBQcm9wZXJ0eSBTdGF0ZW1lbnQgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAxNSANCiAgICAgICBEaXNjbGFpbWVyIG9mIFZhbGlkaXR5ICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgMTYgDQogICAgICAgQ29weXJpZ2h0IFN0 YXRlbWVudCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDE2IA0KICAg ICAgICANCg0KDQoNCiAgICAgDQogICAgIA0KICAgIENydWlja3NoYW5rICAgICAgICAgICBFeHBp cmVzIERlY2VtYmVyIDIxLCAyMDA2ICAgICAgICAgICBbUGFnZSAyXSANCiAgICAgICAgDQoMICAg IEludGVybmV0LURyYWZ0ICAgICAgICAgU2VjdXJpdHkgRXh0ZW5zaW9uIGZvciBVTEUgICAgICBK dW5lIDIwMDYgDQogICAgICAgIA0KDQogICAgMS4gSW50cm9kdWN0aW9uIA0KDQogICAgICAgVGhl IFVuaWRpcmVjdGlvbmFsIExpZ2h0d2VpZ2h0IEVuY2Fwc3VsYXRpb24gUHJvdG9jb2wgKFVMRSkg WzNdIA0KICAgICAgIGlzIHVzZWQgZm9yIHRoZSB0cmFuc3BvcnRhdGlvbiBvZiB1c2VyIHRyYWZm aWMgbGlrZSBJUCBkYXRhZ3JhbXMsIA0KICAgICAgIGV0aGVybmV0IGZyYW1lcywgZXRjLiBvdmVy IElTTyBNUEVHLTIgVHJhbnNwb3J0IFN0cmVhbXMgKFRTKSBbMV0uIA0KICAgICAgIFRoaXMgZG9j dW1lbnQgZGVzY3JpYmVzIGEgbmV3IFVMRSBNYW5kYXRvcnkgZXh0ZW5zaW9uIGhlYWRlciBmb3Ig DQogICAgICAgcHJvdmlkaW5nIGxpbmsgbGF5ZXIgc2VjdXJpdHkgZm9yIFVMRS4gDQoNCiAgICAg ICBJbiBNUEVHLTIgdHJhbnNtaXNzaW9uIG5ldHdvcmtzIGVtcGxveWluZyBVTEUsIHRoZXJlIGlz IGEgbmVlZCB0byANCiAgICAgICBwcm92aWRlIGxpbmstbGF5ZXIgc2VjdXJpdHksIHBhcnRpY3Vs YXJseSB3aGVyZSBuZXR3b3JrIGxheWVyIGFuZCANCiAgICAgICB0cmFuc3BvcnQtbGF5ZXIgc2Vj dXJpdHkgbWF5IG5vdCBiZSBzdWZmaWNpZW50LiBUaGUgc2VjdXJpdHkgDQogICAgICAgcmVxdWly ZW1lbnRzIGFyZSBwcmVzZW50ZWQgYW5kIGRpc2N1c3NlZCBpbiBkZXRhaWwgaW4gZHJhZnQtDQog ICAgICAgY3J1aWNrc2hhbmstaXBkdmItc2VjLXJlcS0wMi4gVGhlIHNldCBvZiBzZWN1cml0eSBz ZXJ2aWNlcyB0aGF0IA0KICAgICAgIHRoZSBzZWN1cml0eSBleHRlbnNpb24gZm9yIFVMRSBjYW4g cHJvdmlkZSBpbmNsdWRlcyBkYXRhIA0KICAgICAgIGNvbmZpZGVudGlhbGl0eSwgZGF0YSBpbnRl Z3JpdHksIGRhdGEgb3JpZ2luIGF1dGhlbnRpY2F0aW9uIGFuZCANCiAgICAgICByZWplY3Rpb24g b2YgcmVwbGF5ZWQgcGFja2V0cy4gVGhlIGZvY3VzIGlzIG9uIHByb3ZpZGluZyBzdWl0YWJsZSAN CiAgICAgICBsaW5rIGVuY3J5cHRpb24uICBIb3dldmVyLCBsaW5rIGxheWVyIGRhdGEgaW50ZWdy aXR5IGFuZCBkYXRhIA0KICAgICAgIG9yaWdpbiBhdXRoZW50aWNhdGlvbiBpcyBwcm92aWRlZCBh cyBhbiBvcHRpb25hbCBzZWN1cml0eSANCiAgICAgICBzZXJ2aWNlLCBlc3BlY2lhbGx5IGZvciBz eXN0ZW1zIHdoZXJlIHRoZXJlIGFyZSBzZXZlcmFsIFVMRSANCiAgICAgICB0cmFuc21pdHRlcnMg KGUuZy4gc2F0ZWxsaXRlIG1lc2hlZCBzeXN0ZW1zIHdpdGggT24tQm9hcmQgDQogICAgICAgUHJv Y2Vzc2luZykuIA0KDQogICAgICAgT24gU2VjdXJpbmcgdGhlIFVMRSBTTkRVcywgc2VjdXJpdHkg aXMgcHJvdmlkZWQgYXQgdGhlIGxpbmsgbGF5ZXIgDQogICAgICAgYXMgb3Bwb3NlZCB0byBvdGhl ciBleGlzdGluZyBtZWNoYW5pc21zIGxpa2UgSVAgU2VjdXJpdHkgKElQc2VjKSANCiAgICAgICBb N10gdGhhdCBwcm92aWRlcyBzZWN1cml0eSBhdCB0aGUgbmV0d29yay1sYXllciBvciBUTFMgWzEw XSB0aGF0IA0KICAgICAgIHByb3ZpZGVzIHRyYW5zcG9ydCBsYXllciBzZWN1cml0eS4gU2luY2Ug dGhlc2Ugc2VjdXJpdHkgc2VydmljZXMgDQogICAgICAgYXJlIHByb3ZpZGVkIGF0IHRoZSBsaW5r IGxheWVyIGFueSBuZXR3b3JrIGxheWVyIHByb3RvY29sIGxpa2UgSVAgDQogICAgICAgKGV2ZW4g d2l0aCBFdGhlcm5ldCBicmlkZ2luZykgbWF5IGJlIHVzZWQgd2l0aCBTZWN1cmUgVUxFLiANCg0K ICAgICAgIFVMRSBtYXkgdXNlIGFuZCBiZW5lZml0IGZyb20gSUVURiBrZXkgbWFuYWdlbWVudCBw cm90b2NvbHMsIHN1Y2ggDQogICAgICAgYXMgdGhlIE1TRUMgR0RPSSBbOF0gYW5kIEdTQUtNUCBb Nl0uIFRoaXMgZG9lcyBub3QgcHJlY2x1ZGUgdGhlIA0KICAgICAgIHVzZSBvZiBvdGhlciBrZXkg bWFuYWdlbWVudCBtZXRob2RzIGluIHNjZW5hcmlvcyB3aGljaCBiZW5lZml0IA0KICAgICAgIGZy b20gdGhpcy4gVGhlIGVuY3J5cHRpb24gYWxnb3JpdGhtcywga2V5IGxlbmd0aHMsIGV0Yy4gd2ls bCBiZSANCiAgICAgICBkZWZpbmVkIG1ha2luZyB1c2Ugb2YgdGhlIHN0YW5kYXJkIElQc2VjIHN1 aXRlcy4gIEZvciB0aGlzIA0KICAgICAgIHB1cnBvc2UgYSBzZWN1cml0eSBhc3NvY2lhdGlvbiBp ZGVudGl0eSBzaW1pbGFyIHRvIHRoZSBJUHNlYyBTUEkgDQogICAgICAgWzddIGlzIHVzZWQuIA0K DQogICAgICAgSW4gc29tZSBjdXJyZW50IGVuY2Fwc3VsYXRpb24gbWV0aG9kcyBsaWtlIE1QRSBb NF0sIGVuY3J5cHRpb24gb2YgDQogICAgICAgdGhlIE1BQyBhZGRyZXNzIHJlcXVpcmVzIGVhY2gg UmVjZWl2ZXIgdG8gZGVjcnlwdCBhbGwgZW5jcnlwdGVkIA0KICAgICAgIGRhdGEgc2VudCB1c2lu ZyBhIFRTIExvZ2ljYWwgQ2hhbm5lbCAoaWRlbnRpZmllZCBieSBhIFBJRCksIA0KICAgICAgIGJl Zm9yZSBpdCBjYW4gdGhlbiBmaWx0ZXIgdGhlIFBEVXMgdGhhdCBtYXRjaGVzIHRoZSBzZXQgb2Yg DQogICAgICAgTmV0d29yayBQb2ludCBvZiBBdHRhY2htZW50IChOUEEpIGFkZHJlc3NlcyB0aGF0 IHRoZSBSZWNlaXZlciANCiAgICAgICB3aXNoZXMgdG8gcmVjZWl2ZS4gIFRoZXJlZm9yZSBlbmNy eXB0aW9uIG9mIHRoZSBNUEUgTlBBIGFkZHJlc3MgDQogICAgICAgaXMgbm90IHBlcm1pdHRlZCBp biBzdWNoIHN5c3RlbXMuICBUaGlzIGRvY3VtZW50IHNwZWNpZmllcyBhIA0KICAgICAgIG1ldGhv ZCB3aGljaCBwcm92aWRlcyBzdXBwb3J0IGZvciB1c2luZyB0ZW1wb3JhcnkgTGF5ZXIgMiBOUEEg DQogICAgICAgYWRkcmVzcy4gDQoNCiAgICAgDQogICAgIA0KICAgIENydWlja3NoYW5rICAgICAg ICAgICBFeHBpcmVzIERlY2VtYmVyIDIxLCAyMDA2ICAgICAgICAgICBbUGFnZSAzXSANCiAgICAg ICAgDQoMICAgIEludGVybmV0LURyYWZ0ICAgICAgICAgU2VjdXJpdHkgRXh0ZW5zaW9uIGZvciBV TEUgICAgICBKdW5lIDIwMDYgDQogICAgICAgIA0KDQogICAgMS4xLiBBYmJyZXZpYXRpb25zIHVz ZWQgaW4gdGhpcyBEb2N1bWVudCANCg0KICAgICAgIEFFUyAtIEFkdmFuY2VkIEVuY3J5cHRpb24g U3RhbmRhcmQgDQoNCiAgICAgICBEVkIgLSBEaWdpdGFsIFZpZGVvIEJyb2FkY2FzdGluZyANCg0K ICAgICAgIEdET0kgLSBHcm91cCBEb21haW4gb2YgSW50ZXJwcmV0YXRpb24gDQoNCiAgICAgICBH U0tBTVAgLSBHcm91cCBTZWN1cmUgQXNzb2NpYXRpb24gS2V5IE1hbmFnZW1lbnQgUHJvdG9jb2wg DQoNCiAgICAgICBJUHNlYyAtIEludGVybmV0IFByb3RvY29sIFNlY3VyaXR5IA0KDQogICAgICAg TVBFIC0gTXVsdGktUHJvdG9jb2wgRW5jYXBzdWxhdGlvbiANCg0KICAgICAgIE1BQyAtIE1lc3Nh Z2UgQXV0aGVudGljYXRpb24gQ29kZSANCg0KICAgICAgIE5BVCAtIE5ldHdvcmsgQWRkcmVzcyBU cmFuc2xhdGlvbiANCg0KICAgICAgIE5DQyAtIE5ldHdvcmsgQ29udHJvbCBDZW50cmUgDQoNCiAg ICAgICBOUEEgLSBOZXR3b3JrIFBvaW50IG9mIEF0dGFjaG1lbnQgDQoNCiAgICAgICBQRVAgLSBQ cm90b2NvbCBFbmhhbmNpbmcgUHJveHkgDQoNCiAgICAgICBQSUQgLSBQYWNrZXQgSWRlbnRpZmll ciANCg0KICAgICAgIFBEVSAtIFByb3RvY29sIERhdGEgVW5pdCANCg0KICAgICAgIFNBRCAtIFNl Y3VyaXR5IEFzc29jaWF0aW9uIERhdGFiYXNlIA0KDQogICAgICAgU0hBIC0gU3RhbmRhcmQgSGFz aCBBbGdvcml0aG0gDQoNCiAgICAgICBTTkRVIC0gU3ViTmV0d29yayBEYXRhIFVuaXQgDQoNCiAg ICAgICBTUEQgLSBTZWN1cml0eSBQb2xpY3kgRGF0YWJhc2UgDQoNCiAgICAgICBUTFMgLSBUcmFu c3BvcnQgTGF5ZXIgU2VjdXJpdHkgDQoNCiAgICAgICBVTEUgLSBVbmlkaXJlY3Rpb25hbCBMaWdo dHdlaWdodCBFbmNhcHN1bGF0aW9uIFByb3RvY29sIA0KDQogICAgMi4gVUxFIFNlY3VyaXR5IEV4 dGVuc2lvbiANCg0KICAgICAgIFRoaXMgc2VjdGlvbiBkZXNjcmliZXMgdGhlIHNlY3VyaXR5IHNl cnZpY2VzIG9mZmVyZWQgYW5kIHRoZSANCiAgICAgICBwYWNrZXQgZm9ybWF0IG9mIHRoZSBzZWN1 cml0eSBleHRlbnNpb24gZm9yIFVMRS4gIFRoZSBwcm9jZWR1cmVzIA0KICAgICAgIGZvciBwcm9j ZXNzaW5nIHRoZSBzZWN1cml0eSBleHRlbnNpb24gaGVhZGVyIGF0IHRoZSB0cmFuc21pdHRlciAN CiAgICAgICBhbmQgdGhlIHJlY2VpdmVyIGFyZSBhbHNvIGRlc2NyaWJlZC4gDQoNCiAgICAgDQog ICAgIA0KICAgIENydWlja3NoYW5rICAgICAgICAgICBFeHBpcmVzIERlY2VtYmVyIDIxLCAyMDA2 ICAgICAgICAgICBbUGFnZSA0XSANCiAgICAgICAgDQoMICAgIEludGVybmV0LURyYWZ0ICAgICAg ICAgU2VjdXJpdHkgRXh0ZW5zaW9uIGZvciBVTEUgICAgICBKdW5lIDIwMDYgDQogICAgICAgIA0K DQogICAgMi4xLiBTZWN1cml0eSBTZXJ2aWNlcyANCg0KICAgICAgIE1QRUctMiBiYXNlZCBuZXR3 b3JrcyBhcmUgc3VzY2VwdGlibGUgdG8gc2V2ZXJhbCBzZWN1cml0eSANCiAgICAgICBhdHRhY2tz LCBib3RoIHBhc3NpdmUgYW5kIGFjdGl2ZS4gU29tZSBvZiB0aGUgbWFpbiBzZWN1cml0eSANCiAg ICAgICBzZXJ2aWNlcyAobWFuZGF0b3J5IG9yIG9wdGlvbmFsKSB0aGF0IHRoZSBzZWN1cml0eSBl eHRlbnNpb24gZm9yIA0KICAgICAgIFVMRSBhaW1zIHRvIHByb3ZpZGUgZm9yIElQIHNlcnZpY2Vz IHJ1bm5pbmcgb24gTVBFRy0yIGJhc2VkIA0KICAgICAgIHN5c3RlbXMgYXJlOiANCg0KICAgICAg IG8gRGF0YSBDb25maWRlbnRpYWxpdHkgKE1hbmRhdG9yeSk6IERhdGEgY29uZmlkZW50aWFsaXR5 IGlzIA0KICAgICAgICAgIGFjaGlldmVkIGJ5IGVuY3J5cHRpbmcgdGhlIGhpZ2hlciBsYXllciBQ RFUgYmVmb3JlIA0KICAgICAgICAgIGVuY2Fwc3VsYXRpb24gaW4gdGhlIFVMRSBTTkRVLCBzbyB0 aGF0IG9ubHkgYXV0aG9yaXNlZCANCiAgICAgICAgICByZWNlaXZlcnMgY2FuIGRlY3J5cHQgdGhl IHRyYW5zbWl0dGVkIGluZm9ybWF0aW9uIHdoaWxlIGFuIA0KICAgICAgICAgIGFkdmVyc2FyeSB3 b3VsZCBub3QgYmUgYWJsZSB0byByZWNvdmVyIHRoZSBpbXBvcnRhbnQgDQogICAgICAgICAgaW5m b3JtYXRpb24gZXZlbiBpZiBpdCBnb3QgaG9sZCBvZiB0aGUgdHJhbnNtaXR0ZWQgZGF0YS4gDQoN CiAgICAgICBvIFJlY2VpdmVyIE5QQSBhZGRyZXNzIGhpZGluZyAobWFuZGF0b3J5KTogVGhpcyBp cyBhbiBpbXBvcnRhbnQgDQogICAgICAgICAgb2JqZWN0aXZlIGZvciBVTEUgc2VjdXJpdHkgdG8g cHJldmVudCBhbnkgcGFzc2l2ZSBhdHRhY2tzIGxpa2UgDQogICAgICAgICAgdHJhZmZpYyBhbmFs eXNpcy4gIFVzaW5nIG9wdGlvbiBEPTEgKG5vIE5QQSBhZGRyZXNzKSBpcyBPSyBhcyANCiAgICAg ICAgICBsb25nIGFzIHRoZSBVTEVfU2VjdXJpdHlfSURlbnRpZmllciAoVUxFLVNJRCkgaXMgdW5p cXVlIGluIHRoZSANCiAgICAgICAgICB3aG9sZSBVTEUgbmV0d29yay4gIFRoaXMgaW1wbGllcyB0 aGUgbmVlZCBmb3IgYSBjZW50cmFsaXNlZCANCiAgICAgICAgICBrZXkgbWFuYWdlbWVudCBzeXN0 ZW0gdGhhdCBnZW5lcmF0ZXMgdGhlIFVMRS1TSUQuIElmIE5QQSANCiAgICAgICAgICBhZGRyZXNz IGlzIHVzZWQgKG9wdGlvbiBEPTApIGluIHRoZSBiYXNlIFVMRSBoZWFkZXIsIHRoZW4gdGhlIA0K ICAgICAgICAgIE5ldHdvcmsgQ29udHJvbCBDZW50cmUgKE5DQykgaXMgcmVzcG9uc2libGUgZm9y IGdlbmVyYXRpbmcgYSANCiAgICAgICAgICB0ZW1wb3JhcnkgTlBBIGFkZHJlc3MuIFRoZSB0ZW1w b3JhcnkgTlBBIGFkZHJlc3Mgc2hvdWxkIGJlIA0KICAgICAgICAgIHVzZWQgZm9yIGFsbCBzZWN1 cmUgY29tbXVuaWNhdGlvbnMgd2l0aCB0aGF0IFJlY2VpdmVyLiBUaGUgVUxFIA0KICAgICAgICAg IGVuY2Fwc3VsYXRvciBzaG91bGQgYmUgbm90aWZpZWQgb2YgdGhlc2UgYWRkcmVzc2VzIGFzIHdl bGwuIEluIA0KICAgICAgICAgIGFkZGl0aW9uLCB0aGUgdGVtcG9yYXJ5IE5QQSBhZGRyZXNzIHdp bGwgY2hhbmdlIGZyb20gdGltZSB0byANCiAgICAgICAgICB0aW1lIGRlcGVuZGluZyBvbiB0aGUg c2VjdXJpdHkgcG9saWN5IGFuZCBpdCBpcyBub3QgZGlyZWN0bHkgDQogICAgICAgICAgcmVsYXRl ZCB0byBlYWNoIFVMRSBzZXNzaW9uLiBJdCBjYW4gY2hhbmdlIHBlcmlvZGljYWxseSAoZm9yIA0K ICAgICAgICAgIGV4YW1wbGUgYWZ0ZXIgYSBzcGVjaWZpZWQgcGVyaW9kIG9mIHRpbWUgYW5kL29y IGFmdGVyIGEgDQogICAgICAgICAgc3BlY2lmaWVkIHZvbHVtZSBvZiB0cmFmZmljIGhhcyBiZWVu IHNlbnQgdG8gdGhhdCB0ZXJtaW5hbCkuICANCiAgICAgICAgICBUaGUgdGVtcG9yYXJ5IE5QQSBh ZGRyZXNzIGlzIHVzZWQgaW4gYXNzb2NpYXRpb24gd2l0aCB0aGUgVUxFLQ0KICAgICAgICAgIFNJ RCBmb3Igc3BlY2lmaWMgc2Vzc2lvbiBzZWN1cml0eS4gSXQgaXMgZW52aXNhZ2VkIHRoYXQgdGhl cmUgDQogICAgICAgICAgd2lsbCBiZSBhIHNtYWxsIGltcGFjdCBvbiB0aGUgTkNDIGZvciBoYW5k bGluZyB0d28gTlBBIA0KICAgICAgICAgIGFkZHJlc3NlcyBmb3IgZWFjaCB0ZXJtaW5hbC4gDQoN CiAgICAgICBvIERhdGEgb3JpZ2luIGF1dGhlbnRpY2F0aW9uIChPcHRpb25hbCk6IERhdGEgb3Jp Z2luIChzb3VyY2UpIA0KICAgICAgICAgIGF1dGhlbnRpY2F0aW9uIGFsbG93cyBhIHJlY2VpdmVy IHRvIHZlcmlmeSB0aGF0IHRoZSBkYXRhIGlzIA0KICAgICAgICAgIHNlbnQgYnkgdGhlIGNsYWlt ZWQgc2VuZGVyLiBUbyBhY2hpZXZlIGRhdGEgb3JpZ2luIA0KICAgICAgICAgIGF1dGhlbnRpY2F0 aW9uLCBhIE1lc3NhZ2UgQXV0aGVudGljYXRpb24gQ29kZSAoTUFDKSBpcyANCiAgICAgICAgICBn ZW5lcmF0ZWQgZm9yIGVhY2ggbWVzc2FnZSB1c2luZyBhIHNoYXJlZCBzZWNyZXQga2V5IGFuZCBp cyANCiAgICAgICAgICBhbHNvIHRyYW5zbWl0dGVkIGFsb25nIHdpdGggdGhlIGRhdGEuICBUaGUg VUxFIHJlY2VpdmVyIHdvdWxkIA0KICAgICAgICAgIGFsc28gY2FsY3VsYXRlIHRoZSBNQUMgZm9y IHRoZSByZWNlaXZlZCBkYXRhIHVzaW5nIHRoZSBzaGFyZWQgDQogICAgICAgICAga2V5LCBhbmQg dGhlbiBjb21wYXJlIHRoaXMgY29tcHV0ZWQgTUFDIHZhbHVlIHRvIHRoZSBvbmUgc2VudCANCiAg ICAgICAgICBieSB0aGUgc2VuZGVyIGFsb25nIHdpdGggdGhlIGRhdGEuIElmIHRoZSB0d28gbWF0 Y2hlcywgdGhlbiANCiAgICAgICAgICB0aGUgcmVjZWl2ZXIga25vd3MgdGhhdCB0aGUgZGF0YSBo YWQgdG8gYmUgc2VudCBmcm9tIHRoZSANCiAgICAgICAgICBjbGFpbWVkIHNlbmRlci4gDQogICAg IA0KICAgICANCiAgICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhwaXJlcyBEZWNlbWJlciAyMSwg MjAwNiAgICAgICAgICAgW1BhZ2UgNV0gDQogICAgICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAg ICAgICAgIFNlY3VyaXR5IEV4dGVuc2lvbiBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAgICAg ICANCg0KICAgICAgIG8gRGF0YSBJbnRlZ3JpdHkgKE9wdGlvbmFsKTogRGF0YSBpbnRlZ3JpdHkg cHJvdmlkZXMgYSB3YXkgZm9yIA0KICAgICAgICAgIHRoZSByZWNlaXZlciBvZiB0aGUgZGF0YSBt ZXNzYWdlIHRvIGtub3cgaWYgdGhlIGRhdGEgaGFzIGJlZW4gDQogICAgICAgICAgdGFtcGVyZWQg aW4gdHJhbnNpdCBieSBhbiBhdHRhY2tlci4gVGhlIE1BQyB1c2VkIGZvciBkYXRhIA0KICAgICAg ICAgIGF1dGhlbnRpY2F0aW9uIGFsc28gcHJvdmlkZXMgZGF0YSBpbnRlZ3JpdHkuIFRoZSByZWNl aXZlciBvZiANCiAgICAgICAgICB0aGUgZGF0YSBjYWxjdWxhdGVzIHRoZSBNQUMgYW5kIGNvbXBh cmVzIGl0IHRvIHRoZSBvbmUgDQogICAgICAgICAgdHJhbnNtaXR0ZWQgYnkgdGhlIHNlbmRlci4g SWYgYW4gYWR2ZXJzYXJ5IGhhZCB0YW1wZXJlZCB3aXRoIA0KICAgICAgICAgIHRoZSBtZXNzYWdl IHRoZW4gdGhlIHR3byBNQUNzIHdvdWxkIG5vdCBtYXRjaC4gDQoNCiAgICAgICBvIFJlcGxheSBB dHRhY2tzIENvdW50ZXJtZWFzdXJlcyAoT3B0aW9uYWwpOiBNZXRob2RzIGFnYWluc3QgDQogICAg ICAgICAgcmVwbGF5IGF0dGFja3MgbmVlZCB0byBlbnN1cmUgdGhhdCB0aGUgcmVjZWl2ZWQgZGF0 YSBpcyByZWNlbnQgDQogICAgICAgICAgYW5kIHRoYXQgYW4gYWR2ZXJzYXJ5IGhhcyBub3QgcmVw bGF5ZWQgb2xkIG1lc3NhZ2VzIGF0IGEgbGF0ZXIgDQogICAgICAgICAgdGltZS4gQSBtb25vdG9u aWNhbGx5IGluY3JlYXNpbmcgc2VxdWVuY2UgbnVtYmVyIHdvdWxkIGJlIHVzZWQgDQogICAgICAg ICAgd2l0aCBldmVyeSBtZXNzYWdlIGFuZCBtZXNzYWdlcyB3aXRoIG9sZCBzZXF1ZW5jZSBudW1i ZXIgDQogICAgICAgICAgdmFsdWVzIHdvdWxkIGJlIHJlamVjdGVkLiBUaGUgY2hvaWNlIG9mIHVz aW5nIHNlcXVlbmNlIG51bWJlcnMgDQogICAgICAgICAgaXMgZGljdGF0ZWQgYnkgcG9saWN5IGFu ZCBpcyBkb25lIGJ5IHRoZSBrZXkgbWFuYWdlbWVudCANCiAgICAgICAgICBzeXN0ZW0uIA0KDQog ICAgICAgQW5vdGhlciBpc3N1ZSBpcyBrZXkgc3BhY2UsIHdoaWNoIG1lYW5zIHNlY3VyaXR5IGtl eSBzdG9yYWdlIGFuZCANCiAgICAgICB0aGUgcmVsYXRlZCBrZXkgZGF0YWJhc2VzLiBUaGVyZSBp cyBhIG5lZWQgZm9yIHRoZSBmb2xsb3dpbmcgdHdvIA0KICAgICAgIGRhdGFiYXNlcyBmb3IgdGhl IGNvcnJlY3QgcHJvY2Vzc2luZyBvbiBzZWN1cml0eSBpbiBVTEUgDQogICAgICAgdHJhbnNtaXR0 ZXJzIGFuZCByZWNlaXZlcnM6IA0KDQogICAgICAgbyBTZWN1cml0eSBQb2xpY3kgRGF0YWJhc2Ug KFNQRCk6IFRoaXMgZGF0YWJhc2UgY29udGFpbnMgdGhlIA0KICAgICAgICAgIHBvbGljaWVzIHRo YXQgZGV0ZXJtaW5lIHRoZSBwcm9jZXNzaW5nIG9mIGFsbCBVTEUgDQogICAgICAgICAgaW5ib3Vu ZC9vdXRib3VuZCB0cmFmZmljIChzdWNoIGFzIGVuY3J5cHRpbmcgYWxsIG91dGJvdW5kIFVMRSAN CiAgICAgICAgICB0cmFmZmljIGRlc3RpbmVkIHRvIGEgY2VydGFpbiB0ZXJtaW5hbCkuIA0KDQog ICAgICAgbyBTZWN1cml0eSBBc3NvY2lhdGlvbiBEYXRhYmFzZSAoU0FEKTogRWFjaCBlbnRyeSBk ZWZpbmVzIHRoZSANCiAgICAgICAgICBwYXJhbWV0ZXJzIGFzc29jaWF0ZWQgd2l0aCBvbmUgVUxF LVNJRCBzdWNoIGFzIGVuY3J5cHRpb24gDQogICAgICAgICAga2V5cywga2V5cyBhbmQgYWxnb3Jp dGhtcyB1c2VkIGZvciBjYWxjdWxhdGluZyB0aGUgTUFDLCANCiAgICAgICAgICBwcmVzZW5jZSBv ZiBTZXF1ZW5jZSBudW1iZXIgYW5kIE1BQy4gRWFjaCBVTEUtU0lEIGhhcyBhbiBlbnRyeSANCiAg ICAgICAgICBpbiB0aGUgU0FELiANCg0KICAgICAgIFRoaXMgZG9jdW1lbnQgcHJvcG9zZXMgdG8g cmUtdXNlIGV4aXN0aW5nIHRlY2huaXF1ZXMgaW4gSVBzZWMgDQogICAgICAgYXJjaGl0ZWN0dXJl IGFuZCB0aGVyZWZvcmUgdGhlIFNQRCBhbmQgdGhlIFNBRCB3aWxsIGZvbGxvdyB0aGUgDQogICAg ICAgZm9ybWF0IG9mIHRoZXNlIGRhdGFiYXNlcyBhcyBkZWZpbmVkIGluIFJGQyA0MzAxIFs3XS4g VGhlIA0KICAgICAgIHNlY3VyaXR5IHN1aXRlIG9mIGFsZ29yaXRobXMgZm9yIGRhdGEgZW5jcnlw dGlvbiBhbmQgZGF0YSANCiAgICAgICBhdXRoZW50aWNpdHkgLyBpbnRlZ3JpdHkgc3BlY2lmaWVk IGluIElQc2VjL01TRUMgd2lsbCBiZSB1c2VkIGZvciANCiAgICAgICBVTEUgc2VjdXJpdHkuIFRo ZSBkZXNpZ24gb2YgdGhlc2UgZGF0YWJhc2VzIHdpbGwgYmUgc2ltcGxlciBhbmQgDQogICAgICAg YWxzbyB0aGUgbG9va3VwcyBiZWNhdXNlIHVubGlrZSBpbiBJUHNlYyBvbmx5IHRoZSBVTEUtU0lE IGFsb25nIA0KICAgICAgIHdpdGggdGhlIE5QQSBhZGRyZXNzIGlzIG5lZWRlZCB0byByZXRyaWV2 ZSB0aGUgZGF0YSBmcm9tIHRoZXNlIA0KICAgICAgIGRhdGFiYXNlcy4gDQoNCiAgICAyLjIuIFNl Y3VyZSBVTEUgU05EVSBGb3JtYXQgDQoNCiAgICAgICBUaGUgc2VjdXJpdHkgZXh0ZW5zaW9uIGFp bXMgdG8gc2VjdXJlIHRoZSB0cmFuc21pc3Npb24gb2YgdXNlciANCiAgICAgICB0cmFmZmljIG92 ZXIgTVBFRy0yIFRyYW5zcG9ydCBTdHJlYW1zLiAgSW4gb3JkZXIgdG8gYWRkcmVzcyB0aGUgDQog ICAgIA0KICAgICANCiAgICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhwaXJlcyBEZWNlbWJlciAy MSwgMjAwNiAgICAgICAgICAgW1BhZ2UgNl0gDQogICAgICAgIA0KDCAgICBJbnRlcm5ldC1EcmFm dCAgICAgICAgIFNlY3VyaXR5IEV4dGVuc2lvbiBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAg ICAgICANCg0KICAgICAgIHNlY3VyaXR5IGlzc3VlcywgRmlndXJlIDEgc2hvd3MgdGhlIFNORFUg Zm9ybWF0IHdpdGggdGhlIHNlY3VyaXR5IA0KICAgICAgIGV4dGVuc2lvbiBoZWFkZXIuIA0KDQog ICAgICAgVGhpcyBzZWN1cml0eSBleHRlbnNpb24gaXMgYSBzdGFuZGFyZCBleHRlbnNpb24gaGVh ZGVyIGFzIA0KICAgICAgIGRlc2NyaWJlZCBpbiBTZWN0aW9uIDUgb2YgUkZDIDQzMjYgWzNdIGFu ZCBpdCBzaG91bGQgbm90IGFmZmVjdCANCiAgICAgICB0aGUgVUxFIGJhc2UgcHJvdG9jb2wuIFRo aXMgc2VjdXJpdHkgZXh0ZW5zaW9uIGhlYWRlciBNQVkgDQogICAgICAgZGlyZWN0bHkgZm9sbG93 IHRoZSBVTEUgYmFzZSBoZWFkZXIgYXMgc2hvd24gaW4gRmlndXJlIDEgb3IgaXQgDQogICAgICAg TUFZIGFsc28gZm9sbG93IGFub3RoZXIgc3BlY2lmaWMgZXh0ZW5zaW9uIGhlYWRlci4gDQoNCiAg ICAgICBUaGlzIHNlY3VyaXR5IGV4dGVuc2lvbiBoZWFkZXIgaXMgYSBNYW5kYXRvcnkgVUxFIEV4 dGVuc2lvbiANCiAgICAgICBoZWFkZXIuIFRoaXMgbWVhbnMgdGhhdCBhIHJlY2VpdmVyIE1VU1Qg ZWl0aGVyIHByb2Nlc3MgdGhpcyANCiAgICAgICBoZWFkZXIgYmVmb3JlIGl0IHByb2Nlc3NlcyB0 aGUgbmV4dCBleHRlbnNpb24gaGVhZGVyIG9yIHRoZSANCiAgICAgICBlbmNhcHN1bGF0ZWQgUERV LCBvdGhlcndpc2UgdGhlIGVudGlyZSBTTkRVIHNob3VsZCBiZSBkaXNjYXJkZWQuIA0KDQogICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAwIDEgMiAzIDQgNSA2 IDcgOCA5IDAgMSAyIDMgNCA1IDYgNyA4IDkgMCAxIDIgMyA0IDUgNiA3IDggOSAwIDEgDQogICAg ICAgKy0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0rIA0KICAgICAgIHxEfCAgICAgICAgICBMZW5ndGggICAgICAgICAgICB8ICAgICAg IFR5cGUgPSBTLVVMRSAgICAgICAgICAgfCANCiAgICAgICArLSstLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsgDQogICAgICAgfCAgICAg ICAgICAgICAgUmVjZWl2ZXIgRGVzdGluYXRpb24gTlBBIEFkZHJlc3MgKiAgICAgICAgICAgICB8 IA0KICAgICAgIHwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICArLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tKyANCiAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg fCAgICAgIFVMRV9TZWN1cml0eV9JRCAgICAgICAgIHwgDQogICAgICAgKy0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rIA0KICAgICAg IHwgICAgICAgVUxFX1NlY3VyaXR5X0lEICAgICAgICB8ICAgICBTZXF1ZW5jZSBOdW0uKE9wdGlv bmFsKSAgfCANCiAgICAgICArLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsgDQogICAgICAgfCAgU2VxdWVuY2UgTnVtYmVyIChPcHRp b25hbCkgIHwgICAgICAgIE1BQyAoT3B0aW9uYWwpICAgICAgICB8IA0KICAgICAgICstLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKyAN CiAgICAgICB8ICAgICAgICBNQUMgKE9wdGlvbmFsKSAgICAgICAgfCAgICAgVHlwZSA9IFR5cGUg b2YgUERVICAgICAgIHwgDQogICAgICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSst LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rIA0KICAgICAgIHwgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCANCiAgICAgICB8 ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIHwgDQogICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICBFbmNyeXB0ZWQgUERVICAg ICAgICAgICAgICAgICAgICAgICA9IA0KICAgICAgIHwgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCANCiAgICAgICB8ICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgDQog ICAgICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0rIA0KICAgICAgIHwgICAgICAgICAgICAgICAgICAgIEN5Y2xpYyBSZWR1bmRh bmN5IENvZGUgICAgICAgICAgICAgICAgICAgfCANCiAgICAgICArLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsgDQogICAgICAgRmln dXJlIDEgR2VuZXJhbCBTTkRVIGZvcm1hdCB3aXRoIFNlY3VyaXR5IGV4dGVuc2lvbiBoZWFkZXIg KEQ9MCkgDQoNCiAgICAgICBJbiBGaWd1cmUgMSwgdGhlIFR5cGUgZmllbGQgaW4gdGhlIGJhc2Ug aGVhZGVyIGRlbm90ZXMgdGhhdCB0aGUgDQogICAgICAgbWFuZGF0b3J5IHNlY3VyaXR5IGV4dGVu c2lvbiBoZWFkZXIgaXMgcHJlc2VudC4gVGhlIHJlY2VpdmVyIA0KICAgICAgIGRlc3RpbmF0aW9u IE5QQSBhZGRyZXNzIGlzIG9wdGlvbmFsLiBBZnRlciB0aGUgYmFzZSBVTEUgaGVhZGVyIA0KICAg ICAgIHRoZSBzZWN1cml0eSBleHRlbnNpb24gaGVhZGVyIGlzIGZvbGxvd2VkLiBUaGlzIGhlYWRl ciBjb250YWlucyANCiAgICAgICB0aGUgVUxFLVNJRCwgdGhlIG9wdGlvbmFsIFNlcXVlbmNlIE51 bWJlciBmaWVsZCBhbmQgdGhlIG9wdGlvbmFsIA0KICAgICAgIE1lc3NhZ2UgQXV0aGVudGljYXRp b24gQ29kZSAoTUFDKSBmaWVsZC4gVGhlIG5leHQgdHlwZSBmaWVsZCANCiAgICAgICBkZW5vdGVz IHRoZSB0eXBlIG9mIHRoZSBlbmNsb3NlZCBQRFUuIFRoZSBoaWdoZXIgbGF5ZXIgUERVIGlzIA0K ICAgICAgIGVuY3J5cHRlZCBhbmQgdGhlbiBlbmNhcHN1bGF0ZWQgaW4gdGhlIFNORFUuIA0KICAg ICANCiAgICAgDQogICAgQ3J1aWNrc2hhbmsgICAgICAgICAgIEV4cGlyZXMgRGVjZW1iZXIgMjEs IDIwMDYgICAgICAgICAgIFtQYWdlIDddIA0KICAgICAgICANCgwgICAgSW50ZXJuZXQtRHJhZnQg ICAgICAgICBTZWN1cml0eSBFeHRlbnNpb24gZm9yIFVMRSAgICAgIEp1bmUgMjAwNiANCiAgICAg ICAgDQoNCiAgICAgICBUaGUgZm9ybWF0IG9mIHRoZSBEZXN0aW5hdGlvbiBBZGRyZXNzIEFic2Vu dCBmaWVsZCAoRCksIHRoZSANCiAgICAgICBMZW5ndGggZmllbGQgdGhlIFR5cGUgZmllbGQgYW5k IHRoZSBSZWNlaXZlciBEZXN0aW5hdGlvbiBOUEEgDQogICAgICAgYWRkcmVzcyBmaWVsZCBkaXJl Y3RseSBmb2xsb3cgYW5kIGFyZSB1c2VkIGluIHRoZSBzYW1lIHdheSBhcyANCiAgICAgICBkZWZp bmVkIGZvciBzdGFuZGFyZCBVTEUgWzNdLiANCg0KICAgIDIuMi4xLiBEZXN0aW5hdGlvbiBBZGRy ZXNzIEFic2VudCAoRCkgRmllbGQgDQoNCiAgICAgICBUaGUgbW9zdCBzaWduaWZpY2FudCBiaXQg b2YgdGhlIExlbmd0aCBGaWVsZCBjYXJyaWVzIHRoZSB2YWx1ZSBvZiANCiAgICAgICB0aGUgRGVz dGluYXRpb24gQWRkcmVzcyBBYnNlbnQgRmllbGQgKEQpIHdoaWNoIGZvbGxvd3MgdGhlIHNhbWUg DQogICAgICAgZGVmaW5pdGlvbiBhcyBpbiBzdGFuZGFyZCBVTEUgWzNdLiBXaGVuIEQgaXMgc2V0 IHRvIDAsIGl0IA0KICAgICAgIGluZGljYXRlcyB0aGUgcHJlc2VuY2Ugb2YgdGhlIERlc3RpbmF0 aW9uIEFkZHJlc3MgRmllbGQgd2hpbGUgRCANCiAgICAgICBzZXQgdG8gMSBpbmRpY2F0ZXMgdGhh dCBhIERlc3RpbmF0aW9uIEFkZHJlc3MgRmllbGQgaXMgbm90IA0KICAgICAgIHByZXNlbnQuIA0K DQogICAgMi4yLjIuIExlbmd0aCBGaWVsZCANCg0KICAgICAgIEEgMTUtYml0IExlbmd0aCBmaWVs ZCBkZW5vdGVzIHRoZSBsZW5ndGgsIGluIGJ5dGVzLCBvZiB0aGUgU05EVSANCiAgICAgICBjb3Vu dGVkIGZyb20gdGhlIGJ5dGUgZm9sbG93aW5nIHRoZSBUeXBlIGZpZWxkLCB1cCB0byBhbmQgDQog ICAgICAgaW5jbHVkaW5nIHRoZSBDUkMgWzNdLiANCg0KICAgIDIuMi4zLiBUeXBlIEZpZWxkIA0K DQogICAgICAgQSAxNi1iaXQgVHlwZSBGaWVsZCBpbmRpY2F0ZXMgdGhhdCB0aGlzIGlzIGEgU2Vj dXJlIFVMRSBTTkRVIFszXS4gDQoNCiAgICAgICBbWFhYIElBTkEgQUNUSU9OIFJFUVVJUkVEIFhY WF0gDQoNCiAgICAgICBJQU5BIGFjdGlvbiBpcyByZXF1aXJlZCB0byBhc3NpZ24gdGhlIFR5cGUg ZmllbGQgZm9yIHRoZSBzZWN1cml0eSANCiAgICAgICBleHRlbnNpb24gaGVhZGVyLiANCg0KICAg ICAgIFtYWFggRU5EIG9mIElBTkEgQUNUSU9OIFhYWF0gDQoNCiAgICAyLjIuNC4gRGVzdGluYXRp b24gTlBBIEFkZHJlc3MgRmllbGQgDQoNCiAgICAgICBUaGUgU05EVSBEZXN0aW5hdGlvbiBBZGRy ZXNzIEZpZWxkIGlzIG9wdGlvbmFsLiBUaGlzIGZpZWxkIGlzIA0KICAgICAgIE1VU1QgYmUgY2Fy cmllZCB3aGVuIGZpZWxkIEQgaXMgc2V0IHRvIDAgYW5kIG1heSBiZSBvbWl0dGVkIHdoZW4gDQog ICAgICAgRD0xIFszXS4gDQoNCiAgICAyLjIuNS4gVUxFLVNJRCBGaWVsZCANCg0KICAgICAgIEEg MzItYml0IHNlY3VyaXR5IGlkZW50aWZpZXIsIHRoZSBVTEUtU0lEIHNpbWlsYXIgdG8gdGhlIFNl Y3VyaXR5IA0KICAgICAgIFBhcmFtZXRlciBJbmRleCAoU1BJKSB1c2VkIGluIElQc2VjIGhhcyBi ZWVuIGFkZGVkIHRvIHVuaXF1ZWx5IA0KICAgICAgIGlkZW50aWZ5IHRoZSBzZWN1cmUgc2Vzc2lv bi4gVGhpcyBVTEUtU0lEIHdvdWxkIHJlcHJlc2VudCB0aGUgDQogICAgICAgc2VjdXJpdHkgYXNz b2NpYXRpb24gYmV0d2VlbiB0aGUgTVBFRy0yIHRyYW5zbWl0dGVyIGFuZCByZWNlaXZlciANCiAg ICAgICBmb3IgYSBwYXJ0aWN1bGFyIHNlc3Npb24gYW5kIHdpbGwgaW5kaWNhdGUgdGhlIGtleXMg YW5kIA0KICAgICAgIGFsZ29yaXRobXMgdXNlZCBmb3IgZW5jcnlwdGluZyB0aGUgZGF0YSBwYXls b2FkIGFuZCBjYWxjdWxhdGluZyANCiAgICAgICB0aGUgTUFDLiBUaGUgVUxFLVNJRCBjYW4gYmUg dXNlZCBieSBhIHJlY2VpdmVyIHRvIGZpbHRlciBQRFVzIA0KICAgICAgIGFsb25nIHdpdGggdGhl IE5QQSBhZGRyZXNzLiANCiAgICAgDQogICAgIA0KICAgIENydWlja3NoYW5rICAgICAgICAgICBF eHBpcmVzIERlY2VtYmVyIDIxLCAyMDA2ICAgICAgICAgICBbUGFnZSA4XSANCiAgICAgICAgDQoM ICAgIEludGVybmV0LURyYWZ0ICAgICAgICAgU2VjdXJpdHkgRXh0ZW5zaW9uIGZvciBVTEUgICAg ICBKdW5lIDIwMDYgDQogICAgICAgIA0KDQogICAgMi4yLjYuIFNlcXVlbmNlIE51bWJlciBGaWVs ZCANCg0KICAgICAgIEFuIG9wdGlvbmFsIDMyLWJpdCBzZXF1ZW5jZSBudW1iZXIgaGFzIGJlZW4g YWRkZWQgdG8gdGhlIFVMRSBTTkRVIA0KICAgICAgIHRvIHByZXZlbnQgcmVwbGF5IGF0dGFja3Mu IFRoZSBnYXRld2F5IHdvdWxkIG1vbm90b25pY2FsbHkgDQogICAgICAgaW5jcmVtZW50IHRoaXMg bnVtYmVyIHdoZW4gaXQgc2VuZHMgYSBwYWNrZXQgdG8gdGhlIHJlY2VpdmVyIGFuZCANCiAgICAg ICB0aGUgcmVjZWl2ZXIgd291bGQgdmVyaWZ5IHRoZSBjb3JyZWN0IHNlcXVlbmNlIG51bWJlci4g SWYgYW4gDQogICAgICAgYWR2ZXJzYXJ5IHRyaWVzIHRvIGluamVjdCBvciByZXBsYXkgb2xkIHBh Y2tldHMgdGhlIHNlcXVlbmNlIA0KICAgICAgIG51bWJlciB3b3VsZCBub3QgbWF0Y2guIFRoaXMg d291bGQgcmVzdWx0IGluIGRpc2NhcmRpbmcgdGhlIA0KICAgICAgIHBhY2tldC4gDQoNCiAgICAy LjIuNy4gTWVzc2FnZSBBdXRoZW50aWNhdGlvbiBDb2RlIChNQUMpIEZpZWxkIA0KDQogICAgICAg VG8gcHJvdmlkZSBib3RoIGRhdGEgb3JpZ2luIGF1dGhlbnRpY2F0aW9uIGFuZCBkYXRhIGludGVn cml0eSwgYSANCiAgICAgICBNZXNzYWdlIEF1dGhlbnRpY2F0aW9uIENvZGUgKE1BQykgaXMgdXNl ZCBpbiB0aGUgZXh0ZW5zaW9uIA0KICAgICAgIGhlYWRlci4gDQoNCiAgICAgICBUaGUgTUFDIGlz IGNhbGN1bGF0ZWQgb3ZlciB0aGUgc2VjdXJpdHkgZXh0ZW5zaW9uIGhlYWRlciBhbmQgdGhlIA0K ICAgICAgIGVuY3J5cHRlZCBkYXRhIHBheWxvYWQuIFRoZSByZWNlaXZlciB3b3VsZCBjYWxjdWxh dGUgdGhlIE1BQyBmb3IgDQogICAgICAgdGhlIHJlY2VpdmVkIHBhY2tldCBhbmQgY29tcGFyZSBp dCB3aXRoIHRoZSB0cmFuc21pdHRlZCB2YWx1ZS4gDQogICAgICAgVGhlIHR3byB3b3VsZCBub3Qg bWF0Y2ggaW4gb25seSAyIGNhc2VzLCBmaXJzdGx5IGVpdGhlciB0aGVyZSB3YXMgDQogICAgICAg YW4gZXJyb3IgZHVyaW5nIHByb2Nlc3Npbmcgb3IgdHJhbnNtaXNzaW9uIG92ZXIgdGhlIE1QRUct MiANCiAgICAgICBOZXR3b3JrLCBvciBzZWNvbmRseSB0aGUgcGFja2V0IGhhcyBub3QgYmVlbiBz ZW50IGZyb20gYW4gDQogICAgICAgYXV0aGVudGljYXRlZCBlbnRpdHkuIA0KDQogICAgICAgSW4g ZWl0aGVyIGNhc2UsIHRoZSBwYWNrZXQgc2hvdWxkIGJlIGRpc2NhcmRlZC4gIEhlbmNlIHRoZSBz YW1lIA0KICAgICAgIE1BQyBjYW4gYmUgdXNlZCBmb3IgZGF0YSBvcmlnaW4gYXV0aGVudGljYXRp b24gYW5kIHRvIHByb3ZpZGUgDQogICAgICAgZGF0YSBpbnRlZ3JpdHkgZm9yIHRyYW5zbWlzc2lv bi9wcm9jZXNzaW5nIGVycm9ycy4gDQoNCiAgICAyLjIuNy4xLiBUeXBlIEZpZWxkIA0KDQogICAg ICAgVGhpcyBzZWNvbmQgdHlwZSBmaWVsZCBkZW5vdGVzIHRoZSB0eXBlIG9mIHBhY2tldCB0aGF0 IGlzIA0KICAgICAgIGVuY3J5cHRlZCBhbmQgZW5jYXBzdWxhdGVkIGluIHRoZSBTZWN1cmUgVUxF IFNORFUuIA0KDQogICAgMi4yLjcuMi4gRW5jcnlwdGVkIFBEVSANCg0KICAgICAgIFRvIGFjaGll dmUgZGF0YSBjb25maWRlbnRpYWxpdHksIHRoZSB0cmFmZmljIGJldHdlZW4gdGhlIE1QRUctMiAN CiAgICAgICBUUyBUcmFuc21pdHRlciAoVUxFIEVuY2Fwc3VsYXRvcikgYW5kIFJlY2VpdmVyIG5l ZWRzIHRvIGJlIA0KICAgICAgIGVuY3J5cHRlZC4gIFRoZSBuZXR3b3JrIGxheWVyIFBEVXMgYXJl IGZpcnN0IGVuY3J5cHRlZCBhbmQgdGhlbiANCiAgICAgICBlbmNhcHN1bGF0ZWQgaW4gdGhlIFNl Y3VyZSBVTEUgU05EVS4gVGhlIHNlY3VyaXR5IGFzc29jaWF0aW9ucyANCiAgICAgICBiZXR3ZWVu IHRoZSB0d28gY29tbXVuaWNhdGluZyBwb2ludHMgd2lsbCBkZXNjcmliZSB0aGUgYWxnb3JpdGht cyANCiAgICAgICBhbmQga2V5cyB1c2VkIGZvciBlbmNyeXB0aW9uIHB1cnBvc2VzLiANCg0KICAg ICAgIFNlY3VyZSBVTEUgZG9lcyBub3QgaW1wb3NlIHRoZSB1c2Ugb2YgYW55IHNwZWNpZmljIGVu Y3J5cHRpb24gDQogICAgICAgYWxnb3JpdGhtIGFuZCBzaG91bGQgYmUgYWJsZSB0byBzdXBwb3J0 IHRoZSBjb21tb25seSB1c2VkIA0KICAgICAgIGFsZ29yaXRobXMgbGlrZSBERVMsIDNERVMgZXRj LiANCg0KICAgICAgICANCiAgICAgDQogICAgIA0KICAgIENydWlja3NoYW5rICAgICAgICAgICBF eHBpcmVzIERlY2VtYmVyIDIxLCAyMDA2ICAgICAgICAgICBbUGFnZSA5XSANCiAgICAgICAgDQoM ICAgIEludGVybmV0LURyYWZ0ICAgICAgICAgU2VjdXJpdHkgRXh0ZW5zaW9uIGZvciBVTEUgICAg ICBKdW5lIDIwMDYgDQogICAgICAgIA0KDQogICAgMi4zLiBUcmFuc21pdHRlciBQcm9jZXNzaW5n IA0KDQogICAgICAgVGhlIGZvbGxvd2luZyBwcm9jZWR1cmUgaXMgZm9sbG93ZWQgYXQgdGhlIGVu Y2Fwc3VsYXRvciBmb3IgDQogICAgICAgcHJvY2Vzc2luZyB0aGUgc2VjdXJpdHkgZXh0ZW5zaW9u IGhlYWRlciBmb3IgVUxFOiANCg0KICAgICAgIG8gVXBvbiByZWNlcHRpb24gb2YgdGhlIGhpZ2hl ciBsYXllciBQRFUsIHRoZSBTUEQgaXMgZmlyc3QgDQogICAgICAgICAgcXVlcmllZCB0byBjaGVj ayB0aGUgcG9saWN5IHRvIGJlIGFwcGxpZWQgdG8gdGhlIHBhY2tldC4gSWYgDQogICAgICAgICAg c2VjdXJpdHkgaXMgbmVlZGVkIHRoZW4gYW4gU0EgbXVzdCBleGlzdCBpbiB0aGUgU0FEICh0aGlz IGlzIA0KICAgICAgICAgIGRvbmUgYnkgdGhlIGtleSBtYW5hZ2VtZW50IHN5c3RlbSkuIFRoZSBw YXJhbWV0ZXJzIGFyZSANCiAgICAgICAgICByZXRyaWV2ZWQgZnJvbSB0aGUgU0FEIGFuZCB0aGUg UERVIGlzIGZpcnN0IGVuY3J5cHRlZCB1c2luZyANCiAgICAgICAgICB0aGUga2V5IGFuZCB0aGUg YWxnb3JpdGhtIGFzIGluZGljYXRlZCBpbiB0aGUgU0FEIA0KDQogICAgICAgbyBUaGUgaGVhZGVy IG9mIHRoZSBiYXNlIHByb3RvY29sIChhbmQgb3RoZXIgZXh0ZW5zaW9uIGhlYWRlcnMgDQogICAg ICAgICAgaWYgcHJlc2VudCkgd291bGQgYmUgYWRkZWQgdG8gdGhlIFNORFUuIA0KDQogICAgICAg byBUaGUgVUxFLVNJRCBmb3IgdGhlIHNlY3VyaXR5IGFzc29jaWF0aW9uIGJldHdlZW4gdGhlIA0K ICAgICAgICAgIHRyYW5zbWl0dGVyIGFuZCB0aGUgcmVjZWl2ZXIgd291bGQgYmUgYWRkZWQgbmV4 dC4gDQoNCiAgICAgICBvIFRoZSBTQUQgd291bGQgYmUgdXNlZCB0byBzZWUgaWYgdGhlIHNlcXVl bmNlIG51bWJlciBoYXMgdG8gYmUgDQogICAgICAgICAgYWRkZWQuIElmIHllcywgdGhlbiB0aGUg Y29ycmVzcG9uZGluZyBzZXF1ZW5jZSBudW1iZXIgaXMgYWRkZWQgDQogICAgICAgICAgdG8gdGhl IFNORFUuIA0KDQogICAgICAgbyBUaGUgU0FEIHdvdWxkIGFsc28gYmUgY2hlY2tlZCB0byBzZWUg aWYgdGhlIGRhdGEgb3JpZ2luIA0KICAgICAgICAgIGF1dGhlbnRpY2F0aW9uIGFuZCBkYXRhIGlu dGVncml0eSBoYXMgdG8gYmUgcHJvdmlkZWQuIElmIHllcywgDQogICAgICAgICAgdGhlbiB0aGUg TUFDIGhhcyB0byBiZSBjYWxjdWxhdGVkLiBUaGUgTUFDIGlzIGNhbGN1bGF0ZWQgb3ZlciANCiAg ICAgICAgICB0aGUgZW5jcnlwdGVkIFBEVSwgdGhlIFNlY3VyaXR5IGhlYWRlciBpLmUuIHRoZSBV TEUtU0lEIGFuZCANCiAgICAgICAgICB0aGUgU2VxdWVuY2UgTnVtYmVyIChpZiBwcmVzZW50KSBh bmQgdGhlIHNlY3JldCBrZXkuIFRoZSBNQUMgDQogICAgICAgICAgaXMgdGhlbiBhZGRlZCB0byB0 aGUgZXh0ZW5zaW9uIGhlYWRlciBpbiB0aGUgU05EVS4gDQoNCiAgICAgICBvIFRoZW4gdGhlIGVu Y3J5cHRlZCBoaWdoZXIgbGF5ZXIgUERVIGlzIGVuY2Fwc3VsYXRlZCB0byB0aGUgDQogICAgICAg ICAgU05EVS4gDQoNCiAgICAgICBvIEZpbmFsbHksIHRoZSBDUkMgaXMgY2FsY3VsYXRlZCBhcyBk ZWZpbmVkIGluIFNlY3Rpb24gNC42IG9mIA0KICAgICAgICAgIFJGQzQzMjYgWzNdIGFuZCBhZGRl ZC4gDQoNCiAgICAyLjQuIFJlY2VpdmVyIFByb2Nlc3NpbmcgDQoNCiAgICAgICBUaGUgZm9sbG93 aW5nIHByb2NlZHVyZSBpcyBmb2xsb3dlZCBhdCB0aGUgcmVjZWl2ZXIgZm9yIA0KICAgICAgIHBy b2Nlc3NpbmcgdGhlIHNlY3VyaXR5IGV4dGVuc2lvbiBoZWFkZXIgZm9yIFVMRTogDQoNCiAgICAg ICBvIFVwb24gcmVjZXB0aW9uIG9mIHRoZSBTZWN1cmUgVUxFIFNORFUsIHRoZSByZWNlaXZlciBt YXkgZmlyc3QgDQogICAgICAgICAgZmlsdGVyIHRoZSByZWNlaXZlZCBwYWNrZXRzIGFjY29yZGlu ZyB0byB0aGUgcmVjZWl2ZXIgDQogICAgICAgICAgZGVzdGluYXRpb24gTlBBIGFkZHJlc3MgKGlm IHByZXNlbnQpLiANCg0KICAgICAgIG8gVGhlIENSQyBpcyB2ZXJpZmllZCBhcyBkZWZpbmVkIGlu IFJGQzQzMjYgWzNdLiANCg0KICAgICAgIG8gSXQgd291bGQgdGhlbiB1c2UgdGhlIFVMRS1TSUQg dG8gb2J0YWluIHRoZSBzZWN1cml0eSANCiAgICAgDQogICAgIA0KICAgIENydWlja3NoYW5rICAg ICAgICAgICBFeHBpcmVzIERlY2VtYmVyIDIxLCAyMDA2ICAgICAgICAgICBbUGFnZSAxMF0gDQog ICAgICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAgICAgICAgIFNlY3VyaXR5IEV4dGVuc2lvbiBm b3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAgICAgICANCg0KICAgICAgICAgIGFzc29jaWF0aW9u cyBiZXR3ZWVuIHRoZSB0cmFuc21pdHRlciBhbmQgcmVjZWl2ZXIgYW5kIHJldHJpZXZlIA0KICAg ICAgICAgIHRoZSBkYXRhIGZyb20gdGhlIFNBRC4gIFdpdGggdGhpcyB0aGUgcmVjZWl2ZXIgd291 bGQga25vdyBpZiANCiAgICAgICAgICB0aGUgc2VxdWVuY2UgbnVtYmVyIGFuZCB0aGUgTUFDIGFy ZSBwcmVzZW50IG9yIG5vdC4gVGhpcyB3b3VsZCANCiAgICAgICAgICBhbHNvIGJlIHVzZWQgdG8g Z2V0IHRoZSBhbGdvcml0aG1zIGFuZCBrZXlzIHVzZWQgZm9yIGJvdGggDQogICAgICAgICAgZW5j cnlwdGlvbiBvZiB0aGUgZW5jYXBzdWxhdGVkIFBEVSBhbmQgZm9yIGdlbmVyYXRpb24gb2YgdGhl IA0KICAgICAgICAgIG1lc3NhZ2UgYXV0aGVudGljYXRpb24gY29kZS4gDQoNCiAgICAgICBvIEl0 IHdvdWxkIHRoZW4gdXNlIHRoZSBzZXF1ZW5jZSBudW1iZXIgZm9yIGZpbHRlcmluZyBvdXQgYW55 IA0KICAgICAgICAgIG91dCBvZi1zZXF1ZW5jZSBwYWNrZXRzLiANCg0KICAgICAgIG8gVGhlIG5l eHQgc3RlcCB3b3VsZCBiZSB0byBjaGVjayB0aGUgTUFDIHRvIHZlcmlmeSB0aGUgDQogICAgICAg ICAgYXV0aGVudGljaXR5IGFuZCBpbnRlZ3JpdHkgb2YgdGhlIHJlY2VpdmVkIHBhY2tldC4gIElm IHRoZSANCiAgICAgICAgICBjYWxjdWxhdGVkIE1BQyBkb2VzIG5vdCBtYXRjaCB0aGUgdHJhbnNt aXR0ZWQgTUFDLCB0aGVuIHRoZSANCiAgICAgICAgICBwYWNrZXQgaXMgZGlzY2FyZGVkLiANCg0K ICAgICAgIG8gRmluYWxseSB0aGUgZW5jYXBzdWxhdGVkIHBheWxvYWQgd2lsbCBiZSBkZWNyeXB0 ZWQuIA0KDQogICAgMy4gS2V5IEV4Y2hhbmdlIFByb2NlZHVyZSANCg0KICAgICAgIFRoaXMgc2Vj dGlvbiBkZXNjcmliZXMgdGhlIGtleSBleGNoYW5nZSBwcm9jZWR1cmUsIHVzZWQgdG8gDQogICAg ICAgaW5zdGFsbCBhbmQgbWFuYWdlIHRoZSBrZXlzIGF0IFJlY2VpdmVycy4gIFRoZXJlIGlzIGEg bmVlZCB0byANCiAgICAgICB0YWtlIGludG8gYWNjb3VudCB0aGUgdHdvIGNhc2VzIGRlc2NyaWJl ZCBpbiBbOV0sIGJvdGggDQogICAgICAgdW5pZGlyZWN0aW9uYWwgYW5kIGJpLWRpcmVjdGlvbmFs IHRyYW5zZmVycy4gIFRoZSBrZXkgbWFuYWdlbWVudCANCiAgICAgICBwcm9jZWR1cmVzIGFyZSBp bmRlcGVuZGVudCBmcm9tIHRoZSBVTEUgb3BlcmF0aW9ucy4gIER1cmluZyB0aGUgDQogICAgICAg a2V5IGV4Y2hhbmdlIHByb2NlZHVyZSwgdGhlIFVMRS1TSUQgd2lsbCBiZSBkZWZpbmVkLiANCg0K ICAgICAgIFRoZSBleGFjdCBkYXRhIGVuY3J5cHRpb24gYW5kIGRhdGEgaW50ZWdyaXR5IGNob2lj ZXMgYXJlIGxpbmtlZCANCiAgICAgICB0byB0aGUga2V5IG1hbmFnZW1lbnQgc3lzdGVtcyBpbiB1 c2UuIE9uZSBleGFtcGxlIGlzIHRoZSBzZWN1cml0eSANCiAgICAgICBzdWl0ZSAxIChkZWZpbmVk IGluIEdTQUtNUCBbNl0pLiBUaGlzIHVzZXMgQUVTIChDQkMgbW9kZSwgS2V5IA0KICAgICAgIExl bmd0aDogMTI4IGJpdHMpIGZvciBkYXRhIGVuY3J5cHRpb24gYW5kIERTUy1BU04xLURFUiBmb3Ig DQogICAgICAgZGlnaXRhbCBzaWduYXR1cmUgYW5kIFNIQS0xIGFzIHRoZSBIYXNoIGFsZ29yaXRo bS4gIE90aGVyIHN1aXRlcyANCiAgICAgICB3aWxsIGJlIGFkZGVkIGluIGZ1dHVyZSB2ZXJzaW9u cy4gDQoNCiAgICAgICBBIGRldGFpbGVkIGtleSBtYW5hZ2VtZW50IHN5c3RlbSBpcyBub3QgcHJl c2VudGVkIGluIHRoaXMgDQogICAgICAgZG9jdW1lbnQsIGJ1dCB0d28gYXBwcm9hY2hlcyBhcmUg b3V0bGluZWQuIA0KDQogICAgMy4xLiBJUHNlYyBLZXkgTWFuYWdlbWVudCBmb3IgTDIgDQoNCiAg ICAgICBFeGlzdGluZyBrZXkgbWFuYWdlbWVudCBzeXN0ZW1zIGNhbiBiZSB1c2VkIHN1Y2ggYXMg dGhlIE1TRUMga2V5IA0KICAgICAgIGV4Y2hhbmdlIHByb3RvY29scywgR0RPSSBhbmQgR1NBS01Q LiAgVGhlIGZvcm1hdCBvZiB0aGUgVUxFLVNJRCANCiAgICAgICB3aWxsIGJlIGlkZW50aWNhbCB0 byB0aGUgc2VjdXJpdHkgYXNzb2NpYXRpb24gYXMgZGVmaW5lZCBpbiBHRE9JIA0KICAgICAgIG9y IEdTQUtNUC4gVGhlIGluaXRpYWwga2V5IGV4Y2hhbmdlIGJldHdlZW4gdGhlIHNlY3VyaXR5IHNl cnZlciANCiAgICAgICAod2hpY2ggbWF5IHJlc2lkZSB3aXRoIHRoZSBOQ0MpIGFuZCB0aGUgVUxF IHJlY2VpdmVyIGNhbiBiZSANCiAgICAgICB0cmFuc3BvcnRlZCBlaXRoZXIgd2l0aGluIHRoZSBV TEUgbmV0d29yayBvciBtYXkgYmUgcGVyZm9ybWVkIGJ5IA0KICAgICAgIHNvbWUgb3RoZXIgbWVh bnMuICBUaGlzIGlzIGEgbWF0dGVyIG9mIHBvbGljeSBhbmQgYW4gYXJjaGl0ZWN0dXJlIA0KICAg ICAgIGRlY2lzaW9uLiBGb3IgZXhhbXBsZSwgZm9yIGJpLWRpcmVjdGlvbmFsIHRyYW5zZmVycyB0 aGUgd2hvbGUga2V5IA0KICAgICAgIGV4Y2hhbmdlIHByb2NlZHVyZXMgY291bGQgYmUgY2Fycmll ZCB3aXRoaW4gdGhlIFVMRSBuZXR3b3JrLCANCiAgICAgDQogICAgIA0KICAgIENydWlja3NoYW5r ICAgICAgICAgICBFeHBpcmVzIERlY2VtYmVyIDIxLCAyMDA2ICAgICAgICAgICBbUGFnZSAxMV0g DQogICAgICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAgICAgICAgIFNlY3VyaXR5IEV4dGVuc2lv biBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAgICAgICANCg0KICAgICAgIHdoaWxlIGZvciB1 bmlkaXJlY3Rpb25hbCB0cmFuc2ZlcnMsIHNvbWUgb3RoZXIgYmlkaXJlY3Rpb25hbCANCiAgICAg ICBjb25uZWN0aW9uIHNob3VsZCBiZSB1c2VkLiANCg0KICAgIDMuMi4gQWx0ZXJuYXRpdmUgS2V5 IE1hbmFnZW1lbnQgDQoNCiAgICAgICBUaGUgbWV0aG9kIGRlc2NyaWJlZCBoZXJlIGZvciBsaW5r IHNlY3VyaXR5IGNvdWxkIGJlIHVzZWQgd2l0aCANCiAgICAgICBhbHRlcm5hdGl2ZSBrZXkgbWFu YWdlbWVudCBzeXN0ZW1zIHdoZW4gdXNlZCBhcyBhIHBhcnQgb2YgYSANCiAgICAgICBzeXN0ZW0g dGhhdCBhbHJlYWR5IGltcGxlbWVudHMgYSBrZXkgbWFuYWdlbWVudCBpbmZyYXN0cnVjdHVyZSAN CiAgICAgICAoZS5nLiB0aGUgRFZCLVJDUyBzZWN1cml0eSBzeXN0ZW0gWzVdKS4gVGhlIGZvcm1h dCBvZiB0aGUgVUxFLVNJRCANCiAgICAgICB3aWxsIGJlIHRoZSBzYW1lIGZvcm1hdCBhcyBkZWZp bmVkIGluIERWQi1SQ1Mgc2VjdXJpdHkgDQogICAgICAgcHJvY2VkdXJlcy4gDQoNCiAgICA0LiBT ZWN1cmUgVUxFIFNORFUgZXhhbXBsZSANCg0KICAgICAgIFRoaXMgc2VjdGlvbiBzaG93cyB0aGUg VUxFIFNORFUgd2l0aCB0aGUgc2VjdXJpdHkgZXh0ZW5zaW9uIA0KICAgICAgIGhlYWRlciB3aGVu IElQIGRhdGFncmFtcyBhcmUgc2VjdXJlZCB1c2luZyBTZWN1cmUgVUxFLiANCg0KICAgICAgIDAg MSAyIDMgNCA1IDYgNyA4IDkgMCAxIDIgMyA0IDUgNiA3IDggOSAwIDEgMiAzIDQgNSA2IDcgOCA5 IDAgMSANCiAgICAgICArLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLSsgDQogICAgICAgfER8ICAgICAgTGVuZ3RoICgxNSBiaXRzKSAg ICAgIHwgICAgICAgVHlwZSA9IFMtVUxFICAgICAgICAgICB8IA0KICAgICAgICstKy0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKyANCiAg ICAgICB8ICAgICBUZW1wb3JhcnkgUmVjZWl2ZXIgRGVzdGluYXRpb24gTlBBIEFkZHJlc3MgKDQ4 IGJpdHMpICAgIHwgDQogICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICstLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rIA0KICAgICAgIHwgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICB8ICAgICAgVUxFX1NlY3VyaXR5X0lEICAgICAgICAgfCANCiAgICAgICArLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LSsgDQogICAgICAgfCAgICAgICBVTEVfU2VjdXJpdHlfSUQgICAgICAgIHwgICAgU2VxdWVuY2Ug TnVtLihPcHRpb25hbCkgICB8IA0KICAgICAgICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKyANCiAgICAgICB8ICBTZXF1ZW5jZSBO dW1iZXIgKE9wdGlvbmFsKSAgfCAgICAgICAgTUFDIChPcHRpb25hbCkgICAgICAgIHwgDQogICAg ICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0rIA0KICAgICAgIHwgICAgICAgIE1BQyAoT3B0aW9uYWwpICAgICAgICB8ICAgICBU eXBlID0gVHlwZSBvZiBJUHY0ICAgICAgfCANCiAgICAgICArLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsgDQogICAgICAgfCAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8 IA0KICAgICAgID0gICAgICAgICAgICAgICAgICAgRW5jcnlwdGVkIElQIERhdGFncmFtICAgICAg ICAgICAgICAgICAgICAgPSANCiAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgDQogICAgICAgKy0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rIA0KICAgICAg IHwgICAgICAgICAgICAgICBDeWNsaWMgUmVkdW5kYW5jeSBDb2RlICgzMiBiaXRzKSAgICAgICAg ICAgICAgfCANCiAgICAgICArLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsgDQogICAgICAgICAgICAgICAgICAgICAgIEZpZ3VyZSAy IFNlY3VyZSBVTEUgU05EVSB3aXRoIEQ9MCANCg0KICAgICAgIDAgMSAyIDMgNCA1IDYgNyA4IDkg MCAxIDIgMyA0IDUgNiA3IDggOSAwIDEgMiAzIDQgNSA2IDcgOCA5IDAgMSANCiAgICAgICArLSst LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LSsgDQogICAgICAgfDF8ICAgICAgTGVuZ3RoICgxNSBiaXRzKSAgICAgIHwgICAgICAgVHlwZSA9 IFMtVUxFICAgICAgICAgICB8IA0KICAgICAgICstKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKyANCiAgICAgICB8ICAgICAgICAgICAg ICAgICAgICAgVUxFX1NlY3VyaXR5X0lEICAgICAgICAgICAgICAgICAgICAgICAgIHwgDQogICAg ICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0rIA0KICAgICAgIHwgICAgICAgICAgICAgICAgICAgU2VxdWVuY2UgTnVtYmVyIChP cHRpb25hbCkgICAgICAgICAgICAgICAgfCANCiAgICAgICArLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsgDQogICAgIA0KICAgICAN CiAgICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhwaXJlcyBEZWNlbWJlciAyMSwgMjAwNiAgICAg ICAgICAgW1BhZ2UgMTJdIA0KICAgICAgICANCgwgICAgSW50ZXJuZXQtRHJhZnQgICAgICAgICBT ZWN1cml0eSBFeHRlbnNpb24gZm9yIFVMRSAgICAgIEp1bmUgMjAwNiANCiAgICAgICAgDQoNCiAg ICAgICB8ICAgICAgICAgIE1lc3NhZ2UgQXV0aGVudGljYXRpb24gQ29kZSAoT3B0aW9uYWwpICAg ICAgICAgICAgIHwgDQogICAgICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rIA0KICAgICAgIHwgICAgICAgICBUeXBlID0gSVB2 NCAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCANCiAgICAgICArLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IHwgDQogICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICB8IA0KICAgICAgID0gICAgICAgICAgICAgICAgICAgIEVuY3J5cHRl ZCBJUCBEYXRhZ3JhbSAgICAgICAgICAgICAgICAgICAgPSANCiAgICAgICB8ICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgDQogICAg ICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0rIA0KICAgICAgIHwgICAgICAgICAgICAgICAgICAgIEN5Y2xpYyBSZWR1bmRhbmN5 IENvZGUgICAgICAgICAgICAgICAgICAgfCANCiAgICAgICArLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsgDQogICAgICAgICAgICAg ICAgICAgICAgIEZpZ3VyZSAzIFNlY3VyZSBVTEUgU05EVSB3aXRoIEQ9MSANCg0KICAgIDUuIFNl Y3VyaXR5IENvbnNpZGVyYXRpb25zIA0KDQogICAgICAgTGluay1sZXZlbCAoTDIpIGVuY3J5cHRp b24gb2YgSVAgdHJhZmZpYyBpcyBjb21tb25seSB1c2VkIGluIA0KICAgICAgIGJyb2FkY2FzdC9y YWRpbyBsaW5rcyB0byBzdXBwbGVtZW50IEVuZC10by1FbmQgc2VjdXJpdHkgKGUuZy4gDQogICAg ICAgcHJvdmlkZWQgYnkgVExTLCBTU0gsIE9wZW4gUEdQLCBTL01JTUUsIElQc2VjKS4gIEEgY29t bW9uIA0KICAgICAgIG9iamVjdGl2ZSBpcyB0byBwcm92aWRlIHRoZSBzYW1lIGxldmVsIG9mIHBy aXZhY3kgYXMgdGVycmVzdHJpYWwgDQogICAgICAgbGlua3MuIFRoaXMgZG9jdW1lbnQgZGVmaW5l cyBhIG1ldGhvZCB0byBwcm92aWRlIG9wdGlvbmFsIGxpbmsgDQogICAgICAgZW5jcnlwdGlvbi4g VGhlIG1ldGhvZCBtYXkgYWxzbyBzdXBwb3J0IG9wdGlvbmFsIGxpbmsgbGV2ZWwgDQogICAgICAg aW50ZWdyaXR5IC8gYXV0aGVudGljYXRpb24gb2YgdGhlIFNORFUgcGF5bG9hZCBwbHVzIHNlcXVl bmNlIA0KICAgICAgIG51bWJlcnMgZm9yIGFudGktcmVwbGF5IGF0dGFja3MuIFRoaXMgaXMgcHJv dmlkZWQgaW4gYSBmbGV4aWJsZSANCiAgICAgICB3YXkgdXNpbmcgYSBVTEUgTWFuZGF0b3J5IEV4 dGVuc2lvbiBIZWFkZXIuICBUaGlzIGRlY291cGxlcyANCiAgICAgICBzcGVjaWZpY2F0aW9uIG9m IHRoZSBzZWN1cml0eSBmdW5jdGlvbnMgZnJvbSB0aGUgZW5jYXBzdWxhdGlvbiANCiAgICAgICBm dW5jdGlvbnMuIFRoaXMgbWV0aG9kIGFsc28gc3VwcG9ydHMgZW5jcnlwdGlvbiBvZiB0aGUgTlBB IA0KICAgICAgIGFkZHJlc3Nlcy4gVGhlIGVuY3J5cHRpb24gYW5kIGludGVncml0eSBhbGdvcml0 aG1zIGFyZSBzaW1pbGFyIHRvIA0KICAgICAgIHRoZSBvbmVzIHVzZWQgaW4gSVBzZWMvTVNFQyBw cm90b2NvbHMuIA0KDQogICAgNi4gSUFOQSBDb25zaWRlcmF0aW9ucyANCg0KICAgICAgIElBTkEg YWN0aW9uIGlzIHJlcXVpcmVkIHRvIGFzc2lnbiB0aGUgVHlwZSBmaWVsZCBmb3IgdGhlIHNlY3Vy aXR5IA0KICAgICAgIGV4dGVuc2lvbiBoZWFkZXIgKFNlY3Rpb24gMi4yLjMpLiANCg0KICAgIDcu IEFja25vd2xlZGdtZW50cyANCg0KICAgICAgIFRoZSBhdXRob3JzIGFja25vd2xlZGdlIHRoZSBo ZWxwIGFuZCBhZHZpY2UgZnJvbSBHb3JyeSBGYWlyaHVyc3QgDQogICAgICAgKFVuaXZlcnNpdHkg b2YgQWJlcmRlZW4pLCBTdGVwaGFuZSBDb29tYmVzIChFU0EpIGFuZCBZaW0gRnVuIEh1IA0KICAg ICAgIChVbml2ZXJzaXR5IG9mIEJyYWRmb3JkKSBpbiB0aGUgcHJlcGFyYXRpb24gb2YgdGhpcyBk cmFmdC4gDQoNCg0KDQoNCg0KDQoNCg0KICAgICANCiAgICAgDQogICAgQ3J1aWNrc2hhbmsgICAg ICAgICAgIEV4cGlyZXMgRGVjZW1iZXIgMjEsIDIwMDYgICAgICAgICAgIFtQYWdlIDEzXSANCiAg ICAgICAgDQoMICAgIEludGVybmV0LURyYWZ0ICAgICAgICAgU2VjdXJpdHkgRXh0ZW5zaW9uIGZv ciBVTEUgICAgICBKdW5lIDIwMDYgDQogICAgICAgIA0KDQogICAgOC4gUmVmZXJlbmNlcyANCg0K ICAgIDguMS4gTm9ybWF0aXZlIFJlZmVyZW5jZXMgDQoNCiAgICAgICBbMV0gIElTTy9JRUMgRElT IDEzODE4LTEsICJJbmZvcm1hdGlvbiB0ZWNobm9sb2d5IC0gR2VuZXJpYyANCiAgICAgICAgICAg ICBjb2RlaW5nIG9mIG1vdmluZyBwaWN0dXJlcyBhbmQgYXNzb2NpYXRlZCBhdWRpbyBpbmZvcm1h dGlvbiANCiAgICAgICAgICAgICAtIFBhcnQxOiBTeXN0ZW1zIiwgSW50ZXJuYXRpb25hbCBTdGFu ZGFyZHMgT3JnYW5pc2F0aW9uIA0KICAgICAgICAgICAgIChJU08pICANCg0KICAgICAgIFsyXSAg QnJhZG5lciwgUy4sICJLZXkgd29yZHMgZm9yIHVzZSBpbiBSRkNzIHRvIEluZGljYXRlIA0KICAg ICAgICAgICAgIFJlcXVpcmVtZW50IExldmVscyIsIEJDUCAxNCwgUkZDIDIxMTksIE1hcmNoIDE5 OTcuIA0KDQogICAgICAgWzNdICBGYWlyaHVyc3QsIEcuIGFuZCBCLiBDb2xsaW5pLU5vY2tlciwg IlVuaWRpcmVjdGlvbmFsIA0KICAgICAgICAgICAgIExpZ2h0d2VpZ2h0IEVuY2Fwc3VsYXRpb24g KFVMRSkgZm9yIFRyYW5zbWlzc2lvbiBvZiBJUCANCiAgICAgICAgICAgICBEYXRhZ3JhbXMgb3Zl ciBhbiBNUEVHLTIgVHJhbnNwb3J0IFN0cmVhbXMiLCBSRkMgNDMyNiwgDQogICAgICAgICAgICAg RGVjZW1iZXIgMjAwNS4gDQoNCiAgICA4LjIuIEluZm9ybWF0aXZlIFJlZmVyZW5jZXMgDQoNCiAg ICAgICBbNF0gICJEaWdpdGFsIFZpZGVvIEJyb2FkY2FzdGluZyAoRFZCKTogRFZCIFNwZWNpZmlj YXRpb25zIGZvciANCiAgICAgICAgICAgICBEYXRhIEJyb2FkY2FzdGluZyIsIEVUU0kgRU4gMzAx IDE5MiB2MS4zLjEsIDIwMDMuIA0KDQogICAgICAgWzVdICAiRGlnaXRhbCBWaWRlbyBCcm9hZGNh c3RpbmcgKERWQik6IEludGVyYWN0aW9uIENoYW5uZWwgZm9yIA0KICAgICAgICAgICAgIHNhdGVs bGl0ZSBkaXN0cmlidXRpb24gc3lzdGVtcyIsIEVUU0kgRU4gMzAxIDc5MCB2MS40LjEsIA0KICAg ICAgICAgICAgIDIwMDUuIA0KDQogICAgICAgWzZdICBIYXJuZXksIEguLCBNZXRoLCBVLiwgQ29s ZWdyb3ZlLCBBLiwgYW5kIEcuIEdyb3NzLCAiR1NBS01QOiANCiAgICAgICAgICAgICBHcm91cCBT ZWN1cmUgQXNzb2NpYXRpb24gS2V5IE1hbmFnZW1lbnQgUHJvdGNvbCIsIElFVEYgDQogICAgICAg ICAgICAgZHJhZnQgKHdvcmsgaW4gcHJvZ3Jlc3MpLCBNYXkgMjAwNS4gDQoNCiAgICAgICBbN10g IEtlbnQsIFMuIGFuZCBSLiBBdGtpbnNvbiwgIlNlY3VyaXR5IEFyY2hpdGVjdHVyZSBmb3IgdGhl IA0KICAgICAgICAgICAgIEludGVybmV0IFByb3RvY29sIiwgUkZDIDI0MDEsIE5vdmVtYmVyIDE5 OTguIA0KDQogICAgICAgWzhdICBCYXVnaGVyLCBNLiwgV2VpcywgQi4sIEhhcmRqb25vLCBULiwg YW5kIEguIEhhcm5leSwgIlRoZSANCiAgICAgICAgICAgICBHcm91cCBEb21haW4gb2YgSW50ZXJw cmV0YXRpb24iLCBSRkMgMzU0NywgSnVseSAyMDAzLiANCg0KICAgICAgIFs5XSAgTW9udHBldGl0 LCBNLiwgRmFpcmh1cnN0LCBHLiwgQ2xhdXNlbiwgSC4sIENvbGxpbmktTm9ja2VyLCANCiAgICAg ICAgICAgICBCLiwgYW5kIEguIExpbmRlciwgIkEgRnJhbWV3b3JrIGZvciBUcmFuc21pc3Npb24g b2YgSVAgDQogICAgICAgICAgICAgRGF0YWdyYW1zIG92ZXIgTVBFRy0yIE5ldHdvcmtzIiwgUkZD IDQyNTksIE5vdmVtYmVyIDIwMDUuIA0KDQogICAgICAgWzEwXSBodHRwOi8vd3d3LmlldGYub3Jn L2h0bWwuY2hhcnRlcnMvdGxzLWNoYXJ0ZXIuaHRtbCANCg0KDQoNCg0KDQoNCiAgICAgDQogICAg IA0KICAgIENydWlja3NoYW5rICAgICAgICAgICBFeHBpcmVzIERlY2VtYmVyIDIxLCAyMDA2ICAg ICAgICAgICBbUGFnZSAxNF0gDQogICAgICAgIA0KDCAgICBJbnRlcm5ldC1EcmFmdCAgICAgICAg IFNlY3VyaXR5IEV4dGVuc2lvbiBmb3IgVUxFICAgICAgSnVuZSAyMDA2IA0KICAgICAgICANCg0K ICAgIEF1dGhvcidzIEFkZHJlc3NlcyANCg0KICAgICAgIEhhaXRoYW0gQ3J1aWNrc2hhbmsgICAg DQogICAgICAgQ2VudHJlIGZvciBDb21tdW5pY2F0aW9ucyBTeXN0ZW0gUmVzZWFyY2ggKENDU1Ip ICAgIA0KICAgICAgIFVuaXZlcnNpdHkgb2YgU3VycmV5ICAgDQogICAgICAgR3VpbGRmb3JkLCBT dXJyZXksIEdVMiA3WEggICAgDQogICAgICAgVUsgICAgDQogICAgICAgRW1haWw6IGguY3J1aWNr c2hhbmtAc3VycmV5LmFjLnVrICAgIA0KICAgICAgICAgDQogICAgICAgUHJhc2hhbnQgUGlsbGFp ICAgIA0KICAgICAgIE1vYmlsZSBhbmQgU2F0ZWxsaXRlIENvbW11bmljYXRpb25zIFJlc2VhcmNo IENlbnRyZSANCiAgICAgICBTY2hvb2wgb2YgRW5naW5lZXJpbmcsIERlc2lnbiBhbmQgVGVjaG5v bG9neSANCiAgICAgICBVbml2ZXJzaXR5IG9mIEJyYWRmb3JkICAgDQogICAgICAgUmljaG1vbmQg Um9hZCwgQnJhZGZvcmQgQkQ3IDFEUCAgICANCiAgICAgICBVSyAgICANCiAgICAgICBFbWFpbDog cC5waWxsYWlAYnJhZGZvcmQuYWMudWsgDQogICAgICAgIA0KICAgICAgIFN1bmlsIEl5ZW5nYXIg ICAgDQogICAgICAgQ2VudHJlIGZvciBDb21tdW5pY2F0aW9ucyBTeXN0ZW0gUmVzZWFyY2ggKEND U1IpICAgIA0KICAgICAgIFVuaXZlcnNpdHkgb2YgU3VycmV5ICAgDQogICAgICAgR3VpbGRmb3Jk LCBTdXJyZXksIEdVMiA3WEggICAgDQogICAgICAgVUsgICAgDQogICAgICAgRW1haWw6IFMuSXll bmdhckBzdXJyZXkuYWMudWsgIA0KICAgICAgICANCiAgICAgICBMYXVyZW5jZSBEdXF1ZXJyb3kg ICAgDQogICAgICAgUmVzZWFyY2ggRGVwYXJ0bWVudC9BZHZhbmNlZCBUZWxlY29tIFNhdGVsbGl0 ZSBTeXN0ZW1zICAgDQogICAgICAgQWxjYXRlbCBTcGFjZSwgVG91bG91c2UgICANCiAgICAgICBG cmFuY2UgICANCiAgICAgICBFLU1haWw6IExhdXJlbmNlLkR1cXVlcnJveUBzcGFjZS5hbGNhdGVs LmZyIA0KICAgICAgICANCg0KICAgIEludGVsbGVjdHVhbCBQcm9wZXJ0eSBTdGF0ZW1lbnQgDQoN CiAgICAgICBUaGUgSUVURiB0YWtlcyBubyBwb3NpdGlvbiByZWdhcmRpbmcgdGhlIHZhbGlkaXR5 IG9yIHNjb3BlIG9mIGFueSANCiAgICAgICBJbnRlbGxlY3R1YWwgUHJvcGVydHkgUmlnaHRzIG9y IG90aGVyIHJpZ2h0cyB0aGF0IG1pZ2h0IGJlIA0KICAgICAgIGNsYWltZWQgdG8gcGVydGFpbiB0 byB0aGUgaW1wbGVtZW50YXRpb24gb3IgdXNlIG9mIHRoZSB0ZWNobm9sb2d5IA0KICAgICAgIGRl c2NyaWJlZCBpbiB0aGlzIGRvY3VtZW50IG9yIHRoZSBleHRlbnQgdG8gd2hpY2ggYW55IGxpY2Vu c2UgDQogICAgICAgdW5kZXIgc3VjaCByaWdodHMgbWlnaHQgb3IgbWlnaHQgbm90IGJlIGF2YWls YWJsZTsgbm9yIGRvZXMgaXQgDQogICAgICAgcmVwcmVzZW50IHRoYXQgaXQgaGFzIG1hZGUgYW55 IGluZGVwZW5kZW50IGVmZm9ydCB0byBpZGVudGlmeSBhbnkgDQogICAgICAgc3VjaCByaWdodHMu ICBJbmZvcm1hdGlvbiBvbiB0aGUgcHJvY2VkdXJlcyB3aXRoIHJlc3BlY3QgdG8gDQogICAgICAg cmlnaHRzIGluIFJGQyBkb2N1bWVudHMgY2FuIGJlIGZvdW5kIGluIEJDUCA3OCBhbmQgQkNQIDc5 LiANCg0KICAgICAgIENvcGllcyBvZiBJUFIgZGlzY2xvc3VyZXMgbWFkZSB0byB0aGUgSUVURiBT ZWNyZXRhcmlhdCBhbmQgYW55IA0KICAgICAgIGFzc3VyYW5jZXMgb2YgbGljZW5zZXMgdG8gYmUg bWFkZSBhdmFpbGFibGUsIG9yIHRoZSByZXN1bHQgb2YgYW4gDQogICAgICAgYXR0ZW1wdCBtYWRl IHRvIG9idGFpbiBhIGdlbmVyYWwgbGljZW5zZSBvciBwZXJtaXNzaW9uIGZvciB0aGUgDQogICAg ICAgdXNlIG9mIHN1Y2ggcHJvcHJpZXRhcnkgcmlnaHRzIGJ5IGltcGxlbWVudGVycyBvciB1c2Vy cyBvZiB0aGlzIA0KDQogICAgIA0KICAgICANCiAgICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhw aXJlcyBEZWNlbWJlciAyMSwgMjAwNiAgICAgICAgICAgW1BhZ2UgMTVdIA0KICAgICAgICANCgwg ICAgSW50ZXJuZXQtRHJhZnQgICAgICAgICBTZWN1cml0eSBFeHRlbnNpb24gZm9yIFVMRSAgICAg IEp1bmUgMjAwNiANCiAgICAgICAgDQoNCiAgICAgICBzcGVjaWZpY2F0aW9uIGNhbiBiZSBvYnRh aW5lZCBmcm9tIHRoZSBJRVRGIG9uLWxpbmUgSVBSIA0KICAgICAgIHJlcG9zaXRvcnkgYXQgaHR0 cDovL3d3dy5pZXRmLm9yZy9pcHIuIA0KDQogICAgICAgVGhlIElFVEYgaW52aXRlcyBhbnkgaW50 ZXJlc3RlZCBwYXJ0eSB0byBicmluZyB0byBpdHMgYXR0ZW50aW9uIA0KICAgICAgIGFueSBjb3B5 cmlnaHRzLCBwYXRlbnRzIG9yIHBhdGVudCBhcHBsaWNhdGlvbnMsIG9yIG90aGVyIA0KICAgICAg IHByb3ByaWV0YXJ5IHJpZ2h0cyB0aGF0IG1heSBjb3ZlciB0ZWNobm9sb2d5IHRoYXQgbWF5IGJl IHJlcXVpcmVkIA0KICAgICAgIHRvIGltcGxlbWVudCB0aGlzIHN0YW5kYXJkLiAgUGxlYXNlIGFk ZHJlc3MgdGhlIGluZm9ybWF0aW9uIHRvIA0KICAgICAgIHRoZSBJRVRGIGF0IGlldGYtaXByQGll dGYub3JnLiANCg0KICAgIERpc2NsYWltZXIgb2YgVmFsaWRpdHkgDQoNCiAgICAgICBUaGlzIGRv Y3VtZW50IGFuZCB0aGUgaW5mb3JtYXRpb24gY29udGFpbmVkIGhlcmVpbiBhcmUgcHJvdmlkZWQg DQogICAgICAgb24gYW4gIkFTIElTIiBiYXNpcyBhbmQgVEhFIENPTlRSSUJVVE9SLCBUSEUgT1JH QU5JWkFUSU9OIEhFL1NIRSANCiAgICAgICBSRVBSRVNFTlRTIE9SIElTIFNQT05TT1JFRCBCWSAo SUYgQU5ZKSwgVEhFIElOVEVSTkVUIFNPQ0lFVFkgQU5EIA0KICAgICAgIFRIRSBJTlRFUk5FVCBF TkdJTkVFUklORyBUQVNLIEZPUkNFIERJU0NMQUlNIEFMTCBXQVJSQU5USUVTLCANCiAgICAgICBF WFBSRVNTIE9SIElNUExJRUQsIElOQ0xVRElORyBCVVQgTk9UIExJTUlURUQgVE8gQU5ZIFdBUlJB TlRZIA0KICAgICAgIFRIQVQgVEhFIFVTRSBPRiBUSEUgSU5GT1JNQVRJT04gSEVSRUlOIFdJTEwg Tk9UIElORlJJTkdFIEFOWSANCiAgICAgICBSSUdIVFMgT1IgQU5ZIElNUExJRUQgV0FSUkFOVElF UyBPRiBNRVJDSEFOVEFCSUxJVFkgT1IgRklUTkVTUyANCiAgICAgICBGT1IgQSBQQVJUSUNVTEFS IFBVUlBPU0UuIA0KDQogICAgQ29weXJpZ2h0IFN0YXRlbWVudCANCg0KICAgICAgIENvcHlyaWdo dCAoQykgVGhlIEludGVybmV0IFNvY2lldHkgKDIwMDYpLiANCg0KICAgICAgIFRoaXMgZG9jdW1l bnQgaXMgc3ViamVjdCB0byB0aGUgcmlnaHRzLCBsaWNlbnNlcyBhbmQgcmVzdHJpY3Rpb25zIA0K ICAgICAgIGNvbnRhaW5lZCBpbiBCQ1AgNzgsIGFuZCBleGNlcHQgYXMgc2V0IGZvcnRoIHRoZXJl aW4sIHRoZSBhdXRob3JzIA0KICAgICAgIHJldGFpbiBhbGwgdGhlaXIgcmlnaHRzLiANCg0KICAg ICAgICANCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQogICAgIA0KICAgICANCiAg ICBDcnVpY2tzaGFuayAgICAgICAgICAgRXhwaXJlcyBEZWNlbWJlciAyMSwgMjAwNiAgICAgICAg ICAgW1BhZ2UgMTZdIA0KICAgICAgICANCgw= ------_=_NextPart_001_01C69767.91A542A3-- From owner-ipdvb@erg.abdn.ac.uk Sat Jun 24 05:14:09 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fu4DR-0006Bn-6d for ipdvb-archive@ietf.org; Sat, 24 Jun 2006 05:14:09 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fu4DN-0005Th-SU for ipdvb-archive@ietf.org; Sat, 24 Jun 2006 05:14:09 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5O90owc017229 for ; Sat, 24 Jun 2006 10:00:50 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5O90org017228 for ipdvb-subscribed-users; Sat, 24 Jun 2006 10:00:50 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from ads40.surrey.ac.uk (ads40.surrey.ac.uk [131.227.102.140]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5O90c4Z017210; Sat, 24 Jun 2006 10:00:38 +0100 (BST) Received: from EVS-EC1-NODE1.surrey.ac.uk ([131.227.102.136]) by ads40.surrey.ac.uk with Microsoft SMTPSVC(6.0.3790.1830); Sat, 24 Jun 2006 10:00:33 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C6976C.A6796C0D" Subject: RE: Security-Requirements: alternatives? Date: Sat, 24 Jun 2006 10:00:33 +0100 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security-Requirements: alternatives? Thread-Index: AcaWCSTQqvFxBaMJR52aksYGDj5i3gAHCBCAAAIqs7AATokj0A== From: To: , , , , X-OriginalArrivalTime: 24 Jun 2006 09:00:33.0873 (UTC) FILETIME=[A6E20410:01C6976C] X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.3 (/) X-Scan-Signature: 85e99493ec37f9acef29c7843dbf2e68 This is a multi-part message in MIME format. ------_=_NextPart_001_01C6976C.A6796C0D Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi Art, =20 Many thanks for your input: =20 ******************** * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. ******************* =20 I completely agree with you that A/70A (Conditional Access System for = Terrestrial Broadcast, Revision A) can interwork with ULE, where = encryption is based on PIDs, which sometimes means bundling many IP = flows with one PID. In our draft (ULE requirements), we aim for more = fine grain security and securing every IP flow individually and try to = re-use existing work in the IETF on key management. =20 Accidentally reading through A/70A, it looks much better than the DVB = Conditional Access. I personally do not have much faith in DVB = Conditional Access (DVB CA): You might probably know that DVB CA has = been surrounded by controversy for many years due to the spread of = counterfeit smart cards. For example, in late 1999, Italy was flooded = with cheap counterfeit cards that enabled viewers use Canal Plus for = free. In March 2002 Canal Plus Group filed a lawsuit against NDS = Group, accusing it of cracking its digital television smart cards and = putting the confidential information on the Internet. Since then, I = have not seen any major changes in DVB CA to cater for these challenges. = =20 Haitham ---- Dr. Haitham S. Cruickshank=20 Lecturer=20 Communications Centre for Communication Systems Research (CCSR)=20 School of Electronics, Computing and Mathematics=20 University of Surrey, Guildford, Surrey GU2 7XH, UK=20 =20 Tel: +44 1483 686007 (indirect 689844)=20 Fax: +44 1483 686011=20 e-mail: H.Cruickshank@surrey.ac.uk=20 http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=20 ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Thu 22/06/2006 20:02 To: ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr (CCSR); = P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? See below. _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Thursday, June 22, 2006 2:09 PM To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Gorry, This issue has been addressed in the security draft. Some text has been added to section 5.1 to this effect: Basically, in practice there are not many L2 security systems for MPEG transmission networks. Two major examples are: * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. * Some other L2 security systems are specified in standards such the MPE for DVB system . However, MPE security incomplete and there are no known implementations of such security system. * For DVB-S2 Generic Streams, where IP encapsulation could be similar to ULE. The authors believe that ULE security format can be used for Generic Streams as well. We would like to ask the ipdvb WG if anybody knows any other existing L2 security systems that might be suitable for ULE. AA> See ATSC A/70A for ULE when sent in conformance with ATSC Standards. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: 22 June 2006 15:37 To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? Haitham, I-D Authors, List, One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? Thanks, Gorry ------_=_NextPart_001_01C6976C.A6796C0D Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable =0A= =0A= =0A= =0A= =0A= =0A= RE: Security-Requirements: alternatives?=0A= =0A= =0A=
=0A=
Hi =0A= Art,
=0A=
 
=0A=
Many thanks for your input:
=0A=
 
=0A=
********************
=0A=
* Conditional access for digital TV = broadcasting is =0A= one example that
exists today.  This system is optimised for TV =0A= broadcast services only,
and is not suitable for IP packet = transmissions and =0A= difficult to
interwork with ULE.
AA> See ATSC A/70A. I strongly =0A= disagree with assertion about the
difficulty to interwork with ULE. = The ULE =0A= can be put in a virtual
channel in the ATSC system and the standard = directly =0A= applied.
*******************
=0A=
 
=0A=
I completely agree with you that  A/70A (Conditional = Access =0A= System for Terrestrial Broadcast, Revision A) can interwork with ULE, = where =0A= encryption is based on PIDs, which sometimes means bundling many IP = flows with =0A= one PID.  In our draft (ULE requirements), we aim for more fine = grain =0A= security and securing every IP flow individually and try to re-use = existing =0A= work in the IETF on key management.
=0A=
 
=0A=
Accidentally reading through A/70A, it looks much better = than =0A= the  DVB Conditional Access.  I personally do not have much faith in DVB Conditional Access (DVB CA): You might = probably know =0A= that DVB CA has =0A= been surrounded by controversy for many years due to the spread of = counterfeit =0A= smart cards.  For example, = in late =0A= 1999, Italy was flooded with = cheap =0A= counterfeit cards that enabled viewers use Canal Plus for free.  In March 2002 Canal Plus Group = filed =0A= a  lawsuit against NDS Group, accusing it of cracking its digital =0A= television smart cards and putting the confidential information on the =0A= Internet.  Since then, I have not seen any major changes in = DVB = CA to cater for these =0A= challenges. 
=0A=
 
=0A=
Haitham
=0A=
=0A=
=0A=
----
=0A=
Dr. Haitham S. =0A= Cruickshank
=0A=
Lecturer =0A=
=0A=
Communications =0A= Centre for Communication Systems Research (CCSR)
=0A=
School of =0A= Electronics, Computing and Mathematics
=0A=
University of =0A= Surrey, Guildford, =0A= Surrey GU2 7XH, =0A= UK
=0A=
 
=0A=
Tel: +44 1483 =0A= 686007 (indirect 689844)
=0A=
Fax: +44 1483 =0A= 686011
=0A=
e-mail: H.Cruickshank@surrey.ac.uk
=0A=
http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ =0A=
=0A=

=0A=
=0A= From: owner-ipdvb@erg.abdn.ac.uk on = behalf of =0A= Allison, Art
Sent: Thu 22/06/2006 20:02
To: =0A= ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr (CCSR); =0A= P.Pillai@Bradford.ac.uk
Subject: RE: Security-Requirements: =0A= alternatives?

=0A=
=0A=

See below.


_____________
Art = Allison
Director, =0A= Advanced Engineering
Science & Technology
National Association = of =0A= Broadcasters
1771 N Street, NW
Washington, D.C. 20036
Phone: =0A= 202.429.5418
Fax: 202.777.4981
aallison@nab.org

The = National =0A= Association of Broadcasters is a trade association that
advocates on = behalf =0A= of more than 8,300 free, local radio and television
stations and also =0A= broadcast networks before Congress, the Federal
Communications = Commission and =0A= the Courts.

-----Original Message-----
From: =0A= owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac= .uk] =0A= On
Behalf Of H.Cruickshank@surrey.ac.uk
Sent: Thursday, June 22, = 2006 2:09 =0A= PM
To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; =0A= S.Iyengar@surrey.ac.uk;
P.Pillai@Bradford.ac.uk
Subject: RE: =0A= Security-Requirements: alternatives?

 Hi Gorry,

This = issue =0A= has been addressed in the security draft.   Some text = has
been =0A= added to section 5.1 to this effect:

Basically, in practice there = are not =0A= many L2 security systems for MPEG
transmission networks.  Two = major =0A= examples are:

* Conditional access for digital TV broadcasting is = one =0A= example that
exists today.  This system is optimised for TV = broadcast =0A= services only,
and is not suitable for IP packet transmissions and = difficult =0A= to
interwork with ULE.
AA> See ATSC A/70A. I strongly disagree = with =0A= assertion about the
difficulty to interwork with ULE. The ULE can be = put in a =0A= virtual
channel in the ATSC system and the standard directly =0A= applied.

* Some other L2 security systems are specified in = standards such =0A= the MPE
for DVB system . However, MPE security incomplete and there = are no =0A= known
implementations of such security system.

* For DVB-S2 = Generic =0A= Streams, where IP encapsulation could be similar to
ULE. The authors = believe =0A= that ULE security format can be used for
Generic Streams as = well.

We =0A= would like to ask the ipdvb WG if anybody knows any other existing =0A= L2
security systems that might be suitable for ULE.

AA> See = ATSC =0A= A/70A for ULE when sent in conformance with ATSC =0A= Standards.

Haitham
----

Dr. Haitham S. =0A= Cruickshank

Lecturer
Communications Centre for Communication = Systems =0A= Research (CCSR) School
of Electronics, Computing and Mathematics = University =0A= of Surrey,
Guildford, Surrey GU2 7XH, UK

Tel: +44 1483 686007 =0A= (indirect 689844)
Fax: +44 1483 686011
e-mail: =0A= H.Cruickshank@surrey.ac.uk
http://www.ee= .surrey.ac.uk/Personal/H.Cruickshank/



-----Original =0A= Message-----
From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk]
= Sent: 22 =0A= June 2006 15:37
To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; = Iyengar S =0A= Mr (CCSR);
P.Pillai@Bradford.ac.uk
Subject: Security-Requirements: =0A= alternatives?

Haitham, I-D Authors, List,

One of the = issues we =0A= need to be clear about in preparing for a WG
adoption of the security =0A= requirements I-D is the possible alternatives
that have been =0A= proposed/implemented in other standards organisations.

Could you =0A= summarise the methods that have been proposed for MPEG-2
transmission =0A= networks that provide equivalent L2 security functions, and
say which = to your =0A= knowledge has actually have been implemented =0A= in
systems?

Thanks,

Gorry



=0A= =0A= =0A= ------_=_NextPart_001_01C6976C.A6796C0D-- From owner-ipdvb@erg.abdn.ac.uk Mon Jun 26 07:52:02 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FupdK-0001vx-Ar for ipdvb-archive@ietf.org; Mon, 26 Jun 2006 07:52:02 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FupdH-0001DH-Fj for ipdvb-archive@ietf.org; Mon, 26 Jun 2006 07:52:02 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5QBfisN002330 for ; Mon, 26 Jun 2006 12:41:44 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5QBfit5002329 for ipdvb-subscribed-users; Mon, 26 Jun 2006 12:41:44 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from ads40.surrey.ac.uk (ads40.surrey.ac.uk [131.227.102.140]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5QBfZlp002311 for ; Mon, 26 Jun 2006 12:41:36 +0100 (BST) Received: from EVS-EC1-NODE1.surrey.ac.uk ([131.227.102.136]) by ads40.surrey.ac.uk with Microsoft SMTPSVC(6.0.3790.1830); Mon, 26 Jun 2006 12:41:31 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C69915.778BF2D7" Subject: RE: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (enclosed) Date: Mon, 26 Jun 2006 12:40:37 +0100 Message-ID: <018160DBE8D48349A0CABF4424C3DC21AAD3A2@EVS-EC1-NODE1.surrey.ac.uk> X-MS-Has-Attach: X-MS-TNEF-Correlator: <018160DBE8D48349A0CABF4424C3DC21AAD3A2@EVS-EC1-NODE1.surrey.ac.uk> Thread-Topic: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (enclosed) Thread-Index: AcaWnFonLma3I8cUQt2QxPhUWN3EFAAybClLAGvTOb0= From: To: X-OriginalArrivalTime: 26 Jun 2006 11:41:31.0202 (UTC) FILETIME=[77ECFA20:01C69915] X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.2 (/) X-Scan-Signature: 21be852dc93f0971708678c18d38c096 This is a multi-part message in MIME format. ------_=_NextPart_001_01C69915.778BF2D7 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi Haitham,=0A= What is satnex II cost code.=0A= =20=0A= Thanks=0A= Sunny=0A= =20=0A= =20=0A= ***********************************************************=0A= Sunil Iyengar,=0A= Research Fellow, Networks Group,=0A= Centre For Communication And Systems Research(CCSR),=0A= School of Electronics, Computing & Mathematics,=0A= University Of Surrey, Guildford GU2 7XH,=0A= Surrey, England, United Kingdom.=0A= Office: +44 (0)1483 686008=0A= ***********************************************************=0A= =0A= =0A= ________________________________=0A= =0A= From: owner-ipdvb@erg.abdn.ac.uk on behalf of H.Cruickshank@surrey.ac.uk=0A= Sent: Sat 24/06/2006 09:24=0A= To: ipdvb@erg.abdn.ac.uk=0A= Subject: FW: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (en= closed)=0A= =0A= =0A= Dear ipdvb WG,=0A= =20=0A= Gorry has kindly submitted for our the Internet draft on security extension= s to ULE(version 2) .=0A= =20=0A= This draft complements the ULE security requirements that was posted recent= ly. The main focus of the security extension is defining the header format= to carry secure data over ULE.=20=20=0A= =20=0A= We (the authors) feel this work fits well to the ipdvb current activity. M= any security related issues such as key management and security algorithm a= re borrowed from existing work in IPsec and MSEC groups. The main focus of= this draft is the ULE header format for security.=0A= =20=0A= Haitham=20=20=0A= =20=0A= ----=0A= Dr. Haitham S. Cruickshank=20=0A= Lecturer=20=0A= Communications Centre for Communication Systems Research (CCSR)=20=0A= School of Electronics, Computing and Mathematics=20=0A= University of Surrey, Guildford, Surrey GU2 7XH, UK=20=0A= =20=0A= Tel: +44 1483 686007 (indirect 689844)=20=0A= Fax: +44 1483 686011=20=0A= e-mail: H.Cruickshank@surrey.ac.uk=20=0A= http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=20=0A= =0A= ________________________________=0A= =0A= From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk]=0A= Sent: Fri 23/06/2006 09:11=0A= To: Internet-Drafts Administrator=0A= Cc: Cruickshank HS Dr (CCSR)=0A= Subject: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (enclos= ed)=0A= =0A= =0A= =0A= =0A= On behalf of the authors, I wish to submit the enclosed draft:=0A= =0A= Security Extension for Unidirectional Lightweight Encapsulation=0A= Protocol =0A= =0A= Best wishes,=0A= =0A= Gorry=0A= =0A= =0A= =0A= =0A= =0A= ------_=_NextPart_001_01C69915.778BF2D7 Content-Type: text/plain; name="msg-25512-61.txt" Content-Disposition: attachment; filename="msg-25512-61.txt" Content-Transfer-Encoding: 8bit Hi Haitham, What is satnex II cost code. Thanks Sunny *********************************************************** Sunil Iyengar, Research Fellow, Networks Group, Centre For Communication And Systems Research(CCSR), School of Electronics, Computing & Mathematics, University Of Surrey, Guildford GU2 7XH, Surrey, England, United Kingdom. Office: +44 (0)1483 686008 *********************************************************** ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of H.Cruickshank@surrey.ac.uk Sent: Sat 24/06/2006 09:24 To: ipdvb@erg.abdn.ac.uk Subject: FW: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (enclosed) Dear ipdvb WG, Gorry has kindly submitted for our the Internet draft on security extensions to ULE(version 2) . This draft complements the ULE security requirements that was posted recently. The main focus of the security extension is defining the header format to carry secure data over ULE. We (the authors) feel this work fits well to the ipdvb current activity. Many security related issues such as key management and security algorithm are borrowed from existing work in IPsec and MSEC groups. The main focus of this draft is the ULE header format for security. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: Fri 23/06/2006 09:11 To: Internet-Drafts Administrator Cc: Cruickshank HS Dr (CCSR) Subject: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (enclosed) On behalf of the authors, I wish to submit the enclosed draft: Security Extension for Unidirectional Lightweight Encapsulation Protocol Best wishes, Gorry ------_=_NextPart_001_01C69915.778BF2D7-- From owner-ipdvb@erg.abdn.ac.uk Mon Jun 26 12:53:28 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FuuL2-0002yO-7q for ipdvb-archive@ietf.org; Mon, 26 Jun 2006 12:53:28 -0400 Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FutEt-0002fo-8i for ipdvb-archive@ietf.org; Mon, 26 Jun 2006 11:43:03 -0400 Received: from dee.erg.abdn.ac.uk ([139.133.204.82] helo=erg.abdn.ac.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Fut1w-0008Ot-Rn for ipdvb-archive@ietf.org; Mon, 26 Jun 2006 11:29:43 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5QFGd7k019994 for ; Mon, 26 Jun 2006 16:16:39 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5QFGdcp019993 for ipdvb-subscribed-users; Mon, 26 Jun 2006 16:16:39 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from nab.org (foxtrot.nab.org [209.116.240.194]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5QFGJ3E019947 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for ; Mon, 26 Jun 2006 16:16:20 +0100 (BST) Received: from ([199.29.3.25]) by maildc2.nab.org with ESMTP id 4028857.11351294; Mon, 26 Jun 2006 11:15:59 -0400 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C69933.6D20E558" Subject: RE: Security-Requirements: alternatives? Date: Mon, 26 Jun 2006 11:15:57 -0400 Message-ID: <33CB4DEADE8C734CAF59FA0B47E14C1701792A34@morse.NAB.ORG> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security-Requirements: alternatives? Thread-Index: AcaWCSTQqvFxBaMJR52aksYGDj5i3gAHCBCAAAIqs7AATokj0AByPPkg From: "Allison, Art" To: X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.6 (--) X-Scan-Signature: 9ce0328cdf9c90e4680655d09dccace5 This is a multi-part message in MIME format. ------_=_NextPart_001_01C69933.6D20E558 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable Perhaps I misunderstood, but I thought that the approach chosen in ULE was for there to be one logical channel per PID ["...locate a specific ULE Stream (i.e., the PID value of the TS Logical Channel that carries a ULE Stream)"] as contrasted with multiple logical channels carried in MPEG-2 TS packets with a single PID. =20 The discovery of 'logical channels' carried in IP packets delivered via MPEG-2 TS packets with a single PID appears to not be standardized. Perhaps this falls into the general case of any IP delivery. If so, separate security access for each distinct element a functionality that A/70A would not provide. =20 But then it seems to me to not be different than the functionality provided for by existing RFCs for security of arbitrary content delivered using IP encapsulation, i.e., https: and such =20 If it is general purpose IP, then it seems to me that the proposal should make a case that the current RFCs fail to meet the requirements asserted to be needed. If it is 'logical channel' protection, then it is different that the general case. =20 But perhaps I have not been following this in adequate depth - and I waste your time, If so - no need to attempt to educate me. Regards,=20 Art _____________=20 Art Allison=20 Director, Advanced Engineering=20 Science & Technology=20 National Association of Broadcasters=20 1771 N Street, NW=20 Washington, D.C. 20036=20 Phone: 202.429.5418=20 Fax: 202.777.4981=20 aallison@nab.org =20 The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. =20 ________________________________ From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Saturday, June 24, 2006 5:01 AM To: ipdvb@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? =09 =09 Hi Art, =20 Many thanks for your input: =20 ******************** * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. ******************* =20 I completely agree with you that A/70A (Conditional Access System for Terrestrial Broadcast, Revision A) can interwork with ULE, where encryption is based on PIDs, which sometimes means bundling many IP flows with one PID. In our draft (ULE requirements), we aim for more fine grain security and securing every IP flow individually and try to re-use existing work in the IETF on key management. =20 Accidentally reading through A/70A, it looks much better than the DVB Conditional Access. I personally do not have much faith in DVB Conditional Access (DVB CA): You might probably know that DVB CA has been surrounded by controversy for many years due to the spread of counterfeit smart cards. For example, in late 1999, Italy was flooded with cheap counterfeit cards that enabled viewers use Canal Plus for free. In March 2002 Canal Plus Group filed a lawsuit against NDS Group, accusing it of cracking its digital television smart cards and putting the confidential information on the Internet. Since then, I have not seen any major changes in DVB CA to cater for these challenges. =20 Haitham =09 ---- Dr. Haitham S. Cruickshank=20 Lecturer=20 Communications Centre for Communication Systems Research (CCSR)=20 School of Electronics, Computing and Mathematics=20 University of Surrey, Guildford, Surrey GU2 7XH, UK=20 =20 Tel: +44 1483 686007 (indirect 689844)=20 Fax: +44 1483 686011=20 e-mail: H.Cruickshank@surrey.ac.uk=20 http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=20 ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Thu 22/06/2006 20:02 To: ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? =09 =09 See below. =09 =09 _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org =09 The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. =09 -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Thursday, June 22, 2006 2:09 PM To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? =09 Hi Gorry, =09 This issue has been addressed in the security draft. Some text has been added to section 5.1 to this effect: =09 Basically, in practice there are not many L2 security systems for MPEG transmission networks. Two major examples are: =09 * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. =09 * Some other L2 security systems are specified in standards such the MPE for DVB system . However, MPE security incomplete and there are no known implementations of such security system. =09 * For DVB-S2 Generic Streams, where IP encapsulation could be similar to ULE. The authors believe that ULE security format can be used for Generic Streams as well. =09 We would like to ask the ipdvb WG if anybody knows any other existing L2 security systems that might be suitable for ULE. =09 AA> See ATSC A/70A for ULE when sent in conformance with ATSC Standards. =09 Haitham ---- =09 Dr. Haitham S. Cruickshank =09 Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK =09 Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ =09 =09 =09 -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: 22 June 2006 15:37 To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? =09 Haitham, I-D Authors, List, =09 One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. =09 Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? =09 Thanks, =09 Gorry =09 =09 =09 =09 ------_=_NextPart_001_01C69933.6D20E558 Content-Type: text/html; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable RE: = Security-Requirements: alternatives?
Perhaps I misunderstood, but I thought that the approach = chosen in=20 ULE was for there to be one logical channel per PID ["...locate a = specific ULE=20 Stream (i.e., the PID value of the TS Logical Channel that carries = a ULE=20 Stream)"] as contrasted with multiple logical channels carried in MPEG-2 = TS=20 packets with a single PID.
 
The=20 discovery of 'logical channels' carried in IP packets delivered  = via MPEG-2=20 TS packets with a single PID appears to not be standardized.  = Perhaps=20 this falls into the general case of any IP delivery. If=20 so, =20 separate security access for each distinct element a=20 functionality that A/70A would not provide.
 
But=20 then it seems to me to not be different than the functionality provided = for=20 by existing RFCs for security of arbitrary content delivered = using IP=20 encapsulation, i.e., https: and such
 
If it=20 is general purpose IP, then it seems to me that the proposal should make = a case=20 that the current RFCs fail to meet the requirements asserted to be = needed. =20 If it is 'logical channel' protection, then it is different that = the=20 general case.
 
But=20 perhaps I have not been following this in adequate depth - and I waste = your=20 time,
If so=20 - no need to attempt to educate me.
Regards, 
Art

_____________
Art Allison
Director, Advanced Engineering =
Science=20 & Technology
National Association of Broadcasters
1771 N = Street, NW=20
Washington, D.C. 20036
Phone: 202.429.5418
Fax: 202.777.4981 =
aallison@nab.org

The National Association of Broadcasters is a trade association that=20 advocates on behalf of more than 8,300 free, local radio and television = stations=20 and also broadcast networks before Congress, the Federal Communications=20 Commission and the Courts.

 

From: owner-ipdvb@erg.abdn.ac.uk=20 [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of=20 H.Cruickshank@surrey.ac.uk
Sent: Saturday, June 24, 2006 = 5:01=20 AM
To: ipdvb@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk;=20 gorry@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk;=20 P.Pillai@Bradford.ac.uk
Subject: RE: Security-Requirements:=20 alternatives?

Hi=20 Art,
 
Many thanks for your input:
 
********************
* Conditional access for digital TV = broadcasting is=20 one example that
exists today.  This system is optimised for = TV=20 broadcast services only,
and is not suitable for IP packet = transmissions=20 and difficult to
interwork with ULE.
AA> See ATSC A/70A. I = strongly=20 disagree with assertion about the
difficulty to interwork with ULE. = The ULE=20 can be put in a virtual
channel in the ATSC system and the standard = directly applied.
*******************
 
I completely agree with you that  A/70A = (Conditional Access=20 System for Terrestrial Broadcast, Revision A) can interwork with ULE, = where=20 encryption is based on PIDs, which sometimes means bundling many IP = flows with=20 one PID.  In our draft (ULE requirements), we aim for more fine = grain=20 security and securing every IP flow individually and try to = re-use=20 existing work in the IETF on key management.
 
Accidentally reading through A/70A, it looks much = better than=20 the  DVB Conditional Access.  I personally do not have much faith in DVB Conditional Access (DVB CA): You might = probably know=20 that DVB = CA has been surrounded by = controversy for=20 many years due to the spread of counterfeit smart cards.  For example, in late 1999, = Italy=20 was flooded with cheap counterfeit cards that enabled viewers use = Canal Plus=20 for free.  In March 2002 = Canal=20 Plus Group filed a  lawsuit against NDS Group, accusing it of = cracking=20 its digital television smart cards and putting the confidential = information on=20 the Internet.  Since then, I have not seen any major = changes in=20 DVB = CA to cater for these=20 = challenges. 
 
Haitham
----
Dr. Haitham S.=20 Cruickshank
Lecturer=20
Communications=20 Centre for Communication Systems Research (CCSR)
School of=20 Electronics, Computing and Mathematics
University of=20 Surrey, Guildford, = Surrey GU2 7XH,=20 UK
 
Tel: +44 1483=20 686007 (indirect 689844)
Fax: +44 1483=20 686011
e-mail: H.Cruickshank@surrey.ac.uk
http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ =

From: owner-ipdvb@erg.abdn.ac.uk = on behalf of=20 Allison, Art
Sent: Thu 22/06/2006 20:02
To:=20 ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr (CCSR);=20 P.Pillai@Bradford.ac.uk
Subject: RE: Security-Requirements:=20 alternatives?

See below.


_____________
Art=20 Allison
Director, Advanced Engineering
Science &=20 Technology
National Association of Broadcasters
1771 N Street,=20 NW
Washington, D.C. 20036
Phone: 202.429.5418
Fax:=20 202.777.4981
aallison@nab.org

The National Association of=20 Broadcasters is a trade association that
advocates on behalf of = more than=20 8,300 free, local radio and television
stations and also broadcast = networks=20 before Congress, the Federal
Communications Commission and the=20 Courts.

-----Original Message-----
From: = owner-ipdvb@erg.abdn.ac.uk=20 [mailto:owner-ipdvb@erg.abdn.ac= .uk]=20 On
Behalf Of H.Cruickshank@surrey.ac.uk
Sent: Thursday, June 22, = 2006=20 2:09 PM
To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk;=20 S.Iyengar@surrey.ac.uk;
P.Pillai@Bradford.ac.uk
Subject: RE:=20 Security-Requirements: alternatives?

 Hi = Gorry,

This issue=20 has been addressed in the security draft.   Some text = has
been=20 added to section 5.1 to this effect:

Basically, in practice = there are=20 not many L2 security systems for MPEG
transmission networks.  = Two=20 major examples are:

* Conditional access for digital TV = broadcasting is=20 one example that
exists today.  This system is optimised for = TV=20 broadcast services only,
and is not suitable for IP packet = transmissions=20 and difficult to
interwork with ULE.
AA> See ATSC A/70A. I = strongly=20 disagree with assertion about the
difficulty to interwork with ULE. = The ULE=20 can be put in a virtual
channel in the ATSC system and the standard = directly applied.

* Some other L2 security systems are = specified in=20 standards such the MPE
for DVB system . However, MPE security = incomplete=20 and there are no known
implementations of such security = system.

*=20 For DVB-S2 Generic Streams, where IP encapsulation could be similar = to
ULE.=20 The authors believe that ULE security format can be used = for
Generic=20 Streams as well.

We would like to ask the ipdvb WG if anybody = knows any=20 other existing L2
security systems that might be suitable for=20 ULE.

AA> See ATSC A/70A for ULE when sent in conformance = with ATSC=20 Standards.

Haitham
----

Dr. Haitham S.=20 Cruickshank

Lecturer
Communications Centre for Communication = Systems=20 Research (CCSR) School
of Electronics, Computing and Mathematics = University=20 of Surrey,
Guildford, Surrey GU2 7XH, UK

Tel: +44 1483 = 686007=20 (indirect 689844)
Fax: +44 1483 686011
e-mail:=20 H.Cruickshank@surrey.ac.uk
http://www.ee= .surrey.ac.uk/Personal/H.Cruickshank/



-----Original=20 Message-----
From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk]
= Sent:=20 22 June 2006 15:37
To: Cruickshank HS Dr (CCSR); = ipdvb@erg.abdn.ac.uk;=20 Iyengar S Mr (CCSR);
P.Pillai@Bradford.ac.uk
Subject:=20 Security-Requirements: alternatives?

Haitham, I-D Authors,=20 List,

One of the issues we need to be clear about in preparing = for a=20 WG
adoption of the security requirements I-D is the possible=20 alternatives
that have been proposed/implemented in other standards = organisations.

Could you summarise the methods that have been = proposed=20 for MPEG-2
transmission networks that provide equivalent L2 = security=20 functions, and
say which to your knowledge has actually have been=20 implemented=20 = in
systems?

Thanks,

Gorry



------_=_NextPart_001_01C69933.6D20E558-- From owner-ipdvb@erg.abdn.ac.uk Wed Jun 28 09:55:32 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FvaVw-00029G-JQ for ipdvb-archive@ietf.org; Wed, 28 Jun 2006 09:55:32 -0400 Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fva15-0007YO-Oe for ipdvb-archive@ietf.org; Wed, 28 Jun 2006 09:23:39 -0400 Received: from dee.erg.abdn.ac.uk ([139.133.204.82] helo=erg.abdn.ac.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FvZW9-00073l-7p for ipdvb-archive@ietf.org; Wed, 28 Jun 2006 08:51:43 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5SCPLRm023424 for ; Wed, 28 Jun 2006 13:25:21 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5SCPLk9023423 for ipdvb-subscribed-users; Wed, 28 Jun 2006 13:25:21 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from [139.133.207.159] (dhcp-207-159.erg.abdn.ac.uk [139.133.207.159]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5SCPDh0023408 for ; Wed, 28 Jun 2006 13:25:13 +0100 (BST) Message-ID: <44A27543.3080504@erg.abdn.ac.uk> Date: Wed, 28 Jun 2006 13:25:39 +0100 From: Gorry Fairhurst Organization: University of Aberdeen, UK User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ipdvb@erg.abdn.ac.uk Subject: Working Group Last Call (WGLC): draft-ietf-ipdvb-ar-04.txt Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.4 (--) X-Scan-Signature: 7d33c50f3756db14428398e2bdedd581 This note starts the ipdvb WG Last Call for comments for the WG document named below: draft-ietf-ipdvb-ar-04.txt http://tools.ietf.org/wg/ipdvb/draft-ietf-ipdvb-ar/ This last call will end on 18th July 2006. The period of this last call has been extended because it also includes the week of the IETF meeting. You are asked to read the draft and send any issues, comments, or corrections to this mailing list. The WGLC procedure is the last chance for this working group to modify/correct this. Please do forward any comments to the ipdvb list. Best wishes, Gorry Fairhurst (ipdvb WG Chair) From owner-ipdvb@erg.abdn.ac.uk Wed Jun 28 11:12:53 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fvbin-00021l-Tp for ipdvb-archive@ietf.org; Wed, 28 Jun 2006 11:12:53 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fvbam-0000g5-Ep for ipdvb-archive@ietf.org; Wed, 28 Jun 2006 11:04:40 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5SEtB5H006372 for ; Wed, 28 Jun 2006 15:55:11 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5SEtBtC006371 for ipdvb-subscribed-users; Wed, 28 Jun 2006 15:55:11 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from ads40.surrey.ac.uk (ads40.surrey.ac.uk [131.227.102.140]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5SEsvFC006110 for ; Wed, 28 Jun 2006 15:54:59 +0100 (BST) Received: from EVS-EC1-NODE1.surrey.ac.uk ([131.227.102.136]) by ads40.surrey.ac.uk with Microsoft SMTPSVC(6.0.3790.1830); Wed, 28 Jun 2006 15:54:52 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C69AC2.CFA553D9" Subject: RE: Security-Requirements: alternatives? Date: Wed, 28 Jun 2006 15:54:52 +0100 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security-Requirements: alternatives? Thread-Index: AcaWCSTQqvFxBaMJR52aksYGDj5i3gAHCBCAAAIqs7AATokj0AByPPkgAGQNTCo= From: To: X-OriginalArrivalTime: 28 Jun 2006 14:54:52.0790 (UTC) FILETIME=[CFD65160:01C69AC2] X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.2 (/) X-Scan-Signature: a38f40f81e96f7c17c0b6f9de20b7099 This is a multi-part message in MIME format. ------_=_NextPart_001_01C69AC2.CFA553D9 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi again Art,=0A= =20=0A= May be we should get the terminology right first.=20=0A= =20=0A= A typical usage is for the ULE Stream sent on a single PID to carry unicast= or multicast packets with several different IP destination addresses (and = therefore corresponding different MAC addresses). The aim of ULE security i= s therefore to secure the L2 conversations between each Receiver and the En= capsulator that generates the corresponding ULE stream.=20=20=0A= =20=0A= Also it is possible to do a more fine grain security (per IP flow), dependi= ng on the security association which is part of a key management system.=0A= Haitham=20=0A= =0A= =20=0A= ----=0A= Dr. Haitham S. Cruickshank=20=0A= Lecturer=20=0A= Communications Centre for Communication Systems Research (CCSR)=20=0A= School of Electronics, Computing and Mathematics=20=0A= University of Surrey, Guildford, Surrey GU2 7XH, UK=20=0A= =20=0A= Tel: +44 1483 686007 (indirect 689844)=20=0A= Fax: +44 1483 686011=20=0A= e-mail: H.Cruickshank@surrey.ac.uk=20=0A= http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=20=0A= =0A= ________________________________=0A= =0A= From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art=0A= Sent: Mon 26/06/2006 16:15=0A= To: ipdvb@erg.abdn.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =0A= =0A= Perhaps I misunderstood, but I thought that the approach chosen in ULE was = for there to be one logical channel per PID ["...locate a specific ULE Stre= am (i.e., the PID value of the TS Logical Channel that carries a ULE Stream= )"] as contrasted with multiple logical channels carried in MPEG-2 TS packe= ts with a single PID.=0A= =20=0A= The discovery of 'logical channels' carried in IP packets delivered via MP= EG-2 TS packets with a single PID appears to not be standardized. Perhaps = this falls into the general case of any IP delivery. If so, separate secur= ity access for each distinct element a functionality that A/70A would not p= rovide.=0A= =20=0A= But then it seems to me to not be different than the functionality provided= for by existing RFCs for security of arbitrary content delivered using IP = encapsulation, i.e., https: and such=0A= =20=0A= If it is general purpose IP, then it seems to me that the proposal should m= ake a case that the current RFCs fail to meet the requirements asserted to = be needed. If it is 'logical channel' protection, then it is different tha= t the general case.=0A= =20=0A= But perhaps I have not been following this in adequate depth - and I waste = your time,=0A= If so - no need to attempt to educate me.=0A= Regards,=20=0A= Art=0A= =0A= _____________=20=0A= Art Allison=20=0A= Director, Advanced Engineering=20=0A= Science & Technology=20=0A= National Association of Broadcasters=20=0A= 1771 N Street, NW=20=0A= Washington, D.C. 20036=20=0A= Phone: 202.429.5418=20=0A= Fax: 202.777.4981=20=0A= aallison@nab.org =20=20=0A= =0A= The National Association of Broadcasters is a trade association that advoca= tes on behalf of more than 8,300 free, local radio and television stations = and also broadcast networks before Congress, the Federal Communications Com= mission and the Courts.=0A= =0A= =20=0A= =0A= =0A= ________________________________=0A= =0A= From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Be= half Of H.Cruickshank@surrey.ac.uk=0A= Sent: Saturday, June 24, 2006 5:01 AM=0A= To: ipdvb@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; S.Iy= engar@surrey.ac.uk; P.Pillai@Bradford.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =09=0A= =09=0A= Hi Art,=0A= =09=20=0A= Many thanks for your input:=0A= =09=20=0A= ********************=0A= * Conditional access for digital TV broadcasting is one example that=0A= exists today. This system is optimised for TV broadcast services only,=0A= and is not suitable for IP packet transmissions and difficult to=0A= interwork with ULE.=0A= AA> See ATSC A/70A. I strongly disagree with assertion about the=0A= difficulty to interwork with ULE. The ULE can be put in a virtual=0A= channel in the ATSC system and the standard directly applied.=0A= *******************=0A= =09=20=0A= I completely agree with you that A/70A (Conditional Access System for Ter= restrial Broadcast, Revision A) can interwork with ULE, where encryption is= based on PIDs, which sometimes means bundling many IP flows with one PID. = In our draft (ULE requirements), we aim for more fine grain security and s= ecuring every IP flow individually and try to re-use existing work in the I= ETF on key management.=0A= =09=20=0A= Accidentally reading through A/70A, it looks much better than the DVB Con= ditional Access. I personally do not have much faith in DVB Conditional Ac= cess (DVB CA): You might probably know that DVB CA has been surrounded by c= ontroversy for many years due to the spread of counterfeit smart cards. Fo= r example, in late 1999, Italy was flooded with cheap counterfeit cards tha= t enabled viewers use Canal Plus for free. In March 2002 Canal Plus Group = filed a lawsuit against NDS Group, accusing it of cracking its digital tel= evision smart cards and putting the confidential information on the Interne= t. Since then, I have not seen any major changes in DVB CA to cater for th= ese challenges.=20=0A= =09=20=0A= Haitham=0A= =09=0A= ----=0A= Dr. Haitham S. Cruickshank=20=0A= Lecturer=20=0A= Communications Centre for Communication Systems Research (CCSR)=20=0A= School of Electronics, Computing and Mathematics=20=0A= University of Surrey, Guildford, Surrey GU2 7XH, UK=20=0A= =09=20=0A= Tel: +44 1483 686007 (indirect 689844)=20=0A= Fax: +44 1483 686011=20=0A= e-mail: H.Cruickshank@surrey.ac.uk=20=0A= http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=20=0A= =0A= ________________________________=0A= =0A= From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art=0A= Sent: Thu 22/06/2006 20:02=0A= To: ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pil= lai@Bradford.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =09=0A= =09=0A= =0A= See below.=0A= =09=0A= =09=0A= _____________=0A= Art Allison=0A= Director, Advanced Engineering=0A= Science & Technology=0A= National Association of Broadcasters=0A= 1771 N Street, NW=0A= Washington, D.C. 20036=0A= Phone: 202.429.5418=0A= Fax: 202.777.4981=0A= aallison@nab.org=0A= =09=0A= The National Association of Broadcasters is a trade association that=0A= advocates on behalf of more than 8,300 free, local radio and television=0A= stations and also broadcast networks before Congress, the Federal=0A= Communications Commission and the Courts.=0A= =09=0A= -----Original Message-----=0A= From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On=0A= Behalf Of H.Cruickshank@surrey.ac.uk=0A= Sent: Thursday, June 22, 2006 2:09 PM=0A= To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk;=0A= P.Pillai@Bradford.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =09=0A= Hi Gorry,=0A= =09=0A= This issue has been addressed in the security draft. Some text has=0A= been added to section 5.1 to this effect:=0A= =09=0A= Basically, in practice there are not many L2 security systems for MPEG=0A= transmission networks. Two major examples are:=0A= =09=0A= * Conditional access for digital TV broadcasting is one example that=0A= exists today. This system is optimised for TV broadcast services only,=0A= and is not suitable for IP packet transmissions and difficult to=0A= interwork with ULE.=0A= AA> See ATSC A/70A. I strongly disagree with assertion about the=0A= difficulty to interwork with ULE. The ULE can be put in a virtual=0A= channel in the ATSC system and the standard directly applied.=0A= =09=0A= * Some other L2 security systems are specified in standards such the MPE= =0A= for DVB system . However, MPE security incomplete and there are no known= =0A= implementations of such security system.=0A= =09=0A= * For DVB-S2 Generic Streams, where IP encapsulation could be similar to= =0A= ULE. The authors believe that ULE security format can be used for=0A= Generic Streams as well.=0A= =09=0A= We would like to ask the ipdvb WG if anybody knows any other existing L2= =0A= security systems that might be suitable for ULE.=0A= =09=0A= AA> See ATSC A/70A for ULE when sent in conformance with ATSC Standards.= =0A= =09=0A= Haitham=0A= ----=0A= =09=0A= Dr. Haitham S. Cruickshank=0A= =09=0A= Lecturer=0A= Communications Centre for Communication Systems Research (CCSR) School=0A= of Electronics, Computing and Mathematics University of Surrey,=0A= Guildford, Surrey GU2 7XH, UK=0A= =09=0A= Tel: +44 1483 686007 (indirect 689844)=0A= Fax: +44 1483 686011=0A= e-mail: H.Cruickshank@surrey.ac.uk=0A= http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=0A= =09=0A= =09=0A= =09=0A= -----Original Message-----=0A= From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk]=0A= Sent: 22 June 2006 15:37=0A= To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR);= =0A= P.Pillai@Bradford.ac.uk=0A= Subject: Security-Requirements: alternatives?=0A= =09=0A= Haitham, I-D Authors, List,=0A= =09=0A= One of the issues we need to be clear about in preparing for a WG=0A= adoption of the security requirements I-D is the possible alternatives=0A= that have been proposed/implemented in other standards organisations.=0A= =09=0A= Could you summarise the methods that have been proposed for MPEG-2=0A= transmission networks that provide equivalent L2 security functions, and= =0A= say which to your knowledge has actually have been implemented in=0A= systems?=0A= =09=0A= Thanks,=0A= =09=0A= Gorry=0A= =09=0A= =09=0A= =09=0A= =09=0A= =0A= ------_=_NextPart_001_01C69AC2.CFA553D9 Content-Type: text/plain; name="msg-6061-11.txt" Content-Disposition: attachment; filename="msg-6061-11.txt" Content-Transfer-Encoding: 8bit Hi again Art, May be we should get the terminology right first. A typical usage is for the ULE Stream sent on a single PID to carry unicast or multicast packets with several different IP destination addresses (and therefore corresponding different MAC addresses). The aim of ULE security is therefore to secure the L2 conversations between each Receiver and the Encapsulator that generates the corresponding ULE stream. Also it is possible to do a more fine grain security (per IP flow), depending on the security association which is part of a key management system. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Mon 26/06/2006 16:15 To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Perhaps I misunderstood, but I thought that the approach chosen in ULE was for there to be one logical channel per PID ["...locate a specific ULE Stream (i.e., the PID value of the TS Logical Channel that carries a ULE Stream)"] as contrasted with multiple logical channels carried in MPEG-2 TS packets with a single PID. The discovery of 'logical channels' carried in IP packets delivered via MPEG-2 TS packets with a single PID appears to not be standardized. Perhaps this falls into the general case of any IP delivery. If so, separate security access for each distinct element a functionality that A/70A would not provide. But then it seems to me to not be different than the functionality provided for by existing RFCs for security of arbitrary content delivered using IP encapsulation, i.e., https: and such If it is general purpose IP, then it seems to me that the proposal should make a case that the current RFCs fail to meet the requirements asserted to be needed. If it is 'logical channel' protection, then it is different that the general case. But perhaps I have not been following this in adequate depth - and I waste your time, If so - no need to attempt to educate me. Regards, Art _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. ________________________________ From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Saturday, June 24, 2006 5:01 AM To: ipdvb@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Art, Many thanks for your input: ******************** * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. ******************* I completely agree with you that A/70A (Conditional Access System for Terrestrial Broadcast, Revision A) can interwork with ULE, where encryption is based on PIDs, which sometimes means bundling many IP flows with one PID. In our draft (ULE requirements), we aim for more fine grain security and securing every IP flow individually and try to re-use existing work in the IETF on key management. Accidentally reading through A/70A, it looks much better than the DVB Conditional Access. I personally do not have much faith in DVB Conditional Access (DVB CA): You might probably know that DVB CA has been surrounded by controversy for many years due to the spread of counterfeit smart cards. For example, in late 1999, Italy was flooded with cheap counterfeit cards that enabled viewers use Canal Plus for free. In March 2002 Canal Plus Group filed a lawsuit against NDS Group, accusing it of cracking its digital television smart cards and putting the confidential information on the Internet. Since then, I have not seen any major changes in DVB CA to cater for these challenges. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Thu 22/06/2006 20:02 To: ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? See below. _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Thursday, June 22, 2006 2:09 PM To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Gorry, This issue has been addressed in the security draft. Some text has been added to section 5.1 to this effect: Basically, in practice there are not many L2 security systems for MPEG transmission networks. Two major examples are: * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. * Some other L2 security systems are specified in standards such the MPE for DVB system . However, MPE security incomplete and there are no known implementations of such security system. * For DVB-S2 Generic Streams, where IP encapsulation could be similar to ULE. The authors believe that ULE security format can be used for Generic Streams as well. We would like to ask the ipdvb WG if anybody knows any other existing L2 security systems that might be suitable for ULE. AA> See ATSC A/70A for ULE when sent in conformance with ATSC Standards. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: 22 June 2006 15:37 To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? Haitham, I-D Authors, List, One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? Thanks, Gorry ------_=_NextPart_001_01C69AC2.CFA553D9-- From owner-ipdvb@erg.abdn.ac.uk Wed Jun 28 12:47:27 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FvdCJ-0002xD-6Q for ipdvb-archive@ietf.org; Wed, 28 Jun 2006 12:47:27 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FvdCH-0002WQ-Gp for ipdvb-archive@ietf.org; Wed, 28 Jun 2006 12:47:27 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5SGaLrV014139 for ; Wed, 28 Jun 2006 17:36:21 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5SGaL5D014138 for ipdvb-subscribed-users; Wed, 28 Jun 2006 17:36:21 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from nab.org (foxtrot.nab.org [209.116.240.194]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5SGa7h4014120 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for ; Wed, 28 Jun 2006 17:36:08 +0100 (BST) Received: from ([199.29.3.25]) by maildc2.nab.org with ESMTP id 4028857.11400600; Wed, 28 Jun 2006 12:35:44 -0400 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Subject: RE: Security-Requirements: alternatives? Date: Wed, 28 Jun 2006 12:35:43 -0400 Message-ID: <33CB4DEADE8C734CAF59FA0B47E14C1701792A51@morse.NAB.ORG> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security-Requirements: alternatives? Thread-Index: AcaWCSTQqvFxBaMJR52aksYGDj5i3gAHCBCAAAIqs7AATokj0AByPPkgAGQNTCoAA8R4kA== From: "Allison, Art" To: X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by erg.abdn.ac.uk id k5SGaKdB014135 Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.0 (/) X-Scan-Signature: f5932bfc8385127f631fc458a872feb1 Thanks. I agree that to secure some of the flows carried by packets with a single PID and not others; one could not apply A/70A. Art _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Wednesday, June 28, 2006 10:55 AM To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Hi again Art, May be we should get the terminology right first. A typical usage is for the ULE Stream sent on a single PID to carry unicast or multicast packets with several different IP destination addresses (and therefore corresponding different MAC addresses). The aim of ULE security is therefore to secure the L2 conversations between each Receiver and the Encapsulator that generates the corresponding ULE stream. Also it is possible to do a more fine grain security (per IP flow), depending on the security association which is part of a key management system. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Mon 26/06/2006 16:15 To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Perhaps I misunderstood, but I thought that the approach chosen in ULE was for there to be one logical channel per PID ["...locate a specific ULE Stream (i.e., the PID value of the TS Logical Channel that carries a ULE Stream)"] as contrasted with multiple logical channels carried in MPEG-2 TS packets with a single PID. The discovery of 'logical channels' carried in IP packets delivered via MPEG-2 TS packets with a single PID appears to not be standardized. Perhaps this falls into the general case of any IP delivery. If so, separate security access for each distinct element a functionality that A/70A would not provide. But then it seems to me to not be different than the functionality provided for by existing RFCs for security of arbitrary content delivered using IP encapsulation, i.e., https: and such If it is general purpose IP, then it seems to me that the proposal should make a case that the current RFCs fail to meet the requirements asserted to be needed. If it is 'logical channel' protection, then it is different that the general case. But perhaps I have not been following this in adequate depth - and I waste your time, If so - no need to attempt to educate me. Regards, Art _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. ________________________________ From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Saturday, June 24, 2006 5:01 AM To: ipdvb@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Art, Many thanks for your input: ******************** * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. ******************* I completely agree with you that A/70A (Conditional Access System for Terrestrial Broadcast, Revision A) can interwork with ULE, where encryption is based on PIDs, which sometimes means bundling many IP flows with one PID. In our draft (ULE requirements), we aim for more fine grain security and securing every IP flow individually and try to re-use existing work in the IETF on key management. Accidentally reading through A/70A, it looks much better than the DVB Conditional Access. I personally do not have much faith in DVB Conditional Access (DVB CA): You might probably know that DVB CA has been surrounded by controversy for many years due to the spread of counterfeit smart cards. For example, in late 1999, Italy was flooded with cheap counterfeit cards that enabled viewers use Canal Plus for free. In March 2002 Canal Plus Group filed a lawsuit against NDS Group, accusing it of cracking its digital television smart cards and putting the confidential information on the Internet. Since then, I have not seen any major changes in DVB CA to cater for these challenges. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Thu 22/06/2006 20:02 To: ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? See below. _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Thursday, June 22, 2006 2:09 PM To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Gorry, This issue has been addressed in the security draft. Some text has been added to section 5.1 to this effect: Basically, in practice there are not many L2 security systems for MPEG transmission networks. Two major examples are: * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. * Some other L2 security systems are specified in standards such the MPE for DVB system . However, MPE security incomplete and there are no known implementations of such security system. * For DVB-S2 Generic Streams, where IP encapsulation could be similar to ULE. The authors believe that ULE security format can be used for Generic Streams as well. We would like to ask the ipdvb WG if anybody knows any other existing L2 security systems that might be suitable for ULE. AA> See ATSC A/70A for ULE when sent in conformance with ATSC Standards. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: 22 June 2006 15:37 To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? Haitham, I-D Authors, List, One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? Thanks, Gorry From owner-ipdvb@erg.abdn.ac.uk Thu Jun 29 11:11:17 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FvyAn-0003ch-4R for ipdvb-archive@ietf.org; Thu, 29 Jun 2006 11:11:17 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FvyAj-0007nM-4d for ipdvb-archive@ietf.org; Thu, 29 Jun 2006 11:11:17 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5TEx6IL027590 for ; Thu, 29 Jun 2006 15:59:06 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5TEx6Rw027589 for ipdvb-subscribed-users; Thu, 29 Jun 2006 15:59:06 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from nab.org (foxtrot.nab.org [209.116.240.194]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5TEwt42027568 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for ; Thu, 29 Jun 2006 15:58:55 +0100 (BST) Received: from ([199.29.3.25]) by maildc2.nab.org with ESMTP id 4028857.11423012; Thu, 29 Jun 2006 10:58:45 -0400 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Subject: RE: Security-Requirements: alternatives? Date: Thu, 29 Jun 2006 10:58:45 -0400 Message-ID: <33CB4DEADE8C734CAF59FA0B47E14C1701792A64@morse.NAB.ORG> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security-Requirements: alternatives? Thread-Index: AcaWCSTQqvFxBaMJR52aksYGDj5i3gAHCBCAAAIqs7AATokj0AByPPkgAGQNTCoAA8R4kAAtn8eaAAFd3ZA= From: "Allison, Art" To: X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by erg.abdn.ac.uk id k5TEx6cf027586 Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.0 (/) X-Scan-Signature: e95407604bef3289cd27cb4f3b3a35b4 I am willing to so check. Will try to catch it as it goes by, but a tickle would increase the probability. (and I am out-of-office July 10-14) Art _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Thursday, June 29, 2006 10:23 AM To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Hi again Art, Many thanks Art for your opinion and input about ATSC security system (ATSC A/ 70A). We will provide an update for the next rev of the requirements I-D that clarifies this point and to include refs to how ATSC provides its security services. Would Art be willing to help check the paragraphs correctly reflect ATSC's specs. Many thanks Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Wed 28/06/2006 17:35 To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Thanks. I agree that to secure some of the flows carried by packets with a single PID and not others; one could not apply A/70A. Art _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Wednesday, June 28, 2006 10:55 AM To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Hi again Art, May be we should get the terminology right first. A typical usage is for the ULE Stream sent on a single PID to carry unicast or multicast packets with several different IP destination addresses (and therefore corresponding different MAC addresses). The aim of ULE security is therefore to secure the L2 conversations between each Receiver and the Encapsulator that generates the corresponding ULE stream. Also it is possible to do a more fine grain security (per IP flow), depending on the security association which is part of a key management system. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Mon 26/06/2006 16:15 To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Perhaps I misunderstood, but I thought that the approach chosen in ULE was for there to be one logical channel per PID ["...locate a specific ULE Stream (i.e., the PID value of the TS Logical Channel that carries a ULE Stream)"] as contrasted with multiple logical channels carried in MPEG-2 TS packets with a single PID. The discovery of 'logical channels' carried in IP packets delivered via MPEG-2 TS packets with a single PID appears to not be standardized. Perhaps this falls into the general case of any IP delivery. If so, separate security access for each distinct element a functionality that A/70A would not provide. But then it seems to me to not be different than the functionality provided for by existing RFCs for security of arbitrary content delivered using IP encapsulation, i.e., https: and such If it is general purpose IP, then it seems to me that the proposal should make a case that the current RFCs fail to meet the requirements asserted to be needed. If it is 'logical channel' protection, then it is different that the general case. But perhaps I have not been following this in adequate depth - and I waste your time, If so - no need to attempt to educate me. Regards, Art _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. ________________________________ From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Saturday, June 24, 2006 5:01 AM To: ipdvb@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Art, Many thanks for your input: ******************** * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. ******************* I completely agree with you that A/70A (Conditional Access System for Terrestrial Broadcast, Revision A) can interwork with ULE, where encryption is based on PIDs, which sometimes means bundling many IP flows with one PID. In our draft (ULE requirements), we aim for more fine grain security and securing every IP flow individually and try to re-use existing work in the IETF on key management. Accidentally reading through A/70A, it looks much better than the DVB Conditional Access. I personally do not have much faith in DVB Conditional Access (DVB CA): You might probably know that DVB CA has been surrounded by controversy for many years due to the spread of counterfeit smart cards. For example, in late 1999, Italy was flooded with cheap counterfeit cards that enabled viewers use Canal Plus for free. In March 2002 Canal Plus Group filed a lawsuit against NDS Group, accusing it of cracking its digital television smart cards and putting the confidential information on the Internet. Since then, I have not seen any major changes in DVB CA to cater for these challenges. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Thu 22/06/2006 20:02 To: ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? See below. _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Thursday, June 22, 2006 2:09 PM To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Gorry, This issue has been addressed in the security draft. Some text has been added to section 5.1 to this effect: Basically, in practice there are not many L2 security systems for MPEG transmission networks. Two major examples are: * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. * Some other L2 security systems are specified in standards such the MPE for DVB system . However, MPE security incomplete and there are no known implementations of such security system. * For DVB-S2 Generic Streams, where IP encapsulation could be similar to ULE. The authors believe that ULE security format can be used for Generic Streams as well. We would like to ask the ipdvb WG if anybody knows any other existing L2 security systems that might be suitable for ULE. AA> See ATSC A/70A for ULE when sent in conformance with ATSC Standards. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: 22 June 2006 15:37 To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? Haitham, I-D Authors, List, One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? Thanks, Gorry From owner-ipdvb@erg.abdn.ac.uk Thu Jun 29 11:15:05 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FvyET-0004Q4-Q3 for ipdvb-archive@ietf.org; Thu, 29 Jun 2006 11:15:05 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FvyER-0007vK-WC for ipdvb-archive@ietf.org; Thu, 29 Jun 2006 11:15:05 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5TF8wIt028549 for ; Thu, 29 Jun 2006 16:08:58 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5TF8wJE028548 for ipdvb-subscribed-users; Thu, 29 Jun 2006 16:08:58 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from www.erg.abdn.ac.uk (blake.erg.abdn.ac.uk [139.133.210.30]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5TF8pTY028530; Thu, 29 Jun 2006 16:08:52 +0100 (BST) Received: from 161.30.211.131 (SquirrelMail authenticated user gorry); by www.erg.abdn.ac.uk with HTTP; Thu, 29 Jun 2006 16:08:50 +0100 (BST) Message-ID: <50797.161.30.211.131.1151593730.squirrel@161.30.211.131> In-Reply-To: <33CB4DEADE8C734CAF59FA0B47E14C1701792A64@morse.NAB.ORG> References: <33CB4DEADE8C734CAF59FA0B47E14C1701792A64@morse.NAB.ORG> Date: Thu, 29 Jun 2006 16:08:50 +0100 (BST) Subject: RE: Security-Requirements: alternatives? From: gorry@erg.abdn.ac.uk To: ipdvb@erg.abdn.ac.uk Cc: ipdvb@erg.abdn.ac.uk User-Agent: SquirrelMail/1.4.3a X-Mailer: SquirrelMail/1.4.3a MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.6 (--) X-Scan-Signature: e3901bdd61b234d82da85cc76f05a7e8 Thank you for the offer. Gorry > I am willing to so check. > Will try to catch it as it goes by, but a tickle would increase the > probability. > (and I am out-of-office July 10-14) > Art > _____________ > Art Allison > Director, Advanced Engineering > Science & Technology > National Association of Broadcasters > 1771 N Street, NW > Washington, D.C. 20036 > Phone: 202.429.5418 > Fax: 202.777.4981 > aallison@nab.org > > The National Association of Broadcasters is a trade association that > advocates on behalf of more than 8,300 free, local radio and television > stations and also broadcast networks before Congress, the Federal > Communications Commission and the Courts. > > -----Original Message----- > From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On > Behalf Of H.Cruickshank@surrey.ac.uk > Sent: Thursday, June 29, 2006 10:23 AM > To: ipdvb@erg.abdn.ac.uk > Subject: RE: Security-Requirements: alternatives? > > Hi again Art, > > Many thanks Art for your opinion and input about ATSC security system > (ATSC A/ 70A). > > We will provide an update for the next rev of the requirements I-D that > clarifies this point and to include refs to how ATSC provides its > security services. > > Would Art be willing to help check the paragraphs correctly reflect > ATSC's specs. > > Many thanks > Haitham > > ---- > Dr. Haitham S. Cruickshank > Lecturer > Communications Centre for Communication Systems Research (CCSR) School > of Electronics, Computing and Mathematics University of Surrey, > Guildford, Surrey GU2 7XH, UK > > Tel: +44 1483 686007 (indirect 689844) > Fax: +44 1483 686011 > e-mail: H.Cruickshank@surrey.ac.uk > http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ > > ________________________________ > > From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art > Sent: Wed 28/06/2006 17:35 > To: ipdvb@erg.abdn.ac.uk > Subject: RE: Security-Requirements: alternatives? > > > > Thanks. > I agree that to secure some of the flows carried by packets with a > single PID and not others; one could not apply A/70A. > Art > _____________ > Art Allison > Director, Advanced Engineering > Science & Technology > National Association of Broadcasters > 1771 N Street, NW > Washington, D.C. 20036 > Phone: 202.429.5418 > Fax: 202.777.4981 > aallison@nab.org > > The National Association of Broadcasters is a trade association that > advocates on behalf of more than 8,300 free, local radio and television > stations and also broadcast networks before Congress, the Federal > Communications Commission and the Courts. > > -----Original Message----- > From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On > Behalf Of H.Cruickshank@surrey.ac.uk > Sent: Wednesday, June 28, 2006 10:55 AM > To: ipdvb@erg.abdn.ac.uk > Subject: RE: Security-Requirements: alternatives? > > Hi again Art, > > May be we should get the terminology right first. > > A typical usage is for the ULE Stream sent on a single PID to carry > unicast or multicast packets with several different IP destination > addresses (and therefore corresponding different MAC addresses). The aim > of ULE security is therefore to secure the L2 conversations between each > Receiver and the Encapsulator that generates the corresponding ULE > stream. > > Also it is possible to do a more fine grain security (per IP flow), > depending on the security association which is part of a key management > system. > Haitham > > > ---- > Dr. Haitham S. Cruickshank > Lecturer > Communications Centre for Communication Systems Research (CCSR) School > of Electronics, Computing and Mathematics University of Surrey, > Guildford, Surrey GU2 7XH, UK > > Tel: +44 1483 686007 (indirect 689844) > Fax: +44 1483 686011 > e-mail: H.Cruickshank@surrey.ac.uk > http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ > > ________________________________ > > From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art > Sent: Mon 26/06/2006 16:15 > To: ipdvb@erg.abdn.ac.uk > Subject: RE: Security-Requirements: alternatives? > > > Perhaps I misunderstood, but I thought that the approach chosen in ULE > was for there to be one logical channel per PID ["...locate a specific > ULE Stream (i.e., the PID value of the TS Logical Channel that carries a > ULE Stream)"] as contrasted with multiple logical channels carried in > MPEG-2 TS packets with a single PID. > > The discovery of 'logical channels' carried in IP packets delivered via > MPEG-2 TS packets with a single PID appears to not be standardized. > Perhaps this falls into the general case of any IP delivery. If so, > separate security access for each distinct element a functionality that > A/70A would not provide. > > But then it seems to me to not be different than the functionality > provided for by existing RFCs for security of arbitrary content > delivered using IP encapsulation, i.e., https: and such > > If it is general purpose IP, then it seems to me that the proposal > should make a case that the current RFCs fail to meet the requirements > asserted to be needed. If it is 'logical channel' protection, then it > is different that the general case. > > But perhaps I have not been following this in adequate depth - and I > waste your time, If so - no need to attempt to educate me. > Regards, > Art > > _____________ > Art Allison > Director, Advanced Engineering > Science & Technology > National Association of Broadcasters > 1771 N Street, NW > Washington, D.C. 20036 > Phone: 202.429.5418 > Fax: 202.777.4981 > aallison@nab.org > > The National Association of Broadcasters is a trade association that > advocates on behalf of more than 8,300 free, local radio and television > stations and also broadcast networks before Congress, the Federal > Communications Commission and the Courts. > > > > > ________________________________ > > From: owner-ipdvb@erg.abdn.ac.uk > [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of > H.Cruickshank@surrey.ac.uk > Sent: Saturday, June 24, 2006 5:01 AM > To: ipdvb@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; > gorry@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk > Subject: RE: Security-Requirements: alternatives? > > > Hi Art, > > Many thanks for your input: > > ******************** > * Conditional access for digital TV broadcasting is one example > that > exists today. This system is optimised for TV broadcast > services only, > and is not suitable for IP packet transmissions and difficult to > interwork with ULE. > AA> See ATSC A/70A. I strongly disagree with assertion about the > difficulty to interwork with ULE. The ULE can be put in a > virtual > channel in the ATSC system and the standard directly applied. > ******************* > > I completely agree with you that A/70A (Conditional Access > System for Terrestrial Broadcast, Revision A) can interwork with ULE, > where encryption is based on PIDs, which sometimes means bundling many > IP flows with one PID. In our draft (ULE requirements), we aim for more > fine grain security and securing every IP flow individually and try to > re-use existing work in the IETF on key management. > > Accidentally reading through A/70A, it looks much better than > the DVB Conditional Access. I personally do not have much faith in DVB > Conditional Access (DVB CA): You might probably know that DVB CA has > been surrounded by controversy for many years due to the spread of > counterfeit smart cards. For example, in late 1999, Italy was flooded > with cheap counterfeit cards that enabled viewers use Canal Plus for > free. In March 2002 Canal Plus Group filed a lawsuit against NDS > Group, accusing it of cracking its digital television smart cards and > putting the confidential information on the Internet. Since then, I > have not seen any major changes in DVB CA to cater for these challenges. > > > Haitham > > ---- > Dr. Haitham S. Cruickshank > Lecturer > Communications Centre for Communication Systems Research (CCSR) > School of Electronics, Computing and Mathematics > University of Surrey, Guildford, Surrey GU2 7XH, UK > > Tel: +44 1483 686007 (indirect 689844) > Fax: +44 1483 686011 > e-mail: H.Cruickshank@surrey.ac.uk > http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ > > ________________________________ > > From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art > Sent: Thu 22/06/2006 20:02 > To: ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr > (CCSR); P.Pillai@Bradford.ac.uk > Subject: RE: Security-Requirements: alternatives? > > > > See below. > > > _____________ > Art Allison > Director, Advanced Engineering > Science & Technology > National Association of Broadcasters > 1771 N Street, NW > Washington, D.C. 20036 > Phone: 202.429.5418 > Fax: 202.777.4981 > aallison@nab.org > > The National Association of Broadcasters is a trade association > that > advocates on behalf of more than 8,300 free, local radio and > television > stations and also broadcast networks before Congress, the > Federal > Communications Commission and the Courts. > > -----Original Message----- > From: owner-ipdvb@erg.abdn.ac.uk > [mailto:owner-ipdvb@erg.abdn.ac.uk] On > Behalf Of H.Cruickshank@surrey.ac.uk > Sent: Thursday, June 22, 2006 2:09 PM > To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; > S.Iyengar@surrey.ac.uk; > P.Pillai@Bradford.ac.uk > Subject: RE: Security-Requirements: alternatives? > > Hi Gorry, > > This issue has been addressed in the security draft. Some text > has > been added to section 5.1 to this effect: > > Basically, in practice there are not many L2 security systems > for MPEG > transmission networks. Two major examples are: > > * Conditional access for digital TV broadcasting is one example > that > exists today. This system is optimised for TV broadcast > services only, > and is not suitable for IP packet transmissions and difficult to > interwork with ULE. > AA> See ATSC A/70A. I strongly disagree with assertion about the > difficulty to interwork with ULE. The ULE can be put in a > virtual > channel in the ATSC system and the standard directly applied. > > * Some other L2 security systems are specified in standards such > the MPE > for DVB system . However, MPE security incomplete and there are > no known > implementations of such security system. > > * For DVB-S2 Generic Streams, where IP encapsulation could be > similar to > ULE. The authors believe that ULE security format can be used > for > Generic Streams as well. > > We would like to ask the ipdvb WG if anybody knows any other > existing L2 > security systems that might be suitable for ULE. > > AA> See ATSC A/70A for ULE when sent in conformance with ATSC > Standards. > > Haitham > ---- > > Dr. Haitham S. Cruickshank > > Lecturer > Communications Centre for Communication Systems Research (CCSR) > School > of Electronics, Computing and Mathematics University of Surrey, > Guildford, Surrey GU2 7XH, UK > > Tel: +44 1483 686007 (indirect 689844) > Fax: +44 1483 686011 > e-mail: H.Cruickshank@surrey.ac.uk > http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ > > > > -----Original Message----- > From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] > Sent: 22 June 2006 15:37 > To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr > (CCSR); > P.Pillai@Bradford.ac.uk > Subject: Security-Requirements: alternatives? > > Haitham, I-D Authors, List, > > One of the issues we need to be clear about in preparing for a > WG > adoption of the security requirements I-D is the possible > alternatives > that have been proposed/implemented in other standards > organisations. > > Could you summarise the methods that have been proposed for > MPEG-2 > transmission networks that provide equivalent L2 security > functions, and > say which to your knowledge has actually have been implemented > in > systems? > > Thanks, > > Gorry > > > > > > > > > From owner-ipdvb@erg.abdn.ac.uk Thu Jun 29 12:07:16 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fvz2y-0008LC-G1 for ipdvb-archive@ietf.org; Thu, 29 Jun 2006 12:07:16 -0400 Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fvxr5-00055D-0u for ipdvb-archive@ietf.org; Thu, 29 Jun 2006 10:50:55 -0400 Received: from dee.erg.abdn.ac.uk ([139.133.204.82] helo=erg.abdn.ac.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Fvxbo-0005iD-1G for ipdvb-archive@ietf.org; Thu, 29 Jun 2006 10:35:14 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5TENfxq024716 for ; Thu, 29 Jun 2006 15:23:41 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5TENfFB024715 for ipdvb-subscribed-users; Thu, 29 Jun 2006 15:23:41 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from ads40.surrey.ac.uk (ads40.surrey.ac.uk [131.227.102.140]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5TENVVK024681 for ; Thu, 29 Jun 2006 15:23:31 +0100 (BST) Received: from EVS-EC1-NODE1.surrey.ac.uk ([131.227.102.136]) by ads40.surrey.ac.uk with Microsoft SMTPSVC(6.0.3790.1830); Thu, 29 Jun 2006 15:23:26 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C69B87.95DB1B4B" Subject: RE: Security-Requirements: alternatives? Date: Thu, 29 Jun 2006 15:23:26 +0100 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security-Requirements: alternatives? Thread-Index: AcaWCSTQqvFxBaMJR52aksYGDj5i3gAHCBCAAAIqs7AATokj0AByPPkgAGQNTCoAA8R4kAAtn8ea From: To: X-OriginalArrivalTime: 29 Jun 2006 14:23:26.0761 (UTC) FILETIME=[9616E190:01C69B87] X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: -2.6 (--) X-Scan-Signature: 38a35b5fc88e9b9a2affced027b040a4 This is a multi-part message in MIME format. ------_=_NextPart_001_01C69B87.95DB1B4B Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi again Art,=0A= =20=0A= Many thanks Art for your opinion and input about ATSC security system (ATSC= A/ 70A).=20=20=0A= =20=0A= We will provide an update for the next rev of the requirements I-D that cla= rifies this point and to include refs to how ATSC provides its security ser= vices.=0A= =20=0A= Would Art be willing to help check the paragraphs correctly reflect ATSC's = specs.=0A= =0A= Many thanks=0A= Haitham=0A= =20=0A= ----=0A= Dr. Haitham S. Cruickshank=20=0A= Lecturer=20=0A= Communications Centre for Communication Systems Research (CCSR)=20=0A= School of Electronics, Computing and Mathematics=20=0A= University of Surrey, Guildford, Surrey GU2 7XH, UK=20=0A= =20=0A= Tel: +44 1483 686007 (indirect 689844)=20=0A= Fax: +44 1483 686011=20=0A= e-mail: H.Cruickshank@surrey.ac.uk=20=0A= http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=20=0A= =0A= ________________________________=0A= =0A= From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art=0A= Sent: Wed 28/06/2006 17:35=0A= To: ipdvb@erg.abdn.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =0A= =0A= =0A= Thanks.=0A= I agree that to secure some of the flows carried by packets with a=0A= single PID and not others; one could not apply A/70A.=20=0A= Art=0A= _____________=0A= Art Allison=0A= Director, Advanced Engineering=0A= Science & Technology=0A= National Association of Broadcasters=0A= 1771 N Street, NW=0A= Washington, D.C. 20036=0A= Phone: 202.429.5418=0A= Fax: 202.777.4981=0A= aallison@nab.org=0A= =0A= The National Association of Broadcasters is a trade association that=0A= advocates on behalf of more than 8,300 free, local radio and television=0A= stations and also broadcast networks before Congress, the Federal=0A= Communications Commission and the Courts.=0A= =0A= -----Original Message-----=0A= From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On=0A= Behalf Of H.Cruickshank@surrey.ac.uk=0A= Sent: Wednesday, June 28, 2006 10:55 AM=0A= To: ipdvb@erg.abdn.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =0A= Hi again Art,=0A= =0A= May be we should get the terminology right first.=0A= =0A= A typical usage is for the ULE Stream sent on a single PID to carry=0A= unicast or multicast packets with several different IP destination=0A= addresses (and therefore corresponding different MAC addresses). The aim=0A= of ULE security is therefore to secure the L2 conversations between each=0A= Receiver and the Encapsulator that generates the corresponding ULE=0A= stream.=20=0A= =0A= Also it is possible to do a more fine grain security (per IP flow),=0A= depending on the security association which is part of a key management=0A= system.=0A= Haitham=0A= =0A= =0A= ----=0A= Dr. Haitham S. Cruickshank=0A= Lecturer=0A= Communications Centre for Communication Systems Research (CCSR) School=0A= of Electronics, Computing and Mathematics University of Surrey,=0A= Guildford, Surrey GU2 7XH, UK=0A= =0A= Tel: +44 1483 686007 (indirect 689844)=0A= Fax: +44 1483 686011=0A= e-mail: H.Cruickshank@surrey.ac.uk=0A= http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=0A= =0A= ________________________________=0A= =0A= From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art=0A= Sent: Mon 26/06/2006 16:15=0A= To: ipdvb@erg.abdn.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =0A= =0A= Perhaps I misunderstood, but I thought that the approach chosen in ULE=0A= was for there to be one logical channel per PID ["...locate a specific=0A= ULE Stream (i.e., the PID value of the TS Logical Channel that carries a=0A= ULE Stream)"] as contrasted with multiple logical channels carried in=0A= MPEG-2 TS packets with a single PID.=0A= =0A= The discovery of 'logical channels' carried in IP packets delivered via=0A= MPEG-2 TS packets with a single PID appears to not be standardized.=0A= Perhaps this falls into the general case of any IP delivery. If so,=0A= separate security access for each distinct element a functionality that=0A= A/70A would not provide.=0A= =0A= But then it seems to me to not be different than the functionality=0A= provided for by existing RFCs for security of arbitrary content=0A= delivered using IP encapsulation, i.e., https: and such=0A= =0A= If it is general purpose IP, then it seems to me that the proposal=0A= should make a case that the current RFCs fail to meet the requirements=0A= asserted to be needed. If it is 'logical channel' protection, then it=0A= is different that the general case.=0A= =0A= But perhaps I have not been following this in adequate depth - and I=0A= waste your time, If so - no need to attempt to educate me.=0A= Regards,=0A= Art=0A= =0A= _____________=0A= Art Allison=0A= Director, Advanced Engineering=0A= Science & Technology=0A= National Association of Broadcasters=0A= 1771 N Street, NW=0A= Washington, D.C. 20036=0A= Phone: 202.429.5418=0A= Fax: 202.777.4981=0A= aallison@nab.org =20=0A= =0A= The National Association of Broadcasters is a trade association that=0A= advocates on behalf of more than 8,300 free, local radio and television=0A= stations and also broadcast networks before Congress, the Federal=0A= Communications Commission and the Courts.=0A= =0A= =0A= =0A= =0A= ________________________________=0A= =0A= From: owner-ipdvb@erg.abdn.ac.uk=0A= [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of=0A= H.Cruickshank@surrey.ac.uk=0A= Sent: Saturday, June 24, 2006 5:01 AM=0A= To: ipdvb@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk;=0A= gorry@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =20=20=20=20=20=20=20=0A= =20=20=20=20=20=20=20=0A= Hi Art,=0A= =20=20=20=20=20=20=20=20=0A= Many thanks for your input:=0A= =20=20=20=20=20=20=20=20=0A= ********************=0A= * Conditional access for digital TV broadcasting is one example=0A= that=0A= exists today. This system is optimised for TV broadcast=0A= services only,=0A= and is not suitable for IP packet transmissions and difficult to=0A= interwork with ULE.=0A= AA> See ATSC A/70A. I strongly disagree with assertion about the=0A= difficulty to interwork with ULE. The ULE can be put in a=0A= virtual=0A= channel in the ATSC system and the standard directly applied.=0A= *******************=0A= =20=20=20=20=20=20=20=20=0A= I completely agree with you that A/70A (Conditional Access=0A= System for Terrestrial Broadcast, Revision A) can interwork with ULE,=0A= where encryption is based on PIDs, which sometimes means bundling many=0A= IP flows with one PID. In our draft (ULE requirements), we aim for more=0A= fine grain security and securing every IP flow individually and try to=0A= re-use existing work in the IETF on key management.=0A= =20=20=20=20=20=20=20=20=0A= Accidentally reading through A/70A, it looks much better than=0A= the DVB Conditional Access. I personally do not have much faith in DVB=0A= Conditional Access (DVB CA): You might probably know that DVB CA has=0A= been surrounded by controversy for many years due to the spread of=0A= counterfeit smart cards. For example, in late 1999, Italy was flooded=0A= with cheap counterfeit cards that enabled viewers use Canal Plus for=0A= free. In March 2002 Canal Plus Group filed a lawsuit against NDS=0A= Group, accusing it of cracking its digital television smart cards and=0A= putting the confidential information on the Internet. Since then, I=0A= have not seen any major changes in DVB CA to cater for these challenges.=0A= =0A= =20=20=20=20=20=20=20=20=0A= Haitham=0A= =20=20=20=20=20=20=20=0A= ----=0A= Dr. Haitham S. Cruickshank=0A= Lecturer=0A= Communications Centre for Communication Systems Research (CCSR)=0A= School of Electronics, Computing and Mathematics=0A= University of Surrey, Guildford, Surrey GU2 7XH, UK=0A= =20=20=20=20=20=20=20=20=0A= Tel: +44 1483 686007 (indirect 689844)=0A= Fax: +44 1483 686011=0A= e-mail: H.Cruickshank@surrey.ac.uk=0A= http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=0A= =0A= ________________________________=0A= =0A= From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art=0A= Sent: Thu 22/06/2006 20:02=0A= To: ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr=0A= (CCSR); P.Pillai@Bradford.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =20=20=20=20=20=20=20=0A= =20=20=20=20=20=20=20=0A= =0A= See below.=0A= =20=20=20=20=20=20=20=0A= =20=20=20=20=20=20=20=0A= _____________=0A= Art Allison=0A= Director, Advanced Engineering=0A= Science & Technology=0A= National Association of Broadcasters=0A= 1771 N Street, NW=0A= Washington, D.C. 20036=0A= Phone: 202.429.5418=0A= Fax: 202.777.4981=0A= aallison@nab.org=0A= =20=20=20=20=20=20=20=0A= The National Association of Broadcasters is a trade association=0A= that=0A= advocates on behalf of more than 8,300 free, local radio and=0A= television=0A= stations and also broadcast networks before Congress, the=0A= Federal=0A= Communications Commission and the Courts.=0A= =20=20=20=20=20=20=20=0A= -----Original Message-----=0A= From: owner-ipdvb@erg.abdn.ac.uk=0A= [mailto:owner-ipdvb@erg.abdn.ac.uk] On=0A= Behalf Of H.Cruickshank@surrey.ac.uk=0A= Sent: Thursday, June 22, 2006 2:09 PM=0A= To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk;=0A= S.Iyengar@surrey.ac.uk;=0A= P.Pillai@Bradford.ac.uk=0A= Subject: RE: Security-Requirements: alternatives?=0A= =20=20=20=20=20=20=20=0A= Hi Gorry,=0A= =20=20=20=20=20=20=20=0A= This issue has been addressed in the security draft. Some text=0A= has=0A= been added to section 5.1 to this effect:=0A= =20=20=20=20=20=20=20=0A= Basically, in practice there are not many L2 security systems=0A= for MPEG=0A= transmission networks. Two major examples are:=0A= =20=20=20=20=20=20=20=0A= * Conditional access for digital TV broadcasting is one example=0A= that=0A= exists today. This system is optimised for TV broadcast=0A= services only,=0A= and is not suitable for IP packet transmissions and difficult to=0A= interwork with ULE.=0A= AA> See ATSC A/70A. I strongly disagree with assertion about the=0A= difficulty to interwork with ULE. The ULE can be put in a=0A= virtual=0A= channel in the ATSC system and the standard directly applied.=0A= =20=20=20=20=20=20=20=0A= * Some other L2 security systems are specified in standards such=0A= the MPE=0A= for DVB system . However, MPE security incomplete and there are=0A= no known=0A= implementations of such security system.=0A= =20=20=20=20=20=20=20=0A= * For DVB-S2 Generic Streams, where IP encapsulation could be=0A= similar to=0A= ULE. The authors believe that ULE security format can be used=0A= for=0A= Generic Streams as well.=0A= =20=20=20=20=20=20=20=0A= We would like to ask the ipdvb WG if anybody knows any other=0A= existing L2=0A= security systems that might be suitable for ULE.=0A= =20=20=20=20=20=20=20=0A= AA> See ATSC A/70A for ULE when sent in conformance with ATSC=0A= Standards.=0A= =20=20=20=20=20=20=20=0A= Haitham=0A= ----=0A= =20=20=20=20=20=20=20=0A= Dr. Haitham S. Cruickshank=0A= =20=20=20=20=20=20=20=0A= Lecturer=0A= Communications Centre for Communication Systems Research (CCSR)=0A= School=0A= of Electronics, Computing and Mathematics University of Surrey,=0A= Guildford, Surrey GU2 7XH, UK=0A= =20=20=20=20=20=20=20=0A= Tel: +44 1483 686007 (indirect 689844)=0A= Fax: +44 1483 686011=0A= e-mail: H.Cruickshank@surrey.ac.uk=0A= http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/=0A= =20=20=20=20=20=20=20=0A= =20=20=20=20=20=20=20=0A= =20=20=20=20=20=20=20=0A= -----Original Message-----=0A= From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk]=0A= Sent: 22 June 2006 15:37=0A= To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr=0A= (CCSR);=0A= P.Pillai@Bradford.ac.uk=0A= Subject: Security-Requirements: alternatives?=0A= =20=20=20=20=20=20=20=0A= Haitham, I-D Authors, List,=0A= =20=20=20=20=20=20=20=0A= One of the issues we need to be clear about in preparing for a=0A= WG=0A= adoption of the security requirements I-D is the possible=0A= alternatives=0A= that have been proposed/implemented in other standards=0A= organisations.=0A= =20=20=20=20=20=20=20=0A= Could you summarise the methods that have been proposed for=0A= MPEG-2=0A= transmission networks that provide equivalent L2 security=0A= functions, and=0A= say which to your knowledge has actually have been implemented=0A= in=0A= systems?=0A= =20=20=20=20=20=20=20=0A= Thanks,=0A= =20=20=20=20=20=20=20=0A= Gorry=0A= =20=20=20=20=20=20=20=0A= =20=20=20=20=20=20=20=0A= =20=20=20=20=20=20=20=0A= =20=20=20=20=20=20=20=0A= =0A= =0A= =0A= =0A= ------_=_NextPart_001_01C69B87.95DB1B4B Content-Type: text/plain; name="msg-10628-441.txt" Content-Disposition: attachment; filename="msg-10628-441.txt" Content-Transfer-Encoding: 8bit Hi again Art, Many thanks Art for your opinion and input about ATSC security system (ATSC A/ 70A). We will provide an update for the next rev of the requirements I-D that clarifies this point and to include refs to how ATSC provides its security services. Would Art be willing to help check the paragraphs correctly reflect ATSC's specs. Many thanks Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Wed 28/06/2006 17:35 To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Thanks. I agree that to secure some of the flows carried by packets with a single PID and not others; one could not apply A/70A. Art _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Wednesday, June 28, 2006 10:55 AM To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Hi again Art, May be we should get the terminology right first. A typical usage is for the ULE Stream sent on a single PID to carry unicast or multicast packets with several different IP destination addresses (and therefore corresponding different MAC addresses). The aim of ULE security is therefore to secure the L2 conversations between each Receiver and the Encapsulator that generates the corresponding ULE stream. Also it is possible to do a more fine grain security (per IP flow), depending on the security association which is part of a key management system. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Mon 26/06/2006 16:15 To: ipdvb@erg.abdn.ac.uk Subject: RE: Security-Requirements: alternatives? Perhaps I misunderstood, but I thought that the approach chosen in ULE was for there to be one logical channel per PID ["...locate a specific ULE Stream (i.e., the PID value of the TS Logical Channel that carries a ULE Stream)"] as contrasted with multiple logical channels carried in MPEG-2 TS packets with a single PID. The discovery of 'logical channels' carried in IP packets delivered via MPEG-2 TS packets with a single PID appears to not be standardized. Perhaps this falls into the general case of any IP delivery. If so, separate security access for each distinct element a functionality that A/70A would not provide. But then it seems to me to not be different than the functionality provided for by existing RFCs for security of arbitrary content delivered using IP encapsulation, i.e., https: and such If it is general purpose IP, then it seems to me that the proposal should make a case that the current RFCs fail to meet the requirements asserted to be needed. If it is 'logical channel' protection, then it is different that the general case. But perhaps I have not been following this in adequate depth - and I waste your time, If so - no need to attempt to educate me. Regards, Art _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. ________________________________ From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Saturday, June 24, 2006 5:01 AM To: ipdvb@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Art, Many thanks for your input: ******************** * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. ******************* I completely agree with you that A/70A (Conditional Access System for Terrestrial Broadcast, Revision A) can interwork with ULE, where encryption is based on PIDs, which sometimes means bundling many IP flows with one PID. In our draft (ULE requirements), we aim for more fine grain security and securing every IP flow individually and try to re-use existing work in the IETF on key management. Accidentally reading through A/70A, it looks much better than the DVB Conditional Access. I personally do not have much faith in DVB Conditional Access (DVB CA): You might probably know that DVB CA has been surrounded by controversy for many years due to the spread of counterfeit smart cards. For example, in late 1999, Italy was flooded with cheap counterfeit cards that enabled viewers use Canal Plus for free. In March 2002 Canal Plus Group filed a lawsuit against NDS Group, accusing it of cracking its digital television smart cards and putting the confidential information on the Internet. Since then, I have not seen any major changes in DVB CA to cater for these challenges. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ ________________________________ From: owner-ipdvb@erg.abdn.ac.uk on behalf of Allison, Art Sent: Thu 22/06/2006 20:02 To: ipdvb@erg.abdn.ac.uk; gorry@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? See below. _____________ Art Allison Director, Advanced Engineering Science & Technology National Association of Broadcasters 1771 N Street, NW Washington, D.C. 20036 Phone: 202.429.5418 Fax: 202.777.4981 aallison@nab.org The National Association of Broadcasters is a trade association that advocates on behalf of more than 8,300 free, local radio and television stations and also broadcast networks before Congress, the Federal Communications Commission and the Courts. -----Original Message----- From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On Behalf Of H.Cruickshank@surrey.ac.uk Sent: Thursday, June 22, 2006 2:09 PM To: gorry@erg.abdn.ac.uk; ipdvb@erg.abdn.ac.uk; S.Iyengar@surrey.ac.uk; P.Pillai@Bradford.ac.uk Subject: RE: Security-Requirements: alternatives? Hi Gorry, This issue has been addressed in the security draft. Some text has been added to section 5.1 to this effect: Basically, in practice there are not many L2 security systems for MPEG transmission networks. Two major examples are: * Conditional access for digital TV broadcasting is one example that exists today. This system is optimised for TV broadcast services only, and is not suitable for IP packet transmissions and difficult to interwork with ULE. AA> See ATSC A/70A. I strongly disagree with assertion about the difficulty to interwork with ULE. The ULE can be put in a virtual channel in the ATSC system and the standard directly applied. * Some other L2 security systems are specified in standards such the MPE for DVB system . However, MPE security incomplete and there are no known implementations of such security system. * For DVB-S2 Generic Streams, where IP encapsulation could be similar to ULE. The authors believe that ULE security format can be used for Generic Streams as well. We would like to ask the ipdvb WG if anybody knows any other existing L2 security systems that might be suitable for ULE. AA> See ATSC A/70A for ULE when sent in conformance with ATSC Standards. Haitham ---- Dr. Haitham S. Cruickshank Lecturer Communications Centre for Communication Systems Research (CCSR) School of Electronics, Computing and Mathematics University of Surrey, Guildford, Surrey GU2 7XH, UK Tel: +44 1483 686007 (indirect 689844) Fax: +44 1483 686011 e-mail: H.Cruickshank@surrey.ac.uk http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ -----Original Message----- From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] Sent: 22 June 2006 15:37 To: Cruickshank HS Dr (CCSR); ipdvb@erg.abdn.ac.uk; Iyengar S Mr (CCSR); P.Pillai@Bradford.ac.uk Subject: Security-Requirements: alternatives? Haitham, I-D Authors, List, One of the issues we need to be clear about in preparing for a WG adoption of the security requirements I-D is the possible alternatives that have been proposed/implemented in other standards organisations. Could you summarise the methods that have been proposed for MPEG-2 transmission networks that provide equivalent L2 security functions, and say which to your knowledge has actually have been implemented in systems? Thanks, Gorry ------_=_NextPart_001_01C69B87.95DB1B4B-- From owner-ipdvb@erg.abdn.ac.uk Fri Jun 30 17:32:14 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FwQb0-0003RE-Ue for ipdvb-archive@ietf.org; Fri, 30 Jun 2006 17:32:14 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FwQay-0000u8-5z for ipdvb-archive@ietf.org; Fri, 30 Jun 2006 17:32:14 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k5ULIoln019311 for ; Fri, 30 Jun 2006 22:18:50 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k5ULIoWF019310 for ipdvb-subscribed-users; Fri, 30 Jun 2006 22:18:50 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from smtp-out1.oct.nac.net (smtp-out1.oct.nac.net [209.123.233.211]) by erg.abdn.ac.uk (8.13.4/8.13.4) with SMTP id k5ULIbDf019293 for ; Fri, 30 Jun 2006 22:18:38 +0100 (BST) Received: (qmail 44195 invoked by uid 0); 30 Jun 2006 17:18:39 -0400 Received: from unknown (HELO mail1.oct.nac.net) (209.123.233.241) by smtp-out1.oct.nac.net with SMTP; 30 Jun 2006 17:18:39 -0400 Received: (qmail 42003 invoked from network); 30 Jun 2006 17:18:38 -0400 Received: from unknown (HELO nsx.garage) (gmgross@66.246.164.81) by mail1.oct.nac.net with SMTP; 30 Jun 2006 17:18:38 -0400 Received: (from gmg@localhost) by nsx.garage (8.11.2/8.11.2) id k5UHbJ911093; Fri, 30 Jun 2006 13:37:19 -0400 Date: Fri, 30 Jun 2006 13:37:19 -0400 (EDT) From: George Gross To: "ipdvb@erg.abdn.ac.uk" Subject: Re: I-D ACTION:draft-cruickshank-ipdvb-sec-req-02.txt In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.5 (/) X-Scan-Signature: 2a76bcd37b1c8a21336eb0a1ea6bbf48 Hi Haitham and co-authors, since your ULE security requirements draft cites both GSAKMP and IPsec, I thought it merited a closer look. In parallel, I've also been looking at the ULE security extension header draft too, but I will comment on that in a separate e-mail. First off, let me qualify what I'm about to say, as my understanding of the IPDVB architecture is still imperfect. I'm coming from a MSEC perspective, and I'll need to verify some of my assumptions along the way, so please let know if I'm off the mark... ASSUMPTIONS: Viewed from 10,000 feet (or perhaps even better from a geosynchronous orbit ;o) the IPDVB network can be characterized a point to multi-point layer-2 network topology, which may or may not be capable of satellite based bi-directional Internet communication. In any case, terrestrial Internet UDLR communications will be available when the satellite link is one-way. Peer-to-peer communications between the subscribers is possible only via the MPEG Transmission Stream Multiplexor acting a layer-2 relay (or layer-3 router). The service model presented to each subscriber is effectively a private Layer-2 virtual Ethernet LAN. In the simplest topology, the VLAN has only two MAC station addresses: a Service Provider's edge router interface and the individual subscriber's DVB terminal. In a corporate setting, the VLAN would have a closed group of MAC station addresses, at least one of which would be an IP router. In this VLAN configuration, it is possible to send a layer-2 frame multicast from a MAC station to all other MAC stations on the same VLAN (i.e. MPEG-TS-Mux duplicates and issues the multicast on behalf of the subscriber terminal). It is also possible to send a unicast layer-2 frame between any two subscriber MAC stations belonging to the VLAN via the MPEG-TS-Mux. In other words, the VLAN maps into a secure group. QUESTIONS: If the above set of assumptions are accurate, then I have the following comments and questions about the IPDVB security requirements. 1) The IPDVB security requirements talk about "address hiding", but really that security service is better described as "identity protection using a pseudonym MAC address". Please add some words to that effect. I agree that this is a valuable service to provide for IPDVB. However, it does raise some questions in my mind: a. what conditions would trigger the pseudonym MAC address to change? policy defined lifetime? or is it quasi-permanent (i.e. changes only at node reboot)? if the TS-Mux reboots, do the pseudonym MAC addresses change? b. when a node's pseudonym MAC address changes, do all parties communicating with that node's MAC station have to go through address resolution again? how do they detect this event? c. doesn't this problem suggest the requirement that the pseudonym MAC address transitions be made transparent to all of the in the progress communications? 2) no where in the document is there a requirement expressed for group SA re-keying (e.g. LKH). I would expect that policy would be set to periodically change the VLAN's SA keys (or after X kilo-bytes sent per key). also, VLAN membership changes would imply a requirement for forward/backward secrecy. 3) the requierements were not precise about the definition of source authentication. Clearly for pair-wise SA then a MAC is sufficient. For groups, you would need to say whether group authentication or individual source authentication is required. if the answer is both mechanisms, would the requirements ask for per packet choice of that mechanism? 4) section 3 does not use the MUST and SHOULD keywords as often as I would have expected. then again, as a requierements document I don't know if that kind of normative language is necessary. what do people in the IPFVB WG think? 5) Scenario 1 on page 8 says "ULE MAC address hiding should be provided...". Does that mean that a solution that didn't offer that feature would still be compliant? i.e. "should" is not the same as "must" or "MUST". 6) Authentication costs bandwidth, which is at a premium on the satellite link. Would it not be more bandwidth efficient to do authentication at each layer-2 frame PDU boundary rather than for each 184 byte long SNDU unit within that frame? 7) I noticed that the authentication MAC field in your proposed security extension header is 32 bits long, whereas the minimum used with HMAC-SHA1 in the IPsec suite is 96 bits. In terms of cryptographic strength, 32 bits is weak. So I think a rationale for the 32-bit MAC would in order somewhere in this document. 8) the requirements should indicate whether 64-bit sequence numbers are to be supported (or not) as RFC4301 does define this capability. 9) it was not clear to me (being an IPDVB newbie) at what granularity does the Packet Identifier (PID) get assigned? is there one allocated to each Service Provider? BTW, that acronym is very loaded, usually in other circles it is interpreted to mean "protocol identifier". I would suggest a new acronym. how about "Transport Stream Logical Channel" (TSLC)? 10) ESP allows padding to deliberately lengthen the payload, with the intent of protecting against traffic analysis. IPDVB may not want to provide that service, but since this document refers to IPsec as its model, in general it would useful to systematically say what subset is being required for this feature or any other that IPsec offers. 11) it would be useful to enumerate what pre-configured or out of band installed parameters are assumed to be known to the subscriber terminal about its layer-2 environment, versus what parameters are discovered or setup by protocols. for example, I would expect certain trust anchor public keys would have to be pre-placed on the subscriber terminal. hth, George On Wed, 21 Jun 2006, Gorry Fairhurst wrote: > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > > Title : Security requirements for the Unidirectional Lightweight > Encapsulation (ULE) protocol > Author(s) : H. Cruickshank, et al. > Filename : draft-cruickshank-ipdvb-sec-req-02.txt > Pages : 16 > Date : 2006-6-20 > > This document provides a threat analysis and derives security > requirements for MPEG-2 transmission links using the > Unidirectional Lightweight Encapsulation (ULE). It also provides > the motivation for ULE link-level security. This work is intended > as a work item of the ipdvb WG, and contributions are sought from > the IETF on this topic. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-cruickshank-ipdvb-sec-req-02.txt > > > Internet-Drafts are also available by anonymous FTP. Login with the username > "anonymous" and a password of your e-mail address. After logging in, > type "cd internet-drafts" and then > "get draft-cruickshank-ipdvb-sec-req-02.txt". > > A list of Internet-Drafts directories can be found in > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv at ietf.org. > In the body type: > "FILE /internet-drafts/draft-cruickshank-ipdvb-sec-req-02.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. > > > From owner-ipdvb@erg.abdn.ac.uk Fri Jun 30 23:51:20 2006 Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FwWVs-0000uk-IX for ipdvb-archive@ietf.org; Fri, 30 Jun 2006 23:51:20 -0400 Received: from [2001:630:241:204:203:baff:fe9a:8c9b] (helo=erg.abdn.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FwWVm-0002Ny-Vl for ipdvb-archive@ietf.org; Fri, 30 Jun 2006 23:51:20 -0400 Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id k613jZGN017889 for ; Sat, 1 Jul 2006 04:45:35 +0100 (BST) Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id k613jZ8X017888 for ipdvb-subscribed-users; Sat, 1 Jul 2006 04:45:35 +0100 (BST) X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f Received: from smtp-out1.oct.nac.net (smtp-out1.oct.nac.net [209.123.233.211]) by erg.abdn.ac.uk (8.13.4/8.13.4) with SMTP id k613jO47017871 for ; Sat, 1 Jul 2006 04:45:25 +0100 (BST) Received: (qmail 33433 invoked by uid 0); 30 Jun 2006 23:45:23 -0400 Received: from unknown (HELO mail1.oct.nac.net) (209.123.233.241) by smtp-out1.oct.nac.net with SMTP; 30 Jun 2006 23:45:23 -0400 Received: (qmail 77285 invoked from network); 30 Jun 2006 23:45:23 -0400 Received: from unknown (HELO nsx.garage) (gmgross@66.246.164.81) by mail1.oct.nac.net with SMTP; 30 Jun 2006 23:45:23 -0400 Received: (from gmg@localhost) by nsx.garage (8.11.2/8.11.2) id k61041212131; Fri, 30 Jun 2006 20:04:01 -0400 Date: Fri, 30 Jun 2006 20:04:01 -0400 (EDT) From: George Gross To: Subject: Re: FW: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (enclosed) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-ERG-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No Sender: owner-ipdvb@erg.abdn.ac.uk Precedence: bulk Reply-To: ipdvb@erg.abdn.ac.uk X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk X-Spam-Score: 0.1 (/) X-Scan-Signature: 057ebe9b96adec30a7efb2aeda4c26a4 Hi Haitham and co-authors, I reviewed your draft, and from what I can tell, the proposed ULE security extension header fits the requirements in many regards. I do have a few comments and clarifications: 1) the sequence number processing steps described in section 2.3 omits mention of updating of the transmitter's ULE-SA sequence number state variable. 2) section 2.4 omits mention of updating the receiver's sequence number state variable's update procedure. your procedure implicitly assumes in order delivery of the SNDUs, which is different than IPsec. as you may recall, IPsec defines an algorithm with a sliding window for acceptable sequence numbers that handles out of order delivery. I would suggest should pointing out the ULE dependency on the FIFO delivery order. 3) In reading over your description of the ULE-SPD, it seemed to me that it really augments the RFC4301 SPD with at least a traffic selector for the NPA address, and also temporary NPA. you may wish to consider whether other ULE header fields (e.g. the type field) can also participate in the ULE-SPD. also not explicitly mentioned is that the ULE-SPD does evaluate IP-v4 header fields or IP-v6 header fields beyond the ULE header, correct? this would be helpful to highlight in your intro about the ULE-SPD. 4) the focus of the document seems to be on the SNDU flow from the TS-Mux to the receiver(s). yet would not DVB-RCS require comparable security protections for the inverse SNDU traffic flow? in that case, does the inbound ULE-SPD within the TS-Mux need to know the source NPA address when decrypting a non-IP layer-3 PDU since it can't de-mux using the source IP address? 5) assuming there is a VLAN group within a DVB-RCS network, is there a distinct ULE SA with anti-replay state maintained by the TS-Mux SAD for each subscriber terminal within that VLAN? in other words, is there a ULE-SA per VLAN Group Speaker? 6) as mentioned in my earlier e-mail, I'm concerned about the 32-bit authenticator field length not being strong enough. BTW, in my earlier e-mail's list item #6, I mistakenly mixed up "TS packets" with SNDUs. plz disregard that statement. Clearly, there isn't a MAC computed per TS packet. 7) how would this S-ULE extension header encode a digital signature's data or handle TESLA for a multicast SNDU source authentication? I haven't thought this through entirely, but at first glance this seems like a possible feature for securing ARP or ND multicasts. A ULE-SA using this feature would have its own distinct ULE-SID allocated to it. It would be an example of when you might want more than one S-ULE extension header before the SNDU payload. br, George On Sat, 24 Jun 2006 H.Cruickshank@surrey.ac.uk wrote: > Dear ipdvb WG, > > Gorry has kindly submitted for our the Internet draft on security extensions to ULE(version 2) . > > This draft complements the ULE security requirements that was posted recently. The main focus of the security extension is defining the header format to carry secure data over ULE. > > We (the authors) feel this work fits well to the ipdvb current activity. Many security related issues such as key management and security algorithm are borrowed from existing work in IPsec and MSEC groups. The main focus of this draft is the ULE header format for security. > > Haitham > > ---- > Dr. Haitham S. Cruickshank > Lecturer > Communications Centre for Communication Systems Research (CCSR) > School of Electronics, Computing and Mathematics > University of Surrey, Guildford, Surrey GU2 7XH, UK > > Tel: +44 1483 686007 (indirect 689844) > Fax: +44 1483 686011 > e-mail: H.Cruickshank@surrey.ac.uk > http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/ > > ________________________________ > > From: Gorry Fairhurst [mailto:gorry@erg.abdn.ac.uk] > Sent: Fri 23/06/2006 09:11 > To: Internet-Drafts Administrator > Cc: Cruickshank HS Dr (CCSR) > Subject: New Internet Draft rev: draft-cruickshank-ipdvb-sec-02.txt (enclosed) > > > > > On behalf of the authors, I wish to submit the enclosed draft: > > Security Extension for Unidirectional Lightweight Encapsulation > Protocol > > Best wishes, > > Gorry > > > > > >