
From nobody Mon May  4 08:19:59 2015
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B4041A710C for <ipsec@ietfa.amsl.com>; Mon,  4 May 2015 08:19:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level: 
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UQzyBMB2ErkA for <ipsec@ietfa.amsl.com>; Mon,  4 May 2015 08:19:56 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0411A6FF1 for <ipsec@ietf.org>; Mon,  4 May 2015 08:19:49 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t44FJkcP026688 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Mon, 4 May 2015 18:19:46 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t44FJkf9029885; Mon, 4 May 2015 18:19:46 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <21831.36370.456872.844171@fireball.kivinen.iki.fi>
Date: Mon, 4 May 2015 18:19:46 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 23 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/fe3-XMHTyeE7_A4uCmFhmc9tDkQ>
Subject: [IPsec] My comments to draft-ietf-ipsecme-chacha20-poly1305-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2015 15:19:58 -0000

I have now read the latest draft-ietf-ipsecme-chacha20-poly1305-06 and
it seems to be ok. I have a few nits that could be fixed, and one
real mistake:

----------------------------------------------------------------------
In appendix B you say:

         The ciphertext is also 16 octets long, so the construction
   has no padding at all.

This is not true. The ciphertext was 13 bytes long (as can be seen
from the length), and there were 3 bytes of padding.
----------------------------------------------------------------------
Nits:

In section 2:

   The same key and nonce, along with a block counter of zero are passed
   to the ChaCha20 block function, and the top 256 bits of the result
   are used as the Poly1305 key.  The nonce passed to the block function
   here is the same nonce that is used in ChaCha20, including the 32-bit
   Salt, and the key passed is the same as the encryption key.

I think it is a bit useless to first say that "The same key and nonce,
..." and then define that by the way the nonce is the same and the key
is the same ...

I would remove the second sentence; I think it is enough to say that
the same key and nonce are passed to the block function.

--

In the draft you use "little-endian integer" and "network order
integer". I do not know what the order of the network is (most likely
it is messed up), but I assume you mean "integer in network byte
order" or something like that. You might want to talk about "byte
orders" in both cases.

Btw, I really hate to have a system where we need to mix network byte
order and little-endian byte order stuff, but I think that is what CFRG
decided, so better stick with that.

--

In section 2.1 you should expand ESN.

-- 
kivinen@iki.fi
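Added example (not from the draft or from Tero's mail) that builds the Poly1305 input exactly as the AEAD construction lays it out, so the padding arithmetic behind the Appendix B correction and the byte-order mix discussed above can be checked against concrete numbers. The ESP AAD layout (SPI and sequence number, 12 octets with ESN) and the sample values are assumptions of this example, and the one-time Poly1305 key is passed in rather than derived from the ChaCha20 block function.

```python
"""Poly1305 input layout for AEAD_CHACHA20_POLY1305 carried in ESP.

Added example; not code from the draft. It shows:
  * the ESP AAD (SPI, sequence number) is serialized in network byte order,
  * the AAD and the ciphertext are each zero-padded to a 16-octet boundary,
  * the two lengths are appended as 64-bit little-endian integers,
  * a 13-octet ciphertext therefore gets 3 octets of padding, not 0.
The one-time Poly1305 key is a parameter here; the draft derives it from the
ChaCha20 block function with counter zero, which this example does not repeat.
"""
import struct

P1305 = (1 << 130) - 5                          # Poly1305 prime
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF      # clamp applied to r


def pad16(data: bytes) -> bytes:
    """Zero padding that brings len(data) up to the next multiple of 16."""
    return b"\x00" * ((16 - len(data) % 16) % 16)


def esp_aad(spi: int, seq: int, esn: bool = False) -> bytes:
    """ESP AAD: SPI and sequence number, both in network (big-endian) order.

    Assumed layout for this example: 8 octets (SPI, 32-bit seq), or 12 octets
    with ESN (SPI, then the 64-bit sequence number, high word first).
    """
    if esn:
        return struct.pack("!IQ", spi, seq)
    return struct.pack("!II", spi, seq & 0xFFFFFFFF)


def poly1305_input(aad: bytes, ciphertext: bytes) -> bytes:
    """AAD || pad16(AAD) || C || pad16(C) || len(AAD) LE64 || len(C) LE64."""
    return (aad + pad16(aad) + ciphertext + pad16(ciphertext)
            + struct.pack("<QQ", len(aad), len(ciphertext)))


def poly1305_mac(otk: bytes, msg: bytes) -> bytes:
    """Poly1305 over msg with a 32-octet one-time key otk = r || s."""
    r = int.from_bytes(otk[:16], "little") & CLAMP
    s = int.from_bytes(otk[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each 16-octet block (the last may be shorter) gets a 0x01 byte
        # appended before being read as a little-endian number.
        block = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + block) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def esp_tag(otk: bytes, spi: int, seq: int, ciphertext: bytes,
            esn: bool = False) -> bytes:
    """Authentication tag for one ESP packet's (AAD, ciphertext) pair."""
    return poly1305_mac(otk, poly1305_input(esp_aad(spi, seq, esn), ciphertext))


if __name__ == "__main__":
    # Constructed sample values; not the draft's Appendix B vector.
    otk = bytes(range(32))
    ct = bytes(13)                         # 13-octet ciphertext
    mac_in = poly1305_input(esp_aad(0x01020304, 5), ct)
    print("ciphertext padding:", len(pad16(ct)), "octets")     # 3
    print("Poly1305 input:", len(mac_in), "octets")            # 48
    print("tag:", esp_tag(otk, 0x01020304, 5, ct).hex())
```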


From nobody Mon May  4 13:23:18 2015
Return-Path: <kathywan501@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32A9D1B29EB for <ipsec@ietfa.amsl.com>; Mon,  4 May 2015 13:23:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level: 
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6WkPcrF4xgwD for <ipsec@ietfa.amsl.com>; Mon,  4 May 2015 13:23:14 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 816B71B29E9 for <ipsec@ietf.org>; Mon,  4 May 2015 13:23:14 -0700 (PDT)
Received: by wiun10 with SMTP id n10so122797004wiu.1 for <ipsec@ietf.org>; Mon, 04 May 2015 13:23:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:date:message-id:subject:from:to:content-type; bh=14MU6wZiu3Ink2C71R8hPyiPsKL2y2vNquB/g3s17+Y=; b=kQw+DI6wzVtx/EPJqeK+zEpuvhSmRb2jFpqeG9e1wbFpKiblRWBpthf3Ra/YAkl9nt wzZw/Fbl+OEV342SI596nXqCAX0fWA7jZmswnS5K4hCTyCRk3AWmQ+dL0h7sx4ilPgOO 6qpDoUR+Fz+Z1gwyAb/29+UpIPx+Weg8480fs6v/p48X76Y4iXCgdb/o7lr+zPhwV5Ge bL58vKO8ZrwW1UCv4jCa7EOWnp0BSfFSJZiYpSa0UUxRO4FSS94aqAXLBiPTJ7eWczQc Zsp9ue0VmE1VJPaRPmD4Eve9QAZhQoPxE7tiFXptqb0jFfa7JOM8kvBgtmq942nY19m1 UrAQ==
MIME-Version: 1.0
X-Received: by 10.194.242.101 with SMTP id wp5mr1070605wjc.4.1430770992444; Mon, 04 May 2015 13:23:12 -0700 (PDT)
Received: by 10.28.86.87 with HTTP; Mon, 4 May 2015 13:23:12 -0700 (PDT)
Date: Mon, 4 May 2015 16:23:12 -0400
Message-ID: <CA+kP6mn-a_HJXSAEZWtpWzowBWPAsQxzW+BOa5w4FX2t-N-q=A@mail.gmail.com>
From: Lihua Wan <kathywan501@gmail.com>
To: ipsec@ietf.org
Content-Type: multipart/alternative; boundary=089e01419f52c27b75051547548f
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/UcL7rJkIdndEm6CZxHa5UjJcQek>
Subject: [IPsec] [RFC5723] initiator flag setting in resume exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2015 20:23:16 -0000

--089e01419f52c27b75051547548f
Content-Type: text/plain; charset=UTF-8

Hi all,
In RFC5723 section 5, it mentions

 +--------------------------------+----------------------------------+
 | State Item                     | After Resumption                 |
 +--------------------------------+----------------------------------+

...

 | Which peer is the "original    | Determined by the initiator of   |
 | initiator"?                    | IKE_SESSION_RESUME.              |


If client is initiator of IKE_SESSION_RESUME, I understand client is the
original initiator AFTER resumption. So the initiator flag in the IKE
header should be set by client after resumption.
My question is what about the resume request packet during resume exchange?
Should client set the initiator flag in the IKE header when it sends out the
resume request?

The case is like below:
1. Gateway initiated IKE rekey completed.
2. Connection is suspended.
3. Client sends a resume request to gateway in the RESUME exchange.

In step 3, should the IKE header sent by Client set the initiator flag? I
know if client sets the initiator flag, then gateway should respond with
the initiator flag cleared.
But according to the RFC7296 initiator flag explanation, Gateway is the
initiator of the last IKE SA rekey. I am not sure which side should set the
initiator flag during the resume exchange.


Thanks.

Kathy

--089e01419f52c27b75051547548f--


From nobody Mon May  4 14:04:30 2015
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C4611B2B2E for <ipsec@ietfa.amsl.com>; Mon,  4 May 2015 14:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 91VXuMVb432X for <ipsec@ietfa.amsl.com>; Mon,  4 May 2015 14:04:26 -0700 (PDT)
Received: from mail-wg0-x22f.google.com (mail-wg0-x22f.google.com [IPv6:2a00:1450:400c:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A7BE1B2B2D for <ipsec@ietf.org>; Mon,  4 May 2015 14:04:26 -0700 (PDT)
Received: by wgen6 with SMTP id n6so163068954wge.3 for <ipsec@ietf.org>; Mon, 04 May 2015 14:04:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=8n8n7XWaMC7Za/LkoCrM79n987SuhWvsxmUaG82cqjE=; b=aNsBRH3CnAV+m2wa9RlClIJ43LhGwRx7LBEh+HDGa3pDdXNIKw1f3UqUL2f03iytgA zDoulyBuEL2FdO256cQdk20SFGA+7FmQxZGw7nDorzZ7hohrgDYKVow3Txqq1F1pkMhK VJ11O5Spp/qivd28jBYDoDKAPyPmygqzYwxknzAG8gRRLJeSZAJDWCWl/Vdl1EHv3Ty3 G3joNi0bootHN2X529UoMKWlC08mWMov7T39py0esWKoLPoaPZkrGPKx2uBuUnDpTlzV 6K1gcDoaD/i+NBtBny63ZFzq3+U5eebBKhy5R/qImaK5o82sRzHZ/j/VcZg1Pv17paFk m8mg==
X-Received: by 10.180.92.161 with SMTP id cn1mr680169wib.91.1430773464997; Mon, 04 May 2015 14:04:24 -0700 (PDT)
Received: from [10.0.0.2] (bzq-109-67-132-217.red.bezeqint.net. [109.67.132.217]) by mx.google.com with ESMTPSA id e10sm12885989wij.11.2015.05.04.14.04.23 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 04 May 2015 14:04:24 -0700 (PDT)
Message-ID: <5547DED5.3090000@gmail.com>
Date: Tue, 05 May 2015 00:04:21 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Lihua Wan <kathywan501@gmail.com>, ipsec@ietf.org
References: <CA+kP6mn-a_HJXSAEZWtpWzowBWPAsQxzW+BOa5w4FX2t-N-q=A@mail.gmail.com>
In-Reply-To: <CA+kP6mn-a_HJXSAEZWtpWzowBWPAsQxzW+BOa5w4FX2t-N-q=A@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/6gA4y73TBvv8IjUsESVcXcdn9q8>
Subject: Re: [IPsec] [RFC5723] initiator flag setting in resume exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2015 21:04:28 -0000

Hi Kathy,

"Where not specified otherwise, the IKE_SESSION_RESUME exchange behaves 
exactly like the IKE_SA_INIT exchange."

This means, in my opinion, that the client that sends the first 
IKE_SESSION_RESUME message should have the Initiator Flag set. And the 
table in Sec. 5 applies not only to "after resumption" but, in this case, 
to the resumption exchange as well.

Thanks,
	Yaron

On 05/04/2015 11:23 PM, Lihua Wan wrote:
> Hi all,
> In RFC5723 section 5, it mentions
>
>   +--------------------------------+----------------------------------+
>   | State Item                     | After Resumption                 |
>   +--------------------------------+----------------------------------+
>
> ...
>
>   | Which peer is the "original    | Determined by the initiator of   |
>   | initiator"?                    | IKE_SESSION_RESUME.              |
>
>
> If client is initiator of IKE_SESSION_RESUME, I understand client is the
> original initiator AFTER resumption. So the initiator flag in the IKE
> header should be set by client after resumption.
> My question is what about the resume request packet during resume
> exchange? Should client set the initiator flag in IKE header when it
> sends out resume request?
>
> The case is like below:
> 1. Gateway initiated IKE rekey completed.
> 2. Connection is suspended.
> 3. Client sends a resume request to gateway in the RESUME exchange.
>
> In step 3, should the IKE header sent by Client set the initiator flag?
> I know if client sets the initiator flag, then gateway should respond
> with the initiator flag cleared.
> But according to the RFC7296 initiator flag explanation, Gateway is the
> initiator of the last IKE SA rekey. I am not sure which side should set
> the initiator flag during the resume exchange.
>
>
> Thanks.
>
> Kathy
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>


From nobody Mon May  4 19:21:31 2015
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF6251B2DB4 for <ipsec@ietfa.amsl.com>; Mon,  4 May 2015 19:21:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.41
X-Spam-Level: 
X-Spam-Status: No, score=-1.41 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_32=0.6, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TtEkNe79jAvD for <ipsec@ietfa.amsl.com>; Mon,  4 May 2015 19:21:26 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E71AD1B2DA8 for <ipsec@ietf.org>; Mon,  4 May 2015 19:21:19 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3lglCw5NYPz1K6; Tue,  5 May 2015 04:21:16 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=a00B9ctw
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id vnvoZ6b37M3Y; Tue,  5 May 2015 04:21:06 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue,  5 May 2015 04:21:06 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 053CB809FD; Mon,  4 May 2015 22:21:05 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1430792465; bh=lFrk27JG1gQZ/PgSWnd9RNJRZmCtQKViR9uFwHZYRZE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=a00B9ctw5jnEYO9MaU9Tx8IeSJmxpSL1G1SpjLTn0SoD1gnILl7m0Zql1m6kD4CbD mCzjlC9hEBEjHyY9lI8wfuSX2HKX12RpPn5bdD7K0UcI8zFAN2NXn2BiG5i3XeePX7 re7hlmuj+xsrdEdHEsAaS39ae6PXy6zh6vjuL3R8=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id t452L4Co015619; Mon, 4 May 2015 22:21:04 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 4 May 2015 22:21:04 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Lihua Wan <kathywan501@gmail.com>
In-Reply-To: <CA+kP6mn-a_HJXSAEZWtpWzowBWPAsQxzW+BOa5w4FX2t-N-q=A@mail.gmail.com>
Message-ID: <alpine.LFD.2.10.1505042211300.7284@bofh.nohats.ca>
References: <CA+kP6mn-a_HJXSAEZWtpWzowBWPAsQxzW+BOa5w4FX2t-N-q=A@mail.gmail.com>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/0xXgf2DxUo-EYX0mE1ipPu1bmRs>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] [RFC5723] initiator flag setting in resume exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2015 02:21:28 -0000

On Mon, 4 May 2015, Lihua Wan wrote:

> Hi all, In RFC5723 section 5, it mentions
>
>  +--------------------------------+----------------------------------+
>  | State Item                     | After Resumption                 |
>  +--------------------------------+----------------------------------+
> 
> ...
>
>  | Which peer is the "original    | Determined by the initiator of   |
>  | initiator"?                    | IKE_SESSION_RESUME.              |
> 
> If client is initiator of IKE_SESSION_RESUME, I understand client is the original initiator AFTER resumption. So the initiator flag in the IKE header should be set by client after resumption.
> My question is what about the resume request packet during resume exchange? Should client set the initiator flag in the IKE header when it sends out the resume request?
> 
> The case is like below:
> 1. Gateway initiated IKE rekey completed.
> 2. Connection is suspended.
> 3. Client sends a resume request to gateway in the RESUME exchange.
> 
> In step 3, should the IKE header sent by Client set the initiator flag? I know if client sets the initiator flag, then gateway should respond with the initiator flag cleared.
> But according to the RFC7296 initiator flag explanation, Gateway is the initiator of the last IKE SA rekey. I am not sure which side should set the initiator flag during the resume exchange.


Remember that the Original Initiator flag is used to see whether yours
is the first (initiator) SPI or the second (responder) SPI in the
ISAKMP header.

So with that in mind read:

 	This document specifies a new IKEv2 exchange type called
 	IKE_SESSION_RESUME whose value is 38.  This exchange is equivalent to
 	the IKE_SA_INIT exchange

So when you initiate IKE_SESSION_RESUME, you have no responder SPI. There
is only your initiator SPI, and you must set the Original Initiator flag.

The responder receiving your resume exchange sees the Original Initiator
flag. It also sees the lack of the Message Response flag, so it knows
it is a responder for this exchange. It looks up an IKE SA where it is
the responder SPI and the other end is the initiator SPI.  (and since
the responder SPI is zero it knows this will be a new exchange/state
and it will generate a responder SPI to use in the answer)

Paul
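Added example, not code from RFC 5723, RFC 7296 or any IKE implementation, that puts Paul's description into a header encoder and a receiver-side classifier: the resume request carries only the initiator SPI with I set and R clear, and the gateway uses exactly those fields to conclude it is the responder and to mint its own SPI. The dataclass, helper names and the sample SPI are this example's own.

```python
"""IKEv2 header for the IKE_SESSION_RESUME request and the responder's view.

Added example, not code from RFC 5723, RFC 7296 or any IKE implementation.
The first IKE_SESSION_RESUME message looks like an IKE_SA_INIT request on
the wire: the client's SPI is filled in, the responder SPI is zero, the
I (Initiator) flag is set and the R (Response) flag is clear. The gateway
needs nothing else to know it is the responder and to allocate its own SPI.
"""
import os
import struct
from dataclasses import dataclass

IKEV2_VERSION = 0x20           # major 2, minor 0
EXCH_IKE_SA_INIT = 34
EXCH_IKE_SESSION_RESUME = 38   # exchange type value assigned by RFC 5723
FLAG_I = 0x08                  # I: sender is the original initiator
FLAG_V = 0x10                  # V: sender supports a higher major version
FLAG_R = 0x20                  # R: this message is a response
HEADER_FMT = "!QQBBBBII"       # every header field is network byte order
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28 octets


@dataclass
class IkeHeader:
    spi_i: int
    spi_r: int
    next_payload: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    def pack(self) -> bytes:
        return struct.pack(HEADER_FMT, self.spi_i, self.spi_r,
                           self.next_payload, IKEV2_VERSION,
                           self.exchange_type, self.flags,
                           self.message_id, self.length)

    @classmethod
    def unpack(cls, data: bytes) -> "IkeHeader":
        if len(data) < HEADER_LEN:
            raise ValueError("short IKE header")
        (spi_i, spi_r, npl, ver, etype,
         flags, mid, length) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
        if ver >> 4 != 2:
            raise ValueError("not an IKEv2 header")
        return cls(spi_i, spi_r, npl, etype, flags, mid, length)


def build_resume_request(spi_i: int, body_len: int = 0) -> IkeHeader:
    """Header the client puts on its first IKE_SESSION_RESUME message."""
    return IkeHeader(spi_i=spi_i, spi_r=0, next_payload=0,
                     exchange_type=EXCH_IKE_SESSION_RESUME, flags=FLAG_I,
                     message_id=0, length=HEADER_LEN + body_len)


def classify_received(hdr: IkeHeader) -> str:
    """What a peer concludes from the header of a message it just received.

    'new-exchange': request from an original initiator with the responder
                    SPI still zero: we are the responder and allocate our SPI.
    'request':      request on an existing IKE SA (our role is the opposite
                    of what the I flag says about the sender).
    'response':     answer to a request we sent.
    """
    if hdr.flags & FLAG_V:
        raise ValueError("V flag set: peer claims a higher major version")
    if hdr.flags & FLAG_R:
        return "response"
    if hdr.spi_r == 0:
        if not hdr.flags & FLAG_I:
            raise ValueError("new exchange without the I flag")
        if hdr.exchange_type not in (EXCH_IKE_SA_INIT, EXCH_IKE_SESSION_RESUME):
            raise ValueError("responder SPI may only be zero in "
                             "IKE_SA_INIT or IKE_SESSION_RESUME")
        return "new-exchange"
    return "request"


def own_spi(hdr: IkeHeader, we_sent_it: bool) -> int:
    """Which of the two SPIs is ours, for a header we sent or received.

    The I flag describes the sender, so on a received header our SPI is the
    responder SPI exactly when I is set.
    """
    sender_is_initiator = bool(hdr.flags & FLAG_I)
    we_are_initiator = sender_is_initiator if we_sent_it else not sender_is_initiator
    return hdr.spi_i if we_are_initiator else hdr.spi_r


def build_resume_response(req: IkeHeader, body_len: int = 0) -> IkeHeader:
    """Gateway's reply: fresh non-zero responder SPI, R set, I clear."""
    spi_r = int.from_bytes(os.urandom(8), "big") or 1
    return IkeHeader(spi_i=req.spi_i, spi_r=spi_r, next_payload=0,
                     exchange_type=req.exchange_type, flags=FLAG_R,
                     message_id=req.message_id, length=HEADER_LEN + body_len)


if __name__ == "__main__":
    # Constructed SPI for the demo; real initiator SPIs are random.
    req = build_resume_request(0x1122334455667788)
    print(req.pack().hex())
    print("gateway sees:", classify_received(req))        # new-exchange
    resp = build_resume_response(req)
    print("client sees:", classify_received(resp))        # response
```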


From nobody Tue May  5 07:55:47 2015
Return-Path: <kathywan501@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F5EC1B2CD0 for <ipsec@ietfa.amsl.com>; Tue,  5 May 2015 07:55:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level: 
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_32=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a2inC4iN1tYE for <ipsec@ietfa.amsl.com>; Tue,  5 May 2015 07:55:18 -0700 (PDT)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F071C1B2E1A for <ipsec@ietf.org>; Tue,  5 May 2015 07:55:12 -0700 (PDT)
Received: by wizk4 with SMTP id k4so164640526wiz.1 for <ipsec@ietf.org>; Tue, 05 May 2015 07:55:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=py+759lz4PieDhvsNC64rw7S6Wj/0hBAgKnGbgAqKJ8=; b=lRjquFTsdJu9X8o5JwX/LMD+ZsRHkd0zGobCc/hU46rvELxDmZwBGYQR8YOI/klMcU pAVLIWhsbdd6Q4BKhEauWalo8pBM03JkGeaSDGBIk+dFDJUm14/sUrKtX6/tLcKbV11I MQGU7pIlefsuVxlB2ed7BVJEVhlkBlVjKyBstrCABTcJ+PorEgx2zvKsbdOLKpLkATI1 RmFCnXfVGZ57gXdyGBFQBSOZxYuWUJDp8+sgIErnQpPBkxZHTlhyXH9FqSsZ6lLDxy+/ ZtnNSBgR3oW/IxaSDDKVyrMC0yl7cFW5BoWkwqnNz7m0ykcBZdRkbSY4+FThBSeYlkWF vUvQ==
MIME-Version: 1.0
X-Received: by 10.180.105.233 with SMTP id gp9mr4893980wib.83.1430837711600; Tue, 05 May 2015 07:55:11 -0700 (PDT)
Received: by 10.28.86.87 with HTTP; Tue, 5 May 2015 07:55:11 -0700 (PDT)
In-Reply-To: <alpine.LFD.2.10.1505042211300.7284@bofh.nohats.ca>
References: <CA+kP6mn-a_HJXSAEZWtpWzowBWPAsQxzW+BOa5w4FX2t-N-q=A@mail.gmail.com> <alpine.LFD.2.10.1505042211300.7284@bofh.nohats.ca>
Date: Tue, 5 May 2015 10:55:11 -0400
Message-ID: <CA+kP6mnYtaz9QZ99_SFFHCMZLaA7TRxSm8hp03yoyL-9XXvZ7Q@mail.gmail.com>
From: Lihua Wan <kathywan501@gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: multipart/alternative; boundary=f46d0442883e8801dd051556ddd4
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/6EsDO9vnzU6jtRzvQXkGwIx8Ot8>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] [RFC5723] initiator flag setting in resume exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2015 14:55:20 -0000

--f46d0442883e8801dd051556ddd4
Content-Type: text/plain; charset=UTF-8

Thanks all the helpful response. It is very clear now.

On Mon, May 4, 2015 at 10:21 PM, Paul Wouters <paul@nohats.ca> wrote:

> On Mon, 4 May 2015, Lihua Wan wrote:
>
>> Hi all, In RFC5723 section 5, it mentions
>>
>>  +--------------------------------+----------------------------------+
>>  | State Item                     | After Resumption                 |
>>  +--------------------------------+----------------------------------+
>>
>> ...
>>
>>  | Which peer is the "original    | Determined by the initiator of   |
>>  | initiator"?                    | IKE_SESSION_RESUME.              |
>>
>> If client is initiator of IKE_SESSION_RESUME, I understand client is the
>> original initiator AFTER resumption. So the initiator flag in the IKE
>> header should be set by client after resumption.
>> My question is what about the resume request packet during resume
>> exchange? Should client set the initiator flag in IKE header when it sends
>> out resume request?
>>
>> The case is like below:
>> 1. Gateway initiated IKE rekey completed.
>> 2. Connection is suspended.
>> 3. Client sends a resume request to gateway in the RESUME exchange.
>>
>> In step 3, should the IKE header sent by Client set the initiator flag? I
>> know if client sets the initiator flag, then gateway should respond with
>> the initiator flag cleared.
>> But according to the RFC7296 initiator flag explanation, Gateway is the
>> initiator of the last IKE SA rekey. I am not sure which side should set the
>> initiator flag during the resume exchange.
>>
>
>
> Remember that the Original Initiator flag is used to see whether yours
> is the first (initiator) SPI or the second (responder) SPI in the
> ISAKMP header.
>
> So with that in mind read:
>
>         This document specifies a new IKEv2 exchange type called
>         IKE_SESSION_RESUME whose value is 38.  This exchange is equivalent
> to
>         the IKE_SA_INIT exchange
>
> So when you initiate IKE_SESSION_RESUME, you have no responder SPI. There
> is only your initiator SPI, and you must set the Original Initiator flag.
>
> The responder receiving your resume exchange sees the Original Initiator
> flag. It also sees the lack of the Message Response flag, so it knows
> it is a responder for this exchange. It looks up an IKE SA where it is
> the responder SPI and the other end is the initiator SPI.  (and since
> the responder SPI is zero it knows this will be a new exchange/state
> and it will generate a responder SPI to use in the answer)
>
> Paul
>

--f46d0442883e8801dd051556ddd4--


From nobody Thu May  7 02:22:02 2015
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 024481A0054 for <ipsec@ietfa.amsl.com>; Thu,  7 May 2015 02:22:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uKpsYzlqGxMW for <ipsec@ietfa.amsl.com>; Thu,  7 May 2015 02:22:00 -0700 (PDT)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01BF41A000B for <ipsec@ietf.org>; Thu,  7 May 2015 02:22:00 -0700 (PDT)
Received: by widdi4 with SMTP id di4so52211990wid.0 for <ipsec@ietf.org>; Thu, 07 May 2015 02:21:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=mwxFuaWJY2bvUq5ejETXYtTsPbbxZqjo9qrAYqjLR+A=; b=BwH9+GT6KEXo8sAXLUULRSrwNR5kPmMvbfF5bkZoJV7cVgBnKca+gniOb+1kJiuk4K PLnZxRgXWJi1vGjneZGXLXV+iZ/IpR5529ZeAAiw0rEpGMhdDhxsuLNaWQllYtA0hra8 GEWeaKR/LTEgDfsf9KC+yt+GJUnlN3vVu5xbehJP/++XdZRGv9oM6RPhlR9PsXf7+7PO 3TpEgSlWqTjYaRuVee6gG4gVffNqlCwZnU4ES6ibHk0VGA5gut4Zt54zh7G71WM0Zf6n OpaY7JPJwCdzRTQzOoOxGFClk+uevy1oy/7aoEmxEO5t6tWe++hvrfqXDeHi8T5FmvXp 0gFA==
X-Received: by 10.180.99.166 with SMTP id er6mr4875872wib.58.1430990518737; Thu, 07 May 2015 02:21:58 -0700 (PDT)
Received: from [172.24.248.84] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id k9sm6396294wia.6.2015.05.07.02.21.57 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 07 May 2015 02:21:57 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <21831.36370.456872.844171@fireball.kivinen.iki.fi>
Date: Thu, 7 May 2015 12:21:55 +0300
Content-Transfer-Encoding: 7bit
Message-Id: <65CB0CB5-44C2-4BFB-8710-3780DCD11B5E@gmail.com>
References: <21831.36370.456872.844171@fireball.kivinen.iki.fi>
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/vzWXHSdUAL2Bdshjnu1gy3flwS4>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] My comments to draft-ietf-ipsecme-chacha20-poly1305-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2015 09:22:02 -0000

Thanks, Tero. 

Fixed in -07

Yoav

> On May 4, 2015, at 6:19 PM, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> I have now read the latest draft-ietf-ipsecme-chacha20-poly1305-06 and
> it seems to be ok. I have a few nits that could be fixed, and one
> real mistake:
> 
> ----------------------------------------------------------------------
> In appendix B you say:
> 
>         The ciphertext is also 16 octets long, so the construction
>   has no padding at all.
> 
> This is not true. The ciphertext was 13 bytes long (as can be seen
> from the length), and there was 3 bytes of padding.
> ----------------------------------------------------------------------
> Nits:
> 
> In section 2:
> 
>   The same key and nonce, along with a block counter of zero are passed
>   to the ChaCha20 block function, and the top 256 bits of the result
>   are used as the Poly1305 key.  The nonce passed to the block function
>   here is the same nonce that is used in ChaCha20, including the 32-bit
>   Salt, and the key passed is the same as the encryption key.
> 
> I think it is a bit useless to first say that "The same key and nonce,
> ..." and then define that by the way the nonce is same and the key is
> same ...
> 
> I would remove the second sentence, I think it is enough to say that
> the same key and nonce are passed to block function.
> 
> --
> 
> In the draft you use "little-endian integer" and "network order
> integer". I do not know what the order of the network is (most likely
> it is messed up), but I assume you mean "integer in network byte
> order" or something like that. You might want to talk about "byte
> orders" in both cases.
> 
> Btw, I really hate to have a system where we need to mix network byte
> order and little-endian byte order stuff, but I think that is what cfrg
> decided so better stick with that.
> 
> --
> 
> In section 2.1 you should expand ESN.
> 
> -- 
> kivinen@iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
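Tero's comments on section 2 concern the Poly1305 key derivation (same key and nonce as the encryption, block counter zero, top 256 bits of the ChaCha20 block output) and the mix of little-endian and network byte order. As an added example that is not code from the draft or from anyone on this thread, the following implements the RFC 7539 ChaCha20 block function and derives the one-time Poly1305 key from a nonce laid out the way the draft describes it (32-bit salt followed by a 64-bit IV). The `ipsec_nonce` and `aead_length_block` helpers and the sample key and nonce are assumptions for illustration; the sample values were chosen to coincide with the RFC 7539 section 2.6.2 test vector so the result can be checked against that document.

```python
"""Poly1305 one-time key derivation for ChaCha20-Poly1305 (added example).

Byte-order note (Tero's nit): ChaCha20 state words and the Poly1305 length
block are little-endian, while the ESP/IKE fields that carry the salt and IV
are in network byte order.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    """RFC 7539 section 2.1 quarter round on state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 7539 section 2.3 block function: 64 bytes of keystream."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 256-bit key and a 96-bit nonce")
    # Constants, key, counter and nonce are loaded as little-endian words.
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key
                               + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12)        # column rounds
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)       # diagonal rounds
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    # Serialisation is little-endian too.
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def ipsec_nonce(salt, iv):
    """Assumed helper: the 32-bit salt taken from the key material followed
    by the 64-bit per-packet IV gives the 96-bit ChaCha20 nonce."""
    if len(salt) != 4 or len(iv) != 8:
        raise ValueError("salt is 4 octets, IV is 8 octets")
    return salt + iv


def poly1305_key(key, nonce):
    """Section 2 of the draft: the same key and nonce as the encryption, block
    counter zero, and the top 256 bits (first 32 bytes) of the block output."""
    return chacha20_block(key, 0, nonce)[:32]


def aead_length_block(aad_len, ciphertext_len):
    """RFC 7539 section 2.8: the two 64-bit lengths fed to Poly1305 are
    little-endian, unlike every length field in the ESP and IKE headers."""
    return struct.pack("<QQ", aad_len, ciphertext_len)


if __name__ == "__main__":
    # Sample values (constructed) matching the RFC 7539 section 2.6.2 vector.
    key = bytes(range(0x80, 0xA0))
    nonce = ipsec_nonce(bytes(4), bytes([0, 1, 2, 3, 4, 5, 6, 7]))
    print(poly1305_key(key, nonce).hex())
```

Because the derivation uses counter zero, the keystream used for the payload itself starts at counter one; reusing block zero for data would hand the Poly1305 key to anyone who knows the corresponding plaintext.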


From nobody Thu May  7 02:22:15 2015
Return-Path: <internet-drafts@ietf.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85E4B1A005F; Thu,  7 May 2015 02:22:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EUD8qAzM5xkD; Thu,  7 May 2015 02:22:06 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FC471A0062; Thu,  7 May 2015 02:22:06 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.2.p2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150507092206.28969.2466.idtracker@ietfa.amsl.com>
Date: Thu, 07 May 2015 02:22:06 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/MjT0hxKWVyGT3pdVb8YYPkX3Ioc>
Cc: ipsec@ietf.org
Subject: [IPsec] I-D Action: draft-ietf-ipsecme-chacha20-poly1305-07.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2015 09:22:11 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the IP Security Maintenance and Extensions Working Group of the IETF.

        Title           : ChaCha20, Poly1305 and their use in IKE & IPsec
        Author          : Yoav Nir
	Filename        : draft-ietf-ipsecme-chacha20-poly1305-07.txt
	Pages           : 11
	Date            : 2015-05-07

Abstract:
   This document describes the use of the ChaCha20 stream cipher along
   with the Poly1305 authenticator, combined into an AEAD algorithm for
   the Internet Key Exchange protocol (IKEv2) and for IPsec.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-chacha20-poly1305/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-ipsecme-chacha20-poly1305-07

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-chacha20-poly1305-07


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Thu May  7 06:52:19 2015
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABA1E1A6FFE for <ipsec@ietfa.amsl.com>; Thu,  7 May 2015 06:52:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level: 
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IbMlmdsyZBfV for <ipsec@ietfa.amsl.com>; Thu,  7 May 2015 06:52:15 -0700 (PDT)
Received: from mail-wg0-x235.google.com (mail-wg0-x235.google.com [IPv6:2a00:1450:400c:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93B7E1A6FEC for <ipsec@ietf.org>; Thu,  7 May 2015 06:52:14 -0700 (PDT)
Received: by wgiu9 with SMTP id u9so44251657wgi.3 for <ipsec@ietf.org>; Thu, 07 May 2015 06:52:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=from:content-type:subject:message-id:date:to:mime-version; bh=k7fBT+ensAyBflEuEK44ch1LSyiA1GBx2lY1Bqw1MT0=; b=E01VneylXKQslDhHEVRXvp2BPKbNtjUrVmD0G+wTiCK0Wr8vw9c/66xOJVm97r4ebR Facg852QDkUj3SyqgZDVthRdVZy7cObSdVv8iMOXO30/XhVHdHj0SP7jbq1/EF4tdxjp RhK6lqLQumDMqNYq0am0I8sT5rPAkCVyQBjy4NlhxG0jiW+fXU3V4Scd45rnjZoLh/KH ZkiOAk00fLtreOOp2/xlChHDZiAY0IGR5ec4V2tvpGsEPksGMPj5bD58Gabqc5bn5hPT uQK40hl2wG55JoSHnCIYFtCby/EHJIoThfGfIHKfCrxp1PScJvkzy+NjXKh2s2WI8TQQ clHA==
X-Received: by 10.194.71.168 with SMTP id w8mr7595088wju.80.1431006733375; Thu, 07 May 2015 06:52:13 -0700 (PDT)
Received: from [172.24.248.84] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id r9sm3561797wjo.26.2015.05.07.06.52.11 for <ipsec@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 07 May 2015 06:52:11 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/mixed; boundary="Apple-Mail=_2570FBA2-2B1C-4A0B-9889-440B023AB790"
Message-Id: <6A72CE8C-FBB2-460D-9BBE-4528496E1DC4@gmail.com>
Date: Thu, 7 May 2015 16:52:09 +0300
To: IPsecME WG <ipsec@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/K99NHBNk-CEpe2YZtoAJlTLHZ0Q>
Subject: [IPsec] Restarting the discussion about the puzzle
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2015 13:52:17 -0000

--Apple-Mail=_2570FBA2-2B1C-4A0B-9889-440B023AB790
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi.

As a reminder, there were two concerns about the difficulty of puzzles:
	• That some clients are weaker than others and therefore are able to try fewer keys in a unit of time
	• That individual puzzles might prove more difficult than other puzzles, so some “unlucky” initiators might take too long to solve the puzzle.

This is about the second issue. I’d be glad if someone could make a measurement of solving the proposed puzzle on an ARM processor so that we can know how much of an issue #1 is.

As Tero has mentioned, there are no easy or hard puzzles. Depending on how you order your guesses you might stumble upon the solution very quickly, or you might be trying millions of keys before hitting the answer. Choose a different ordering of your guesses for the same puzzle, and you might get very different results.  Still, we don’t like that luck plays such a role.

One way to reduce the variance is to increase the sample size: instead of looking for one key for a hard puzzle, we can require the initiator to return several correct solutions for an easier puzzle.  The advantage is that it indeed reduces the variance. The disadvantage is that the responder’s job becomes more difficult, as it has to verify not one but several correct solutions.

I’ve run a test of 20 randomly-generated cookies, and set the puzzle difficulty to 20 bits when requiring 1 solution, 19 bits when requiring 2 solutions, 18 bits when requiring 4 solutions, etc. The full results are in the attached Excel file (all results in seconds), but here’s a summary:

Bits | keys | median | % over twice median
-----+------+--------+--------------------
| 20 |   1  |  0.947 |  30.0%
| 19 |   2  |  1.309 |  15.0%
| 18 |   4  |  1.464 |   5.0%
| 17 |   8  |  1.516 |   1.5%
| 16 |  16  |  1.499 |   0.5%
| 15 |  32  |  1.507 |   0.0%
| 14 |  64  |  1.499 |   0.0%
-----+------+--------+--------------------

I could increase the sample to get more accurate results, or look for results that are 3 times the median or 3 times the average etc. But just looking at this it seems to me that either 8 or 16 keys is the sweet spot, where an initiator is not likely to get stuck, a packet is not too big, and the load on the responder is not too great.

Comments?

Yoav


--Apple-Mail=_2570FBA2-2B1C-4A0B-9889-440B023AB790
Content-Disposition: attachment;
	filename=data_20.xlsx
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet;
	name="data_20.xlsx"
Content-Transfer-Encoding: base64
--Apple-Mail=_2570FBA2-2B1C-4A0B-9889-440B023AB790--


From nobody Thu May  7 10:01:22 2015
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31FEE1A1A1D for <ipsec@ietfa.amsl.com>; Thu,  7 May 2015 10:01:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level: 
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ip1It25t5XFd for <ipsec@ietfa.amsl.com>; Thu,  7 May 2015 10:01:20 -0700 (PDT)
Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14A211A032D for <ipsec@ietf.org>; Thu,  7 May 2015 10:01:20 -0700 (PDT)
Received: from [10.20.30.101] (50-1-98-218.dsl.dynamic.fusionbroadband.com [50.1.98.218]) (authenticated bits=0) by proper.com (8.15.1/8.14.9) with ESMTPSA id t47H1ITi035472 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Thu, 7 May 2015 10:01:19 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host 50-1-98-218.dsl.dynamic.fusionbroadband.com [50.1.98.218] claimed to be [10.20.30.101]
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <E6F61CCF-084B-4636-9DF6-232A4D20880C@vpnc.org>
Date: Thu, 7 May 2015 10:01:18 -0700
To: IPsecME WG <ipsec@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/GMyHPsfADOIaNOyXZjVim1hgOTk>
Subject: [IPsec] Helping highlight running code
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2015 17:01:21 -0000

Please consider RFC 6982 [1], Improving Awareness of Running Code: The Implementation Status Section, which encourages Internet-Drafts to include an "Implementation Status" section. This is a useful idea not only for our WG documents, but also for all documents that discuss changes to IKEv2 and IPsec. Please keep it in mind as you write or revise your documents. Thanks!

--Paul Hoffman

[1] https://datatracker.ietf.org/doc/rfc6982/


From nobody Sat May  9 09:32:20 2015
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF4541A8924 for <ipsec@ietfa.amsl.com>; Sat,  9 May 2015 09:32:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level: 
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4LPlrql_zfGU for <ipsec@ietfa.amsl.com>; Sat,  9 May 2015 09:32:17 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE3B21A8909 for <ipsec@ietf.org>; Sat,  9 May 2015 09:32:16 -0700 (PDT)
Received: by widdi4 with SMTP id di4so61759244wid.0 for <ipsec@ietf.org>; Sat, 09 May 2015 09:32:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=CsWHPOEnwT8yJWIBrTuQSV+RwOl7JS4kKBNBiwDYu4o=; b=kU+cfsP1SFaetXPMjP8x7p4h1t3+K90UBeD7I5bYuUrd3wb2FhjHFgWQlrfQ8vu2IJ +DGuoRR4mYzb2d2dF49AbYKIFvFsKUTrOzc/6/i1Ut6pc8Tzk9gm6V2KNT7zq9LeQ81+ Af+UrXsB5TDsHcKocxCsZj7r+gGIox+Hpb31eW1ZZueLX1T7EkeueMhVXwwk8udW4Rn0 JdeTDTs9a+NdGxnCVDRjc967ukUh23WEekMerfHNrG2sW/TJilyQq3bN/gKxU9iSqMSt r82ZQygM4RADyRbQdHicK+RuD9EC0QCcAnHtky/I/WNu90w/MWXEdEuSmIMYucOOiq6M 41wg==
X-Received: by 10.180.84.201 with SMTP id b9mr5726519wiz.49.1431189135637; Sat, 09 May 2015 09:32:15 -0700 (PDT)
Received: from [10.0.0.4] (bzq-79-177-61-102.red.bezeqint.net. [79.177.61.102]) by mx.google.com with ESMTPSA id k2sm4533240wix.4.2015.05.09.09.32.14 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 09 May 2015 09:32:14 -0700 (PDT)
Message-ID: <554E368C.7040604@gmail.com>
Date: Sat, 09 May 2015 19:32:12 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, IPsecME WG <ipsec@ietf.org>
References: <6A72CE8C-FBB2-460D-9BBE-4528496E1DC4@gmail.com>
In-Reply-To: <6A72CE8C-FBB2-460D-9BBE-4528496E1DC4@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/KVVoSUkWrh7GQ1STop9xfZY6De8>
Subject: Re: [IPsec] Restarting the discussion about the puzzle
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 May 2015 16:32:19 -0000

Hi Yoav,

First, I raised a third concern, which is that allowing the client to 
decide on the difficulty of the puzzle it is willing to solve adds 
unneeded complexity. Basically the client doesn't have enough 
information to make a good decision.

To answer your question, I think we've already been down this path and 
reducing the variance is certainly a good thing.

Thanks,
	Yaron

On 05/07/2015 04:52 PM, Yoav Nir wrote:
> Hi.
>
> As a reminder, there were two concerns about the difficulty of puzzles:
> 	• That some clients are weaker than others and therefore are able to try fewer keys in a unit of time
> 	• That individual puzzles might prove more difficult than other puzzles, so some “unlucky” initiators might take too long to solve the puzzle.
>
> This is about the second issue. I’d be glad if someone could make a measurement of solving the proposed puzzle on an ARM processor so that we can know how much of an issue #1 is.
>
> As Tero has mentioned, there are no easy or hard puzzles. Depending on how you order your guesses you might stumble upon the solution very quickly, or you might be trying millions of keys before hitting the answer. Choose a different ordering of your guesses for the same puzzle, and you might get very different results.  Still, we don’t like that luck plays such a role.
>
> One way to reduce the variance is to increase the sample size: instead of looking for one key for a hard puzzle, we can require the initiator to return several correct solutions for an easier puzzle.  The advantage is that it indeed reduces the variance. The disadvantage is that the responder’s job becomes more difficult, as it has to verify not one but several correct solutions.
>
> I’ve run a test of 20 randomly-generated cookies, and set the puzzle difficulty to 20 bits when requiring 1 solution, 19 bits when requiring 2 solutions, 18 bits when requiring 4 solutions, etc. The full results are in the attached Excel file (all results in seconds), but here’s a summary:
>
> Bits | keys | median | % over twice median
> -----+------+--------+--------------------
> | 20 |   1  |  0.947 |  30.0%
> | 19 |   2  |  1.309 |  15.0%
> | 18 |   4  |  1.464 |   5.0%
> | 17 |   8  |  1.516 |   1.5%
> | 16 |  16  |  1.499 |   0.5%
> | 15 |  32  |  1.507 |   0.0%
> | 14 |  64  |  1.499 |   0.0%
> -----+------+--------+--------------------
>
> I could increase the sample to get more accurate results, or look for results that are 3 times the median or 3 times the average etc. But just looking at this it seems to me that either 8 or 16 keys is the sweet spot, where an initiator is not likely to get stuck, a packet is not too big, and the load on the responder is not too great.
>
> Comments?
>
> Yoav
>
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>


From nobody Mon May 11 08:01:49 2015
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 356D11A8A04 for <ipsec@ietfa.amsl.com>; Mon, 11 May 2015 08:01:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1_sW4JJa63yc for <ipsec@ietfa.amsl.com>; Mon, 11 May 2015 08:01:47 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFD051A8A29 for <ipsec@ietf.org>; Mon, 11 May 2015 08:01:46 -0700 (PDT)
Received: by widdi4 with SMTP id di4so109205343wid.0 for <ipsec@ietf.org>; Mon, 11 May 2015 08:01:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=aQ2EShQOlRP2Q94Z8uqB/MvzVNBdIA+fLSZHb06ygqk=; b=eSpwPpfi6K/zZD03uRKFUuUDOC+C75MP8KU5XVOTBW1R1+SqQiN9LZyqxu679Jso67 K9PzTpRqrp+Azhzx7cKr+L4TPMVlMsYoFd6tA0Iggrx2OyHA1/Y6hwMg4sMTEUW12e+C zyFFZGDKE0TxNuJU1Qjve1nHQ6GKMvUpvtJhoi3S25cc+Eyps4J9+nMGSD2fGP5HlbN2 f2cTRyEa5Aja8h7rnCFOTv+dONcHYCqlgkk58fxEsNukNl/Ile9U2JTZqT3JErdsXXqE 43thzauWXsZtSFZcmVHBnjJLd/ju4QS6u8q5jCqXSsbaMwFnf04N0P306pyeFWk6ztCs nk7g==
X-Received: by 10.180.99.42 with SMTP id en10mr20417383wib.83.1431356505406; Mon, 11 May 2015 08:01:45 -0700 (PDT)
Received: from [172.24.250.138] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id a4sm215121wic.1.2015.05.11.08.01.44 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 11 May 2015 08:01:44 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <554E368C.7040604@gmail.com>
Date: Mon, 11 May 2015 18:01:42 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <025AD6B1-A1AE-4225-9703-72D2131551AD@gmail.com>
References: <6A72CE8C-FBB2-460D-9BBE-4528496E1DC4@gmail.com> <554E368C.7040604@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/l0WQfV92vktkrufxqJOccmzySIk>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] Restarting the discussion about the puzzle
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2015 15:01:48 -0000

> On May 9, 2015, at 7:32 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> 
> Hi Yoav,
> 
> First, I raised a third concern, which is that allowing the client to decide on the difficulty of the puzzle it is willing to solve adds unneeded complexity. Basically the client doesn't have enough information to make a good decision.
> 
> To answer your question, I think we've already been down this path and reducing the variance is certainly a good thing.
> 

I’m sure that less variance is better than more variance, but that comes at the expense of more work for the responder. So do we set the number of returned results to 1, with minimal work for the responder and maximum variance?  Do we set it to 8, with a nice balance between fairness and responder work?  Do we set it to 64, with a huge packet, a lot of responder work and maximum fairness?  Or do we let the responder decide and communicate through the challenge, which has some complexity cost?

Yoav



From nobody Mon May 11 08:19:41 2015
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 863B81A8AD6 for <ipsec@ietfa.amsl.com>; Mon, 11 May 2015 08:19:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gk_TYTjUdJw6 for <ipsec@ietfa.amsl.com>; Mon, 11 May 2015 08:19:38 -0700 (PDT)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 277C01A8ADD for <ipsec@ietf.org>; Mon, 11 May 2015 08:19:38 -0700 (PDT)
Received: by wgin8 with SMTP id n8so131729428wgi.0 for <ipsec@ietf.org>; Mon, 11 May 2015 08:19:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=b2KCTP1Gf09Ut+xN1RMWRVl+lWdIcmysgsTa/6KtQlg=; b=uZM1/scfHVCGLmKQXvpU9M9Ha7c+gn7O9SZujn/VIW3pErJxo0c8m2J8OnZeXhr/jO Uxt3L/OO6AR8GorL2oKa8X/Wzc6Z2tLylYTB4HOV1tFmQOEJDlVkPi6SlTt8xLYKnvPS nuj3MiJVEHuQCPnmTvHxIiNBnQnij/VQn4tPl0semIz7wXDEBecISO/NRXV/dVyDb8W1 pO9ui81EDs4KdR0kw/iY4x3JE2/mxjeDS8HYko6rqD4IdGrXIiFwVZJ3ay6X+nvg0qYZ eoaZBccMCfcxK6IHqnnwQb2+wnx4s8UHicS+KUV5LqAVzRUxMH19UbLUEuztAW+bRtO3 TX/A==
X-Received: by 10.194.62.167 with SMTP id z7mr20804110wjr.62.1431357576944; Mon, 11 May 2015 08:19:36 -0700 (PDT)
Received: from [192.168.12.107] (bzq-218-112-74.red.bezeqint.net. [81.218.112.74]) by mx.google.com with ESMTPSA id kc4sm23329745wjc.2.2015.05.11.08.19.35 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 May 2015 08:19:35 -0700 (PDT)
Message-ID: <5550C886.7050403@gmail.com>
Date: Mon, 11 May 2015 18:19:34 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>
References: <6A72CE8C-FBB2-460D-9BBE-4528496E1DC4@gmail.com> <554E368C.7040604@gmail.com> <025AD6B1-A1AE-4225-9703-72D2131551AD@gmail.com>
In-Reply-To: <025AD6B1-A1AE-4225-9703-72D2131551AD@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/5myMybPgHmQ7ZqQl2EMYma6-qxU>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] Restarting the discussion about the puzzle
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2015 15:19:39 -0000

IMO we should choose a reasonable balance and fix it in the document. We 
should care about packet size for sure, but 64 hashes are not that much 
work.

Thanks,
	Yaron

On 05/11/2015 06:01 PM, Yoav Nir wrote:
>
>> On May 9, 2015, at 7:32 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>>
>> Hi Yoav,
>>
>> First, I raised a third concern, which is that allowing the client to decide on the difficulty of the puzzle it is willing to solve adds unneeded complexity. Basically the client doesn't have enough information to make a good decision.
>>
>> To answer your question, I think we've already been down this path and reducing the variance is certainly a good thing.
>>
>
> I’m sure that less variance is better than more variance, but that comes at the expense of more work for the responder. So do we set the number of returned results to 1, with minimal work for the responder and maximum variance?  Do we set it to 8, with a nice balance between fairness and responder work?  Do we set it to 64, with a huge packet, a lot of responder work and maximum fairness?  Or do we let the responder decide and communicate through the challenge, which has some complexity cost?
>
> Yoav
>
>
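
The trade-off Yoav lays out above (fewer returned solutions means less work for the Responder but more variance for the Initiator), as an added example that is not code from the draft or from either poster. The puzzle form is assumed for illustration: find distinct 64-bit keys K such that HMAC-SHA256(K, cookie) ends in a given number of zero bits; the Responder verifies one PRF call per returned key, and the simulation shows how the spread of the Initiator's work shrinks as the number of required solutions grows.

```python
"""Puzzle trade-off from the thread: asking the Initiator for more
solutions per puzzle lowers the variance of its work, but costs the
Responder one PRF evaluation per returned solution and grows the packet.

Added example, not code from the draft or from either poster.  The
puzzle form is assumed for illustration: find distinct 64-bit keys K
such that HMAC-SHA256(K, cookie) ends in `difficulty` zero bits.
"""
import hashlib
import hmac
import math
import os
import random

KEY_LEN = 8  # bytes per returned solution (assumed)


def trailing_zero_bits(digest: bytes) -> int:
    """Number of trailing zero bits of a big-endian digest."""
    n = int.from_bytes(digest, "big")
    if n == 0:
        return len(digest) * 8
    return (n & -n).bit_length() - 1


def prf(key: bytes, cookie: bytes) -> bytes:
    return hmac.new(key, cookie, hashlib.sha256).digest()


def solve_puzzle(cookie, difficulty, num_solutions, seed=0):
    """Initiator side: brute-force `num_solutions` distinct keys.
    Returns (keys, prf_calls); prf_calls is the work actually spent."""
    rng = random.Random(seed)  # seeded so the example is reproducible
    keys, tried, calls = [], set(), 0
    while len(keys) < num_solutions:
        key = rng.getrandbits(8 * KEY_LEN).to_bytes(KEY_LEN, "big")
        if key in tried:
            continue
        tried.add(key)
        calls += 1
        if trailing_zero_bits(prf(key, cookie)) >= difficulty:
            keys.append(key)
    return keys, calls


def verify_solutions(cookie, difficulty, keys, num_solutions):
    """Responder side: exactly num_solutions distinct keys, each valid.
    Cost is one PRF call per key, i.e. the '64 hashes' in the thread."""
    if len(keys) != num_solutions or len(set(keys)) != len(keys):
        return False
    return all(trailing_zero_bits(prf(k, cookie)) >= difficulty for k in keys)


def geometric_tries(p, rng):
    """PRF calls until the first success when each call succeeds w.p. p."""
    u = rng.random()  # in [0, 1), so 1 - u is never 0
    return int(math.log(1.0 - u) / math.log(1.0 - p)) + 1


def work_stats(difficulty, num_solutions, trials=2000, seed=1):
    """Monte Carlo over `trials` puzzles: mean total PRF calls and their
    coefficient of variation (std / mean) for the Initiator."""
    rng = random.Random(seed)
    p = 2.0 ** -difficulty
    samples = [sum(geometric_tries(p, rng) for _ in range(num_solutions))
               for _ in range(trials)]
    mean = sum(samples) / trials
    var = sum((s - mean) ** 2 for s in samples) / (trials - 1)
    return mean, math.sqrt(var) / mean


def expected_cv(num_solutions):
    """Sum of k i.i.d. geometrics with small p has CV close to 1/sqrt(k)."""
    return 1.0 / math.sqrt(num_solutions)


if __name__ == "__main__":
    cookie = os.urandom(16)  # constructed stand-in for the Responder's cookie
    for k in (1, 8, 64):
        keys, calls = solve_puzzle(cookie, 8, k, seed=k)
        assert verify_solutions(cookie, 8, keys, k)
        mean, cv = work_stats(8, k)
        print(f"k={k:2d}: initiator spent {calls:6d} PRF calls, responder "
              f"verifies {k:2d}, payload {KEY_LEN * k:3d} bytes, "
              f"work CV {cv:.2f} (expected {expected_cv(k):.2f})")
```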


From nobody Tue May 12 07:51:44 2015
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F6201B2E0E for <ipsec@ietfa.amsl.com>; Tue, 12 May 2015 07:51:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.552
X-Spam-Level: 
X-Spam-Status: No, score=0.552 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XyhM0aFUAiWg for <ipsec@ietfa.amsl.com>; Tue, 12 May 2015 07:51:42 -0700 (PDT)
Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70B641B2E0D for <ipsec@ietf.org>; Tue, 12 May 2015 07:51:42 -0700 (PDT)
Received: from [10.20.30.101] (50-1-98-218.dsl.dynamic.fusionbroadband.com [50.1.98.218]) (authenticated bits=0) by proper.com (8.15.1/8.14.9) with ESMTPSA id t4CEpepX001329 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Tue, 12 May 2015 07:51:41 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host 50-1-98-218.dsl.dynamic.fusionbroadband.com [50.1.98.218] claimed to be [10.20.30.101]
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <BCF783F1-5195-4715-BBA9-DEE207C418A0@vpnc.org>
Date: Tue, 12 May 2015 07:51:40 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CEA1F580-0C49-40D8-9903-EF24122BE8EE@vpnc.org>
References: <BCF783F1-5195-4715-BBA9-DEE207C418A0@vpnc.org>
To: IPsecME WG <ipsec@ietf.org>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/V9UHim8Iru1SrVkRleq0DiLgQ70>
Subject: [IPsec] Publication requested for draft-ietf-ipsecme-chacha20-poly1305
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2015 14:51:43 -0000

Greetings again. I have asked our AD to move this draft forwards for
IETF Last Call. She will first review it and, if she has desired
changes, will probably ask for them to be done before taking the draft
to the IETF.

You can always see the current status of the document at
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-chacha20-poly1305/
If you have a Datatracker account (which is free and easy to get), you
can even subscribe to the Atom feed for the document (and any other
draft).

--Paul Hoffman


From nobody Wed May 13 14:24:31 2015
Return-Path: <internet-drafts@ietf.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8840A1ACEDC; Wed, 13 May 2015 14:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H54CBf4LLDwg; Wed, 13 May 2015 14:24:27 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B62B1ACEB7; Wed, 13 May 2015 14:24:27 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150513212427.25594.74900.idtracker@ietfa.amsl.com>
Date: Wed, 13 May 2015 14:24:27 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/lWRusZrh256WH3uCSwPvMoFcQfE>
Cc: ipsec@ietf.org
Subject: [IPsec] I-D Action: draft-ietf-ipsecme-chacha20-poly1305-08.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 21:24:28 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions Working Group of the IETF.

        Title           : ChaCha20, Poly1305 and their use in IKE & IPsec
        Author          : Yoav Nir
        Filename        : draft-ietf-ipsecme-chacha20-poly1305-08.txt
        Pages           : 11
        Date            : 2015-05-13

Abstract:
   This document describes the use of the ChaCha20 stream cipher along
   with the Poly1305 authenticator, combined into an AEAD algorithm for
   the Internet Key Exchange protocol (IKEv2) and for IPsec.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-chacha20-poly1305/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-ipsecme-chacha20-poly1305-08

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-chacha20-poly1305-08


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed May 13 14:27:32 2015
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD301ACF59 for <ipsec@ietfa.amsl.com>; Wed, 13 May 2015 14:27:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id voMfMsmq5DuD for <ipsec@ietfa.amsl.com>; Wed, 13 May 2015 14:27:22 -0700 (PDT)
Received: from mail-wg0-x235.google.com (mail-wg0-x235.google.com [IPv6:2a00:1450:400c:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 186DA1AD05D for <ipsec@ietf.org>; Wed, 13 May 2015 14:27:22 -0700 (PDT)
Received: by wgin8 with SMTP id n8so56420860wgi.0 for <ipsec@ietf.org>; Wed, 13 May 2015 14:27:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=c5jUHLwOi9VrlZW03u5QD5PbxEmfWZ6ytzl7sEQYDDA=; b=Hm+m/a3AGx3LAjnVucaVNbSRGTnk6KpPObJB97tRDYQO1dXp0fBfrKTlrVGVagep2+ s0/ZR6McSXm2PnZwo0XeKJU4QHeAHn0cBDdQeKS4sgd0HRup2XfkEAQYH3xeA6wvOqUm KxgJCZ3/zKkiu0Qh2z0xGbPP69LFTyL99vExJI3+31FQg4+Yrw6rK5+8g1ELWaPWFdLH 8X/Uzhq7k8WRv1XZiVP2/7Ntn6PfUGBwuxIUJ5zE+YddXvPOU0gelsOi7m0jPsYHLIeS IGVfE05/xXmmEhajF8sYMaNtTnMjIrx7lrXrp6TO5rH1/rAu8iCNqw8UXqBf1ljRuV4T dC4g==
X-Received: by 10.181.11.193 with SMTP id ek1mr17927036wid.15.1431552440736; Wed, 13 May 2015 14:27:20 -0700 (PDT)
Received: from [192.168.1.17] ([46.120.13.132]) by mx.google.com with ESMTPSA id j12sm34861869wjn.48.2015.05.13.14.27.19 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 13 May 2015 14:27:20 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20150513212427.25594.97541.idtracker@ietfa.amsl.com>
Date: Thu, 14 May 2015 00:27:18 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <6E9956C5-2094-4567-9FDB-C8D628308E87@gmail.com>
References: <20150513212427.25594.97541.idtracker@ietfa.amsl.com>
To: IPsecME WG <ipsec@ietf.org>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/rkIU23FDx6jRuAC5-69m0vSKYcs>
Cc: Kathleen.Moriarty.ietf@gmail.com, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] New Version Notification - draft-ietf-ipsecme-chacha20-poly1305-08.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 21:27:30 -0000

Hi

I have just uploaded version -08. The only difference from version -07
is changing the reference for the algorithm document from draft-irtf- to
RFC 7539.

Yoav

> On May 14, 2015, at 12:24 AM, internet-drafts@ietf.org wrote:
>
>
> A new version (-08) has been submitted for draft-ietf-ipsecme-chacha20-poly1305:
> https://www.ietf.org/internet-drafts/draft-ietf-ipsecme-chacha20-poly1305-08.txt
>
>
> The IETF datatracker page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-chacha20-poly1305/
>
> Diff from previous version:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-chacha20-poly1305-08
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> IETF Secretariat.
>


From nobody Thu May 14 08:24:35 2015
Return-Path: <housley@vigilsec.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 107AC1A1EFD for <ipsec@ietfa.amsl.com>; Thu, 14 May 2015 08:24:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.899
X-Spam-Level: 
X-Spam-Status: No, score=-101.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S8LA-GVYm3sC for <ipsec@ietfa.amsl.com>; Thu, 14 May 2015 08:24:32 -0700 (PDT)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 1AB0C1A1EF9 for <ipsec@ietf.org>; Thu, 14 May 2015 08:24:29 -0700 (PDT)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id B685F9A4020 for <ipsec@ietf.org>; Thu, 14 May 2015 11:24:18 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id 8Kwz4qKW10NC for <ipsec@ietf.org>; Thu, 14 May 2015 11:23:57 -0400 (EDT)
Received: from [192.168.2.100] (pool-96-255-145-93.washdc.fios.verizon.net [96.255.145.93]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 7F1389A402D for <ipsec@ietf.org>; Thu, 14 May 2015 11:23:57 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-416-190777305
Date: Thu, 14 May 2015 11:23:46 -0400
Message-Id: <F8B1C0BD-144A-4DFC-8F7C-2BEE938F26C6@vigilsec.com>
To: IETF IPsec <ipsec@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/SjjaTbW1M21ueGBGMmg8QKR9KWU>
Subject: [IPsec] Ignoring UDP/TCP checksums
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 15:24:34 -0000

--Apple-Mail-416-190777305
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252


http://arstechnica.com/information-technology/2015/05/the-discovery-of-apache-zookeepers-poison-packet/

This article describes a set of four bugs that caused a serious problem
for one open source project:

"RFC 3948 tells the tale. It states that while using IPSec in NAT-T
Transport mode, the client MAY forgo the validation of the TCP/UDP
checksum under the assumption that packet integrity is already protected
by ESP. ... The assumption made by the authors is invalid, as there is
clearly ample opportunity for corruption prior to ESP/IP formation.
While checksumming is a great way to detect in-flight corruption, it can
also be used as a tool to detect corruption during the formation of the
packet. It is the latter point that was overlooked, and this
optimization has come to bite us. ... We claim this is a bug—intentional
or not."

Russ


--Apple-Mail-416-190777305--


From nobody Thu May 14 09:24:20 2015
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCDDC1A884E for <ipsec@ietfa.amsl.com>; Thu, 14 May 2015 09:24:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSFvhWgm2XiV for <ipsec@ietfa.amsl.com>; Thu, 14 May 2015 09:24:09 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AE5D1A886C for <ipsec@ietf.org>; Thu, 14 May 2015 09:24:02 -0700 (PDT)
Received: by wizk4 with SMTP id k4so247978638wiz.1 for <ipsec@ietf.org>; Thu, 14 May 2015 09:24:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=1Db85K2qCitWqfxapQX/Wa/9t4Nchs4onngXHDygJQE=; b=XD830ymlTubKxYinDMWuIjS0StYcMR7nJluq0WPR9x2dSmKSGgPTrGeGrP9WbpjFld HJ61XPmJae9kcMBM/O+W82dVekeiB+X2udK3yBlDNQI2ugqZJ6BDVdBtY8WvMOolTGI/ 71snE8/iIla/2UYcr5Wj9yE+LtJ6UmHH2SYfzL97gs1ZBR1PA23z6z7N9WT1nYS02TUx iAgB0bLhv1ZVcbEQ5UEHjSe2GJfg1aHnemlvf6+nfpn071apgFCUjcx/B3VRK18uRN3W tY8XYraVNbG/q9dANpZ151vDi/yLK//xaOQC3k0YpH2eD8++3Cnpya930Fv/vbfG4e1H HG9Q==
X-Received: by 10.180.206.229 with SMTP id lr5mr50812912wic.86.1431620640491;  Thu, 14 May 2015 09:24:00 -0700 (PDT)
Received: from [10.0.0.4] (bzq-109-65-204-75.red.bezeqint.net. [109.65.204.75]) by mx.google.com with ESMTPSA id b5sm14041182wiw.8.2015.05.14.09.23.58 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 May 2015 09:23:59 -0700 (PDT)
Message-ID: <5554CC1E.7060300@gmail.com>
Date: Thu, 14 May 2015 19:23:58 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>, IETF IPsec <ipsec@ietf.org>
References: <F8B1C0BD-144A-4DFC-8F7C-2BEE938F26C6@vigilsec.com>
In-Reply-To: <F8B1C0BD-144A-4DFC-8F7C-2BEE938F26C6@vigilsec.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/BQg8YCI2TOT15AvMgHqVntVV4aA>
Subject: Re: [IPsec] Ignoring UDP/TCP checksums
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 16:24:12 -0000

This is a great article, but I disagree with his point about IPsec. ESP 
detects malicious or benign data corruption on the wire, and I don't 
think it is the job of IPsec to detect errors that are actually 
introduced by bugs in the sender's network stack. So I think that 
exempting the receiver from verifying the checksum was a correct decision.

Thanks,
	Yaron

On 05/14/2015 06:23 PM, Russ Housley wrote:
>
> http://arstechnica.com/information-technology/2015/05/the-discovery-of-apache-zookeepers-poison-packet/
>
> This article describes a set of four bugs that caused a serious problem
> for one open source project:
>
> "RFC 3948 tells the tale. It states that while using IPSec in NAT-T
> Transport mode, the client MAY forgo the validation of the TCP/UDP
> checksum under the assumption that packet integrity is already protected
> by ESP. ... The assumption made by the authors is invalid, as there is
> clearly ample opportunity for corruption prior to ESP/IP formation.
> While checksumming is a great way to detect in-flight corruption, it can
> also be used as a tool to detect corruption during the formation of the
> packet. It is the latter point that was overlooked, and this
> optimization has come to bite us. ... We claim this is a bug—intentional
> or not."
>
> Russ
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
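
The point the quoted article makes (and that Yaron disputes), as an added example that is not code from the article, RFC 3948 or either poster: the sender computes the UDP checksum, a simulated stack bug then corrupts the datagram before ESP encapsulation, and ESP integrity protection, modelled here as an HMAC tag over the inner packet with no encryption, verifies fine either way. Only a receiver that still validates the UDP checksum notices; all addresses, ports and keys are constructed.

```python
"""UDP checksum versus ESP integrity when corruption happens before ESP.

Added example, not code from the article, RFC 3948 or the posters.
ESP is reduced to an HMAC-SHA256 tag over the inner UDP segment
(integrity only, no encryption); addresses, ports and keys are made up.
"""
import hashlib
import hmac
import struct

PROTO_UDP = 17
ICV_LEN = 32  # full HMAC-SHA256 output, a simplification of a real ESP ICV


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, odd tail zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the UDP checksum (RFC 768)."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_UDP, udp_len)


def udp_checksum(src_ip, dst_ip, segment_with_zero_csum: bytes) -> int:
    """Checksum to place in the UDP header; computed with the field zeroed."""
    s = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment_with_zero_csum))
                            + segment_with_zero_csum)
    csum = (~s) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is transmitted as all ones


def udp_checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver check: the sum over pseudo-header + segment must be all ones."""
    if struct.unpack_from("!H", segment, 6)[0] == 0:
        return True  # IPv4 allows a sender to omit the checksum entirely
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def sender_build(src_ip, dst_ip, sport, dport, payload: bytes, corrupt_at=None) -> bytes:
    """Form a UDP segment with a correct checksum, then optionally flip one
    payload bit to model a stack bug that hits after checksumming but before
    ESP encapsulation, which is the case the article describes."""
    seg = bytearray(struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)
    struct.pack_into("!H", seg, 6, udp_checksum(src_ip, dst_ip, bytes(seg)))
    if corrupt_at is not None:
        seg[8 + corrupt_at] ^= 0x01
    return bytes(seg)


def esp_protect(key: bytes, inner: bytes) -> bytes:
    """Simplified ESP: inner packet followed by an integrity tag."""
    return inner + hmac.new(key, inner, hashlib.sha256).digest()


def receiver(key, src_ip, dst_ip, esp_packet: bytes, verify_udp_checksum: bool) -> str:
    """verify_udp_checksum=False is the RFC 3948 optimization under discussion."""
    inner, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, inner, hashlib.sha256).digest()):
        return "dropped: ESP integrity check failed"
    if verify_udp_checksum and not udp_checksum_ok(src_ip, dst_ip, inner):
        return "dropped: UDP checksum mismatch"
    return "delivered"


if __name__ == "__main__":
    src, dst, key = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"constructed-esp-key"
    for corrupt in (None, 3):
        pkt = esp_protect(key, sender_build(src, dst, 4500, 4500, b"poison packet", corrupt))
        for check in (True, False):
            print(f"corrupted={corrupt is not None} udp_check={check}: "
                  f"{receiver(key, src, dst, pkt, check)}")
```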


From nobody Wed May 20 05:13:39 2015
Return-Path: <fdetienn@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD2301A0032 for <ipsec@ietfa.amsl.com>; Wed, 20 May 2015 05:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.612
X-Spam-Level: 
X-Spam-Status: No, score=-12.612 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7xOu8hE1ImeC for <ipsec@ietfa.amsl.com>; Wed, 20 May 2015 05:13:36 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCE2B1A0035 for <ipsec@ietf.org>; Wed, 20 May 2015 05:13:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=666; q=dns/txt; s=iport; t=1432124014; x=1433333614; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=miQIINesuY7xUPPdeTQqgZGqbtX5D/0murzXQE5rQ2U=; b=aMxQWYG/01YbvU591zr3khw9DWt0POOyWjcquR+75rcyzWnIxHq3IczT XCxbnMhw1xIGqWQeEO+RC76e6D7RhO5Rsbq7k7xc1rTf45vYn3CkhMRPn c9FJfIcHMJ+kRzQ+kQg+bgmWUabI9168LP5D61MKrAJD5qhzK4g2hchlj I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AnBQA1eVxV/40NJK1cgxCBOMQPb4dRgTo5EwEBAQEBAQGBCoQlBDo/EgE+QicEDogxzEMBAQEBAQEBAQEBAQEBAQEBHJA/gx6BFgWScIsAlxQjg3iCNYEBAQEB
X-IronPort-AV: E=Sophos;i="5.13,464,1427760000";  d="scan'208";a="413606"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by rcdn-iport-1.cisco.com with ESMTP; 20 May 2015 12:13:34 +0000
Received: from xhc-aln-x15.cisco.com (xhc-aln-x15.cisco.com [173.36.12.89]) by alln-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id t4KCDYm6031152 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <ipsec@ietf.org>; Wed, 20 May 2015 12:13:34 GMT
Received: from xmb-aln-x06.cisco.com ([169.254.1.97]) by xhc-aln-x15.cisco.com ([173.36.12.89]) with mapi id 14.03.0195.001; Wed, 20 May 2015 07:13:33 -0500
From: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: How to negotiate a new capability with parameters
Thread-Index: AQHQkvZkMp49LYMC/UKyGc8oqSt71g==
Date: Wed, 20 May 2015 12:13:33 +0000
Message-ID: <67FE655C-E516-4F51-BD91-1FB7AE481CE9@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.60.74.179]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <AC25D6CE82187444B2F0615CE5E9176A@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/s6iQBDC2IjlRRZj3prJnTNVfYEY>
Cc: "Piotr Kupisiewicz \(pkupisie\)" <pkupisie@cisco.com>, "Yeleshwarapu Sairam \(ysairam\)" <ysairam@cisco.com>, "Amjad Inamdar \(amjads\)" <amjads@cisco.com>
Subject: [IPsec] How to negotiate a new capability with parameters
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2015 12:13:37 -0000

Hello,

We would like to implement new vendor specific capabilities under IKEv2. This
capability requires argument passing. These arguments should be protected
(encrypted and signed).

We were wondering what was the cleanest way to do this.

What seemed the most logical is

1- negotiating capability in message 1/2 via a Vendor-ID payload
2- if both peers support capability, exchange parameters via Notify Payloads
in message 3/4 or later

We were considering using configuration attributes instead of Notify Payload
but we are not sure this is an adequate message type.

Can someone give us some advice?

thanks,

	Frederic Detienne


From nobody Wed May 20 05:38:17 2015
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0CDF1A00C3 for <ipsec@ietfa.amsl.com>; Wed, 20 May 2015 05:38:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.909
X-Spam-Level: *
X-Spam-Status: No, score=1.909 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F7i4csuaOcqw for <ipsec@ietfa.amsl.com>; Wed, 20 May 2015 05:38:15 -0700 (PDT)
Received: from mail-la0-x234.google.com (mail-la0-x234.google.com [IPv6:2a00:1450:4010:c03::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9C111A00BE for <ipsec@ietf.org>; Wed, 20 May 2015 05:38:14 -0700 (PDT)
Received: by lagv1 with SMTP id v1so71864718lag.3 for <ipsec@ietf.org>; Wed, 20 May 2015 05:38:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:from:to:cc:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=qCJmGU9Z+QbfhLay8iJcQ42T6jRd88tQyOk3V/J1bLg=; b=NbHh7hYztwVkxeSLJF3YxpCtaOqRy1weRqgaI6dzjySe6+/dDLRpCwqs7OWwV3J95N vrSmhzE6CYxutf0DrDnREGcJZyMnSRoDlOatOcVePvtRW+NSN5nVFnhfnFQPBRMNzCsq W50thWQIVoMc+jhxb2MuiV8cQt4IDGM6O6/8Ni6ZHhv9wpaOxTdlx0Z8m82imKrQbIUZ 8Ctjo0dyDHO2QsMsxdoIHqF0OefXVh1ExRmeVs9f16KmyCwizeXA+I/Nv9n5zKC6/mQQ x1GIin+w/zxtUboloUjT4mX5ksNV+J3dfmqoEeZwqp8lYqbrbF5UWwo+yVt5MlF2w2/A FwXw==
X-Received: by 10.112.171.68 with SMTP id as4mr3749191lbc.64.1432125493500; Wed, 20 May 2015 05:38:13 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by mx.google.com with ESMTPSA id ky7sm4539843lab.37.2015.05.20.05.38.12 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 20 May 2015 05:38:12 -0700 (PDT)
Message-ID: <A206417BF1CB4E37AEAAE2AD05C70F15@buildpc>
From: "Valery Smyslov" <svanru@gmail.com>
To: "Frederic Detienne \(fdetienn\)" <fdetienn@cisco.com>, <ipsec@ietf.org>
References: <67FE655C-E516-4F51-BD91-1FB7AE481CE9@cisco.com>
Date: Wed, 20 May 2015 15:38:06 +0300
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/O5Il5s2OIsmXBY7u3aRqbc6yock>
Cc: "Piotr Kupisiewicz \(pkupisie\)" <pkupisie@cisco.com>, "Yeleshwarapu Sairam \(ysairam\)" <ysairam@cisco.com>, "Amjad Inamdar \(amjads\)" <amjads@cisco.com>
Subject: Re: [IPsec] How to negotiate a new capability with parameters
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2015 12:38:16 -0000

Hi Frederic,

in IKEv2 the BCP is that optional capabilities are negotiated
via exchange of Notify Payloads with the type from Status Types range.
These notifications must be ignored by unsupported implementations,
so there is no harm if they are present in IKE Message.
Vendor ID can also be used for this purpose, but
Notify Payloads usually win in terms of compactness
and fine-grained capability negotiation.

As for your scenario, I don't know the details,
but it seems to me that step 1 is not needed.
The presence of Notify Payload with the parameters
in Message 3 (IKE_AUTH Request) will serve as an
indication for the responder that the initiator supports
these new capabilities. If the responder doesn't support
them, it will include no such Notify Payload in response,
if it does - it will respond with that Payload with the needed
parameters. I could have missed something due to the lack
of details you have given, but as you described it, it should work.

Regards,
Valery Smyslov.


> Hello,
>
> We would like to implement new vendor specific capabilities under IKEv2. 
> This capability requires argument passing. These arguments should be 
> protected (encrypted and signed).
>
> We were wondering what was the cleanest way to do this.
>
> What seemed the most logical is
>
> 1- negotiating capability in message 1/2 via a Vendor-ID payload
> 2- if both peers support capability, exchange parameters via Notify 
> Payloads in message 3/4 or later
>
> We were considering using configuration attributes instead of Notify 
> Payload but we are not sure this is an adequate message type.
>
> Can someone give us some advice?
>
> thanks,
>
> Frederic Detienne
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec 
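
The Notify-based negotiation Valery describes above, as an added example that is not code from the thread or from any implementation: the Initiator carries its parameters in a status-type Notify in the IKE_AUTH request; a Responder that does not recognise the type ignores it (RFC 7296, section 3.10.1), and one that does replies with its own copy. The payload layout follows RFC 7296 section 3.10; the type value 40961 is a constructed private-use number, the parameter format is made up, and the chain is parsed as if it held Notify payloads only.

```python
"""IKEv2 capability negotiation with status-type Notify payloads.

Added example, not code from the thread.  Notify payload layout is
RFC 7296 section 3.10.  NOTIFY_TYPE_EXAMPLE_CAP (40961) is a constructed
private-use status type and the parameter encoding is invented.  In a real
exchange both chains travel inside the encrypted SK payload of IKE_AUTH,
which is what protects the parameters.
"""
import struct

PAYLOAD_TYPE_NOTIFY = 41
NO_NEXT_PAYLOAD = 0
ERROR_TYPE_MAX = 16383            # Notify types 0..16383 are error types
STATUS_PRIVATE_USE_MIN = 40960    # 40960..65535: private-use status types
NOTIFY_TYPE_EXAMPLE_CAP = 40961   # constructed value for this example only


def build_notify(ntype, data=b"", next_payload=NO_NEXT_PAYLOAD):
    """Encode one Notify payload with Protocol ID 0 and no SPI (IKE SA scope).
    Fields: Next Payload, C+Reserved, Payload Length, Protocol ID, SPI Size, Type."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), 0, 0, ntype) + data


def build_chain(notifies):
    """Encode [(type, data), ...] as Notify payloads linked by Next Payload."""
    chunks = []
    for i, (ntype, data) in enumerate(notifies):
        nxt = PAYLOAD_TYPE_NOTIFY if i + 1 < len(notifies) else NO_NEXT_PAYLOAD
        chunks.append(build_notify(ntype, data, nxt))
    return b"".join(chunks)


def parse_notify_chain(buf):
    """Decode a chain that starts with a Notify payload; returns [(type, data)].
    Length fields are checked against the buffer before any slicing."""
    out, offset, expect = [], 0, PAYLOAD_TYPE_NOTIFY
    while expect != NO_NEXT_PAYLOAD:
        if expect != PAYLOAD_TYPE_NOTIFY:
            raise ValueError(f"payload type {expect} not handled in this example")
        if len(buf) - offset < 8:
            raise ValueError("truncated Notify header")
        nxt, _flags, length, _proto, spi_size, ntype = struct.unpack_from("!BBHBBH", buf, offset)
        if length < 8 + spi_size or offset + length > len(buf):
            raise ValueError("bad Notify payload length")
        out.append((ntype, buf[offset + 8 + spi_size: offset + length]))
        offset, expect = offset + length, nxt
    if offset != len(buf):
        raise ValueError("trailing bytes after last payload")
    return out


def is_wellformed(buf):
    try:
        parse_notify_chain(buf)
        return True
    except ValueError:
        return False


# Invented parameter format for the example capability: version and window.
def encode_params(version, window):
    return struct.pack("!HH", version, window)


def decode_params(data):
    if len(data) != 4:
        raise ValueError("bad capability parameter length")
    return struct.unpack("!HH", data)


def responder_reply(request, supported_caps, our_params):
    """Responder: unrecognised status types are ignored (and returned so the
    caller can log them); a recognised capability is answered with our
    parameters. Returns (response_chain, ignored_types)."""
    reply, ignored = [], []
    for ntype, data in parse_notify_chain(request):
        if ntype <= ERROR_TYPE_MAX:
            raise ValueError(f"unexpected error notify {ntype} in request")
        if ntype in supported_caps:
            version, _window = decode_params(data)  # validate before answering
            if version == our_params[0]:
                reply.append((ntype, encode_params(*our_params)))
        else:
            ignored.append(ntype)
    return build_chain(reply), ignored


def negotiate(init_params, responder_supports, resp_params=(1, 16)):
    """Run the exchange: the Notify's presence in the request signals support,
    its presence in the response confirms it. Returns the agreed
    (version, window) or None when the Responder stays silent."""
    request = build_chain([(NOTIFY_TYPE_EXAMPLE_CAP, encode_params(*init_params))])
    supported = {NOTIFY_TYPE_EXAMPLE_CAP} if responder_supports else set()
    response, _ignored = responder_reply(request, supported, resp_params)
    for ntype, data in (parse_notify_chain(response) if response else []):
        if ntype == NOTIFY_TYPE_EXAMPLE_CAP:
            version, window = decode_params(data)
            return version, min(window, init_params[1])
    return None


if __name__ == "__main__":
    print("responder supports capability:", negotiate((1, 32), True))
    print("responder does not:", negotiate((1, 32), False))
```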


From nobody Wed May 20 05:49:09 2015
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <67FE655C-E516-4F51-BD91-1FB7AE481CE9@cisco.com>
Date: Wed, 20 May 2015 15:49:01 +0300
Message-Id: <EEEB75BD-682A-4EC9-9756-37C2575A54C4@gmail.com>
References: <67FE655C-E516-4F51-BD91-1FB7AE481CE9@cisco.com>
To: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/szIDnYHStnKIYbSeqLQpw3QZFW0>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Piotr Kupisiewicz (pkupisie)" <pkupisie@cisco.com>, "Yeleshwarapu Sairam (ysairam)" <ysairam@cisco.com>, "Amjad Inamdar (amjads)" <amjads@cisco.com>
Subject: Re: [IPsec] How to negotiate a new capability with parameters

Hi, Frederic

That sounds mostly correct.

In IKEv1 capabilities were usually declared in VendorIDs. In IKEv2 they
are mostly declared in notifications within IKE_SA_INIT.  Why the
difference? No idea. It's just the way other extensions were
done, but with a private extension you can do either.

Whether the parameters are passed in new payloads, notify payloads or
Config attributes is a matter of taste. Generally, Config attributes are
mostly for remote access and have request-response semantics, so
they're somewhat negotiable. Notifications are for something one
side declares which is not negotiable, and new payloads are hardly ever
used.

Note though, that in the IKE_AUTH exchange, the peer is not yet
authenticated. So depending on how sensitive the content of the
parameters is, you might not want to send it at that point. The IKE SA
at that point protects against passive eavesdropping and message
modification only.

Yoav

> On May 20, 2015, at 3:13 PM, Frederic Detienne (fdetienn) <fdetienn@cisco.com> wrote:
>
> Hello,
>
> we would like to implement new vendor specific capabilities under IKEv2.
> This capability requires argument passing. These arguments should be
> protected (encrypted and signed).
>
> We were wondering what was the cleanest way to do this.
>
> What seemed the most logical is
>
> 1- negotiating capability in message 1/2 via a Vendor-ID payload
> 2- if both peers support capability, exchange parameters via Notify
> Payloads in message 3/4 or later
>
> We were considering using configuration attributes instead of Notify
> Payload but we are not sure this is an adequate message type.
>
> Can someone give us an advice ?
>
> thanks,
>
> 	Frederic Detienne


From nobody Wed May 20 06:13:23 2015
Message-ID: <511A838B06C64BBD812D2AF25799D5A3@buildpc>
From: "Valery Smyslov" <svanru@gmail.com>
To: "Yaron Sheffer" <yaronf.ietf@gmail.com>, "Yoav Nir" <ynir.ietf@gmail.com>,  "IPsecME WG" <ipsec@ietf.org>
References: <6A72CE8C-FBB2-460D-9BBE-4528496E1DC4@gmail.com> <554E368C.7040604@gmail.com>
Date: Wed, 20 May 2015 16:13:11 +0300
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/iZMhelk4P1QO98lHsMWmCxfzD_A>
Subject: Re: [IPsec] Restarting the discussion about the puzzle

Hi Yaron,

> First, I raised a third concern, which is that allowing the client to 
> decide on the difficulty of the puzzle it is willing to solve adds 
> unneeded complexity. Basically the client doesn't have enough information 
> to make a good decision.

The problem is that the server doesn't have enough information either.
Selecting appropriate puzzle difficulty so that weak legitimate clients
are not thrown away and, on the other hand, the server could
effectively defend against DoS attack looks like the main problem
of puzzles.

> To answer your question, I think we've already been down this path and 
> reducing the variance is certainly a good thing.

I agree that it is a good thing in general, but what is the price?
Is the game worth the candle? If the solution for 1 puzzle
is the key for PRF, then its size is the PRF's key size.
For HMAC-SHA2-256 it is 32 bytes. 8 solutions would take
256 bytes, 16 - 512 bytes. Don't you think it is too much
for IKE_SA_INIT messages to be sure it is not fragmented?

Let's look at the problem from another angle. The puzzles are
needed only if the server is under DoS attack, and the most
dangerous scenario is DDoS attack. In this case the server
meets thousands of clients, most of which are attackers.
All the clients are of different power. In this situation what
would we get by spending efforts to reduce the variance
of puzzles? Imagine we have implemented some mechanism
that guarantees that different puzzles require roughly the same
time to be solved on a single computer. But the diversity
of computing power of clients would make this effort far less
valuable - it would be great if the server could know the power
of any client beforehand and give each client its own puzzle,
but it is impossible.

Regards,
Valery.



> Thanks,
> Yaron
>
> On 05/07/2015 04:52 PM, Yoav Nir wrote:
> > Hi.
> >
> > As a reminder, there were two concerns about the difficulty of puzzles:
> > • That some clients are weaker than others and therefore are able to try
> > fewer keys in a unit of time
> > • That individual puzzles might prove more difficult than other puzzles,
> > so some “unlucky” initiators might take too long to solve the puzzle.
> >
> > This is about the second issue. I’d be glad if someone could make a
> > measurement of solving the proposed puzzle on an ARM processor so that we
> > can know how much of an issue #1 is.
> >
> > As Tero has mentioned, there are no easy or hard puzzles. Depending on
> > how you order your guesses you might stumble upon the solution very
> > quickly, or you might be trying millions of keys before hitting the
> > answer. Choose a different ordering of your guesses for the same puzzle,
> > and you might get very different results.  Still, we don’t like that luck
> > plays such a role.
> >
> > One way to reduce the variance is to increase the sample size: instead
> > of looking for one key for a hard puzzle, we can require the initiator
> > to return several correct solutions for an easier puzzle.  The advantage
> > is that it indeed reduces the variance. The disadvantage is that the
> > responder’s job becomes more difficult, as it has to verify not one but
> > several correct solutions.
> >
> > I’ve run a test of 20 randomly-generated cookies, and set the puzzle
> > difficulty to 20 bits when requiring 1 solution, 19 bits when requiring
> > 2 solutions, 18 bits when requiring 4 solutions, etc. The full results
> > are in the attached Excel file (all results in seconds), but here’s a
> > summary:
> >
> > Bits | keys | median | % over twice median
> > -----+------+--------+--------------------
> >   20 |   1  |  0.947 |  30.0%
> >   19 |   2  |  1.309 |  15.0%
> >   18 |   4  |  1.464 |   5.0%
> >   17 |   8  |  1.516 |   1.5%
> >   16 |  16  |  1.499 |   0.5%
> >   15 |  32  |  1.507 |   0.0%
> >   14 |  64  |  1.499 |   0.0%
> > -----+------+--------+--------------------
> >
> > I could increase the sample to get more accurate results, or look for
> > results that are 3 times the median or 3 times the average etc. But just
> > looking at this it seems to me that either 8 or 16 keys is the sweet
> > spot, where an initiator is not likely to get stuck, a packet is not too
> > big, and the load on the responder is not too great.
> >
> > Comments?
> >
> > Yoav
>
>

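The experiment Yoav describes in the quoted message, and the payload-size arithmetic Valery answers with, reproduced as an added example. This is not Yoav's code or the spreadsheet he attached, and it is not the wire format of the puzzle draft: the puzzle is modelled, as an assumption, as finding a 32-byte HMAC-SHA2-256 key whose PRF output over the cookie ends in `difficulty` zero bits; the cookies are constructed at random; and work is counted in keys tried rather than seconds so the spread does not depend on the machine. Each row requires k solutions at base_bits - log2(k) bits, so the expected work (about 2**base_bits guesses) is the same in every row and only the variance changes; payload_bytes is the k × 32 bytes Valery computes.

```python
import hmac
import hashlib
import random
import statistics

KEY_LEN = 32   # HMAC-SHA2-256 key size: the size of one puzzle solution on the wire


def trailing_zero_bits(digest):
    """Number of least-significant zero bits in a digest."""
    v = int.from_bytes(digest, "big")
    if v == 0:
        return len(digest) * 8
    return (v & -v).bit_length() - 1


def puzzle_ok(key, cookie, difficulty):
    """Puzzle model (assumption, not the draft's exact wire definition): key solves
    the puzzle for cookie when HMAC-SHA256(key, cookie) ends in >= difficulty zero bits."""
    tag = hmac.new(key, cookie, hashlib.sha256).digest()
    return trailing_zero_bits(tag) >= difficulty


def solve(cookie, difficulty, n_solutions, seed=0):
    """Guess random keys until n_solutions of them solve the puzzle.
    Returns (keys, number_of_keys_tried); the guess order is the seeded RNG's order."""
    rng = random.Random(seed)
    keys, tries = [], 0
    while len(keys) < n_solutions:
        key = rng.getrandbits(KEY_LEN * 8).to_bytes(KEY_LEN, "big")
        tries += 1
        if puzzle_ok(key, cookie, difficulty):
            keys.append(key)
    return keys, tries


def measure(base_bits=10, n_cookies=60, seed=1):
    """Repeat the measurement in key-guesses: for k in 1,2,4,8,16 require k solutions
    at base_bits - log2(k) bits, so every row costs about 2**base_bits guesses."""
    rng = random.Random(seed)
    # constructed sample cookies, not values taken from any implementation
    cookies = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n_cookies)]
    rows = {}
    for k in (1, 2, 4, 8, 16):
        bits = base_bits - (k.bit_length() - 1)          # log2(k) for powers of two
        work = [solve(c, bits, k, seed=1000 * k + i)[1] for i, c in enumerate(cookies)]
        med = statistics.median(work)
        rows[k] = {
            "bits": bits,
            "median": med,
            "over_twice_median": sum(w > 2 * med for w in work) / len(work),
            "cv": statistics.pstdev(work) / statistics.mean(work),   # relative spread
            "payload_bytes": k * KEY_LEN,   # Valery's concern: 16 solutions = 512 bytes
        }
    return rows


if __name__ == "__main__":
    print("bits | keys | median guesses | % over twice median | cv   | bytes")
    for k, r in measure().items():
        print(f"{r['bits']:4d} | {k:4d} | {r['median']:14.1f} | "
              f"{r['over_twice_median']:19.1%} | {r['cv']:.2f} | {r['payload_bytes']}")
```

With one solution the guess count is geometric, so its spread is about as large as its mean and a quarter of the initiators land beyond twice the median; with 16 solutions the count is a sum of 16 such draws and the tail collapses, which is the effect in Yoav's table. The payload_bytes column is what that costs in IKE_SA_INIT, where there is no fragmentation yet.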


From nobody Wed May 20 06:58:20 2015
From: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 20 May 2015 13:57:54 +0000
Message-ID: <C70239E4-C729-4E46-B378-B8C997E532FE@cisco.com>
References: <67FE655C-E516-4F51-BD91-1FB7AE481CE9@cisco.com>, <EEEB75BD-682A-4EC9-9756-37C2575A54C4@gmail.com>
In-Reply-To: <EEEB75BD-682A-4EC9-9756-37C2575A54C4@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/Tk3bwEY3Em9FCRuX-sHph_q2ITM>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Piotr Kupisiewicz (pkupisie)" <pkupisie@cisco.com>, "Yeleshwarapu Sairam (ysairam)" <ysairam@cisco.com>, "Amjad Inamdar (amjads)" <amjads@cisco.com>
Subject: Re: [IPsec] How to negotiate a new capability with parameters

Thanks!

Sent from my iPad



From nobody Wed May 20 07:05:24 2015
From: "Frederic Detienne (fdetienn)" <fdetienn@cisco.com>
To: Valery Smyslov <svanru@gmail.com>
Date: Wed, 20 May 2015 14:04:25 +0000
Message-ID: <5ABDD838-E92B-4EC8-A978-96D03523300E@cisco.com>
References: <67FE655C-E516-4F51-BD91-1FB7AE481CE9@cisco.com>, <A206417BF1CB4E37AEAAE2AD05C70F15@buildpc>
In-Reply-To: <A206417BF1CB4E37AEAAE2AD05C70F15@buildpc>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/43e4Aaa1kkjbwX11FKL9J8TlgTU>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Piotr Kupisiewicz (pkupisie)" <pkupisie@cisco.com>, "Yeleshwarapu Sairam (ysairam)" <ysairam@cisco.com>, "Amjad Inamdar (amjads)" <amjads@cisco.com>
Subject: Re: [IPsec] How to negotiate a new capability with parameters

Thanks Valery,

We are negotiating experimental keep-alive methods and a protected address
must be exchanged between the peers. This is why we wish to cover the
exchange.

We will go with a simple protected Notify in the Status Type range.

Thanks again and best regards,

  Fred


> On 20 May 2015, at 14:38, Valery Smyslov <svanru@gmail.com> wrote:
>
> Hi Frederic,
>
> in IKEv2 the BCP is that optional capabilities are negotiated
> via exchange of Notify Payloads with the type from Status Types range.
> These notifications must be ignored by unsupported implementations,
> so there is no harm if they are present in IKE Message.
> Vendor ID can also be used for this purpose, but
> Notify Payloads usually win in terms of compactness
> and fine-grained capability negotiation.
>
> What about your scenario - I don't know the details,
> but it seems to me that step 1 is not needed.
> The presence of Notify Payload with the parameters
> in Message 3 (IKE_AUTH Request) will serve as an
> indication for the responder that the initiator supports
> these new capabilities. If the responder doesn't support
> them, it will include no such Notify Payload in response,
> if it does - it will respond with that Payload with the needed
> parameters. I could have missed something due to the lack
> of details you have given, but as you described it, it must work.
>
> Regards,
> Valery Smyslov.
>
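The exchange Valery recommends and Frederic settles on, as an added example in Python; it is not code from any of the participants or from an IKEv2 implementation. The Notify payload layout and the message-type ranges are from RFC 7296 section 3.10 (0-16383 are error types, 40960-65535 are private-use status types). The private-use status type 41000, the notification data layout (a 2-byte keep-alive interval plus an IPv4 address) and all function names are assumptions for illustration. Only the chain of Notify payloads that would sit inside the Encrypted payload of IKE_AUTH is modelled; the IKE header, the SK wrapping and the rest of the exchange are left out.

```python
import struct
import ipaddress

# IKEv2 Notify payload constants, RFC 7296 section 3.10
PAYLOAD_NOTIFY = 41             # payload type number of a Notify payload
ERROR_TYPE_MAX = 16383          # 0..16383 are error types (8192..16383 private use)
STATUS_PRIVATE_MIN = 40960      # 40960..65535 are private-use status types

# Hypothetical private-use status type for the experimental keep-alive parameters
# (assumption for this example; not an IANA-registered value)
N_EXPERIMENTAL_KEEPALIVE = 41000


def build_notify(msg_type, data=b"", protocol_id=0, spi=b"", next_payload=0):
    """Encode one Notify payload: generic payload header, then the notify fields.
    Protocol ID 0 and no SPI is the IKE-SA form used for status notifications."""
    body = struct.pack("!BBH", protocol_id, len(spi), msg_type) + spi + data
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))   # critical bit clear
    return header + body


def parse_notifies(buf):
    """Walk a chain of Notify payloads by their length fields and return
    a list of (msg_type, spi, data) tuples, rejecting malformed lengths."""
    out = []
    while buf:
        if len(buf) < 8:
            raise ValueError("truncated Notify payload")
        _next, _flags, length = struct.unpack("!BBH", buf[:4])
        if length < 8 or length > len(buf):
            raise ValueError("bad payload length")
        _proto, spi_size, msg_type = struct.unpack("!BBH", buf[4:8])
        if 8 + spi_size > length:
            raise ValueError("SPI overruns payload")
        out.append((msg_type, buf[8:8 + spi_size], buf[8 + spi_size:length]))
        buf = buf[length:]
    return out


def encode_keepalive_params(interval_s, address):
    """Notification data layout assumed for this example: 2-byte interval, 4-byte IPv4."""
    return struct.pack("!H", interval_s) + ipaddress.IPv4Address(address).packed


def decode_keepalive_params(data):
    if len(data) != 6:
        raise ValueError("bad keep-alive parameter length")
    (interval,) = struct.unpack("!H", data[:2])
    return interval, str(ipaddress.IPv4Address(data[2:]))


def responder_handle_request(notify_chain, supported, own_params):
    """Responder side of the IKE_AUTH request.  RFC 7296: unrecognized error types
    in a request, and unrecognized status types anywhere, MUST be ignored.  A peer
    without the capability therefore drops the notify silently and answers with
    nothing; a peer with it answers with its own parameters.
    Returns (notify chain for the response, peer parameters or None)."""
    peer_params = None
    for msg_type, _spi, data in parse_notifies(notify_chain):
        if msg_type == N_EXPERIMENTAL_KEEPALIVE and supported:
            peer_params = decode_keepalive_params(data)
        # anything else (unknown error-in-request, unknown status) is ignored
    if peer_params is None:
        return b"", None
    reply = build_notify(N_EXPERIMENTAL_KEEPALIVE, encode_keepalive_params(*own_params))
    return reply, peer_params


def initiator_handle_response(notify_chain):
    """Initiator side of the IKE_AUTH response.  An error-range type in the response
    means the exchange failed (RFC 7296 says so even for unrecognized ones); absence
    of our status notify means the responder does not support the capability."""
    params = None
    for msg_type, _spi, data in parse_notifies(notify_chain):
        if msg_type <= ERROR_TYPE_MAX:
            return "failed", None
        if msg_type == N_EXPERIMENTAL_KEEPALIVE:
            params = decode_keepalive_params(data)
    return ("negotiated", params) if params else ("unsupported", None)
```

The caveat Yoav raises still applies to this layout: the parameters in message 3 reach a responder the initiator has not yet authenticated (the responder verifies the initiator's AUTH before answering, but the initiator only verifies the responder's AUTH on receiving message 4). If the address is sensitive, send only the bare status notify in the IKE_AUTH request and carry the address in a later INFORMATIONAL exchange once both AUTH payloads have been checked; the same functions work there, since the Notify payload format does not change between exchanges.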


From nobody Thu May 21 11:35:31 2015
From: "Barry Leiba" <barryleiba@computer.org>
To: "The IESG" <iesg@ietf.org>
Message-ID: <20150521183527.2369.7540.idtracker@ietfa.amsl.com>
Date: Thu, 21 May 2015 11:35:27 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/67x6YcXaZL4Pj1zTdssU69hV87w>
Cc: ipsecme-chairs@ietf.org, paul.hoffman@vpnc.org, ipsec@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org
Subject: [IPsec] Barry Leiba's Discuss on draft-ietf-ipsecme-ikev2-null-auth-06: (with DISCUSS and COMMENT)

Barry Leiba has entered the following ballot position for
draft-ietf-ipsecme-ikev2-null-auth-06: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-null-auth/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

First: Thanks, Paul, for a very informative and useful shepherd writeup.

I have no problem with the reference to Experimental RFC 5739, but I do
have a problem with the downref not having been noted in the last call
announcement, as required by RFC 3967 (BCP 97).  And I think the MUST in
the last paragraph of Section 2.5 requires 5739 to be normative.  I hate
to say this, but I think this requires a second last call on this
document, which will really serve no one.  We really do need to do an
update to BCP 97 to fix this, because it comes up all the time.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Editorial comment in Section 2:

   If a peer
   that requires authentication receives an AUTH payload containing the
   NULL Authentication method type, it MUST return an
   AUTHENTICATION_FAILED notification.

We're referring to NULL authentication as "authentication", so maybe this
should say something like "If a peer that requires positive
identification receives [...]", or "If a peer that requires authenticated
identity receives [...]" ?



From nobody Thu May 21 11:45:39 2015
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20150521183527.2369.7540.idtracker@ietfa.amsl.com>
Date: Thu, 21 May 2015 11:45:30 -0700
Message-Id: <760AAAD4-BF1A-4202-BFA1-537C4B3DD9D5@vpnc.org>
References: <20150521183527.2369.7540.idtracker@ietfa.amsl.com>
To: Barry Leiba <barryleiba@computer.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/W-HjCh9bkZqcVG1Xl-87piNardw>
Cc: ipsecme-chairs@ietf.org, ipsec@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org
Subject: Re: [IPsec] Barry Leiba's Discuss on draft-ietf-ipsecme-ikev2-null-auth-06: (with DISCUSS and COMMENT)

On May 21, 2015, at 11:35 AM, Barry Leiba <barryleiba@computer.org> wrote:
> First: Thanks, Paul, for a very informative and useful shepherd writeup.

...but then...

> I have no problem with the reference to Experimental RFC 5739, but I do
> have a problem with the downref not having been noted in the last call
> announcement, as required by RFC 3967 (BCP 97).  And I think the MUST in
> the last paragraph of Section 2.5 requires 5739 to be normative.  I hate
> to say this, but I think this requires a second last call on this
> document, which will really serve no one.  We really do need to do an
> update to BCP 97 to fix this, because it comes up all the time.

If the IESG wants to fix BCP 97, that's grand. Do note in the "very
informative and useful shepherd writeup", it says:

If this becomes too much of an issue for the purists, the reference can
be moved to the Informative References section, but it is more
appropriate as a normative reference.

I really meant that. Instead of wasting everyone's time with another
IETF LC, please strongly consider changing the DISCUSS to "yes, you need
to move that reference to the Informational References" section.

--Paul Hoffman


From nobody Thu May 21 11:58:26 2015
Return-Path: <barryleiba@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 446441A876F; Thu, 21 May 2015 11:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.621
X-Spam-Level: 
X-Spam-Status: No, score=0.621 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p54Pm3PYerc5; Thu, 21 May 2015 11:58:21 -0700 (PDT)
Received: from mail-ie0-x235.google.com (mail-ie0-x235.google.com [IPv6:2607:f8b0:4001:c03::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1EDA1A883F; Thu, 21 May 2015 11:58:19 -0700 (PDT)
Received: by ieczm2 with SMTP id zm2so15425825iec.1; Thu, 21 May 2015 11:58:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=iydul6HvYqHg5mNBQFd8z5m40RRWzo8JKAqsmyHHQ3g=; b=m1lXnHiSQbimmLc69YVqb9SQZfWqJBBxGXBfIV3P/d1Q2NPbsZAtqB6qt2iVtZQYj1 ttI34SahaRMi5jKIJ7ndH94WnN7IZN+6p+uc94MK27k1dPAtsFiT1lTbs/Mwx0NoAPJD 8LrLloZHge3xpu07We7t/5vqRcTNCISk1Et347magv1IYKXYaMPEnyLUlUA+GyBCbMGI yvvwgDmkCSgFVXBODkaNZtTX/JKfR2q/r5gBRabUCRNyLIQPC6limHA8ReuUzFYpoSBo xdZB3aB89owajizrDpTnTaZn2FqV0XVbWaYfHkyEMGF3iYclOErFG0Ly95nRyaC5tFBX nq6g==
MIME-Version: 1.0
X-Received: by 10.43.34.205 with SMTP id st13mr4998599icb.4.1432234699516; Thu, 21 May 2015 11:58:19 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.107.3.195 with HTTP; Thu, 21 May 2015 11:58:19 -0700 (PDT)
In-Reply-To: <760AAAD4-BF1A-4202-BFA1-537C4B3DD9D5@vpnc.org>
References: <20150521183527.2369.7540.idtracker@ietfa.amsl.com> <760AAAD4-BF1A-4202-BFA1-537C4B3DD9D5@vpnc.org>
Date: Thu, 21 May 2015 14:58:19 -0400
X-Google-Sender-Auth: DZnmHO3DCyLBaFMCQLwB0zqeiKk
Message-ID: <CALaySJLrp-+NZZBbePGKpdLM75hZ_Y6x_MXZ38DazGRZxOiN1g@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/HPSjv22dO1uCvsub7ubtOH1cdtc>
Cc: ipsecme-chairs@ietf.org, ipsec@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org
Subject: Re: [IPsec] Barry Leiba's Discuss on draft-ietf-ipsecme-ikev2-null-auth-06: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 18:58:22 -0000

>> I have no problem with the reference to Experimental RFC 5739, but I do
>> have a problem with the downref not having been noted in the last call
>> announcement, as required by RFC 3967 (BCP 97).  And I think the MUST in
>> the last paragraph of Section 2.5 requires 5739 to be normative.  I hate
>> to say this, but I think this requires a second last call on this
>> document, which will really serve no one.  We really do need to do an
>> update to BCP 97 to fix this, because it comes up all the time.
>
> If the IESG wants to fix BCP 97, that's grand. Do note in the "very
> informative and useful shepherd writeup", it says:
>
> If this becomes too much of an issue for the
> purists, the reference can be moved to the Informative References section, but it is more
> appropriate as a normative reference.
>
> I really meant that. Instead of wasting everyone's time with another
> IETF LC, please strongly consider changing the DISCUSS to "yes, you
> need to move that reference to the Informational References" section.

The problem is that Section 2.5 says that you MUST do what's in 5739,
so I think 5739 has to be normative.  And, while I do think a second
last call is silly, it doesn't really waste much of anyone's time, and
only delays the document by a week or two, depending upon when
Kathleen is able to start the second last call.

I think the best thing is just to start a second last call tout de
suite, which notes the downref and asks for comments only on that
point.  And then we've done the right thing with respect to BCP 97.
(And meanwhile, I'll scare up an author for an update to BCP 97,
because I, too, am tired of this silliness.)

Barry


Barry


From nobody Thu May 21 13:24:40 2015
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8BF01A8992; Thu, 21 May 2015 13:24:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MiU3KseVlIcZ; Thu, 21 May 2015 13:24:35 -0700 (PDT)
Received: from mail-la0-x234.google.com (mail-la0-x234.google.com [IPv6:2a00:1450:4010:c03::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB18E1A8A48; Thu, 21 May 2015 13:24:34 -0700 (PDT)
Received: by laat2 with SMTP id t2so110913004laa.1; Thu, 21 May 2015 13:24:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=wZK5K0AzpyM9xc5P0RICa4tA6+RjcyO9RUH2+OOFysw=; b=ep4G5sO+YLakOhENkmSOpPVebzhnZ3PsRHZ9gmKvIwK4q5LfAQz+TuL11CvNI9M05Q wGKdYOzhxjJa4XZTHehkn6kcHR58rWIC5lMrUK7YH3aTaa06kmOky01+jTp2xpbaUZ0X SydJGDO2dw1RVFxHSYUGR2fzwFV8b47uWjcCbVq+vlddsb9HZZbMi9tf4gMu3kdfx6NO XUyavZa6qI7gV1IRKSZV2PE5wJ/6kDjWx3rClcNgSdG+pCYfvyJriJj964uKrxDVn0jG JBUJr+5tggt5BzMW5OrRc3oVTqwG51Ut+PCq25UMhmPcBFhcmN+4nV5SPfC29cnamvCb vYlQ==
MIME-Version: 1.0
X-Received: by 10.152.4.72 with SMTP id i8mr3770091lai.32.1432239873259; Thu, 21 May 2015 13:24:33 -0700 (PDT)
Received: by 10.112.11.199 with HTTP; Thu, 21 May 2015 13:24:33 -0700 (PDT)
In-Reply-To: <CALaySJLrp-+NZZBbePGKpdLM75hZ_Y6x_MXZ38DazGRZxOiN1g@mail.gmail.com>
References: <20150521183527.2369.7540.idtracker@ietfa.amsl.com> <760AAAD4-BF1A-4202-BFA1-537C4B3DD9D5@vpnc.org> <CALaySJLrp-+NZZBbePGKpdLM75hZ_Y6x_MXZ38DazGRZxOiN1g@mail.gmail.com>
Date: Thu, 21 May 2015 16:24:33 -0400
Message-ID: <CAHbuEH7zeuo=otowWVEY+Ovx1rRS=_fCu3wYX_zugSrYmkn_YA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: multipart/alternative; boundary=089e01494248e0ff1a05169d54e0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/CBcXpU7d-WGddtQeq2jVf8Ekef0>
Cc: ipsecme-chairs@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>, "ipsec@ietf.org" <ipsec@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org
Subject: Re: [IPsec] Barry Leiba's Discuss on draft-ietf-ipsecme-ikev2-null-auth-06: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 20:24:37 -0000


If it's decided to put this draft back into last call, I can do this in the
next couple of hours, but then will be on an overnight flight and will be
without much access until tomorrow afternoon US eastern time.

Thanks,
Kathleen

On Thu, May 21, 2015 at 2:58 PM, Barry Leiba <barryleiba@computer.org>
wrote:

> >> I have no problem with the reference to Experimental RFC 5739, but I do
> >> have a problem with the downref not having been noted in the last call
> >> announcement, as required by RFC 3967 (BCP 97).  And I think the MUST in
> >> the last paragraph of Section 2.5 requires 5739 to be normative.  I hate
> >> to say this, but I think this requires a second last call on this
> >> document, which will really serve no one.  We really do need to do an
> >> update to BCP 97 to fix this, because it comes up all the time.
> >
> > If the IESG wants to fix BCP 97, that's grand. Do note in the "very
> > informative and useful shepherd writeup", it says:
> >
> > If this becomes too much of an issue for the
> > purists, the reference can be moved to the Informative References
> section, but it is more
> > appropriate as a normative reference.
> >
> > I really meant that. Instead of wasting everyone's time with another
> > IETF LC, please strongly consider changing the DISCUSS to "yes, you
> > need to move that reference to the Informational References" section.
>
> The problem is that Section 2.5 says that you MUST do what's in 5739,
> so I think 5739 has to be normative.  And, while I do think a second
> last call is silly, it doesn't really waste much of anyone's time, and
> only delays the document by a week or two, depending upon when
> Kathleen is able to start the second last call.
>
> I think the best thing is just to start a second last call tout de
> suite, which notes the downref and asks for comments only on that
> point.  And then we've done the right thing with respect to BCP 97.
> (And meanwhile, I'll scare up an author for an update to BCP 97,
> because I, too, am tired of this silliness.)
>
> Barry
>
>
> Barry
>



-- 

Best regards,
Kathleen



From nobody Thu May 21 18:01:54 2015
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A3BE1A1BD9; Thu, 21 May 2015 18:01:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level: 
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 77ODUIaNfOWd; Thu, 21 May 2015 18:01:52 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BEC981A0113; Thu, 21 May 2015 18:01:50 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.3
Auto-Submitted: auto-generated
Precedence: bulk
Sender: <iesg-secretary@ietf.org>
Message-ID: <20150522010150.22533.86974.idtracker@ietfa.amsl.com>
Date: Thu, 21 May 2015 18:01:50 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/834H_dgWxDASyiWzuaqO6giL6vY>
Cc: ipsec@ietf.org
Subject: [IPsec] Last Call: <draft-ietf-ipsecme-ikev2-null-auth-06.txt> (The NULL Authentication Method in IKEv2 Protocol) to Proposed Standard
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Reply-To: ietf@ietf.org
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 01:01:53 -0000

The IESG has received a request from the IP Security Maintenance and
Extensions WG (ipsecme) to consider the following document:
- 'The NULL Authentication Method in IKEv2 Protocol'
  <draft-ietf-ipsecme-ikev2-null-auth-06.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-06-04. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

This is a second last call, specifically to seek comments
on the downref to Experimental RFC 5739.

Abstract


   This document specifies the NULL Authentication method and the
   ID_NULL Identification Payload ID Type for the IKEv2 Protocol.  This
   allows two IKE peers to establish single-side authenticated or mutual
   unauthenticated IKE sessions for those use cases where a peer is
   unwilling or unable to authenticate or identify itself.  This ensures
   IKEv2 can be used for Opportunistic Security (also known as
   Opportunistic Encryption) to defend against Pervasive Monitoring
   attacks without the need to sacrifice anonymity.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-null-auth/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-null-auth/ballot/


No IPR declarations have been submitted directly on this I-D.





From nobody Mon May 25 19:14:44 2015
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 471B41AD1EC for <ipsec@ietfa.amsl.com>; Mon, 25 May 2015 19:14:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level: 
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i0ypgR5iYg3c for <ipsec@ietfa.amsl.com>; Mon, 25 May 2015 19:14:42 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57F561AD210 for <ipsec@ietf.org>; Mon, 25 May 2015 19:14:42 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3lwf4Z6pHVz1Hm for <ipsec@ietf.org>; Tue, 26 May 2015 04:14:38 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=jqA+6saq
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id xK9YBD1Zszvh for <ipsec@ietf.org>; Tue, 26 May 2015 04:14:37 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <ipsec@ietf.org>; Tue, 26 May 2015 04:14:37 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 8904C80042 for <ipsec@ietf.org>; Mon, 25 May 2015 22:14:34 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1432606474; bh=bXKrUW0uIk153DBpRzz+5FbZo5TxLdVhJDqu/t1xl2c=; h=Date:From:To:Subject; b=jqA+6saqaWaMyO3wTOmkglesQSSh71h3ol+yrHg8cd0QnHlag+9hrgU0Qy71Z05/v 8YcLz8UcByhYui0wMegI/kkXLzjjR+xsUBvZJSPrrWFwiqnJeqJQWL4qpqrz0hT4Eh 3G4ujqLmCYftElGN0y0loSd7plsQWAAt4nkeX41I=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t4Q2EYTM022486 for <ipsec@ietf.org>; Mon, 25 May 2015 22:14:34 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 25 May 2015 22:14:34 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-ID: <alpine.LFD.2.11.1505252211130.21801@bofh.nohats.ca>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/xMUFtY2L4vh70DF0sGVfALyGedo>
Subject: [IPsec] IKE daemon supporting twofish and serpent for IKE?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 02:14:44 -0000

Hi,

Is there any IKE daemon that supports twofish or serpent for IKE (not
ESP) ?

I only know of libreswan/openswan, but I would like to do a real
interop test with another implementation.

This would be using the private numbers 65004/65005 ?

Paul


From nobody Tue May 26 07:21:23 2015
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C77331B2F14; Tue, 26 May 2015 07:21:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level: 
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25jYK9-eUZl4; Tue, 26 May 2015 07:21:03 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F21E1B2EEE; Tue, 26 May 2015 07:20:45 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3lwyBJ0H9qzpQ; Tue, 26 May 2015 16:20:40 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=IxUiAxrA
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 6dXZCEGlofDk; Tue, 26 May 2015 16:20:38 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 26 May 2015 16:20:38 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id DCC968003D; Tue, 26 May 2015 10:20:31 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1432650032; bh=nVXMdo3Ko3jBMcL+3rlXHk0uW/x9Y0HbWyDwfhV1bik=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=IxUiAxrAknvO4hSivPp2yt7ljNWMTO/teavprc1nRklmwPglk7wdD2tb1WAOkwuLN ucyBFr1YUSknjwZJf0ZvV8pP/K3w1cMFCunIotH/sb75AdQmxr43vahmIDsMdzzilk J6CFd7XK3db6Izul7rNPEjhkFYkKPu9XGqzjy2Jg=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t4QEKVGI014313; Tue, 26 May 2015 10:20:31 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Tue, 26 May 2015 10:20:31 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Donald Eastlake <d3e3e3@gmail.com>
In-Reply-To: <CAF4+nEF7oeR4swbG8uQXLnb-QrkSsKSRWjTK3huzWiK71f7UTA@mail.gmail.com>
Message-ID: <alpine.LFD.2.11.1505261012020.12821@bofh.nohats.ca>
References: <CAF4+nEF7oeR4swbG8uQXLnb-QrkSsKSRWjTK3huzWiK71f7UTA@mail.gmail.com>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/KNTS24bKQ1JUzgq9bvwj2bRPvio>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [IPsec] [secdir] draft-ietf-ipsecme-ikev2-null-auth-06 SECDIR review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 14:21:11 -0000

On Tue, 26 May 2015, Donald Eastlake wrote:

Thanks for the review Donald,

> The Security Considerations section is quite thorough. I did notice one small thing: Section 3.1 is labeled
> "Audit trail and peer identification". But the content of that Security Considerations section is about not
> trusting identification when null authentication is used. It seems to me that a few words to the effect that
> some clear indication should be present in audit/log trails when a purported identity has not been
> authenticated should be included, as I expected them to be from the section heading.

The bulk of that section was moved into section 2.2i and 3.2.

How about:

OLD:

    With NULL Authentication an established IKE session is no longer
    guaranteed to provide a verifiable (authenticated) entity known to
    the system or network.  Implementers that implement NULL
    Authentication should ensure their implementation does not make any
    assumptions that depend on IKE peers being "friendly", "trusted" or
    "identifiable".

NEW:

    With NULL Authentication an established IKE session is no longer
    guaranteed to provide a verifiable (authenticated) entity known to
    the system or network. Any logging of unproven ID payloads that
    were not authenticated should be clearly marked and treated as
    "untrusted", possibly accompanied by logging the remote IP address
    of the IKE session. Rate limiting of logging might be required to
    prevent excessive logging causing system damage.

then move this bit:

    Implementers that implement NULL
    Authentication should ensure their implementation does not make any
    assumptions that depend on IKE peers being "friendly", "trusted" or
    "identifiable".

To just above the "While implementations should..." in section 3.2

Paul
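The NEW text above asks implementers to log an ID payload from a NULL-authenticated session only as an explicitly untrusted value, to attach the remote IP address the responder actually observed, and to rate limit such logging. The following is an added example, not taken from the draft nor from libreswan or any other IKE daemon, of a responder-side audit logger that applies those three points. AuthMethod, IkeSession, TokenBucket, IkeAuditLogger, demo() and the sample sessions are all constructed for this illustration.

```python
# Added example: audit logging of peer identities for IKEv2 sessions that used
# NULL Authentication, following the proposed Security Considerations text.
# Not from the draft or from any IKE daemon; all names and sample data below
# are constructed for this illustration.
from dataclasses import dataclass
from enum import Enum, auto
import time


class AuthMethod(Enum):
    # Subset of IKEv2 authentication methods; numeric IANA values omitted.
    RSA_DIGITAL_SIGNATURE = auto()
    SHARED_KEY_MIC = auto()
    NULL = auto()           # the NULL Authentication method of the draft


@dataclass(frozen=True)
class IkeSession:
    remote_addr: str        # peer address as seen on the wire
    auth_method: AuthMethod
    id_type: str            # e.g. "ID_FQDN" or "ID_NULL"
    id_data: str            # ID payload contents; unverified when auth is NULL


class TokenBucket:
    """Allow `rate` events per second with a burst of `burst`; clock is injectable for tests."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IkeAuditLogger:
    """Responder-side audit log for established IKE SAs (a list stands in for syslog)."""

    def __init__(self, untrusted_rate: float = 2.0, untrusted_burst: int = 5, clock=time.monotonic):
        self.lines: list[str] = []
        self.dropped = 0        # NULL-auth records suppressed by the rate limiter
        self._bucket = TokenBucket(untrusted_rate, untrusted_burst, clock)

    @staticmethod
    def format_record(s: IkeSession) -> str:
        # repr() escapes control characters, so a peer-supplied ID cannot add
        # extra lines to the log; this matters most when the ID was never proven.
        ident = f"{s.id_type}:{s.id_data!r}"
        if s.auth_method is AuthMethod.NULL:
            # Identity asserted but not authenticated: mark it as untrusted and
            # record the remote address, the one fact the responder observed itself.
            return f"IKE_SA established auth=NULL peer_id=UNTRUSTED({ident}) remote={s.remote_addr}"
        return f"IKE_SA established auth={s.auth_method.name} peer_id={ident} remote={s.remote_addr}"

    def log_session(self, s: IkeSession) -> bool:
        """Record the session; returns False if the record was rate limited."""
        if s.auth_method is AuthMethod.NULL and not self._bucket.allow():
            self.dropped += 1
            return False
        self.lines.append(self.format_record(s))
        return True


def demo() -> IkeAuditLogger:
    """Constructed scenario: one authenticated peer, then a burst of NULL-auth sessions."""
    now = [0.0]                       # fake clock so the rate limiter is deterministic
    log = IkeAuditLogger(untrusted_rate=1.0, untrusted_burst=3, clock=lambda: now[0])
    log.log_session(IkeSession("192.0.2.10", AuthMethod.RSA_DIGITAL_SIGNATURE,
                               "ID_FQDN", "vpn.example.com"))
    for i in range(10):               # 10 unauthenticated sessions within one second
        log.log_session(IkeSession("198.51.100.7", AuthMethod.NULL,
                                   "ID_FQDN", f"peer{i}.example.net\nforged line"))
    now[0] = 2.0                      # two seconds later the bucket has refilled two tokens
    for _ in range(3):
        log.log_session(IkeSession("198.51.100.7", AuthMethod.NULL, "ID_NULL", ""))
    return log


if __name__ == "__main__":
    for line in demo().lines:
        print(line)
```

Only NULL-authenticated sessions pass through the token bucket, so a flood of unauthenticated peers cannot crowd authenticated sessions out of the log; the dropped counter gives the operator a single number to alert on instead of the suppressed lines.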


From nobody Tue May 26 08:47:03 2015
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 626911A9028; Tue, 26 May 2015 08:46:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2aBRwSlkSPo3; Tue, 26 May 2015 08:46:55 -0700 (PDT)
Received: from mail-lb0-x231.google.com (mail-lb0-x231.google.com [IPv6:2a00:1450:4010:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68F871A9026; Tue, 26 May 2015 08:46:55 -0700 (PDT)
Received: by lbbqq2 with SMTP id qq2so73483584lbb.3; Tue, 26 May 2015 08:46:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Fxdx4znIlchHN88g+c3q5KtxtVh3mY2oUht8OFR2Fco=; b=O0LtpVd/qSmjMa0zIcexauV9/k/KCTc2JnkZhYD/RuE2PuySnbZhU/07vtfsC/29z1 mGRubqrqZJ+6gyf7e2mmATOFp+6YNlTWnQojtCUt9nbdtejF6h0wAckJeGmI+KnkOImr OLpT0/kxWJY+M7aTo26MrVgN2h0sDuc/BYQivoYQJxUEB/2Y+tAU+PZ4gvtlv+WLPxVe KRSknWXgJOrakNWgaoVGqWwpl2wEDQhSTt5RbqKksOqhobns9elGbf6naB1lTS9EPMZn u/sw2BWprU96rpJqEz1dEEJZX3aHoCUbNx/nIDhr7VSGlEHhams25ZVHuA7ekKbX07f1 cI8Q==
MIME-Version: 1.0
X-Received: by 10.112.50.74 with SMTP id a10mr23253204lbo.4.1432655213975; Tue, 26 May 2015 08:46:53 -0700 (PDT)
Received: by 10.112.11.199 with HTTP; Tue, 26 May 2015 08:46:53 -0700 (PDT)
In-Reply-To: <alpine.LFD.2.11.1505261012020.12821@bofh.nohats.ca>
References: <CAF4+nEF7oeR4swbG8uQXLnb-QrkSsKSRWjTK3huzWiK71f7UTA@mail.gmail.com> <alpine.LFD.2.11.1505261012020.12821@bofh.nohats.ca>
Date: Tue, 26 May 2015 11:46:53 -0400
Message-ID: <CAHbuEH5PP4aLjocOSAGHrT_eog1y8qW5y_rL3XfbNfSmBjC1Dg@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: multipart/alternative; boundary=001a1133bb461d5ede0516fe09db
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/_O0saTOn7Iie00qZsAFn5dozTOo>
Cc: Donald Eastlake <d3e3e3@gmail.com>, "ipsec@ietf.org WG" <ipsec@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [IPsec] [secdir] draft-ietf-ipsecme-ikev2-null-auth-06 SECDIR review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 15:46:58 -0000


I'm okay with that change.  I thought that we discussed this last, there
was an emphasis on the possibility to avoid logging unauthenticated
sessions though?  I see there is wiggle room to allow for that still.  Does
the new text meet your needs and still allow for logging of authenticated
sessions (my previous concern that was addressed)?

Thanks,
Kathleen

On Tue, May 26, 2015 at 10:20 AM, Paul Wouters <paul@nohats.ca> wrote:

> On Tue, 26 May 2015, Donald Eastlake wrote:
>
> Thanks for the review Donald,
>
>> The Security Considerations section is quite thorough. I did notice one
>> small thing: Section 3.1 is labeled
>> "Audit trail and peer identification". But the content of that Security
>> Considerations section is about not
>> trusting identification when null authentication is used. It seems to me
>> that a few words to the effect that
>> some clear indication should be present in audit/log trails when a
>> purported identity has not been
>> authenticated should be included, as I expected them to be from the
>> section heading.
>>
>
> The bulk of that section was moved into section 2.2i and 3.2.
>
> How about:
>
> OLD:
>
>    With NULL Authentication an established IKE session is no longer
>    guaranteed to provide a verifiable (authenticated) entity known to
>    the system or network.  Implementers that implement NULL
>    Authentication should ensure their implementation does not make any
>    assumptions that depend on IKE peers being "friendly", "trusted" or
>    "identifiable".
>
> NEW:
>
>    With NULL Authentication an established IKE session is no longer
>    guaranteed to provide a verifiable (authenticated) entity known to
>    the system or network. Any logging of unproven ID payloads that
>    were not authenticated should be clearly marked and treated as
>    "untrusted", possibly accompanied by logging the remote IP address
>    of the IKE session. Rate limiting of logging might be required to
>    prevent excessive logging causing system damage.
>
> then move this bit:
>
>    Implementers that implement NULL
>    Authentication should ensure their implementation does not make any
>    assumptions that depend on IKE peers being "friendly", "trusted" or
>    "identifiable".
>
> To just above the "While implementations should..." in section 3.2
>
> Paul
>



-- 

Best regards,
Kathleen

--001a1133bb461d5ede0516fe09db--


From nobody Tue May 26 09:06:27 2015
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 297951A9115; Tue, 26 May 2015 09:06:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level: 
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0EE5ZNygZBY6; Tue, 26 May 2015 09:06:24 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA2B81A90E9; Tue, 26 May 2015 09:06:18 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3lx0X85Fzjz7WC; Tue, 26 May 2015 18:06:16 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=iVS0msRp
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id YhmcOxPC0QZC; Tue, 26 May 2015 18:06:14 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 26 May 2015 18:06:14 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 57D868004A; Tue, 26 May 2015 12:06:12 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1432656372; bh=ztIWOlIZWE7wyYDPXi4uW6RJbakgnSbklNK5R1XVBug=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=iVS0msRpHqmkj614l9+lC/3wI3NJML0OqLLy+Gr9sjhxZ5gysFHt2MSKqzBESv5dO O9EAP4drQ+dj3KrIweDhRE+zGaaEl8yj5Za2tstaV4AbL56bQ9Ay6CKrkv7gDaoIEA 1E0IS9CdWzIIETOPAEqZAU5SLoj5So5sMGGdqPgc=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t4QG6B44030839; Tue, 26 May 2015 12:06:11 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Tue, 26 May 2015 12:06:11 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
In-Reply-To: <CAHbuEH5PP4aLjocOSAGHrT_eog1y8qW5y_rL3XfbNfSmBjC1Dg@mail.gmail.com>
Message-ID: <alpine.LFD.2.11.1505261158390.21553@bofh.nohats.ca>
References: <CAF4+nEF7oeR4swbG8uQXLnb-QrkSsKSRWjTK3huzWiK71f7UTA@mail.gmail.com> <alpine.LFD.2.11.1505261012020.12821@bofh.nohats.ca> <CAHbuEH5PP4aLjocOSAGHrT_eog1y8qW5y_rL3XfbNfSmBjC1Dg@mail.gmail.com>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/dnzC0j9aRZcmkmm_xiQNz207M9k>
Cc: Donald Eastlake <d3e3e3@gmail.com>, "ipsec@ietf.org WG" <ipsec@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [IPsec] [secdir] draft-ietf-ipsecme-ikev2-null-auth-06 SECDIR review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 16:06:26 -0000

On Tue, 26 May 2015, Kathleen Moriarty wrote:

> I'm okay with that change.  I thought that we discussed this last, there was an emphasis on the possibility to
> avoid logging unauthenticated sessions though?

We mostly talked about not using unauthenticated IDs and only using them
for logging. Then Tero wanted it for additional debug and we loosened
up to allow IDs other than ID_NULL for AUTH_NULL. We added text to
ensure no security decisions are based on unauthenticated IDs in
section 2.2.

We never talked about completely not logging unauthenticated sessions.
I'm sure everyone would like at least some logging of that. What we
noticed in our deployment though is that logging failures is what
really kills you - in our Opportunistic IPsec we clearly encounter 99.99
percent of "no IKE daemon, so incoming ICMP message", followed by a
0.01% chance we found an IKE server that was never meant to talk IKE
to us, returning a NO_PROPOSAL_CHOSEN. On an open DNS resolver (yes
we like real hammer tests) this filled up a 4GB log disk in 15 minutes.
So we are making changes to minimize logging in the Opportunistic case.

But these considerations are not specific to AUTH_NULL and should go
into the (to be created) Opportunistic IPsec document.

>  I see there is wiggle room to allow for that still.  Does the
> new text meet your needs and still allow for logging of authenticated sessions (my previous concern that was
> addressed).

As I read the new text, it makes no statement about authenticated IKE,
only about things to do or not do when using unauthenticated IKE.

Paul

> Thanks,
> Kathleen
> 
> On Tue, May 26, 2015 at 10:20 AM, Paul Wouters <paul@nohats.ca> wrote:
>       On Tue, 26 May 2015, Donald Eastlake wrote:
>
>       Thanks for the review Donald,
>
>             The Security Considerations section is quite thorough. I did notice one small thing:
>             Section 3.1 is labeled
>             "Audit trail and peer identification". But the content of that Security Considerations
>             section is about not
>             trusting identification when null authentication is used. It seems to me that a few
>             words to the effect that
>             some clear indication should be present in audit/log trails when a purported identity
>             has not been
>             authenticated should be included, as I expected them to be from the section heading.
> 
>
>       The bulk of that section was moved into section 2.2i and 3.2.
>
>       How about:
>
>       OLD:
>
>          With NULL Authentication an established IKE session is no longer
>          guaranteed to provide a verifiable (authenticated) entity known to
>          the system or network.  Implementers that implement NULL
>          Authentication should ensure their implementation does not make any
>          assumptions that depend on IKE peers being "friendly", "trusted" or
>          "identifiable".
>
>       NEW:
>
>          With NULL Authentication an established IKE session is no longer
>          guaranteed to provide a verifiable (authenticated) entity known to
>          the system or network. Any logging of unproven ID payloads that
>          were not authenticated should be clearly marked and treated as
>          "untrusted", possibly accompanied by logging the remote IP address
>          of the IKE session. Rate limiting of logging might be required to
>          prevent excessive logging causing system damage.
>
>       then move this bit:
>
>          Implementers that implement NULL
>          Authentication should ensure their implementation does not make any
>          assumptions that depend on IKE peers being "friendly", "trusted" or
>          "identifiable".
>
>       To just above the "While implementations should..." in section 3.2
>
>       Paul
> 
> 
> 
> 
> --
> 
> Best regards,
> Kathleen
> 
>
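Added example, not code from draft-ietf-ipsecme-ikev2-null-auth, libreswan or any other IKE daemon: a small Python model of the logging behaviour in Paul's proposed NEW text for section 3.1 and of the log-flooding lesson from his Opportunistic IPsec deployment. An ID payload that was never authenticated is logged clearly marked as untrusted and paired with the remote IP address of the IKE session, the unauthenticated log path is rate limited so a burst of sessions cannot fill the log disk, and authenticated sessions are logged unchanged (Kathleen's earlier concern). The class names, the injectable clock and the sample sessions are all constructed for this example.

```python
"""Rate-limited audit logging of AUTH_NULL peer IDs (added example, not from the draft)."""
import time


class TokenBucket:
    """Allow `rate` events per second with up to `burst` events of headroom."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.clock = clock          # injectable so tests can freeze time
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IkeAuditLog:
    """Collects log lines; a real daemon would hand them to syslog."""

    def __init__(self, null_auth_bucket):
        self.bucket = null_auth_bucket
        self.lines = []
        self.suppressed = 0

    def session_established(self, remote_ip, auth_method, peer_id):
        if auth_method != "AUTH_NULL":
            # Authenticated peer: the ID was proven, log it as-is and never drop it.
            self.lines.append(f"IKE_SA up remote={remote_ip} auth={auth_method} id={peer_id}")
            return True
        if not self.bucket.allow():
            # Unauthenticated sessions can arrive at line rate from a scanner or a
            # misconfigured peer; count them instead of writing one line each.
            self.suppressed += 1
            return False
        # The ID payload is peer-chosen bytes: escape it so it cannot inject
        # newlines or terminal controls into the log, and mark it untrusted
        # next to the one thing we did observe, the source address.
        self.lines.append(
            f"IKE_SA up remote={remote_ip} auth=NULL id=UNTRUSTED({ascii(peer_id)})"
        )
        return True

    def flush_summary(self):
        """Emit one line for everything that was rate limited."""
        if self.suppressed:
            self.lines.append(
                f"{self.suppressed} AUTH_NULL session log entries suppressed by rate limit"
            )
            self.suppressed = 0


def simulate(null_sessions=100, authenticated_sessions=3, rate=1.0, burst=5):
    """Replay a burst of constructed sessions against a frozen clock.

    Returns (logged_null, suppressed_null, logged_authenticated, lines).
    """
    frozen = [1000.0]
    log = IkeAuditLog(TokenBucket(rate, burst, clock=lambda: frozen[0]))
    for i in range(null_sessions):
        # The first constructed ID carries a newline to show the escaping.
        peer_id = "host-%d\nfake: line" % i if i == 0 else "host-%d" % i
        log.session_established("198.51.100.%d" % (i % 250 + 1), "AUTH_NULL", peer_id)
    for i in range(authenticated_sessions):
        log.session_established("203.0.113.%d" % (i + 1), "RSA_DIGITAL_SIGNATURE",
                                "vpn%d.example" % i)
    log.flush_summary()
    logged_null = sum(1 for line in log.lines if "auth=NULL" in line)
    logged_auth = sum(1 for line in log.lines if "auth=RSA" in line)
    return logged_null, null_sessions - logged_null, logged_auth, log.lines


if __name__ == "__main__":
    for line in simulate()[3]:
        print(line)
```

With the clock frozen, only the burst of five AUTH_NULL lines gets written, the other 95 collapse into a single summary line, and every authenticated session is still logged; the escaped ID shows why a peer-supplied string must never reach the log verbatim.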


From nobody Tue May 26 11:54:42 2015
Return-Path: <andreas.steffen@strongswan.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6BA51AD06F for <ipsec@ietfa.amsl.com>; Tue, 26 May 2015 11:54:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.111
X-Spam-Level: 
X-Spam-Status: No, score=0.111 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_MISMATCH_ORG=0.611] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6owS6Ec3zs0Y for <ipsec@ietfa.amsl.com>; Tue, 26 May 2015 11:54:38 -0700 (PDT)
Received: from mail.strongswan.org (sitav-80046.hsr.ch [IPv6:2001:620:130:a080::46]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F2C01AD05F for <ipsec@ietf.org>; Tue, 26 May 2015 11:54:38 -0700 (PDT)
Received: from [IPv6:2001:1620:f00:f1::2] (cl-242.zrh-02.ch.sixxs.net [IPv6:2001:1620:f00:f1::2]) by mail.strongswan.org (Postfix) with ESMTPSA id CE8014013F; Tue, 26 May 2015 20:55:40 +0200 (CEST)
Message-ID: <5564C16A.1010506@strongswan.org>
Date: Tue, 26 May 2015 20:54:34 +0200
From: Andreas Steffen <andreas.steffen@strongswan.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
References: <alpine.LFD.2.11.1505252211130.21801@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.11.1505252211130.21801@bofh.nohats.ca>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/qiOIezZ1BFUK64XQgozyw_cdqlw>
Subject: Re: [IPsec] IKE daemon supporting twofish and serpent for IKE?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 18:54:40 -0000

Hi Paul,

the strongSwan IKEv1 re-implementation based on the IKEv2 charon
daemon source code supports the Serpent/Twofish IKEv1 encryption
methods using the FreeS/WAN private numbers 65004/65005.
We are using the optional strongSwan gcrypt plugin which links to
the gcrypt crypto library to implement the Serpent/Twofish ciphers:

http://www.strongswan.org/uml/testresults/gcrypt-ikev1/alg-serpent
http://www.strongswan.org/uml/testresults/gcrypt-ikev1/alg-twofish

Regards

Andreas

On 05/26/2015 04:14 AM, Paul Wouters wrote:
> 
> Hi,
> 
> Is there any IKE daemon that supports twofish or serpent for IKE (not
> ESP) ?
> 
> I only know of libreswan/openswan, but I would like to do a real
> interop test with another implementation.
> 
> This would be using the private numbers 65004/65005 ?
> 
> Paul

======================================================================
Andreas Steffen                         andreas.steffen@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==


From nobody Tue May 26 14:52:31 2015
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF35D1B3222 for <ipsec@ietfa.amsl.com>; Tue, 26 May 2015 14:52:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.768
X-Spam-Level: 
X-Spam-Status: No, score=0.768 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TTQ1cn9PjW7r for <ipsec@ietfa.amsl.com>; Tue, 26 May 2015 14:52:27 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43A4C1B3221 for <ipsec@ietf.org>; Tue, 26 May 2015 14:52:27 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t4QLqBh1028918 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 27 May 2015 00:52:11 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t4QLqBwh016185; Wed, 27 May 2015 00:52:11 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <21860.60171.152056.691937@fireball.kivinen.iki.fi>
Date: Wed, 27 May 2015 00:52:11 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <EEEB75BD-682A-4EC9-9756-37C2575A54C4@gmail.com>
References: <67FE655C-E516-4F51-BD91-1FB7AE481CE9@cisco.com> <EEEB75BD-682A-4EC9-9756-37C2575A54C4@gmail.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 9 min
X-Total-Time: 10 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/JOSIsxmUxtX8nkOyxGeIibsrkm8>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Frederic Detienne \(fdetienn\)" <fdetienn@cisco.com>, "Yeleshwarapu Sairam \(ysairam\)" <ysairam@cisco.com>, "Amjad Inamdar \(amjads\)" <amjads@cisco.com>, "Piotr Kupisiewicz \(pkupisie\)" <pkupisie@cisco.com>
Subject: Re: [IPsec] How to negotiate a new capability with parameters
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 21:52:29 -0000

Yoav Nir writes:
> In IKEv1 capabilities were usually declared in VendorIDs. In IKEv2
> they are mostly declared in notifications within IKE_SA_INIT.  Why
> the difference? No idea. It's just the way other extensions were
> done, but with a private extension you can do either.

Actually in both IKEv1 and IKEv2 you use VendorIDs if you use the private
use number space. I.e. if you decide to use a private use notify number,
or private use payload numbers, then you need to use VendorIDs in the
IKE_SA_INIT before you send those private use values. I.e. the Vendor
IDs are used to identify whose private use numbers you are using.

The reason in IKEv2 we mostly use real IANA allocated status
notifications is that the status notifications in the IKEv2 have IANA
allocation policy of Expert review, i.e. they are easier to get. For
IKEv1 the allocation policy was Specification required, which means
you need to have some kind of public specification (RFC or similar)
before you can get those.

So because getting new status notifications is easier in IKEv2, we
have added lots of features negotiated using them. As they have been
used so much for extensions, they also have the benefit of backward
compatibility, i.e. if the other end does not support them, implementations
will simply ignore them (i.e. I would say all implementations know
how to ignore unknown status notifications).

> Whether the parameters are passed in new payloads,

Using new payloads might break some implementations, even when the
specification says they should not break, but as they are not used
that much in IKEv2 now, this is not something that vendors test
against.

> notify payloads or Config attributes is a matter of taste.
> Generally, Config attributes are mostly for remote access and have
> request-response semantics, so they=E2=80=99re somewhat negotiable.

Lots of implementations support very fixed format for configuration
payloads, and even though the IKEv2 format allows them to be used in
different ways, most of the implementations only support very limited
set of operations for them.
-- 
kivinen@iki.fi
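Added example, not code from any IKE implementation: a Python receiver-side walk over an IKE_SA_INIT payload chain that applies the rules Tero describes. Error notifications (type below 16384) are surfaced, a status notification the receiver does not know is ignored, a private-use status value (40960 and up) is only interpreted when the peer first presented a Vendor ID we recognise, and an unknown payload type is skipped unless its Critical bit is set, which is the case where a new payload legitimately breaks the exchange. Payload layouts follow RFC 7296 sections 3.2, 3.10 and 3.12; SAMPLE_VID and the sample chains are constructed.

```python
"""Classifying received IKEv2 Notify/Vendor ID payloads (added example)."""
import struct

PAYLOAD_NONE, PAYLOAD_NOTIFY, PAYLOAD_VENDOR_ID = 0, 41, 43
STATUS_MIN, STATUS_PRIVATE_MIN = 16384, 40960   # RFC 7296 section 3.10.1 ranges

# A few IANA-registered values, enough to show the known/unknown split.
KNOWN_ERRORS = {1: "UNSUPPORTED_CRITICAL_PAYLOAD", 7: "INVALID_SYNTAX",
                14: "NO_PROPOSAL_CHOSEN"}
KNOWN_STATUS = {16384: "INITIAL_CONTACT", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP", 16390: "COOKIE"}


def build_payload(next_type, body, critical=False):
    """Generic payload header: Next Payload, C bit + reserved, Payload Length."""
    return struct.pack("!BBH", next_type, 0x80 if critical else 0, 4 + len(body)) + body


def build_notify(next_type, notify_type, data=b"", protocol_id=0, spi=b""):
    body = struct.pack("!BBH", protocol_id, len(spi), notify_type) + spi + data
    return build_payload(next_type, body)


def build_vendor_id(next_type, vendor_id):
    return build_payload(next_type, vendor_id)


def iter_payloads(first_type, data):
    """Walk the payload chain, checking every length before it is used."""
    payload_type, offset = first_type, 0
    while payload_type != PAYLOAD_NONE:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, flags, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("bad payload length")
        yield payload_type, bool(flags & 0x80), data[offset + 4:offset + length]
        payload_type, offset = next_type, offset + length
    if offset != len(data):
        raise ValueError("trailing bytes after last payload")


def is_well_formed(first_type, data):
    try:
        list(iter_payloads(first_type, data))
    except ValueError:
        return False
    return True


def parse_notify(body):
    """Notify body: Protocol ID, SPI Size, Notify Message Type, SPI, data."""
    if len(body) < 4:
        raise ValueError("short notify payload")
    protocol_id, spi_size, notify_type = struct.unpack_from("!BBH", body, 0)
    if 4 + spi_size > len(body):
        raise ValueError("SPI size exceeds payload")
    return protocol_id, notify_type, body[4:4 + spi_size], body[4 + spi_size:]


def classify(first_type, data, trusted_vendor_ids):
    """Sort a received chain into errors, known status, private, ignored."""
    result = {"errors": [], "status": [], "private": [], "ignored": []}
    vendor_recognised = False
    for payload_type, critical, body in iter_payloads(first_type, data):
        if payload_type == PAYLOAD_VENDOR_ID:
            # Only a Vendor ID we know tells us whose private numbers follow.
            vendor_recognised = vendor_recognised or body in trusted_vendor_ids
        elif payload_type != PAYLOAD_NOTIFY:
            if critical:   # RFC 7296 3.2: unknown payload with C bit set is fatal
                result["errors"].append(("UNSUPPORTED_CRITICAL_PAYLOAD", payload_type))
                break
            result["ignored"].append(("payload", payload_type))
        else:
            _, notify_type, _, notify_data = parse_notify(body)
            if notify_type < STATUS_MIN:
                result["errors"].append((KNOWN_ERRORS.get(notify_type, "error"), notify_type))
            elif notify_type >= STATUS_PRIVATE_MIN:
                result["private" if vendor_recognised else "ignored"].append(("notify", notify_type))
            elif notify_type in KNOWN_STATUS:
                result["status"].append((KNOWN_STATUS[notify_type], notify_data))
            else:   # status type this receiver does not know: skip it
                result["ignored"].append(("notify", notify_type))
    return result


SAMPLE_VID = b"example-vendor-extension-v1"   # constructed, not a real Vendor ID


def sample_chain(with_vendor_id):
    """Constructed IKE_SA_INIT payload chain; returns classify()'s verdict."""
    chain = build_vendor_id(PAYLOAD_NOTIFY, SAMPLE_VID) if with_vendor_id else b""
    chain += build_notify(PAYLOAD_NOTIFY, 16384)            # INITIAL_CONTACT
    chain += build_notify(PAYLOAD_NOTIFY, 40960, b"\x01")   # private-use status
    chain += build_notify(PAYLOAD_NONE, 16500)              # status type we do not know
    first = PAYLOAD_VENDOR_ID if with_vendor_id else PAYLOAD_NOTIFY
    return classify(first, chain, {SAMPLE_VID})
```

The same chain is interpreted differently depending on whether the Vendor ID came first: with it, notify 40960 is treated as that vendor's private extension; without it, the value is just another unknown status notification and is dropped, which is the backward-compatibility property Tero relies on.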


From nobody Wed May 27 00:43:37 2015
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72E5D1A88F9; Wed, 27 May 2015 00:43:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HNewoZuU2K2P; Wed, 27 May 2015 00:43:33 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E74D41A88D2; Wed, 27 May 2015 00:43:32 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
To: "The IESG" <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150527074332.5286.73511.idtracker@ietfa.amsl.com>
Date: Wed, 27 May 2015 00:43:32 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/rWFtHgm-8FlxMMExN2zxxA0SUX8>
Cc: ipsecme-chairs@ietf.org, paul.hoffman@vpnc.org, ipsec@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org
Subject: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-ikev2-null-auth-06: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 07:43:34 -0000

Stephen Farrell has entered the following ballot position for
draft-ietf-ipsecme-ikev2-null-auth-06: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-null-auth/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


- 2.1: just wanted to check as I didn't have time to go
through it all myself - are we confident that using
SK_pi/SK_pr in this way has no cryptographic downsides? The
reference to the EAP methods convinces me this is no worse
than an existing thing, but not (by itself) that it is
cryptographically sound, so I just wanted to check as I
think prf(SK_pr,IDr') has until now been calculated but not
transmitted, so there's a tiny change here maybe, but as I
said I didn't have time to fully check. If someone just
tells me that yes, the authors/wg did consider this, that'll
be fine, no need to fully explain to me why using SK_pr like
this is safe (though if you want to, that'd be fine too).

- 2.5: "hand out" is an odd phrase here - would be better
to expand on that I think and say more precisely what
should never be done.



From nobody Wed May 27 08:38:57 2015
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A48C11A9041; Wed, 27 May 2015 01:49:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.301
X-Spam-Level: 
X-Spam-Status: No, score=-97.301 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, STOX_REPLY_TYPE=0.439, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZTQb8CXGfLBQ; Wed, 27 May 2015 01:49:53 -0700 (PDT)
Received: from fish.elvis.ru (fish.elvis.ru [82.138.51.18]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13BAF1A9042; Wed, 27 May 2015 01:49:53 -0700 (PDT)
Received: from [10.111.1.40] (helo=robin.office.elvis.ru) by fish.elvis.ru with esmtp (Exim 4.76) (envelope-from <svan@elvis.ru>) id 1YxX22-00061M-EV; Wed, 27 May 2015 11:49:46 +0300
Received: from buildpc (10.111.10.31) by robin.office.elvis.ru (10.111.1.40) with Microsoft SMTP Server id 14.3.224.2; Wed, 27 May 2015 11:49:46 +0300
Message-ID: <0024D7C10AD742EA968C394854CF1167@buildpc>
From: Valery Smyslov <svan@elvis.ru>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
References: <20150527074332.5286.73511.idtracker@ietfa.amsl.com>
Date: Wed, 27 May 2015 11:49:49 +0300
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/M2nS2zkI2UuDMQldfTKRk63PNkM>
X-Mailman-Approved-At: Wed, 27 May 2015 08:38:55 -0700
Cc: ipsecme-chairs@ietf.org, paul.hoffman@vpnc.org, ipsec@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org
Subject: Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-ikev2-null-auth-06: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 08:49:55 -0000

Hi Stephen,

thank you for your comments.

> Stephen Farrell has entered the following ballot position for
> draft-ietf-ipsecme-ikev2-null-auth-06: Yes
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
> - 2.1: just wanted to check as I didn't have time to go
> through it all myself - are we confident that using
> SK_pi/SK_pr in this way has no cryptographic downsides? The
> reference to the EAP methods convinces me this is no worse
> than an existing thing, but not (by itself) that it is
> cryptographically sound, so I just wanted to check as I
> think prf(SK_pr,IDr') has until now been calculated but not
> transmitted, so there's a tiny change here maybe, but as I
> said I didn't have time to fully check. If someone just
> tells me that yes, the authors/wg did consider this, that'll
> be fine, no need to fully explain to me why using SK_pr like
> this is safe (though if you want to, that'd be fine too).

In IKEv2 the AUTH payload plays a dual role: it first authenticates
the peer identity, and it also cryptographically binds the first
messages of the IKE_SA_INIT exchange to the protocol run.
Unlike the other IKEv2 messages, the messages of IKE_SA_INIT
have no cryptographic protection and are sent in the clear, so they
need to be included in the AUTH payload calculation.
The calculation of the AUTH payload depends on the authentication
method the host selected, but in general it is a digital signature
(in case of certificates or raw public keys) or a prf (in case
of a preshared key) over the blob of data containing
the IKE_SA_INIT message, the peer's nonce and the host's own
MAC'ed identity.

With NULL authentication the first role of the AUTH
payload is obviously lost (by definition there is no credential
in case of NULL authentication, and thus no way to authenticate
the identity, and often no identity at all). But the second role, binding
the first messages, is still very important. That's why the AUTH payload
cannot be omitted. As the host has no credentials, the only way to
calculate the AUTH payload is to use some key derived from SKEYSEED
for that calculation. SK_pi/SK_pr are the natural choice.
And the situation with NULL Authentication in this regard is the same
as with EAP authentication in case the EAP method doesn't
produce a shared secret. In this case RFC 7296
instructs to use SK_pi/SK_pr as shared secrets when
calculating the AUTH payload. Note that in this case the IKE identity
is not authenticated (only the identities that were exchanged
inside the EAP method are authenticated), so we get the same situation
as with NULL authentication.

SK_pi/SK_pr are also used in the calculation of the MAC'ed
identities (e.g. prf(SK_pr,IDr')), but that is not where SK_pi/SK_pr
are used as keys for calculating the AUTH payload. To be precise,
in case of NULL authentication (and EAP with non-key-generating
methods) SK_pi/SK_pr are used twice in the calculation of the
AUTH payload: first as the preshared key and second in the calculation
of the MAC'ed identity, which is then included in the data blob
"signed" with the preshared key (the same SK_pi/SK_pr).

We (the authors) don't believe that the draft somehow changes
the authentication fundamentals that IKEv2 is based on.
The construction of the AUTH payload in case of NULL authentication
is exactly the same as with EAP methods that don't generate a shared
secret. It was in the draft from the very beginning
and I drew the WG's attention to this fact, but no
comments were received that would criticize it from a
cryptographic point of view.

Hope this long explanation helps.


> - 2.5: "hand out" is an odd phrase here - would be better
> to expand on that I think and say more precisely what
> should never be done.

I think Paul Wouters, my co-author, will address this
and will expand the text.

Regards,
Valery Smyslov. 
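
The AUTH construction described in the message above, as an added worked example that is not part of the draft, RFC 7296 or the author's text: SK_pi (or SK_pr) is used once as the key of the MAC'ed identity and once as the "shared secret" over the blob that contains it. The prf is modelled as HMAC-SHA-256 and every key, message and identity value is a constructed sample, not real traffic. The verify function shows the binding role that survives without a credential: changing the IKE_SA_INIT message or the key changes the expected AUTH.

```python
"""Added worked example (not text from the draft, RFC 7296 or the author):
how the IKEv2 AUTH payload is built when SK_pi/SK_pr stand in for a
shared secret, i.e. NULL authentication and EAP methods that produce no key.

Assumptions: the negotiated prf is modelled as HMAC-SHA-256; every key,
message and identity below is a constructed sample value, not real traffic.
"""
import hashlib
import hmac

# Fixed pad string from RFC 7296 section 2.15 (shared-key AUTH construction).
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKEv2 prf, here PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def maced_id(sk_p: bytes, rest_of_id_payload: bytes) -> bytes:
    """First use of SK_pi/SK_pr: MACedIDForI = prf(SK_pi, RestOfInitIDPayloadI)
    (MACedIDForR = prf(SK_pr, RestOfRespIDPayloadR) for the responder)."""
    return prf(sk_p, rest_of_id_payload)


def signed_octets(real_message: bytes, peer_nonce: bytes, maced: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI.
    The responder uses RealMessage2 | NonceIData | MACedIDForR."""
    return real_message + peer_nonce + maced


def auth_with_shared_secret(shared_secret: bytes, octets: bytes) -> bytes:
    """Shared-key AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), octets )."""
    return prf(prf(shared_secret, KEY_PAD), octets)


def null_auth_payload(sk_p: bytes, real_message: bytes, peer_nonce: bytes,
                      rest_of_id_payload: bytes) -> bytes:
    """AUTH for NULL auth / keyless EAP.  SK_pi (or SK_pr) is used twice:
    once as the key of the MAC'ed identity and once as the "shared secret"
    over the blob that contains that MAC'ed identity."""
    maced = maced_id(sk_p, rest_of_id_payload)
    return auth_with_shared_secret(sk_p, signed_octets(real_message, peer_nonce, maced))


def verify_null_auth(sk_p: bytes, real_message: bytes, peer_nonce: bytes,
                     rest_of_id_payload: bytes, received_auth: bytes) -> bool:
    """Peer-side check: recompute AUTH from its own view of the exchange and
    compare in constant time.  Any change to the IKE_SA_INIT message, nonce
    or ID payload changes the expected value; that is the binding role the
    payload keeps even when it authenticates no credential."""
    expected = null_auth_payload(sk_p, real_message, peer_nonce, rest_of_id_payload)
    return hmac.compare_digest(expected, received_auth)


def demo() -> dict:
    """Constructed sample exchange; returns the checks a reader would want."""
    sk_pi = hashlib.sha256(b"constructed SK_pi derived from SKEYSEED").digest()
    message1 = b"constructed IKE_SA_INIT request bytes (HDR, SAi1, KEi, Ni)"
    nonce_r = b"constructed responder nonce Nr"
    # Constructed RestOfInitIDPayload: ID Type 13 (ID_NULL), 3 reserved bytes, no data.
    id_i = b"\x0d\x00\x00\x00"

    auth = null_auth_payload(sk_pi, message1, nonce_r, id_i)
    return {
        "verifies": verify_null_auth(sk_pi, message1, nonce_r, id_i, auth),
        # A modified IKE_SA_INIT message (e.g. a changed proposal) no longer binds.
        "tampered_message_rejected": not verify_null_auth(
            sk_pi, message1 + b"\x00", nonce_r, id_i, auth),
        # A different SK_pi (a different DH exchange) cannot produce the same AUTH.
        "wrong_key_rejected": not verify_null_auth(sk_pi[::-1], message1, nonce_r, id_i, auth),
        "auth_len": len(auth),
    }


if __name__ == "__main__":
    print(demo())
```

The responder side is symmetric: it computes its own AUTH with SK_pr over RealMessage2 | NonceIData | MACedIDForR, and verifies the initiator's AUTH with SK_pi, which both sides derive from the same SKEYSEED.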


From nobody Thu May 28 02:28:09 2015
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 245A41A0282 for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 02:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MplxI592oZqV for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 02:28:06 -0700 (PDT)
Received: from mail-wg0-x233.google.com (mail-wg0-x233.google.com [IPv6:2a00:1450:400c:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 860351A02F1 for <ipsec@ietf.org>; Thu, 28 May 2015 02:28:06 -0700 (PDT)
Received: by wgv5 with SMTP id 5so30985143wgv.1 for <ipsec@ietf.org>; Thu, 28 May 2015 02:28:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=from:content-type:content-transfer-encoding:subject:message-id:date :to:mime-version; bh=7RqDqTwQsQI6chMQMPLe4gQdGxeTvO+vWmGex+yPDsc=; b=HIQmpX90qQ/+ZV4yw/N6hQlVdIz3JfJSVmVVQZ5hYABxhWXRVc2RDgnfoQPq9lrGvf DO5p2HcltN4tdkAJOxEp51vBpLHS0GbtCBQsCz/6x1z4savPFvNkxz99ypCFALgkMDWa /W12gp82KO9Cb8Cg72T38rtHUYbevjVChZr667OgcAzOq2gUMr2D9CkwdZ5fnorf9YTo rdk46Paf3+hWSKs/lxS1y+31gsQV4qjKaR1c5zGs1cMZn5RgcWnEJr/UyEDUhFVgsk+R gQbd41nBYUE6tqIEp1DXPQelGoc4WO4OUO5Y65bNljyIPTCX8R8x0gr371+SB58loB9N +6SQ==
X-Received: by 10.194.23.234 with SMTP id p10mr3617072wjf.52.1432805285281; Thu, 28 May 2015 02:28:05 -0700 (PDT)
Received: from [172.24.251.210] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id hm8sm2404966wjc.28.2015.05.28.02.28.04 for <ipsec@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 28 May 2015 02:28:04 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-Id: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com>
Date: Thu, 28 May 2015 12:28:01 +0300
To: IPsecME WG <ipsec@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/5qEqbEA46DMcfk1rV11Jlm8gpK8>
Subject: [IPsec] Question about PFS in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 09:28:08 -0000

Hi

This may have been discussed before, but I haven't found such
discussion. Apologies in advance if this is a stupid question.

Suppose we have two VPN peers configured to set up a tunnel between them.
Suppose further that the IKE SAs are significantly longer-lived than the
IPsec SAs.

PFS is configured on both sides, but there are no matching groups
(perhaps GW-1 is configured with only group 19, while GW-2 is configured
only with group 20).

When the tunnel is first set up, it is negotiated in the IKE_AUTH
exchange. Diffie-Hellman is not performed, so the mismatched
configuration is not detected - traffic flows through the tunnel.

After a while, one of the gateways attempts to rekey the tunnel, or else
create a new tunnel with the same peer. This time the tunnel is set up
using the CREATE_CHILD_SA exchange. The SA payload will contain the
wrong DH group and the exchange will fail, resulting in traffic flow
stopping.

As far as I can tell, this behavior is consistent with the RFC, but the
user experience is very strange. Traffic should either flow or not flow
- it should not stop at rekeying.

Am I missing something?

Thanks

Yoav


From nobody Thu May 28 02:39:35 2015
Return-Path: <vijay.kn@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 702D81A03E3 for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 02:39:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uHfO-36VnJ2q for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 02:39:31 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 031301A034C for <ipsec@ietf.org>; Thu, 28 May 2015 02:39:30 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml402-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BTB08892; Thu, 28 May 2015 09:39:29 +0000 (GMT)
Received: from SZXEML432-HUB.china.huawei.com (10.82.67.209) by lhreml402-hub.china.huawei.com (10.201.5.241) with Microsoft SMTP Server (TLS) id 14.3.158.1; Thu, 28 May 2015 10:39:28 +0100
Received: from SZXEML513-MBS.china.huawei.com ([169.254.8.179]) by szxeml432-hub.china.huawei.com ([10.82.67.209]) with mapi id 14.03.0158.001; Thu, 28 May 2015 17:38:55 +0800
From: vijay kn <vijay.kn@huawei.com>
To: Yoav Nir <ynir.ietf@gmail.com>, IPsecME WG <ipsec@ietf.org>
Thread-Topic: [IPsec] Question about PFS in IKEv2
Thread-Index: AQHQmSiimh19cN5uEEmm1+IWGoA+452RIAqg
Date: Thu, 28 May 2015 09:38:54 +0000
Message-ID: <AD5AD8B0B070044BAD3C37D7057F37E17CDB21BB@szxeml513-mbs.china.huawei.com>
References: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com>
In-Reply-To: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.18.146.118]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/eNJBGaNQ-tqXi4755M28Gfehh94>
Subject: Re: [IPsec] Question about PFS in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 09:39:34 -0000
From nobody Thu May 28 03:15:08 2015
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E9BA1A6FBC for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 03:15:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xwo2dQaEMMQU for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 03:15:06 -0700 (PDT)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B49341A0029 for <ipsec@ietf.org>; Thu, 28 May 2015 03:15:05 -0700 (PDT)
Received: by wicmx19 with SMTP id mx19so140803060wic.0 for <ipsec@ietf.org>; Thu, 28 May 2015 03:15:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=1y5ii2Q3gYvlFOz51gLmzGTnSivcm1rCb4/SLQ2IhBg=; b=WFvdoLYblvSt/5CMwixTdrHJVKYlUUUg8+R8Uf1msAft4Ao3k0bYjNAJTBKQQsUXJ1 4rNi6RObua9Tbq7Q3WjlZ/kdz5PueXNwh+90a68hK8Yap89xxxcdMvIAPy8G8sbMc+kH vMn2Fbwo4DWB+lH/92FnfE52sGnbKfANiHywpYN9KdeW2hmNVcigBiWdY0UsltZrrLEm 0jxqkHwvU3MwFRiAGASWQbKN+SxoCRvOfT5p4SLz6S1CgmylOfYHb70/mDWVmTm8gEIz H7mrqu4388U8c3EXclGCI1pM58BjxOG0l65qdjKfPlpPu37HtqKkTGsBAZCnJquexvQH ETBA==
X-Received: by 10.194.61.50 with SMTP id m18mr3891572wjr.135.1432808104459; Thu, 28 May 2015 03:15:04 -0700 (PDT)
Received: from [172.24.251.210] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id a19sm7828939wiv.2.2015.05.28.03.15.03 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 28 May 2015 03:15:03 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <AD5AD8B0B070044BAD3C37D7057F37E17CDB21BB@szxeml513-mbs.china.huawei.com>
Date: Thu, 28 May 2015 13:15:01 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <8B1DBF2F-AC85-45A7-BA3A-E4FD2AA67672@gmail.com>
References: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com> <AD5AD8B0B070044BAD3C37D7057F37E17CDB21BB@szxeml513-mbs.china.huawei.com>
To: vijay kn <vijay.kn@huawei.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/IQ-wU-iAl0k4xTbtQzTE04RnF3M>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] Question about PFS in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 10:15:07 -0000

Hi, Vijay.

Thanks for the response.

> On May 28, 2015, at 12:38 PM, vijay kn <vijay.kn@huawei.com> wrote:
>
> The only problem I see is if the Gw-1 rekeyed with group19 but GW2
> does not support Group19 then it can result in traffic loss. For this,
> the administrators of the two devices must ensure that the other end
> supports this algorithm before using the same in pfs configuration.
>

This is the issue for me. Of course the root cause is the configuration
mismatch (that they have no common group for PFS). We usually expect
configuration mismatches to show up immediately rather than hours down
the line.

Ideally, the original tunnel setup would have failed. In fact, with
IKEv1 where keying IPsec SAs is always done in Quick Mode you get the
failure immediately.

Yoav


From nobody Thu May 28 03:41:00 2015
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D407D1A8839 for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 03:40:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.269
X-Spam-Level: 
X-Spam-Status: No, score=0.269 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id far6PS5oUDzt for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 03:40:57 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 456FC1A87F1 for <ipsec@ietf.org>; Thu, 28 May 2015 03:40:57 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t4SAercA020519 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 28 May 2015 13:40:53 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t4SAert4021671; Thu, 28 May 2015 13:40:53 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <21862.61621.303517.567806@fireball.kivinen.iki.fi>
Date: Thu, 28 May 2015 13:40:53 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com>
References: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 3 min
X-Total-Time: 2 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/uoGJm_kbJ_kGTvl7b0GKmIXLZYU>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: [IPsec]  Question about PFS in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 10:41:00 -0000

Yoav Nir writes:
> When the tunnel is first set up, it is negotiated in the IKE_AUTH
> exchange. Diffie-Hellman is not performed, so the mismatched
> configuration is not detected - traffic flows through the tunnel.

If your setup is such that you configure only one Diffie-Hellman group for
IKEv2, which is then used for both the IKE SA and Child SAs, then you
would notice this misconfiguration immediately.

> After a while, one of the gateways attempts to rekey the tunnel, or
> else create a new tunnel with the same peer. This time the tunnel is
> set up using the CREATE_CHILD_SA exchange. The SA payload will
> contain the wrong DH group and the exchange will fail, resulting in
> traffic flow stopping. 

When the last Child SA gets deleted from the IKE SA, you should most
likely shut down the IKE SA, or at least if all the rekeys fail, you
should start from the beginning.

> As far as I can tell, this behavior is consistent with the RFC, but
> the user experience is very strange. Traffic should either flow or
> not flow - it should not stop at rekeying. 

IKEv2 tries to notice some misconfigurations, but it cannot catch them
all. 

> Am I missing something?

Do not misconfigure your systems...
-- 
kivinen@iki.fi


From nobody Thu May 28 05:34:15 2015
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84BDB1A90F9 for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 05:34:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JIkOPf-LQI0u for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 05:34:05 -0700 (PDT)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C570D1A914F for <ipsec@ietf.org>; Thu, 28 May 2015 05:32:58 -0700 (PDT)
Received: by wicmc15 with SMTP id mc15so122200307wic.1 for <ipsec@ietf.org>; Thu, 28 May 2015 05:32:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ZsswCqZuCONNC/yKWdkFifP8gVQsB7McWt0N994/X5c=; b=O7abjinqlycc10oZdgbU9TsJzjxDP1LsZ6GULOrfUVMQPQKjJf8qK8u5uK0RXCjyy1 P4fdfEU/Xv9GumeFZm5uJ6ZYMhP35/jcNqO5DKf12t71chrObyf3RhCbjrBShW0xUwZw iwtA9+UMA4W+IqiA5AeQcn2sMDkxc+ImwEzBqugmfG56yEEx0YUyquei08N8AAPleexi D/HjmkFGqMVgGsgTphzO9BEtaswsN/i4UjRhVnUi2G7yOuiRi6luVgLFFqPzZ1kpaoFu D110jXOmNK3G9SN8xqBX4Jf1L64RAVdhTplRw3DsTjiWEJ0otpCEJBsu6W4UrhwvJEXF W+dw==
X-Received: by 10.181.29.36 with SMTP id jt4mr59380915wid.21.1432816377607; Thu, 28 May 2015 05:32:57 -0700 (PDT)
Received: from [172.24.251.210] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id j7sm3165651wjz.11.2015.05.28.05.32.56 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 28 May 2015 05:32:56 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <21862.61621.303517.567806@fireball.kivinen.iki.fi>
Date: Thu, 28 May 2015 15:32:55 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <C088E459-D1C3-4EA6-8599-307FE52E0CD5@gmail.com>
References: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com> <21862.61621.303517.567806@fireball.kivinen.iki.fi>
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/_AG7SdwoRTg0NWwLgoAmRBPuDBc>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] Question about PFS in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 12:34:06 -0000

> On May 28, 2015, at 1:40 PM, Tero Kivinen <kivinen@iki.fi> wrote:
>
> Yoav Nir writes:
>> When the tunnel is first set up, it is negotiated in the IKE_AUTH
>> exchange. Diffie-Hellman is not performed, so the mismatched
>> configuration is not detected - traffic flows through the tunnel.
>
> If your setup is such that you configure only one Diffie-Hellman group for
> IKEv2, which is then used for both the IKE SA and Child SAs, then you
> would notice this misconfiguration immediately.

My product has a separate configuration for phase 1 Diffie-Hellman group
and phase 2 Diffie-Hellman group. Thinking it over, I cannot explain why
this is needed, but at least StrongSwan also specifies ESP groups
separately from IKE groups.

>> After a while, one of the gateways attempts to rekey the tunnel, or
>> else create a new tunnel with the same peer. This time the tunnel is
>> set up using the CREATE_CHILD_SA exchange. The SA payload will
>> contain the wrong DH group and the exchange will fail, resulting in
>> traffic flow stopping.
>
> When the last Child SA gets deleted from the IKE SA, you should most
> likely shut down the IKE SA, or at least if all the rekeys fail, you
> should start from the beginning.
>
>> As far as I can tell, this behavior is consistent with the RFC, but
>> the user experience is very strange. Traffic should either flow or
>> not flow - it should not stop at rekeying.
>
> IKEv2 tries to notice some misconfigurations, but it cannot catch them
> all.

IKEv1 caught that particular one.

>> Am I missing something?
>
> Do not misconfigure your systems...

I'll tell the users...

Yoav


From nobody Thu May 28 07:24:10 2015
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E1731ACDC0 for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 07:24:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.41
X-Spam-Level: 
X-Spam-Status: No, score=-1.41 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_32=0.6, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SM3a-CDAjZqB for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 07:24:06 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C1EA1ACEA1 for <ipsec@ietf.org>; Thu, 28 May 2015 07:21:48 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3lyB6b42fgzBCM for <ipsec@ietf.org>; Thu, 28 May 2015 16:21:43 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=hxpFWyNJ
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id sxjs81fdMc6O for <ipsec@ietf.org>; Thu, 28 May 2015 16:21:37 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <ipsec@ietf.org>; Thu, 28 May 2015 16:21:37 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id E033C8002E for <ipsec@ietf.org>; Thu, 28 May 2015 10:21:36 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1432822896; bh=lrJsMhYbYcg4y3WYh8rphX6Inmw0ZcKNJUsYWZY/Bus=; h=Date:From:To:Subject:In-Reply-To:References; b=hxpFWyNJogITn3ew5TxYkpkaitgnsbyUAaInhAJLGzwPvyqpFj0x7wLKTgU2LJaIn YKu9Q0mjg0Tv+DoBj3IAU5bz5Ej23qlfRTFrUXiUQxy5/5F7/CxRLqo9xX/fOpt8jt 9EkBgqwKDqr0GxQypGPGcL4X5jEC+xdU2zFWmsSM=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t4SELaEL002375 for <ipsec@ietf.org>; Thu, 28 May 2015 10:21:36 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Thu, 28 May 2015 10:21:36 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <C088E459-D1C3-4EA6-8599-307FE52E0CD5@gmail.com>
Message-ID: <alpine.LFD.2.11.1505281010070.1303@bofh.nohats.ca>
References: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com> <21862.61621.303517.567806@fireball.kivinen.iki.fi> <C088E459-D1C3-4EA6-8599-307FE52E0CD5@gmail.com>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/S3OJyvGcfbGiGrhle0izfvPP2Og>
Subject: Re: [IPsec] Question about PFS in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 14:24:08 -0000

On Thu, 28 May 2015, Yoav Nir wrote:

>> Yoav Nir writes:
>>> When the tunnel is first set up, it is negotiated in the IKE_AUTH
>>> exchange. Diffie-Hellman is not performed, so the mismatched
>>> configuration is not detected - traffic flows through the tunnel.
>>
>> If your setup is such that you configure only one Diffie-Hellman group for
>> IKEv2, which is then used for both the IKE SA and Child SAs, then you
>> would notice this misconfiguration immediately.
>
> My product has a separate configuration for phase 1 Diffie-Hellman group and phase 2 Diffie-Hellman group. Thinking it over, I cannot explain why this is needed, but at least StrongSwan also specifies ESP groups separately from IKE groups.

I had a long talk with Tero a few IETFs ago, and he was pretty
convincing that it makes no sense whatsoever to have different
phase 1/2 Diffie-Hellman groups.

It does lead to a more complicated exchange. With strongswan, we need to
set the modp group on the esp line to avoid failing if the phase1
negotiates a different modp group depending on the peer, because we will
pick the same modp group in phase2 that we negotiated for phase1.

>>> As far as I can tell, this behavior is consistent with the RFC, but
>>> the user experience is very strange. Traffic should either flow or
>>> not flow - it should not stop at rekeying.

Yes. We ran into that with pfs= as well. We never reject pfs since it is
always better, but then at rekey time, depending on which endpoint
started the rekey, the proposal would be rejected on pfs. So we changed
it to not allow pfs when pfs=no.

>>> Am I missing something?
>>
>> Do not misconfigure your systems...
>
> I'll tell the users...

Try to tell your webgui developers instead? :)

Paul


From nobody Thu May 28 07:54:37 2015
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C61581AD26B for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 07:54:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.909
X-Spam-Level: *
X-Spam-Status: No, score=1.909 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8l14FUYWJ5Wz for <ipsec@ietfa.amsl.com>; Thu, 28 May 2015 07:54:34 -0700 (PDT)
Received: from mail-lb0-x232.google.com (mail-lb0-x232.google.com [IPv6:2a00:1450:4010:c04::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80FA61AD1BA for <ipsec@ietf.org>; Thu, 28 May 2015 07:54:34 -0700 (PDT)
Received: by lbcue7 with SMTP id ue7so30105798lbc.0 for <ipsec@ietf.org>; Thu, 28 May 2015 07:54:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:from:to:cc:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=uMr4w0coI919FSCpqxNy6X7wRJSB3hD9vOtZaQjlrfQ=; b=cAw1FDiDAsXZcYY7PLKR+wA5R9qdK+Y5vv+Ht8x1MBQbYUPSXUcvlpO8w7FYjWZRHS a4CwusbYJL+7L9QX0eIGrc5cWtFrBaSYshcCnEWya17k3tl7axRQZFTH9MVvTMDeoSpy u1QcNyG9YOoGhDvJKKKXq6W4jsd5Y9etCxqSKwRKpaIhBQiUiYXDVJU0BHtQ6nrCNWNE iEm/EHcqBAeAgbu0s9Hbsoj6Gol42XxdsbMkeuo/oriIzhhc6wgcZ/KI5PRe4xOEue+h Q1bD0G2nrddDyqZ0i1J0YFk9xGnQg/2oMQsmu29u/8827XwN731iqeCS4ud3QVJYpN4l 3INw==
X-Received: by 10.152.2.133 with SMTP id 5mr1902764lau.36.1432824873037; Thu, 28 May 2015 07:54:33 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by mx.google.com with ESMTPSA id j1sm605580lbc.15.2015.05.28.07.54.32 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 28 May 2015 07:54:32 -0700 (PDT)
Message-ID: <949B1EC59F73463CA0229785337B95B7@buildpc>
From: "Valery Smyslov" <svanru@gmail.com>
To: "Yoav Nir" <ynir.ietf@gmail.com>, "Tero Kivinen" <kivinen@iki.fi>
References: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com> <21862.61621.303517.567806@fireball.kivinen.iki.fi> <C088E459-D1C3-4EA6-8599-307FE52E0CD5@gmail.com>
Date: Thu, 28 May 2015 17:54:34 +0300
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/mTPCat-MRkHK_F0VUBnwUYjpbOA>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] Question about PFS in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 14:54:35 -0000

>> If your setup is such that you configure only one Diffie-Hellman group for
>> IKEv2, which is then used for both the IKE SA and Child SAs, then you
>> would notice this misconfiguration immediately.
>
> My product has a separate configuration for phase 1 Diffie-Hellman group 
> and phase 2 Diffie-Hellman group.
> Thinking it over, I cannot explain why this is needed, but at least 
> StrongSwan also specifies ESP groups separately from IKE groups.

This made sense in IKEv1. In IKEv2 separating the configuration of DH groups
for IKE and IPsec makes much less sense. Note that besides the problem of
misconfiguration that you've encountered, there is another subtle issue.
If the groups for IKE and IPsec are different, then even if no misconfiguration
takes place and all IPsec rekeys run smoothly, we have the situation
that the very first IPsec SA has a different level of protection than the
other IPsec SAs, because unlike the others the first IPsec SA is created using
the IKE DH group, not the IPsec DH group.

And here are the reasons why there is little sense in using different DH groups
for IKE and IPsec in IKEv2. The very first IPsec SA, created in the IKE_AUTH
exchange, will have its keys derived from the shared secret calculated using
the DH group for IKE.
When doing a rekey it is unlikely that you want to degrade the security of the
new SA, so you shouldn't use a weaker DH group for the IPsec SA than for the IKE SA.
On the other hand, there is no point in using a stronger DH group,
since some (probably substantial) part of the data has already been transferred
over the IPsec SA that is being rekeyed, so why should we protect
the resulting part (that will pass over the new IPsec SA) differently?

That's a trade-off for piggy-backing the creation of the first IPsec SA
that was selected when IKEv2 was designed.

> Yoav

Regards,
Valery. 

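An added example, not code from anyone in this thread: a small lint for an IKEv2 configuration that keeps separate DH groups for the IKE SA and for IPsec SAs. It models the two effects discussed above (a rekey that fails because the peer does not accept the IPsec group, and the first CHILD_SA being protected by a different group than the rekeyed ones); the bits-of-security figures per IANA group ID are approximate estimates assumed for this example.

```python
# Added example, not from this thread: lint an IKEv2 config that uses separate
# DH groups for the IKE SA and for IPsec (ESP) SAs.  The security-level figures
# are approximate estimates assumed here, keyed by IANA Transform Type 4 group IDs.
from dataclasses import dataclass
from typing import List, Optional, Set

GROUP_BITS = {2: 80, 5: 89, 14: 112, 15: 128, 16: 152, 19: 128, 20: 192, 21: 256}


@dataclass
class Ikev2Config:
    ike_group: int              # DH group negotiated in IKE_SA_INIT
    esp_group: Optional[int]    # DH group for CREATE_CHILD_SA rekeys; None = no DH


def child_sa_groups(cfg: Ikev2Config, rekeys: int) -> List[Optional[int]]:
    """DH group behind each CHILD_SA in order: the first one is keyed from the
    IKE_SA_INIT exchange (IKE group), every rekey from CREATE_CHILD_SA (ESP group)."""
    return [cfg.ike_group] + [cfg.esp_group] * rekeys


def lint(cfg: Ikev2Config, peer_esp_groups: Set[int]) -> List[str]:
    """Flag a rekey that will fail because the peer does not accept our ESP
    group, and a protection mismatch between the first and the rekeyed CHILD_SAs."""
    findings = []
    if cfg.esp_group is None:
        return ["rekeyed CHILD_SAs derive their keys from SK_d only (no fresh DH exchange)"]
    if cfg.esp_group not in peer_esp_groups:
        findings.append("rekey will fail: peer does not accept ESP group %d" % cfg.esp_group)
    first, later = GROUP_BITS[cfg.ike_group], GROUP_BITS[cfg.esp_group]
    if later < first:
        findings.append("rekeyed CHILD_SAs (group %d, ~%d bits) are weaker than the first "
                        "CHILD_SA (group %d, ~%d bits)" % (cfg.esp_group, later, cfg.ike_group, first))
    elif later > first:
        findings.append("rekeyed CHILD_SAs (~%d bits) are stronger than the first CHILD_SA "
                        "(~%d bits) that already carried traffic" % (later, first))
    return findings


if __name__ == "__main__":
    cfg = Ikev2Config(ike_group=14, esp_group=19)      # constructed config
    print(child_sa_groups(cfg, 2))                     # [14, 19, 19]
    for f in lint(cfg, {14, 20}):                      # constructed peer support
        print("warning:", f)
```
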

From nobody Thu May 28 07:57:46 2015
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <alpine.LFD.2.11.1505281010070.1303@bofh.nohats.ca>
Date: Thu, 28 May 2015 07:57:38 -0700
Message-Id: <BF20764A-FFE2-489E-9BF9-99D383638E05@vpnc.org>
References: <63145AF1-CE50-4919-A659-6120B128AB68@gmail.com> <21862.61621.303517.567806@fireball.kivinen.iki.fi> <C088E459-D1C3-4EA6-8599-307FE52E0CD5@gmail.com> <alpine.LFD.2.11.1505281010070.1303@bofh.nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/6ZO5lhTuxQpNRpnGB4BXpGYWFSE>
Subject: Re: [IPsec] Question about PFS in IKEv2

On May 28, 2015, at 7:21 AM, Paul Wouters <paul@nohats.ca> wrote:
> I had a long talk with Tero a few IETF's ago, and he was pretty
> convincing that it makes no sense whatsoever to have different
> phase 1/2 diffie hellman groups.

We actually talked about this during the design of IKEv2, but some
people claimed we needed the separation because of different security
needs for the two parts. In retrospect, we should have said "even if
that's true, it will cause problems". Here is an example of where it
causes problems.

> Try to tell your webgui developers instead? :)

That seems to be the easiest way around this protocol mis-design.

--Paul Hoffman


From nobody Sun May 31 08:57:52 2015
Date: Sun, 31 May 2015 11:57:43 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <20150527074332.5286.73511.idtracker@ietfa.amsl.com>
Message-ID: <alpine.LFD.2.11.1505311151230.5269@bofh.nohats.ca>
References: <20150527074332.5286.73511.idtracker@ietfa.amsl.com>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/7AGWLd-CvH4tlv9aUWmP1UEndus>
Cc: ipsecme-chairs@ietf.org, paul.hoffman@vpnc.org, ipsec@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org
Subject: Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-ikev2-null-auth-06: (with COMMENT)

On Wed, 27 May 2015, Stephen Farrell wrote:

> - 2.5: "hand out" is an odd phrase here - would be better
> to expand on that I think and say more precisely what
> should never be done.

How about:

OLD:

    A rogue IKE peer could use malicious Traffic Selectors to obtain
    access to traffic that the host never intended to hand out.

NEW:

    A rogue IKE peer could use malicious Traffic Selectors to trick
    a remote host into giving it IP traffic that the remote host never
    intended to be sent to remote IKE peers. For example, if the remote
    host uses 192.0.2.1 as DNS server, a rogue IKE peer could set its
    Traffic Selector to 192.0.2.1 in an attempt to receive the remote
    peer's DNS traffic.

Paul

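An added example, not from the thread or the draft: a responder-side policy check that keeps a peer's proposed Traffic Selector inside the address range local policy permits for that peer, so a TS covering 192.0.2.1 (the DNS server in the text above) is rejected with TS_UNACCEPTABLE or narrowed. The per-peer allowed pool (10.99.0.0/16) is a constructed value; only the address range is checked, not protocol or ports.

```python
# Added example (not from the thread or the draft): validate a proposed Traffic
# Selector against the prefixes local policy allows for this peer, mirroring the
# responder's options in RFC 7296 section 2.9: accept, narrow, or TS_UNACCEPTABLE.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    """Address range of one TS entry (RFC 7296 section 3.13.1); ports omitted."""
    start: str
    end: str


def ts_to_networks(ts: TrafficSelector) -> list:
    """Expand the inclusive address range into the minimal list of CIDR blocks."""
    lo, hi = ipaddress.ip_address(ts.start), ipaddress.ip_address(ts.end)
    return list(ipaddress.summarize_address_range(lo, hi))


def narrow_or_reject(ts: TrafficSelector, allowed: List[str]) -> Tuple[str, list]:
    """Intersect the proposed TS with the allowed prefixes.  Two CIDR blocks
    either nest or are disjoint, so the overlap is the smaller block when one
    contains the other.  Returns ("accept" | "narrowed" | "TS_UNACCEPTABLE", nets)."""
    proposed = ts_to_networks(ts)
    kept = []
    for a in (ipaddress.ip_network(x) for x in allowed):
        for n in proposed:
            if n.version != a.version:
                continue            # v4 policy never matches a v6 TS, and vice versa
            if n.subnet_of(a):
                kept.append(n)
            elif a.subnet_of(n):
                kept.append(a)
    kept = list(ipaddress.collapse_addresses(kept))
    if not kept:
        return ("TS_UNACCEPTABLE", [])
    return ("accept" if kept == proposed else "narrowed", kept)


if __name__ == "__main__":
    PEER_POOL = ["10.99.0.0/16"]   # constructed: addresses we hand to this peer
    # A TSi set to the DNS server address is outside the pool and is rejected.
    print(narrow_or_reject(TrafficSelector("192.0.2.1", "192.0.2.1"), PEER_POOL))
    # An over-wide proposal is narrowed to what policy allows.
    print(narrow_or_reject(TrafficSelector("10.0.0.0", "10.255.255.255"), PEER_POOL))
```
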

From nobody Sun May 31 09:24:52 2015
To: paul@nohats.ca
From: stephen.farrell@cs.tcd.ie
In-Reply-To: <alpine.LFD.2.11.1505311151230.5269@bofh.nohats.ca>
References: <20150527074332.5286.73511.idtracker@ietfa.amsl.com> <alpine.LFD.2.11.1505311151230.5269@bofh.nohats.ca>
Date: Sun, 31 May 2015 16:24:37 +0000
Message-ID: <jtfsr2.np82x3.2vaeqh-qmf@mercury.scss.tcd.ie>
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/QO-u10P3OJlbm6h7CLdZ1RVn6ks>
Cc: ipsecme-chairs@ietf.org, paul.hoffman@vpnc.org, ipsec@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, iesg@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org
Subject: Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-ikev2-null-auth-06: (with COMMENT)