
From nobody Tue Aug  1 08:45:16 2017
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Valery Smyslov <svanru@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "David McGrew (mcgrew)" <mcgrew@cisco.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Proposed text for the draft-fluhrer-qr-ikev2
Thread-Index: AdMGtJeA5KOJXoRBSEOTN8v5AhfcXADb1T0w
Date: Tue, 1 Aug 2017 15:45:03 +0000
Message-ID: <b0de0b7425194f72a21c996088bc57e7@XCH-ALN-010.cisco.com>
References: <0b0101d306e6$0498e4d0$0dcaae70$@gmail.com>
In-Reply-To: <0b0101d306e6$0498e4d0$0dcaae70$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/gCKPsl0cvGqmstfDzy1Fh29pYuA>
Subject: Re: [IPsec] Proposed text for the draft-fluhrer-qr-ikev2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 15:45:12 -0000

Thank you for the text Valery. We appreciate it.
We might reorganize it in a section that basically talks about PPKs, PPK Distribution and PPK operations. The changes will go in the next iteration. As discussed in Prague we will try to have normative language to make clear that null auth is not recommended and that the caveats of using group PPKs.
Panos


-----Original Message-----
From: Valery Smyslov [mailto:svanru@gmail.com]
Sent: Thursday, July 27, 2017 10:39 AM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; David McGrew (mcgrew) <mcgrew@cisco.com>; Panos Kampanakis (pkampana) <pkampana@cisco.com>
Cc: ipsec@ietf.org
Subject: Proposed text for the draft-fluhrer-qr-ikev2

Hi,

at the ipsecme meeting in Prague I was asked to contribute a text for the draft-fluhrer-qr-ikev2 about operational considerations.
Here is my try. I think the text should be placed into a new section, "Operational Considerations". Any thoughts?

Regards,
Valery.


X. Operational Considerations

This document provides a solution that doesn't replace classical public key cryptographic mechanisms used in IKEv2, like (EC)DH or digital signatures.
Instead, the proposed solution extends these mechanisms by using an additional security credential, namely PPK, to make IKEv2 secure against Quantum Computers. In practice it means that each peer must possess two security credentials to successfully complete authentication - a classic one (like certificate private key) and a PPK.

The need to maintain several independent sets of security credentials can significantly complicate security administrators' job, and can potentially slow down widespread adoption of this solution. It is anticipated that administrators will try to simplify their job by decreasing the number of credentials they need to maintain. Two possible approaches are given below.

X.1 Group PPK

This document doesn't explicitly require that PPK is unique for each pair of peers.
If it is the case, then this solution provides full peer authentication, but it also means that each host must have as many independent PPKs as the number of peers it is going to communicate with. As the number of hosts grows this will scale badly.

It is possible to use a single PPK for a group of users. Since each peer uses classical public key cryptography in addition to PPK for key exchange and authentication, members of the group can neither impersonate each other nor read other's traffic, unless they use Quantum Computers to break public key operations.

Although it's probably safe to use group PPK in short term, the fact that the PPK is known to a (potentially large) group of users makes it more susceptible to theft. If an attacker equipped with a Quantum Computer gets access to a group PPK, then all the communications inside the group are revealed.

X.2 PPK-only Authentication

If Quantum Computers become a reality, classical public key cryptography will provide little security, so administrators may find it attractive not to use it at all for authentication. This will reduce the number of credentials they need to maintain to PPKs only.

PPK-only authentication can be achieved in IKEv2 if NULL Authentication method [RFC7619] is employed. Without PPK the NULL Authentication method provides no authentication of peers, however since PPK is stirred into SK_pi and SK_pr, the peers become authenticated if PPK is in use. Note that using PPK MUST be mandatory for both Initiator and Responder if PPK-only authentication (i.e. the NULL Authentication method + PPK) is employed.

Combining group PPK and PPK-only authentication is NOT RECOMMENDED, since in this case any member of the group can impersonate any other member even without help of Quantum Computers.





From nobody Tue Aug  1 12:09:33 2017
Message-ID: <E50D46BE981742ADB5C5EBD2A617CE26@chichi>
From: "Valery Smyslov" <svanru@gmail.com>
To: "Panos Kampanakis \(pkampana\)" <pkampana@cisco.com>, "Scott Fluhrer \(sfluhrer\)" <sfluhrer@cisco.com>, "David McGrew \(mcgrew\)" <mcgrew@cisco.com>
Cc: <ipsec@ietf.org>
References: <0b0101d306e6$0498e4d0$0dcaae70$@gmail.com> <b0de0b7425194f72a21c996088bc57e7@XCH-ALN-010.cisco.com>
In-Reply-To: <b0de0b7425194f72a21c996088bc57e7@XCH-ALN-010.cisco.com>
Date: Tue, 1 Aug 2017 22:09:09 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/spPKHg19eB-hsqIqTr2lssx-SJk>
Subject: Re: [IPsec] Proposed text for the draft-fluhrer-qr-ikev2

Hi Panos,

I don't think we should make NULL Auth NOT RECOMMENDED. If PPK is in use it becomes
non-NULL, since authentication is provided by PPK. I think it is a valid option -
it just relies on PPK only and doesn't use any conventional authentication, like certificates.
Just make sure that Identity Payload is not of type ID_NULL...

On the other hand, using group PPK must be discouraged, especially in conjunction
with NULL auth, so I think NOT RECOMMENDED is a right choice here.

Regards,
Valery.
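
The operational rules discussed in this thread, as an added example that is not part of either message or of draft-fluhrer-qr-ikev2: a linter that flags NULL authentication without a mandatory PPK, ID_NULL with PPK-only authentication, and group PPKs. The policy schema, rule names, severity labels and sample entries are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PeerPolicy:
    """One IKEv2 peer entry. Hypothetical schema, not any product's format."""
    name: str
    remote_id: str          # identity expected from the peer
    id_type: str            # e.g. "ID_FQDN" or "ID_NULL"
    auth: str               # "signature" (classic credential) or "null" (RFC 7619)
    ppk: Optional[bytes]    # PPK value, None if not configured
    ppk_mandatory: bool     # refuse the exchange if the peer does not use the PPK


def ppk_fingerprint(ppk: bytes) -> str:
    """Short digest, so that findings and logs never echo the secret itself."""
    return hashlib.sha256(ppk).hexdigest()[:12]


def group_ppks(policies):
    """Fingerprints of PPKs configured for more than one distinct peer."""
    peers = defaultdict(set)
    for p in policies:
        if p.ppk is not None:
            peers[ppk_fingerprint(p.ppk)].add(p.remote_id)
    return {fp for fp, ids in peers.items() if len(ids) > 1}


def lint(policies):
    """Return sorted (policy name, rule, severity) findings."""
    shared = group_ppks(policies)
    findings = []
    for p in policies:
        is_group = p.ppk is not None and ppk_fingerprint(p.ppk) in shared
        if p.auth == "null":
            if p.ppk is None:
                # Without PPK, NULL Authentication gives no peer authentication.
                findings.append((p.name, "NULL_AUTH_WITHOUT_PPK", "error"))
                continue
            if not p.ppk_mandatory:
                # PPK-only authentication: PPK use MUST be mandatory on both sides.
                findings.append((p.name, "PPK_NOT_MANDATORY", "error"))
            if p.id_type == "ID_NULL":
                # Caveat from the reply: Identity Payload must not be ID_NULL.
                findings.append((p.name, "ID_NULL_WITH_PPK_ONLY", "error"))
            if is_group:
                # Any group member can impersonate any other: NOT RECOMMENDED.
                findings.append(
                    (p.name, "GROUP_PPK_WITH_NULL_AUTH", "not-recommended"))
        elif is_group:
            # Classic credentials still separate the members, but the PPK is
            # known to the whole group and so is more exposed to theft.
            findings.append((p.name, "GROUP_PPK", "warning"))
    return sorted(findings)


# Constructed sample data: PPK values and peer names are placeholders.
GROUP = b"constructed-group-ppk"
SAMPLE_POLICIES = [
    PeerPolicy("hq-branch1", "branch1.example", "ID_FQDN", "signature",
               b"constructed-pairwise-ppk-1", True),
    PeerPolicy("hq-branch2", "branch2.example", "ID_FQDN", "signature",
               GROUP, True),
    PeerPolicy("hq-branch3", "branch3.example", "ID_FQDN", "null",
               GROUP, True),
    PeerPolicy("hq-kiosk", "", "ID_NULL", "null",
               b"constructed-pairwise-ppk-2", False),
    PeerPolicy("hq-guest", "", "ID_NULL", "null", None, False),
]

if __name__ == "__main__":
    for name, rule, severity in lint(SAMPLE_POLICIES):
        print(f"{severity:16} {name:12} {rule}")
```

A PPK counts as a group PPK here only when it is configured for more than one distinct remote identity, so two tunnels to the same peer sharing one PPK are not flagged.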




From nobody Thu Aug  3 04:57:24 2017
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2g==
Date: Thu, 3 Aug 2017 11:57:16 +0000
Message-ID: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Ek1u_UXROwi6YXrfMoLzz4_54to>
Subject: [IPsec] Proposed method to achieve quantum resistant IKEv2

Hi

After listening to the Prague meeting Dan Harkins raised the point that the Quantum Resistant IKEv2 implementation should protect against passive attacks, where traffic that is sent and is captured today should be resilient to an adversary with a quantum computer in the future. But the Quantum Resistant IKEv2 does not have to protect against an adversary with a quantum computer in the future who can perform an active attack.

Someone else (can’t remember who) suggested the quantum resistant ‘blob’ be sent in IKE_AUTH as it will be large and probably fragmentation. Obviously for this the natural choice is to use the IKEv2 Fragmentation mechanism defined in RFC7383.

A few weeks ago I developed a method to send the quantum resistant ‘blob’ in IKE_SA_INIT, this is to amend https://tools.ietf.org/html/draft-tjhai-ipsecme-hybrid-qske-ikev2-00. After hearing the discussion described above I was going to park this idea and never speak of it again, however before I do this I’d like to share with the group for comments.

I personally feel this is an elegant and simple method to achieve sending one or more quantum resistant ‘blobs’. The main benefits being;

1. The IKE_AUTH exchange is protected using the quantum secure algorithms. So all attributes within the IKE exchange are protected against passive attacks, which wouldn’t be the case should the quantum resistant ‘blob’ be sent in IKE_AUTH.

2. This allows for a quantum resistant authentication method to be introduced into IKE_AUTH in the future, therefore protecting against active attacks with a quantum computer should this occur.

3. A simple method to fragment the quantum secure key exchange data in IKE_SA_INIT is included, however this is not mandatory. From personal experience I’ve seen a few cases where RFC 7383 fragmentation is required today, however the vast majority of customer implementations do not experience issues with IP fragments being denied and so do not require the functionality provided by RFC7383 (but for the cases where it’s needed, it’s a lifesaver).

4. The large quantum resistant ‘blob’ of data is only sent when it is known that the peer will accept this. This minimises delays when establishing IKEv2 SAs and minimises the risk of DoS (see point 7).

5. Backwards compatibility is maintained, with minimal risk that the addition of a quantum resistant exchange could cause abnormal behaviour with devices that do not support the new attributes. The QSKE are advertised using a transform type 4 groups.

6. This idea allows for algorithm agility, where multiple quantum resistant algorithms can be used in addition to a single classic DH (as per RFC7296). PQ algorithms with public data size larger than 65,536 octets are also supported.

7. With regards to fragmentation attacks, the use of fragmentation in this idea has the same security as of RFC7383. Whereby an attacker that reveals her true IP address can send multiple fragments, but not the complex chain.

The following is the idea, any questions, please feel free to ask.

QSKE Notify

For devices that are operating in a mesh network, where many devices have multiple peers, where peers are using varying QSKE groups. In these instances the QSKE that is preferred by the Initiator might not be available or preferred on the Responder. To overcome scenarios where the Initiator will send a QSKE which is large in size and not supported by the Responder, (therefore wasting time and resource), the QSKE Notify payload can be used to query the responder to determine the supported security association attributes. The QSKE Notify payload is sent by the Initiator, which also excludes the QSKE payload (however a single KE payload should be included for backwards compatibility). If the Responder supports the QSKE notify payload it replies with the accepted security associations (which includes one classic DH group and >=1 QSKE group, these are sent as groups within transform type 4. Most of the time, we will be using one PQ algorithm, rather than multiple. The Responder will also include the COOKIE notification, note the Responder does not send the KE or QSKE payload. The Initiator can now select the correct security association algorithms it intends to use, including the correct classic DH and QSKE and reply using the COOKIE.

Although the COOKIE does not provide protection against DoS attacks, whereby an attacker sends many fragments but does not complete the fragment chain, it does ensure that the attacker reveals their own IP address. Note that RFC 7383 is also prone to this attack which is described within the security considerations.

Should an IKE gateway be under a fragmentation attack, dropping traffic from a peer that does not complete the fragment chain can be used as a simple protective mechanism to minimise the impact of future attacks.

For implementations that do not support the use of the QSKE, the QSKE Notify payload will be ignored and the IKEv2 exchange will continue as per RFC7296. The QSKE Notify payload can be used to minimise inter-op issues with QSKE and non QSKE implementations.

The QSKE Notify payload can be marked as critical for devices that mandate the use of QSKE to protect IKE.

QSKE Notification Payload

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Payload  |C|  RESERVED   |         Payload Length        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Protocol ID  |   SPI Size    |      Notify Message Type      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       Notification Data                       ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

----

A Quantum Safe Key Exchange Payload

The quantum-safe key exchange payload, denoted QSKE in this document, is used to exchange a quantum-safe shared secret between two IKE peers.  The QSKE payload consists of the IKE generic payload header, a two-octet value denoting the Quantum-Safe Group number, and followed by the quantum-safe data itself.

The Fragment bit, denoted F (below), specifies if the QSKE is fragmented. If this is set to '1', meaning the QSKE is fragmented the Fragment Number and Total Fragments fields will be populated. If the Fragment bit is not set (set to '0'), then the Fragment Number and Total Fragments fields will not exist. The Fragment Number is used should the Quantum-Safe Data be too large to fit within a single payload. The Fragment Number is the first fragment, increasing by one for every other fragment that is sent. The Total Fragments field denotes the maximum number of fragments that contain the Quantum-Safe Data.

The QSKE is nearly identical to the KE payload, however the Fragment bit identifies if the receiver should handle this in a different manner to the KE payload. The KE and QSKE are negotiated/advertised using the transform type 4 (Diffie Hellman groups).  By including the QSKE in the same transform type 4 as classic DH allows for minimal configuration changes for current implementations when configuring both DH and QSKE Groups.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Next Payload  |C|F| Reserved  |            Payload Length     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Quantum-Safe Group Num     |           RESERVED            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~        Fragment Number            |     Total Fragments       ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~                       Quantum-Safe Data                       ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The size of the Quantum-Safe Data can be the total fragments * payload length = ~ 4GB, which seems sufficient for the size of the QSKE payloads discussed so far.

The use of the Fragmentation bit is not mandatory. Implementations can attempt to send the IKE_SA_INIT payload containing the QSKE payload without fragmentation at the IKE layer, opting for fragmentation at the IP layer instead. Implementations can initially exclude the use of fragmentation in the QSKE payload, however if connectivity fails when not using fragmentation of the QSKE, it is assumed that that traffic has been denied due to fragmentation at the IP layer and fragmentation of the QSKE should be used instead.

--

In the following example the Initiator will propose DH Groups 14,19,21 and 30,32 and 35 (fictitious QSKE groups). The Initiator sends the N(QSKE), which informs the responder to choose >=1 QSKE groups along with a classic DH group.

The responder will return the N(QSKE) payload, indicating it supports the QSKE, the security association includes DH Groups 14, 30 and 35 which informs the initiator of the QSKE groups it selects to use.

=20

The Initiator then sends the QSKEs and KE for the groups it wishes to use, plus the identical security associations as were sent in the first exchange (to mitigate downgrade attacks). Note: The Responder should check that the received QSKEs in the security association match its preferred secure QSKEs. This is to mitigate the following attack: the Initiator sends an SA that contains a certain QSKE in the security association; the Responder responds, but an attacker modifies this response to remove the said QSKE. The Initiator then performs the IKE_SA_INIT excluding the QSKE that was removed by the attacker in the QSKE (but it's included in the security associations). Hence, if the Responder verifies that the received QSKEs match the received security associations, it will mitigate this attack.

    Initiator                   Responder
   -----------                 -----------
   HDR, SAi1, Ni,KEi    -->                                 (DH Groups 14,19,21 and 30,32 and 35)
      N(QSKE)

                       <--   HDR, SAr1, N(COOKIE),[N(QSKE)]       (DH Groups 14, 30 and 35)

   HDR, N(COOKIE), SAi1,                                    (SA contains DH Groups 14,19,21 and 30,32 and 35)
    KEi, Ni, QSKEi-1/3  -->                                 (KE is Group 14, QSKE1 is Group 30, fragment 1 of 3)

   HDR, QSKEi-2/3       -->                                 (QSKE1 is Group 30, fragment 2 of 3)

   HDR, QSKEi-3/3       -->                                 (QSKE1 is Group 30, fragment 3 of 3)

   HDR, QSKEi2-1/4      -->                                 (QSKE2 is Group 35, fragment 1 of 4)

   HDR, QSKEi2-2/4      -->                                 (QSKE2 is Group 35, fragment 2 of 4)

   HDR, QSKEi2-3/4      -->                                 (QSKE2 is Group 35, fragment 3 of 4)

   HDR, QSKEi2-4/4      -->                                 (QSKE2 is Group 35, fragment 4 of 4)

                  <--  HDR, SAr1, Nr, KEr,                  (KE is Group 14, QSKE1 is Group 30, fragment 1 of 3)
                        QSKEi-1/3

                  <--  HDR,QSKEi-2/3                        (QSKE1 is Group 30, fragment 2 of 3)

                  <--  HDR,QSKEi-3/3                        (QSKE1 is Group 30, fragment 3 of 3)

                  <--  HDR,QSKEi2-1/4                       (QSKE2 is Group 35, fragment 1 of 4)

                  <--  HDR,QSKEi2-2/4                       (QSKE2 is Group 35, fragment 2 of 4)

                  <--  HDR,QSKEi2-3/4                       (QSKE2 is Group 35, fragment 3 of 4)

                  <--  HDR,QSKEi2-4/4                       (QSKE2 is Group 35, fragment 4 of 4)

As three groups were used, the keymat is generated with the combination of the output from the three public values.

KEYMAT = prf+(SK_d, QSSS2 (Group 35) | QSS1 (Group 30) | g^ir (Group 14) | Ni | Nr)

   HDR SK {IDi, [CERT,]
       [CERTREQ,] [IDr,] AUTH,
       SAi2, TSi, TSr}  -->

————

In the following the Initiator will propose DH Groups 14,19,21 and 30,32 and 35 (fictitious QSKE groups). The Initiator sends N(QSKE), which tells the responder to choose a DH group and >=1 QSKE groups.

The Responder in this case does not support QSKE and, assuming the N(QSKE) was non-critical, will ignore this Notify Payload.

The exchange will continue as per RFC7296.

    Initiator                   Responder
   -----------                 -----------
   HDR, SAi1, Ni,KEi    -->                           KE=Group 14 (SA: DH Groups 14,19,21 and 30,32 and 35)
      N(QSKE)

                       <--   HDR, SAr1,Nr,KEr         (DH Groups 14)

  HDR SK {IDi, [CERT,]
       [CERTREQ,] [IDr,] AUTH,
       SAi2, TSi, TSr}  -->

———————
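
An added illustration (not part of the original message or of the referenced draft) of the Responder-side handling described above: QSKE fragments are reassembled per group, and the exchange is rejected unless a complete QSKE arrives for every group the Responder selects from the repeated SAi1, which is the check that catches a stripped group. Assumptions: C and F are the top two bits of the flags octet, Fragment Number and Total Fragments are 16 bits each, that row is present only when F is set, and all function and class names are hypothetical.

```python
import struct

# Assumed layout (the diagram in the message leaves the widths open):
# flags octet = C (0x80), F (0x40); Fragment Number / Total Fragments are
# 16 bits each and only present when F is set. All names are hypothetical.
FLAG_C, FLAG_F = 0x80, 0x40

def build_qske(group, data, frag=None, total=None, next_payload=0):
    """Encode one QSKE payload; passing frag/total sets the F bit."""
    flags = FLAG_F if frag is not None else 0
    body = struct.pack("!HH", group, 0)               # group number, RESERVED
    if frag is not None:
        body += struct.pack("!HH", frag, total)
    body += data
    # Payload Length covers the 4-octet generic header, as in RFC 7296.
    return struct.pack("!BBH", next_payload, flags, 4 + len(body)) + body

def parse_qske(buf):
    """Decode one QSKE payload, rejecting bad lengths and fragment numbering."""
    if len(buf) < 8:
        raise ValueError("truncated QSKE header")
    _next, flags, length = struct.unpack_from("!BBH", buf, 0)
    if length != len(buf):
        raise ValueError("payload length mismatch")
    group, _reserved = struct.unpack_from("!HH", buf, 4)
    off, frag, total = 8, 1, 1                        # unfragmented = 1 of 1
    if flags & FLAG_F:
        if len(buf) < 12:
            raise ValueError("truncated fragment fields")
        frag, total = struct.unpack_from("!HH", buf, 8)
        off = 12
        if total == 0 or not 1 <= frag <= total:
            raise ValueError("bad fragment numbering")
    return {"group": group, "frag": frag, "total": total, "data": buf[off:]}

class QskeReassembler:
    """Per-exchange Responder state: QSKE fragments collected by group."""
    def __init__(self, selected_groups):
        self.selected = set(selected_groups)  # QSKE groups chosen in SAr1
        self.parts = {}                       # group -> {fragment number: data}
        self.totals = {}                      # group -> announced Total Fragments

    def add(self, buf):
        p = parse_qske(buf)
        g = p["group"]
        if g not in self.selected:
            raise ValueError(f"QSKE group {g} was not selected")
        if self.totals.setdefault(g, p["total"]) != p["total"]:
            raise ValueError(f"group {g}: inconsistent Total Fragments")
        if p["frag"] in self.parts.setdefault(g, {}):
            raise ValueError(f"group {g}: duplicate fragment {p['frag']}")
        self.parts[g][p["frag"]] = p["data"]

    def finish(self):
        """Return {group: blob}; every selected group needs a complete chain."""
        missing = self.selected - set(self.parts)
        if missing:
            raise ValueError(f"selected QSKE groups missing: {sorted(missing)}")
        out = {}
        for g, frags in self.parts.items():
            if len(frags) != self.totals[g]:
                raise ValueError(f"group {g}: incomplete fragment chain")
            out[g] = b"".join(frags[i] for i in range(1, self.totals[g] + 1))
        return out

def responder_accepts(sai1_qske_groups, supported, payloads):
    """Re-derive the selection from the repeated SAi1, then require a QSKE for each."""
    selected = [g for g in sai1_qske_groups if g in supported]
    reasm = QskeReassembler(selected)
    for p in payloads:
        reasm.add(p)
    return reasm.finish()

def fragments(group, blob, n):
    """Split blob into n QSKE fragment payloads (constructed sample traffic)."""
    size = -(-len(blob) // n)                         # ceiling division
    return [build_qske(group, blob[i * size:(i + 1) * size], i + 1, n)
            for i in range(n)]

if __name__ == "__main__":
    # Constructed public values for the message's fictitious groups 30 and 35.
    blob30, blob35 = bytes(range(250)) * 3, b"\xab" * 1000
    sai1, supported = [30, 32, 35], {30, 35}
    ok = responder_accepts(sai1, supported,
                           fragments(30, blob30, 3) + fragments(35, blob35, 4))
    print({g: len(b) for g, b in ok.items()})
    try:
        # Group 35 was removed from the Responder's reply in transit, so the
        # Initiator sends only group 30 although SAi1 still lists 35.
        responder_accepts(sai1, supported, fragments(30, blob30, 3))
    except ValueError as err:
        print("rejected:", err)
```
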


1.0pt;font-family:"Courier New";color:black'>&#8212;&#8212;&#8212;&#8212;</s=
pan><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=
=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-web=
kit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'>=
<span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>A Quant=
um Safe Key Exchange Payload</span><span style=3D'color:black'><o:p></o:p></sp=
an></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;tex=
t-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-strok=
e-width: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Co=
urier New";color:black'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></=
span></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;t=
ext-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-str=
oke-width: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"=
Courier New";color:black'>The quantum-safe key exchange payload, denoted QSK=
E in this document, is used to exchange a quantum-safe shared secret between=
 two IKE peers.&nbsp; The QSKE payload consists of the IKE generic payload h=
eader, a two-octet value denoting the Quantum-Safe Group number, followed by=
 the quantum-safe data itself.&nbsp;<span class=3Dapple-converted-space>&n=
bsp;</span></span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DM=
soNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;wid=
ows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word=
-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:=
black'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></p><p class=
=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;w=
idows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;wo=
rd-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";colo=
r:black'>The Fragment bit, denoted F (below), specifies if the QSKE is fragm=
ented. If this is set to '1', meaning the QSKE is fragmented, the Fragment=
 Number and Total Fragments fields will be populated. If the Fragment bit =
is no=
t set (set to '0'), then the Fragment Number and Total Fragments fields will=
 not exist. The Fragment Number is used should the Quantum-Safe Data be too =
large to fit within a single payload. The Fragment Number is the first fragm=
ent, increasing by one for every other fragment that is sent. The Total Frag=
ments field denotes the maximum number of fragments that contain the Quantum=
-Safe Data.</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DM=
soNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;wid=
ows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word=
-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:=
black'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></p><p class=
=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;w=
idows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;wo=
rd-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";colo=
r:black'>The QSKE is nearly identical to the KE payload; however, the =
Fragmen=
t bit identifies if the receiver should handle this in a different manner to=
 the KE payload. The KE and QSKE are negotiated/advertised using the transfo=
rm type 4 (Diffie Hellman groups).&nbsp; Including the QSKE in the same t=
ransform type 4 as classic DH allows for minimal configuration changes for c=
urrent implementations when configuring both DH and QSKE Groups.</span><span=
 style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-va=
riant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-=
size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span sty=
le=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;</span><sp=
an style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-=
variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-tex=
t-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span s=
tyle=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3</span><span sty=
le=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-varian=
t-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size=
-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span style=3D'=
font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp; 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9=
 0 1</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNorma=
l style=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: au=
to;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacin=
g:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+=
-+-+-+-+-+-+-+-+-+-+</span><span style=3D'color:black'><o:p></o:p></span></p><=
p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:=
start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width:=
 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier Ne=
w";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Next Payload&nbsp; |C|F| Re=
served&nbsp; |&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Payload Length &nbsp;&nbsp;&nbsp; |</span><span style=3D'color:black'><o:p></o=
:p></span></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: a=
uto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-tex=
t-stroke-width: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-fam=
ily:"Courier New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; +-+-+-+-+-+-+-=
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><span style=3D'color=
:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-variant-caps: n=
ormal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span style=3D'font-size=
:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
; |&nbsp;&nbsp;&nbsp; Quantum-Safe Group Num&nbsp;&nbsp;&nbsp;&nbsp; |&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RESERVED&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</span><span style=3D'c=
olor:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-variant-cap=
s: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adju=
st: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span style=3D'font-=
size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</spa=
n><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'=
font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webki=
t-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><s=
pan style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp; ~&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Fragment N=
umber&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | &nbsp;&=
nbsp;&nbsp; Total Fragments&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ~</span><spa=
n style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-v=
ariant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text=
-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span st=
yle=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-=
+-+-+</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNorm=
al style=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: a=
uto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spaci=
ng:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'=
>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp; |</span><span style=3D'color:black'><o:p></o:p></spa=
n></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text=
-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke=
-width: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Cou=
rier New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ~&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Quantum-Safe Data&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ~</span><span style=3D'color:black'><o:p></o=
:p></span></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: a=
uto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-tex=
t-stroke-width: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-fam=
ily:"Courier New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|</span><span style=3D=
'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-variant-c=
aps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-ad=
just: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span style=3D'fon=
t-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</s=
pan><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=
=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-web=
kit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'>=
<span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;<=
/span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal sty=
le=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-w=
ebkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px=
'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The s=
ize of the Quantum-Safe Data can be the total fragments * payload length =3D ~=
 4GB, which seems sufficient for the size of the QSKE payloads discussed so =
far.</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNorma=
l style=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: au=
to;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacin=
g:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>=
&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNor=
mal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: =
auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spac=
ing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black=
'>The use of the Fragmentation bit is not mandatory. Implementations can att=
empt to send the IKE_SA_INIT payload containing the QSKE payload without fra=
gmentation at the IKE layer, opting for fragmentation at the IP layer instea=
d. Implementations can initially exclude the use of fragmentation in the=
 QSKE payload; however, if connectivity fails when not using fragmentation =
of=
 the QSKE, it is assumed that that traffic has been denied due to fragmentat=
ion at the IP layer and fragmentation of the QSKE should be used instead.</s=
pan><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=
=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-web=
kit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'>=
<span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;<=
/span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal sty=
le=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-w=
ebkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px=
'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp=
;</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal s=
tyle=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;=
-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0=
px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&#8=
212;&#8212;</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DM=
soNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;wid=
ows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word=
-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:=
black'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></p><p class=
=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;w=
idows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;wo=
rd-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";colo=
r:black'>In the following example the Initiator will propose DH Groups 14,19=
,21 and 30,32 and 35 (fictitious QSKE groups). The Initiator sends the N(QSK=
E), which informs the responder to choose &gt;=3D1 QSKE groups along with a cl=
assic DH group.</span><span style=3D'color:black'><o:p></o:p></span></p><p cla=
ss=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start=
;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;=
word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";co=
lor:black'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></p><p c=
lass=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:sta=
rt;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0p=
x;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";=
color:black'>The responder will return the N(QSKE) payload, indicating it su=
pports the QSKE; the security association includes DH Groups 14, 30 and 35 w=
hich informs the initiator of the QSKE groups it selects to use.</span><span=
 style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-va=
riant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-=
size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span sty=
le=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;</span><sp=
an style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-=
variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-tex=
t-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span s=
tyle=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The Initiator =
then sends the QSKEs and KE for the groups it wishes to use, plus the ident=
ical security associations as were sent in the first exchange (to mitigate=
 downgrade attacks). Note: The Responder should check that the received=
 QSKEs in the security association match with its preferred secure QSKEs.=
 This is to mitigate the following attack: the Initiator sends an SA that=
 contains a certain QSKE in the security association; the Responder=
 responds, but an attacker modifies this response to remove the said QSKE.=
 The Initiator then performs the IKE_SA_INIT excluding the QSKE that was=
 removed by the attacker,&nbsp; in the QSKE (but it's included in the=
 security associations). Hence if the responder verifies that the received=
 QSKE match the received security associations, it will mitigate this=
 attack.</span><span style=3D'color:black'><o:p></o:p></span></p><p=
 class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:s=
tart;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: =
0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New=
";color:black'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></p>=
<p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align=
:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width=
: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier N=
ew";color:black'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></=
p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-ali=
gn:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-wid=
th: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier=
 New";color:black'>&nbsp;&nbsp;&nbsp; Initiator&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; Responder</span><span style=3D'color:black'><o:p></o:p></span></p><p class=
=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;w=
idows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;wo=
rd-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";colo=
r:black'>&nbsp;&nbsp; -----------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----------</span><spa=
n style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-v=
ariant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text=
-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span st=
yle=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp; HD=
R, SAi1, Ni,KEi &nbsp;&nbsp; --&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
(DH Groups 14,19,21 and 30,32 and 35)</span><span style=3D'color:black'><o:p><=
/o:p></span></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans:=
 auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-t=
ext-stroke-width: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-f=
amily:"Courier New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N(QSKE)</spa=
n><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'=
font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webki=
t-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><s=
pan style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;</s=
pan><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=
=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-web=
kit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'>=
<span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;--&nbsp;&nbsp; HDR, SA=
r1, N(COOKIE),[N(QSKE)]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (DH Groups 14, 3=
0 and 35)</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMso=
Normal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;widow=
s: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-s=
pacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:bl=
ack'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DM=
soNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;wid=
ows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word=
-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:=
black'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></p><p class=
=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;w=
idows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;wo=
rd-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";colo=
r:black'>&nbsp;&nbsp; HDR, N(COOKIE), SAi1,&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp; (SA contains DH Groups 14,19,21 and 30,32 and 35)<=
/span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal sty=
le=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-w=
ebkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px=
'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp=
;&nbsp;&nbsp; KEi, Ni, QSKEi-1/3&nbsp; --&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp; (KE is Group 14, QSKE1 is Group 30, fragment 1 of 3)</span><span s=
tyle=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-vari=
ant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-si=
ze-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span style=
=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;</span><span=
 style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-va=
riant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-=
size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span sty=
le=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp; HDR=
, QSKEi-2/3&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; --&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; (QSKE1 is Group 30, fragment 2 of 3)</span><span style=3D'color:=
black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-variant-caps: no=
rmal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: a=
uto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span style=3D'font-size:=
11.0pt;font-family:"Courier New";color:black'>&nbsp;</span><span style=3D'colo=
r:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-variant-caps: =
normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust:=
 auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span style=3D'font-siz=
e:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp; HDR, QSKEi-3/3&=
nbsp; &nbsp;&nbsp;&nbsp;&nbsp; --&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
; (QSKE1 is Group 30, fragment 3 of 3)</span><span style=3D'color:black'><o:p>=
</o:p></span></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans=
: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-=
text-stroke-width: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-=
family:"Courier New";color:black'>&nbsp;</span><span style=3D'color:black'><o:=
p></o:p></span></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orpha=
ns: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webki=
t-text-stroke-width: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;fon=
t-family:"Courier New";color:black'>&nbsp;&nbsp; HDR, QSKEi2-1/4&nbsp; &nbsp=
;&nbsp;&nbsp; --&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (QSKE2 is Group=
 35, fragment 1 of 4)</span><span style=3D'color:black'><o:p></o:p></span></p>=
<p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-align=
:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width=
: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier N=
ew";color:black'>&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></=
p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: auto;text-ali=
gn:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-wid=
th: 0px;word-spacing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier=
 New";color:black'>&nbsp;&nbsp; HDR, QSKEi2-2/4&nbsp; &nbsp;&nbsp;&nbsp; --&=
gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (QSKE2 is Group 35, fragment 2 o=
f 4)</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNorma=
l style=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: au=
to;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacin=
g:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>=
&nbsp;</span><span style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNor=
mal style=3D'font-variant-caps: normal;orphans: auto;text-align:start;widows: =
auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spac=
ing:0px'><span style=3D'font-size:11.0pt;font-family:"Courier New";color:black=
'>&nbsp;&nbsp; HDR, QSKEi2-3/4&nbsp; &nbsp;&nbsp;&nbsp; --&gt;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp; (QSKE2 is Group 35, fragment 3 of 4)</span><span =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-var=
iant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-s=
ize-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span styl=
e=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;</span><spa=
n style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal style=3D'font-v=
ariant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text=
-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span st=
yle=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp;&nbsp; HD=
R, QSKEi2-4/4&nbsp; &nbsp;&nbsp;&nbsp; --&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp; (QSKE2 is Group 35, fragment 4 of 4)</span><span style=3D'color:blac=
k'><o:p></o:p></span></p>
<pre>
                  &lt;--  HDR, SAr1, Nr, KEr,     (KE is Group 14, QSKE1 is Group 30, fragment 1 of 3)
                        QSKEi-1/3

                  &lt;--  HDR,QSKEi-2/3           (QSKE1 is Group 30, fragment 2 of 3)

                  &lt;--  HDR,QSKEi-3/3           (QSKE1 is Group 30, fragment 3 of 3)

                  &lt;--  HDR,QSKEi2-1/4          (QSKE2 is Group 35, fragment 1 of 4)

                  &lt;--  HDR,QSKEi2-2/4          (QSKE2 is Group 35, fragment 2 of 4)

                  &lt;--  HDR,QSKEi2-3/4          (QSKE2 is Group 35, fragment 3 of 4)

                  &lt;--  HDR,QSKEi2-4/4          (QSKE2 is Group 35, fragment 4 of 4)
</pre>
<p class=3DMsoNormal>As three groups were used, the keymat is generated with the combination of the output from the three public values.</p>
<pre>
KEYMAT =3D prf+(SK_d, QSSS2 (Group 35) | QSS1 (Group 30) | g^ir (Group 14) | Ni | Nr)

   HDR SK {IDi, [CERT,]
       [CERTREQ,] [IDr,] AUTH,
       SAi2, TSi, TSr}  --&gt;
</pre>
<p class=3DMsoNormal>&#8212;&#8212;&#8212;&#8212;</p>
<p class=3DMsoNormal>In the following the Initiator will propose DH Groups 14,19,21 and 30,32 and 35 (fictitious QSKE groups). The Initiator sends N(QSKE), which tells responder to choose a DH group and &gt;=3D1 QSKE groups.</p>
<p class=3DMsoNormal>The Responder in this case does not support QSKE and assuming the N(QSKE) was non critical, will ignore this Notify Payload.</p>
<p class=3DMsoNormal>The exchange will continue as per RFC7296.</p>
<pre>
    Initiator                   Responder
   -----------                 -----------
   HDR, SAi1, Ni,KEi    --&gt;                    KE=3DGroup 14 (SA: DH Groups 14,19,21 and 30,32 and 35)
      N(QSKE)

                      &lt;--   HDR, SAr1,Nr,KEr         (DH Groups 14)

  HDR SK {IDi, [CERT,]
       [CERTREQ,] [IDr,] AUTH,
       SAi2, TSi, TSr}  --&gt;
</pre>
<p class=3DMsoNormal>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</p>
</div></body></html>

--B_3584609835_993542608--

--B_3584609835_8835603
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"


--B_3584609835_8835603--
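
Added example (not part of the original thread, and not code from any IKEv2 implementation): the KEYMAT combination described in the message above, computed with prf+ as defined in RFC 7296 section 2.13, together with a completeness check for the fragmented QSKE values shown in the diagrams. HMAC-SHA-256 as the PRF, the (index, total, data) fragment tuple, the function names and all byte strings are assumptions constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # assumption: PRF_HMAC_SHA2_256 was negotiated


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated pseudo-random function (HMAC with the chosen hash)."""
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    if length > 255 * HASH().digest_size:
        raise ValueError("prf+ is limited to 255 iterations")
    out, block = b"", b""
    for counter in range(1, 256):
        if len(out) >= length:
            break
        block = prf(key, block + seed + bytes([counter]))
        out += block
    return out[:length]


def reassemble_qske(fragments):
    """Rebuild one QSKE public value from (index, total, data) fragments.

    The tuple layout is hypothetical; the thread only gives the i/n notation.
    Fragments may arrive in any order, but the set has to be complete and
    self-consistent before the value is handed to the key exchange.
    """
    if not fragments:
        raise ValueError("no fragments received")
    total = fragments[0][1]
    parts = {}
    for index, frag_total, data in fragments:
        if frag_total != total:
            raise ValueError("fragments disagree on the total count")
        if not 1 <= index <= total:
            raise ValueError("fragment index out of range")
        if index in parts and parts[index] != data:
            raise ValueError("conflicting copies of the same fragment")
        parts[index] = data  # an identical retransmission is harmless
    if len(parts) != total:
        raise ValueError("missing fragment")
    return b"".join(parts[i] for i in range(1, total + 1))


def hybrid_keymat(sk_d, qs_secrets, dh_secret, ni, nr, length):
    """KEYMAT = prf+(SK_d, QS secrets | g^ir | Ni | Nr), in the order given.

    With an empty qs_secrets list the seed is g^ir | Ni | Nr, the RFC 7296
    form for a Child SA created with a fresh Diffie-Hellman exchange.
    """
    seed = b"".join(qs_secrets) + dh_secret + ni + nr
    return prf_plus(sk_d, seed, length)


# Constructed sample values, not real key material.
SK_D = bytes(range(32))
QSSS2 = b"\x35" * 48   # stand-in for the Group 35 shared secret
QSS1 = b"\x30" * 32    # stand-in for the Group 30 shared secret
G_IR = b"\x14" * 256   # Group 14 is a 2048-bit MODP group: 256-byte secret
NI = b"\xa1" * 32
NR = b"\xb2" * 32

if __name__ == "__main__":
    value = reassemble_qske([(2, 3, b"bb"), (1, 3, b"aa"), (3, 3, b"cc")])
    print("reassembled QSKE value:", value)
    keymat = hybrid_keymat(SK_D, [QSSS2, QSS1], G_IR, NI, NR, 64)
    print("KEYMAT:", keymat.hex())
```

Because every secret enters the same prf+ seed, changing any one of the three shared secrets changes the whole KEYMAT.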


From nobody Thu Aug  3 06:09:13 2017
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 752EA131FF9 for <ipsec@ietfa.amsl.com>; Thu,  3 Aug 2017 06:09:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level: 
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RU1AFK4aAsPG for <ipsec@ietfa.amsl.com>; Thu,  3 Aug 2017 06:09:06 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 256C8131FFB for <ipsec@ietf.org>; Thu,  3 Aug 2017 06:09:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=151508; q=dns/txt; s=iport; t=1501765745; x=1502975345; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=caF8qK06psO+OsC/3ZZDgGU4/voLFxbW4hexitGKsk4=; b=CAKfJV86MPv6DcS/7N6ziRAIlfezTgI45je7Tqwc6W/Gl3O7YyiiiBf0 o51ne0BY/TunETHy9fW6VrHHhCSaRVKWgdTcGRcUm9R6Elw0ciX8HE762 y0dNLSUcnSDyoQVXmKhyR2xzA3h7D523G1lcSwa07WJlSHskS2bJhA4rh 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ChAADEH4NZ/4gNJK1cGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBgm8+LWRtJweOCJAHgW6WFQ6CBCyFGwIahCM/GAECAQEBAQEBAWs?= =?us-ascii?q?ohRgBAQEBAxoJBAZcAgEGAhEEAQEhAQYDAgICMBQJCAIEARIIiUNkEI8DnWSBb?= =?us-ascii?q?DoniycBAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYMkBIICgUyBY4MnhFsvH4JdgmE?= =?us-ascii?q?FiWIKiGeNKgKHUYxRghiFWIphlgABHzg/S3cVhWAcgWd2iEeBDwEBAQ?=
X-IronPort-AV: E=Sophos;i="5.41,316,1498521600";  d="scan'208,217";a="466025196"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 03 Aug 2017 13:09:03 +0000
Received: from XCH-RTP-009.cisco.com (xch-rtp-009.cisco.com [64.101.220.149]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id v73D934e010091 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <ipsec@ietf.org>; Thu, 3 Aug 2017 13:09:03 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-009.cisco.com (64.101.220.149) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 3 Aug 2017 09:09:02 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1210.000; Thu, 3 Aug 2017 09:09:02 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Graham Bartlett (grbartle)" <grbartle@cisco.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJyk1Bw
Date: Thu, 3 Aug 2017 13:09:02 +0000
Message-ID: <35c7ff8909684374a316be24c7eba9d7@XCH-RTP-006.cisco.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>
In-Reply-To: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: multipart/alternative; boundary="_000_35c7ff8909684374a316be24c7eba9d7XCHRTP006ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Xp3wl6sr30WdlmKsShHl1ZwGlaA>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 13:09:11 -0000

--_000_35c7ff8909684374a316be24c7eba9d7XCHRTP006ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_35c7ff8909684374a316be24c7eba9d7XCHRTP006ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_35c7ff8909684374a316be24c7eba9d7XCHRTP006ciscocom_--


From nobody Thu Aug  3 07:13:15 2017
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4ADF132058 for <ipsec@ietfa.amsl.com>; Thu,  3 Aug 2017 07:13:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id knHn6pD0COpz for <ipsec@ietfa.amsl.com>; Thu,  3 Aug 2017 07:13:12 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80A3513203F for <ipsec@ietf.org>; Thu,  3 Aug 2017 07:13:11 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 153792009E; Thu,  3 Aug 2017 10:15:05 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 2B89780717; Thu,  3 Aug 2017 10:13:10 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Scott Fluhrer \(sfluhrer\)" <sfluhrer@cisco.com>
cc: "Graham Bartlett \(grbartle\)" <grbartle@cisco.com>, "ipsec\@ietf.org" <ipsec@ietf.org>
In-Reply-To: <35c7ff8909684374a316be24c7eba9d7@XCH-RTP-006.cisco.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <35c7ff8909684374a316be24c7eba9d7@XCH-RTP-006.cisco.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Thu, 03 Aug 2017 10:13:10 -0400
Message-ID: <1072.1501769590@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/6AcBzLgt9MFF5if1H8jXFg8Regg>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 14:13:14 -0000

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit


Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> wrote:
    > EAP; frankly, I’m not that familiar with EAP, however, if EAP isn’t currently
    > postquantum secure, it may make sense for that protocol to be updated.

EAP is a framework for a set of algorithms, some of which are as stupid
as "send the cleartext password", to CHAP-methods, to run some variation
of TLS and do something else inside the TLS. (Yes, you can run EAP inside
the TLS, and recursive...)

Key generating EAP methods (of which passwords are not an example), deliver
the same key to both ends securely, which in some situations is used to
authenticate something else.  In WPA/1x, it becomes your WEP key.

In IKEv2, we can use EAP in addition to other methods; the gateway machine
will often authenticate with a certificate.  So if the certificate is
post-quantum, is it enough to have half-duplex resistance?  I suspect not.

(I didn't read the rest of your message yet)


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=--


From nobody Thu Aug  3 07:58:53 2017
Return-Path: <CJT@post-quantum.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F008C13202F for <ipsec@ietfa.amsl.com>; Thu,  3 Aug 2017 07:58:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id awki5gJjLp5f for <ipsec@ietfa.amsl.com>; Thu,  3 Aug 2017 07:58:50 -0700 (PDT)
Received: from relay.ezis.com (relay.ezis.com [5.153.73.19]) by ietfa.amsl.com (Postfix) with ESMTP id 2D4CC13235F for <ipsec@ietf.org>; Thu,  3 Aug 2017 07:58:50 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.41,316,1498518000"; d="scan'208,217";a="2178023"
Received: from unknown (HELO pqex01.post-quantum.com) ([192.168.142.3]) by ironport.ezis.com with ESMTP; 03 Aug 2017 15:58:49 +0100
Received: from PQEX02.post-quantum.com (192.168.142.18) by PQEX01.post-quantum.com (192.168.142.3) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 3 Aug 2017 15:58:47 +0100
Received: from PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3]) by PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3%13]) with mapi id 15.00.1320.000; Thu, 3 Aug 2017 15:58:47 +0100
From: Cen Jung Tjhai <CJT@post-quantum.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDGkCPH5PNqQgTkK9LOvm4SvL2g==
Date: Thu, 3 Aug 2017 14:58:47 +0000
Message-ID: <6721BCD4-D95F-42F1-86B8-400D0F6C1F2F@post-quantum.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.3.255.7]
Content-Type: multipart/alternative; boundary="_000_6721BCD4D95F42F186B8400D0F6C1F2Fpostquantumcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0ylZ98jbquq-LFrK1sZzs_8Itus>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 14:58:53 -0000

--_000_6721BCD4D95F42F186B8400D0F6C1F2Fpostquantumcom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi Scott,

>> The other question about your proposed mechanism is how does it work; you just outline
>> a way to exchange ‘quantum resistant’ blobs, and don’t say how those blobs actually work.
>> I’m not talking about the cryptography, I’m talking about the authentication.  For an
>> authentication mechanism to work (for Alice to authenticate to Bob), we must have:
>> - Alice can generate the Blob
>> - Eve cannot generate the Blob
>> - Bob can verify that the Blob was generated properly
>> Saying “postquantum” doesn’t change the underlying problem.  You don’t specify how this
>> works (e.g. what Alice and Bob knows), and why the current authentication mechanisms
>> already in IKE aren’t sufficient

I wonder if there is a confusion there. The text basically proposed a method to do fragmentation of payloads carrying post-quantum public data in IKE_SA_INIT exchange and deal with backward compatibility.

In terms of authentication, those post-quantum blob fragments will need to be signed as per RFC7296. We don’t claim that the authentication is post-quantum. However, we do recognise that future mechanism can be introduced to make the authentication post-quantum, as you point out using post-quantum certificate for example.

Or have I misunderstood you?

Best regards,
CJ

--_000_6721BCD4D95F42F186B8400D0F6C1F2Fpostquantumcom_--


From nobody Thu Aug  3 09:06:49 2017
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68B55132474 for <ipsec@ietfa.amsl.com>; Thu,  3 Aug 2017 09:06:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R44zb8EOFNbF for <ipsec@ietfa.amsl.com>; Thu,  3 Aug 2017 09:06:43 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC126132456 for <ipsec@ietf.org>; Thu,  3 Aug 2017 09:06:42 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xNZgM3xxDz3KG; Thu,  3 Aug 2017 18:06:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1501776399; bh=TymIoxuMzIbeN6ljltVDWHqS00OULEpSN6g0n6x32/0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=pZVcGKT3OD6TcvI0h9qLX8ddIifpfzfJfEOZa2E3qesqvqcko9jj9G28t4PUZoCfF lw7+4trvcuUuE6d4JCAVldzSU4Pro56WV1+9DHp5xPYi5UavvbU/CBWwI9orXHQMb5 eIvih8UBQQfCdNucVMooDnp5irAnxMNDXvgLQNAo=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id ZQM1YVRCNjCt; Thu,  3 Aug 2017 18:06:37 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu,  3 Aug 2017 18:06:36 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 121F830AFA2; Thu,  3 Aug 2017 12:06:36 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 121F830AFA2
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 0CA7640D3592; Thu,  3 Aug 2017 12:06:35 -0400 (EDT)
Date: Thu, 3 Aug 2017 12:06:35 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
cc: "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>
Message-ID: <alpine.LRH.2.21.1708031149180.11277@bofh.nohats.ca>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/R2yg9-bmswbAclMc-djOqncrLlM>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 16:06:46 -0000

On Thu, 3 Aug 2017, Graham Bartlett (grbartle) wrote:

> 1.      The IKE_AUTH exchange is protected using the quantum secure algorithms. So all attributes within the IKE
> exchange are protected against passive attacks, which wouldn’t be the case should the quantum resistant ‘blob’ be
> sent in IKE_AUTH.

Depends on what you mean with "protected". Sure it could be seen in
plaintext, but still not broken. But sure, it would be nice to have
this message fully protected against passive eavesdroppers.

> 3.      A simple method to fragment the quantum secure key exchange data in IKE_SA_INIT is included

> 4.      The large quantum resistant ‘blob’ of data is only sent when it is known that the peer will accept this.

I don't understand this? You mean known by preconfiguration? That would
make migration really difficult and introduce a flag day. It would also
not be true for Opportunistic IPsec, where there is no preconfiguration
between peers.

> 7.      With regards to fragmentation attacks, the use of fragmentation in this idea has the same security as of
> RFC7383. Whereby an attacker that reveals her true IP address can send multiple fragments, but not the complex chain.

I'm not sure how that can be, if it is the IKE_INIT that is getting
fragmented.

> For devices that are operating in a mesh network, where many devices have multiple peers, where peers are using
> varying QSKE groups. In these instances the QSKE that is preferred by the Initiator might not be available or
> preferred on the Responder. To overcome scenarios where the Initiator will send a QSKE which is large in size and not
> supported by the Responder, (therefore wasting time and resource), the QSKE Notify payload can be used to query the
> responder to determine the supported security association attributes. The QSKE Notify payload is sent by the
> Initiator, which also excludes the QSKE payload (however a single KE payload should be included for backwards
> compatibility). If the Responder supports the QSKE notify payload it replies with the accepted security associations

Isn't this all unsafe against downgrade attacks?

> For implementations that do not support the use of the QSKE, the QSKE Notify payload will be ignored and the IKEv2
> exchange will continue as per RFC7296.

What prevents an attacker from stripping out the QSKE Notify payload in
the IKE_INIT request?

> The QSKE is nearly identical to the KE payload, however the Fragment bit identifies if the receiver should handle
> this in a different manner to the KE payload. The KE and QSKE are negotiated/advertised using the transform type 4
> (Diffie Hellman groups).  By including the QSKE in the same transform type 4 as classic DH allows for minimal
> configuration changes for current implementations when configuring both DH and QSKE Groups.

Can this not be abused for an amplification attack by sending a really
small QSKE payload and causing the responder to send back a large QSKE
payload in multiple fragments?

> The use of the Fragmentation bit is not mandatory. Implementations can attempt to send the IKE_SA_INIT payload
> containing the QSKE payload without fragmentation at the IKE layer, opting for fragmentation at the IP layer instead.
> Implementations can initially exclude the use of fragmentation in the QSKE payload, however if connectivity fails
> when not using fragmentation of the QSKE, it is assumed that that traffic has been denied due to fragmentation at the
> IP layer and fragmentation of the QSKE should be used instead.

How does that work on the responder side? In IKEv2, the responder never
retransmits. What if fragments from responder to initiator fail?

>                   <--  HDR,QSKEi-2/3                        (QSKE1 is Group 30, fragment 2 of 3)
> 
>                   <--  HDR,QSKEi-3/3                        (QSKE1 is Group 30, fragment 3 of 3)
> 
>                   <--  HDR,QSKEi2-1/4                       (QSKE2 is Group 35, fragment 1 of 4)
> 
>                   <--  HDR,QSKEi2-2/4                       (QSKE2 is Group 35, fragment 2 of 4)
> 
>                   <--  HDR,QSKEi2-3/4                       (QSKE2 is Group 35, fragment 3 of 4)

Why would the responder reply to two group suggestions with QSKE payloads?
Normally in IKEv2, the initiator sends a list of proposals/options, and
the responder picks one from it.

> As three groups were used, the keymat is generated with the combination of the output from the three public values.

How did the initiator signal support for all groups _and_ support for
combining them? What is gained by combining multiple groups?

Paul
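
Added example (not part of any message in this thread, and not code from the draft's authors): a parser and bounded reassembler for the QSKE payload layout in Graham Bartlett's proposal, including the "drop a peer that does not complete the fragment chain" mitigation the proposal mentions. Assumptions: Fragment Number and Total Fragments are 16 bits each, fragments are numbered from 1, Payload Length covers the whole payload, and all names and limits (Reassembler, MAX_TOTAL_FRAGMENTS, MAX_REASSEMBLED, the timeout) are hypothetical local policy.

```python
import struct
from dataclasses import dataclass, field

C_BIT, F_BIT = 0x80, 0x40        # second header octet: |C|F| Reserved |
MAX_TOTAL_FRAGMENTS = 64         # assumed local policy, not from the proposal
MAX_REASSEMBLED = 256 * 1024     # assumed local policy, bytes per chain


class QskeError(ValueError):
    """Malformed payload or reassembly policy violation."""


@dataclass
class Qske:
    critical: bool
    group: int
    frag_no: int                 # 1 of 1 when the F bit is clear
    total: int
    data: bytes


def build_qske(group, data, frag_no=None, total=None):
    """Encode one QSKE payload (used here only to construct sample input)."""
    frag = b"" if frag_no is None else struct.pack("!HH", frag_no, total)
    flags = 0 if frag_no is None else F_BIT
    header = struct.pack("!BBHHH", 0, flags, 8 + len(frag) + len(data), group, 0)
    return header + frag + data


def parse_qske(buf):
    """Decode one QSKE payload, rejecting inconsistent lengths and numbering."""
    if len(buf) < 8:
        raise QskeError("short header")
    _next, flags, length, group, _rsvd = struct.unpack_from("!BBHHH", buf)
    if length != len(buf):
        raise QskeError("Payload Length does not match received size")
    frag_no, total, off = 1, 1, 8
    if flags & F_BIT:            # fragment fields exist only when F is set
        if len(buf) < 12:
            raise QskeError("short fragment header")
        frag_no, total = struct.unpack_from("!HH", buf, 8)
        off = 12
        if not 1 <= frag_no <= total <= MAX_TOTAL_FRAGMENTS:
            raise QskeError("bad fragment numbering")
    if len(buf) == off:
        raise QskeError("empty Quantum-Safe Data")
    return Qske(bool(flags & C_BIT), group, frag_no, total, buf[off:])


@dataclass
class _Chain:
    total: int
    first_seen: float
    parts: dict = field(default_factory=dict)
    size: int = 0


class Reassembler:
    """Reassemble QSKE fragments per (peer, group) with bounded state."""
    def __init__(self, timeout=5.0, max_chains_per_peer=2):
        self.timeout = timeout
        self.max_chains_per_peer = max_chains_per_peer
        self.chains = {}         # (peer, group) -> _Chain
        self.penalised = set()   # peers that left a chain incomplete

    def expire(self, now):
        for key, chain in list(self.chains.items()):
            if now - chain.first_seen > self.timeout:
                del self.chains[key]
                self.penalised.add(key[0])

    def add(self, peer, payload, now):
        """Return the full Quantum-Safe Data once complete, else None."""
        self.expire(now)
        if peer in self.penalised:
            raise QskeError("peer left an earlier fragment chain incomplete")
        q = parse_qske(payload)
        if q.total == 1:
            return q.data
        key = (peer, q.group)
        chain = self.chains.get(key)
        if chain is None:
            if sum(p == peer for p, _ in self.chains) >= self.max_chains_per_peer:
                raise QskeError("too many open chains for this peer")
            chain = self.chains[key] = _Chain(q.total, now)
        if q.total != chain.total:
            raise QskeError("Total Fragments changed mid-chain")
        if q.frag_no in chain.parts:     # retransmission: must be identical
            if chain.parts[q.frag_no] != q.data:
                raise QskeError("conflicting duplicate fragment")
            return None
        if chain.size + len(q.data) > MAX_REASSEMBLED:
            del self.chains[key]
            raise QskeError("reassembled size over limit")
        chain.parts[q.frag_no] = q.data
        chain.size += len(q.data)
        if len(chain.parts) < chain.total:
            return None
        del self.chains[key]
        return b"".join(chain.parts[i] for i in range(1, chain.total + 1))
```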


From nobody Fri Aug  4 05:59:53 2017
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F88813217A for <ipsec@ietfa.amsl.com>; Fri,  4 Aug 2017 05:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.198
X-Spam-Level: 
X-Spam-Status: No, score=-1.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GI62TamtLi1L for <ipsec@ietfa.amsl.com>; Fri,  4 Aug 2017 05:59:48 -0700 (PDT)
Received: from mail-lf0-x22e.google.com (mail-lf0-x22e.google.com [IPv6:2a00:1450:4010:c07::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB398131FF5 for <ipsec@ietf.org>; Fri,  4 Aug 2017 05:59:47 -0700 (PDT)
Received: by mail-lf0-x22e.google.com with SMTP id t128so6711030lff.2 for <ipsec@ietf.org>; Fri, 04 Aug 2017 05:59:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-language:thread-index; bh=Yiu1bDypYRZJqdRmyjUjnbN4KKYMTY8KyHRhO0GAVZg=; b=I3qSxbnlO6Jd/B5BhRVNiMeJrNYkLV/AoppegECImlSBTjUHA4DSsehgOAqqnIiBoD NLyJXUIvkl7t2VlDJmoLO2CovVJ/PlEFfcUAFifZSkewQsgBz4+AkQdqtl8ZgeTYpoB3 2lFo5m4XWhO421F+nrf6fTjgLKRimC9znslciNUpQ+CJxjbEmYSPOMMTQt2MMuZdfWPt NYw1XhE6UaZAd0iuspVKk14vkYiDW8gkQhZ+gCigemAMpIyASDz23IaruUdk2qD7f9rP C+z4bTN1+zr7+U6TiqmBYvr4hCToKocPnTttowBIOcstKJMP8sZOoYGdb2LMkPpZBvl9 VvDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-language:thread-index; bh=Yiu1bDypYRZJqdRmyjUjnbN4KKYMTY8KyHRhO0GAVZg=; b=RJtsWE/0U78SFG7RUcGsmXZnJ5e8QeXrUEGI1lmV0uAzxNISV6XDzWeHYP6IKMQHHX 24fGMpipIbh5IqtO8Go5PJcTlYB36gMcrlmK4yplxAgTEuoRsGFROiRCaKaly64WQRvV mJZ6qrtSCrpO67/xmjlBM+1QTGUIC8X0ftAg5wHJI/GECFmumguTQyxYeGoovS56ly91 ytGr+hepPG1yMlwri1uVcnTeEAafLZaJdR/xChcG92v4dqNw4VBodZqwILtiNBQ9Ht8s uzothbfdMaKXHDYLcT+zwrpeZmIiSFJzSCdCqju+6TWVjlxX1tlyYb5dGpVw3mDaevVB N/Dw==
X-Gm-Message-State: AHYfb5ilZ1t7W7TYcvNcAH4nRVURJGTPjX1Px4q/oCpxPyppNaYccuIS kyYWz9zN4TLRVg==
X-Received: by 10.46.75.9 with SMTP id y9mr397714lja.43.1501851586053; Fri, 04 Aug 2017 05:59:46 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id 95sm431018lfw.67.2017.08.04.05.59.44 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 04 Aug 2017 05:59:45 -0700 (PDT)
From: "Valery Smyslov" <svanru@gmail.com>
To: "'Graham Bartlett \(grbartle\)'" <grbartle@cisco.com>
Cc: <ipsec@ietf.org>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>
In-Reply-To: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>
Date: Fri, 4 Aug 2017 15:59:46 +0300
Message-ID: <041b01d30d21$8d33f230$a79bd690$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_041C_01D30D3A.B29686F0"
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQJGClSbub5RkghZHKgMD6H8pOsCc6GOGSKQ
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3vfKEWwWKVCK6PaLr7o_lyFbzGs>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 12:59:52 -0000

This is a multipart message in MIME format.

------=_NextPart_000_041C_01D30D3A.B29686F0
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Graham,

few comments.

It is not clear for me (and I raised this concern in Prague) why do you use QSKE as an additional
Key Exchange mechanism instead of replacing DH KE with it? We’ve been being told by cryptographers
that conventional public key cryptography won’t provide security in presence of QC, so why bother with it?
Using QSKE as an additional Key Exchange complicates protocol exchange, increases messages size
and resource consumption and also modifies generation of SKEYSEED, that makes it non-uniform.

The only reason that comes to my mind is that you don’t fully trust QSKE. Are there any other reasons?

And as an additional point to the above concern – why do you allow several QSKE methods to be used
in one exchange? The same set of problems – protocol complexity, resource consumption, messages size.

And I think if the IKE_SA_INIT messages grow too large with QSKE, then it’s better to develop
generic fragmentation mechanism for IKE_SA_INIT, rather than making it specific for fragmenting
QSKE blobs. Generic mechanism would allow to reuse it in case we’ll have to include
other large payloads in initial messages.

Regards,
Valery.

From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Graham Bartlett (grbartle)
Sent: Thursday, August 03, 2017 2:57 PM
To: ipsec@ietf.org
Subject: [IPsec] Proposed method to achieve quantum resistant IKEv2

Hi

After listening to the Prague meeting Dan Harkins raised the point that the Quantum Resistant IKEv2 implementation should protect passive attacks, where traffic that is sent and is captured today should be resilient to an adversary with a quantum computer in the future. But the Quantum Resistant IKEv2 does not have to protect against an adversary with a quantum computer in the future who can perform an active attack.

Someone else (can’t remember who) suggested the quantum resistant ‘blob’ be sent in IKE_AUTH as it will be large and probably fragmentation. Obviously for this the natural choice is to use the IKEv2 Fragmentation mechanism defined in RFC7383.

A few weeks ago I developed a method to send the quantum resistant ‘blob’ in IKE_SA_INIT, this is to amend https://tools.ietf.org/html/draft-tjhai-ipsecme-hybrid-qske-ikev2-00. After hearing the discussion described above I was going to park this idea and never speak of it again, however before I do this I’d like to share with the group for comments.

I personally feel this is an elegant and simple method to achieve sending one or more quantum resistant ‘blobs’. The main benefits being;

1. The IKE_AUTH exchange is protected using the quantum secure algorithms. So all attributes within the IKE exchange are protected against passive attacks, which wouldn’t be the case should the quantum resistant ‘blob’ be sent in IKE_AUTH.

2. This allows for a quantum resistant authentication method to be introduced into IKE_AUTH in the future, therefore protecting against active attacks with a quantum computer should this occur.

3. A simple method to fragment the quantum secure key exchange data in IKE_SA_INIT is included, however this is not mandatory. From personal experience I’ve seen a few cases where RFC 7383 fragmentation is required today, however the vast majority of customer implementations do not experience issues with IP fragments being denied and so do not require the functionality provided by RFC7383 (but for the cases where it’s needed, it’s a lifesaver).

4. The large quantum resistant ‘blob’ of data is only sent when it is known that the peer will accept this. This minimises delays when establishing IKEv2 SAs and minimises the risk of DoS (see point 7).

5. Backwards compatibility is maintained, with minimal risk that the addition of a quantum resistant exchange could cause abnormal behaviour with devices that do not support the new attributes. The QSKE are advertised using a transform type 4 groups.

6. This idea allows for algorithm agility, where multiple quantum resistant algorithms can be used in addition to a single classic DH (as per RFC7296). PQ algorithms with public data size larger than 65,536 octets are also supported.

7. With regards to fragmentation attacks, the use of fragmentation in this idea has the same security as of RFC7383. Whereby an attacker that reveals her true IP address can send multiple fragments, but not the complex chain.

The following is the idea, any questions, please feel free to ask.

QSKE Notify

For devices that are operating in a mesh network, where many devices have multiple peers, where peers are using varying QSKE groups. In these instances the QSKE that is preferred by the Initiator might not be available or preferred on the Responder. To overcome scenarios where the Initiator will send a QSKE which is large in size and not supported by the Responder, (therefore wasting time and resource), the QSKE Notify payload can be used to query the responder to determine the supported security association attributes. The QSKE Notify payload is sent by the Initiator, which also excludes the QSKE payload (however a single KE payload should be included for backwards compatibility). If the Responder supports the QSKE notify payload it replies with the accepted security associations (which includes one classic DH group and >=1 QSKE group, these are sent as groups within transform type 4. Most of the time, we will be using one PQ algorithm, rather than multiple. The Responder will also include the COOKIE notification, note the Responder does not send the KE or QSKE payload. The Initiator can now select the correct security association algorithms it intends to use, including the correct classic DH and QSKE and reply using the COOKIE.

Although the COOKIE does not provide protection against DoS attacks, whereby an attacker sends many fragments but does not complete the fragment chain, it does ensure that the attacker reveals their own IP address. Note that RFC 7383 is also prone to this attack which is described within the security considerations.

Should an IKE gateway be under a fragmentation attack, dropping traffic from a peer that does not complete the fragment chain can be used as a simple protective mechanism to minimise the impact of future attacks.

For implementations that do not support the use of the QSKE, the QSKE Notify payload will be ignored and the IKEv2 exchange will continue as per RFC7296. The QSKE Notify payload can be used to minimise inter-op issues with QSKE and non QSKE implementations.

The QSKE Notify payload can be marked as critical for devices that mandate the use of QSKE to protect IKE.

QSKE Notification Payload

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Payload  |C|  RESERVED   |         Payload Length        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Protocol ID  |   SPI Size    |      Notify Message Type      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       Notification Data                       ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

=20

=E2=80=94=E2=80=94=E2=80=94=E2=80=94

A Quantum Safe Key Exchange Payload

=20

The quantum-safe key exchange payload, denoted QSKE in this document, is =
used to exchange a quantum-safe shared secret between two IKE peers.  =
The QSKE payload consists of the IKE generic payload header, a two-octet =
value denoting the Quantum-Safe Group number, and followed by the =
quantum-safe data itself. =20

=20

The Fragment bit, denoted F (below), specifies if the QSKE is =
fragmented. If this is set to '1', meaning the QSKE is fragmented the =
Fragment Number and Total Fragments fields will be populated. If the =
Fragment bit is not set (set to '0'), then the Fragment Number and Total =
Fragments fields will not exist. The Fragment Number is used should the =
Quantum-Safe Data be too large to fit within a single payload. The =
Fragment Number is the first fragment, increasing by one for every other =
fragment that is sent. The Total Fragments field denotes the maximum =
number of fragments that contain the Quantum-Safe Data.

=20

The QSKE is nearly identical to the KE payload, however the Fragment bit identifies if the receiver should handle this in a different manner to the KE payload. The KE and QSKE are negotiated/advertised using the transform type 4 (Diffie Hellman groups). Including the QSKE in the same transform type 4 as classic DH allows for minimal configuration changes for current implementations when configuring both DH and QSKE Groups.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Next Payload  |C|F| Reserved  |            Payload Length     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Quantum-Safe Group Num     |           RESERVED            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~        Fragment Number            |     Total Fragments       ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~                       Quantum-Safe Data                       ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The size of the Quantum-Safe Data can be the total fragments * payload length = ~ 4GB, which seems sufficient for the size of the QSKE payloads discussed so far.

The use of the Fragmentation bit is not mandatory. Implementations can attempt to send the IKE_SA_INIT payload containing the QSKE payload without fragmentation at the IKE layer, opting for fragmentation at the IP layer instead. Implementations can initially exclude the use of fragmentation in the QSKE payload, however if connectivity fails when not using fragmentation of the QSKE, it is assumed that traffic has been denied due to fragmentation at the IP layer and fragmentation of the QSKE should be used instead.

--

In the following example the Initiator will propose DH Groups 14,19,21 and 30,32 and 35 (fictitious QSKE groups). The Initiator sends the N(QSKE), which informs the responder to choose >=1 QSKE groups along with a classic DH group.

The responder will return the N(QSKE) payload, indicating it supports the QSKE; the security association includes DH Groups 14, 30 and 35, which informs the initiator of the QSKE groups it selects to use.

The Initiator then sends the QSKEs and KE for the groups it wishes to use, plus the identical security associations as were sent in the first exchange (to mitigate downgrade attacks). Note: The Responder should check that the received QSKEs in the security association match with its preferred secure QSKEs. This is to mitigate the following attack: the Initiator sends an SA that contains a certain QSKE in the security association; the Responder responds, but an attacker modifies this response to remove the said QSKE. The Initiator then performs the IKE_SA_INIT excluding the QSKE that was removed by the attacker in the QSKE (but it's included in the security associations). Hence if the responder verifies that the received QSKEs match the received security associations, it will mitigate this attack.

    Initiator                   Responder
   -----------                 -----------
   HDR, SAi1, Ni,KEi    -->                                 (DH Groups 14,19,21 and 30,32 and 35)
      N(QSKE)

                       <--   HDR, SAr1, N(COOKIE),[N(QSKE)]       (DH Groups 14, 30 and 35)

   HDR, N(COOKIE), SAi1,                                    (SA contains DH Groups 14,19,21 and 30,32 and 35)
    KEi, Ni, QSKEi-1/3  -->                                 (KE is Group 14, QSKE1 is Group 30, fragment 1 of 3)
   HDR, QSKEi-2/3       -->                                 (QSKE1 is Group 30, fragment 2 of 3)
   HDR, QSKEi-3/3       -->                                 (QSKE1 is Group 30, fragment 3 of 3)
   HDR, QSKEi2-1/4      -->                                 (QSKE2 is Group 35, fragment 1 of 4)
   HDR, QSKEi2-2/4      -->                                 (QSKE2 is Group 35, fragment 2 of 4)
   HDR, QSKEi2-3/4      -->                                 (QSKE2 is Group 35, fragment 3 of 4)
   HDR, QSKEi2-4/4      -->                                 (QSKE2 is Group 35, fragment 4 of 4)

                  <--  HDR, SAr1, Nr, KEr,                  (KE is Group 14, QSKE1 is Group 30, fragment 1 of 3)
                        QSKEi-1/3
                  <--  HDR,QSKEi-2/3                        (QSKE1 is Group 30, fragment 2 of 3)
                  <--  HDR,QSKEi-3/3                        (QSKE1 is Group 30, fragment 3 of 3)
                  <--  HDR,QSKEi2-1/4                       (QSKE2 is Group 35, fragment 1 of 4)
                  <--  HDR,QSKEi2-2/4                       (QSKE2 is Group 35, fragment 2 of 4)
                  <--  HDR,QSKEi2-3/4                       (QSKE2 is Group 35, fragment 3 of 4)
                  <--  HDR,QSKEi2-4/4                       (QSKE2 is Group 35, fragment 4 of 4)

As three groups were used, the keymat is generated with the combination of the output from the three public values.

KEYMAT = prf+(SK_d, QSSS2 (Group 35) | QSS1 (Group 30) | g^ir (Group 14) | Ni | Nr)

   HDR SK {IDi, [CERT,]
       [CERTREQ,] [IDr,] AUTH,
       SAi2, TSi, TSr}  -->

----

In the following the Initiator will propose DH Groups 14,19,21 and 30,32 and 35 (fictitious QSKE groups). The Initiator sends N(QSKE), which tells the responder to choose a DH group and >=1 QSKE groups.

The Responder in this case does not support QSKE and, assuming the N(QSKE) was non critical, will ignore this Notify Payload.

The exchange will continue as per RFC7296.

    Initiator                   Responder
   -----------                 -----------
   HDR, SAi1, Ni,KEi    -->                           KE=Group 14 (SA: DH Groups 14,19,21 and 30,32 and 35)
      N(QSKE)

                       <--   HDR, SAr1,Nr,KEr         (DH Groups 14)

   HDR SK {IDi, [CERT,]
       [CERTREQ,] [IDr,] AUTH,
       SAi2, TSi, TSr}  -->

-------
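The QSKE payload layout and the responder-side check described in the message above, sketched as a receiver in Python. This is an added example, not code from the message or from the draft it amends; the 16-bit width of the two fragment fields, fragment numbering from 1, the 0x40 position of the F bit, and all function names and limits are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Field layout follows the QSKE diagram in the message. Assumed here: 16-bit
# fragment fields, numbering from 1, F is the bit after the Critical bit.
HDR = struct.Struct("!BBHHH")   # next payload, C|F|reserved, length, group, RESERVED
FRAG = struct.Struct("!HH")     # fragment number, total fragments
F_BIT = 0x40


class QSKEError(ValueError):
    """Any condition on which the receiver should drop the exchange."""


@dataclass(frozen=True)
class QSKE:
    group: int
    frag_no: Optional[int]      # None when the F bit is clear
    total: Optional[int]
    data: bytes


def build_qske(group: int, data: bytes, frag_no: Optional[int] = None,
               total: Optional[int] = None) -> bytes:
    """Encode one payload; used here only to construct sample input."""
    frag = b"" if frag_no is None else FRAG.pack(frag_no, total)
    flags = 0 if frag_no is None else F_BIT
    length = HDR.size + len(frag) + len(data)
    return HDR.pack(0, flags, length, group, 0) + frag + data


def parse_qske(buf: bytes) -> QSKE:
    """Decode exactly one payload and reject inconsistent lengths."""
    if len(buf) < HDR.size:
        raise QSKEError("truncated header")
    _next, flags, length, group, _reserved = HDR.unpack_from(buf)
    if length != len(buf):
        raise QSKEError("Payload Length does not match the bytes received")
    offset, frag_no, total = HDR.size, None, None
    if flags & F_BIT:
        if length < offset + FRAG.size:
            raise QSKEError("F bit set but fragment fields are missing")
        frag_no, total = FRAG.unpack_from(buf, offset)
        offset += FRAG.size
        if not 1 <= frag_no <= total:
            raise QSKEError("Fragment Number outside 1..Total Fragments")
    return QSKE(group, frag_no, total, buf[offset:])


def receive_qske_set(payloads: Iterable[bytes], selected: Set[int],
                     max_fragments: int = 64,
                     max_bytes: int = 1 << 20) -> Dict[int, bytes]:
    """Reassemble per group and require data for exactly the selected groups."""
    chains: Dict[int, Dict[int, bytes]] = {}
    totals: Dict[int, int] = {}
    buffered = 0
    for raw in payloads:
        p = parse_qske(raw)
        if p.group not in selected:
            raise QSKEError(f"group {p.group} was not selected")
        # An unfragmented payload is treated as fragment 1 of 1.
        frag_no, total = (1, 1) if p.frag_no is None else (p.frag_no, p.total)
        if total > max_fragments:
            raise QSKEError("announced fragment count exceeds local limit")
        if totals.setdefault(p.group, total) != total:
            raise QSKEError("Total Fragments changed within one chain")
        chain = chains.setdefault(p.group, {})
        if frag_no in chain:
            raise QSKEError("duplicate fragment")
        buffered += len(p.data)
        if buffered > max_bytes:
            raise QSKEError("reassembly buffer limit exceeded")
        chain[frag_no] = p.data
    result = {}
    for group in sorted(selected):
        chain = chains.get(group, {})
        if len(chain) != totals.get(group, -1):
            # Covers the stripped-group case: SA lists it, no QSKE arrived.
            raise QSKEError(f"group {group} missing or incomplete")
        result[group] = b"".join(chain[i] for i in range(1, len(chain) + 1))
    return result


def fragment(group: int, data: bytes, count: int) -> List[bytes]:
    """Split data into `count` QSKE fragments (sample-input helper)."""
    size = -(-len(data) // count)   # ceiling division
    return [build_qske(group, data[i * size:(i + 1) * size], i + 1, count)
            for i in range(count)]


# Constructed sample: groups 30 and 35 are the message's fictitious QSKE groups.
BLOB30, BLOB35 = bytes(range(90)), bytes(range(200, 80, -1))
SAMPLE = fragment(30, BLOB30, 3) + fragment(35, BLOB35, 4)

if __name__ == "__main__":
    got = receive_qske_set(reversed(SAMPLE), {30, 35})
    print({g: len(d) for g, d in got.items()})
```

The fragment-count and byte caps bound what an unfinished chain can make the receiver hold; the values used are placeholders.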


------=_NextPart_000_041C_01D30D3A.B29686F0
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 14 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Calibri","sans-serif";
	mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:#0563C1;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{mso-style-priority:34;
	mso-margin-top-alt:auto;
	margin-right:0cm;
	mso-margin-bottom-alt:auto;
	margin-left:0cm;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
span.EmailStyle18
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.apple-converted-space
	{mso-style-name:apple-converted-space;}
span.EmailStyle20
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#44546A;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:595.0pt 842.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=3Dwhite lang=3DRU =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Hi =
Graham,<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>few =
comments.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>It is not clear for me (and I =
raised this concern in Prague) why do you use QSKE as an =
additional<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Key Exchange mechanism instead =
of replacing DH KE with it? We=E2=80=99ve been being told by =
cryptographers<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US style=3D'font-size:14.0pt;color:#44546A'>that conventional =
public key cryptography won=E2=80=99t provide security in presence of =
QC, so why bother with it?<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Using QSKE as an additional Key =
Exchange complicates protocol exchange, increases messages =
size<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>and resource consumption =
and=C2=A0 also modifies generation of SKEYSEED, that makes it =
non-uniform.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>The only reason that comes to =
my mind is that you don=E2=80=99t fully trust QSKE. Are there any other =
reasons?<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>And as an additional point to =
the above concern =E2=80=93 why do you allow several QSKE methods to be =
used<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>in one exchange? The same set =
of problems =E2=80=93 protocol complexity, resource consumption, =
messages size.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>And I think if the IKE_SA_INIT =
messages grow too large with QSKE, then it=E2=80=99s better to =
develop<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>generic fragmentation mechanism =
for IKE_SA_INIT, rather than making it specific for =
fragmenting<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>QSKE blobs. Generic mechanism =
would allow to reuse it in case we=E2=80=99ll have to =
include<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>other large payloads in initial =
messages.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Regards,<o:p></o:p></span></p><p=
 class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Valery.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><div=
 style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div><div style=3D'border:none;border-top:solid #B5C4DF =
1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=3DMsoNormal><b><span =
lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-l=
anguage:RU'>From:</span></b><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-l=
anguage:RU'> IPsec [mailto:ipsec-bounces@ietf.org] <b>On Behalf Of =
</b>Graham Bartlett (grbartle)<br><b>Sent:</b> Thursday, August 03, 2017 =
2:57 PM<br><b>To:</b> ipsec@ietf.org<br><b>Subject:</b> [IPsec] Proposed =
method to achieve quantum resistant =
IKEv2<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
lang=3DEN-GB style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>Hi</span><span lang=3DEN-GB =
style=3D'color:black;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p=
 class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>After =
listening to the Prague meeting Dan Harkins raised the point that the =
Quantum Resistant IKEv2 implementation should protect passive attacks, =
where traffic that is sent and is captured today should be =
resilient to an adversary with a quantum computer in the future. But the =
Quantum Resistant IKEv2 does not have to protect against an adversary =
with a quantum computer in the future who can perform an active =
attack.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>Someone =
else (can=E2=80=99t remember who) suggested the quantum resistant =
=E2=80=98blob=E2=80=99 be sent in IKE_AUTH as it will be large and =
probably fragmentation. Obviously for this the natural choice is to use =
the IKEv2 Fragmentation mechanism defined in RFC7383.</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>A few =
weeks ago I developed a method to send the quantum resistant =
=E2=80=98blob=E2=80=99 in IKE_SA_INIT, this is to amend<span =
class=3Dapple-converted-space>&nbsp;</span><a =
href=3D"https://tools.ietf.org/html/draft-tjhai-ipsecme-hybrid-qske-ikev2=
-00"><span =
style=3D'color:#954F72'>https://tools.ietf.org/html/draft-tjhai-ipsecme-h=
ybrid-qske-ikev2-00</span></a>. After hearing the discussion described =
above I was going to park this idea and never speak of it again, however =
before I do this I=E2=80=99d like to share with the group for =
comments.<span class=3Dapple-converted-space>&nbsp;</span></span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>I =
personally feel this is an elegant and simple method to achieve sending =
one or more quantum resistant =E2=80=98blobs=E2=80=99. The main benefits =
being;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoListParagraph =
style=3D'mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin=
-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;font-variant-caps:=
 normal;orphans: auto;text-align:start;widows: =
auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: =
0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'>1.</span><span =
lang=3DEN-GB =
style=3D'font-size:7.0pt;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span=
 class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
IKE_AUTH exchange is protected using the quantum secure algorithms. So =
all attributes within the IKE exchange are protected against passive =
attacks, which wouldn=E2=80=99t be the case should the quantum resistant =
=E2=80=98blob=E2=80=99 be sent in IKE_AUTH.</span><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'><o:p></o:p></spa=
n></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoListParagraph =
style=3D'mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin=
-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;font-variant-caps:=
 normal;orphans: auto;text-align:start;widows: =
auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: =
0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'>2.</span><span =
lang=3DEN-GB =
style=3D'font-size:7.0pt;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span=
 class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>This =
allows for a quantum resistant authentication method to be introduced =
into IKE_AUTH in the future, therefore protecting against active attacks =
with a quantum computer should this occur.</span><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'><o:p></o:p></spa=
n></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoListParagraph =
style=3D'mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin=
-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;font-variant-caps:=
 normal;orphans: auto;text-align:start;widows: =
auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: =
0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'>3.</span><span =
lang=3DEN-GB =
style=3D'font-size:7.0pt;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span=
 class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>A =
simple method to fragment the quantum secure key exchange data in =
IKE_SA_INIT is included, however this is not mandatory. From personal =
experience I=E2=80=99ve seen a few cases where RFC 7383 fragmentation is =
required today, however the vast majority of customer implementations do =
not experience issues with IP fragments being denied and so do not =
require the functionality provided by RFC7383 (but for the cases where =
it=E2=80=99s needed, it=E2=80=99s a lifesaver).</span><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'><o:p></o:p></spa=
n></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoListParagraph =
style=3D'mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin=
-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;font-variant-caps:=
 normal;orphans: auto;text-align:start;widows: =
auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: =
0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'>4.</span><span =
lang=3DEN-GB =
style=3D'font-size:7.0pt;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span=
 class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
large quantum resistant =E2=80=98blob=E2=80=99 of data is only sent when =
it is known that the peer will accept this. This minimises delays when =
establishing IKEv2 SAs and minimises the risk of DoS (see point 7).<span =
class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'><o:p></o:p></spa=
n></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoListParagraph =
style=3D'mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin=
-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;font-variant-caps:=
 normal;orphans: auto;text-align:start;widows: =
auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: =
0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'>5.</span><span =
lang=3DEN-GB =
style=3D'font-size:7.0pt;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span=
 class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>Backwards compatibility is maintained, with minimal =
risk that the addition of a quantum resistant exchange could cause =
abnormal behaviour with devices that do not support the new attributes. =
The QSKE are advertised using a transform type 4 groups.</span><span =
lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'><o:p></o:p></spa=
n></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoListParagraph =
style=3D'mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin=
-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;font-variant-caps:=
 normal;orphans: auto;text-align:start;widows: =
auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: =
0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'>6.</span><span =
lang=3DEN-GB =
style=3D'font-size:7.0pt;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span=
 class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>This =
idea allows for algorithm agility, where multiple quantum resistant =
algorithms can be used in addition to a single classic DH (as per =
RFC7296). PQ algorithms with public data size larger than 65,536 octets =
are also supported.</span><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'><o:p></o:p></spa=
n></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoListParagraph =
style=3D'mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin=
-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;font-variant-caps:=
 normal;orphans: auto;text-align:start;widows: =
auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: =
0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'>7.</span><span =
lang=3DEN-GB =
style=3D'font-size:7.0pt;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span=
 class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>With =
regards to fragmentation attacks, the use of fragmentation in this idea =
has the same security as of RFC7383. Whereby an attacker that reveals =
her true IP address can send multiple fragments, but not the complex =
chain.</span><span lang=3DEN-GB =
style=3D'font-family:"Calibri","sans-serif";color:black'><o:p></o:p></spa=
n></p><p class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
following is the idea, any questions, please feel free to =
ask.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-GB style=3D'color:black'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>QSKE =
Notify</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>For =
devices that are operating in a mesh network, where many devices have =
multiple peers, where peers are using varying QSKE groups. In these =
instances the QSKE that is preferred by the Initiator might not be =
available or preferred on the Responder. To overcome scenarios where the =
Initiator will send a QSKE which is large in size and not supported by =
the Responder, (therefore wasting time and resource), the QSKE Notify =
payload can be used to query the responder to determine the supported =
security association attributes. The QSKE Notify payload is sent by the =
Initiator, which also excludes the QSKE payload (however a single KE =
payload should be included for backwards compatibility). If the =
Responder supports the QSKE notify payload it replies with the accepted =
security associations (which includes one classic DH group and &gt;=3D1 =
QSKE group, these are sent as groups within transform type 4. Most of =
the time, we will be using one PQ algorithm, rather than multiple. The =
Responder will also include the COOKIE notification, note the Responder =
does not send the KE or QSKE payload. The Initiator can now select the =
correct security association algorithms it intends to use, including the =
correct classic DH and QSKE and reply using the COOKIE.<span =
class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>Although the COOKIE does not provide protection =
against DoS attacks, whereby an attacker sends many fragments but does =
not complete the fragment chain, it does ensure that the attacker =
reveals their own IP address. Note that RFC 7383 is also prone to this =
attack which is described within the security =
considerations.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>Should =
an IKE gateway be under a fragmentation attack, dropping traffic from a =
peer that does not complete the fragment chain can be used as a simple =
protective mechanism to minimise the impact of future =
attacks.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>For =
implementations that do not support the use of the QSKE, the QSKE Notify =
payload will be ignored and the IKEv2 exchange will continue as per =
RFC7296. The QSKE Notify payload can be used to minimise inter-op issues =
with QSKE and non QSKE implementations.<span =
class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
QSKE Notify payload can be marked as critical for devices that mandate =
the use of QSKE to protect IKE.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>QSKE =
Notification Payload</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp; =
1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp; 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 =
8 9 0 1 2 3 4 5 6 7 8 9 0 1</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; =
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><=
span lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; | Next Payload&nbsp; |C|&nbsp; =
RESERVED&nbsp;&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Payload Length&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; =
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><=
span lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; |&nbsp; Protocol ID&nbsp; |&nbsp;&nbsp; =
SPI Size&nbsp;&nbsp;&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Notify =
Message Type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; =
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><=
span lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; =
|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp; |</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; =
~&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Notification =
Data&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
~</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; =
|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp; |</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; =
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><=
span lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>=E2=80=94=E2=80=94=E2=80=94=E2=80=94</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>A =
Quantum Safe Key Exchange Payload</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
quantum-safe key exchange payload, denoted QSKE in this document, is =
used to exchange a quantum-safe shared secret between two IKE =
peers.&nbsp; The QSKE payload consists of the IKE generic payload =
header, a two-octet value denoting the Quantum-Safe Group number, =
followed by the quantum-safe data itself.&nbsp;<span =
class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
Fragment bit, denoted F (below), specifies if the QSKE is fragmented. If =
this is set to '1', meaning the QSKE is fragmented, the Fragment Number =
and Total Fragments fields will be populated. If the Fragment bit is not =
set (set to '0'), then the Fragment Number and Total Fragments fields =
will not exist. The Fragment Number is used should the Quantum-Safe Data =
be too large to fit within a single payload. The Fragment Number is the =
first fragment, increasing by one for every other fragment that is sent. =
The Total Fragments field denotes the maximum number of fragments that =
contain the Quantum-Safe Data.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
QSKE is nearly identical to the KE payload, however the Fragment bit =
identifies if the receiver should handle this in a different manner to =
the KE payload. The KE and QSKE are negotiated/advertised using the =
transform type 4 (Diffie Hellman groups).&nbsp; Including the QSKE in =
the same transform type 4 as classic DH allows for minimal configuration =
changes for current implementations when configuring both DH and QSKE =
Groups.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp; =
1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 1 2 3 4 5 6 7 8 =
9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><=
span lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Next Payload&nbsp; =
|C|F| Reserved&nbsp; |&nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Payload Length =
&nbsp;&nbsp;&nbsp; |</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><=
span lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |&nbsp;&nbsp;&nbsp; =
Quantum-Safe Group Num&nbsp;&nbsp;&nbsp;&nbsp; =
|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
RESERVED&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
; |</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><=
span lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
~&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Fragment =
Number&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | =
&nbsp;&nbsp;&nbsp; Total Fragments&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
~</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><=
span lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp; |</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
~&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Quantum-Safe =
Data&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
~</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;|</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</span><=
span lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
size of the Quantum-Safe Data can be the total fragments * payload =
length =3D ~ 4GB, which seems sufficient for the size of the QSKE =
payloads discussed so far.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The use =
of the Fragmentation bit is not mandatory. Implementations can attempt =
to send the IKE_SA_INIT payload containing the QSKE payload without =
fragmentation at the IKE layer, opting for fragmentation at the IP layer =
instead. Implementations can initially exclude the use of =
fragmentation in the QSKE payload, however if connectivity fails when =
not using fragmentation of the QSKE, it is assumed that that traffic has =
been denied due to fragmentation at the IP layer and fragmentation of =
the QSKE should be used instead.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>=E2=80=94=E2=80=94</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>In the =
following example the Initiator will propose DH Groups 14,19,21 and =
30,32 and 35 (fictitious QSKE groups). The Initiator sends the N(QSKE), =
which informs the responder to choose &gt;=3D1 QSKE groups along with a =
classic DH group.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
responder will return the N(QSKE) payload, indicating it supports the =
QSKE, the security association includes DH Groups 14, 30 and 35 which =
informs the initiator of the QSKE groups it selects to use.</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
Initiator then sends the QSKE's and KE for the groups it wishes to use, =
plus the identical security associations as was sent in the first =
exchange (to mitigate downgrade attacks). Note: The Responder should =
check that the received QSKE's in the security association match with =
its preferred secure QSKE's. This is to mitigate the following attack: =
the Initiator sends an SA that contains a certain QSKE in the security =
association; the Responder responds, but an attacker modifies this =
response to remove the said QSKE. The Initiator then performs the =
IKE_SA_INIT excluding the =
QSKE that was removed by the attacker,&nbsp; in the QSKE (but it's =
included in the security associations). Hence if the responder verifies =
that the received QSKE match the received security associations, it will =
mitigate this attack.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp; =
Initiator&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Responder</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; =
-----------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----------</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR, SAi1, Ni,KEi &nbsp;&nbsp; =
--&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (DH Groups 14,19,21 =
and 30,32 and 35)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N(QSKE)</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp; &lt;--&nbsp;&nbsp; HDR, SAr1, =
N(COOKIE),[N(QSKE)]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (DH Groups 14, =
30 and 35)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR, N(COOKIE), =
SAi1,&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
(SA contains DH Groups 14,19,21 and 30,32 and 35)</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp; KEi, Ni, QSKEi-1/3&nbsp; =
--&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (KE is Group 14, =
QSKE1 is Group 30, fragment 1 of 3)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR, QSKEi-2/3&nbsp; =
&nbsp;&nbsp;&nbsp;&nbsp; =
--&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (QSKE1 is Group 30, =
fragment 2 of 3)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR, QSKEi-3/3&nbsp; =
&nbsp;&nbsp;&nbsp;&nbsp; =
--&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (QSKE1 is Group 30, =
fragment 3 of 3)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR, QSKEi2-1/4&nbsp; &nbsp;&nbsp;&nbsp; =
--&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (QSKE2 is Group 35, =
fragment 1 of 4)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR, QSKEi2-2/4&nbsp; &nbsp;&nbsp;&nbsp; =
--&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (QSKE2 is Group 35, =
fragment 2 of 4)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR, QSKEi2-3/4&nbsp; &nbsp;&nbsp;&nbsp; =
--&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (QSKE2 is Group 35, =
fragment 3 of 4)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR, QSKEi2-4/4&nbsp; &nbsp;&nbsp;&nbsp; =
--&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (QSKE2 is Group 35, =
fragment 4 of 4)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;--&nbsp; HDR, SAr1, =
Nr, KEr, =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp; (KE is Group 14, QSKE1 is Group 30, fragment 1 =
of 3)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp; QSKEi-1/3</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;--&nbsp; =
HDR,QSKEi-2/3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp; (QSKE1 is Group 30, fragment 2 of 3)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;--&nbsp; =
HDR,QSKEi-3/3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp; (QSKE1 is Group 30, fragment 3 of 3)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;--&nbsp; =
HDR,QSKEi2-1/4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 (QSKE2 is Group 35, fragment 1 of 4)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;--&nbsp; =
HDR,QSKEi2-2/4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 (QSKE2 is Group 35, fragment 2 of 4)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;--&nbsp; =
HDR,QSKEi2-3/4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 (QSKE2 is Group 35, fragment 3 of 4)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;--&nbsp; =
HDR,QSKEi2-4/4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 (QSKE2 is Group 35, fragment 4 of 4)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>As =
three groups were used, the keymat is generated with the combination of =
the output from the three public values.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>KEYMAT =
=3D prf+(SK_d, QSSS2 (Group 35) | QSS1 (Group 30) | g^ir (Group 14) | Ni =
| Nr)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR SK {IDi, [CERT,]</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [CERTREQ,] [IDr,] =
AUTH,</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SAi2, TSi, =
TSr}&nbsp; --&gt;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>=E2=80=94=E2=80=94=E2=80=94=E2=80=94</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>In the =
following, the Initiator will propose DH Groups 14,19,21 and 30,32 and =
35 (fictitious QSKE groups). The Initiator sends N(QSKE), which tells =
the responder to choose a DH group and &gt;=3D1 QSKE =
groups.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
Responder in this case does not support QSKE and, assuming the N(QSKE) =
was non-critical, will ignore this Notify Payload.</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>The =
exchange will continue as per RFC7296.</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp; =
Initiator&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Responder</span><span =
lang=3DEN-GB style=3D'color:black'><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; =
-----------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----------</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp; HDR, SAi1, Ni,KEi &nbsp;&nbsp; =
--&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp; KE=3DGroup 14 (SA: DH Groups 14,19,21 and 30,32 and =
35)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
N(QSKE)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3Dapple-converted-space>&nbsp;</span></span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp; &lt;--&nbsp;&nbsp; HDR, =
SAr1,Nr,KEr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (DH Groups =
14)</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;</span><span lang=3DEN-GB =
style=3D'color:black'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'font-variant-caps: normal;orphans: =
auto;text-align:start;widows: auto;-webkit-text-size-adjust: =
auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier New";color:black'>&nbsp; =
HDR SK {IDi, [CERT,]</span></p><p class=3DMsoNormal><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [CERTREQ,] [IDr,] =
AUTH,</span></p><p class=3DMsoNormal><span lang=3DEN-GB =
style=3D'font-size:11.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SAi2, TSi, =
TSr}&nbsp; --&gt;</span></p></div></div></body=
></html>
------=_NextPart_000_041C_01D30D3A.B29686F0--


From nobody Fri Aug  4 06:40:59 2017
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44831132199 for <ipsec@ietfa.amsl.com>; Fri,  4 Aug 2017 06:40:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level: 
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pJdi7viDncYR for <ipsec@ietfa.amsl.com>; Fri,  4 Aug 2017 06:40:53 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1DA713218D for <ipsec@ietf.org>; Fri,  4 Aug 2017 06:40:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=157074; q=dns/txt; s=iport; t=1501854052; x=1503063652; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=be2q0wvDOdD5dizL8NHLknhM2Q5K4W3Jh69nwRPQGqU=; b=TT6FLFBTcB+2W6lAmLoh+660a6jjV6ks354B7nePiMbi6DEh4hcKQmwS I4kdKeXeoAuwZDkBbE8RbYBM9opKmTvtgzAD/nt72ibsnmNBuZO0RBuLw Ii0eklf2kfyBM/vTfN4/dqVG1zsvS0hFrO1Zff9K5iFaK6d5GNC2UHmvp M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DTAAAfeIRZ/4UNJK1cGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBgm8+LWRtJweOCJAHgW6WFQ6CBCyFGwIahC0/GAECAQEBAQEBAWs?= =?us-ascii?q?ohRgBAQEBAxoJBAZMEAIBBgIOAwQBASEBBgMCAgIwFAkIAgQBDQUIF4ksZBCQY?= =?us-ascii?q?Z1kgWw6J4sZAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWDJASCAoFMgWODJ4RbLx+?= =?us-ascii?q?CXYJhBYljCohnhRmIGAKHUYxTghiFWIpilgEBHzg/S3cVhWAcgWd2iFmBDwEBA?= =?us-ascii?q?Q?=
X-IronPort-AV: E=Sophos;i="5.41,321,1498521600";  d="scan'208,217";a="276801423"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 04 Aug 2017 13:40:51 +0000
Received: from XCH-RTP-007.cisco.com (xch-rtp-007.cisco.com [64.101.220.147]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id v74Deo31025977 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 4 Aug 2017 13:40:50 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-007.cisco.com (64.101.220.147) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 4 Aug 2017 09:40:49 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1210.000; Fri, 4 Aug 2017 09:40:49 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Valery Smyslov <svanru@gmail.com>, "Graham Bartlett (grbartle)" <grbartle@cisco.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJ0bYcA//+9LLA=
Date: Fri, 4 Aug 2017 13:40:49 +0000
Message-ID: <74a8ea26371c4781b83078516ac502b7@XCH-RTP-006.cisco.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com>
In-Reply-To: <041b01d30d21$8d33f230$a79bd690$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: multipart/alternative; boundary="_000_74a8ea26371c4781b83078516ac502b7XCHRTP006ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IwfRVRiS4p26F2sDA5TdsQplZCA>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 13:40:57 -0000

--_000_74a8ea26371c4781b83078516ac502b7XCHRTP006ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_74a8ea26371c4781b83078516ac502b7XCHRTP006ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_74a8ea26371c4781b83078516ac502b7XCHRTP006ciscocom_--


From nobody Fri Aug  4 16:37:17 2017
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB65E129AF6 for <ipsec@ietfa.amsl.com>; Fri,  4 Aug 2017 16:37:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eaj0d_6f6yv3 for <ipsec@ietfa.amsl.com>; Fri,  4 Aug 2017 16:37:14 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A13D1129AD1 for <ipsec@ietf.org>; Fri,  4 Aug 2017 16:37:14 -0700 (PDT)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [131.188.34.77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 2DB8958C4AF for <ipsec@ietf.org>; Sat,  5 Aug 2017 01:37:11 +0200 (CEST)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id 09E2BB0C7BB; Sat,  5 Aug 2017 01:37:10 +0200 (CEST)
Date: Sat, 5 Aug 2017 01:37:10 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: ipsec@ietf.org
Message-ID: <20170804233710.GV3889@faui40p.informatik.uni-erlangen.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RLli8s5GFFdFg17XdgJZjak6k0Y>
Subject: [IPsec] Multi-access interfaces (with IPsec)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 23:37:16 -0000

I want to describe (in some draft) the use of a virtual multi-access
interface that is mapped to multiple p2p associations (eg: IPsec).
Which I think is a pretty standard option in industry implementations, eg:
in hub routers for hub & spoke deployments.

Is there any good RFC reference that explains how this works, eg:
replicate ll-multicast to all p2p associations, learn peer addresses
from received packets or specific IPv6 signaling packets, use that
to send unicast into right p2p association, etc. pp.

I could not find a good reference RFC for this ;-(

Thanks!
    Toerless


From nobody Sat Aug  5 14:29:35 2017
Return-Path: <CJT@post-quantum.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07926120720 for <ipsec@ietfa.amsl.com>; Sat,  5 Aug 2017 14:29:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U1Ec7Tp_3lPs for <ipsec@ietfa.amsl.com>; Sat,  5 Aug 2017 14:29:27 -0700 (PDT)
Received: from relay.ezis.com (relay.ezis.com [5.153.73.19]) by ietfa.amsl.com (Postfix) with ESMTP id F1B5A12700F for <ipsec@ietf.org>; Sat,  5 Aug 2017 14:29:25 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.41,328,1498518000";  d="scan'208";a="2191513"
Received: from unknown (HELO pqex01.post-quantum.com) ([192.168.142.3]) by ironport.ezis.com with ESMTP; 05 Aug 2017 22:29:25 +0100
Received: from PQEX02.post-quantum.com (192.168.142.18) by PQEX01.post-quantum.com (192.168.142.3) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sat, 5 Aug 2017 22:29:22 +0100
Received: from PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3]) by PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3%13]) with mapi id 15.00.1320.000; Sat, 5 Aug 2017 22:29:22 +0100
From: Cen Jung Tjhai <CJT@post-quantum.com>
To: Paul Wouters <paul@nohats.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJyu5KAgAOD6bc=
Date: Sat, 5 Aug 2017 21:29:22 +0000
Message-ID: <1501968563280.70665@post-quantum.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>, <alpine.LRH.2.21.1708031149180.11277@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708031149180.11277@bofh.nohats.ca>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [90.200.167.13]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/yCVWn6r4UIiVPLcmnfGLeohYCt0>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Aug 2017 21:29:33 -0000

Hi Paul,

>>> 4.      The large quantum resistant ‘blob’ of data is only sent when it is known that the peer will accept this.

>>I don't understand this? You mean known by preconfiguration? That would
>>make migration really difficult and introduce a flag day. It would also
>>not be true for Opportunistic IPsec, where there is no preconfiguration
>>between peers.

It's not pre-configuration, but negotiated via a notify payload (QSKE
Notify) that is sent in IKE_SA_INIT.

>>> 7.      With regards to fragmentation attacks, the use of fragmentation in this idea has the same security as of
>>> RFC7383. Whereby an attacker that reveals her true IP address can send multiple fragments, but not the
>>> complex chain.

>>I'm not sure how that can be, if it is the IKE_INIT that is getting
>>fragmented.

It's not the entire IKE_SA_INIT message that is fragmented. The
fragmentation only applies to post-quantum public data, where almost all
of them have payload size larger than 1KB. Furthermore, there is a known
type of post-quantum algorithm whose payload size is larger than 64KB and
there could be more in the future. We think by fragmenting the payload in
this way, it is possible to support this kind of algorithm.

>>> For devices that are operating in a mesh network, where many devices have multiple peers, where peers are using
>>> varying QSKE groups. In these instances the QSKE that is preferred by the Initiator might not be available or
>>> preferred on the Responder. To overcome scenarios where the Initiator will send a QSKE which is large in size and not
>>> supported by the Responder, (therefore wasting time and resource), the QSKE Notify payload can be used to query the
>>> responder to determine the supported security association attributes. The QSKE Notify payload is sent by the
>>> Initiator, which also excludes the QSKE payload (however a single KE payload should be included for backwards
>>> compatibility). If the Responder supports the QSKE notify payload it replies with the accepted security associations

>>Isn't this all unsafe against downgrade attacks?

If a peer declares support of post-quantum algorithm with QSKE Notify
payload, but not sending the post-quantum blob, the other peer shall
reject the connection. On the other hand, for backward compatibility, it
is up to the initiator to set the fallback policy; does it allow standard
SAs or only post-quantum SAs are supported.

>>> For implementations that do not support the use of the QSKE, the QSKE Notify payload will be ignored and the IKEv2
>>> exchange will continue as per RFC7296.

>>What prevents an attacker from stripping out the QSKE Notify payload in
>>the IKE_INIT request?

If QSKE Notify payload is stripped, the peers won't be able to negotiate
post-quantum algorithm for key-exchange, hence it depends on the
configured fallback policy.

>>> The QSKE is nearly identical to the KE payload, however the Fragment bit identifies if the receiver should handle
>>> this in a different manner to the KE payload. The KE and QSKE are negotiated/advertised using the transform type 4
>>> (Diffie Hellman groups).  By including the QSKE in the same transform type 4 as classic DH allows for minimal
>>> configuration changes for current implementations when configuring both DH and QSKE Groups.

>>Can this not be abused for an amplification attack by sending a really
>>small QSKE payload and causing the responder to send back a large QSKE
>>payload in multiple fragments?

In general, QSKE payloads sent by the initiator and responder are pretty
much of equal size. It is possible for a malicious initiator to send a
small QSKE payload and expecting the responder to return large multiple
fragments QSKE payload. In order to combat this, the responder could
employ existing mechanisms to minimise the impact of this attack, for
example using COOKIE or for more sophisticated attacks, RFC8019.


>>Why would the responder reply to two group suggestions with QSKE payloads?
>>Normally in IKEv2, the initiator sends a list of proposals/options, and
>>the responder picks one from it.

In order to support "crypto-agility", which allows peers to have
flexibility in selecting cipher suites. In this way, peers are able to
select a DH combined with multiple post-quantum algorithms. We are not
sure how important this feature is, but it would be a great idea to get
opinions from the group.

>>> As three groups were used, the keymat is generated with the combination of the output from the three public values.

>>How did the initiator signal support for all groups _and_ support for
>>combining them? What is gained by combining multiple groups?

The signalling is done via QSKE Notify. I appreciate that we have not yet
described how this works in the text.

Best regards,
CJ
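
Paul's question above, what stops an attacker stripping the QSKE Notify from the IKE_SA_INIT request, can be checked against the RFC 7296 AUTH computation, which covers the initiator's whole first message. The Python below is an added example, not code from the thread or the draft; the notify type number 40960, the choice of shared-key authentication with HMAC-SHA256 as the prf, and all keys and payload bytes are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Payload type numbers are from RFC 7296. The notify type is an assumption:
# the thread assigns no number, so a private-use status value stands in.
SA, KE, NONCE, NOTIFY = 33, 34, 40, 41
QSKE_NOTIFY = 40960  # hypothetical value


def build_message(spi_i, payloads):
    """Serialise an IKE_SA_INIT request from (payload type, body) pairs."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    # SPIi | SPIr=0 | next payload | v2.0 | IKE_SA_INIT | I flag | msg ID | len
    return spi_i + bytes(8) + struct.pack(
        "!BBBBII", first, 0x20, 34, 0x08, 0, 28 + len(chain)) + chain


def parse_message(msg):
    """Return (SPIi, [(payload type, body), ...]), rejecting bad lengths."""
    if len(msg) < 28 or struct.unpack("!I", msg[24:28])[0] != len(msg):
        raise ValueError("IKE header length does not match the datagram")
    payloads, ptype, off = [], msg[16], 28
    while ptype != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _flags, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("payload length runs past the message")
        payloads.append((ptype, msg[off + 4:off + plen]))
        ptype, off = nxt, off + plen
    return msg[:8], payloads


def notify_types(msg):
    """Notify message types present in a message."""
    return [struct.unpack("!H", body[2:4])[0]
            for ptype, body in parse_message(msg)[1]
            if ptype == NOTIFY and len(body) >= 4]


def without_notify(msg, notify_type):
    """Model the in-path change asked about: the same request minus one Notify."""
    spi_i, payloads = parse_message(msg)
    kept = [(t, b) for t, b in payloads
            if not (t == NOTIFY and len(b) >= 4
                    and struct.unpack("!H", b[2:4])[0] == notify_type)]
    return build_message(spi_i, kept)


def prf(key, data):
    """prf for this example: HMAC-SHA256 (an assumed negotiation result)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth_initiator(psk, message1, nonce_r, sk_pi, id_i_body):
    """RFC 7296 section 2.15, shared-key method:
    AUTH = prf(prf(secret, "Key Pad for IKEv2"), RealMessage1 | Nr | prf(SK_pi, IDi'))
    """
    signed_octets = message1 + nonce_r + prf(sk_pi, id_i_body)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)


def run_exchange(tamper):
    """Initiator signs what it sent; responder checks against what it received.

    SK_pi is a constructed constant: the modification leaves KE and nonces
    alone, so both peers would derive the same value.
    """
    psk, sk_pi = b"constructed shared secret", bytes(range(32))
    nonce_i, nonce_r = b"\x11" * 32, b"\x22" * 32
    id_i = b"\x02\x00\x00\x00initiator.example.net"  # ID_FQDN, constructed
    sent = build_message(b"\xA1" * 8, [
        (SA, b"constructed SA proposal bytes"),
        (KE, struct.pack("!HH", 19, 0) + b"\x33" * 64),  # group 19, dummy key
        (NONCE, nonce_i),
        (NOTIFY, struct.pack("!BBH", 0, 0, QSKE_NOTIFY)),
    ])
    received = without_notify(sent, QSKE_NOTIFY) if tamper else sent
    auth = psk_auth_initiator(psk, sent, nonce_r, sk_pi, id_i)
    expected = psk_auth_initiator(psk, received, nonce_r, sk_pi, id_i)
    return {
        "responder_saw_qske_notify": QSKE_NOTIFY in notify_types(received),
        "auth_verifies": hmac.compare_digest(auth, expected),
    }


if __name__ == "__main__":
    print("untouched:", run_exchange(tamper=False))
    print("stripped: ", run_exchange(tamper=True))
```

The mismatch only surfaces in IKE_AUTH, so whether the initiator continues at all when no QSKE support is signalled back remains the fallback-policy decision described in the reply above.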


From nobody Sat Aug  5 14:29:44 2017
Return-Path: <CJT@post-quantum.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F53C120720 for <ipsec@ietfa.amsl.com>; Sat,  5 Aug 2017 14:29:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LcWDmqmmVGi4 for <ipsec@ietfa.amsl.com>; Sat,  5 Aug 2017 14:29:33 -0700 (PDT)
Received: from relay.ezis.com (relay.ezis.com [5.153.73.19]) by ietfa.amsl.com (Postfix) with ESMTP id B8DEA1200F3 for <ipsec@ietf.org>; Sat,  5 Aug 2017 14:29:30 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.41,328,1498518000";  d="scan'208";a="2191515"
Received: from unknown (HELO pqex01.post-quantum.com) ([192.168.142.3]) by ironport.ezis.com with ESMTP; 05 Aug 2017 22:29:30 +0100
Received: from PQEX02.post-quantum.com (192.168.142.18) by PQEX01.post-quantum.com (192.168.142.3) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sat, 5 Aug 2017 22:29:28 +0100
Received: from PQEX02.post-quantum.com (192.168.142.18) by PQEX02.post-quantum.com (192.168.142.18) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Sat, 5 Aug 2017 22:29:26 +0100
Received: from PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3]) by PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3%13]) with mapi id 15.00.1320.000; Sat, 5 Aug 2017 22:29:26 +0100
From: Cen Jung Tjhai <CJT@post-quantum.com>
To: Valery Smyslov <svanru@gmail.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJ0GbUAgAIwNdU=
Date: Sat, 5 Aug 2017 21:29:26 +0000
Message-ID: <1501968567726.89885@post-quantum.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>, <041b01d30d21$8d33f230$a79bd690$@gmail.com>
In-Reply-To: <041b01d30d21$8d33f230$a79bd690$@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [90.200.167.13]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ou75w12_RaI-aYtHeVVA0AaxoOM>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Aug 2017 21:29:34 -0000

Hi Valery,

>>And I think if the IKE_SA_INIT messages grow too large with QSKE, then it’s better to develop
>>generic fragmentation mechanism for IKE_SA_INIT, rather than making it specific for fragmenting
>>QSKE blobs. Generic mechanism would allow to reuse it in case we’ll have to include
>>other large payloads in initial messages.

Yes, while a generic mechanism would allow it to be reused, it sounds like
a different draft all together. It could result in a very complex change
in the protocol. Furthermore, we would like to support QSKE blob that is
larger than 64KB in size, hence we fragment it in that way.

Best regards,
CJ


From nobody Sun Aug  6 10:59:05 2017
Return-Path: <grbartle@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DF97131CEB for <ipsec@ietfa.amsl.com>; Sun,  6 Aug 2017 10:59:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Level: 
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id at_KIQpdO1AO for <ipsec@ietfa.amsl.com>; Sun,  6 Aug 2017 10:59:01 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11D8E132029 for <ipsec@ietf.org>; Sun,  6 Aug 2017 10:59:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15092; q=dns/txt; s=iport; t=1502042341; x=1503251941; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=qtYFbrKO+LzBCz4ozMMRGpP3Cs+dW2YcGoniVm8aSFA=; b=JA7P16hX02GdiDYF6D/4s3s/Kq+9qqAE4K6yuTh2tbasBW/roGEkX+e5 szNniUgQHh9/rB1XomawZrrrBm+zntVaLHB6Vd6WGdV+/NEwwHwA2/cPL UoUlX1vlDcA01zheJselI4foEKXU/jtIqPZe5WScyz+GgGAGgMknsH5Nb g=;
X-Files: smime.p7s : 4557
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CYAQCKWIdZ/5NdJa1cGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBg1pkbScHgyyKXJAHgW6WFQ6CBAcaC4IDgxgCI4QoPxgBAgEBAQE?= =?us-ascii?q?BAQFrKIUZAQEBAgEBAQoXMRgCCxACAQYCQgICAiULJQIEAQ0FDooZCBCPdZ1kg?= =?us-ascii?q?iaLRgEBAQEBAQEBAQEBAQEBAQEBAQEBAQ4KBYMkBIELd4FMgWMrgXCBDIRbL4J?= =?us-ascii?q?8MIIxBZdziBwChC+CIYRRiRCSTJYHAR84P0t3FUkSAYUEHIFndogPgQ8BAQE?=
X-IronPort-AV: E=Sophos;i="5.41,333,1498521600";  d="p7s'?scan'208";a="467530302"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Aug 2017 17:58:57 +0000
Received: from XCH-RCD-007.cisco.com (xch-rcd-007.cisco.com [173.37.102.17]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id v76Hwv3u006823 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sun, 6 Aug 2017 17:58:57 GMT
Received: from xch-aln-007.cisco.com (173.36.7.17) by XCH-RCD-007.cisco.com (173.37.102.17) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sun, 6 Aug 2017 12:58:56 -0500
Received: from xch-aln-007.cisco.com ([173.36.7.17]) by XCH-ALN-007.cisco.com ([173.36.7.17]) with mapi id 15.00.1210.000; Sun, 6 Aug 2017 12:58:56 -0500
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Cen Jung Tjhai <CJT@post-quantum.com>, Paul Wouters <paul@nohats.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJzICeAgAN+2QCAAOIygA==
Date: Sun, 6 Aug 2017 17:58:56 +0000
Message-ID: <AB5681E7-07E8-450A-AE76-A380A3413569@cisco.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <alpine.LRH.2.21.1708031149180.11277@bofh.nohats.ca> <1501968563280.70665@post-quantum.com>
In-Reply-To: <1501968563280.70665@post-quantum.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.50.131]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3584861937_346587646"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/7gW5mCWPtH1QgJR5-YdHllYD_ss>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Aug 2017 17:59:04 -0000

--B_3584861937_346587646
Content-type: text/plain;
	charset="UTF-8"
Content-transfer-encoding: quoted-printable

Hi

Sorry for the late reply. I=E2=80=99ve replied to where I feel I could add some m=
ore context to CJ=E2=80=99s reply.

GB>inline

On 05/08/2017, 14:29, "IPsec on behalf of Cen Jung Tjhai" <ipsec-bounces@ie=
tf.org on behalf of CJT@post-quantum.com> wrote:

    Hi Paul,
   =20
    >>> 4.      The large quantum resistant =E2=80=98blob=E2=80=99 of data is only sent=
 when it is known that the peer will accept this.
   =20
    >>I don't understand this? You mean known by preconfiguration? That wou=
ld
    >>make migration really difficult and introduce a flag day. It would al=
so
    >>not be true for Opportunistic IPsec, where there is no preconfigurati=
on
    >>between peers.
   =20
    It's not pre-configuration, but negotiated via a notify payload (QSKE N=
otify) that is sent in IKE_SA_INIT.

GB> So the QSKE Notify basically tells the peer =E2=80=98I=E2=80=99ve got some PQ algor=
ithms that are probably going to be large and these could be used=E2=80=99. I was =
chatting to Frederic Detienne last night who did raise the point that we did=
n=E2=80=99t have to use the QSKE Notify, we could just act on the fact that if we =
receive a IKE_SA_INIT with certain (QCR) groups in transform type 4 that are=
 known to be large, we would naturally fragment these when they are sent in =
the next round.

  =20

    >>> 7.      With regards to fragmentation attacks, the use of fragmenta=
tion in this idea has the same security as of
    >>> RFC7383. Whereby an attacker that reveals her true IP address can s=
end multiple fragments, but not the >>>complex chain.
   =20
    >>I'm not sure how that can be, if it is the IKE_INIT that is getting
    >>fragmented.
   =20
    It's not entire IKE_SA_INIT message that is fragmented. The fragmentati=
on only applies to post-quantum public data, where almost all of them has pa=
yload size larger than 1KB. Furthermore, there is a known type of post-quant=
um algorithm whose payload size is larger than 64KB and there could be more =
in the future. We think by fragmenting the payload in this way, it is possib=
le to support this kind of algorithm.
   =20
GB> in RFC7383 an attack is described that can exhaust the receivers resour=
ce, where the attacker reveals their IP address;


The following attack is possible with IKE fragmentation.  An attacker

   can initiate an IKE_SA_INIT exchange, complete it, compute SK_a and

   SK_e, and then send a large but still incomplete set of IKE_AUTH

   fragments.  These fragments will pass the ICV check and will be

   stored in reassembly buffers, but since the set is incomplete, the

   reassembling will never succeed and eventually will time out.  If the

   set is large, this attack could potentially exhaust the receiver's

   memory resources.

To perform the same attack, as the quantum resistant =E2=80=98blob=E2=80=99 of data is =
sent after a negotiation, an attacker would need to reveal their IP address =
(they can not just perform a blond spoofing attack where they spoof another =
IP address).=20


    >>> For devices that are operating in a mesh network, where many device=
s have multiple peers, where peers are using
    >>> varying QSKE groups. In these instances the QSKE that is preferred =
by the Initiator might not be available or
    >>> preferred on the Responder. To overcome scenarios where the Initiat=
or will send a QSKE which is large in size and not
    >>> supported by the Responder, (therefore wasting time and resource), =
the QSKE Notify payload can be used to query the
    >>> responder to determine the supported security association attribute=
s. The QSKE Notify payload is sent by the
    >>> Initiator, which also excludes the QSKE payload (however a single K=
E payload should be included for backwards
    >>> compatibility). If the Responder supports the QSKE notify payload i=
t replies with the accepted security associations
   =20
    >>Isn't this all unsafe against downgrade attacks?
   =20
    If a peer declares support of post-quantum algorithm with QSKE Notify p=
ayload, but not sending the post-quantum blob, the other peer shall reject t=
he connection. On the other hand, for backward compatibility, it is up to th=
e initiator to set the fallback policy; does it allow standard SAs or only p=
ost-quantum SAs are supported.=20

    >>> For implementations that do not support the use of the QSKE, the QS=
KE Notify payload will be ignored and the IKEv2
    >>> exchange will continue as per RFC7296.
   =20
    >>What prevents an attacker from stripping out the QSKE Notify payload =
in
    >>the IKE_INIT request?
   =20
    If QSKE Notify payload is stripped, the peers won't be able to negotiat=
e post-quantum algorithm for key-exchange, hence it depends on the configure=
d fallback policy.

GB> If an attacker removed the QSKE Notify inline, the exchange would occur=
 as per RFC7296. As we include the RestOfMessage1 in the authentication mate=
rial check, this would not tally on both peers and authentication would fail=
.=20

    >>> The QSKE is nearly identical to the KE payload, however the Fragment bit identifies if the receiver should handle
    >>> this in a different manner to the KE payload. The KE and QSKE are negotiated/advertised using the transform type 4
    >>> (Diffie Hellman groups).  By including the QSKE in the same transform type 4 as classic DH allows for minimal
    >>> configuration changes for current implementations when configuring both DH and QSKE Groups.

    >>Can this not be abused for an amplification attack by sending a really
    >>small QSKE payload and causing the responder to send back a large QSKE
    >>payload in multiple fragments?

    In general, QSKE payloads sent by the initiator and responder are pretty much of equal size. It is possible for a malicious initiator to send a small QSKE payload and expecting the responder to return large multiple fragments QSKE payload. In order to combat, the responder could employ existing mechanisms to minimise the impact of this attack, for example using COOKIE or for more sophisticated attacks, RFC8019.

GB> That’s a great point and yes you’re right, I guess this could happen (but the attacker would reveal their IP address, which could then be blocked). However I would assume that for these quantum resistant ‘blobs’ there’s a check to ensure that the data is valid or structured. Something like RFC6989 but for the algorithms that are used by the quantum resistant ‘blobs’.

    >>Why would the responder reply to two group suggestions with QSKE payloads?
    >>Normally in IKEv2, the initiator sends a list of proposals/options, and
    >>the responder picks one from it.

    In order to support "crypto-agility", which allows peers to have flexibility in selecting cipher suites. In this way, peers are able to select a DH combined with multiple post-quantum algorithms. We are not sure how important this feature is, but it would be a great idea to get opinions from the group.

    >>> As three groups were used, the keymat is generated with the combination of the output from the three public values.

    >>How did the initiator signal support for all groups _and_ support for
    >>combining them? What is gained by combining multiple groups?

    The signalling is done via QSKE notify. I appreciate that we have not yet described how this works in the text.

GB> I know Scott Fluhrer also thought about this. For simplicity I suggested that if Quantum Resistant groups are used we naturally allow the Responder to decide how many of the QCR algorithms it wishes to use. I personally think that signalling the use of certain groups of groups could get messy (unless someone develops a simple method to achieve this, which I haven’t seen so far). I personally really like the simplicity of the method that IKEv2 negotiates the transforms to use (just pick one of the following) and for the QC groups we could just extend this to ‘just pick >1 of the following..’.

    Best regards,
    CJ

--B_3584861937_346587646--
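
Added example (not part of the thread or of the draft under discussion): GB's reply above argues that removing the QSKE Notify from the first message in transit makes authentication fail, because message 1 is covered by the AUTH computation. The code below shows this with the RFC 7296 shared-secret AUTH formula, using HMAC-SHA256 as the prf; the notify type value, SPI, keys, nonces and identity are constructed placeholders, and the constructed message carries only KE, Nonce and Notify payloads.

```python
import hashlib
import hmac
import struct

# Payload and exchange type numbers from RFC 7296.
PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 34, 40, 41
EXCHANGE_IKE_SA_INIT = 34
# Placeholder: the thread gives no number for the QSKE notify type, so this
# uses the first value of the private-use status range (40960-65535).
QSKE_NOTIFY_TYPE = 40960


def build_message(spi_i, payloads):
    """Build an IKE_SA_INIT request from a list of (payload type, body)."""
    types = [t for t, _ in payloads] + [0]          # 0 = no next payload
    chain = b""
    for i, (_, body) in enumerate(payloads):
        # Generic payload header: next payload, flags, total length.
        chain += struct.pack("!BBH", types[i + 1], 0, 4 + len(body)) + body
    # IKE header: SPIi, SPIr (zero in the first message), next payload,
    # version 2.0, exchange type, Initiator flag, message ID 0, total length.
    header = spi_i + bytes(8) + struct.pack(
        "!BBBBII", types[0], 0x20, EXCHANGE_IKE_SA_INIT, 0x08, 0, 28 + len(chain))
    return header + chain


def parse_payloads(message):
    """Walk the payload chain and return [(payload type, body), ...]."""
    next_type, offset, found = message[16], 28, []
    while next_type != 0:
        following, _, length = struct.unpack_from("!BBH", message, offset)
        if length < 4 or offset + length > len(message):
            raise ValueError("malformed payload length")
        found.append((next_type, message[offset + 4:offset + length]))
        next_type, offset = following, offset + length
    return found


def is_notify(payload_type, body, notify_type):
    """Notify body: protocol ID, SPI size, then the 16-bit notify type."""
    return (payload_type == PAYLOAD_NOTIFY and len(body) >= 4
            and struct.unpack_from("!H", body, 2)[0] == notify_type)


def without_notify(message, notify_type):
    """Message 1 as the responder would see it if the notify were removed
    on the path, with the payload chain and length fields made valid again."""
    kept = [(t, b) for t, b in parse_payloads(message)
            if not is_notify(t, b, notify_type)]
    return build_message(message[:8], kept)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def initiator_auth(shared_secret, sk_pi, message1, nonce_r, id_i):
    """Shared-secret AUTH from RFC 7296 section 2.15:
    prf(prf(secret, "Key Pad for IKEv2"), message 1 | Nr | prf(SK_pi, IDi'))."""
    signed_octets = message1 + nonce_r + prf(sk_pi, id_i)
    return prf(prf(shared_secret, b"Key Pad for IKEv2"), signed_octets)


def demo():
    # All values below are constructed for the example.
    spi_i = bytes.fromhex("0102030405060708")
    ke_body = struct.pack("!HH", 14, 0) + bytes(range(32))  # group 14, shortened value
    sent = build_message(spi_i, [
        (PAYLOAD_KE, ke_body),
        (PAYLOAD_NONCE, b"\xaa" * 16),
        (PAYLOAD_NOTIFY, struct.pack("!BBH", 0, 0, QSKE_NOTIFY_TYPE)),
    ])
    received = without_notify(sent, QSKE_NOTIFY_TYPE)
    secret, sk_pi = b"constructed-psk", b"\x11" * 32
    nonce_r, id_i = b"\xbb" * 16, b"\x02\x00\x00\x00initiator.example"

    # The initiator authenticates the bytes it sent; the responder recomputes
    # the value over the bytes it received.
    auth_from_initiator = initiator_auth(secret, sk_pi, sent, nonce_r, id_i)
    check_untouched = initiator_auth(secret, sk_pi, sent, nonce_r, id_i)
    check_stripped = initiator_auth(secret, sk_pi, received, nonce_r, id_i)
    return {
        "bytes_removed": len(sent) - len(received),
        "untouched_verifies": hmac.compare_digest(auth_from_initiator, check_untouched),
        "stripped_verifies": hmac.compare_digest(auth_from_initiator, check_stripped),
    }


if __name__ == "__main__":
    print(demo())
```

The mismatch only surfaces in IKE_AUTH, so what the initiator does after the failure (retry with standard SAs or give up) is still the fallback policy CJ describes.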


From nobody Mon Aug  7 09:40:27 2017
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06E541323BE for <ipsec@ietfa.amsl.com>; Mon,  7 Aug 2017 09:40:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level: 
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c1qM7r4a0ZEg for <ipsec@ietfa.amsl.com>; Mon,  7 Aug 2017 09:40:24 -0700 (PDT)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D69BA132385 for <ipsec@ietf.org>; Mon,  7 Aug 2017 09:40:23 -0700 (PDT)
Received: by mail-lf0-x22d.google.com with SMTP id m86so4205188lfi.4 for <ipsec@ietf.org>; Mon, 07 Aug 2017 09:40:23 -0700 (PDT)
X-Received: by 10.25.160.84 with SMTP id j81mr383130lfe.168.1502124022242; Mon, 07 Aug 2017 09:40:22 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.46.80.68 with HTTP; Mon, 7 Aug 2017 09:40:21 -0700 (PDT)
In-Reply-To: <20170804233710.GV3889@faui40p.informatik.uni-erlangen.de>
References: <20170804233710.GV3889@faui40p.informatik.uni-erlangen.de>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Mon, 7 Aug 2017 12:40:21 -0400
X-Google-Sender-Auth: 0t4_1wNYeZQ1dzarsFJk8riT9RU
Message-ID: <CADZyTkn=wbYBQfPx-9RAjEH8txTJ_og0O7s-yHLwWoJfLWUdDQ@mail.gmail.com>
To: Toerless Eckert <tte@cs.fau.de>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="001a11402c74c1223a05562c80c6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mJc-ccw6RnxD3aXtflSHwO5L_iU>
Subject: Re: [IPsec] Multi-access interfaces (with IPsec)
X-List-Received-Date: Mon, 07 Aug 2017 16:40:26 -0000

--001a11402c74c1223a05562c80c6
Content-Type: text/plain; charset="UTF-8"

Hi,

Not really sure what exactly you are looking at, but these links might be
helpful.

Yours,
Daniel

https://tools.ietf.org/html/rfc7791
https://tools.ietf.org/html/rfc7018
https://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03
https://tools.ietf.org/html/draft-detienne-dmvpn-01

On Fri, Aug 4, 2017 at 7:37 PM, Toerless Eckert <tte@cs.fau.de> wrote:

> I want to describe (in some draft) the use of a virtual multi-access
> interface that is mapped to multiple p2p associations (eg: IPsec).
> Which i think is a pretty standard option in industry implementations, eg:
> in hub routers for hub & spoke deployments.
>
> Is there any good RFC reference that explains how this works, eg:
> replicate ll-multicast to all p2p associations, learn peer addresses
> from received packets or specific IPv6 signaling packets, use that
> to send unicast into right p2p association, etc. pp.
>
> I could not find a good reference RFC for this ;-(
>
> Thanks!
>     Toerless
>


--001a11402c74c1223a05562c80c6--


From nobody Mon Aug  7 11:39:09 2017
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBC2613252C for <ipsec@ietfa.amsl.com>; Mon,  7 Aug 2017 11:39:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.713
X-Spam-Level: 
X-Spam-Status: No, score=-2.713 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FAKE_REPLY_C=1.486, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pp7X1ltjysHp for <ipsec@ietfa.amsl.com>; Mon,  7 Aug 2017 11:39:05 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A2B5132514 for <ipsec@ietf.org>; Mon,  7 Aug 2017 11:38:54 -0700 (PDT)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id C6B8758C4C1; Mon,  7 Aug 2017 20:38:44 +0200 (CEST)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id A4EEAB0C802; Mon,  7 Aug 2017 20:38:44 +0200 (CEST)
Date: Mon, 7 Aug 2017 20:38:44 +0200
From: te36 <tte@cs.fau.de>
To: Daniel Migault <daniel.migault@ericsson.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Message-ID: <20170807183844.GY3889@faui40p.informatik.uni-erlangen.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CADZyTkn=wbYBQfPx-9RAjEH8txTJ_og0O7s-yHLwWoJfLWUdDQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/djRMtuccnE9daiqG-nrxiPYR2gE>
Subject: Re: [IPsec] Multi-access interfaces (with IPsec)
X-List-Received-Date: Mon, 07 Aug 2017 18:39:09 -0000

Thanks Daniel!

Quick browsing does not seem to show that these docs discuss what i am looking for,
so let me explain it hopefully better:

Assume i have a p2p subnet with two routers attached. I want to use IPsec
to protect all IPv6 traffic on that subnet and make it "invisible" to all
IP protocols as much as possible. So i set up an IPsec SA between the two
and set the SPD on both sides to protect all traffic. 

So this will work fine, and i vendors are supporting it, but i am not aware
of an RFC specifying this. For example, what would you put into the Link-Layer
address option of IPv6 ND packets. I assume this would be the underlying
link-layer address (eg: ethernet address), but thats not 100% obvious.

So, thats the simple case. Lets consider now i have 3 (or 30) routers on a LAN and
want to protect it with IPsec. Usually, i could not create multiple SAs
across a single interface (from what i have seen in products). There are
products that allow you to create a virtual IPsec subnet, but those are p2p,
eg: you create a full mesh of SAs and on every router you see two separate
virtual IPsec p2p interfaces, each operating the same as the above p2p example,
except that the implementation might be different.

But i would rather like to see a single multiaccess subnet interface on each
router so that i can fully reflect the underlying topology. And any protocols
using multicast would continue to operate. Its not really that difficult,
as i already said in my first email:

  - Replicate multicasts into all SAs. Including ND multicasts.
  - You keep a mapping table about which IPv6 nexthop belongs to which SA.
  - Send unicast into the right SA based on that nexthop table.
  - Populate that nexthop table from source IPv6 addresses
    received from each SA. Maybe limited to received ND packets.
  - Continue to populate the underlying Link-Layer address, but
    no need to maintain any link-layer mapping table (send but ignore on
    receipt).

And now i just wonder if i need to write this down into my draft, or if i can
find some existing RFC (or draft) i could refer to. Especially because the details
of learning the SA mapping are pretty arbitrary. Eg: I think it would logically
be a lot better to have SPIs as link-layer addresses, but i wouldn't want to
invent something new just because i think it's logically better. Or i
populate the mapping table solely from the peer address of the SPI (eg:
link-local-IPv6-address of the peer on the SA).

The definitions i am looking for do not need to be specific to IPsec. The
problem is IMHO quite orthogonal to IPsec. Eg: instead of IPsec SA, i could
equally try to protect the traffic with any other form of secure p2p tunnel.
But i wouldn't know which other IETF mailing list to ask for other contexts
(suggestions welcome).

There is for example rfc7847, but it has a lot of surplus (;-) mobility stuff
in it, and it doesn't tackle the simple points of multicast, how to learn
next-hop mapping , eg: what to do with ND packets, etc. pp, so i think it
wouldn't help me as a reference.

Cheers
    Toerless

On Mon, Aug 07, 2017 at 12:40:21PM -0400, Daniel Migault wrote:
> Not really sure what exactly you are looking at, but these links might be
> helpful.
> 
> https://tools.ietf.org/html/rfc7018
> https://tools.ietf.org/html/rfc7791
> https://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03
> https://tools.ietf.org/html/draft-detienne-dmvpn-01
> 
> On Fri, Aug 4, 2017 at 7:37 PM, Toerless Eckert <tte@cs.fau.de> wrote:
> 
> > I want to describe (in some draft) the use of a virtual multi-access
> > interface that is mapped to multiple p2p associations (eg: IPsec).
> > Which i think is a pretty standard option in industry implementations, eg:
> > in hub routers for hub & spoke deployments.
> >
> > Is there any good RFC reference that explains how this works, eg:
> > replicate ll-multicast to all p2p associations, learn peer addresses
> > from received packets or specific IPv6 signaling packets, use that
> > to send unicast into right p2p association, etc. pp.
> >
> > I could not find a good reference RFC for this ;-(
> >
> > Thanks!
> >     Toerless
> >

-- 
---
tte@cs.fau.de
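
Added example (not code from the thread or from any product): the five rules Toerless lists above, written as the forwarding table of one virtual multi-access interface over several p2p SAs. The class and SA names are hypothetical and the addresses are constructed; two behaviours are assumptions the message does not state: a unicast with no learned next hop is not sent, and an address already bound to one SA is not re-learned from another.

```python
import ipaddress


class VirtualMultiAccessInterface:
    """One multi-access interface backed by one p2p SA per peer."""

    def __init__(self, learn_from_nd_only=True):
        self.sas = []               # SA identifiers, in configuration order
        self.nexthop_to_sa = {}     # IPv6 next hop -> SA identifier
        self.conflicts = []         # (address, bound SA, claiming SA)
        # "Maybe limited to received ND packets" in the message above.
        self.learn_from_nd_only = learn_from_nd_only

    def add_sa(self, sa_id):
        if sa_id not in self.sas:
            self.sas.append(sa_id)

    def remove_sa(self, sa_id):
        """Drop an SA together with every next hop learned through it."""
        self.sas.remove(sa_id)
        self.nexthop_to_sa = {addr: sa for addr, sa in self.nexthop_to_sa.items()
                              if sa != sa_id}

    def receive(self, sa_id, src, is_nd, link_layer_option=None):
        """Handle a packet that arrived on sa_id; True if a mapping was learned.

        link_layer_option is accepted and ignored: the underlying link-layer
        address is still sent by peers, but no link-layer table is kept.
        """
        if sa_id not in self.sas:
            raise KeyError(f"unknown SA {sa_id!r}")
        if self.learn_from_nd_only and not is_nd:
            return False
        addr = ipaddress.IPv6Address(src)
        # The unspecified source of a DAD solicitation identifies nobody.
        if addr.is_unspecified or addr.is_multicast:
            return False
        bound = self.nexthop_to_sa.get(addr)
        if bound is not None and bound != sa_id:
            # Assumption of this example: keep the first binding and record
            # the claim, so one peer cannot take over another peer's next hop.
            self.conflicts.append((addr, bound, sa_id))
            return False
        self.nexthop_to_sa[addr] = sa_id
        return True

    def transmit(self, dst, nexthop=None):
        """Return the SAs a packet is sent on."""
        dst_addr = ipaddress.IPv6Address(dst)
        if dst_addr.is_multicast:
            return list(self.sas)   # replicate, ND multicasts included
        # An on-link destination is its own next hop.
        key = ipaddress.IPv6Address(nexthop) if nexthop else dst_addr
        sa = self.nexthop_to_sa.get(key)
        # Assumption of this example: with no mapping nothing is sent; the ND
        # multicast that resolves the next hop is replicated to all SAs and
        # the reply populates the table.
        return [sa] if sa is not None else []


def demo():
    # Constructed three-router case: the local router has SAs to B and C.
    ifc = VirtualMultiAccessInterface()
    ifc.add_sa("sa-to-B")
    ifc.add_sa("sa-to-C")
    out = {}
    out["ns_multicast"] = ifc.transmit("ff02::1:ff00:b")
    out["before_learning"] = ifc.transmit("2001:db8::99", nexthop="fe80::b")
    ifc.receive("sa-to-B", "fe80::b", is_nd=True,
                link_layer_option=bytes.fromhex("02005e000001"))
    ifc.receive("sa-to-C", "fe80::c", is_nd=True)
    out["dad_learned"] = ifc.receive("sa-to-C", "::", is_nd=True)
    out["data_learned"] = ifc.receive("sa-to-C", "fe80::d", is_nd=False)
    out["unicast_via_b"] = ifc.transmit("2001:db8::99", nexthop="fe80::b")
    # C now claims B's link-local address in an ND packet.
    out["spoof_learned"] = ifc.receive("sa-to-C", "fe80::b", is_nd=True)
    out["after_spoof"] = ifc.transmit("2001:db8::99", nexthop="fe80::b")
    out["conflicts"] = len(ifc.conflicts)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```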


From nobody Tue Aug  8 06:57:41 2017
Return-Path: <mcr@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C821E1321C7 for <ipsec@ietfa.amsl.com>; Tue,  8 Aug 2017 06:57:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jl3GA6TYBVW9 for <ipsec@ietfa.amsl.com>; Tue,  8 Aug 2017 06:57:37 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 272351323B9 for <ipsec@ietf.org>; Tue,  8 Aug 2017 06:56:59 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 61B5BE241; Tue,  8 Aug 2017 09:59:10 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 9D8D080717; Tue,  8 Aug 2017 09:56:58 -0400 (EDT)
From: Michael Richardson <mcr@sandelman.ca>
To: te36 <tte@cs.fau.de>
cc: Daniel Migault <daniel.migault@ericsson.com>, "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <20170807183844.GY3889@faui40p.informatik.uni-erlangen.de>
References: <20170807183844.GY3889@faui40p.informatik.uni-erlangen.de>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <10443.1502200618.1@obiwan.sandelman.ca>
Content-Transfer-Encoding: quoted-printable
Date: Tue, 08 Aug 2017 09:56:58 -0400
Message-ID: <10444.1502200618@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Go3NaA_A182JoMSH2XkTrbhZwzo>
Subject: Re: [IPsec] Multi-access interfaces (with IPsec)
X-List-Received-Date: Tue, 08 Aug 2017 13:57:39 -0000

te36 <tte@cs.fau.de> wrote:
    > Assume i have a p2p subnet with two routers attached. I want to use IPsec
    > to protect all IPv6 traffic on that subnet and make it "invisible" to all
    > IP protocols as much as possible. So i set up an IPsec SA between the two
    > and set the SPD on both sides to protect all traffic.

    > So this will work fine, and i vendors are supporting it, but i am not aware
    > of an RFC specifying this. For example, what would you put into the Link-Layer
    > address option of IPv6 ND packets. I assume this would be the underlying
    > link-layer address (eg: ethernet address), but thats not 100% obvious.

I have no idea why you would be asking that question.
What link layer are you speaking about?  It's just IP inside the tunnel.
Why would there be ND inside the tunnel?  It's a PPP tunnel.

    > So, thats the simple case. Lets consider now i have 3 (or 30) routers on a LAN and
    > want to protect it with IPsec. Usually, i could not create multiple SAs
    > across a single interface (from what i have seen in products). There are
    > products that allow you to create a virtual IPsec subnet, but those are p2p,
    > eg: you create a full mesh of SAs and on every router you see two separate
    > virtual IPsec p2p interfaces, each operating the same as the above p2p example,
    > except that the implementation might be different.

Yes.

    > But i would rather like to see a single multiaccess subnet interface on each
    > router so that i can fully reflect the underlying topology. And any protocols
    > using multicast would continue to operate. Its not really that difficult,
    > as i already said in my first email:

The reason you don't see such a specification is because it isn't specified.
While we have some multicast key management protocols for IPsec, they aren't
aimed at securing a subnet.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


From nobody Tue Aug  8 09:52:26 2017
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61B1B13274F for <ipsec@ietfa.amsl.com>; Tue,  8 Aug 2017 09:52:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level: 
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FVnQXLaXghHQ for <ipsec@ietfa.amsl.com>; Tue,  8 Aug 2017 09:52:20 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76D17132740 for <ipsec@ietf.org>; Tue,  8 Aug 2017 09:52:20 -0700 (PDT)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 2F4FC58C4C3; Tue,  8 Aug 2017 18:52:16 +0200 (CEST)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id 0E128B0C815; Tue,  8 Aug 2017 18:52:15 +0200 (CEST)
Date: Tue, 8 Aug 2017 18:52:15 +0200
From: te36 <tte@cs.fau.de>
To: Michael Richardson <mcr@sandelman.ca>
Cc: Daniel Migault <daniel.migault@ericsson.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Message-ID: <20170808165215.GE3889@faui40p.informatik.uni-erlangen.de>
References: <20170807183844.GY3889@faui40p.informatik.uni-erlangen.de> <10444.1502200618@obiwan.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <10444.1502200618@obiwan.sandelman.ca>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0SxMJW4ff9NplNrkiVjzZRccMlE>
Subject: Re: [IPsec] Multi-access interfaces (with IPsec)
X-List-Received-Date: Tue, 08 Aug 2017 16:52:23 -0000

On Tue, Aug 08, 2017 at 09:56:58AM -0400, Michael Richardson wrote:
> te36 <tte@cs.fau.de> wrote:
>     > Assume i have a p2p subnet with two routers attached. I want to use IPsec
>     > to protect all IPv6 traffic on that subnet and make it "invisible" to all
>     > IP protocols as much as possible. So i set up an IPsec SA between the two
>     > and set the SPD on both sides to protect all traffic.
> 
>     > So this will work fine, and i vendors are supporting it, but i am not aware
>     > of an RFC specifying this. For example, what would you put into the Link-Layer
>     > address option of IPv6 ND packets. I assume this would be the underlying
>     > link-layer address (eg: ethernet address), but thats not 100% obvious.
> 
> I have no idea why you would be asking that question.
> What link layer are you speaking about?  It's just IP inside the tunnel.
> Why would there be ND inside the tunnel?  It's a PPP tunnel.

From rfc4861:

  point-to-point - a link that connects exactly two interfaces.  A
                    point-to-point link is assumed to have multicast
                    capability and a link-local address.

   point-to-point - Neighbor Discovery handles such links just like
                    multicast links.  (Multicast can be trivially
                    provided on point-to-point links, and interfaces
                    can be assigned link-local addresses.)

But also remember that the original spirit of rfc4301 (i hope i state this correctly)
is not that of "tunneling", but rather of authenticating/encrypting packets. This
is reflected in the SPD that allows you to specify some subsets of packets to
which you apply this security. So address resolution itself would in most traditional
implementations (at least the ones i know) still see the underlying type of interface
and use its address resolution method and formats (eg: Ethernet, ARP/ND,
ethernet address).  Thats of course exactly what i find non-ideal in what we want
to do, hence also my question about a "virtual interface" definition.

>     > So, thats the simple case. Lets consider now i have 3 (or 30) routers on a LAN and
>     > want to protect it with IPsec. Usually, i could not create multiple SAs
>     > across a single interface (from what i have seen in products). There are
>     > products that allow you to create a virtual IPsec subnet, but those are p2p,
>     > eg: you create a full mesh of SAs and on every router you see two separate
>     > virtual IPsec p2p interfaces, each operating the same as the above p2p example,
>     > except that the implementation might be different.
> 
> Yes.
> 
>     > But i would rather like to see a single multiaccess subnet interface on each
>     > router so that i can fully reflect the underlying topology. And any protocols
>     > using multicast would continue to operate. Its not really that difficult,
>     > as i already said in my first email:
> 
> The reason you don't see such a specification is because it isn't specified.
> While we have some multicast key management protocols for IPsec, they aren't
> aimed at securing a subnet.

Ok, thanks for confirming that there is no specification utilizing IPsec.

There could still be some RFC specifying how to build a virtual
"pseudo-multicast" enabled "NBMA" subnet using a bunch of underlying
 p2p subinterfaces and how to ND in that case. So maybe i should ask on 6man.

Cheers
    Toerless

> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


From nobody Tue Aug  8 14:18:34 2017
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C082131F21; Tue,  8 Aug 2017 14:18:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59V_3GebI3DQ; Tue,  8 Aug 2017 14:18:23 -0700 (PDT)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C3B513202D; Tue,  8 Aug 2017 14:18:23 -0700 (PDT)
Received: by mail-wm0-x235.google.com with SMTP id m85so16765985wma.1; Tue, 08 Aug 2017 14:18:23 -0700 (PDT)
X-Received: by 10.80.221.2 with SMTP id t2mr6006060edk.134.1502227101870; Tue, 08 Aug 2017 14:18:21 -0700 (PDT)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id t36sm1615686edb.38.2017.08.08.14.18.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 08 Aug 2017 14:18:21 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_DB7CAFCF-652D-49E3-B081-D1552BE400F7"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
X-Mail-Calendar-Part: Yes
Message-Id: <58CE7D86-A747-40BC-8F94-C760250169EA@gmail.com>
To: i2nsf@ietf.org, IPsecME WG <ipsec@ietf.org>
Date: Wed, 9 Aug 2017 00:18:18 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/x1P-_zx8qXTuRc8jNkLtNZusqw8>
Subject: [IPsec] I2NSF Virtual Interim meeting on IPsec and draft-abad [Doodle]

--Apple-Mail=_DB7CAFCF-652D-49E3-B081-D1552BE400F7
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_17FE71D7-B370-47E8-A19D-C1D5143303D3"


--Apple-Mail=_17FE71D7-B370-47E8-A19D-C1D5143303D3
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

* * * Cross-posting * * *

Hi, all.

The I2NSF will hold a virtual interim meeting on September 6th at 16:00
GMT (that’s 6pm in Spain and central Europe, Noon on the US East
Coast, 9am on the US West Coast)

The purpose is to discuss the issues raised about
draft-abad-i2nsf-sdn-ipsec-flow-protection.

One issue is the applicability of the draft to different IPsec
scenarios, such as site-to-site VPN, remote access VPN, communications
between nodes in a data center, and others. It is entirely possible that
the concerns raised by IPsec (mostly VPN) people are related to the
scope of the draft.

The other issue is what the draft calls “case 2” where
traffic (IPsec) keys are generated on the SDN controller rather than
using a key exchange protocol between the NSFs.

If people would like to make a short presentation to clarify their
position during the meeting, please contact Linda and me. The authors
need not do so. We will contact them within a few days.

A detailed agenda will be by August 25th. Call-in details will be sent
by August 31st.

Linda and Yoav


--Apple-Mail=_17FE71D7-B370-47E8-A19D-C1D5143303D3
Content-Type: multipart/mixed;
	boundary="Apple-Mail=_8D9661A0-6707-4BED-8943-E07E9718CC9E"


--Apple-Mail=_8D9661A0-6707-4BED-8943-E07E9718CC9E
Content-Disposition: attachment;
	filename=iCal-20170809-000706.ics
Content-Type: text/calendar;
	x-unix-mode=0666;
	name="iCal-20170809-000706.ics"
Content-Transfer-Encoding: 7bit

BEGIN:VCALENDAR
CALSCALE:GREGORIAN
VERSION:2.0
X-WR-CALNAME:I2NSF Virtual Interim meeting on IPsec and draft-abad [Doodle]
METHOD:PUBLISH
PRODID:-//Apple Inc.//Mac OS X 10.12.6//EN
BEGIN:VEVENT
TRANSP:OPAQUE
DTEND:20170906T173000Z
ORGANIZER;SCHEDULE-AGENT=CLIENT:MAILTO:mailer@doodle.com
UID:15047136000002039394961@doodle.biz
DTSTAMP:20170808T210655Z
LOCATION:It's virtual
DESCRIPTION:Initiated by Yoav Nir\nThe I2NSF meeting in Prague and subsequent mailing list chatter showed that there is a disconnect between IPsec (and VPN) people and the SDN people proposing this draft.  This meeting aims to bridge that gap.\n\nA detailed agenda will be by August 25th. Call-in details will be sent by August 31st.
URL;VALUE=URI:https://beta.doodle.com/poll/crxhk94fcx3qmhks
SEQUENCE:0
SUMMARY:I2NSF Virtual Interim meeting on IPsec and draft-abad [Doodle]
DTSTART:20170906T160000Z
X-APPLE-TRAVEL-ADVISORY-BEHAVIOR:AUTOMATIC
CREATED:20170808T210346Z
X-MICROSOFT-CDO-BUSYSTATUS:BUSY
BEGIN:VALARM
X-WR-ALARMUID:46B2CF34-27D6-4672-B827-711BBF39AC92
UID:46B2CF34-27D6-4672-B827-711BBF39AC92
TRIGGER:-PT15M
ATTACH;VALUE=URI:Basso
X-APPLE-LOCAL-DEFAULT-ALARM:TRUE
ACTION:AUDIO
X-APPLE-DEFAULT-ALARM:TRUE
END:VALARM
BEGIN:VALARM
X-WR-ALARMUID:20F5A27E-AD65-46F1-BBDD-C716BE422C05
UID:20F5A27E-AD65-46F1-BBDD-C716BE422C05
TRIGGER:-PT15M
X-APPLE-DEFAULT-ALARM:TRUE
ATTACH;VALUE=URI:Basso
ACTION:AUDIO
END:VALARM
END:VEVENT
END:VCALENDAR

--Apple-Mail=_8D9661A0-6707-4BED-8943-E07E9718CC9E--

--Apple-Mail=_17FE71D7-B370-47E8-A19D-C1D5143303D3--

--Apple-Mail=_DB7CAFCF-652D-49E3-B081-D1552BE400F7--


From nobody Tue Aug  8 17:15:50 2017
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: tte@cs.fau.de
cc: Daniel Migault <daniel.migault@ericsson.com>, "ipsec\@ietf.org" <ipsec@ietf.org>
In-Reply-To: <20170808165215.GE3889@faui40p.informatik.uni-erlangen.de>
References: <20170807183844.GY3889@faui40p.informatik.uni-erlangen.de> <10444.1502200618@obiwan.sandelman.ca> <20170808165215.GE3889@faui40p.informatik.uni-erlangen.de>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Tue, 08 Aug 2017 20:15:44 -0400
Message-ID: <27242.1502237744@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/sTdfolf-0GqDZNqAdxO7I3fgxeg>
Subject: Re: [IPsec] Multi-access interfaces (with IPsec)

--=-=-=
Content-Type: text/plain


<tte@cs.fau.de> wrote:
    > But also remember that the original spirit of rfc4301 (i hope i state this correctly)
    > is not that of "tunneling", but rather of authenticating/encrypting packets. This
    > is reflected in the SPD that allows you to specify some subsets of packets to
    > which you apply this security. So address resolution itself would in most traditional
    > implementations (at least the ones i know) still see the underlying type of interface
    > and use its address resolution method and formats (eg: Ethernet,
    > ARP/ND,

It's a great thought, but it's not implemented for reasons that wind up
devolving into "we don't have a global PKI", (with a bunch of "the customer
didn't ask for that" in the middle)

    > There could still be some RFC specifying how to build a virtual
    > "pseudo-multicast" enabled "NBMA" subnet using a bunch of underlying
    > p2p subinterfaces and how to ND in that case. So maybe i should ask on
    > 6man.

RFC6550 is such a specification.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=--


From nobody Wed Aug  9 02:42:38 2017
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Message-ID: <22922.55551.190123.31763@fireball.acr.fi>
Date: Wed, 9 Aug 2017 12:42:23 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Valery Smyslov" <svanru@gmail.com>
Cc: "'Graham Bartlett \(grbartle\)'" <grbartle@cisco.com>, ipsec@ietf.org
In-Reply-To: <041b01d30d21$8d33f230$a79bd690$@gmail.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Hb48RRAyEW5lhJIHWAGDhqR4AY8>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

Valery Smyslov writes:
> It is not clear for me (and I raised this concern in Prague) why do
> you use QSKE as an additional Key Exchange mechanism instead of
> replacing DH KE with it? We’ve been being told by cryptographers
> that conventional public key cryptography won’t provide security in
> presence of QC, so why bother with it?

For me the main reason is that we have been told that current protocol
used in IKE is safe, and if we do not break it (i.e., remove it), but
instead just add some more random data to SKEYSEED, I think it should
be quite easy to prove that this new construct is also safe. I.e., us
adding PPK/QSKE etc stuff to our calculations will not weaken the
security of the IKEv2.

> The only reason that comes to my mind is that you don’t fully trust
> QSKE. Are there any other reasons?

I think that is one of the main reasons. Especially as we do not know
which QSKE we are talking about.
--
kivinen@iki.fi


From nobody Wed Aug  9 03:08:20 2017
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Message-ID: <22922.57101.227283.113155@fireball.acr.fi>
Date: Wed, 9 Aug 2017 13:08:13 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Cen Jung Tjhai <CJT@post-quantum.com>
Cc: Valery Smyslov <svanru@gmail.com>, "ipsec\@ietf.org" <ipsec@ietf.org>
In-Reply-To: <1501968567726.89885@post-quantum.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <1501968567726.89885@post-quantum.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/5885Tavv9NmN4h4D3kuSl-2y_KU>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

Cen Jung Tjhai writes:
>>And I think if the IKE_SA_INIT messages grow too large with QSKE,
>>then it’s better to develop generic fragmentation mechanism for
>>IKE_SA_INIT, rather than making it specific for fragmenting QSKE
>>blobs. Generic mechanism would allow to reuse it in case we’ll have
>>to include other large payloads in initial messages.
>
> Yes, while a generic mechanism would allow it to be reused, it
> sounds like a different draft all together. It could result in a
> very complex change in the protocol. Furthermore, we would like to
> support QSKE blob that is larger than 64KB in size, hence we
> fragment it in that way.

Actually I think it would be better NOT to change IKE_SA_INIT at all,
but instead add new exchange between the IKE_SA_INIT and IKE_AUTH.

I.e., let's have following exchange:

Initiator                         Responder
   -------------------------------------------------------------------
   HDR(IKE_SA_INIT, MID=0), SAi1, KEi,
       Ni, N(IKEV2_FRAGMENTATION_SUPPORTED),
       N(PRE_AUTH_SUPPORTED)  -->

                                <--  HDR(IKE_SA_INIT, MID=0), SAr1, KEr, Nr,
                                         N(IKEV2_FRAGMENTATION_SUPPORTED)
                                         N(PRE_AUTH_NEEDED), [CERTREQ]

   HDR(PRE_AUTH, MID=1),
       SKF(NextPld=PLD1, Frag#=1, TotalFrags=m)
       {...} -->
   HDR(PRE_AUTH, MID=1),
       SKF(NextPld=0, Frag#=2, TotalFrags=m)
       {...} -->
   ...
   HDR(PRE_AUTH, MID=1),
       SKF(NextPld=0, Frag#=m, TotalFrags=m)
       {...} -->

                                <-- HDR(PRE_AUTH, MID=1),
                                        SKF(NextPld=PLD1, Frag#=1,
                                            TotalFrags=m)
                                        {...}
                                <-- HDR(PRE_AUTH, MID=1),
                                        SKF(NextPld=0, Frag#=2,
                                            TotalFrags=m)
                                        {...}
                            ...
                                <-- HDR(PRE_AUTH, MID=1),
                                        SKF(NextPld=0, Frag#=m,
                                            TotalFrags=m)
                                        {...}

   HDR(IKE_AUTH, MID=2),
       SK {IDi, [CERT,] [CERTREQ,]
           [IDr,] AUTH, SAi2,
           TSi, TSr}  -->

                                <--  HDR(IKE_AUTH, MID=2),
                                         SK {IDr, [CERT,] AUTH,
                                             SAr2, TSi, TSr}

I.e., we run normal IKE_SA_INIT with message ID of 0. It negotiates
the fragmentation (IKEV2_FRAGMENTATION_SUPPORTED), so all further
exchanges after IKE_SA_INIT can use fragmentation.

Then we do another exchange before the IKE_AUTH, i.e. we do PRE_AUTH
exchange before IKE_AUTH using message id 1 (or even message ids 2, 3,
4, etc, as many as are needed). This step does the large blob exchange
needed for the IKE_AUTH. As these are normal fragmented IKEv2 message,
i.e. there is request and there is reply. What goes in there is
most likely using some new payload number to transfer the QSKE data in
both directions.

Note, that IKEv2 messages are limited to 4GB in size, and one payload
inside IKEv2 message is limited to 64kB in size, so if larger than 64k
objects need to be transmitted, it can be transmitted using exactly
one IKEv2 message, having multiple payloads in it. On the other hand
as fragments are not individually acknowledged, we do not want to
transfer too big messages using it, so it might be better to allow
multiple PRE_AUTH message exchanges before moving to the IKE_AUTH.
This means that the PRE_AUTH exchange most likely needs to have some
way of telling the other end when it is done, and when to move to
IKE_AUTH.

IKE_AUTH then would be just normal IKE_AUTH.

The fact whether we need the PRE_AUTH exchange can be negotiated in
the IKE_SA_INIT, either using transform types in SA payload, or using
the notify payloads.

Also if we split data to less than 64k chunks anyways, it might also
be better not to use IKEv2 fragmentation, but instead just send
several PRE_AUTH exchanges instead.

Note, that the PRE_AUTH happening between IKE_SA_INIT and IKE_AUTH
would be encrypted, and MACed, but it WILL NOT be authenticated, i.e.,
we have not yet authenticated the other peer, and we will not include
those octets to the AUTH payload calculations, so they will not be
authenticated in AUTH phase, like the IKE_SA_INIT contents will be
authenticated.

I think this kind of step between IKE_SA_INIT and IKE_AUTH might be
easiest and most generic way of transferring the QSKE data. We will be
transferring large amount of data anyways, so trying to put it part of
IKE_SA_INIT is not useful, and trying to play around with cookies, and
IKE_SA_INIT modifications is just adding complexity.
--
kivinen@iki.fi
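
The multi-exchange PRE_AUTH variant described in the message above, as an added example (not code from the post or from any IKEv2 implementation): a blob larger than one payload is carried as several payloads per message over several PRE_AUTH exchanges, and the receiver bounds what it accepts because the peer is not yet authenticated. The payload type 200, the 4-byte total-length prefix used as the "done" signal, and the receiver caps are assumptions; SK encryption and IKEv2 fragmentation are left out.

```python
import struct

# RFC 7296 section 3.2 generic payload header: Next Payload (1 byte), flags
# (1 byte), Payload Length (2 bytes, header included), so one payload carries
# at most 65531 data bytes.
GENERIC_HDR = struct.Struct("!BBH")
MAX_PAYLOAD_DATA = 0xFFFF - GENERIC_HDR.size
NO_NEXT_PAYLOAD = 0
QSKE_PAYLOAD = 200      # hypothetical payload type from the private-use range
FIRST_PRE_AUTH_MID = 1  # IKE_SA_INIT used Message ID 0


class PreAuthError(Exception):
    """A PRE_AUTH message broke framing or exceeded local policy."""


def build_pre_auth(blob, payloads_per_message):
    """Sender: return [(message_id, first_payload_type, body), ...].

    Assumption: the stream starts with a 4-byte total length, which is how
    the receiver learns that PRE_AUTH is finished.
    """
    stream = struct.pack("!I", len(blob)) + blob
    chunks = [stream[i:i + MAX_PAYLOAD_DATA]
              for i in range(0, len(stream), MAX_PAYLOAD_DATA)]
    messages = []
    for start in range(0, len(chunks), payloads_per_message):
        group = chunks[start:start + payloads_per_message]
        body = bytearray()
        for j, chunk in enumerate(group):
            nxt = QSKE_PAYLOAD if j + 1 < len(group) else NO_NEXT_PAYLOAD
            body += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(chunk))
            body += chunk
        mid = FIRST_PRE_AUTH_MID + len(messages)
        messages.append((mid, QSKE_PAYLOAD, bytes(body)))
    return messages


def parse_chain(first_type, body):
    """Walk a payload chain, validating every length; return [(type, data)]."""
    out, off, ptype = [], 0, first_type
    while ptype != NO_NEXT_PAYLOAD:
        if off + GENERIC_HDR.size > len(body):
            raise PreAuthError("truncated payload header")
        nxt, _flags, plen = GENERIC_HDR.unpack_from(body, off)
        if plen < GENERIC_HDR.size or off + plen > len(body):
            raise PreAuthError("payload length outside message")
        out.append((ptype, body[off + GENERIC_HDR.size:off + plen]))
        off, ptype = off + plen, nxt
    if off != len(body):
        raise PreAuthError("trailing bytes after last payload")
    return out


class PreAuthReceiver:
    """Reassembles the blob. The peer is not authenticated yet, so the total
    size and the number of exchanges are capped (constructed limits)."""

    def __init__(self, max_blob=1 << 20, max_exchanges=8):
        self.max_blob, self.max_exchanges = max_blob, max_exchanges
        self.next_mid = FIRST_PRE_AUTH_MID
        self.total = None
        self.buf = bytearray()

    def on_request(self, mid, first_type, body):
        """Consume one PRE_AUTH request; True means move on to IKE_AUTH."""
        if self.total is not None and len(self.buf) == self.total:
            raise PreAuthError("PRE_AUTH already complete")
        if mid != self.next_mid:
            raise PreAuthError("unexpected Message ID")
        if mid - FIRST_PRE_AUTH_MID >= self.max_exchanges:
            raise PreAuthError("too many PRE_AUTH exchanges")
        for ptype, data in parse_chain(first_type, body):
            if ptype != QSKE_PAYLOAD:
                raise PreAuthError("unexpected payload type")
            self.buf += data
        if self.total is None:
            if len(self.buf) < 4:
                raise PreAuthError("missing total length")
            (self.total,) = struct.unpack_from("!I", self.buf)
            del self.buf[:4]
            if self.total > self.max_blob:
                raise PreAuthError("announced size exceeds pre-auth cap")
        if len(self.buf) > self.total:
            raise PreAuthError("more data than announced")
        self.next_mid += 1
        return len(self.buf) == self.total


def transfer(blob, payloads_per_message=2, **caps):
    """Run sender -> receiver; return (done flag per exchange, blob)."""
    rx = PreAuthReceiver(**caps)
    done = [rx.on_request(*m) for m in build_pre_auth(blob, payloads_per_message)]
    return done, bytes(rx.buf)


if __name__ == "__main__":
    sample = b"\xa5" * 150000   # constructed stand-in for a >64 kB QSKE blob
    flags, received = transfer(sample)
    print(flags, received == sample)
```

The caps run before IKE_AUTH, which is the point at which the message notes the PRE_AUTH octets are encrypted and MACed but not yet authenticated.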



From nobody Wed Aug  9 06:56:19 2017
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Wed, 9 Aug 2017 13:56:06 +0000
Message-ID: <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>
In-Reply-To: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>
Content-Type: multipart/alternative; boundary="_000_B991A75E0473428E95B839491D0EB098isaracorpcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/cYpcZrpVzc6XxftiYnh3-TZ1MBM>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

--_000_B991A75E0473428E95B839491D0EB098isaracorpcom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi Graham and all,

I have a few comments/suggestions on Graham’s idea. They concern two components of this proposal: 1) QS SA negotiation; and 2) QS KE/fragmentation; and one item unaddressed by the proposal 3) Rekeying/Child Creation.

Apologies in advance for the length.

1) QS SA Negotiation

When negotiating a QS SA, it’s not enough to negotiate QS key agreement algorithm(s), one also has to ensure that the algorithms selected by the other transform types are also QS. For example ENCR_AES_CBC (KeyLength = 128) will only provide 64 bits of security against a quantum computer, which is insufficient. If we are only concerned about passive quantum attacks then the choice of integrity algorithm won’t matter as much, however PRF transforms with enough bits of security to be QS will also need to be chosen.

With that in mind, I have concerns about advertising/negotiating the QSKE algorithms along with the KE algorithms in transform type 4. In order to ensure that a QS SA is established, the initiator will have to ensure that the first advertised SA is the QS one. This is fine, as RFC7296 specifies that the proposals are listed in order of preference. However, I don’t see a requirement that the transforms within a proposal have to be listed according to preference, or that the responder has to choose the first or strongest supported transform in a list (the end of section 3.3.5 talks about picking stronger transform *attributes*, but not about transforms). My point here is that if a responder may choose any of the proposed transforms then for the first proposal to be QS it must not contain any quantum-insecure transforms, or the responder must be modified to understand which ENCR/PRF transforms are QS and to pick them when creating a QS connection (and to fail if no QS algorithms are proposed). Then if an initiator wants to create QS SAs, but also wants to interoperate with (very?) old responders who don’t support AES-256 or PRF_HMAC_SHA2_384+ then they will need a second non-QS proposal in their SA list. And if they want to allow non-QS-upgraded, but still recently updated, responders a choice to use non-QR ENCR/PRF transforms (for performance reasons perhaps), they won’t be able to because the responder will have to pick transforms from the first (fully QS) proposal since it supports all the algorithms in the transform.

Now, maybe those concerns above are minor and the WG can live with them. That’s fine, I just want to make sure they’re considered.

I don’t find the re-use of transform 4 in this proposal, and the implicit combination of QS + non-QS algorithms, to be the most elegant, though I can understand it in the context of not wanting to add a new transform type.

But I am curious how strong this opposition to a new transform type is (apologies, I wasn’t in Prague so I don’t know if any other discussions occurred outside the WG timeslot). I fully understand the opposition due to backwards compatibility issues, this is something I came across in my own investigation too. I recall some opposition due to the possibility of the new transform creating additional proposals in the SA list (as new proposals are already needed due to AEAD), though I would imagine this is a lesser issue than backwards compatibility. If the main concern is backwards compatibility, would the WG be willing to consider an idea which includes the new transform type but avoids backwards compatibility issues? If so, I had a variant on the current proposals which I is more explicit in the separation of QS and non-QS SAs and uses a new transform type in a backwards compatible way.

The idea is to add the new transform type 6 (Q-S-Group) like CJ’s proposal, but don’t include it in the SA payload. Rather, introduce a new QS_SA payload which would be identical in structure to the SA payload except that it would also include the Q-S-Group transform type. An endpoint could configure the proposals in this payload to contain QS and only QS ENCR/PRF algorithms, plus QRKE algorithms in transform type 6 and existing DH algorithms in type 4. The SA payload would still exist, so non-upgraded responders would still be supported, but upgraded responders would give the QS_SA proposals higher priority than SA proposals.

A non-upgraded responder would not recognize the QS_SA payload and so would choose an SA from the SA payload. They would also never see the new transform type, so there would be no backward-compatibility issues. A responder who recognizes the QS_SA payload could respond using a QS_SA payload rather than a SA payload (or if you think there would be implementation problems with this we could say they respond with an SA payload which contains the selected proposal from the QS_SA payload).

With this idea a new notification type isn’t necessary, because the existence of the QS_SA payload lets the responder know this extension is supported, and a response SA containing a proposal from QS_SA (and containing transform type 6) lets the initiator know this extension is supported by the responder. An attacker couldn’t remove
IHRoZSBRU19TQSBwYXlsb2FkIGJlY2F1c2UgaXQgd2lsbCBiZSBwcm90ZWN0ZWQgYnkgdGhlIElE
aS9JRHIgcGF5bG9hZHMgaW4gSUtFX0FVVEguDQoNCg0KMikgUVIgS0UgLyBmcmFnbWVudGF0aW9u
DQoNCkkgd3JvdGUgdXAgdGhpcyBtZXNzYWdlIHllc3RlcmRheSB0byByZXZpZXcgYW5kIHNlbmQg
aW4gdGhlIG1vcm5pbmcsIGJ1dCBUZXJvJ3MgbWVzc2FnZSBsYXN0IG5pZ2h0IGNvdmVyZWQgbXkg
c3VnZ2VzdGlvbiBmb3IgZnJhZ21lbnRhdGlvbiwgc28gSeKAmWxsIGp1c3QgYWRkIGEgZmV3IG5v
dGVzIHRvIGNvbnNpZGVyIGluIHRoaXMgYXJlYS4NCg0KQXMgbWVudGlvbmVkLCB0aGlzIFBSRV9B
VVRIIChJIGxpa2UgSUtFX1FTX0tFLCBidXQgaWYgd2UgdGhpbmsgaXQgd2lsbCBiZSBleHBhbmRl
ZCBsYXRlciB0aGVuIFBSRV9BVVRIIGlzIG1vcmUgZ2VuZXJpYykgbWVzc2FnZSBpcyBlbmNyeXB0
ZWQgd2l0aCB0aGUgY2xhc3NpY2FsIGtleXMgZ2VuZXJhdGVkIGluIElLRV9TQV9JTklULiBUaGUg
c2hhcmVkIHNlY3JldHMgZ2VuZXJhdGVkIGluIFBSRV9BVVRIIGNhbiB1c2UgdGhlIGV4aXN0aW5n
IHJla2V5aW5nIG1lY2hhbmlzbSB0byB1cGRhdGUgdGhlIFNBIHRvIGJlIFFTOg0KDQpLRVlNQVQg
PSBwcmYrKFNLX2QsIFFTX1NFQ1JFVCB8IE5pIHwgTnIpDQoNClNvbWV0aGluZyB0byBrZWVwIGlu
IG1pbmQgaXMgdGhhdCBtYW55IFFTIGtleSBhZ3JlZW1lbnQgYWxnb3JpdGhtcyBkb27igJl0IGhh
dmUgZXhhY3RseSB0aGUgc2FtZSBtZXNzYWdlIGZsb3cgYXMgRGlmZmllIEhlbGxtYW4uICBXaXRo
IERILCBlYWNoIGVuZHBvaW504oCZcyBwdWJsaWMvcHJpdmF0ZSBrZXlzIGNhbiBiZSBnZW5lcmF0
ZWQgaW5kZXBlbmRlbnRseSBvZiBlYWNoIG90aGVyLiBCdXQgbWFueSBRUyBhbGdvcml0aG1zIGhh
dmUgYW4gaW5pdGlhdG9yLXJlc3BvbmRlciBmbG93LCBzbyB0aGUgcmVzcG9uZGVyIGNhbiBvbmx5
IGdlbmVyYXRlIGl0cyBwdWJsaWMga2V5IG9uY2UgaXQgaGFzIHByb2Nlc3NlZCB0aGUgaW5pdGlh
dG9y4oCZcyBwdWJsaWMga2V5LiBXZSBqdXN0IG5lZWQgdG8ga2VlcCB0aGlzIGluIG1pbmQgd2hl
biBkZXNpZ25pbmcgdGhlIGZsb3cgb2YgdGhlIFBSRV9BVVRIIG1lc3NhZ2VzLiBBbiBpbml0aWF0
b3IgY2Fu4oCZdCBzZW5kIHRoZSBmaXJzdCBjaHVuayBvZiBhIHB1YmxpYyBrZXksIGFuZCB0aGUg
cmVzcG9uZGVyIHJlcGx5IHdpdGggdGhlIGZpcnN0IGNodW5rIG9mIHRoZWlyIHB1YmxpYyBrZXks
IHRoZSByZXNwb25kZXIgd291bGQgbmVlZCB0byBwcm9jZXNzIGFsbCBpbml0aWF0b3IgY2h1bmtz
IGZvciB0aGF0IGtleSBmaXJzdC4gVGhpcyBtZWFucyB0aGUgaW5pdGlhdG9yIHdvdWxkIGhhdmUg
dG8gc2VuZCBhIHNwZWNpYWwgYWNrbm93bGVkZ2VtZW50IHJlc3BvbnNlIGZvciBjaHVua3MgdGhh
dCBkb27igJl0IGNvbXBsZXRlIGEgcHVibGljIGtleSByYXRoZXIgdGhhbiByZXNwb25kaW5nIHdp
dGggYSBwYXJ0aWFsIGtleSB3aGVuIHJlY2VpdmluZyBhIHBhcnRpYWwga2V5Lg0KDQpBbHNvIG5v
dGUgdGhhdCBTdHJvbmdTd2Fu4oCZcyBjb2RlIGFzc3VtZXMgdGhhdCBJS0VfQVVUSCB3aWxsIGFs
d2F5cyBoYXZlIGEgbWVzc2FnZSBJRCBvZiAxLCBidXQgdGhpcyB3b27igJl0IGhvbGQgaWYgdGhl
cmUgYXJlIG9uZSBvciBtb3JlIFBSRV9BVVRIIGV4Y2hhbmdlcy4gSSB3YXMgYWJsZSB0byB1cGRh
dGUgU3Ryb25nU3dhbiB0byByZW1vdmUgdGhhdCBhc3N1bXB0aW9uIGFuZCBpbnN0ZWFkIGNoZWNr
IGFnYWluc3QgSUtFX0FVVEjigJlzIGFjdHVhbCBtZXNzYWdlIElELiBJdOKAmXMgbm90IGNsZWFy
IHRvIG1lIHdoZXRoZXIgR3JhaGFt4oCZcyBJS0VfU0FfSU5JVCBmcmFnbWVudGF0aW9uIHdvdWxk
IGFsc28gc3VmZmVyIGZyb20gdGhpcyBpc3N1ZSwgSSBzdXNwZWN0IHRoYXQgdGhlIElLRV9TQV9J
TklUIGZyYWdtZW50cyB3b3VsZCBuZWVkIGluY3JlbWVudGluZyBtZXNzYWdlIElEcyBzbyBlbmRw
b2ludHMgZG9u4oCZdCBkaXNjYXJkIHRoZW0/IEhvcGVmdWxseSBvdGhlciBpbXBsZW1lbnRhdGlv
bnMgZWl0aGVyIGRvbuKAmXQgaGF2ZSB0aGlzIGFzc3VtcHRpb24gb3IgYXJlIGVxdWFsbHkgZWFz
eSB0byBtb2RpZnkuDQoNClRlcm8gc2F5czoNCg0KTm90ZSwgdGhhdCB0aGUgUFJFX0FVVEggaGFw
cGVuaW5nIGJldHdlZW4gSUtFX1NBX0lOSVQgYW5kIElLRV9BVVRIDQp3b3VsZCBiZSBlbmNyeXB0
ZWQsIGFuZCBNQUNlZCwgYnV0IGl0IFdJTEwgTk9UIGJlIGF1dGhlbnRpY2F0ZWQsIGkuZS4sDQp3
ZSBoYXZlIG5vdCB5ZXQgYXV0aGVudGljYXRlZCB0aGUgb3RoZXIgcGVlciwgYW5kIHdlIHdpbGwg
bm90IGluY2x1ZGUNCnRob3NlIG9jdGV0cyB0byB0aGUgQVVUSCBwYXlsb2FkIGNhbGN1bGF0aW9u
cywgc28gdGhleSB3aWxsIG5vdCBiZQ0KYXV0aGVudGljYXRlZCBpbiBBVVRIIHBoYXNlLCBsaWtl
IHRoZSBJS0VfU0FfSU5JVCBjb250ZW50cyB3aWxsIGJlDQphdXRoZW50aWNhdGVkLg0KDQpDb3Vs
ZG7igJl0IHRoZSBJRGkgYW5kIElEciBwYXlsb2FkcyBpbiBJS0VfQVVUSCBiZSBtb2RpZmllZCB0
byBzaWduIHRoZSBQUkVfQVVUSCBtZXNzYWdlIGluIGFkZGl0aW9uIHRvIHRoZSBJS0VfU0FfSU5J
VCBtZXNzYWdlPw0KDQpUZXJvIHNheXM6DQoNCkkgdGhpbmsgdGhpcyBraW5kIG9mIHN0ZXAgYmV0
d2VlbiBJS0VfU0FfSU5JVCBhbmQgSUtFX0FVVEggbWlnaHQgYmUNCmVhc2llc3QgYW5kIG1vc3Qg
Z2VuZXJpYyB3YXkgb2YgdHJhbnNmZXJyaW5nIHRoZSBRU0tFIGRhdGEuDQoNCkkgZGVmaW5pdGVs
eSBhZ3JlZSA6LSkNCg0KDQozKSBSZWtleWluZy9DaGlsZCBDcmVhdGlvbg0KDQpHcmFoYW3igJlz
IHN1Z2dlc3Rpb24gd29ya3MgZW50aXJlbHkgaW4gSUtFX1NBX0lOSVQsIHNvIGlmIG5ldyBTQSBp
cyBjcmVhdGVkIG9yIG9uZSBpcyByZWtleWVkIGl04oCZcyBub3QgY2xlYXIgaG93IHRoZSBRUyBw
dWJsaWMga2V5cyB3b3VsZCBiZSBleGNoYW5nZWQuIFRoZXkgY291bGQgYmUgaW5jbHVkZWQgaW4g
YSBwYXlsb2FkIG9mIENSRUFURV9DSElMRF9TQSwgYnV0IHRoaXMgd2lsbCBydW4gdXAgYWdhaW5z
dCB0aGUgNjRLIGJhcnJpZXIuIFNpbWlsYXIgZnJhZ21lbnRhdGlvbiBjb3VsZCBiZSBhZGRlZCB0
byBDUkVBVEVfQ0hJTERfU0EgYXMgd291bGQgYmUgYWRkZWQgdG8gSUtFX1NBX0lOSVQsIGhvd2V2
ZXIgdGhhdCBjb3VsZCBtYWtlIHRoaW5ncyBsZXNzIGVsZWdhbnQgYW5kIGNvdWxkIHJlc3VsdCBp
biBkdXBsaWNhdGlvbiBvZiBsb2dpYyBiZXR3ZWVuIElLRV9TQV9JTklUIGFuZCBDUkVBVEVfQ0hJ
TERfU0EuDQoNCkFzIG15IGludmVzdGlnYXRpb25zIGRpZG7igJl0IGFjY291bnQgZm9yID4gNjRL
IFFSIHB1YmxpYyBrZXlzLCBJIGhhdmVu4oCZdCBjb25zaWRlcmVkIHRoaXMgZnVsbHkgeWV0LCBi
dXQgd291bGQgYWRkaW5nIGEgSUtFX1FTX0tFIGV4Y2hhbmdlIGFmdGVyIENSRUFURV9DSElMRF9T
QSBzaW1wbGlmeSB0aGluZ3MgaGVyZT8gU2luY2UgQ1JFQVRFX0NISUxEX1NBIGFscmVhZHkgdGFr
ZXMgYWR2YW50YWdlIG9mIElLRXYy4oCZcyBmcmFnbWVudGF0aW9uLCBDUkVBVEVfQ0hJTERfU0Eg
Y291bGQgaGFuZGxlIG1vc3QgUVNfS0UgcGF5bG9hZHMgd2l0aG91dCBhZGRpdGlvbmFsIGZyYWdt
ZW50YXRpb24gc28gbWF5YmUgaXQgd291bGQgYmUgb3ZlcmtpbGwgdG8gbW92ZSBjaGlsZC9yZWtl
eSBRU19LRSBwYXlsb2FkcyBpbnRvIGEgc3Vic2VxdWVudCBleGNoYW5nZS4gQnV0IGl0IHdvdWxk
IHN0aWxsIG5lZWQgc29tZSB3YXkgdG8gaGFuZGxlID42NEsga2V5cy4NCg0KVGVyb+KAmXMgc3Vn
Z2VzdGlvbiBjb3VsZCBwcm9iYWJseSBiZSBleHRlbmRlZCB0byBjb3ZlciBhZGRpdGlvbmFsIFBS
RV9BVVRIIChJS0VfUVNfS0UgOi0pICkgZXhjaGFuZ2VzIGFmdGVyIENSRUFURV9DSElMRF9TQSwN
Cg0KRm9yIGFueSBzb2x1dGlvbiB3aXRoIG11bHRpcGxlIGV4Y2hhbmdlcyB0aGVyZSBtYXkgYmUg
YW4gaW1wbGVtZW50YXRpb24gaXNzdWUgd2hlcmUgdGhlIGVuZHBvaW50cyBhcmUgdHJ5aW5nIHRv
IHNlbmQgYXBwbGljYXRpb24gZGF0YSBhZnRlciB0aGUgY2xhc3NpY2FsIHJla2V5IGlzIGRvbmUg
YnV0IGJlZm9yZSB0aGUgUVMgcmVrZXkgY29tcGxldGVzLg0KDQoNCjQpIFRoYXQgd2FzIGxvbmcN
Cg0KSG9wZWZ1bGx5IHRoaXMgd2FzbuKAmXQgdG9vIGxvbmctd2luZGVkLiBJ4oCZZCBiZSBpbnRl
cmVzdGVkIGluIGhlYXJpbmcgaWYgYW55b25lIHRoaW5rcyBhbnkgb2YgdGhlc2UgaWRlYXMgYXJl
IHdvcnRoIGZ1cnRoZXIgaW52ZXN0aWdhdGlvbiBhbmQgd291bGQgYmUgZ2xhZCB0byBwcm92aWRl
IGFueSByZXNvdXJjZXMgdG8gZGV2ZWxvcCB0aGVzZSBpZGVhcyBmdXJ0aGVyLg0KDQo0LjEpIEEg
bm90ZSBvbiAiUXVhbnR1bS1TYWZl4oCdIChRUykgdnMg4oCcUXVhbnR1bS1SZXNpc3RhbnTigJ0g
KFFSKQ0KDQpJ4oCZdmUgdHJpZWQgdG8gdXNlIFFTIGluIG15IHJlc3BvbnNlIHRvIGJlIGNvbnNp
c3RlbnQgd2l0aCBHcmFoYW0gJiBDSuKAmXMgaW5pdGlhbCBtZXNzYWdlcyBhbmQgZHJhZnQsIGhv
d2V2ZXIgaW4gbXkgZXhwZXJpZW5jZSDigJxRdWFudHVtLVNhZmXigJ0gaGFzIGJlZW4gdXNlZCB0
byByZWZlciB0byBhbnl0aGluZyB0aGF0IGNhbuKAmXQgYmUgYnJva2VuIGJ5IGEgcXVhbnR1bSBj
b21wdXRlciwgbWVhbmluZyBib3RoIGFsZ29yaXRobXMgd2hpY2ggYXJlbuKAmXQgdnVsbmVyYWJs
ZSB0byBTaG9y4oCZcyBvciBHcm92ZXLigJlzIGFsZ29yaXRobXMgYnV0IGFyZSBydW5uaW5nIG9u
IGNsYXNzaWNhbCBjb21wdXRlcnMsIGFzIHdlbGwgYXMgdHJ1ZSBxdWFudHVtIHByb2Nlc3NlcyBs
aWtlIHF1YW50dW0ga2V5IGRpc3RyaWJ1dGlvbiAoUUtEKS4g4oCcUXVhbnR1bS1SZXNpc3RhbnTi
gJ0gaGFzIGJlZW4gdXNlZCB0byByZWZlciB0byBRUyB3aXRob3V0IFFLRCwgaS5lLiBqdXN0IGFs
Z29yaXRobXMgcnVubmluZyBvbiBjbGFzc2ljYWwgY29tcHV0ZXJzIHdoaWNoIGFyZW7igJl0IHZ1
bG5lcmFibGUgdG8gcXVhbnR1bSBhdHRhY2suIFNvIGluIG15IG9waW5pb24gYWxsIG9mIHRoZSB3
b3JrIHdlIGFyZSBkb2luZyBoZXJlIHNob3VsZCBiZSBsYWJlbGVkIFF1YW50dW0gUmVzaXN0YW50
IHJhdGhlciB0aGFuIFF1YW50dW0gU2FmZS4gWU1NVi4NCg0KDQrigJQNCkRhbmllbCBWYW4gR2Vl
c3QgKGRhbmllbC52YW5nZWVzdEBpc2FyYS5jb208bWFpbHRvOmRhbmllbC52YW5nZWVzdEBpc2Fy
YS5jb20+KQ0KaHR0cHM6Ly93d3cuaXNhcmEuY29tLw0KDQpPbiBBdWcgMywgMjAxNywgYXQgNzo1
NyBBTSwgR3JhaGFtIEJhcnRsZXR0IChncmJhcnRsZSkgPGdyYmFydGxlQGNpc2NvLmNvbTxtYWls
dG86Z3JiYXJ0bGVAY2lzY28uY29tPj4gd3JvdGU6DQoNCkhpDQoNCkFmdGVyIGxpc3RlbmluZyB0
byB0aGUgUHJhZ3VlIG1lZXRpbmcgRGFuIEhhcmtpbnMgcmFpc2VkIHRoZSBwb2ludCB0aGF0IHRo
ZSBRdWFudHVtIFJlc2lzdGFudCBJS0V2MiBpbXBsZW1lbnRhdGlvbiBzaG91bGQgcHJvdGVjdCBw
YXNzaXZlIGF0dGFja3MsIHdoZXJlIHRyYWZmaWMgdGhhdCB0cmFmZmljIHRoYXQgaXMgc2VudCBh
bmQgaXMgY2FwdHVyZWQgdG9kYXkgc2hvdWxkIGJlIHJlc2lsaWVudCB0byBhbiBhZHZlcnNhcnkg
d2l0aCBhIHF1YW50dW0gY29tcHV0ZXIgaW4gdGhlIGZ1dHVyZS4gQnV0IHRoZSBRdWFudHVtIFJl
c2lzdGFudCBJS0V2MiBkb2VzIG5vdCBoYXZlIHRvIHByb3RlY3QgYWdhaW5zdCBhbiBhZHZlcnNh
cnkgd2l0aCBhIHF1YW50dW0gY29tcHV0ZXIgaW4gdGhlIGZ1dHVyZSB3aG8gY2FuIHBlcmZvcm0g
YW4gYWN0aXZlIGF0dGFjay4NCg0KU29tZW9uZSBlbHNlIChjYW7igJl0IHJlbWVtYmVyIHdobykg
c3VnZ2VzdGVkIHRoZSBxdWFudHVtIHJlc2lzdGFudCDigJhibG9i4oCZIGJlIHNlbnQgaW4gSUtF
X0FVVEggYXMgaXQgd2lsbCBiZSBsYXJnZSBhbmQgcHJvYmFibHkgZnJhZ21lbnRhdGlvbi4gT2J2
aW91c2x5IGZvciB0aGlzIHRoZSBuYXR1cmFsIGNob2ljZSBpcyB0byB1c2UgdGhlIElLRXYyIEZy
YWdtZW50YXRpb24gbWVjaGFuaXNtIGRlZmluZWQgaW4gUkZDNzM4My4NCg0KQSBmZXcgd2Vla3Mg
YWdvIEkgZGV2ZWxvcGVkIGEgbWV0aG9kIHRvIHNlbmQgdGhlIHF1YW50dW0gcmVzaXN0YW50IOKA
mGJsb2LigJkgaW4gSUtFX1NBX0lOSVQsIHRoaXMgaXMgdG8gYW1lbmQgaHR0cHM6Ly90b29scy5p
ZXRmLm9yZy9odG1sL2RyYWZ0LXRqaGFpLWlwc2VjbWUtaHlicmlkLXFza2UtaWtldjItMDAuIEFm
dGVyIGhlYXJpbmcgdGhlIGRpc2N1c3Npb24gZGVzY3JpYmVkIGFib3ZlIEkgd2FzIGdvaW5nIHRv
IHBhcmsgdGhpcyBpZGVhIGFuZCBuZXZlciBzcGVhayBvZiBpdCBhZ2FpbiwgaG93ZXZlciBiZWZv
cmUgSSBkbyB0aGlzIEnigJlkIGxpa2UgdG8gc2hhcmUgd2l0aCB0aGUgZ3JvdXAgZm9yIGNvbW1l
bnRzLg0KDQpJIHBlcnNvbmFsbHkgZmVlbCB0aGlzIGlzIGFuIGVsZWdhbnQgYW5kIHNpbXBsZSBt
ZXRob2QgdG8gYWNoaWV2ZSBzZW5kaW5nIG9uZSBvciBtb3JlIHF1YW50dW0gcmVzaXN0YW50IOKA
mGJsb2Jz4oCZLiBUaGUgbWFpbiBiZW5lZml0cyBiZWluZzsNCg0KDQoxLiAgICAgIFRoZSBJS0Vf
QVVUSCBleGNoYW5nZSBpcyBwcm90ZWN0ZWQgdXNpbmcgdGhlIHF1YW50dW0gc2VjdXJlIGFsZ29y
aXRobXMuIFNvIGFsbCBhdHRyaWJ1dGVzIHdpdGhpbiB0aGUgSUtFIGV4Y2hhbmdlIGFyZSBwcm90
ZWN0ZWQgYWdhaW5zdCBwYXNzaXZlIGF0dGFja3MsIHdoaWNoIHdvdWxkbuKAmXQgYmUgdGhlIGNh
c2Ugc2hvdWxkIHRoZSBxdWFudHVtIHJlc2lzdGFudCDigJhibG9i4oCZIGJlIHNlbnQgaW4gSUtF
X0FVVEguDQoNCg0KDQoyLiAgICAgIFRoaXMgYWxsb3dzIGZvciBhIHF1YW50dW0gcmVzaXN0YW50
IGF1dGhlbnRpY2F0aW9uIG1ldGhvZCB0byBiZSBpbnRyb2R1Y2VkIGludG8gSUtFX0FVVEggaW4g
dGhlIGZ1dHVyZSwgdGhlcmVmb3JlIHByb3RlY3RpbmcgYWdhaW5zdCBhY3RpdmUgYXR0YWNrcyB3
aXRoIGEgcXVhbnR1bSBjb21wdXRlciBzaG91bGQgdGhpcyBvY2N1ci4NCg0KDQoNCjMuICAgICAg
QSBzaW1wbGUgbWV0aG9kIHRvIGZyYWdtZW50IHRoZSBxdWFudHVtIHNlY3VyZSBrZXkgZXhjaGFu
Z2UgZGF0YSBpbiBJS0VfU0FfSU5JVCBpcyBpbmNsdWRlZCwgaG93ZXZlciB0aGlzIGlzIG5vdCBt
YW5kYXRvcnkuIEZyb20gcGVyc29uYWwgZXhwZXJpZW5jZSBJ4oCZdmUgc2VlbiBhIGZldyBjYXNl
cyB3aGVyZSBSRkMgNzM4MyBmcmFnbWVudGF0aW9uIGlzIHJlcXVpcmVkIHRvZGF5LCBob3dldmVy
IHRoZSB2YXN0IG1ham9yaXR5IG9mIGN1c3RvbWVyIGltcGxlbWVudGF0aW9ucyBkbyBub3QgZXhw
ZXJpZW5jZSBpc3N1ZXMgd2l0aCBJUCBmcmFnbWVudHMgYmVpbmcgZGVuaWVkIGFuZCBzbyBkbyBu
b3QgcmVxdWlyZSB0aGUgZnVuY3Rpb25hbGl0eSBwcm92aWRlZCBieSBSRkM3MzgzIChidXQgZm9y
IHRoZSBjYXNlcyB3aGVyZSBpdOKAmXMgbmVlZGVkLCBpdOKAmXMgYSBsaWZlc2F2ZXIpLg0KDQoN
Cg0KNC4gICAgICBUaGUgbGFyZ2UgcXVhbnR1bSByZXNpc3RhbnQg4oCYYmxvYuKAmSBvZiBkYXRh
IGlzIG9ubHkgc2VudCB3aGVuIGl0IGlzIGtub3duIHRoYXQgdGhlIHBlZXIgd2lsbCBhY2NlcHQg
dGhpcy4gVGhpcyBtaW5pbWlzZXMgZGVsYXlzIHdoZW4gZXN0YWJsaXNoaW5nIElLRXYyIFNBcyBh
bmQgbWluaW1pc2VzIHRoZSByaXNrIG9mIERvUyAoc2VlIHBvaW50IDcpLg0KDQoNCg0KNS4gICAg
ICBCYWNrd2FyZHMgY29tcGF0aWJpbGl0eSBpcyBtYWludGFpbmVkLCB3aXRoIG1pbmltYWwgcmlz
ayB0aGF0IHRoZSBhZGRpdGlvbiBvZiBhIHF1YW50dW0gcmVzaXN0YW50IGV4Y2hhbmdlIGNvdWxk
IGNhdXNlIGFibm9ybWFsIGJlaGF2aW91ciB3aXRoIGRldmljZXMgdGhhdCBkbyBub3Qgc3VwcG9y
dCB0aGUgbmV3IGF0dHJpYnV0ZXMuIFRoZSBRU0tFIGFyZSBhZHZlcnRpc2VkIHVzaW5nIGEgdHJh
bnNmb3JtIHR5cGUgNCBncm91cHMuDQoNCg0KDQo2LiAgICAgIFRoaXMgaWRlYSBhbGxvd3MgZm9y
IGFsZ29yaXRobSBhZ2lsaXR5LCB3aGVyZSBtdWx0aXBsZSBxdWFudHVtIHJlc2lzdGFudCBhbGdv
cml0aG1zIGNhbiBiZSB1c2VkIGluIGFkZGl0aW9uIHRvIGEgc2luZ2xlIGNsYXNzaWMgREggKGFz
IHBlciBSRkM3Mjk2KS4gUFEgYWxnb3JpdGhtcyB3aXRoIHB1YmxpYyBkYXRhIHNpemUgbGFyZ2Vy
IHRoYW4gNjUsNTM2IG9jdGV0cyBhcmUgYWxzbyBzdXBwb3J0ZWQuDQoNCg0KDQo3LiAgICAgIFdp
dGggcmVnYXJkcyB0byBmcmFnbWVudGF0aW9uIGF0dGFja3MsIHRoZSB1c2Ugb2YgZnJhZ21lbnRh
dGlvbiBpbiB0aGlzIGlkZWEgaGFzIHRoZSBzYW1lIHNlY3VyaXR5IGFzIG9mIFJGQzczODMuIFdo
ZXJlYnkgYW4gYXR0YWNrZXIgdGhhdCByZXZlYWxzIGhlciB0cnVlIElQIGFkZHJlc3MgY2FuIHNl
bmQgbXVsdGlwbGUgZnJhZ21lbnRzLCBidXQgbm90IHRoZSBjb21wbGV4IGNoYWluLg0KDQoNClRo
ZSBmb2xsb3dpbmcgaXMgdGhlIGlkZWEsIGFueSBxdWVzdGlvbnMsIHBsZWFzZSBmZWVsIGZyZWUg
dG8gYXNrLg0KDQoNCg0KDQoNClFTS0UgTm90aWZ5DQoNCkZvciBkZXZpY2VzIHRoYXQgYXJlIG9w
ZXJhdGluZyBpbiBhIG1lc2ggbmV0d29yaywgd2hlcmUgbWFueSBkZXZpY2VzIGhhdmUgbXVsdGlw
bGUgcGVlcnMsIHdoZXJlIHBlZXJzIGFyZSB1c2luZyB2YXJ5aW5nIFFTS0UgZ3JvdXBzLiBJbiB0
aGVzZSBpbnN0YW5jZXMgdGhlIFFTS0UgdGhhdCBpcyBwcmVmZXJyZWQgYnkgdGhlIEluaXRpYXRv
ciBtaWdodCBub3QgYmUgYXZhaWxhYmxlIG9yIHByZWZlcnJlZCBvbiB0aGUgUmVzcG9uZGVyLiBU
byBvdmVyY29tZSBzY2VuYXJpb3Mgd2hlcmUgdGhlIEluaXRpYXRvciB3aWxsIHNlbmQgYSBRU0tF
IHdoaWNoIGlzIGxhcmdlIGluIHNpemUgYW5kIG5vdCBzdXBwb3J0ZWQgYnkgdGhlIFJlc3BvbmRl
ciwgKHRoZXJlZm9yZSB3YXN0aW5nIHRpbWUgYW5kIHJlc291cmNlKSwgdGhlIFFTS0UgTm90aWZ5
IHBheWxvYWQgY2FuIGJlIHVzZWQgdG8gcXVlcnkgdGhlIHJlc3BvbmRlciB0byBkZXRlcm1pbmUg
dGhlIHN1cHBvcnRlZCBzZWN1cml0eSBhc3NvY2lhdGlvbiBhdHRyaWJ1dGVzLiBUaGUgUVNLRSBO
b3RpZnkgcGF5bG9hZCBpcyBzZW50IGJ5IHRoZSBJbml0aWF0b3IsIHdoaWNoIGFsc28gZXhjbHVk
ZXMgdGhlIFFTS0UgcGF5bG9hZCAoaG93ZXZlciBhIHNpbmdsZSBLRSBwYXlsb2FkIHNob3VsZCBi
ZSBpbmNsdWRlZCBmb3IgYmFja3dhcmRzIGNvbXBhdGliaWxpdHkpLiBJZiB0aGUgUmVzcG9uZGVy
IHN1cHBvcnRzIHRoZSBRU0tFIG5vdGlmeSBwYXlsb2FkIGl0IHJlcGxpZXMgd2l0aCB0aGUgYWNj
ZXB0ZWQgc2VjdXJpdHkgYXNzb2NpYXRpb25zICh3aGljaCBpbmNsdWRlcyBvbmUgY2xhc3NpYyBE
SCBncm91cCBhbmQgPj0xIFFTS0UgZ3JvdXAsIHRoZXNlIGFyZSBzZW50IGFzIGdyb3VwcyB3aXRo
aW4gdHJhbnNmb3JtIHR5cGUgNC4gTW9zdCBvZiB0aGUgdGltZSwgd2Ugd2lsbCBiZSB1c2luZyBv
bmUgUFEgYWxnb3JpdGhtLCByYXRoZXIgdGhhbiBtdWx0aXBsZS4gVGhlIFJlc3BvbmRlciB3aWxs
IGFsc28gaW5jbHVkZXMgdGhlIENPT0tJRSBub3RpZmljYXRpb24sIG5vdGUgdGhlIFJlc3BvbmRl
ciBkb2VzIG5vdCBzZW5kIHRoZSBLRSBvciBRU0tFIHBheWxvYWQuIFRoZSBJbml0aWF0b3IgY2Fu
IG5vdyBzZWxlY3QgdGhlIGNvcnJlY3Qgc2VjdXJpdHkgYXNzb2NpYXRpb24gYWxnb3JpdGhtcyBp
dCBpbnRlbmRzIHRvIHVzZSwgaW5jbHVkaW5nIHRoZSBjb3JyZWN0IGNsYXNzaWMgREggYW5kIFFT
S0UgYW5kIHJlcGx5IHVzaW5nIHRoZSBDT09LSUUuDQoNCkFsdGhvdWdoIHRoZSBDT09LSUUgZG9l
cyBub3QgcHJvdmlkZSBwcm90ZWN0aW9uIGFnYWluc3QgRG9TIGF0dGFja3MsIHdoZXJlYnkgYW4g
YXR0YWNrZXIgc2VuZHMgbWFueSBmcmFnbWVudHMgYnV0IGRvZXMgbm90IGNvbXBsZXRlIHRoZSBm
cmFnbWVudCBjaGFpbiwgaXQgZG9lcyBlbnN1cmUgdGhhdCB0aGUgYXR0YWNrZXIgcmV2ZWFscyB0
aGVpciBvd24gSVAgYWRkcmVzcy4gTm90ZSB0aGF0IFJGQyA3MzgzIGlzIGFsc28gcHJvbmUgdG8g
dGhpcyBhdHRhY2sgd2hpY2ggaXMgZGVzY3JpYmVkIHdpdGhpbiB0aGUgc2VjdXJpdHkgY29uc2lk
ZXJhdGlvbnMuDQoNClNob3VsZCBhbiBJS0UgZ2F0ZXdheSBiZSB1bmRlciBhIGZyYWdtZW50YXRp
b24gYXR0YWNrLCBkcm9wcGluZyB0cmFmZmljIGZyb20gYSBwZWVyIHRoYXQgZG9lcyBub3QgY29t
cGxldGUgdGhlIGZyYWdtZW50IGNoYWluIGNhbiBiZSB1c2VkIGFzIGEgc2ltcGxlIHByb3RlY3Rp
dmUgbWVjaGFuaXNtIHRvIG1pbmltaXNlIHRoZSBpbXBhY3Qgb2YgZnV0dXJlIGF0dGFja3MuDQoN
CkZvciBpbXBsZW1lbnRhdGlvbnMgdGhhdCBkbyBub3Qgc3VwcG9ydCB0aGUgdXNlIG9mIHRoZSBR
U0tFLCB0aGUgUVNLRSBOb3RpZnkgcGF5bG9hZCB3aWxsIGJlIGlnbm9yZWQgYW5kIHRoZSBJS0V2
MiBleGNoYW5nZSB3aWxsIGNvbnRpbnVlIGFzIHBlciBSRkM3Mjk2LiBUaGUgUVNLRSBOb3RpZnkg
cGF5bG9hZCBjYW4gYmUgdXNlZCB0byBtaW5pbWlzZSBpbnRlci1vcCBpc3N1ZXMgd2l0aCBRU0tF
IGFuZCBub24gUVNLRSBpbXBsZW1lbnRhdGlvbnMuDQoNClRoZSBRU0tFIE5vdGlmeSBwYXlsb2Fk
IGNhbiBiZSBtYXJrZWQgYXMgY3JpdGljYWwgZm9yIGRldmljZXMgdGhhdCBtYW5kYXRlIHRoZSB1
c2Ugb2YgUVNLRSB0byBwcm90ZWN0IElLRS4NCg0KUVNLRSBOb3RpZmljYXRpb24gUGF5bG9hZA0K
DQogICAgICAgICAgICAgICAgICAgICAgICAxICAgICAgICAgICAgICAgICAgIDIgICAgICAgICAg
ICAgICAgICAgMw0KICAgIDAgMSAyIDMgNCA1IDYgNyA4IDkgMCAxIDIgMyA0IDUgNiA3IDggOSAw
IDEgMiAzIDQgNSA2IDcgOCA5IDAgMQ0KICAgKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSsNCiAgIHwgTmV4dCBQYXlsb2FkICB8
Q3wgIFJFU0VSVkVEICAgfCAgICAgICAgIFBheWxvYWQgTGVuZ3RoICAgICAgICB8DQogICArLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKw0KICAgfCAgUHJvdG9jb2wgSUQgIHwgICBTUEkgU2l6ZSAgICB8ICAgICAgTm90aWZ5IE1l
c3NhZ2UgVHlwZSAgICAgIHwNCiAgICstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rDQogICB8ICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfA0KICAgfiAgICAgICAg
ICAgICAgICAgICAgICAgTm90aWZpY2F0aW9uIERhdGEgICAgICAgICAgICAgICAgICAgICAgIH4N
CiAgIHwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICB8DQogICArLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKw0KDQrigJTigJTigJTigJQNCkEgUXVhbnR1bSBTYWZl
IEtleSBFeGNoYW5nZSBQYXlsb2FkDQoNClRoZSBxdWFudHVtLXNhZmUga2V5IGV4Y2hhbmdlIHBh
eWxvYWQsIGRlbm90ZWQgUVNLRSBpbiB0aGlzIGRvY3VtZW50LCBpcyB1c2VkIHRvIGV4Y2hhbmdl
IGEgcXVhbnR1bS1zYWZlIHNoYXJlZCBzZWNyZXQgYmV0d2VlbiB0d28gSUtFIHBlZXJzLiAgVGhl
IFFTS0UgcGF5bG9hZCBjb25zaXN0cyBvZiB0aGUgSUtFIGdlbmVyaWMgcGF5bG9hZCBoZWFkZXIs
IGEgdHdvLW9jdGV0IHZhbHVlIGRlbm90aW5nIHRoZSBRdWFudHVtLVNhZmUgR3JvdXAgbnVtYmVy
LCBhbmQgZm9sbG93ZWQgYnkgdGhlIHF1YW50dW0tc2FmZSBkYXRhIGl0c2VsZi4NCg0KVGhlIEZy
YWdtZW50IGJpdCwgZGVub3RlZCBGIChiZWxvdyksIHNwZWNpZmllcyBpZiB0aGUgUVNLRSBpcyBm
cmFnbWVudGVkLiBJZiB0aGlzIGlzIHNldCB0byAnMScsIG1lYW5pbmcgdGhlIFFTS0UgaXMgZnJh
Z21lbnRlZCB0aGUgRnJhZ21lbnQgTnVtYmVyIGFuZCBUb3RhbCBGcmFnbWVudHMgZmllbGRzIHdp
bGwgYmUgcG9wdWxhdGVkLiBJZiB0aGUgRnJhZ21lbnQgYml0IGlzIG5vdCBzZXQgKHNldCB0byAn
MCcpLCB0aGVuIHRoZSBGcmFnbWVudCBOdW1iZXIgYW5kIFRvdGFsIEZyYWdtZW50cyBmaWVsZHMg
d2lsbCBub3QgZXhpc3QuIFRoZSBGcmFnbWVudCBOdW1iZXIgaXMgdXNlZCBzaG91bGQgdGhlIFF1
YW50dW0tU2FmZSBEYXRhIGJlIHRvbyBsYXJnZSB0byBmaXQgd2l0aGluIGEgc2luZ2xlIHBheWxv
YWQuIFRoZSBGcmFnbWVudCBOdW1iZXIgaXMgdGhlIGZpcnN0IGZyYWdtZW50LCBpbmNyZWFzaW5n
IGJ5IG9uZSBmb3IgZXZlcnkgb3RoZXIgZnJhZ21lbnQgdGhhdCBpcyBzZW50LiBUaGUgVG90YWwg
RnJhZ21lbnRzIGZpZWxkIGRlbm90ZXMgdGhlIG1heGltdW0gbnVtYmVyIG9mIGZyYWdtZW50cyB0
aGF0IGNvbnRhaW4gdGhlIFF1YW50dW0tU2FmZSBEYXRhLg0KDQpUaGUgUVNLRSBpcyBuZWFybHkg
aWRlbnRpY2FsIHRvIHRoZSBLRSBwYXlsb2FkLCBob3dldmVyIHRoZSBGcmFnbWVudCBiaXQgaWRl
bnRpZmllcyBpZiB0aGUgcmVjZWl2ZXIgc2hvdWxkIGhhbmRsZSB0aGlzIGluIGEgZGlmZmVyZW50
IG1hbm5lciB0byB0aGUgS0UgcGF5bG9hZC4gVGhlIEtFIGFuZCBRU0tFIGFyZSBuZWdvdGlhdGVk
L2FkdmVydGlzZWQgdXNpbmcgdGhlIHRyYW5zZm9ybSB0eXBlIDQgKERpZmZpZSBIZWxsbWFuIGdy
b3VwcykuICBCeSBpbmNsdWRpbmcgdGhlIFFTS0UgaW4gdGhlIHNhbWUgdHJhbnNmb3JtIHR5cGUg
NCBhcyBjbGFzc2ljIERIIGFsbG93cyBmb3IgbWluaW1hbCBjb25maWd1cmF0aW9uIGNoYW5nZXMg
Zm9yIGN1cnJlbnQgaW1wbGVtZW50YXRpb25zIHdoZW4gY29uZmlndXJpbmcgYm90aCBESCBhbmQg
UVNLRSBHcm91cHMuDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgIDEgICAgICAgICAgICAg
ICAgICAgMiAgICAgICAgICAgICAgICAgICAzDQogICAgICAgMCAxIDIgMyA0IDUgNiA3IDggOSAw
IDEgMiAzIDQgNSA2IDcgOCA5IDAgMSAyIDMgNCA1IDYgNyA4IDkgMCAxDQogICAgICArLSstKy0r
LSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSst
Kw0KICAgICAgfCBOZXh0IFBheWxvYWQgIHxDfEZ8IFJlc2VydmVkICB8ICAgICAgICAgICAgUGF5
bG9hZCBMZW5ndGggICAgIHwNCiAgICAgICstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rDQogICAgICB8ICAgIFF1YW50dW0tU2Fm
ZSBHcm91cCBOdW0gICAgIHwgICAgICAgICAgIFJFU0VSVkVEICAgICAgICAgICAgfA0KICAgICAg
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSsNCiAgICAgIH4gICAgICAgIEZyYWdtZW50IE51bWJlciAgICAgICAgICAgIHwgICAg
IFRvdGFsIEZyYWdtZW50cyAgICAgICB+DQogICAgICArLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKw0KICAgICAgfCAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwN
CiAgICAgIH4gICAgICAgICAgICAgICAgICAgICAgIFF1YW50dW0tU2FmZSBEYXRhICAgICAgICAg
ICAgICAgICAgICAgICB+DQogICAgICB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfA0KICAgICAgKy0rLSstKy0rLSstKy0rLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSsNCg0KVGhlIHNp
emUgb2YgdGhlIFF1YW50dW0tU2FmZSBEYXRhIGNhbiBiZSB0aGUgdG90YWwgZnJhZ21lbnRzICog
cGF5bG9hZCBsZW5ndGggPSB+IDRHQiwgd2hpY2ggc2VlbXMgc3VmZmljaWVudCBmb3IgdGhlIHNp
emUgb2YgdGhlIFFTS0UgcGF5bG9hZHMgZGlzY3Vzc2VkIHNvIGZhci4NCg0KVGhlIHVzZSBvZiB0
aGUgRnJhZ21lbnRhdGlvbiBiaXQgaXMgbm90IG1hbmRhdG9yeS4gSW1wbGVtZW50YXRpb25zIGNh
biBhdHRlbXB0IHRvIHNlbmQgdGhlIElLRV9TQV9JTklUIHBheWxvYWQgY29udGFpbmluZyB0aGUg
UVNLRSBwYXlsb2FkIHdpdGhvdXQgZnJhZ21lbnRhdGlvbiBhdCB0aGUgSUtFIGxheWVyLCBvcHRp
bmcgZm9yIGZyYWdtZW50YXRpb24gYXQgdGhlIElQIGxheWVyIGluc3RlYWQuIEltcGxlbWVudGF0
aW9ucyBjYW4gaW5pdGlhbGx5IGV4Y2x1ZGUgdGhlIHRoZSB1c2Ugb2YgZnJhZ21lbnRhdGlvbiBp
biB0aGUgUVNLRSBwYXlsb2FkLCBob3dldmVyIGlmIGNvbm5lY3Rpdml0eSBmYWlscyB3aGVuIG5v
dCB1c2luZyBmcmFnbWVudGF0aW9uIG9mIHRoZSBRU0tFLCBpdCBpcyBhc3N1bWVkIHRoYXQgdGhh
dCB0cmFmZmljIGhhcyBiZWVuIGRlbmllZCBkdWUgdG8gZnJhZ21lbnRhdGlvbiBhdCB0aGUgSVAg
bGF5ZXIgYW5kIGZyYWdtZW50YXRpb24gb2YgdGhlIFFTS0Ugc2hvdWxkIGJlIHVzZWQgaW5zdGVh
ZC4NCg0KDQrigJTigJQNCg0KSW4gdGhlIGZvbGxvd2luZyBleGFtcGxlIHRoZSBJbml0aWF0b3Ig
d2lsbCBwcm9wb3NlIERIIEdyb3VwcyAxNCwxOSwyMSBhbmQgMzAsMzIgYW5kIDM1IChmaWN0aXRp
b3VzIFFTS0UgZ3JvdXBzKS4gVGhlIEluaXRpYXRvciBzZW5kcyB0aGUgTihRU0tFKSwgd2hpY2gg
aW5mb3JtcyB0aGUgcmVzcG9uZGVyIHRvIGNob29zZSA+PTEgUVNLRSBncm91cHMgYWxvbmcgd2l0
aCBhIGNsYXNzaWMgREggZ3JvdXAuDQoNClRoZSByZXNwb25kZXIgd2lsbCByZXR1cm4gdGhlIE4o
UVNLRSkgcGF5bG9hZCwgaW5kaWNhdGluZyBpdCBzdXBwb3J0cyB0aGUgUVNLRSwgdGhlIHNlY3Vy
aXR5IGFzc29jaWF0aW9uIGluY2x1ZGVzIERIIEdyb3VwcyAxNCwgMzAgYW5kIDM1IHdoaWNoIGlu
Zm9ybXMgdGhlIGluaXRpYXRvciBvZiB0aGUgUVNLRSBncm91cHMgaXQgc2VsZWN0cyB0byB1c2Uu
DQoNClRoZSBJbml0aWF0b3IgdGhlbiBzZW5kcyB0aGUgUVNLRSdzIGFuZCBLRSBmb3IgdGhlIGdy
b3VwcyBpdCB3aXNoZXMgdG8gdXNlLCBwbHVzIHRoZSBpZGVudGljYWwgc2VjdXJpdHkgYXNzb2Np
YXRpb25zIGFzIHdhcyBzZW50IGluIHRoZSBmaXJzdCBleGNoYW5nZSAodG8gbWl0aWdhdGUgZG93
bmdyYWRlIGF0dGFja3MpLiBOb3RlOiBUaGUgUmVzcG9uZGVyIHNob3VsZCBjaGVjayB0aGF0IHRo
ZSByZWNlaXZlZCBRU0tFJ3MgaW4gdGhlIHNlY3VyaXR5IGFzc29jaWF0aW9uIG1hdGNoIHdpdGgg
aXRzIHByZWZlcnJlZCBzZWN1cmUgUVNLRSdzLiBUaGlzIGlzIHRvIG1pdGlnYXRlIHRoZSBmb2xs
b3dpbmcgYXR0YWNrLCBJbml0aWF0b3Igc2VuZHMgU0EgY29udGFpbnMgY2VydGFpbiBRU0tFIGlu
IHRoZSBzZWN1cml0eSBhc3NvY2lhdGlvbiBSZXNwb25kZXIgcmVzcG9uZHMsIGJ1dCBhdHRhY2tl
ciBtb2RpZmllcyB0aGlzIHJlc3BvbnNlIHRvIHJlbW92ZSB0aGUgc2FpZCBRU0tFLiBUaGUgSW5p
dGlhdG9yIHRoZW4gcGVyZm9ybXMgdGhlIElLRV9TQV9JTklUIGV4Y2x1ZGluZyB0aGUgUVNLRSB0
aGF0IHdhcyByZW1vdmVkIGJ5IHRoZSBhdHRhY2tlciwgIGluIHRoZSBRU0tFIChidXQgaXQncyBp
bmNsdWRlZCBpbiB0aGUgc2VjdXJpdHkgYXNzb2NpYXRpb25zKS4gSGVuY2UgaWYgdGhlIHJlc3Bv
bmRlciB2ZXJpZmllcyB0aGF0IHRoZSByZWNlaXZlZCBRU0tFIG1hdGNoIHRoZSByZWNlaXZlZCBz
ZWN1cml0eSBhc3NvY2lhdGlvbnMsIGl0IHdpbGwgbWl0aWdhdGUgdGhpcyBhdHRhY2suDQoNCg0K
ICAgIEluaXRpYXRvciAgICAgICAgICAgICAgICAgICBSZXNwb25kZXINCiAgIC0tLS0tLS0tLS0t
ICAgICAgICAgICAgICAgICAtLS0tLS0tLS0tLQ0KICAgSERSLCBTQWkxLCBOaSxLRWkgICAgLS0+
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKERIIEdyb3VwcyAxNCwxOSwyMSBhbmQg
MzAsMzIgYW5kIDM1KQ0KICAgICAgTihRU0tFKQ0KDQogICAgICAgICAgICAgICAgICAgICAgIDwt
LSAgIEhEUiwgU0FyMSwgTihDT09LSUUpLFtOKFFTS0UpXSAgICAgICAoREggR3JvdXBzIDE0LCAz
MCBhbmQgMzUpDQoNCg0KICAgSERSLCBOKENPT0tJRSksIFNBaTEsICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgKFNBIGNvbnRhaW5zIERIIEdyb3VwcyAxNCwxOSwyMSBhbmQgMzAs
MzIgYW5kIDM1KQ0KICAgIEtFaSwgTmksIFFTS0VpLTEvMyAgLS0+ICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgKEtFIGlzIEdyb3VwIDE0LCBRU0tFMSBpcyBHcm91cCAzMCwgZnJhZ21l
bnQgMSBvZiAzKQ0KDQogICBIRFIsIFFTS0VpLTIvMyAgICAgICAtLT4gICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAoUVNLRTEgaXMgR3JvdXAgMzAsIGZyYWdtZW50IDIgb2YgMykNCg0K
ICAgSERSLCBRU0tFaS0zLzMgICAgICAgLS0+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgKFFTS0UxIGlzIEdyb3VwIDMwLCBmcmFnbWVudCAzIG9mIDMpDQoNCiAgIEhEUiwgUVNLRWky
LTEvNCAgICAgIC0tPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIChRU0tFMiBpcyBH
cm91cCAzNSwgZnJhZ21lbnQgMSBvZiA0KQ0KDQogICBIRFIsIFFTS0VpMi0yLzQgICAgICAtLT4g
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAoUVNLRTIgaXMgR3JvdXAgMzUsIGZyYWdt
ZW50IDIgb2YgNCkNCg0KICAgSERSLCBRU0tFaTItMy80ICAgICAgLS0+ICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgKFFTS0UyIGlzIEdyb3VwIDM1LCBmcmFnbWVudCAzIG9mIDQpDQoN
CiAgIEhEUiwgUVNLRWkyLTQvNCAgICAgIC0tPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgIChRU0tFMiBpcyBHcm91cCAzNSwgZnJhZ21lbnQgNCBvZiA0KQ0KDQoNCiAgICAgICAgICAg
ICAgICAgIDwtLSAgSERSLCBTQXIxLCBOciwgS0VyLCAgICAgICAgICAgICAgICAgIChLRSBpcyBH
cm91cCAxNCwgUVNLRTEgaXMgR3JvdXAgMzAsIGZyYWdtZW50IDEgb2YgMykNCiAgICAgICAgICAg
ICAgICAgICAgICAgIFFTS0VpLTEvMw0KDQogICAgICAgICAgICAgICAgICA8LS0gIEhEUixRU0tF
aS0yLzMgICAgICAgICAgICAgICAgICAgICAgICAoUVNLRTEgaXMgR3JvdXAgMzAsIGZyYWdtZW50
IDIgb2YgMykNCg0KICAgICAgICAgICAgICAgICAgPC0tICBIRFIsUVNLRWktMy8zICAgICAgICAg
ICAgICAgICAgICAgICAgKFFTS0UxIGlzIEdyb3VwIDMwLCBmcmFnbWVudCAzIG9mIDMpDQoNCiAg
ICAgICAgICAgICAgICAgIDwtLSAgSERSLFFTS0VpMi0xLzQgICAgICAgICAgICAgICAgICAgICAg
IChRU0tFMiBpcyBHcm91cCAzNSwgZnJhZ21lbnQgMSBvZiA0KQ0KDQogICAgICAgICAgICAgICAg
ICA8LS0gIEhEUixRU0tFaTItMi80ICAgICAgICAgICAgICAgICAgICAgICAoUVNLRTIgaXMgR3Jv
dXAgMzUsIGZyYWdtZW50IDIgb2YgNCkNCg0KICAgICAgICAgICAgICAgICAgPC0tICBIRFIsUVNL
RWkyLTMvNCAgICAgICAgICAgICAgICAgICAgICAgKFFTS0UyIGlzIEdyb3VwIDM1LCBmcmFnbWVu
dCAzIG9mIDQpDQoNCiAgICAgICAgICAgICAgICAgIDwtLSAgSERSLFFTS0VpMi00LzQgICAgICAg
ICAgICAgICAgICAgICAgIChRU0tFMiBpcyBHcm91cCAzNSwgZnJhZ21lbnQgNCBvZiA0KQ0KDQoN
CkFzIHRocmVlIGdyb3VwcyB3ZXJlIHVzZWQsIHRoZSBrZXltYXQgaXMgZ2VuZXJhdGVkIHdpdGgg
dGhlIGNvbWJpbmF0aW9uIG9mIHRoZSBvdXRwdXQgZnJvbSB0aGUgdGhyZWUgcHVibGljIHZhbHVl
cy4NCg0KS0VZTUFUID0gcHJmKyhTS19kLCBRU1NTMiAoR3JvdXAgMzUpIHwgUVNTMSAoR3JvdXAg
MzApIHwgZ15pciAoR3JvdXAgMTQpIHwgTmkgfCBOcikNCg0KDQogICBIRFIgU0sge0lEaSwgW0NF
UlQsXQ0KICAgICAgIFtDRVJUUkVRLF0gW0lEcixdIEFVVEgsDQogICAgICAgU0FpMiwgVFNpLCBU
U3J9ICAtLT4NCg0KDQoNCg0K4oCU4oCU4oCU4oCUDQoNCg0KSW4gdGhlIGZvbGxvd2luZyB0aGUg
SW5pdGlhdG9yIHdpbGwgcHJvcG9zZSBESCBHcm91cHMgMTQsMTksMjEgYW5kIDMwLDMyIGFuZCAz
NSAoZmljdGl0aW91cyBRU0tFIGdyb3VwcykuIFRoZSBJbml0aWF0b3Igc2VuZHMgTihRU0tFKSwg
d2hpY2ggdGVsbHMgcmVzcG9uZGVyIHRvIGNob29zZSBhIERIIGdyb3VwIGFuZCA+PTEgUVNLRSBn
cm91cHMgIC4NCg0KVGhlIFJlc3BvbmRlciBpbiB0aGlzIGNhc2UgZG9lcyBub3Qgc3VwcG9ydCBR
U0tFIGFuZCBhc3N1bWluZyB0aGUgTihRU0tFKSB3YXMgbm9uIGNyaXRpY2FsLCB3aWxsIGlnbm9y
ZSB0aGlzIE5vdGlmeSBQYXlsb2FkLg0KDQpUaGUgZXhjaGFuZ2Ugd2lsbCBjb250aW51ZSBhcyBw
ZXIgUkZDNzI5Ni4NCg0KDQogICAgSW5pdGlhdG9yICAgICAgICAgICAgICAgICAgIFJlc3BvbmRl
cg0KICAgLS0tLS0tLS0tLS0gICAgICAgICAgICAgICAgIC0tLS0tLS0tLS0tDQogICBIRFIsIFNB
aTEsIE5pLEtFaSAgICAtLT4gICAgICAgICAgICAgICAgICAgICAgICAgICBLRT1Hcm91cCAxNCAo
U0E6IERIIEdyb3VwcyAxNCwxOSwyMSBhbmQgMzAsMzIgYW5kIDM1KQ0KICAgICAgTihRU0tFKQ0K
DQogICAgICAgICAgICAgICAgICAgICAgIDwtLSAgIEhEUiwgU0FyMSxOcixLRXIgICAgICAgICAo
REggR3JvdXBzIDE0KQ0KDQoNCiAgSERSIFNLIHtJRGksIFtDRVJULF0NCiAgICAgICBbQ0VSVFJF
USxdIFtJRHIsXSBBVVRILA0KICAgICAgIFNBaTIsIFRTaSwgVFNyfSAgLS0+DQoNCg0K4oCU4oCU
4oCU4oCU4oCU4oCU4oCUDQoNCg0KDQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fXw0KSVBzZWMgbWFpbGluZyBsaXN0DQpJUHNlY0BpZXRmLm9yZzxtYWlsdG86
SVBzZWNAaWV0Zi5vcmc+DQpodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2lw
c2VjDQoNCg==

--_000_B991A75E0473428E95B839491D0EB098isaracorpcom_
Content-Type: text/html; charset="utf-8"
Content-ID: <247E1D255833A34B8D0ADE6E96EB8F8A@isaracorp.com>
Content-Transfer-Encoding: base64

eWxvYWQgd2hpY2ggd291bGQgYmUgaWRlbnRpY2FsIGluIHN0cnVjdHVyZSB0byB0aGUgU0EgcGF5
bG9hZCBleGNlcHQgdGhhdCBpdCB3b3VsZCBhbHNvIGluY2x1ZGUNCiB0aGUgUS1TLUdyb3VwIHRy
YW5zZm9ybSB0eXBlLiBBbiBlbmRwb2ludCBjb3VsZCBjb25maWd1cmUgdGhlIHByb3Bvc2FscyBp
biB0aGlzIHBheWxvYWQgdG8gY29udGFpbiBRUyBhbmQgb25seSBRUyBFTkNSL1BSRiBhbGdvcml0
aG1zLCBwbHVzIFFSS0UgYWxnb3JpdGhtcyBpbiB0cmFuc2Zvcm0gdHlwZSA2IGFuZCBleGlzdGlu
ZyBESCBhbGdvcml0aG1zIGluIHR5cGUgNC4gVGhlIFNBIHBheWxvYWQgd291bGQgc3RpbGwgZXhp
c3QsIHNvIG5vbi11cGdyYWRlZA0KIHJlc3BvbmRlcnMgd291bGQgc3RpbGwgYmUgc3VwcG9ydGVk
LCBidXQgdXBncmFkZWQgcmVzcG9uZGVycyB3b3VsZCBnaXZlIHRoZSBRU19TQSBwcm9wb3NhbHMg
aGlnaGVyIHByaW9yaXR5IHRoYW4gU0EgcHJvcG9zYWxzLjwvZGl2Pg0KPGRpdiBjbGFzcz0iIj48
YnIgY2xhc3M9IiI+DQo8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+QSBub24tdXBncmFkZWQgcmVzcG9u
ZGVyIHdvdWxkIG5vdCByZWNvZ25pemUgdGhlIFFTX1NBIHBheWxvYWQgYW5kIHNvIHdvdWxkIGNo
b3NlIGFuIFNBIGZyb20gdGhlIFNBIHBheWxvYWQuIFRoZXkgd291bGQgYWxzbyBuZXZlciBzZWUg
dGhlIG5ldyB0cmFuc2Zvcm0gdHlwZSwgc28gdGhlcmUgd291bGQgYmUgbm8gYmFja3dhcmQtY29t
cGF0aWJpbGl0eSBpc3N1ZXMuIEEgcmVzcG9uZGVyIHdobyByZWNvZ25pemVzIHRoZSBRU19TQQ0K
IHBheWxvYWQgY291bGQgcmVzcG9uZCB1c2luZyBhIFFTX1NBIHBheWxvYWQgcmF0aGVyIHRoYW4g
YSBTQSBwYXlsb2FkIChvciBpZiB5b3UgdGhpbmsgdGhlcmUgd291bGQgYmUgaW1wbGVtZW50YXRp
b24gcHJvYmxlbXMgd2l0aCB0aGlzIHdlIGNvdWxkIHNheSB0aGV5IHJlc3BvbmQgd2l0aCBhbiBT
QSBwYXlsb2FkIHdoaWNoIGNvbnRhaW5zIHRoZSBzZWxlY3RlZCBwcm9wb3NhbCBmcm9tIHRoZSBR
U19TQSBwYXlsb2FkKS48L2Rpdj4NCjxkaXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIiPg0KPC9kaXY+
DQo8ZGl2IGNsYXNzPSIiPldpdGggdGhpcyBpZGVhIGEgbmV3IG5vdGlmaWNhdGlvbiB0eXBlIGlz
buKAmXQgbmVjZXNzYXJ5LCBiZWNhdXNlIHRoZSBleGlzdGVuY2Ugb2YgdGhlIFFTX1NBIHBheWxv
YWQgbGV0cyB0aGUgcmVzcG9uZGVyIGtub3cgdGhpcyBleHRlbnNpb24gaXMgc3VwcG9ydGVkLCBh
bmQgYSByZXNwb25zZSBTQSBjb250YWluaW5nIGEgcHJvcG9zYWwgZnJvbSBRU19TQSAoYW5kIGNv
bnRhaW5pbmcgdHJhbnNmb3JtIHR5cGUgNikgbGV0cyB0aGUNCiBpbml0aWF0b3Iga25vdyB0aGlz
IGV4dGVuc2lvbiBpcyBzdXBwb3J0ZWQgYnkgdGhlIHJlc3BvbmRlci4gQW4gYXR0YWNrZXIgY291
bGRu4oCZdCByZW1vdmUgdGhlIFFTX1NBIHBheWxvYWQgYmVjYXVzZSBpdCB3aWxsIGJlIHByb3Rl
Y3RlZCBieSB0aGUgSURpL0lEciBwYXlsb2FkcyBpbiBJS0VfQVVUSC48L2Rpdj4NCjxkaXYgY2xh
c3M9IiI+PGJyIGNsYXNzPSIiPg0KPC9kaXY+DQo8ZGl2IGNsYXNzPSIiPjxiciBjbGFzcz0iIj4N
CjwvZGl2Pg0KPGRpdiBjbGFzcz0iIj4yKSBRUiBLRSAvIGZyYWdtZW50YXRpb248L2Rpdj4NCjxk
aXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIiPg0KPC9kaXY+DQo8ZGl2IGNsYXNzPSIiPkkgd3JvdGUg
dXAgdGhpcyBtZXNzYWdlIHllc3RlcmRheSB0byByZXZpZXcgYW5kIHNlbmQgaW4gdGhlIG1vcm5p
bmcsIGJ1dCBUZXJvJ3MgbWVzc2FnZSBsYXN0IG5pZ2h0IGNvdmVyZWQgbXkgc3VnZ2VzdGlvbiBm
b3IgZnJhZ21lbnRhdGlvbiwgc28gSeKAmWxsIGp1c3QgYWRkIGEgZmV3IG5vdGVzIHRvIGNvbnNp
ZGVyIGluIHRoaXMgYXJlYS48L2Rpdj4NCjxkaXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIiPg0KPC9k
aXY+DQo8ZGl2IGNsYXNzPSIiPkFzIG1lbnRpb25lZCwgdGhpcyBQUkVfQVVUSCAoSSBsaWtlIElL
RV9RU19LRSwgYnV0IGlmIHdlIHRoaW5rIGl0IHdpbGwgYmUgZXhwYW5kZWQgbGF0ZXIgdGhlbiBQ
UkVfQVVUSCBpcyBtb3JlIGdlbmVyaWMpIG1lc3NhZ2UgaXMgZW5jcnlwdGVkIHdpdGggdGhlIGNs
YXNzaWNhbCBrZXlzIGdlbmVyYXRlZCBpbiBJS0VfU0FfSU5JVC4gVGhlIHNoYXJlZCBzZWNyZXRz
IGdlbmVyYXRlZCBpbiBQUkVfQVVUSCBjYW4gdXNlIHRoZQ0KIGV4aXN0aW5nIHJla2V5aW5nIG1l
Y2hhbmlzbSB0byB1cGRhdGUgdGhlIFNBIHRvIGJlIFFTOiZuYnNwOzwvZGl2Pg0KPGRpdiBjbGFz
cz0iIj48YnIgY2xhc3M9IiI+DQo8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+DQo8ZGl2IGNsYXNzPSIi
PktFWU1BVCA9IHByZiYjNDM7KFNLX2QsIFFTX1NFQ1JFVCB8IE5pIHwgTnIpPC9kaXY+DQo8L2Rp
dj4NCjxkaXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIiPg0KPC9kaXY+DQo8ZGl2IGNsYXNzPSIiPlNv
bWV0aGluZyB0byBrZWVwIGluIG1pbmQgaXMgdGhhdCBtYW55IFFTIGtleSBhZ3JlZW1lbnQgYWxn
b3JpdGhtcyBkb27igJl0IGhhdmUgZXhhY3RseSB0aGUgc2FtZSBtZXNzYWdlIGZsb3cgYXMgRGlm
ZmllIEhlbGxtYW4uICZuYnNwO1dpdGggREgsIGVhY2ggZW5kcG9pbnTigJlzIHB1YmxpYy9wcml2
YXRlIGtleXMgY2FuIGJlIGdlbmVyYXRlZCBpbmRlcGVuZGVudGx5IG9mIGVhY2ggb3RoZXIuIEJ1
dCBtYW55IFFTIGFsZ29yaXRobXMgaGF2ZQ0KIGFuIGluaXRpYXRvci1yZXNwb25kZXIgZmxvdywg
c28gdGhlIHJlc3BvbmRlciBjYW4gb25seSBnZW5lcmF0ZSBpdHMgcHVibGljIGtleSBvbmNlIGl0
IGhhcyBwcm9jZXNzZWQgdGhlIGluaXRpYXRvcuKAmXMgcHVibGljIGtleS4gV2UganVzdCBuZWVk
IHRvIGtlZXAgdGhpcyBpbiBtaW5kIHdoZW4gZGVzaWduaW5nIHRoZSBmbG93IG9mIHRoZSBQUkVf
QVVUSCBtZXNzYWdlcy4gQW4gaW5pdGlhdG9yIGNhbuKAmXQgc2VuZCB0aGUgZmlyc3QgY2h1bmsg
b2YNCiBhIHB1YmxpYyBrZXksIGFuZCB0aGUgcmVzcG9uZGVyIHJlcGx5IHdpdGggdGhlIGZpcnN0
IGNodW5rIG9mIHRoZWlyIHB1YmxpYyBrZXksIHRoZSByZXNwb25kZXIgd291bGQgbmVlZCB0byBw
cm9jZXNzIGFsbCBpbml0aWF0b3IgY2h1bmtzIGZvciB0aGF0IGtleSBmaXJzdC4gVGhpcyBtZWFu
cyB0aGUgaW5pdGlhdG9yIHdvdWxkIGhhdmUgdG8gc2VuZCBhIHNwZWNpYWwgYWNrbm93bGVkZ2Vt
ZW50IHJlc3BvbnNlIGZvciBjaHVua3MgdGhhdCBkb27igJl0DQogY29tcGxldGUgYSBwdWJsaWMg
a2V5IHJhdGhlciB0aGFuIHJlc3BvbmRpbmcgd2l0aCBhIHBhcnRpYWwga2V5IHdoZW4gcmVjZWl2
aW5nIGEgcGFydGlhbCBrZXkuPC9kaXY+DQo8ZGl2IGNsYXNzPSIiPjxiciBjbGFzcz0iIj4NCjwv
ZGl2Pg0KPGRpdiBjbGFzcz0iIj5BbHNvIG5vdGUgdGhhdCBTdHJvbmdTd2Fu4oCZcyBjb2RlIGFz
c3VtZXMgdGhhdCBJS0VfQVVUSCB3aWxsIGFsd2F5cyBoYXZlIGEgbWVzc2FnZSBJRCBvZiAxLCBi
dXQgdGhpcyB3b27igJl0IGhvbGQgaWYgdGhlcmUgYXJlIG9uZSBvciBtb3JlIFBSRV9BVVRIIGV4
Y2hhbmdlcy4gSSB3YXMgYWJsZSB0byB1cGRhdGUgU3Ryb25nU3dhbiB0byByZW1vdmUgdGhhdCBh
c3N1bXB0aW9uIGFuZCBpbnN0ZWFkIGNoZWNrIGFnYWluc3QgSUtFX0FVVEjigJlzDQogYWN0dWFs
IG1lc3NhZ2UgSUQuIEl04oCZcyBub3QgY2xlYXIgdG8gbWUgd2hldGhlciBHcmFoYW3igJlzIElL
RV9TQV9JTklUIGZyYWdtZW50YXRpb24gd291bGQgYWxzbyBzdWZmZXIgZnJvbSB0aGlzIGlzc3Vl
LCBJIHN1c3BlY3QgdGhhdCB0aGUgSUtFX1NBX0lOSVQgZnJhZ21lbnRzIHdvdWxkIG5lZWQgaW5j
cmVtZW50aW5nIG1lc3NhZ2UgSURzIHNvIGVuZHBvaW50cyBkb27igJl0IGRpc2NhcmQgdGhlbT8g
SG9wZWZ1bGx5IG90aGVyIGltcGxlbWVudGF0aW9ucw0KIGVpdGhlciBkb27igJl0IGhhdmUgdGhp
cyBhc3N1bXB0aW9uIG9yIGFyZSBlcXVhbGx5IGVhc3kgdG8gbW9kaWZ5LiZuYnNwOzwvZGl2Pg0K
PGRpdiBjbGFzcz0iIj48YnIgY2xhc3M9IiI+DQo8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+DQo8ZGl2
IGNsYXNzPSIiPlRlcm8gc2F5czo8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIiPg0K
PC9kaXY+DQo8ZGl2IGNsYXNzPSIiPg0KPGJsb2NrcXVvdGUgdHlwZT0iY2l0ZSIgY2xhc3M9IiI+
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFweDsiIGNsYXNzPSIiPk5vdGUsIHRoYXQgdGhlIFBS
RV9BVVRIIGhhcHBlbmluZyBiZXR3ZWVuIElLRV9TQV9JTklUIGFuZCBJS0VfQVVUSDwvc3Bhbj48
YnIgc3R5bGU9ImZvbnQtc2l6ZTogMTFweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQt
c2l6ZTogMTFweDsiIGNsYXNzPSIiPndvdWxkIGJlIGVuY3J5cHRlZCwgYW5kIE1BQ2VkLCBidXQg
aXQgV0lMTCBOT1QgYmUgYXV0aGVudGljYXRlZCwgaS5lLiw8L3NwYW4+PGJyIHN0eWxlPSJmb250
LXNpemU6IDExcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHg7IiBj
bGFzcz0iIj53ZSBoYXZlIG5vdCB5ZXQgYXV0aGVudGljYXRlZCB0aGUgb3RoZXIgcGVlciwgYW5k
IHdlIHdpbGwgbm90IGluY2x1ZGU8L3NwYW4+PGJyIHN0eWxlPSJmb250LXNpemU6IDExcHg7IiBj
bGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHg7IiBjbGFzcz0iIj50aG9zZSBv
Y3RldHMgdG8gdGhlIEFVVEggcGF5bG9hZCBjYWxjdWxhdGlvbnMsIHNvIHRoZXkgd2lsbCBub3Qg
YmU8L3NwYW4+PGJyIHN0eWxlPSJmb250LXNpemU6IDExcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0
eWxlPSJmb250LXNpemU6IDExcHg7IiBjbGFzcz0iIj5hdXRoZW50aWNhdGVkIGluIEFVVEggcGhh
c2UsIGxpa2UgdGhlIElLRV9TQV9JTklUIGNvbnRlbnRzIHdpbGwgYmU8L3NwYW4+PGJyIHN0eWxl
PSJmb250LXNpemU6IDExcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDEx
cHg7IiBjbGFzcz0iIj5hdXRoZW50aWNhdGVkLjwvc3Bhbj48YnIgc3R5bGU9ImZvbnQtc2l6ZTog
MTFweDsiIGNsYXNzPSIiPg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8ZGl2IGNsYXNzPSIiPjxi
ciBjbGFzcz0iIj4NCjwvZGl2Pg0KPGRpdiBjbGFzcz0iIj5Db3VsZG7igJl0IHRoZSBJRGkgYW5k
IElEciBwYXlsb2FkcyBpbiBJS0VfQVVUSCBiZSBtb2RpZmllZCB0byBzaWduIHRoZSBQUkVfQVVU
SCBtZXNzYWdlIGluIGFkZGl0aW9uIHRvIHRoZSBJS0VfU0FfSU5JVCBtZXNzYWdlPzwvZGl2Pg0K
PGRpdiBjbGFzcz0iIj48YnIgY2xhc3M9IiI+DQo8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+VGVybyBz
YXlzOjwvZGl2Pg0KPGRpdiBjbGFzcz0iIj48YnIgY2xhc3M9IiI+DQo8L2Rpdj4NCjxkaXYgY2xh
c3M9IiI+DQo8YmxvY2txdW90ZSB0eXBlPSJjaXRlIiBjbGFzcz0iIj48c3BhbiBzdHlsZT0iZm9u
dC1zaXplOiAxMXB4OyIgY2xhc3M9IiI+SSB0aGluayB0aGlzIGtpbmQgb2Ygc3RlcCBiZXR3ZWVu
IElLRV9TQV9JTklUIGFuZCBJS0VfQVVUSCBtaWdodCBiZTwvc3Bhbj48YnIgc3R5bGU9ImZvbnQt
c2l6ZTogMTFweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFweDsiIGNs
YXNzPSIiPmVhc2llc3QgYW5kIG1vc3QgZ2VuZXJpYyB3YXkgb2YgdHJhbnNmZXJyaW5nIHRoZSBR
U0tFIGRhdGEuPC9zcGFuPjwvYmxvY2txdW90ZT4NCjwvZGl2Pg0KPGRpdiBjbGFzcz0iIj48YnIg
Y2xhc3M9IiI+DQo8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+SSBkZWZpbml0ZWx5IGFncmVlIDotKTwv
ZGl2Pg0KPC9kaXY+DQo8ZGl2IGNsYXNzPSIiPjxiciBjbGFzcz0iIj4NCjwvZGl2Pg0KPGRpdiBj
bGFzcz0iIj48YnIgY2xhc3M9IiI+DQo8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+MykgUmVrZXlpbmcv
Q2hpbGQgQ3JlYXRpb248L2Rpdj4NCjxkaXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIiPg0KPC9kaXY+
DQo8ZGl2IGNsYXNzPSIiPkdyYWhhbeKAmXMgc3VnZ2VzdGlvbiB3b3JrcyBlbnRpcmVseSBpbiBJ
S0VfU0FfSU5JVCwgc28gaWYgbmV3IFNBIGlzIGNyZWF0ZWQgb3Igb25lIGlzIHJla2V5ZWQgaXTi
gJlzIG5vdCBjbGVhciBob3cgdGhlIFFTIHB1YmxpYyBrZXlzIHdvdWxkIGJlIGV4Y2hhbmdlZC4g
VGhleSBjb3VsZCBiZSBpbmNsdWRlZCBpbiBhIHBheWxvYWQgb2YgQ1JFQVRFX0NISUxEX1NBLCBi
dXQgdGhpcyB3aWxsIHJ1biB1cCBhZ2FpbnN0IHRoZSA2NEsNCiBiYXJyaWVyLiBTaW1pbGFyIGZy
YWdtZW50YXRpb24gY291bGQgYmUgYWRkZWQgdG8gQ1JFQVRFX0NISUxEX1NBIGFzIHdvdWxkIGJl
IGFkZGVkIHRvIElLRV9TQV9JTklULCBob3dldmVyIHRoYXQgY291bGQgbWFrZSB0aGluZ3MgbGVz
cyBlbGVnYW50IGFuZCBjb3VsZCByZXN1bHQgaW4gZHVwbGljYXRpb24gb2YgbG9naWMgYmV0d2Vl
biBJS0VfU0FfSU5JVCBhbmQgQ1JFQVRFX0NISUxEX1NBLjwvZGl2Pg0KPGRpdiBjbGFzcz0iIj48
YnIgY2xhc3M9IiI+DQo8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+QXMgbXkgaW52ZXN0aWdhdGlvbnMg
ZGlkbuKAmXQgYWNjb3VudCBmb3IgJmd0OyA2NEsgUVIgcHVibGljIGtleXMsIEkgaGF2ZW7igJl0
IGNvbnNpZGVyZWQgdGhpcyBmdWxseSB5ZXQsIGJ1dCB3b3VsZCBhZGRpbmcgYSBJS0VfUVNfS0Ug
ZXhjaGFuZ2UgYWZ0ZXIgQ1JFQVRFX0NISUxEX1NBIHNpbXBsaWZ5IHRoaW5ncyBoZXJlPyBTaW5j
ZSBDUkVBVEVfQ0hJTERfU0EgYWxyZWFkeSB0YWtlcyBhZHZhbnRhZ2Ugb2YgSUtFdjLigJlzIGZy
YWdtZW50YXRpb24sDQogQ1JFQVRFX0NISUxEX1NBIGNvdWxkIGhhbmRsZSBtb3N0IFFTX0tFIHBh
eWxvYWRzIHdpdGhvdXQgYWRkaXRpb25hbCBmcmFnbWVudGF0aW9uIHNvIG1heWJlIGl0IHdvdWxk
IGJlIG92ZXJraWxsIHRvIG1vdmUgY2hpbGQvcmVrZXkgUVNfS0UgcGF5bG9hZHMgaW50byBhIHN1
YnNlcXVlbnQgZXhjaGFuZ2UuIEJ1dCBpdCB3b3VsZCBzdGlsbCBuZWVkIHNvbWUgd2F5IHRvIGhh
bmRsZSAmZ3Q7NjRLIGtleXMuJm5ic3A7PC9kaXY+DQo8ZGl2IGNsYXNzPSIiPjxiciBjbGFzcz0i
Ij4NCjwvZGl2Pg0KPGRpdiBjbGFzcz0iIj5UZXJv4oCZcyBzdWdnZXN0aW9uIGNvdWxkIHByb2Jh
Ymx5IGJlIGV4dGVuZGVkIHRvIGNvdmVyIGFkZGl0aW9uYWwgUFJFX0FVVEggKElLRV9RU19LRSA6
LSkgKSBleGNoYW5nZXMgYWZ0ZXIgQ1JFQVRFX0NISUxEX1NBLCZuYnNwOzwvZGl2Pg0KPGRpdiBj
bGFzcz0iIj48YnIgY2xhc3M9IiI+DQo8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+Rm9yIGFueSBzb2x1
dGlvbiB3aXRoIG11bHRpcGxlIGV4Y2hhbmdlcyB0aGVyZSBtYXkgYmUgYW4gaW1wbGVtZW50YXRp
b24gaXNzdWUgd2hlcmUgdGhlIGVuZHBvaW50cyBhcmUgdHJ5aW5nIHRvIHNlbmQgYXBwbGljYXRp
b24gZGF0YSBhZnRlciB0aGUgY2xhc3NpY2FsIHJla2V5IGlzIGRvbmUgYnV0IGJlZm9yZSB0aGUg
UVMgcmVrZXkgY29tcGxldGVzLjwvZGl2Pg0KPGRpdiBjbGFzcz0iIj48YnIgY2xhc3M9IiI+DQo8
L2Rpdj4NCjxkaXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIiPg0KPC9kaXY+DQo8ZGl2IGNsYXNzPSIi
PjQpIFRoYXQgd2FzIGxvbmc8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIiPg0KPC9k
aXY+DQo8ZGl2IGNsYXNzPSIiPkhvcGVmdWxseSB0aGlzIHdhc27igJl0IHRvbyBsb25nLXdpbmRl
ZC4gSeKAmWQgYmUgaW50ZXJlc3RlZCBpbiBoZWFyaW5nIGlmIGFueW9uZSB0aGlua3MgYW55IG9m
IHRoZXNlIGlkZWFzIGFyZSB3b3J0aCBmdXJ0aGVyIGludmVzdGlnYXRpb24gYW5kIHdvdWxkIGJl
IGdsYWQgdG8gcHJvdmlkZSBhbnkgcmVzb3VyY2VzIHRvIGRldmVsb3AgdGhlc2UgaWRlYXMgZnVy
dGhlci48L2Rpdj4NCjxkaXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIiPg0KPC9kaXY+DQo8ZGl2IGNs
YXNzPSIiPjQuMSkgQSBub3RlIG9uICZxdW90O1F1YW50dW0tU2FmZeKAnSAoUVMpIHZzIOKAnFF1
YW50dW0tUmVzaXN0YW504oCdIChRUik8L2Rpdj4NCjxkaXYgY2xhc3M9IiI+PGJyIGNsYXNzPSIi
Pg0KPC9kaXY+DQo8ZGl2IGNsYXNzPSIiPknigJl2ZSB0cmllZCB0byB1c2UgUVMgaW4gbXkgcmVz
cG9uc2UgdG8gYmUgY29uc2lzdGVudCB3aXRoIEdyYWhhbSAmYW1wOyBDSuKAmXMgaW5pdGlhbCBt
ZXNzYWdlcyBhbmQgZHJhZnQsIGhvd2V2ZXIgaW4gbXkgZXhwZXJpZW5jZSDigJxRdWFudHVtLVNh
ZmXigJ0gaGFzIGJlZW4gdXNlZCB0byByZWZlciB0byBhbnl0aGluZyB0aGF0IGNhbuKAmXQgYmUg
YnJva2VuIGJ5IGEgcXVhbnR1bSBjb21wdXRlciwgbWVhbmluZyBib3RoIGFsZ29yaXRobXMNCiB3
aGljaCBhcmVu4oCZdCB2dWxuZXJhYmxlIHRvIFNob3LigJlzIG9yIEdyb3ZlcuKAmXMgYWxnb3Jp
dGhtcyBidXQgYXJlIHJ1bm5pbmcgb24gY2xhc3NpY2FsIGNvbXB1dGVycywgYXMgd2VsbCBhcyB0
cnVlIHF1YW50dW0gcHJvY2Vzc2VzIGxpa2UgcXVhbnR1bSBrZXkgZGlzdHJpYnV0aW9uIChRS0Qp
LiDigJxRdWFudHVtLVJlc2lzdGFudOKAnSBoYXMgYmVlbiB1c2VkIHRvIHJlZmVyIHRvIFFTIHdp
dGhvdXQgUUtELCBpLmUuIGp1c3QgYWxnb3JpdGhtcyBydW5uaW5nDQogb24gY2xhc3NpY2FsIGNv
bXB1dGVycyB3aGljaCBhcmVu4oCZdCB2dWxuZXJhYmxlIHRvIHF1YW50dW0gYXR0YWNrLiBTbyBp
biBteSBvcGluaW9uIGFsbCBvZiB0aGUgd29yayB3ZSBhcmUgZG9pbmcgaGVyZSBzaG91bGQgYmUg
bGFiZWxlZCBRdWFudHVtIFJlc2lzdGFudCByYXRoZXIgdGhhbiBRdWFudHVtIFNhZmUuIFlNTVYu
PC9kaXY+DQo8ZGl2IGNsYXNzPSIiPjwvZGl2Pg0KPGJyIGNsYXNzPSIiPg0KPGRpdiBjbGFzcz0i
Ij4NCjxkaXYgc3R5bGU9ImNvbG9yOiByZ2IoMCwgMCwgMCk7IGZvbnQtZmFtaWx5OiBIZWx2ZXRp
Y2E7IGZvbnQtc2l6ZTogMTJweDsgZm9udC1zdHlsZTogbm9ybWFsOyBmb250LXZhcmlhbnQtY2Fw
czogbm9ybWFsOyBmb250LXdlaWdodDogbm9ybWFsOyBsZXR0ZXItc3BhY2luZzogbm9ybWFsOyBv
cnBoYW5zOiBhdXRvOyB0ZXh0LWFsaWduOiBzdGFydDsgdGV4dC1pbmRlbnQ6IDBweDsgdGV4dC10
cmFuc2Zvcm06IG5vbmU7IHdoaXRlLXNwYWNlOiBub3JtYWw7IHdpZG93czogYXV0bzsgd29yZC1z
cGFjaW5nOiAwcHg7IC13ZWJraXQtdGV4dC1zaXplLWFkanVzdDogYXV0bzsgLXdlYmtpdC10ZXh0
LXN0cm9rZS13aWR0aDogMHB4OyI+DQo8YnIgY2xhc3M9IiI+DQrigJQ8YnIgY2xhc3M9IiI+DQpE
YW5pZWwgVmFuIEdlZXN0Jm5ic3A7KDxhIGhyZWY9Im1haWx0bzpkYW5pZWwudmFuZ2Vlc3RAaXNh
cmEuY29tIiBjbGFzcz0iIj5kYW5pZWwudmFuZ2Vlc3RAaXNhcmEuY29tPC9hPik8YnIgY2xhc3M9
IiI+DQo8YSBocmVmPSJodHRwczovL3d3dy5pc2FyYS5jb20vIiBjbGFzcz0iIj5odHRwczovL3d3
dy5pc2FyYS5jb20vPC9hPjwvZGl2Pg0KPC9kaXY+DQo8YnIgY2xhc3M9IiI+DQo8ZGl2Pg0KPGRp
diBjbGFzcz0iIj5PbiBBdWcgMywgMjAxNywgYXQgNzo1NyBBTSwgR3JhaGFtIEJhcnRsZXR0IChn
cmJhcnRsZSkgJmx0OzxhIGhyZWY9Im1haWx0bzpncmJhcnRsZUBjaXNjby5jb20iIGNsYXNzPSIi
PmdyYmFydGxlQGNpc2NvLmNvbTwvYT4mZ3Q7IHdyb3RlOjwvZGl2Pg0KPGJyIGNsYXNzPSJBcHBs
ZS1pbnRlcmNoYW5nZS1uZXdsaW5lIj4NCjxkaXYgY2xhc3M9IiI+DQo8ZGl2IGNsYXNzPSJXb3Jk
U2VjdGlvbjEiIHN0eWxlPSJwYWdlOiBXb3JkU2VjdGlvbjE7IGZvbnQtZmFtaWx5OiBIZWx2ZXRp
Y2E7IGZvbnQtc2l6ZTogMTJweDsgZm9udC1zdHlsZTogbm9ybWFsOyBmb250LXZhcmlhbnQtY2Fw
czogbm9ybWFsOyBmb250LXdlaWdodDogbm9ybWFsOyBsZXR0ZXItc3BhY2luZzogbm9ybWFsOyB0
ZXh0LWFsaWduOiBzdGFydDsgdGV4dC1pbmRlbnQ6IDBweDsgdGV4dC10cmFuc2Zvcm06IG5vbmU7
IHdoaXRlLXNwYWNlOiBub3JtYWw7IHdvcmQtc3BhY2luZzogMHB4OyAtd2Via2l0LXRleHQtc3Ry
b2tlLXdpZHRoOiAwcHg7IGJhY2tncm91bmQtY29sb3I6IHJnYigyNTUsIDI1NSwgMjU1KTsiPg0K
PGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZv
bnQtZmFtaWx5OiBDYWxpYnJpOyIgY2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAx
MXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3JzsiIGNsYXNzPSIiPkhpPC9zcGFuPjxzcGFu
IHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRp
diBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQt
ZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBz
dGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsi
IGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdD
b3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9
IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJtYXJnaW46
IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENhbGlicmk7
IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Via2l0LXRl
eHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+DQo8c3Bh
biBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3JzsiIGNs
YXNzPSIiPkFmdGVyIGxpc3RlbmluZyB0byB0aGUgUHJhZ3VlIG1lZXRpbmcgRGFuIEhhcmtpbnMg
cmFpc2VkIHRoZSBwb2ludCB0aGF0IHRoZSBRdWFudHVtIFJlc2lzdGFudCBJS0V2MiBpbXBsZW1l
bnRhdGlvbiBzaG91bGQgcHJvdGVjdCBwYXNzaXZlIGF0dGFja3MsIHdoZXJlIHRyYWZmaWMgdGhh
dCB0cmFmZmljIHRoYXQgaXMgc2VudCBhbmQNCiBpcyBjYXB0dXJlZCB0b2RheSBzaG91bGQgYmUg
cmVzaWxpZW50IHRvIGFuIGFkdmVyc2FyeSB3aXRoIGEgcXVhbnR1bSBjb21wdXRlciBpbiB0aGUg
ZnV0dXJlLiBCdXQgdGhlIFF1YW50dW0gUmVzaXN0YW50IElLRXYyIGRvZXMgbm90IGhhdmUgdG8g
cHJvdGVjdCBhZ2FpbnN0IGFuIGFkdmVyc2FyeSB3aXRoIGEgcXVhbnR1bSBjb21wdXRlciBpbiB0
aGUgZnV0dXJlIHdobyBjYW4gcGVyZm9ybSBhbiBhY3RpdmUgYXR0YWNrLjwvc3Bhbj48c3BhbiBz
dHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYg
c3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZh
bWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3Rh
cnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBj
bGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291
cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIi
PjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAw
Y20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBm
b250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0
LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4g
c3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFz
cz0iIj5Tb21lb25lIGVsc2UgKGNhbuKAmXQgcmVtZW1iZXIgd2hvKSBzdWdnZXN0ZWQgdGhlIHF1
YW50dW0gcmVzaXN0YW50IOKAmGJsb2LigJkgYmUgc2VudCBpbiBJS0VfQVVUSCBhcyBpdCB3aWxs
IGJlIGxhcmdlIGFuZCBwcm9iYWJseSBmcmFnbWVudGF0aW9uLiBPYnZpb3VzbHkgZm9yIHRoaXMg
dGhlIG5hdHVyYWwgY2hvaWNlIGlzIHRvIHVzZQ0KIHRoZSBJS0V2MiBGcmFnbWVudGF0aW9uIG1l
Y2hhbmlzbSBkZWZpbmVkIGluIFJGQzczODMuPC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIi
PjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAw
Y20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBm
b250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0
LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4g
c3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFz
cz0iIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48
L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJtYXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7
IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENhbGlicmk7IGZvbnQtdmFyaWFudC1jYXBz
OiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAw
cHg7IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXpl
OiAxMXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3JzsiIGNsYXNzPSIiPkEgZmV3IHdlZWtz
IGFnbyBJIGRldmVsb3BlZCBhIG1ldGhvZCB0byBzZW5kIHRoZSBxdWFudHVtIHJlc2lzdGFudCDi
gJhibG9i4oCZIGluIElLRV9TQV9JTklULCB0aGlzIGlzIHRvIGFtZW5kPHNwYW4gY2xhc3M9ImFw
cGxlLWNvbnZlcnRlZC1zcGFjZSI+Jm5ic3A7PC9zcGFuPjxhIGhyZWY9Imh0dHBzOi8vdG9vbHMu
aWV0Zi5vcmcvaHRtbC9kcmFmdC10amhhaS1pcHNlY21lLWh5YnJpZC1xc2tlLWlrZXYyLTAwIiBz
dHlsZT0iY29sb3I6IHJnYigxNDksIDc5LCAxMTQpOyB0ZXh0LWRlY29yYXRpb246IHVuZGVybGlu
ZTsiIGNsYXNzPSIiPjxzcGFuIHN0eWxlPSJjb2xvcjogcmdiKDE0OSwgNzksIDExNCk7IiBjbGFz
cz0iIj5odHRwczovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtdGpoYWktaXBzZWNtZS1oeWJy
aWQtcXNrZS1pa2V2Mi0wMDwvc3Bhbj48L2E+Lg0KIEFmdGVyIGhlYXJpbmcgdGhlIGRpc2N1c3Np
b24gZGVzY3JpYmVkIGFib3ZlIEkgd2FzIGdvaW5nIHRvIHBhcmsgdGhpcyBpZGVhIGFuZCBuZXZl
ciBzcGVhayBvZiBpdCBhZ2FpbiwgaG93ZXZlciBiZWZvcmUgSSBkbyB0aGlzIEnigJlkIGxpa2Ug
dG8gc2hhcmUgd2l0aCB0aGUgZ3JvdXAgZm9yIGNvbW1lbnRzLjxzcGFuIGNsYXNzPSJhcHBsZS1j
b252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj48L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9
IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJtYXJnaW46
IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENhbGlicmk7
IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Via2l0LXRl
eHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+DQo8c3Bh
biBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3JzsiIGNs
YXNzPSIiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIi
PjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFw
dDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNh
cHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6
IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNp
emU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+SSBwZXJzb25h
bGx5IGZlZWwgdGhpcyBpcyBhbiBlbGVnYW50IGFuZCBzaW1wbGUgbWV0aG9kIHRvIGFjaGlldmUg
c2VuZGluZyBvbmUgb3IgbW9yZSBxdWFudHVtIHJlc2lzdGFudCDigJhibG9ic+KAmS4gVGhlIG1h
aW4gYmVuZWZpdHMgYmVpbmc7PC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xh
c3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAu
MDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlh
bnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13
aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZv
bnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJz
cDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3Nw
YW4+PC9kaXY+DQo8cCBjbGFzcz0iTXNvTGlzdFBhcmFncmFwaCIgc3R5bGU9Im1hcmdpbi1yaWdo
dDogMGNtOyBtYXJnaW4tbGVmdDogMzZwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTog
J1RpbWVzIE5ldyBSb21hbic7IG1hcmdpbi1ib3R0b206IDAuMDAwMXB0OyB0ZXh0LWluZGVudDog
LTE4cHQ7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Vi
a2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyI+DQo8c3BhbiBz
dHlsZT0iZm9udC1mYW1pbHk6IENhbGlicmk7IiBjbGFzcz0iIj4xLjwvc3Bhbj48c3BhbiBzdHls
ZT0iZm9udC1zaXplOiA3cHQ7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDs8c3BhbiBjbGFzcz0iYXBwbGUtY29udmVydGVkLXNwYWNlIj4mbmJzcDs8L3NwYW4+PC9zcGFu
PjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcn
OyIgY2xhc3M9IiI+VGhlIElLRV9BVVRIIGV4Y2hhbmdlIGlzIHByb3RlY3RlZCB1c2luZw0KIHRo
ZSBxdWFudHVtIHNlY3VyZSBhbGdvcml0aG1zLiBTbyBhbGwgYXR0cmlidXRlcyB3aXRoaW4gdGhl
IElLRSBleGNoYW5nZSBhcmUgcHJvdGVjdGVkIGFnYWluc3QgcGFzc2l2ZSBhdHRhY2tzLCB3aGlj
aCB3b3VsZG7igJl0IGJlIHRoZSBjYXNlIHNob3VsZCB0aGUgcXVhbnR1bSByZXNpc3RhbnQg4oCY
YmxvYuKAmSBiZSBzZW50IGluIElLRV9BVVRILjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1mYW1p
bHk6IENhbGlicmk7IiBjbGFzcz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48L3A+DQo8
ZGl2IHN0eWxlPSJtYXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9u
dC1mYW1pbHk6IENhbGlicmk7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246
IHN0YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4
OyIgY2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250LWZhbWlseTog
J0NvdXJpZXIgTmV3JzsiIGNsYXNzPSIiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFz
cz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxwIGNsYXNzPSJNc29MaXN0
UGFyYWdyYXBoIiBzdHlsZT0ibWFyZ2luLXJpZ2h0OiAwY207IG1hcmdpbi1sZWZ0OiAzNnB0OyBm
b250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiAnVGltZXMgTmV3IFJvbWFuJzsgbWFyZ2luLWJv
dHRvbTogMC4wMDAxcHQ7IHRleHQtaW5kZW50OiAtMThwdDsgZm9udC12YXJpYW50LWNhcHM6IG5v
cm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBweDsg
d29yZC1zcGFjaW5nOiAwcHg7Ij4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTogQ2FsaWJyaTsi
IGNsYXNzPSIiPjIuPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDdwdDsiIGNsYXNzPSIi
PiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOzxzcGFuIGNsYXNzPSJhcHBsZS1jb252ZXJ0
ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFw
dDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj5UaGlzIGFsbG93cyBmb3Ig
YSBxdWFudHVtIHJlc2lzdGFudCBhdXRoZW50aWNhdGlvbg0KIG1ldGhvZCB0byBiZSBpbnRyb2R1
Y2VkIGludG8gSUtFX0FVVEggaW4gdGhlIGZ1dHVyZSwgdGhlcmVmb3JlIHByb3RlY3RpbmcgYWdh
aW5zdCBhY3RpdmUgYXR0YWNrcyB3aXRoIGEgcXVhbnR1bSBjb21wdXRlciBzaG91bGQgdGhpcyBv
Y2N1ci48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiBDYWxpYnJpOyIgY2xhc3M9IiI+
PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9wPg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20g
MGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250
LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0
cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5
bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0i
Ij4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286
cD48L3NwYW4+PC9kaXY+DQo8cCBjbGFzcz0iTXNvTGlzdFBhcmFncmFwaCIgc3R5bGU9Im1hcmdp
bi1yaWdodDogMGNtOyBtYXJnaW4tbGVmdDogMzZwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZh
bWlseTogJ1RpbWVzIE5ldyBSb21hbic7IG1hcmdpbi1ib3R0b206IDAuMDAwMXB0OyB0ZXh0LWlu
ZGVudDogLTE4cHQ7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0
OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyI+DQo8
c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6IENhbGlicmk7IiBjbGFzcz0iIj4zLjwvc3Bhbj48c3Bh
biBzdHlsZT0iZm9udC1zaXplOiA3cHQ7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDs8c3BhbiBjbGFzcz0iYXBwbGUtY29udmVydGVkLXNwYWNlIj4mbmJzcDs8L3NwYW4+
PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmll
ciBOZXcnOyIgY2xhc3M9IiI+QSBzaW1wbGUgbWV0aG9kIHRvIGZyYWdtZW50IHRoZSBxdWFudHVt
DQogc2VjdXJlIGtleSBleGNoYW5nZSBkYXRhIGluIElLRV9TQV9JTklUIGlzIGluY2x1ZGVkLCBo
b3dldmVyIHRoaXMgaXMgbm90IG1hbmRhdG9yeS4gRnJvbSBwZXJzb25hbCBleHBlcmllbmNlIEni
gJl2ZSBzZWVuIGEgZmV3IGNhc2VzIHdoZXJlIFJGQyA3MzgzIGZyYWdtZW50YXRpb24gaXMgcmVx
dWlyZWQgdG9kYXksIGhvd2V2ZXIgdGhlIHZhc3QgbWFqb3JpdHkgb2YgY3VzdG9tZXIgaW1wbGVt
ZW50YXRpb25zIGRvIG5vdCBleHBlcmllbmNlIGlzc3Vlcw0KIHdpdGggSVAgZnJhZ21lbnRzIGJl
aW5nIGRlbmllZCBhbmQgc28gZG8gbm90IHJlcXVpcmUgdGhlIGZ1bmN0aW9uYWxpdHkgcHJvdmlk
ZWQgYnkgUkZDNzM4MyAoYnV0IGZvciB0aGUgY2FzZXMgd2hlcmUgaXTigJlzIG5lZWRlZCwgaXTi
gJlzIGEgbGlmZXNhdmVyKS48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiBDYWxpYnJp
OyIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9wPg0KPGRpdiBzdHlsZT0i
bWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBD
YWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdl
YmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIi
Pg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5l
dyc7IiBjbGFzcz0iIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBj
bGFzcz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8cCBjbGFzcz0iTXNvTGlzdFBhcmFncmFwaCIg
c3R5bGU9Im1hcmdpbi1yaWdodDogMGNtOyBtYXJnaW4tbGVmdDogMzZwdDsgZm9udC1zaXplOiAx
MnB0OyBmb250LWZhbWlseTogJ1RpbWVzIE5ldyBSb21hbic7IG1hcmdpbi1ib3R0b206IDAuMDAw
MXB0OyB0ZXh0LWluZGVudDogLTE4cHQ7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQt
YWxpZ246IHN0YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2lu
ZzogMHB4OyI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6IENhbGlicmk7IiBjbGFzcz0iIj40
Ljwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOiA3cHQ7IiBjbGFzcz0iIj4mbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDs8c3BhbiBjbGFzcz0iYXBwbGUtY29udmVydGVkLXNwYWNlIj4m
bmJzcDs8L3NwYW4+PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFt
aWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+VGhlIGxhcmdlIHF1YW50dW0gcmVzaXN0YW50
IOKAmGJsb2LigJkgb2YgZGF0YQ0KIGlzIG9ubHkgc2VudCB3aGVuIGl0IGlzIGtub3duIHRoYXQg
dGhlIHBlZXIgd2lsbCBhY2NlcHQgdGhpcy4gVGhpcyBtaW5pbWlzZXMgZGVsYXlzIHdoZW4gZXN0
YWJsaXNoaW5nIElLRXYyIFNBcyBhbmQgbWluaW1pc2VzIHRoZSByaXNrIG9mIERvUyAoc2VlIHBv
aW50IDcpLjxzcGFuIGNsYXNzPSJhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj48
L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiBDYWxpYnJpOyIgY2xhc3M9IiI+PG86cCBj
bGFzcz0iIj48L286cD48L3NwYW4+PC9wPg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAu
MDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlh
bnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13
aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZv
bnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJz
cDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3Nw
YW4+PC9kaXY+DQo8cCBjbGFzcz0iTXNvTGlzdFBhcmFncmFwaCIgc3R5bGU9Im1hcmdpbi1yaWdo
dDogMGNtOyBtYXJnaW4tbGVmdDogMzZwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTog
J1RpbWVzIE5ldyBSb21hbic7IG1hcmdpbi1ib3R0b206IDAuMDAwMXB0OyB0ZXh0LWluZGVudDog
LTE4cHQ7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Vi
a2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyI+DQo8c3BhbiBz
dHlsZT0iZm9udC1mYW1pbHk6IENhbGlicmk7IiBjbGFzcz0iIj41Ljwvc3Bhbj48c3BhbiBzdHls
ZT0iZm9udC1zaXplOiA3cHQ7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDs8c3BhbiBjbGFzcz0iYXBwbGUtY29udmVydGVkLXNwYWNlIj4mbmJzcDs8L3NwYW4+PC9zcGFu
PjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcn
OyIgY2xhc3M9IiI+QmFja3dhcmRzIGNvbXBhdGliaWxpdHkgaXMgbWFpbnRhaW5lZCwgd2l0aA0K
IG1pbmltYWwgcmlzayB0aGF0IHRoZSBhZGRpdGlvbiBvZiBhIHF1YW50dW0gcmVzaXN0YW50IGV4
Y2hhbmdlIGNvdWxkIGNhdXNlIGFibm9ybWFsIGJlaGF2aW91ciB3aXRoIGRldmljZXMgdGhhdCBk
byBub3Qgc3VwcG9ydCB0aGUgbmV3IGF0dHJpYnV0ZXMuIFRoZSBRU0tFIGFyZSBhZHZlcnRpc2Vk
IHVzaW5nIGEgdHJhbnNmb3JtIHR5cGUgNCBncm91cHMuPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250
LWZhbWlseTogQ2FsaWJyaTsiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwv
cD4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFwdDsgZm9udC1zaXplOiAxMnB0
OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNhcHM6IG5vcm1hbDsgdGV4dC1h
bGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBweDsgd29yZC1zcGFjaW5n
OiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFt
aWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSIi
IGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPHAgY2xhc3M9Ik1z
b0xpc3RQYXJhZ3JhcGgiIHN0eWxlPSJtYXJnaW4tcmlnaHQ6IDBjbTsgbWFyZ2luLWxlZnQ6IDM2
cHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6ICdUaW1lcyBOZXcgUm9tYW4nOyBtYXJn
Ij4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBO
ZXcnOyIgY2xhc3M9IiI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHwmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsgfDwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpw
IGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBj
bSAwLjAwMDFwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12
YXJpYW50LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJv
a2Utd2lkdGg6IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxl
PSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IH4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgUXVhbnR1
bS1TYWZlIERhdGEmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgfjwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFz
cz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdp
bjogMGNtIDBjbSAwLjAwMDFwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJy
aTsgZm9udC12YXJpYW50LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQt
dGV4dC1zdHJva2Utd2lkdGg6IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxz
cGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIg
Y2xhc3M9IiI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHwmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgJm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7fDwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNz
PSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAw
MDFwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50
LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lk
dGg6IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250
LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYj
NDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7
LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYj
NDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7LSYjNDM7PC9zcGFu
PjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2
Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7
IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFs
aWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6
IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1p
bHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIg
Y2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJt
YXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENh
bGlicmk7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Vi
a2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+
DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3
JzsiIGNsYXNzPSIiPlRoZSBzaXplIG9mIHRoZSBRdWFudHVtLVNhZmUgRGF0YSBjYW4gYmUgdGhl
IHRvdGFsIGZyYWdtZW50cyAqIHBheWxvYWQgbGVuZ3RoID0gfiA0R0IsIHdoaWNoIHNlZW1zIHN1
ZmZpY2llbnQgZm9yIHRoZSBzaXplIG9mIHRoZSBRU0tFIHBheWxvYWRzIGRpc2N1c3NlZCBzbyBm
YXIuPC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9z
cGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNp
emU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFs
OyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3Jk
LXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsg
Zm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJzcDs8L3NwYW4+PHNwYW4g
c3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2
IHN0eWxlPSJtYXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1m
YW1pbHk6IENhbGlicmk7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0
YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIg
Y2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0Nv
dXJpZXIgTmV3JzsiIGNsYXNzPSIiPlRoZSB1c2Ugb2YgdGhlIEZyYWdtZW50YXRpb24gYml0IGlz
IG5vdCBtYW5kYXRvcnkuIEltcGxlbWVudGF0aW9ucyBjYW4gYXR0ZW1wdCB0byBzZW5kIHRoZSBJ
S0VfU0FfSU5JVCBwYXlsb2FkIGNvbnRhaW5pbmcgdGhlIFFTS0UgcGF5bG9hZCB3aXRob3V0IGZy
YWdtZW50YXRpb24gYXQgdGhlIElLRSBsYXllciwgb3B0aW5nIGZvcg0KIGZyYWdtZW50YXRpb24g
YXQgdGhlIElQIGxheWVyIGluc3RlYWQuIEltcGxlbWVudGF0aW9ucyBjYW4gaW5pdGlhbGx5IGV4
Y2x1ZGUgdGhlIHRoZSB1c2Ugb2YgZnJhZ21lbnRhdGlvbiBpbiB0aGUgUVNLRSBwYXlsb2FkLCBo
b3dldmVyIGlmIGNvbm5lY3Rpdml0eSBmYWlscyB3aGVuIG5vdCB1c2luZyBmcmFnbWVudGF0aW9u
IG9mIHRoZSBRU0tFLCBpdCBpcyBhc3N1bWVkIHRoYXQgdGhhdCB0cmFmZmljIGhhcyBiZWVuIGRl
bmllZCBkdWUgdG8gZnJhZ21lbnRhdGlvbg0KIGF0IHRoZSBJUCBsYXllciBhbmQgZnJhZ21lbnRh
dGlvbiBvZiB0aGUgUVNLRSBzaG91bGQgYmUgdXNlZCBpbnN0ZWFkLjwvc3Bhbj48c3BhbiBzdHls
ZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5
bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWls
eTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7
IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFz
cz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmll
ciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxv
OnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20g
MGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250
LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0
cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5
bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0i
Ij4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286
cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJtYXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7IGZv
bnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENhbGlicmk7IGZvbnQtdmFyaWFudC1jYXBzOiBu
b3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7
IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAx
MXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3JzsiIGNsYXNzPSIiPuKAlOKAlDwvc3Bhbj48
c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4N
CjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFwdDsgZm9udC1zaXplOiAxMnB0OyBm
b250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGln
bjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBweDsgd29yZC1zcGFjaW5nOiAw
cHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5
OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNs
YXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFy
Z2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxp
YnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtp
dC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0K
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7
IiBjbGFzcz0iIj5JbiB0aGUgZm9sbG93aW5nIGV4YW1wbGUgdGhlIEluaXRpYXRvciB3aWxsIHBy
b3Bvc2UgREggR3JvdXBzIDE0LDE5LDIxIGFuZCAzMCwzMiBhbmQgMzUgKGZpY3RpdGlvdXMgUVNL
RSBncm91cHMpLiBUaGUgSW5pdGlhdG9yIHNlbmRzIHRoZSBOKFFTS0UpLCB3aGljaCBpbmZvcm1z
IHRoZSByZXNwb25kZXIgdG8gY2hvb3NlICZndDs9MQ0KIFFTS0UgZ3JvdXBzIGFsb25nIHdpdGgg
YSBjbGFzc2ljIERIIGdyb3VwLjwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNs
YXNzPSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAw
LjAwMDFwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJp
YW50LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Ut
d2lkdGg6IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJm
b250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5i
c3A7PC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9z
cGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNp
emU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFs
OyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3Jk
LXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsg
Zm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj5UaGUgcmVzcG9uZGVyIHdpbGwg
cmV0dXJuIHRoZSBOKFFTS0UpIHBheWxvYWQsIGluZGljYXRpbmcgaXQgc3VwcG9ydHMgdGhlIFFT
S0UsIHRoZSBzZWN1cml0eSBhc3NvY2lhdGlvbiBpbmNsdWRlcyBESCBHcm91cHMgMTQsIDMwIGFu
ZCAzNSB3aGljaCBpbmZvcm1zIHRoZSBpbml0aWF0b3Igb2YgdGhlIFFTS0UgZ3JvdXBzIGl0IHNl
bGVjdHMNCiB0byB1c2UuPC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9
IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAw
MXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQt
Y2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0
aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQt
c2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJzcDs8
L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+
PC9kaXY+DQo8ZGl2IHN0eWxlPSJtYXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTog
MTJwdDsgZm9udC1mYW1pbHk6IENhbGlicmk7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRl
eHQtYWxpZ246IHN0YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3Bh
Y2luZzogMHB4OyIgY2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250
LWZhbWlseTogJ0NvdXJpZXIgTmV3JzsiIGNsYXNzPSIiPlRoZSBJbml0aWF0b3IgdGhlbiBzZW5k
cyB0aGUgUVNLRSdzIGFuZCBLRSBmb3IgdGhlIGdyb3VwcyBpdCB3aXNoZXMgdG8gdXNlLCBwbHVz
IHRoZSBpZGVudGljYWwgc2VjdXJpdHkgYXNzb2NpYXRpb25zIGFzIHdhcyBzZW50IGluIHRoZSBm
aXJzdCBleGNoYW5nZSAodG8gbWl0aWdhdGUgZG93bmdyYWRlIGF0dGFja3MpLiBOb3RlOg0KIFRo
ZSBSZXNwb25kZXIgc2hvdWxkIGNoZWNrIHRoYXQgdGhlIHJlY2VpdmVkIFFTS0UncyBpbiB0aGUg
c2VjdXJpdHkgYXNzb2NpYXRpb24gbWF0Y2ggd2l0aCBpdHMgcHJlZmVycmVkIHNlY3VyZSBRU0tF
J3MuIFRoaXMgaXMgdG8gbWl0aWdhdGUgdGhlIGZvbGxvd2luZyBhdHRhY2ssIEluaXRpYXRvciBz
ZW5kcyBTQSBjb250YWlucyBjZXJ0YWluIFFTS0UgaW4gdGhlIHNlY3VyaXR5IGFzc29jaWF0aW9u
IFJlc3BvbmRlciByZXNwb25kcywgYnV0IGF0dGFja2VyDQogbW9kaWZpZXMgdGhpcyByZXNwb25z
ZSB0byByZW1vdmUgdGhlIHNhaWQgUVNLRS4gVGhlIEluaXRpYXRvciB0aGVuIHBlcmZvcm1zIHRo
ZSBJS0VfU0FfSU5JVCBleGNsdWRpbmcgdGhlIFFTS0UgdGhhdCB3YXMgcmVtb3ZlZCBieSB0aGUg
YXR0YWNrZXIsJm5ic3A7IGluIHRoZSBRU0tFIChidXQgaXQncyBpbmNsdWRlZCBpbiB0aGUgc2Vj
dXJpdHkgYXNzb2NpYXRpb25zKS4gSGVuY2UgaWYgdGhlIHJlc3BvbmRlciB2ZXJpZmllcyB0aGF0
IHRoZSByZWNlaXZlZA0KIFFTS0UgbWF0Y2ggdGhlIHJlY2VpdmVkIHNlY3VyaXR5IGFzc29jaWF0
aW9ucywgaXQgd2lsbCBtaXRpZ2F0ZSB0aGlzIGF0dGFjay48L3NwYW4+PHNwYW4gc3R5bGU9IiIg
Y2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJt
YXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENh
bGlicmk7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Vi
a2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+
DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3
JzsiIGNsYXNzPSIiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNs
YXNzPSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAw
LjAwMDFwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJp
YW50LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Ut
d2lkdGg6IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJm
b250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5i
c3A7PC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9z
cGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNp
emU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFs
OyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3Jk
LXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsg
Zm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsmbmJzcDsg
SW5pdGlhdG9yJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7IFJlc3BvbmRlcjwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIi
PjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFw
dDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNh
cHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6
IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNp
emU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7Jm5i
c3A7IC0tLS0tLS0tLS0tJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IC0t
LS0tLS0tLS0tPC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9v
OnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBm
b250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczog
bm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4
OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTog
MTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsg
SERSLCBTQWkxLCBOaSxLRWkgJm5ic3A7Jm5ic3A7IC0tJmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyAoREggR3JvdXBzIDE0LDE5LDIxIGFuZCAzMCwzMiBhbmQgMzUpPC9zcGFuPjxzcGFuIHN0eWxl
PSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHls
ZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5
OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsg
LXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNz
PSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVy
IE5ldyc7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgTihRU0tFKTwv
c3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48
L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFwdDsgZm9udC1zaXplOiAx
MnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNhcHM6IG5vcm1hbDsgdGV4
dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBweDsgd29yZC1zcGFj
aW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQt
ZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxl
PSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHls
ZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5
OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsg
LXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNz
PSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVy
IE5ldyc7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgJmx0Oy0tJm5ic3A7Jm5ic3A7IEhE
UiwgU0FyMSwgTihDT09LSUUpLFtOKFFTS0UpXSZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyAoREggR3JvdXBzIDE0LCAzMCBhbmQgMzUpPC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNs
YXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFy
Z2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxp
YnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtp
dC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0K
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7
IiBjbGFzcz0iIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFz
cz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJtYXJnaW46IDBjbSAwY20gMC4w
MDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENhbGlicmk7IGZvbnQtdmFyaWFu
dC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdp
ZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9u
dC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3JzsiIGNsYXNzPSIiPiZuYnNw
Ozwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bh
bj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFwdDsgZm9udC1zaXpl
OiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNhcHM6IG5vcm1hbDsg
dGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBweDsgd29yZC1z
cGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZv
bnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7Jm5ic3A7IEhEUiwgTihD
T09LSUUpLCBTQWkxLCZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAoU0Eg
Y29udGFpbnMgREggR3JvdXBzIDE0LDE5LDIxIGFuZCAzMCwzMiBhbmQgMzUpPC9zcGFuPjxzcGFu
IHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRp
diBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQt
ZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBz
dGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsi
IGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdD
b3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsmbmJzcDsgS0VpLCBOaSwgUVNLRWkt
MS8zJm5ic3A7IC0tJmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAoS0UgaXMgR3JvdXAgMTQsIFFT
S0UxIGlzIEdyb3VwIDMwLCBmcmFnbWVudCAxIG9mIDMpPC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNs
YXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFy
Z2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxp
YnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtp
dC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0K
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7
IiBjbGFzcz0iIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFz
cz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJtYXJnaW46IDBjbSAwY20gMC4w
MDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENhbGlicmk7IGZvbnQtdmFyaWFu
dC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdp
ZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9u
dC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3JzsiIGNsYXNzPSIiPiZuYnNw
OyZuYnNwOyBIRFIsIFFTS0VpLTIvMyZuYnNwOyAmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgLS0m
Z3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IChRU0tFMSBpcyBHcm91cCAzMCwgZnJhZ21lbnQgMiBv
ZiAzKTwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwv
c3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFwdDsgZm9udC1z
aXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNhcHM6IG5vcm1h
bDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBweDsgd29y
ZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7
IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7PC9zcGFuPjxzcGFu
IHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRp
diBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQt
ZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBz
dGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsi
IGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdD
b3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsgSERSLCBRU0tFaS0zLzMmbmJzcDsg
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IC0tJmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAoUVNL
RTEgaXMgR3JvdXAgMzAsIGZyYWdtZW50IDMgb2YgMyk8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xh
c3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJtYXJn
aW46IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENhbGli
cmk7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Via2l0
LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+DQo8
c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3Jzsi
IGNsYXNzPSIiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNz
PSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAw
MDFwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50
LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lk
dGg6IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250
LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7
Jm5ic3A7IEhEUiwgUVNLRWkyLTEvNCZuYnNwOyAmbmJzcDsmbmJzcDsmbmJzcDsgLS0mZ3Q7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7IChRU0tFMiBpcyBHcm91cCAzNSwgZnJhZ21lbnQgMSBvZiA0KTwv
c3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48
L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFwdDsgZm9udC1zaXplOiAx
MnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNhcHM6IG5vcm1hbDsgdGV4
dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBweDsgd29yZC1zcGFj
aW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQt
ZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxl
PSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHls
ZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5
OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsg
LXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNz
PSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVy
IE5ldyc7IiBjbGFzcz0iIj4mbmJzcDsmbmJzcDsgSERSLCBRU0tFaTItMi80Jm5ic3A7ICZuYnNw
OyZuYnNwOyZuYnNwOyAtLSZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgKFFTS0UyIGlzIEdyb3Vw
IDM1LCBmcmFnbWVudCAyIG9mIDQpPC9zcGFuPjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAg
Y2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNt
IDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZh
cmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFsaWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9r
ZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9
ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1pbHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4m
bmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48
L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJtYXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQt
c2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENhbGlicmk7IGZvbnQtdmFyaWFudC1jYXBzOiBub3Jt
YWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdv
cmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMXB0
OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3JzsiIGNsYXNzPSIiPiZuYnNwOyZuYnNwOyBIRFIs
IFFTS0VpMi0zLzQmbmJzcDsgJm5ic3A7Jm5ic3A7Jm5ic3A7IC0tJmd0OyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyAoUVNLRTIgaXMgR3JvdXAgMzUsIGZyYWdtZW50IDMgb2YgNCk8L3NwYW4+PHNwYW4g
c3R5bGU9IiIgY2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2
IHN0eWxlPSJtYXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1m
YW1pbHk6IENhbGlicmk7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0
YXJ0OyAtd2Via2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIg
Y2xhc3M9IiI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0Nv
dXJpZXIgTmV3JzsiIGNsYXNzPSIiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0i
Ij48bzpwIGNsYXNzPSIiPjwvbzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjog
MGNtIDBjbSAwLjAwMDFwdDsgZm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsg
Zm9udC12YXJpYW50LWNhcHM6IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4
dC1zdHJva2Utd2lkdGg6IDBweDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFu
IHN0eWxlPSJmb250LXNpemU6IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xh
c3M9IiI+Jm5ic3A7Jm5ic3A7IEhEUiwgUVNLRWkyLTQvNCZuYnNwOyAmbmJzcDsmbmJzcDsmbmJz
cDsgLS0mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IChRU0tFMiBpcyBHcm91cCAzNSwgZnJhZ21l
bnQgNCBvZiA0KTwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIiPjwv
bzpwPjwvc3Bhbj48L2Rpdj4NCjxkaXYgc3R5bGU9Im1hcmdpbjogMGNtIDBjbSAwLjAwMDFwdDsg
Zm9udC1zaXplOiAxMnB0OyBmb250LWZhbWlseTogQ2FsaWJyaTsgZm9udC12YXJpYW50LWNhcHM6
IG5vcm1hbDsgdGV4dC1hbGlnbjogc3RhcnQ7IC13ZWJraXQtdGV4dC1zdHJva2Utd2lkdGg6IDBw
eDsgd29yZC1zcGFjaW5nOiAwcHg7IiBjbGFzcz0iIj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6
IDExcHQ7IGZvbnQtZmFtaWx5OiAnQ291cmllciBOZXcnOyIgY2xhc3M9IiI+Jm5ic3A7PC9zcGFu
PjxzcGFuIHN0eWxlPSIiIGNsYXNzPSIiPjxvOnAgY2xhc3M9IiI+PC9vOnA+PC9zcGFuPjwvZGl2
Pg0KPGRpdiBzdHlsZT0ibWFyZ2luOiAwY20gMGNtIDAuMDAwMXB0OyBmb250LXNpemU6IDEycHQ7
IGZvbnQtZmFtaWx5OiBDYWxpYnJpOyBmb250LXZhcmlhbnQtY2Fwczogbm9ybWFsOyB0ZXh0LWFs
aWduOiBzdGFydDsgLXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4OyB3b3JkLXNwYWNpbmc6
IDBweDsiIGNsYXNzPSIiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTFwdDsgZm9udC1mYW1p
bHk6ICdDb3VyaWVyIE5ldyc7IiBjbGFzcz0iIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9IiIg
Y2xhc3M9IiI+PG86cCBjbGFzcz0iIj48L286cD48L3NwYW4+PC9kaXY+DQo8ZGl2IHN0eWxlPSJt
YXJnaW46IDBjbSAwY20gMC4wMDAxcHQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC1mYW1pbHk6IENh
bGlicmk7IGZvbnQtdmFyaWFudC1jYXBzOiBub3JtYWw7IHRleHQtYWxpZ246IHN0YXJ0OyAtd2Vi
a2l0LXRleHQtc3Ryb2tlLXdpZHRoOiAwcHg7IHdvcmQtc3BhY2luZzogMHB4OyIgY2xhc3M9IiI+
DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMXB0OyBmb250LWZhbWlseTogJ0NvdXJpZXIgTmV3
JzsiIGNsYXNzPSIiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyAmbHQ7LS0mbmJzcDsgSERSLCBTQXIxLCBOciwgS0VyLCAmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsgKEtFIGlzIEdyb3VwIDE0LCBRU0tFMSBpcyBHcm91cCAzMCwgZnJh
Z21lbnQgMSBvZiAzKTwvc3Bhbj48c3BhbiBzdHlsZT0iIiBjbGFzcz0iIj48bzpwIGNsYXNzPSIi

--_000_B991A75E0473428E95B839491D0EB098isaracorpcom_--


From nobody Wed Aug  9 11:00:37 2017
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8361132463 for <ipsec@ietfa.amsl.com>; Wed,  9 Aug 2017 11:00:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7YAyXYVQvrKN for <ipsec@ietfa.amsl.com>; Wed,  9 Aug 2017 11:00:33 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F2EF1321BF for <ipsec@ietf.org>; Wed,  9 Aug 2017 11:00:33 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 21A472009E for <ipsec@ietf.org>; Wed,  9 Aug 2017 14:02:48 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 6A6BF80717 for <ipsec@ietf.org>; Wed,  9 Aug 2017 14:00:32 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "ipsec\@ietf.org" <ipsec@ietf.org>
In-Reply-To: <22922.57101.227283.113155@fireball.acr.fi>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <1501968567726.89885@post-quantum.com> <22922.57101.227283.113155@fireball.acr.fi>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Wed, 09 Aug 2017 14:00:32 -0400
Message-ID: <7769.1502301632@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AISC38X9YbTaqkC346ahWTsc1Uk>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 18:00:36 -0000

--=-=-=
Content-Type: text/plain


Tero Kivinen <kivinen@iki.fi> wrote:
    > Actually I think it would be better NOT to change IKE_SA_INIT at all,
    > but instead add new exchange between the IKE_SA_INIT and IKE_AUTH.

I agree.  All of the DoS (cookie, etc.) defense and switch to TCP, and
detection of NAT-T, etc. is in the IKE_SA_INIT, and so doing any kind of
fragmentation in IKE_SA_INIT is a bad idea.

    > Then we do another exchange before the IKE_AUTH, i.e. we do PRE_AUTH
    > exchange before IKE_AUTH using message id 1 (or even message ids 2, 3,
    > 4, etc, as many as are needed). This step does the large blob exchange

Agreed.

    > PRE_AUTH message exchanges before moving to the IKE_AUTH.  This means
    > that the PRE_AUTH exchange most likely needs to have some way of
    > telling the other end when it is done, and when to move to IKE_AUTH.

    > IKE_AUTH then would be just normal IKE_AUTH.

The initiator will know when it is done, won't it? Can't it just move to
IKE_AUTH when it knows it is done?

Is the size of QSKE blob that the responder has to return to initiator likely
to be either unknown to the initiator or very different than the
initiator->responder direction?

    > The fact whether we need the PRE_AUTH exchange can be negotiated in the
    > IKE_SA_INIT, either using transform types in SA payload, or using the
    > notify payloads.

Agreed.  I think it needs to be a new transform type.

    > Also if we split data to less than 64k chunks anyways, it might also be
    > better not to use IKEv2 fragmentation, but instead just send several
    > PRE_AUTH exchanges instead.

How big are the blobs?  Your text seems to imply they might be very big.

    > Note, that the PRE_AUTH happening between IKE_SA_INIT and IKE_AUTH
    > would be encrypted, and MACed, but it WILL NOT be authenticated, i.e.,
    > we have not yet authenticated the other peer, and we will not include
    > those octets to the AUTH payload calculations, so they will not be
    > authenticated in AUTH phase, like the IKE_SA_INIT contents will be
    > authenticated.

Why couldn't we include those octets in the AUTH phase?

BTW, I don't like the name "PRE_AUTH", I think it should be something like
"AUTH_OBJECTS" or "AUTH_ARTIFACTS".

    > I think this kind of step between IKE_SA_INIT and IKE_AUTH might be
    > easiest and most generic way of transferring the QSKE data. We will be
    > transferring large amount of data anyways, so trying to put it part of
    > IKE_SA_INIT is not useful, and trying to play around with cookies, and
    > IKE_SA_INIT modifications is just adding complexity.

I agree strongly.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=--


From nobody Wed Aug  9 11:12:18 2017
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CB71132448 for <ipsec@ietfa.amsl.com>; Wed,  9 Aug 2017 11:12:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FtatI_x1puwq for <ipsec@ietfa.amsl.com>; Wed,  9 Aug 2017 11:12:15 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 686A713245E for <ipsec@ietf.org>; Wed,  9 Aug 2017 11:12:15 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 666632009E; Wed,  9 Aug 2017 14:14:30 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id A6C5580717; Wed,  9 Aug 2017 14:12:14 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
cc: "Graham Bartlett \(grbartle\)" <grbartle@cisco.com>, "ipsec\@ietf.org" <ipsec@ietf.org>
In-Reply-To: <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Wed, 09 Aug 2017 14:12:14 -0400
Message-ID: <10412.1502302334@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Pz2xyNmaB1ECjRnB4b-4jgtFmVo>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-List-Received-Date: Wed, 09 Aug 2017 18:12:17 -0000

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Daniel Van Geest <Daniel.VanGeest@isara.com> wrote:
    > transform *attributes*, but not about transforms). My point here is
    > that if a responder may choose any of the proposed transforms then for
    > the first proposal to be QS it must not contain any quantum-insecure
    > transforms, or the responder must be modified to understand which
    > ENCR/PRF transforms are QS and to pick them when creating a QS
    > connection (and to fail if no QS algorithms are proposed).

I don't see this as an issue.  Perhaps it needs to be well explained, but
generally in IKEv2 we use (UI) suites to configure things.

    > Then if an
    > initiator wants to create QS SAs, but also wants to interoperate with
    > (very?) old responders who don’t support AES-256 or PRF_HMAC_SHA2_384+
    > then they will need a second non-QS proposal in their SA list.

Sure, that's exactly what they will do during the transition time (which may
be a few years... some entities stupidly refuse to even patch systems,
preferring to just replace them with new hardware every three years.)
They will propose a set of things that is compatible to the future and to the
past, and over time the old stuff gets removed from the policy.

    > I don’t find the re-use of transform 4 in this proposal, and the
    > implicit combination of QS + non-QS algorithms, to be the most elegant,
    > though I can understand it in the context of not wanting to add a new
    > transform type.

So you are suggesting that the QR mechanism be a new transform type then?
I could live with that actually since it makes the combinatorics easier to
manage.

    > The idea is to add the new transform type 6 (Q-S-Group) like CJ’s
    > proposal, but don’t include it in the SA payload. Rather, introduce a
    > new QS_SA payload which would be identical in structure to the SA
    > payload except that it would also include the Q-S-Group transform
    > type. An endpoint could configure the proposals in this payload to

I don't think we need to do this.
I think that unknown transform types will be ignored by compliant
implementations.

    > Something to keep in mind is that many QS key agreement algorithms
    > don’t have exactly the same message flow as Diffie Hellman. With DH,
    > each endpoint’s public/private keys can be generated independently of
    > each other. But many QS algorithms have an initiator-responder flow, so
    > the responder can only generate its public key once it has processed
    > the initiator’s public key. We just need to keep this in mind when
    > designing the flow of the PRE_AUTH messages. An initiator can’t send
    > the first chunk of a public key, and the responder reply with the first
    > chunk of their public key, the responder would need to process all
    > initiator chunks for that key first. This means the initiator would
    > have to send a special acknowledgement response for chunks that don’t
    > complete a public key rather than responding with a partial key when
    > receiving a partial key.

Would the initiator know how much data to expect from the responder?
If so, the initiator can just keep sending query messages to get new blocks
of data back.

    > Also note that StrongSwan’s code assumes that IKE_AUTH will always have
    > a message ID of 1, but this won’t hold if there are one or more

That's a bug, we both agree.

    > 4) That was long

:-)

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=--
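
Added example, not part of the messages above and not taken from any draft or implementation: a small Python simulation of the chunked PRE_AUTH flow being discussed, in which a peer holding only a partial key answers with a bare acknowledgement and the initiator then polls with query messages until it has the amount of data it expects. The message shapes, CHUNK size, buffering cap and the SHA-256 stand-in for a QS key agreement are all assumptions.

```python
import hashlib

CHUNK = 1200           # assumed payload budget per PRE_AUTH message, in bytes
MAX_KEY = 128 * 1024   # assumed cap on data buffered from an unauthenticated peer


def split(blob, size=CHUNK):
    """Cut a blob into chunks of at most `size` bytes."""
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def toy_responder_blob(initiator_key, out_len):
    """Stand-in for the responder step of a QS key agreement (NOT a real KEM).
    Its output depends on the complete initiator key, so it cannot be
    produced while only part of that key has arrived."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(counter.to_bytes(4, "big") + initiator_key).digest()
        counter += 1
    return out[:out_len]


class Responder:
    def __init__(self, expected_in, out_len):
        # Sizes are assumed to follow from the algorithm negotiated in IKE_SA_INIT.
        if not 0 < expected_in <= MAX_KEY or out_len <= 0:
            raise ValueError("negotiated sizes outside local limits")
        self.expected_in = expected_in
        self.out_len = out_len
        self.buf = bytearray()
        self.out_chunks = None   # set once the whole initiator key has arrived
        self.next_mid = 1        # IKE_SA_INIT used message ID 0

    def handle(self, mid, kind, data=b""):
        """Process one request; returns (reply_kind, reply_data)."""
        if mid != self.next_mid:
            raise ValueError("unexpected message ID")
        if kind == "DATA" and self.out_chunks is None:
            if len(self.buf) + len(data) > self.expected_in:
                raise ValueError("more key data than negotiated")
            self.buf += data
            self.next_mid += 1
            if len(self.buf) < self.expected_in:
                return ("ACK", b"")          # partial key: acknowledge only
            self.out_chunks = split(
                toy_responder_blob(bytes(self.buf), self.out_len))
            return ("DATA", self.out_chunks.pop(0))
        if kind == "QUERY" and self.out_chunks:
            self.next_mid += 1
            return ("DATA", self.out_chunks.pop(0))
        raise ValueError("request not valid in this state")


def run_exchange(initiator_key, out_len):
    """Drive the whole exchange from the initiator side.

    Returns (responder_blob, log, ike_auth_mid) where log holds one
    (message_id, request_kind, reply_kind) tuple per exchange."""
    resp = Responder(len(initiator_key), out_len)
    log, received, mid = [], bytearray(), 1
    for chunk in split(initiator_key):
        kind, data = resp.handle(mid, "DATA", chunk)
        log.append((mid, "DATA", kind))
        received += data
        mid += 1
    # The initiator knows out_len, so it keeps querying until it has it all
    # and then moves on to IKE_AUTH by itself.
    while len(received) < out_len:
        kind, data = resp.handle(mid, "QUERY")
        log.append((mid, "QUERY", kind))
        received += data
        mid += 1
    return bytes(received), log, mid


if __name__ == "__main__":
    key = b"\x01" * 3000                       # constructed sample key
    blob, log, auth_mid = run_exchange(key, 2500)
    for entry in log:
        print(entry)
    print("IKE_AUTH would use message ID", auth_mid)
```

With these constructed sizes IKE_AUTH ends up on message ID 6, which is why an implementation that hard-codes message ID 1 for IKE_AUTH cannot carry such an exchange.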


From nobody Wed Aug  9 11:56:53 2017
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B29CD132489 for <ipsec@ietfa.amsl.com>; Wed,  9 Aug 2017 11:56:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dVoZzZXoT2SU for <ipsec@ietfa.amsl.com>; Wed,  9 Aug 2017 11:56:32 -0700 (PDT)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) by ietfa.amsl.com (Postfix) with ESMTP id 8236A13248A for <ipsec@ietf.org>; Wed,  9 Aug 2017 11:56:30 -0700 (PDT)
Received: from 172-1-110-12.lightspeed.sntcca.sbcglobal.net (HELO cas.isaracorp.com) ([172.1.110.12]) by ip2.isaracorp.com with ESMTP; 09 Aug 2017 18:56:18 +0000
Received: from mb.isaracorp.com (2002:ac01:6e0b::ac01:6e0b) by mb.isaracorp.com (2002:ac01:6e0b::ac01:6e0b) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 9 Aug 2017 14:56:23 -0400
Received: from mb.isaracorp.com ([fe80::9056:5d62:46d0:fe1f]) by mb.isaracorp.com ([fe80::9056:5d62:46d0:fe1f%12]) with mapi id 15.00.1044.021; Wed, 9 Aug 2017 14:56:23 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "Graham Bartlett (grbartle)" <grbartle@cisco.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJ8WOuAgABHkQCAAAxWgA==
Date: Wed, 9 Aug 2017 18:56:23 +0000
Message-ID: <BBE32F9A-E845-482E-8FEB-44722DE6FE60@isaracorp.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com> <10412.1502302334@obiwan.sandelman.ca>
In-Reply-To: <10412.1502302334@obiwan.sandelman.ca>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.25.5.201]
Content-Type: multipart/alternative; boundary="_000_BBE32F9AE845482E8FEB44722DE6FE60isaracorpcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3CMF7zbqg-5IEQzCWcAHHUPj5Xw>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-List-Received-Date: Wed, 09 Aug 2017 18:56:35 -0000

--_000_BBE32F9AE845482E8FEB44722DE6FE60isaracorpcom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

On Aug 9, 2017, at 2:12 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> > I don’t find the re-use of transform 4 in this proposal, and the
> > implicit combination of QS + non-QS algorithms, to be the most elegant,
> > though I can understand it in the context of not wanting to add a new
> > transform type.
>
> So you are suggesting that the QR mechanism be a new transform type then?
> I could live with that actually since it makes the combinatorics easier to
> manage.

Yes, I’m suggesting reconsidering putting the QR key agreement algorithms
in a new transform type. This is part of CJ’s & co's suggestion from the
original draft, but this was rejected in Prague. Their transform type was
added to the proposals in the SA payload, while I’m suggesting only using
it in a new QS_SA payload. (Perhaps eventually it could migrate to the SA
payload in future drafts if non-QR connections ever need to be removed from
IKEv2).

> > The idea is to add the new transform type 6 (Q-S-Group) like CJ’s
> > proposal, but don’t include it in the SA payload. Rather, introduce a
> > new QS_SA payload which would be identical in structure to the SA
> > payload except that it would also include the Q-S-Group transform
> > type. An endpoint could configure the proposals in this payload to
>
> I don't think we need to do this.
> I think that unknown transform types will be ignored by compliant
> implementations.

The reason why the original suggestion was rejected in Prague was because
of backwards compatibility issues with non-compliant implementations. From
experience, StrongSwan is non-compliant in this regard. If it receives a
proposal with a transform type that it doesn’t understand it will pretend
that the transform type isn’t there rather than rejecting the proposal and
moving on to the next one. Thus it can end up responding with a proposal
which the initiator didn’t suggest.

For example, if the initiator is configured to send:

ike=aes256-sha512-modp3072-newhope128,aes128-sha256-modp2048!

A non-upgraded StrongSwan will reply with:

aes256-sha512-modp3072

which from the initiator’s perspective is not one of its suggestions. The
initiator will then error out and fail to establish the connection. We
could define this new transform type as optional and hope that other
implementations don’t behave even more poorly than this. But maybe an
initiator doesn’t want to use aes256-sha512-modp3072 if it’s not talking to
an upgraded responder, maybe for performance reasons it would prefer using
weaker primitives with them.

Putting the QS proposals in a separate QS_SA payload would also allow an
initiator to mark the payload as critical if it wants to require QS
connections.

> > Something to keep in mind is that many QS key agreement algorithms
> > don’t have exactly the same message flow as Diffie Hellman. With DH,
> > each endpoint’s public/private keys can be generated independently of
> > each other. But many QS algorithms have an initiator-responder flow, so
> > the responder can only generate its public key once it has processed
> > the initiator’s public key. We just need to keep this in mind when
> > designing the flow of the PRE_AUTH messages. An initiator can’t send
> > the first chunk of a public key, and the responder reply with the first
> > chunk of their public key, the responder would need to process all
> > initiator chunks for that key first. This means the initiator would
> > have to send a special acknowledgement response for chunks that don’t
> > complete a public key rather than responding with a partial key when
> > receiving a partial key.
>
> Would the initiator know how much data to expect from the responder?
> If so, the initiator can just keep sending query messages to get new blocks
> of data back.

I’d answer that with a tentative yes. From the algorithms I’ve seen that’s
the case, though one could imagine an algorithm where some (possibly
non-deterministic amount of?) padding is added for some reason or other?
Regardless, even if the initiator doesn’t know the amount of data to
expect, it can keep querying and the responder payload could include a
terminator flag indicating it is the last chunk of data.

If we decide that we want to be able to break up the QR public key payloads
across multiple message exchanges, then do we have to add some mechanism
for the endpoints to agree on the maximum size of each message? Declaring a
chunk size as part of the spec may not be a good idea because some QR
public keys are ~1.5Kb while others are >64Kb. So picking a small chunk
size to avoid IKEv2 fragmentation means many message exchanges when using
large key sizes, but picking large chunk sizes increases the chances of
dropping IKEv2 fragments and having to retransmit entire messages.

—
Daniel Van Geest (daniel.vangeest@isara.com)
https://www.isara.com/

--_000_BBE32F9AE845482E8FEB44722DE6FE60isaracorpcom_--


From nobody Wed Aug  9 11:59:43 2017
From: Cen Jung Tjhai <CJT@post-quantum.com>
To: Tero Kivinen <kivinen@iki.fi>, Valery Smyslov <svanru@gmail.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Wed, 9 Aug 2017 18:59:37 +0000
Message-ID: <E8A3B50A-62D1-4211-B39F-932C9C959AF1@post-quantum.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <22922.55551.190123.31763@fireball.acr.fi>
In-Reply-To: <22922.55551.190123.31763@fireball.acr.fi>
Content-Type: text/plain; charset="utf-8"
Content-ID: <66D3DE74ED4A724A973134F053A34FEF@post-quantum.com>
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/6KKKecgAfFdy9uNafNWLFGgS6EQ>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

>>> The only reason that comes to my mind is that you don’t fully trust
>>> QSKE. Are there any other reasons?

>>I think that is one of the main reasons. Especially as we do not know
>>which QSKE we are talking about.

Another reason for not removing KE is potentially due to a FIPS requirement. According to NIST (http://csrc.nist.gov/groups/ST/post-quantum-crypto/faq.html#Q1), if we have a hybrid key exchange, i.e. KE + post-quantum KE, the KE part can still go through FIPS validation and can still be FIPS-certified (until FIPS covers post-quantum algorithms).

While draft-00 makes some references to a few post-quantum algorithms, we think one should think of the draft as providing a framework on how to exchange post-quantum blobs. We are currently updating the draft to remove references to these algorithms in the main text.

It’s best to let standardization bodies come up with standards for post-quantum algorithms.


From nobody Wed Aug  9 12:30:53 2017
From: Cen Jung Tjhai <CJT@post-quantum.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Wed, 9 Aug 2017 19:30:46 +0000
Message-ID: <5FBE6EC2-EAEF-419A-BFB7-CA42F65F4B16@post-quantum.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <1501968567726.89885@post-quantum.com> <22922.57101.227283.113155@fireball.acr.fi> <7769.1502301632@obiwan.sandelman.ca>
In-Reply-To: <7769.1502301632@obiwan.sandelman.ca>
Content-Type: text/plain; charset="utf-8"
Content-ID: <705C203BFDADE8478D9759F2BC8F4243@post-quantum.com>
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RANK8HcRs1Sz7bQXhYaGMCZj8VE>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

>>> Is the size of QSKE blob that the responder has to return to initiator likely
>>> to be either unknown to the initiator or very different than the
>>> initiator->responder direction?

I believe Daniel has touched on this. But let me add more information on this specific query. There are two kinds of key-exchange mechanism for post-quantum algorithms, namely Diffie-Hellman-like and KEM. For DH-like, from what we investigated so far, the public data is pretty much of equal size for both directions. On the other hand, for KEM, this could be very asymmetric. The blob sent by the initiator to responder could be 1MB in size, and this is the public-key of the initiator. The responder then needs to sample some random data, encrypt it and send it back to the responder. The size of this ciphertext could well just be 1KB. Because the size of this ciphertext is dependent on the size of the random data, a KEM algorithm may need to specify the size of the random data. It could be similar to the case of ENCR where there is an attribute to specify the key size, or it could be fixed.

In both cases, once the parameters are agreed, the blob size is known in advance.

CJ

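Added example, not part of the message above or of the draft: because the blob size in each direction is fixed once the parameters are agreed, a receiver can refuse any chunk that does not fit the negotiated length instead of buffering whatever the peer sends. The parameter sets, the chunk indexing and all names below are hypothetical; the KEM sizes reuse the 1MB and 1KB figures from the message and the DH-like size is constructed.

```python
import math
from dataclasses import dataclass, field


class BlobError(ValueError):
    """A peer's key-exchange blob does not match the negotiated parameters."""


@dataclass(frozen=True)
class ParamSet:
    kind: str            # "dh-like" or "kem"
    initiator_len: int   # bytes sent initiator -> responder
    responder_len: int   # bytes sent responder -> initiator


# Constructed parameter sets, not real algorithms.
PARAMS = {
    "toy-dh-like": ParamSet("dh-like", 2048, 2048),        # symmetric sizes
    "toy-kem": ParamSet("kem", 1024 * 1024, 1024),         # public key vs ciphertext
}


def expected_len(params, sender):
    """Length of the blob that `sender` must transmit under `params`."""
    if sender == "initiator":
        return params.initiator_len
    if sender == "responder":
        return params.responder_len
    raise BlobError(f"unknown sender role: {sender!r}")


def chunks_needed(total_len, max_chunk):
    """Number of chunks needed when each chunk carries at most max_chunk bytes."""
    if max_chunk <= 0:
        raise ValueError("max_chunk must be positive")
    return math.ceil(total_len / max_chunk)


@dataclass
class Reassembler:
    """Collects in-order chunks and never buffers more than the agreed length."""
    params: ParamSet
    sender: str
    max_chunk: int
    _buf: bytearray = field(default_factory=bytearray)
    _next_index: int = 0

    @property
    def remaining(self):
        return expected_len(self.params, self.sender) - len(self._buf)

    def feed(self, index, chunk):
        """Accept one chunk; return True once the blob is complete."""
        if self.remaining == 0:
            raise BlobError("blob already complete, extra data rejected")
        if index != self._next_index:
            raise BlobError(f"expected chunk {self._next_index}, got {index}")
        # Every chunk is full-sized except the last, which is exactly the rest.
        # This one comparison rejects empty, oversized and overrunning chunks.
        want = min(self.max_chunk, self.remaining)
        if len(chunk) != want:
            raise BlobError(f"chunk {index}: {len(chunk)} bytes, expected {want}")
        self._buf += chunk
        self._next_index += 1
        return self.remaining == 0

    def blob(self):
        if self.remaining:
            raise BlobError(f"blob incomplete, {self.remaining} bytes missing")
        return bytes(self._buf)


def deliver(params, sender, blob, max_chunk):
    """Split `blob`, feed it to a Reassembler, return (blob, chunks_used)."""
    r = Reassembler(params, sender, max_chunk)
    done = False
    for i in range(0, len(blob), max_chunk):
        done = r.feed(i // max_chunk, blob[i:i + max_chunk])
    if not done:
        raise BlobError("blob shorter than negotiated length")
    return r.blob(), r._next_index


if __name__ == "__main__":
    kem = PARAMS["toy-kem"]
    for sender in ("initiator", "responder"):
        n = expected_len(kem, sender)
        print(sender, n, "bytes ->", chunks_needed(n, 1200), "chunk(s)")
```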


From nobody Fri Aug 11 07:12:16 2017
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Fri, 11 Aug 2017 14:12:10 +0000
Message-ID: <CY4PR09MB14646706A7F252B221FC4F0DF3890@CY4PR09MB1464.namprd09.prod.outlook.com>
Content-Type: multipart/alternative; boundary="_000_CY4PR09MB14646706A7F252B221FC4F0DF3890CY4PR09MB1464namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/VKLHSshIYoakBcUljNubkRMqYxY>
Subject: [IPsec] Preference of ESP over AH in RFC7321bis question.

--_000_CY4PR09MB14646706A7F252B221FC4F0DF3890CY4PR09MB1464namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi all,


In RFC 7321, we basically said that ESP is preferred over AH. However, that
recommendation is not in the current RFC7321bis.


Was that an accidental mistake or because people using AH wanted to remove
that recommendation?


Thank you,

Quynh.

--_000_CY4PR09MB14646706A7F252B221FC4F0DF3890CY4PR09MB1464namp_--


From nobody Fri Aug 11 07:23:02 2017
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
In-Reply-To: <CY4PR09MB14646706A7F252B221FC4F0DF3890@CY4PR09MB1464.namprd09.prod.outlook.com>
References: <CY4PR09MB14646706A7F252B221FC4F0DF3890@CY4PR09MB1464.namprd09.prod.outlook.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Fri, 11 Aug 2017 10:22:55 -0400
Message-ID: <CADZyTkm9-7AQHskQQ8UDoO3NkNnn62XL2K5g7xti+_ccwbrB+w@mail.gmail.com>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1a1ca2a54f5905567b0c8b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/22JD9MR2bS7inxTzF9Bbrvh1k6Y>
Subject: Re: [IPsec] Preference of ESP over AH in RFC7321bis question.

--94eb2c1a1ca2a54f5905567b0c8b
Content-Type: text/plain; charset="UTF-8"

Hi Dang,

My understanding is that the usage of AH vs ESP is outside the scope of
recommendations mandatory to implement cryptography. It is mostly a usage
concern. In my view AH and ESP are both mandatory to be implemented and
RFC7321bis limits its scope to the crypto recommendations.


Do you refer to the following text in section 3:

"""

 The IPsec community
   generally prefers ESP with NULL encryption over AH.
"""

Yours,

Daniel


On Fri, Aug 11, 2017 at 10:12 AM, Dang, Quynh (Fed) <quynh.dang@nist.gov>
wrote:

> Hi all,
>
>
> In RFC 7321, we basically said that ESP is preferred over AH. However,
> that recommendation is not in the current RFC7321bis.
>
>
> Was that an accidental mistake or because people using AH wanted to remove
> that recommendation ?
>
>
> Thank you,
>
> Quynh.
>

--94eb2c1a1ca2a54f5905567b0c8b--


From nobody Fri Aug 11 07:59:48 2017
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Daniel Migault <daniel.migault@ericsson.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Fri, 11 Aug 2017 14:59:42 +0000
Message-ID: <CY4PR09MB14647A0CD22E48357C21374CF3890@CY4PR09MB1464.namprd09.prod.outlook.com>
References: <CY4PR09MB14646706A7F252B221FC4F0DF3890@CY4PR09MB1464.namprd09.prod.outlook.com>, <CADZyTkm9-7AQHskQQ8UDoO3NkNnn62XL2K5g7xti+_ccwbrB+w@mail.gmail.com>
In-Reply-To: <CADZyTkm9-7AQHskQQ8UDoO3NkNnn62XL2K5g7xti+_ccwbrB+w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_CY4PR09MB14647A0CD22E48357C21374CF3890CY4PR09MB1464namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2017 14:59:42.9198 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR09MB1461
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Mv8yr9PmvDKOwierl2kEeV-uwLc>
Subject: Re: [IPsec] Preference of ESP over AH in RFC7321bis question.
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 14:59:47 -0000

--_000_CY4PR09MB14647A0CD22E48357C21374CF3890CY4PR09MB1464namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Thank you.


Quynh.

________________________________
From: mglt.ietf@gmail.com <mglt.ietf@gmail.com> on behalf of Daniel Migault <daniel.migault@ericsson.com>
Sent: Friday, August 11, 2017 10:22:55 AM
To: Dang, Quynh (Fed)
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Preference of ESP over AH in RFC7321bis question.

Hi Dang,

My understanding is that the usage of AH vs ESP is outside the scope of recommendations mandatory to implement cryptography. It is mostly a usage concern. In my view AH and ESP are both mandatory to be implemented and RFC7321bis limits its scope to the crypto recommendations.


Do you refer to the following text in section 3:

"""

 The IPsec community
   generally prefers ESP with NULL encryption over AH.
"""


Yours,

Daniel

On Fri, Aug 11, 2017 at 10:12 AM, Dang, Quynh (Fed) <quynh.dang@nist.gov> wrote:

Hi all,


In RFC 7321, we basically said that ESP is preferred over AH. However, that recommendation is not in the current RFC7321bis.


Was that an accidental mistake or because people using AH wanted to remove that recommendation?


Thank you,

Quynh.

_______________________________________________
IPsec mailing list
IPsec@ietf.org<mailto:IPsec@ietf.org>
https://www.ietf.org/mailman/listinfo/ipsec



--_000_CY4PR09MB14647A0CD22E48357C21374CF3890CY4PR09MB1464namp_--


From nobody Fri Aug 11 08:06:11 2017
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E09F8132680 for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 08:06:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MUh33XDpFGNm for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 08:06:08 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0632B132670 for <ipsec@ietf.org>; Fri, 11 Aug 2017 08:06:08 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xTSxl1RNYz3DG; Fri, 11 Aug 2017 17:06:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1502463963; bh=9lwwpiGh/QlzQxtTuIJ1ShCXujdFqdBpxFdheAq8WbQ=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=stpGo7kuoSm+s+oAts9iYO0qsNPL66ckaDpbd+ArkEUA72UysV6jirbM3+oGhLLMD SxB0qLMrohu2ECY8bYIAuqHH63Zp7IRUH4/88Vz/LJSNB3XLDBdILVTBQXLNfqBkOC iZB8+HHfupKQg0AOs2r9lWujuLWlQ9TivAkfgxmE=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id cD1zBq6S5nCD; Fri, 11 Aug 2017 17:06:00 +0200 (CEST)
Received: from bofh.nohats.ca (vpn.nohats.ca [193.110.157.148]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 11 Aug 2017 17:06:00 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 3B4742E75B7; Fri, 11 Aug 2017 11:05:59 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 3B4742E75B7
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 359F641092A2; Fri, 11 Aug 2017 11:05:59 -0400 (EDT)
Date: Fri, 11 Aug 2017 11:05:59 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
cc: "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <CY4PR09MB14646706A7F252B221FC4F0DF3890@CY4PR09MB1464.namprd09.prod.outlook.com>
Message-ID: <alpine.LRH.2.21.1708111104480.14016@bofh.nohats.ca>
References: <CY4PR09MB14646706A7F252B221FC4F0DF3890@CY4PR09MB1464.namprd09.prod.outlook.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/V9i9-FO61JCgKIWHrbv1IR6aQKI>
Subject: Re: [IPsec] Preference of ESP over AH in RFC7321bis question.
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 15:06:10 -0000

On Fri, 11 Aug 2017, Dang, Quynh (Fed) wrote:

> In RFC 7321, we basically said that ESP is preferred over AH. However, that recommendation is not in the current RFC7321bis.
> 
> Was that an accidental mistake or because people using AH wanted to remove that recommendation?

Daniel already responded, but let me add that I'd be happy if the WG
decides to write a draft-ipsecme-ah-ipcomp-diediedie :)

Paul


From nobody Fri Aug 11 08:23:05 2017
Return-Path: <quynh.dang@nist.gov>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD014120727 for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 08:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FQA4B-vnLUhp for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 08:23:02 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0102.outbound.protection.outlook.com [23.103.200.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2EE61241F5 for <ipsec@ietf.org>; Fri, 11 Aug 2017 08:23:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=evrBR8uGebvWZYPAPBAVW2r747kJzg+UkWSbpqz/rl0=; b=ZltFYBNX83QilNu0+wat8svLWoRAcAIFVs2MT50/C5zHo3yqQ6lthfMCvFtbR0QWYps1r9aTNWQYPAlncEfXWU41qdLOg8FvYXqaQy2ZrY8LV8cJbv1/SHiIUwiAWiXUpUNgBBF4ipRLeLjucE3PX8Uk7e/j5kflQxeCsQ+R5ug=
Received: from CY4PR09MB1464.namprd09.prod.outlook.com (10.173.191.22) by CY4PR09MB1464.namprd09.prod.outlook.com (10.173.191.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1320.16; Fri, 11 Aug 2017 15:23:00 +0000
Received: from CY4PR09MB1464.namprd09.prod.outlook.com ([10.173.191.22]) by CY4PR09MB1464.namprd09.prod.outlook.com ([10.173.191.22]) with mapi id 15.01.1320.019; Fri, 11 Aug 2017 15:23:00 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "paul@nohats.ca" <paul@nohats.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Preference of ESP over AH in RFC7321bis question.
Thread-Index: AQHTEqtCyJ5Rmbm57UKRXvrgSLfQJqJ/QVeAgAAEppc=
Date: Fri, 11 Aug 2017 15:23:00 +0000
Message-ID: <CY4PR09MB14646185D49D6196E72E890CF3890@CY4PR09MB1464.namprd09.prod.outlook.com>
References: <CY4PR09MB14646706A7F252B221FC4F0DF3890@CY4PR09MB1464.namprd09.prod.outlook.com>, <alpine.LRH.2.21.1708111104480.14016@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708111104480.14016@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-originating-ip: [129.6.105.150]
x-ms-publictraffictype: Email
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ld-processed: 2ab5d82f-d8fa-4797-a93e-054655c61dec,ExtAddr
x-ms-office365-filtering-correlation-id: 409e4ea7-e23e-4c2a-cb98-08d4e0ccda5f
x-ms-office365-filtering-ht: Tenant
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR09MB14646185D49D6196E72E890CF3890CY4PR09MB1464namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2017 15:23:00.5952 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR09MB1464
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/a25BjznI0KrK0D8qD6xdnjIWEx4>
Subject: Re: [IPsec] Preference of ESP over AH in RFC7321bis question.
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 15:23:04 -0000

--_000_CY4PR09MB14646185D49D6196E72E890CF3890CY4PR09MB1464namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I think that would be a very useful document.


Quynh.

________________________________
From: Paul Wouters <paul@nohats.ca>
Sent: Friday, August 11, 2017 11:05:59 AM
To: Dang, Quynh (Fed)
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Preference of ESP over AH in RFC7321bis question.

On Fri, 11 Aug 2017, Dang, Quynh (Fed) wrote:

> In RFC 7321, we basically said that ESP is preferred over AH. However, that recommendation is not in the current RFC7321bis.
>
> Was that an accidental mistake or because people using AH wanted to remove that recommendation?

Daniel already responded, but let me add that I'd be happy if the WG
decides to write a draft-ipsecme-ah-ipcomp-diediedie :)

Paul

--_000_CY4PR09MB14646185D49D6196E72E890CF3890CY4PR09MB1464namp_--


From nobody Fri Aug 11 11:39:30 2017
Return-Path: <dschinazi@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE2BC132643 for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 11:39:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level: 
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ZTyQ9Oa_Bfk for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
Received: from mail-in6.apple.com (mail-out6.apple.com [17.151.62.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9C11132642 for <ipsec@ietf.org>; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1502476767; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=jPNS29/BlG8o01Ozjk/oRjHRkog1E/TZhwqNIF45ZZA=; b=299iM8HDTjKhIHR/iA75ZHTq95j25jM7/wdTOB8smP05QhYcZG9IQ8Pakr4FjGkB u2xuRKWXZKPdTWgFKGo69hbsAuKyu1Z5u7AKe9j5DSN+Oiz1sME+eOr9j4bBDhDd mx23NDWlT+LBdR44/mD3GHlDogPwlwteix/Uzd+RdQpYzy2LWo+XejqJwVcieRBn Gl89jyZB41RQUbs7ejGLykH5kP9t8AfZUW48bKyU1ID/ivj0c85qFb+DKeXQEQHd zJZBO97XF3mwValQi8hu2iGTwvg97isOSD11Wjn5auG0r+1afB7jt1mqoCuika/7 3jACAOKp2aoF0tv+SavV5A==;
Received: from relay4.apple.com (relay4.apple.com [17.128.113.87]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in6.apple.com (Apple Secure Mail Relay) with SMTP id A1.DB.06961.FD9FD895; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
X-AuditID: 11973e15-9dace9c000001b31-77-598df9df3935
Received: from koseret.apple.com (koseret.apple.com [17.151.62.39]) by relay4.apple.com (Apple SCV relay) with SMTP id A5.68.06992.FD9FD895; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from da0602a-dhcp130.apple.com (da0602a-dhcp130.apple.com [17.226.23.130]) by koseret.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170621 64bit (built Jun 21 2017)) with ESMTPSA id <0OUJ0051ZAHRN040@koseret.apple.com> for ipsec@ietf.org; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
Message-id: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com>
Date: Fri, 11 Aug 2017 11:39:26 -0700
To: IPsecME WG <ipsec@ietf.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/iH8JSJ3dcxxFpQ4AMD9czO12na8>
Subject: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 18:39:29 -0000

Hi everyone,

I'd like to start off by saying that I have read draft-fluhrer-qr-ikev2-04 and I really like it, particularly the fact that it is a minor change, does not add RTTs and keeps existing properties.

I have however come across two privacy attack vectors that IKEv2 is vulnerable to, with and without postquantum, that I think the postquantum draft could also help mitigate.

1) Active man-in-the-middle attack against the initiator
An attacker that can intercept and spoof packets can complete the SA_INIT part of the exchange with both sides and get the initiator to disclose its IDi (and PPK_id). This allows an attacker to fingerprint devices and/or users.

2) Passive off-path attack against a "hidden" responder
Today an IKEv2 server cannot hide the fact that it exists - the initiator's SA_INIT is not authenticated so the responder must respond to it even if it is forged, leaking the fact that it is running an IKEv2 server. Hypothetically speaking, if one were to run IKEv2 over TLS and share port 443 with a web server to obfuscate the fact that it is using IKEv2, an attacker could open a TLS connection and send an SA_INIT to divulge the fact that this HTTPS server also supports IKEv2.

Straw man Proposal:

We slightly change the PPK_SUPPORT status notification payload to include notification data, and that data would contain a MAC of the SA_INIT using the PPK. Note that this would not contain the PPK_ID, just the MAC. The MAC would be defined as
PPK_MAC = prf( prf(PPK, "PPK MAC for IKEv2"), <SAInitOctets>)
where SAInitOctets is the entire SA_INIT, starting with the first octet of the first SPI in the header and ending with the last octet of the last payload, with PPK_MAC set to all zeroes (this is inspired by the IP header checksum) and where prf is the PRF of the first proposal in the SA_INIT.
Both peers MUST send this PPK_MAC on all SA_INIT that contain PPK_SUPPORT.

Upon receiving an SA_INIT, each endpoint has two options:
- if it knows only of a small number of PPKs, it tries all of them and if none of them match it silently drops the SA_INIT.
- if it has too many PPKs or if it is worried about DoS attacks, it MAY choose to ignore PPK_MAC entirely (and continue the IKEv2 exchange with PPK in the IKE_AUTH exchange)

If the responder does not support the PRF from the first initiator's proposal, it can either
- ignore PPK_MACi entirely and continue the IKEv2 exchange with PPK in the IKE_AUTH exchange
- silently drop the SA_INIT if it was configured to only use a set of PRFs when provisioned with the PPK. The initiator can retry with a different PRF.

I believe this proposal does not reduce the security properties of the current draft, it also does not leak any information to any party that does not possess PPK, and it mitigates the attack vectors discussed above.

What are your thoughts?

Thanks,
David Schinazi
Apple
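
The straw-man PPK_MAC computation and the "try every known PPK, else silently drop" responder check from the message above, as an added example that is not part of the original post or of the draft. It assumes HMAC-SHA-256 as the prf, a placeholder notify type number for PPK_SUPPORT, and a constructed, cut-down SA_INIT that holds only a Nonce and the Notify payload; all function names and key values are hypothetical.

```python
import hashlib
import hmac
import struct

NONCE, NOTIFY = 40, 41        # IKEv2 payload type numbers (RFC 7296)
IKE_SA_INIT = 34              # IKEv2 exchange type
PPK_SUPPORT = 40960           # PLACEHOLDER from the private-use status range
MAC_LABEL = b"PPK MAC for IKEv2"
MAC_LEN = 32                  # output size of the assumed prf (HMAC-SHA-256)


def prf(key: bytes, data: bytes) -> bytes:
    """Assumed prf; the post says to use the PRF of the first proposal."""
    return hmac.new(key, data, hashlib.sha256).digest()


def payload(next_type: int, body: bytes) -> bytes:
    """Generic payload header: next payload, flags, length, then the body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_sa_init(spi_i: bytes, nonce: bytes, mac: bytes = bytes(MAC_LEN)) -> bytes:
    """Constructed SA_INIT: header + Nonce + Notify(PPK_SUPPORT, data=mac)."""
    notify = struct.pack("!BBH", 0, 0, PPK_SUPPORT) + mac
    body = payload(NOTIFY, nonce) + payload(0, notify)
    header = spi_i + bytes(8) + struct.pack(
        "!BBBBII", NONCE, 0x20, IKE_SA_INIT, 0x08, 0, 28 + len(body))
    return header + body


def find_mac_span(msg: bytes):
    """Walk the payload chain; return (start, end) of the PPK_MAC or None."""
    if len(msg) < 28 or struct.unpack_from("!I", msg, 24)[0] != len(msg):
        return None
    next_type, off = msg[16], 28
    while next_type != 0:
        if off + 4 > len(msg):
            return None
        following, _flags, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            return None
        if next_type == NOTIFY and plen >= 8:
            _proto, spi_size, ntype = struct.unpack_from("!BBH", msg, off + 4)
            data_start = off + 8 + spi_size
            if ntype == PPK_SUPPORT and off + plen - data_start == MAC_LEN:
                return data_start, off + plen
        off, next_type = off + plen, following
    return None


def ppk_mac(ppk: bytes, msg: bytes) -> bytes:
    """PPK_MAC = prf(prf(PPK, label), SA_INIT with the MAC field zeroed)."""
    span = find_mac_span(msg)
    if span is None:
        raise ValueError("no PPK_SUPPORT notify carrying a MAC")
    zeroed = msg[:span[0]] + bytes(MAC_LEN) + msg[span[1]:]
    return prf(prf(ppk, MAC_LABEL), zeroed)


def seal(ppk: bytes, msg: bytes) -> bytes:
    """Sender side: fill the zeroed MAC field in place."""
    mac = ppk_mac(ppk, msg)
    start, end = find_mac_span(msg)
    return msg[:start] + mac + msg[end:]


def match_ppk(msg: bytes, known_ppks: dict):
    """Receiver side: name of the PPK that verifies, or None (silent drop).

    Treating a missing PPK_MAC like a mismatch is an assumption made here
    for a responder that wants to stay hidden.
    """
    span = find_mac_span(msg)
    if span is None:
        return None
    received, matched = msg[span[0]:span[1]], None
    for name, ppk in known_ppks.items():   # no early exit: uniform work per key
        if hmac.compare_digest(ppk_mac(ppk, msg), received):
            matched = name
    return matched


# Constructed sample values, for illustration only.
PPKS = {"site-a": b"constructed-ppk-A" * 2, "site-b": b"constructed-ppk-B" * 2}
SPI_I = bytes.fromhex("0102030405060708")
NONCE_I = bytes(range(32))


def demo():
    genuine = seal(PPKS["site-b"], build_sa_init(SPI_I, NONCE_I))
    probe = build_sa_init(SPI_I, NONCE_I, mac=b"\xaa" * MAC_LEN)  # sender holds no PPK
    tampered = bytearray(genuine)
    tampered[40] ^= 0x01                                  # one nonce bit changed in transit
    return (match_ppk(genuine, PPKS), match_ppk(probe, PPKS),
            match_ppk(bytes(tampered), PPKS))


if __name__ == "__main__":
    print(demo())
```

Because the MAC covers the whole SA_INIT, a changed nonce fails the check just as a sender without any PPK does, and in both cases the receiver has nothing to answer.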


From nobody Fri Aug 11 18:23:39 2017
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99729132344 for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 18:23:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EoT1sdiKpMdm for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 18:23:34 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F428132051 for <ipsec@ietf.org>; Fri, 11 Aug 2017 18:23:28 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xTkf45dw7zDL; Sat, 12 Aug 2017 03:23:24 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1502501004; bh=PNjxALQ0/Y2XmxNhPntzpGtrmkLR7e6C5uaM0nmrMCk=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=S808EFWK2dZuJSc0X7yr02trpXE7PsCijHC2HDJk16K1DoWYiw3HtB3G9TBClQLcW yixjltjb8HDdq+RVh8SzzuF4NZEmNmoub67d+Pwf16lYnDGxvTpsDenUxZ4K8qG3Yw gB1sd6CIYQDCbhKhjekuKdQcvsE7DOD0fqd5aksk=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id CzPlpNVyPrXK; Sat, 12 Aug 2017 03:23:21 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sat, 12 Aug 2017 03:23:21 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id E75592E75B6; Fri, 11 Aug 2017 21:23:19 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca E75592E75B6
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id CDAE74095D6C; Fri, 11 Aug 2017 21:23:19 -0400 (EDT)
Date: Fri, 11 Aug 2017 21:23:19 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: David Schinazi <dschinazi@apple.com>
cc: IPsecME WG <ipsec@ietf.org>
In-Reply-To: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com>
Message-ID: <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca>
References: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/4MTNrG-P2cqafslXiMykF6U7KkM>
Subject: Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Aug 2017 01:23:37 -0000

On Fri, 11 Aug 2017, David Schinazi wrote:

> 1) Active man-in-the-middle attack against the initiator
> An attacker that can intercept and spoof packets can complete the SA_INIT part of the exchange with both sides and get the initiator to disclose its IDi (and PPK_id). This allows an attacker to fingerprint devices and/or users.

One of the two will have to show ID before the other can make a decision
(before revealing itself) if it sees an attacker or a valid endpoint.
There have been suggestions in the past (eg BTNS with channel binding)
but no one thought it was worth the extra round trips. In theory you
could still do this using NULL-AUTH on the client, which authenticates
the server without losing any privacy and then running a second
authentication to 'upgrade' the client.

> 2) Passive off-path attack against a "hidden" responder
> Today an IKEv2 server cannot hide the fact that it exists - the initiator's SA_INIT is not authenticated so the responder must respond to it even if it is forged, leaking the fact that it is running an IKEv2 server. Hypothetically speaking, if one were to run IKEv2 over TLS and share port 443 with a web server to obfuscate the fact that it is using IKEv2, an attacker could open a TLS connection and send an SA_INIT to divulge the fact that this HTTPS server also supports IKEv2.

Maybe we should run DH on all webservers for IKE :)

> Straw man Proposal:

[...]

> I believe this proposal does not reduce the security properties of the current draft, it also does not leak any information to any party that does not possess PPK, and it mitigates the attack vectors discussed above.
>
> What are your thoughts?

I think the tor people will tell you that you would still be able to
fingerprint this enough to tell it is IKE over TLS.

I'd also prefer a mechanism not tied to PPKs. Those are supposed to be
a bandaid that wouldn't be used anymore in the future where we have
quantum safe algorithms.

Paul


From nobody Sat Aug 12 16:57:12 2017
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A1CE13243B; Sat, 12 Aug 2017 16:57:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3GiSKtZ_M2q0; Sat, 12 Aug 2017 16:56:54 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F3DC132413; Sat, 12 Aug 2017 16:56:49 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id B4FAEB818C8; Sat, 12 Aug 2017 16:56:32 -0700 (PDT)
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
X-PHP-Originating-Script: 1005:ams_util_lib.php
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, drafts-update-ref@iana.org, ipsec@ietf.org
Message-Id: <20170812235632.B4FAEB818C8@rfc-editor.org>
Date: Sat, 12 Aug 2017 16:56:32 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/T2rt5NILVe7QOOFEvNs43xh72DQ>
Subject: [IPsec] RFC 8229 on TCP Encapsulation of IKE and IPsec Packets
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Aug 2017 23:57:03 -0000

A new Request for Comments is now available in online RFC libraries.

        
        RFC 8229

        Title:      TCP Encapsulation of IKE and 
                    IPsec Packets 
        Author:     T. Pauly, 
                    S. Touati,
                    R. Mantha
        Status:     Standards Track
        Stream:     IETF
        Date:       August 2017 
        Mailbox:    tpauly@apple.com, 
                    samy.touati@ericsson.com, 
                    ramantha@cisco.com
        Pages:      25
        Characters: 56294
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-ipsecme-tcp-encaps-10.txt

        URL:        https://www.rfc-editor.org/info/rfc8229

        DOI:        10.17487/RFC8229

This document describes a method to transport Internet Key Exchange
Protocol (IKE) and IPsec packets over a TCP connection for traversing
network middleboxes that may block IKE negotiation over UDP.  This
method, referred to as "TCP encapsulation", involves sending both IKE
packets for Security Association establishment and Encapsulating
Security Payload (ESP) packets over a TCP connection.  This method is
intended to be used as a fallback option when IKE cannot be
negotiated over UDP.

This document is a product of the IP Security Maintenance and Extensions Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the 
standardization state and status of this protocol.  Distribution of this 
memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC



From nobody Mon Aug 14 06:03:24 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D8A31321D2 for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 06:03:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LevRyep_sEEi for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 06:03:21 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ACAF1321D0 for <ipsec@ietf.org>; Mon, 14 Aug 2017 06:03:20 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v7ED39IN025688 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 14 Aug 2017 16:03:09 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v7ED39jA025891; Mon, 14 Aug 2017 16:03:09 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <22929.40845.325793.136908@fireball.acr.fi>
Date: Mon, 14 Aug 2017 16:03:09 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
Cc: "Graham Bartlett \(grbartle\)" <grbartle@cisco.com>, "ipsec\@ietf.org" <ipsec@ietf.org>
In-Reply-To: <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 18 min
X-Total-Time: 18 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ADxpNysIG1VAxjnD9v75twvx2Cs>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 13:03:23 -0000

Daniel Van Geest writes:
> 1) QS SA Negotiation
> 
> When negotiating a QS SA, it’s not enough to negotiate QS key
> agreement algorithm(s), one also has to ensure that the algorithms
> selected by the other transform types are also QS.

All of these kinds of issues are really policy matters, thus outside
the PROTOCOL work. I.e., we can add security considerations section
text saying, that when using QS key agreement algorithm, other
algorithms need to be considered too. I do not see any reason for
making any hard rules.

> I don’t find the re-use of transform 4 in this proposal, and the
> implicit combination of QS + non-QS algorithms, to be the most
> elegant, though I can understand it in the context of not
> wanting to add a new transform type.

Adding new transform types is a bit painful, mostly because if you want
to allow old implementations to connect, you need to have two
proposals, one with new transform type and another without.

The responder MUST pick exactly one algorithm for each transform type
the initiator sends, and if it does not understand transform type (thus
will not be able to pick any), it MUST ignore the specific proposal.
This means that for backwards compatibility there needs to be two
proposals, or 3/4 if AEAD algorithms are also needed. This will make
IKE_SA_INIT larger.

On the other hand this is ONLY needed if the initiator DOES NOT know
whether other end supports QS or not. Usually initiator can be
configured to assume either way, it is more important to configure the
responder so it will accept either QS or non-QS...

Anyways this is something we need to decide, and there are different
kind of tradeoffs with different proposals.

> The idea is to add the new transform type 6 (Q-S-Group) like CJ’s
> proposal, but don’t include it in the SA payload. Rather, introduce
> a new QS_SA payload which would be identical in structure to the SA
> payload except that it would also include the Q-S-Group transform
> type.

I think creating QS_SA is a bad idea. First of all, I assume there are
implementations which will break when there is unknown payload
included in the exchange. Secondly this will require even more space
than adding 2nd proposal in the SA payload, thus adding new transform
type and two proposals is more efficient encoding. Thirdly there might
be policy mismatch issues, i.e., cases where the SA and QS_SA
algorithms do not match, and that might cause issues also.

And lastly this will break the base IKE_SA_INIT exchange payload
listing, i.e., currently we assume that we send one SA payload and
receive one SA payload back. Implementations quite often do sanity
check very early in the processing to verify that all needed payloads
are included, and this will break it.

> Also note that StrongSwan’s code assumes that IKE_AUTH will always
> have a message ID of 1, but this won’t hold if there are one or more
> PRE_AUTH exchanges.

That also does not hold for cases where EAP is used, where IKE_AUTH is
message IDs 1, 2, ...., n. The text in section 2.2 talking about the
message IDs in IKE_AUTH is descriptive, i.e., it describes normal
behavior, it is not normative, and if any implementation assumes
IKE_AUTH will have message ID 1, it is broken.

> Tero says:
> 
>     Note, that the PRE_AUTH happening between IKE_SA_INIT and IKE_AUTH
>     would be encrypted, and MACed, but it WILL NOT be authenticated, i.e.,
>     we have not yet authenticated the other peer, and we will not include
>     those octets to the AUTH payload calculations, so they will not be
>     authenticated in AUTH phase, like the IKE_SA_INIT contents will be
>     authenticated.
> 
> Couldn’t the IDi and IDr payloads in IKE_AUTH be modified to sign
> the PRE_AUTH message in addition to the IKE_SA_INIT message?

They could be, but that would again change the basic crypto
calculations done by the IKE library, and if we do not need to touch
it, it is better. I.e., if the result of the PRE_AUTH is authenticated
in some other ways (for example because the QS key exchange protocol
run there generates keys, which we use later), then we might not
need to add specific authentication step for them.

I was mostly just stating what the current text describes. I.e., the
RFC7296 text as written in section 2.15 will not authenticate those
messages unless we modify that.
-- 
kivinen@iki.fi


From nobody Mon Aug 14 06:05:35 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF6441321D8 for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 06:05:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AXPy-sHyt1qd for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 06:05:32 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 364211321D2 for <ipsec@ietf.org>; Mon, 14 Aug 2017 06:05:28 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v7ED5MkK025966 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 14 Aug 2017 16:05:22 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v7ED5Lmk022509; Mon, 14 Aug 2017 16:05:21 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22929.40977.702012.485140@fireball.acr.fi>
Date: Mon, 14 Aug 2017 16:05:21 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Daniel Van Geest <Daniel.VanGeest@isara.com>, "ipsec\@ietf.org" <ipsec@ietf.org>, "Graham Bartlett \(grbartle\)" <grbartle@cisco.com>
In-Reply-To: <10412.1502302334@obiwan.sandelman.ca>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com> <10412.1502302334@obiwan.sandelman.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 1 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/NXZfS5O3H8jTmXKXKefyoyyuIBM>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 13:05:34 -0000

Michael Richardson writes:
> I don't think we need to do this.
> I think that unknown transform types will be ignored by compliant
> implementations.

Nope. It will ignore unknown transform IDs for each known transform
type, but it MUST understand each transform type, and if it does not
understand it cannot pick one value for it, thus it must ignore the
whole proposal, and try to use other proposals which might work
better. 
-- 
kivinen@iki.fi
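
The selection rule described in the two messages above, as an added Python sketch (not code from the thread or from any IKEv2 implementation): a responder that does not understand a transform type rejects that proposal and moves on, while an unknown transform ID inside a known type is merely skipped. The type number 6 for "Q-S-Group" follows the thread's proposal; `DH_UNKNOWN_ID`, `QS_EXAMPLE_ID`, the class names and both responder policies are assumptions made for the example.

```python
"""Responder-side IKEv2 proposal selection with an unknown transform type."""
from dataclasses import dataclass

# IANA IKEv2 Transform Type numbers for the types an IKE SA negotiates.
ENCR, PRF, INTEG, DH = 1, 2, 3, 4
# Hypothetical: the thread's proposed "Q-S-Group" transform type 6.
QS_GROUP = 6

# IANA transform IDs used in the sample offer.
ENCR_AES_CBC = 12
PRF_HMAC_SHA2_256 = 5
AUTH_HMAC_SHA2_256_128 = 12
DH_MODP_2048 = 14
DH_ECP_256 = 19
# Constructed values: a DH ID neither responder knows, and a made-up QS ID.
DH_UNKNOWN_ID = 40000
QS_EXAMPLE_ID = 1


@dataclass
class Proposal:
    number: int
    transforms: list  # ordered (transform_type, transform_id) pairs


@dataclass
class ResponderPolicy:
    # transform_type -> acceptable IDs; the keys are the types understood.
    acceptable: dict
    mandatory: frozenset = frozenset({ENCR, PRF, INTEG, DH})


def evaluate(proposal, policy):
    """Return {type: chosen_id} if the proposal is acceptable, else None."""
    chosen, offered = {}, set()
    for t_type, t_id in proposal.transforms:
        if t_type not in policy.acceptable:
            # Unknown transform TYPE: nothing can be picked for it, so the
            # whole proposal is unacceptable.
            return None
        offered.add(t_type)
        # Unknown or disallowed transform ID: skip it, keep looking within
        # the same type. First acceptable ID in the initiator's order wins.
        if t_type not in chosen and t_id in policy.acceptable[t_type]:
            chosen[t_type] = t_id
    if offered - set(chosen):
        return None  # a type was offered but none of its IDs is acceptable
    if not policy.mandatory.issubset(chosen):
        return None  # a type the responder requires was not offered
    return chosen


def select_proposal(proposals, policy):
    """Return (proposal_number, chosen) for the first acceptable proposal."""
    for proposal in proposals:
        chosen = evaluate(proposal, policy)
        if chosen is not None:
            return proposal.number, chosen
    return None  # the responder would answer NO_PROPOSAL_CHOSEN


# Constructed offer: proposal 1 carries the new type, proposal 2 is the
# backwards-compatible copy without it.
CLASSIC = [(ENCR, ENCR_AES_CBC), (PRF, PRF_HMAC_SHA2_256),
           (INTEG, AUTH_HMAC_SHA2_256_128),
           (DH, DH_UNKNOWN_ID), (DH, DH_ECP_256)]
OFFER = [Proposal(1, CLASSIC + [(QS_GROUP, QS_EXAMPLE_ID)]),
         Proposal(2, CLASSIC)]

LEGACY = ResponderPolicy({
    ENCR: {ENCR_AES_CBC}, PRF: {PRF_HMAC_SHA2_256},
    INTEG: {AUTH_HMAC_SHA2_256_128}, DH: {DH_MODP_2048, DH_ECP_256},
})
UPGRADED = ResponderPolicy({**LEGACY.acceptable, QS_GROUP: {QS_EXAMPLE_ID}})

if __name__ == "__main__":
    print("legacy responder  :", select_proposal(OFFER, LEGACY))
    print("upgraded responder:", select_proposal(OFFER, UPGRADED))
    print("QS-only offer to legacy:", select_proposal(OFFER[:1], LEGACY))
```

Running the same offer against a real nonupgraded responder is the interoperability check that matters; the sketch only shows what the rule requires.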


From nobody Mon Aug 14 06:47:18 2017
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65D741321EC for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 06:47:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level: 
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sADY3oGq5osP for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 06:47:15 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 711571320C9 for <ipsec@ietf.org>; Mon, 14 Aug 2017 06:47:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2011; q=dns/txt; s=iport; t=1502718435; x=1503928035; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=3Mu2QVmYRZ9G2PEbvD3sQGkmHS0dNzQhY95NQW/voOU=; b=b3n6aeWZLbNQPmfoJFG//3G9MvKZiYwOQ/jYbpKF9WwmftlPqH/lDR6W c+bIsZYFHZQWuZ57aWtYYiaPzU2vnXupFecLJZbnWhgORHZXVb7wZkBHj PBTz4dEenNhQ9g0Z+uturbcUCk9xQqo3HRNB5p/QfSaAbCJXhqWAETqjo M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.41,373,1498521600"; d="scan'208";a="282411457"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 14 Aug 2017 13:47:14 +0000
Received: from XCH-RTP-007.cisco.com (xch-rtp-007.cisco.com [64.101.220.147]) by alln-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id v7EDlDBF022673 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 14 Aug 2017 13:47:14 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-007.cisco.com (64.101.220.147) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 14 Aug 2017 09:47:13 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1210.000; Mon, 14 Aug 2017 09:47:13 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, Daniel Van Geest <Daniel.VanGeest@isara.com>, "Graham Bartlett (grbartle)" <grbartle@cisco.com>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJ8WOuAgABHkQCAB4XqgP//xTrQ
Date: Mon, 14 Aug 2017 13:47:13 +0000
Message-ID: <6c1b52eb9c734cd2a9fdf6256f30aefd@XCH-RTP-006.cisco.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com> <10412.1502302334@obiwan.sandelman.ca> <22929.40977.702012.485140@fireball.acr.fi>
In-Reply-To: <22929.40977.702012.485140@fireball.acr.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.150.34.195]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/1los71pCPisMY82i2Yd1iaNao4s>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 13:47:17 -0000

> -----Original Message-----
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Tero Kivinen
> Sent: Monday, August 14, 2017 9:05 AM
> To: Michael Richardson
> Cc: ipsec@ietf.org; Daniel Van Geest; Graham Bartlett (grbartle)
> Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
> 
> Michael Richardson writes:
> > I don't think we need to do this.
> > I think that unknown transform types will be ignored by compliant
> > implementations.
> 
> Nope. It will ignore unknown transform IDs for each known transform type,
> but it MUST understand each transform type, and if it does not understand it
> cannot pick one value for it, thus it must ignore the whole proposal, and try
> to use other proposals which might work better.

Actually, where in RFC5996 (or 4301) does it say that it must go on to the next proposal, rather than (say) silently rejecting the entire negotiation?  I searched through the text, and cannot find a MUST (or even a SHOULD) statement...

And, in the 11+ years since IKEv2 has been defined, we haven't added a single transform type.  I would suspect that most implementations have never tested out the scenario where they've seen an unexpected transform type (but which is followed by another proposal which is acceptable).  How certain are we that implementations will process the request as we hope?

After all, a large point of this exercise is backwards compatibility; if a QR IKEv2 initiator tries to talk to a nonupgraded IKEv2 responder, it works as we expect (that is, depends on the initiator's security policy, they either downgrade to a non-QR key exchange, or they abort the exchange as they had no mutually acceptable policy).  Hence, the actual behavior of real nonupgraded responders is important.


> --
> kivinen@iki.fi


From nobody Mon Aug 14 11:52:00 2017
Return-Path: <dschinazi@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F0D91200F3 for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 11:51:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level: 
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k6hm8Hqe5T70 for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
Received: from mail-in5.apple.com (mail-out5.apple.com [17.151.62.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD174132399 for <ipsec@ietf.org>; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1502736711; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=U84akn2yboEfif3Udda0JIDPuuLDqixRYSMJ+aZYnWM=; b=zk8Qhe1LR8KQW7X7Lns9B3qS/wrQKhpGP5umCSymIlPwERsU3Fa7RA8FYerd8xuW IZbd+tsqmZRSY1cfWv7wmSalFB7kPrLBB3q6IDCxiOfmhl2atuA/V7un/iGaS5Lk JpWKIcpULwUaPpJIti7tqzCJBF8q1I1B2SaKhTVj7qo4tGw86KfaQMZrZx/8nng9 +MZZ/f4QVykIFPSGxWZU0HTi/5qeAh49/77IMPbhCnNClIl93IV/zHANvO2hIClx /HyKGw5fwPJtyBFNyP7OsLUh3jomdryMAJyRyQoWYqrVMpIPkXw5YXwXkCTan2UY EEUBHDGHdn40vgwji1zSMA==;
Received: from relay7.apple.com (relay7.apple.com [17.128.113.101]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in5.apple.com (Apple Secure Mail Relay) with SMTP id DD.6F.06802.741F1995; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
X-AuditID: 11973e13-e30ed9c000001a92-26-5991f147eb00
Received: from nwk-phonehomebzp-sz01.apple.com (nwk-phonehomebzp-sz01.apple.com [17.151.62.64]) by relay7.apple.com (Apple SCV relay) with SMTP id 34.18.07283.741F1995; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from [17.234.125.69] (unknown [17.234.125.69]) by nwk-phonehomebzp-sz01.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170621 64bit (built Jun 21 2017)) with ESMTPSA id <0OUO00LQ2V2FJ850@nwk-phonehomebzp-sz01.apple.com>; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
In-reply-to: <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca>
Date: Mon, 14 Aug 2017 11:51:49 -0700
Cc: IPsecME WG <ipsec@ietf.org>
Message-id: <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com>
References: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com> <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mjbgx9QCAhryeIoifr7o-17Dg1M>
Subject: Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 18:51:54 -0000

Thanks Paul, responses inline.

> On Aug 11, 2017, at 18:23, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Fri, 11 Aug 2017, David Schinazi wrote:
> 
>> 1) Active man-in-the-middle attack against the initiator
>> An attacker that can intercept and spoof packets can complete the SA_INIT part of the exchange with both sides and get the initiator to disclose its IDi (and PPK_id). This allows an attacker to fingerprint devices and/or users.
> 
> One of the two will have to show ID before the other can make a decision
> (before revealing itself) if it sees an attacker or a valid endpoint.
> There have been suggestions in the past (eg BTNS with channel binding)
> but no one thought it was worth the extra round trips. In theory you
> could still do this using NULL-AUTH on the client, which authenticates
> the server without losing any privacy and then running a second
> authentication to 'upgrade' the client.

[DS] I think "showing ID" is exactly what we're avoiding here. You can think of this in terms of the Socialist Millionaire Problem - we want to be able to assert identity without anyone disclosing anything first. And the proposed solution is to send a MAC without the identity of the key used to MAC. Peers can then iterate their list of peers to check the MAC against.

>> 2) Passive off-path attack against a "hidden" responder
>> Today an IKEv2 server cannot hide the fact that it exists - the initiator's SA_INIT is not authenticated so the responder must respond to it even if it is forged, leaking the fact that it is running an IKEv2 server. Hypothetically speaking, if one were to run IKEv2 over TLS and share port 443 with a web server to obfuscate the fact that it is using IKEv2, an attacker could open a TLS connection and send an SA_INIT to divulge the fact that this HTTPS server also supports IKEv2.
> 
> Maybe we should run DH on all webservers for IKE :)
> 
>> Straw man Proposal:
> 
> [...]
> 
>> I believe this proposal does not reduce the security properties of the current draft, it also does not leak any information to any party that does not possess PPK, and it mitigates the attack vectors discussed above.
>> 
>> What are your thoughts?
> 
> I think the tor people will tell you that you would still be able to
> fingerprint this enough to tell it is IKE over TLS.

[DS] Some security is still better than less security, you can imagine timing attacks and such but this is better than what we have today.

> I'd also prefer a mechanism not tied to PPKs. Those are supposed to be
> a bandaid that wouldn't be used anymore in the future where we have
> quantum safe algorithms.

[DS] I was initially going to make this a separate proposal that only involved a pre shared key and SA_INIT MAC, but it was pointed out to me that once you have that might as well include the benefits of PPK. If you know of a way to solve the described privacy attack vectors without a pre shared key and without adding round trips, I'm interested - I couldn't come up with one myself.

David
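
Added example, not part of the original message or of any draft: a responder that receives an SA_INIT carrying a MAC but no key identifier, tries every configured peer key, and stays silent when none matches. HMAC-SHA256, the MAC carried as the trailing 32 bytes, and all function, peer and key names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

MAC_LEN = 32  # HMAC-SHA256 output size (assumed algorithm, not from the thread)


def sa_init_mac(psk: bytes, body: bytes) -> bytes:
    """MAC over the SA_INIT body; no key identifier is included anywhere."""
    return hmac.new(psk, body, hashlib.sha256).digest()


def build_sa_init(psk: bytes, body: bytes) -> bytes:
    """Initiator side: append the MAC (assumed layout: body || MAC)."""
    return body + sa_init_mac(psk, body)


def identify_peer(peers: Dict[str, bytes], message: bytes) -> Optional[str]:
    """Responder side: find which configured peer key produced the MAC.

    Every key is tried and every comparison is constant-time, so the work
    done does not depend on which peer (if any) matched. This addresses the
    timing concern raised in the thread only at this level; it is not a
    complete side-channel defence.
    """
    if len(message) < MAC_LEN:
        return None
    body, tag = message[:-MAC_LEN], message[-MAC_LEN:]
    matched = None
    for name, psk in peers.items():
        ok = hmac.compare_digest(sa_init_mac(psk, body), tag)
        if ok and matched is None:
            matched = name  # keep looping: no early exit on success
    return matched


def respond(peers: Dict[str, bytes], message: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (peer, reply) for a known peer, or None to send nothing at all.

    Returning None models the "hidden" responder: an SA_INIT that no
    configured key authenticates gets no answer, so the probe learns nothing.
    """
    peer = identify_peer(peers, message)
    if peer is None:
        return None
    reply_body = b"constructed SA_INIT response " + os.urandom(16)
    return peer, reply_body + sa_init_mac(peers[peer], reply_body)


if __name__ == "__main__":
    # Constructed sample keys and message body, for demonstration only.
    peers = {"laptop": os.urandom(32), "phone": os.urandom(32)}
    body = b"constructed SA_INIT body " + os.urandom(16)

    known = build_sa_init(peers["phone"], body)
    unknown = build_sa_init(os.urandom(32), body)

    print("known peer   ->", identify_peer(peers, known))
    print("unknown peer ->", respond(peers, unknown))
```

The cost is one MAC computation per configured peer for every SA_INIT received, which is why the approach fits a small, static peer list.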


From nobody Mon Aug 14 14:25:20 2017
Return-Path: <session-request@ietf.org>
X-Original-To: ipsec@ietf.org
Delivered-To: ipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id F3A6B132422; Mon, 14 Aug 2017 14:25:17 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: IETF Meeting Session Request Tool <session-request@ietf.org>
To: <session-request@ietf.org>
Cc: ipsec@ietf.org, ipsecme-chairs@ietf.org, ekr@rtfm.com, david.waltermire@nist.gov
X-Test-IDTracker: no
X-IETF-IDTracker: 6.58.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150274591790.10413.2264345722523694499.idtracker@ietfa.amsl.com>
Date: Mon, 14 Aug 2017 14:25:17 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/T_br0gZQnIFYLmOtPDbcQSqlhQg>
Subject: [IPsec] ipsecme - New Meeting Session Request for IETF 100
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 21:25:18 -0000

A new meeting session request has just been submitted by David Waltermire, a Chair of the ipsecme working group.


---------------------------------------------------------
Working Group Name: IP Security Maintenance and Extensions
Area Name: Security Area
Session Requester: David Waltermire

Number of Sessions: 1
Length of Session(s):  1.5 Hours
Number of Attendees: 50
Conflicts to Avoid: 
 First Priority: sacm mile tcpinc curdle tls saag cfrg i2nsf fud
 Second Priority: 6tisch lwig ace
 Third Priority: uta 6lo tcpm netmod


People who must be present:
  Eric Rescorla
  Tero Kivinen
  David Waltermire

Resources Requested:

Special Requests:
  
---------------------------------------------------------


From nobody Wed Aug 16 09:34:43 2017
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D2621321B6 for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 09:34:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AKxhQVxlXAy0 for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 09:34:38 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5463E12EC06 for <ipsec@ietf.org>; Wed, 16 Aug 2017 09:34:38 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xXZgZ2sFgz5RC; Wed, 16 Aug 2017 18:34:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1502901274; bh=WpTgFjrSSP2AlmU9FRvJ5xsNFv3g8td4Shavt38xnN8=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=P//a3SXI3GeavKmeq8+orwA8raPZmJSeVvRWm4NksEHB7T6n4V25YzwOkth/lmT81 D4TP5KmMCKhIL1e4vHUpqZbTJCgzk1Xra7fBqhiryUJOXCt7EYvW5Vj5hWhQK3Bnq9 l0LdyKAYTvR1i6bRrtJNTcSxAz+3NVp0BcbvMhNw=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id wmvVUfpCFjhy; Wed, 16 Aug 2017 18:34:33 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 16 Aug 2017 18:34:32 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 125B52E75B2; Wed, 16 Aug 2017 12:34:31 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 125B52E75B2
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id F259140D3592; Wed, 16 Aug 2017 12:34:31 -0400 (EDT)
Date: Wed, 16 Aug 2017 12:34:31 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: David Schinazi <dschinazi@apple.com>
cc: IPsecME WG <ipsec@ietf.org>
In-Reply-To: <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com>
Message-ID: <alpine.LRH.2.21.1708161226340.14400@bofh.nohats.ca>
References: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com> <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca> <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nimkdaTO6B4kMP4rBiM8O2WcdMU>
Subject: Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 16:34:41 -0000

On Mon, 14 Aug 2017, David Schinazi wrote:

> [DS] I think "showing ID" is exactly what we're avoiding here. You can think of this in terms of the Socialist Millionaire Problem - we want to be able to assert identity without anyone disclosing anything first. And the proposed solution is to send a MAC without the identity of the key used to MAC. Peers can then iterate their list of peers to check the MAC against.

But when you are using X.509 based clients, you will have never seen the
cert/ID until you receive it via IKE ? So your use case is limited to
very static type deployments (which suffer less from this issue as they
tend to not move around)

> [DS] Some security is still better than less security, you can imagine timing attacks and such but this is better than what we have today.

But I think we would need something a little better to make it part of
an RFC standard.

> [DS] I was initially going to make this a separate proposal that only involved a pre shared key and SA_INIT MAC, but it was pointed out to me that once you have that might as well include the benefits of PPK. If you know of a way to solve the described privacy attack vectors without a pre shared key and without adding round trips, I'm interested - I couldn't come up with one myself.

A PreSharedKey based solution is also very limiting, and people should
be migrating away from PSK in favour of RSA/ECC based solutions :P

I understand your use case (prevent blocking of hidden IKE over TCP/TLS
servers) but it might not be a use case the IETF can solve. From an
IETF perspective, the way to solve this would be to IPsec everything,
so that blocking based on ESP visibility becomes impossible. Which
is why I'd like to see more Opportunistic IPsec.

But if we can fit in your goal, that would be great. And I think if
that takes another roundtrip people can make that decision. But I
think nation state actors are already active attackers, so I see
not too much value in a passive attackers only solution, which
IKE over TCP/TLS already is.

Paul


From nobody Wed Aug 16 09:50:24 2017
Return-Path: <christopherwood07@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDCD9132692 for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 09:50:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level: 
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g6B4VkTNoJUH for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 09:50:21 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27424132339 for <ipsec@ietf.org>; Wed, 16 Aug 2017 09:50:21 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id f11so41901833oic.0 for <ipsec@ietf.org>; Wed, 16 Aug 2017 09:50:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=W+DnZGqHD1KFVNNAl+ESlsuFCUJRrlaBdx3ryEdnPhM=; b=tMs6j8U92d0L3eV0NpYa7VP0Pg6gVSLpNgQU4M/Hf5yOx4rxAkidYuPioYtoJjw2hh W8a0KsT1ciHWv5hcmdyK1BcUwLDnQqww4EnBO47w4C/yW50aPfq9Qh9eqUIbX0oxW3Ph wSQODnVmQjKE51MB0fii+qKry8v+YdCEhbegLIagKRE/4BcP/l4kexH9OxxGLnAM5fRl m3nYHZYtQP8GuMdAkkfRPR6Fnck0riki+tMWntm/z+xvVvriy3l+rTGdY1uKPb7AOSqq QvmcT1e2JGWXUOshMgeDOiiEOSOrd1vrPeYFF8BwqGgdJzaiksHwk8P6patgltOUf+Vd Mw+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=W+DnZGqHD1KFVNNAl+ESlsuFCUJRrlaBdx3ryEdnPhM=; b=RUflAXBs9feqLhm9aVVn99RK0cdEjcoxb/glLZqPkd5129trlMkZGMidLp4mQUwAtk CdqM7f4cEace9amF5kz80NOSOVGk5sy6/cCqiHEO5d9r/F1lrAEvcNn14mkn9V2TkOkV V4hcZ1NVbGTDXW2RagiawEcqz06Nb6dcFyUfvMkCo7mWiEILuaF1FpxghUVgfsyZlLYY 9ooOMqGRca50LVqCHBjp7ndRMt+I+u9bE5V9V1DPCDO8RG+mX8J96wFnBaAEN7olJKeC k07T10Q1ARSwQ6w/2va1jpcEMQdq7n5xThIL07lnu3GF9mDwZvtpqzaUs0bbhv4XdfgN wetA==
X-Gm-Message-State: AHYfb5iRfZiingJPiJz7m9WSiVpV/dP1vqNUwDM3nGbtTRB712C0pSeX 3d8nE2OvX2xlF8kfS1OO8NVheHH4qA==
X-Received: by 10.202.87.2 with SMTP id l2mr2672669oib.277.1502902219072; Wed, 16 Aug 2017 09:50:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.91.73 with HTTP; Wed, 16 Aug 2017 09:50:18 -0700 (PDT)
In-Reply-To: <alpine.LRH.2.21.1708161226340.14400@bofh.nohats.ca>
References: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com> <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca> <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com> <alpine.LRH.2.21.1708161226340.14400@bofh.nohats.ca>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Wed, 16 Aug 2017 09:50:18 -0700
Message-ID: <CAO8oSXmg2eok5FRatPfP_4-BgS4Uo9e14TT_Qo1QDCT6jTEx5g@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: David Schinazi <dschinazi@apple.com>, IPsecME WG <ipsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/hls2DBPW4wy1-T7THUVGPwXu4nU>
Subject: Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 16:50:23 -0000

On Wed, Aug 16, 2017 at 9:34 AM, Paul Wouters <paul@nohats.ca> wrote:
> On Mon, 14 Aug 2017, David Schinazi wrote:
>
>> [DS] I think "showing ID" is exactly what we're avoiding here. You can
>> think of this in terms of the Socialist Millionaire Problem - we want to be
>> able to assert identity without anyone disclosing anything first. And the
>> proposed solution is to send a MAC without the identity of the key used to
>> MAC. Peers can then iterate their list of peers to check the MAC against.
>
>
> But when you are using X.509 based clients, you will have never seen the
> cert/ID until you receive it via IKE ? So your use case is limited to
> very static type deployments (which suffer less from this issue as they
> tend to not move around)
>
>> [DS] Some security is still better than less security, you can imagine
>> timing attacks and such but this is better than what we have today.
>
>
> But I think we would need something a little better to make it part of
> an RFC standard.
>
>> [DS] I was initially going to make this a separate proposal that only
>> involved a pre shared key and SA_INIT MAC, but it was pointed out to me that
>> once you have that might as well include the benefits of PPK. If you know of
>> a way to solve the described privacy attack vectors without a pre shared key
>> and without adding round trips, I'm interested - I couldn't come up with one
>> myself.
>
>
> A PreSharedKey based solution is also very limiting, and people should
> be migrating away from PSK in favour of RSA/ECC based solutions :P

David's original email suggested that this technique was enabled by
(and perhaps constrained to) draft-fluhrer-qr-ikev2, which assumes the
existence of a long-term PPK.

Best,
Chris


From nobody Wed Aug 16 13:40:49 2017
Return-Path: <dschinazi@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2D8513233D for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 13:40:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level: 
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EAPLvBERxBGh for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 13:40:46 -0700 (PDT)
Received: from mail-in24.apple.com (mail-out24.apple.com [17.171.2.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E33031326DB for <ipsec@ietf.org>; Wed, 16 Aug 2017 13:40:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1502916045; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=T6jxOalsyRtTz2yS7EuWBmcTmKwcam1DZa9gI4wJyek=; b=K7gn4BEC2P6GCUdU0VWCq4PSf3ZedOEEby/7frecPorv9edt+/r+sRB1drGsBHog tjk5N/zXETQYXRYfm+lJvNr74FDjxLi2N836tD4GNCQoyUDUHUXrrnxdVTdQ1OOt 37OfvTMnZ6nM+t+opDBbjDg7BtyTPRPlkV+j2pZR7WYwbHOOedbHnIUSnAD+wkp3 tV9Fe9cQiUKB9myjl0lgqs1oy0+niTSxTUWf9kOofmrRy2N2FBPiNMWdOYOfPFsO 0FZeMBvO8PXcgWNj/iHSWROUrF/c32ceUJEjeM4LPgA5RGYHLHecNp9tuMjlzQTh 8wvSLMXWi2KO6KQMNXPeXw==;
Received: from relay6.apple.com (relay6.apple.com [17.128.113.90]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in24.apple.com (Apple Secure Mail Relay) with SMTP id 3F.A7.25405.CCDA4995; Wed, 16 Aug 2017 13:40:45 -0700 (PDT)
X-AuditID: 11ab0218-751d39c00000633d-53-5994adcce2fb
Received: from koseret.apple.com (koseret.apple.com [17.151.62.39]) by relay6.apple.com (Apple SCV relay) with SMTP id 60.EE.03275.CCDA4995; Wed, 16 Aug 2017 13:40:44 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from da0602a-dhcp158.apple.com (da0602a-dhcp158.apple.com [17.226.23.158]) by koseret.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170621 64bit (built Jun 21 2017)) with ESMTPSA id <0OUS002JUPFW5V70@koseret.apple.com>; Wed, 16 Aug 2017 13:40:44 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
In-reply-to: <CAO8oSXmg2eok5FRatPfP_4-BgS4Uo9e14TT_Qo1QDCT6jTEx5g@mail.gmail.com>
Date: Wed, 16 Aug 2017 13:40:40 -0700
Cc: IPsecME WG <ipsec@ietf.org>
Message-id: <3C9D7AEC-0FCF-4F31-ADF8-56907720E9B6@apple.com>
References: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com> <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca> <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com> <alpine.LRH.2.21.1708161226340.14400@bofh.nohats.ca> <CAO8oSXmg2eok5FRatPfP_4-BgS4Uo9e14TT_Qo1QDCT6jTEx5g@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/yvziGNgT72-28yYe-AEuuL-1mvE>
Subject: Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 20:40:48 -0000

Paul,

I understand your concerns, and I do agree with them. However, the proposal isn't meant to solve all issues - the idea is that if we're building a PPK infrastructure already, I believe this is an incremental improvement to it that solves a few more attack vectors without compromising anything.

> On Aug 16, 2017, at 09:50, Christopher Wood <christopherwood07@gmail.com> wrote:
> 
> On Wed, Aug 16, 2017 at 9:34 AM, Paul Wouters <paul@nohats.ca> wrote:
>> On Mon, 14 Aug 2017, David Schinazi wrote:
>> 
>>> [DS] I think "showing ID" is exactly what we're avoiding here. You can
>>> think of this in terms of the Socialist Millionaire Problem - we want to be
>>> able to assert identity without anyone disclosing anything first. And the
>>> proposed solution is to send a MAC without the identity of the key used to
>>> MAC. Peers can then iterate their list of peers to check the MAC against.
>> 
>> 
>> But when you are using X.509 based clients, you will have never seen the
>> cert/ID until you receive it via IKE ? So your use case is limited to
>> very static type deployments (which suffer less from this issue as they
>> tend to not move around)

On the contrary, if you were to run IPsec over point-to-point links between several mobile devices you own then you have a configuration that doesn't change much but devices that are very mobile - this allows you to have this type of configuration and ensure that there is no way for attackers to fingerprint who you are and where you go.

>> 
>>> [DS] Some security is still better than less security, you can imagine
>>> timing attacks and such but this is better than what we have today.
>> 
>> 
>> But I think we would need something a little better to make it part of
>> an RFC standard.

I'm happy to hear proposals to make this a little better. Do you have an alternative that solves these use cases?

>>> [DS] I was initially going to make this a separate proposal that only
>>> involved a pre shared key and SA_INIT MAC, but it was pointed out to me that
>>> once you have that might as well include the benefits of PPK. If you know of
>>> a way to solve the described privacy attack vectors without a pre shared key
>>> and without adding round trips, I'm interested - I couldn't come up with one
>>> myself.
>> 
>> 
>> A PreSharedKey based solution is also very limiting, and people should
>> be migrating away from PSK in favour of RSA/ECC based solutions :P
> 
> David's original email suggested that this technique was enabled by
> (and perhaps constrained to) draft-fluhrer-qr-ikev2, which assumes the
> existence of a long-term PPK.
> 
>> I understand your use case (prevent blocking of hidden IKE over TCP/TLS
>> servers) but it might not be a use case the IETF can solve. From an
>> IETF perspective, the way to solve this would be to IPsec everything,
>> so that blocking based on ESP visibility becomes impossible. Which
>> is why I'd like to see more Opportunistic IPsec.

I don't see how adding a MAC in an extension data field is something the IETF can't handle. I'm being realistic here, and have an actual problem to solve. Are you telling me to go build and deploy my own proprietary solution instead of working with the IETF?

David


From nobody Wed Aug 16 14:20:57 2017
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 588EF132356 for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 14:20:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VuBmd02rp61Z for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 14:20:50 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E05C13270D for <ipsec@ietf.org>; Wed, 16 Aug 2017 14:20:45 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 5821E203B0 for <ipsec@ietf.org>; Wed, 16 Aug 2017 17:23:24 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 89F6F8076D for <ipsec@ietf.org>; Wed, 16 Aug 2017 17:20:44 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "ipsec\@ietf.org" <ipsec@ietf.org>
In-Reply-To: <22929.40845.325793.136908@fireball.acr.fi>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com> <22929.40845.325793.136908@fireball.acr.fi>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Wed, 16 Aug 2017 17:20:44 -0400
Message-ID: <650.1502918444@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/pl8YqO7fb5hIkuxnDtKcqnP6bf0>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 21:20:55 -0000

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Tero Kivinen <kivinen@iki.fi> wrote:
    > Daniel Van Geest writes:
    >> 1) QS SA Negotiation
    >>
    >> When negotiating a QS SA, it’s not enough to negotiate QS key
    >> agreement algorithm(s), one also has to ensure that the algorithms
    >> selected by the other transform types are also QS.

    > All of these kind of issues are really policy matters, thus outside
    > the PROTOCOL work. I.e., we can add security considerations section

I agree.

    > On the other hand this is ONLY needed if the initiator DOES NOT know
    > whether other end supports QS or not. Usually initiator can be
    > configured to assume either way, it is more important to configure the
    > responder so it will accept either QS or non-QS...

I think that one goes around and enables the new QS policy in nodes as one
upgrades them to have QS.  An implementation could have a policy knob like:
         QS=forbid,accept,propose,insist
         (a bit like MUSTNOT,MAY,SHOULD,MUST)

which would add the extra proposals.  One starts with "QS=accept" or
"QS=propose", so that one can interoperate with nodes which have not
yet been upgraded, and then perhaps moves to QS=insist.

I think we are in agreement here, just want to be clear I'm not disagreeing.
One only needs the huge SA_INIT during the transition period between
QS=propose to QS=insist.  Still that could be many months to even years.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=--


From nobody Wed Aug 16 19:16:23 2017
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F77213217D for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 19:16:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OwObnGthBXHI for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 19:16:18 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 439F41321F0 for <ipsec@ietf.org>; Wed, 16 Aug 2017 19:16:18 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xXqZh2R6tz3Ch; Thu, 17 Aug 2017 04:16:12 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1502936172; bh=GUSPjTbgLxYR4f2UPtgtkP7tKu/hXoYN81HmFQyxotA=; h=Date:From:To:cc:Subject; b=jxdyo3Ufy6GrKaXiYV8M+su00WupOKKtDcuaxdiK7/231BT/mx/2y8w1xG4ivxKJt l+CfiFmdB/AOy9hnJg2dcs0vuDgu/vPcHYvFaGaviIXwnv9/MqifZZN68ONcUjjHr3 wfrbDRfBXG6CI7NCq2i/zTHyEl3pxl6jKwij7xQw=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 4fjZoiBT9spt; Thu, 17 Aug 2017 04:16:09 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 17 Aug 2017 04:16:09 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 785E52E75B2; Wed, 16 Aug 2017 22:16:08 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 785E52E75B2
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 68EE840D3592; Wed, 16 Aug 2017 22:16:08 -0400 (EDT)
Date: Wed, 16 Aug 2017 22:16:08 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
cc: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>,  Vukasin Karadzic <vukasin.karadzic@gmail.com>
Message-ID: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/oRgLmBxsg--557hqgJ9GifMyGhw>
Subject: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 02:16:21 -0000

Hi,

Vukasin Karadzic is working on implementing draft-fluhrer-qr-ikev2
for libreswan and stumbled upon a problem. The relevant text:

    When the initiator receives this reply, it checks whether the
    responder included the PPK_SUPPORT notify.  If the responder did not,
    then the initiator MUST either proceed with the standard IKE
    negotiation (without using a PPK), or abort the exchange (for
    example, because the initiator has the PPK marked as mandatory).  If
    the responder did include the PPK_SUPPORT notify, then it selects a
    PPK, along with its identifier PPK_id.  Then, it computes this
    modification of the standard IKE key derivation:

A responder answering an IKE_INIT containing PPK_SUPPORT needs to
reply without knowing for which connection this IKE_INIT will be.

The responder has not yet received the initiator's ID. If the responder
has some connections that require a PPK and some connections that
require NO PPK, then it has to flip a coin on whether or not to send
the PPK_SUPPORT notify and if it guessed wrong, the AUTH payload on
the initiator will be wrong. Sending the notify commits to using a PPK
because the initiator uses it as input to the AUTH payload.

So this table from the RFC is incomplete:

    This table summarizes the above logic by the responder

  Received PPK_SUPPORT  Have PPK   PPK Mandatory    Action
  ------------------------------------------------------------------
       No                  No          *            Standard IKE protocol
       No                 Yes         No            Standard IKE protocol
       No                 Yes        Yes            Abort negotiation
      Yes                  No          *            Standard IKE protocol
      Yes                 Yes          *            Include PPK_SUPPORT

Basically, we are in the case where "Have PPK" is not yet known.


One way of solving this could be to allow PPK_SUPPORT to have some
notify data, which could for instance be a hash of the connection/group
name used by the responder. Another option is to use the PPK as one
of the inputs to some hash algorithm as PPK_SUPPORT data, so the
responder can go through its list of PPKs to match it back to a
connection/group. But we would need to be sure that this does not
open up the PPK to attacks (classic and quantum).

Paul


From nobody Thu Aug 17 06:49:11 2017
Message-ID: <22933.40647.462618.166901@fireball.acr.fi>
Date: Thu, 17 Aug 2017 16:48:55 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec\@ietf.org WG" <ipsec@ietf.org>, Vukasin Karadzic <vukasin.karadzic@gmail.com>, "Scott Fluhrer \(sfluhrer\)" <sfluhrer@cisco.com>
In-Reply-To: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ZZs40Gyn36Z6_sLDa0aZ4YFXpdQ>
Subject: [IPsec]  draft-fluhrer-qr-ikev2 AUTH issue

Paul Wouters writes:
>   Received PPK_SUPPORT  Have PPK   PPK Mandatory    Action
>   ------------------------------------------------------------------
>       Yes                  No          *            Standard IKE protocol
>       Yes                 Yes          *            Include PPK_SUPPORT
> 
> Basically, we are in the case where "Have PPK" is not yet known.

I think the discussion earlier was that we solve this by policy, where
responder is configured BEFORE initiator. I.e., if responder sees
initiator that says PPK is supported (meaning initiator has PPK) then
responder is safe to assume that it has also been configured PPK for
that ID. Anyways if this guess turns out to be wrong, it can then
fail the exchange later, and mark that peer as not having PPK when it
reconnects, i.e., add peer IP-address to temporary list saying that if
connection comes from this IP-address, and says it supports PPK,
we do not have PPK for it, so fall back to standard IKE.

Anyways this kind of text needs to be added to the protocol draft.

I do not like to make this document any more complicated than what is
required, as I like to get this document out so it can be implemented,
even when we know there are some corner cases which require manual
configuration.
-- 
kivinen@iki.fi


From nobody Thu Aug 17 07:19:44 2017
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
CC: Vukasin Karadzic <vukasin.karadzic@gmail.com>
Date: Thu, 17 Aug 2017 14:19:11 +0000
Message-ID: <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3Sz-PKXPDZ8foQqanGaBEQL4cVg>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

> -----Original Message-----
> From: Paul Wouters [mailto:paul@nohats.ca]
> Sent: Wednesday, August 16, 2017 10:16 PM
> To: ipsec@ietf.org WG
> Cc: Scott Fluhrer (sfluhrer); Vukasin Karadzic
> Subject: draft-fluhrer-qr-ikev2 AUTH issue
>
>
> Hi,
>
> Vukasin Karadzic is working on implementing draft-fluhrer-qr-ikev2 for
> libreswan and stumbled upon a problem. The relevant text:
>
>     When the initiator receives this reply, it checks whether the
>     responder included the PPK_SUPPORT notify.  If the responder did not,
>     then the initiator MUST either proceed with the standard IKE
>     negotiation (without using a PPK), or abort the exchange (for
>     example, because the initiator has the PPK marked as mandatory).  If
>     the responder did include the PPK_SUPPORT notify, then it selects a
>     PPK, along with its identifier PPK_id.  Then, it computes this
>     modification of the standard IKE key derivation:
>
> A responder answering an IKE_INIT containing PPK_SUPPORT needs to reply
> without knowing for which connection this IKE_INIT will be.
>
> The responder has not yet received the initiator's ID. If the responder has
> some connections that require a PPK and some connections that require NO
> PPK,

We never envisioned a situation where you would deliberately choose not to
use a PPK.  Can we replace this with a situation where you don't know
whether you share a PPK with the initiator?

> then it has to flip a coin on whether or not to send the PPK_SUPPORT
> notify and if it guessed wrong, the AUTH payload on the initiator will be
> wrong. Sending the notify commits to using a PPK because the initiator uses
> it as input to the AUTH payload.
>
> So this table from the RFC is incomplete:
>
>     This table summarizes the above logic by the responder
>
>   Received PPK_SUPPORT  Have PPK   PPK Mandatory    Action
>   ------------------------------------------------------------------
>        No                  No          *            Standard IKE protocol
>        No                 Yes         No            Standard IKE protocol
>        No                 Yes        Yes            Abort negotiation
>       Yes                  No          *            Standard IKE protocol
>       Yes                 Yes          *            Include PPK_SUPPORT
>
> Basically, we are in the case where "Have PPK" is not yet known.
>
>
> One way of solving this could be to allow PPK_SUPPORT to have some notify
> data, which could for instance be a hash of the connection/group name used
> by the responder.
> Another option is to use the PPK as one of the inputs to
> some hash algorithm as PPK_SUPPORT data, so the responder can go
> through its list of PPKs to match it back to a connection/group. But we would
> need to be sure that this does not open up the PPK to attacks (classic and
> quantum)

That's what we did in our original proposal (actually, it was a function of
the PPK itself).  The problems with that were:

- If we made it a nondeterministic function (that is, include a randomizer),
  then the server had to do a linear scan over all their known PPKs to find
  the matching one.

- If we made it a deterministic function, then someone listening in can
  trivially determine when we're reusing the same PPK

(There's also a minor issue of "which hash function to use"; we haven't
negotiated any at this time).

A linear scan over possibly 10,000 PPKs was considered unacceptable.  One of
our proposals even allowed the server to specify the trade-off between the
above two; that was considered too complex.

I'm not thrilled with Tero's answer of "let's be careful about the order we
upgrade things in complex networks", but I don't know how to better solve it
without adding lots of complexity to the protocol, potential anonymity leaks
or requiring significant computation on the server side.


>
> Paul
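
The two variants Scott describes, side by side, as an added example that is not part of the thread or the draft. HMAC-SHA-256, the label, the 16-byte lengths, the connection names and the PPKs are assumptions constructed for the sketch (the thread notes that no hash function had been negotiated); it shows only lookup cost and linkability and makes no claim that either form is safe for the PPK.

```python
import hashlib
import hmac
import os

LABEL = b"PPK_SUPPORT hint (constructed label)"
RAND_LEN = 16   # randomizer length in bytes (assumed)
TAG_LEN = 16    # truncated tag length in bytes (assumed)


def _tag(ppk, data):
    return hmac.new(ppk, data, hashlib.sha256).digest()[:TAG_LEN]


def deterministic_hint(ppk):
    """Deterministic form: the same PPK always yields the same notify data."""
    return _tag(ppk, LABEL)


def randomized_hint(ppk, randomizer=None):
    """Nondeterministic form: notify data = fresh randomizer || tag."""
    randomizer = os.urandom(RAND_LEN) if randomizer is None else randomizer
    return randomizer + _tag(ppk, LABEL + randomizer)


def observer_can_link(hint_a, hint_b):
    """What a passive listener learns: are two exchanges using the same PPK?"""
    return hint_a == hint_b


class Responder:
    def __init__(self, ppks):
        self.ppks = ppks  # connection name -> PPK
        # A precomputed index is only possible for the deterministic form.
        self.index = {deterministic_hint(k): name for name, k in ppks.items()}
        self.mac_computations = 0  # work done by randomized lookups

    def match_deterministic(self, hint):
        return self.index.get(hint)  # one table lookup

    def match_randomized(self, hint):
        randomizer, tag = hint[:RAND_LEN], hint[RAND_LEN:]
        for name, ppk in self.ppks.items():  # linear scan over every PPK
            self.mac_computations += 1
            if hmac.compare_digest(_tag(ppk, LABEL + randomizer), tag):
                return name
        return None


def build_responder(n):
    """Responder with n constructed PPKs named conn-0 .. conn-(n-1)."""
    return Responder({
        "conn-%d" % i: hashlib.sha256(b"constructed-ppk-%d" % i).digest()
        for i in range(n)
    })


if __name__ == "__main__":
    r = build_responder(10000)
    ppk = r.ppks["conn-9999"]
    d1, d2 = deterministic_hint(ppk), deterministic_hint(ppk)
    r1, r2 = randomized_hint(ppk), randomized_hint(ppk)
    print("deterministic linkable:", observer_can_link(d1, d2))
    print("randomized linkable:   ", observer_can_link(r1, r2))
    print("match:", r.match_randomized(r1), "after", r.mac_computations, "MACs")
```
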


From nobody Thu Aug 17 15:44:27 2017
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
CC: Vukasin Karadzic <vukasin.karadzic@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Date: Thu, 17 Aug 2017 22:44:22 +0000
Message-ID: <da14cff8a01045c492d3cda03e96422b@XCH-ALN-010.cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RVYCV326RF-3SMYv6F0l9zxPcA8>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

Good point Paul. The issue will also hold for an initiator. The initiator
might have PPK enabled with other peers but not have a PPK_id configured for
a responder after he gets her IKE_INIT response with N(PPK_SUPPORT)
included. Practically the N(PPK_SUPPORT) is dictated by a global PPK support
configuration on the initiator and responder, but that does not mean a PPK is
configured for all their peers.

As Tero and Scott suggested, for the sake of simplicity it makes sense to
tighten the text with normative language to make it clear to an implementer.
For an initiator with PPK enabled but no PPK_id, regular IKE should be
included in the initiator's IKE_AUTH message. For the responder, imo a failure
should occur after the initiator's IKE_AUTH if a PPK_id doesn't exist and
PPK is enabled in the responder. And optionally the responder could add the
initiator in a no_PPK_supported local cache.

Rgs,
Panos



From nobody Fri Aug 18 08:27:03 2017
Date: Fri, 18 Aug 2017 11:26:55 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Tero Kivinen <kivinen@iki.fi>
cc: "ipsec@ietf.org WG" <ipsec@ietf.org>,  Vukasin Karadzic <vukasin.karadzic@gmail.com>,  "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
In-Reply-To: <22933.40647.462618.166901@fireball.acr.fi>
Message-ID: <alpine.LRH.2.21.1708171113120.3833@bofh.nohats.ca>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <22933.40647.462618.166901@fireball.acr.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mzRmqbkxv-qTG9gMLn_xtgqBl7I>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

On Thu, 17 Aug 2017, Tero Kivinen wrote:

>> Basically, we are in the case where "Have PPK" is not yet known.
>
> I think the discussion earlier was that we solve this by policy, where
> responder is configured BEFORE initiator.

I thought about this a few times, and after some discussions with
myself, I agree that you are right.

> I.e., if responder sees
> initiator that says PPK is supported (meaning initiator has PPK) then
> responder is safe to assume that it has also been configured PPK for
> that ID. Anyways if this guess turns out to be wrong, it can then
> fail the exchange later, and mark that peer as not having PPK when it
> reconnects, i.e., add peer IP-address to temporary list saying that if
> connection comes from this IP-address, and says it supports PPK,
> we do not have PPK for it, so fall back to standard IKE.

That is a terrible hack. It will likely not work well with NAT, when
the client might end up with a new exchange on a different NAT port,
so you cannot tell whether this is 1 client behind NAT or 2 clients
behind NAT. But I see how we can just call this a "misconfiguration"
and I don't mind it not working.

> Anyways this kind of text needs to be added to the protocol draft.

Yes.

So I agree with Tero. And I guess our code is already doing this.

Paul
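
The behaviour debated above, as an added sketch that is not libreswan's code and not text from the draft: the responder guesses "Have PPK" at IKE_SA_INIT, checks the guess once the initiator ID arrives, and keeps the temporary no-PPK list Tero describes (Panos's optional no_PPK_supported cache). The class and method names, the 300-second lifetime, the address, the ports and the IDs are assumptions constructed for the example.

```python
NO_PPK_TTL = 300  # seconds an entry stays on the temporary list (assumed value)


class Responder:
    def __init__(self, ppk_by_id, mandatory_ids=(), key_on_port=False):
        self.ppk_by_id = dict(ppk_by_id)         # initiator ID -> PPK
        self.mandatory_ids = set(mandatory_ids)  # IDs for which PPK is mandatory
        self.key_on_port = key_on_port           # cache by (IP, port) or by IP
        self.no_ppk_until = {}                   # cache key -> expiry time

    def _key(self, ip, port):
        return (ip, port) if self.key_on_port else ip

    def ike_sa_init(self, ip, port, got_ppk_support, now):
        """Decide whether to reply with PPK_SUPPORT before the ID is known."""
        if not got_ppk_support or not self.ppk_by_id:
            return False
        expiry = self.no_ppk_until.get(self._key(ip, port))
        if expiry is not None and now < expiry:
            return False  # an earlier guess for this address was wrong
        return True       # assume a PPK has been configured for this peer

    def ike_auth(self, ip, port, initiator_id, sent_ppk_support, now):
        """The ID is known now; act on the guess made in ike_sa_init."""
        have_ppk = initiator_id in self.ppk_by_id
        if sent_ppk_support:
            if have_ppk:
                return "PPK"
            # Wrong guess: fail the exchange and remember the address.
            self.no_ppk_until[self._key(ip, port)] = now + NO_PPK_TTL
            return "fail"
        if have_ppk and initiator_id in self.mandatory_ids:
            return "abort"  # table row: no PPK_SUPPORT, have PPK, mandatory
        return "standard IKE"

    def connect(self, ip, port, initiator_id, now):
        """One attempt by an initiator that always sends PPK_SUPPORT."""
        sent = self.ike_sa_init(ip, port, True, now)
        return self.ike_auth(ip, port, initiator_id, sent, now)


def scenario(key_on_port, bob_mandatory=False):
    """Two initiators behind one NAT address (constructed values)."""
    nat = "203.0.113.7"
    r = Responder(
        {"bob@example.net": b"constructed-ppk"},
        mandatory_ids={"bob@example.net"} if bob_mandatory else (),
        key_on_port=key_on_port,
    )
    return [
        # alice sends PPK_SUPPORT but the responder has no PPK for her ID
        r.connect(nat, 4500, "alice@example.net", now=0),
        # alice retries; the NAT has given her a new source port
        r.connect(nat, 4501, "alice@example.net", now=1),
        # bob, correctly configured on both sides, same NAT address
        r.connect(nat, 4502, "bob@example.net", now=2),
        # bob again after alice's entry has expired
        r.connect(nat, 4502, "bob@example.net", now=2 + NO_PPK_TTL),
    ]


if __name__ == "__main__":
    print("cache by IP:       ", scenario(key_on_port=False))
    print("cache by IP + port:", scenario(key_on_port=True))
    print("by IP, bob mandatory:", scenario(False, bob_mandatory=True))
```

Keyed by IP alone, the entry created for one initiator also covers the other initiator behind the same NAT, whose exchange then runs without its PPK unless the PPK is marked mandatory; keyed by IP and port, the entry misses the first initiator's retry.
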


From nobody Fri Aug 18 13:56:30 2017
From: Derrell Piper <ddp@electric-loft.org>
Date: Fri, 18 Aug 2017 13:56:27 -0700
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <22933.40647.462618.166901@fireball.acr.fi> <alpine.LRH.2.21.1708171113120.3833@bofh.nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1708171113120.3833@bofh.nohats.ca>
Message-Id: <BBCE47D6-F761-415E-B376-F92B0B2F7B8D@electric-loft.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nkkdhMelVDf2qOzftQOWSzRvsKs>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

Notes on draft-fluhrer-qr-ikev2-04, mostly nits:

pp. 1
"...pose a serious challenge to cryptography algorithms [deployed?] widely today."

pp. 2
"when might one be implemented" -> "when one might be implemented"

pp. 3
The Changes section wording confuses me.  Does that mean, relative to the
last draft?  Or does it mean those were the change in -03?

pp. 4
"...then it must check if has a..." -> "...if it has a..."

pp. 8

"Algorithm=urn:ietf:params:xml:ns:keyprov:pskc:pin"

RE: rfc6030, any chance we can not refer to an RFC with XML in it?  I strongly
object to XML.  Does IKEv2 reference any XML?  (sticks fingers in ears...)

pp. 9

RE: rfc6023 text

I would prefer text here that suggests exactly how to achieve post-quantum ID
confidentiality.  This is vague and that means people will implement it all
over the map.  I also don't think Child SAs should ever have been made
mandatory, so referring to rfc6023 is fine.

Overall, I think this document should advance.  This is nice and simple, more
or less.

Derrell


From nobody Mon Aug 21 02:46:07 2017
Received: from xch-aln-007.cisco.com ([173.36.7.17]) by XCH-ALN-007.cisco.com ([173.36.7.17]) with mapi id 15.00.1210.000; Mon, 21 Aug 2017 04:46:02 -0500
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
CC: Vukasin Karadzic <vukasin.karadzic@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
Thread-Index: AQHTFv7XJ5jltk7mwUuzxiRaE15dYKKO+zAA
Date: Mon, 21 Aug 2017 09:46:02 +0000
Message-ID: <91469627-49D0-47FF-8D8D-082179BF671A@cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.142.74]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3586157162_1068384987"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IUsSQUv0fUfRDri5_HsxLLI2c2s>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2017 09:46:06 -0000

--B_3586157162_1068384987
Content-type: text/plain;
	charset="UTF-8"
Content-transfer-encoding: quoted-printable

Hi Paul

I’m a bit late to the party, but thought I’d chip in if it helps..

With regards to ‘If the responder has some connections that require a PPK
and some connections that require NO PPK, then it has to flip a coin on
whether or not to send the PPK_SUPPORT notify and if it guessed wrong’

If you follow the logic below (I sent the following to Scott back in the
day) with the GW (or responder) being configured with the PPK’s for the
initiators first, then the initiators being configured and ONLY sending the
PPK supported when it has a key for the peer you should be ok.

cheers

I would like to propose the following;
- Step 0 is "never use PPKs" (this is the existing IKE standard)

- Logic 1 is “if we are initiator only advertise PPK notify if we have a
  PPK for the peer”

- Step 1 is "if we're the initiator, then use PPKs if the responder
  signaled support for it"

- Step 2 is "insist on PPKs if the peer supports it (in both the initiator
  and the responder roles)"

So for a remote access VPN GW, you would configure the GW first and then
each client. The GW will only respond with the PPK notify if the client had
included the PPK notify. Once the client has the PPK it will include the PPK
notify and pass authentication.

Likewise for Hub and Spoke, the same principle.

The issue I would foresee is something like DMVPN or a partial/full mesh,
but my logic mitigates any issues.. the Hub has the PPK and Spoke 1 has the
PPK.. The Spoke1 – Hub SA is protected by the PPK. If Spoke2 did not have a
PPK and connected to the Hub, the Spoke2 – Hub is not PPK protected, then
Spoke1 connected to Spoke2, because of the logic (“if we are initiator only
advertise PPK notify if we have a PPK for the peer”) Spoke1 would not
advertise the PPK notify and hence we get over this limitation.


Now where this falls down is if there’s a shared key, so in the example
above if all spokes used a shared key and one of the spokes didn’t have it
– then the logic would fail.


On 17/08/2017, 03:16, "IPsec on behalf of Paul Wouters" <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote:

    Hi,

    Vukasin Karadzic is working on implementing draft-fluhrer-qr-ikev2
    for libreswan and stumbled upon a problem. The relevant text:

        When the initiator receives this reply, it checks whether the
        responder included the PPK_SUPPORT notify.  If the responder did not,
        then the initiator MUST either proceed with the standard IKE
        negotiation (without using a PPK), or abort the exchange (for
        example, because the initiator has the PPK marked as mandatory).  If
        the responder did include the PPK_SUPPORT notify, then it selects a
        PPK, along with its identifier PPK_id.  Then, it computes this
        modification of the standard IKE key derivation:

    A responder answering an IKE_INIT containing PPK_SUPPORT needs to
    reply without knowing for which connection this IKE_INIT will be.

    The responder has not yet received the initiator's ID. If the responder
    has some connections that require a PPK and some connections that
    require NO PPK, then it has to flip a coin on whether or not to send
    the PPK_SUPPORT notify and if it guessed wrong, the AUTH payload on
    the initiator will be wrong. Sending the notify commits to using a PPK
    because the initiator uses it as input to the AUTH payload.

    So this table from the RFC is incomplete:

        This table summarizes the above logic by the responder

      Received PPK_SUPPORT  Have PPK   PPK Mandatory    Action
      ------------------------------------------------------------------
           No                  No          *            Standard IKE protocol
           No                 Yes         No            Standard IKE protocol
           No                 Yes        Yes            Abort negotiation
          Yes                  No          *            Standard IKE protocol
          Yes                 Yes          *            Include PPK_SUPPORT

    Basically, we are in the case where "Have PPK" is not yet known.


    One way of solving this could be to allow PPK_SUPPORT to have some
    notify data, which could for instance be a hash of the connection/group
    name used by the responder. Another option is to use the PPK as one
    of the inputs to some hash algorithm as PPK_SUPPORT data, so the
    responder can go through its list of PPKs to match it back to a
    connection/group. But we would need to be sure that this does not
    open up the PPK to attacks (classic and quantum)

    Paul

--B_3586157162_1068384987
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
--B_3586157162_1068384987--


From nobody Mon Aug 21 07:24:55 2017
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09C9113217D for <ipsec@ietfa.amsl.com>; Mon, 21 Aug 2017 07:24:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.2
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VfAp3k_X_5x for <ipsec@ietfa.amsl.com>; Mon, 21 Aug 2017 07:24:52 -0700 (PDT)
Received: from mail-lf0-x22e.google.com (mail-lf0-x22e.google.com [IPv6:2a00:1450:4010:c07::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C98C9132113 for <ipsec@ietf.org>; Mon, 21 Aug 2017 07:24:49 -0700 (PDT)
Received: by mail-lf0-x22e.google.com with SMTP id y15so67390155lfd.5 for <ipsec@ietf.org>; Mon, 21 Aug 2017 07:24:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=k8bs3yNIddlpeaXzeoDga4bvU6VdsjZiYdB4QD8wJE4=; b=iIjZh7EneTcu7q+DzfYuTqXDB92EGNP1/cRdj8xRJWaaPlUCVj7pcKqydDC/dSvJra ksukjsev4/m3KrZEuzjFXlFdIJY8h9d6ry/AgbQyz94EZOzA+Kg6IEn1ss75eEGQ1SDr kMv2Exybj3lfHrMID4M2gxZipFdLBkX2zNTKHzrm4nTroyn4yCif0PwCZx0S+iZwROv0 Cu9f9s77y/MDPtuGSp15LU7PctNL4qWkTmSU74UBd9OrPlN+q+8IPj7Hx6jnE9Irzcj1 b+nD4y8YvEDJ4FHkOFQ1kmRsgh54Q3GKFZo2GP1tGXcmKdx855nT1uSOYgp66VShrcOJ 9KsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=k8bs3yNIddlpeaXzeoDga4bvU6VdsjZiYdB4QD8wJE4=; b=V+gzWF/kx8aYZzUBvy2vP9ClXNUYSBmo/AaoqdqWT3occnlVJkGWIofNVnbnYF9R4r m0RpKsvYBE2HRS9y9lo1HLK4+MmZS+HT79PxOQdMGbx19KvX7qCf8HD2w9mMFS6hByjc NplArjnHbIfurlpvQzhfO/CPjsrrJwRGV+0xfobyHFd1BF9gSFAezdqWakmfz/CJ625U qYgd2pbb2c9bMSM8fIxQMohGys3+kaZJNUbRVBc6ZCf6EsGeSwBjXEp0V4N3IgBxxZL7 81SdQeylbDkQkm0ZBDo+gbQ5oMok6pz6bQtPQVvgs9RcMZ47/qe/Nc8R21OjtefHx0Si PJUw==
X-Gm-Message-State: AHYfb5ha979Kt4gRfeC8DVtYSXOkqyQHwEnItjQdA+0pJSWpEJ3SYZqy oLJojSI4q5Xq6Yfj
X-Received: by 10.25.79.80 with SMTP id a16mr383901lfk.122.1503325487703; Mon, 21 Aug 2017 07:24:47 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id o69sm2746955lfk.8.2017.08.21.07.24.46 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 21 Aug 2017 07:24:46 -0700 (PDT)
From: "Valery Smyslov" <svanru@gmail.com>
To: "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer@cisco.com>, "'Paul Wouters'" <paul@nohats.ca>, <ipsec@ietf.org>
Cc: "'Vukasin Karadzic'" <vukasin.karadzic@gmail.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com>
In-Reply-To: <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com>
Date: Mon, 21 Aug 2017 17:24:45 +0300
Message-ID: <001701d31a89$3cf35ca0$b6da15e0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFrzo/mLNHQ912KAIRbgs5wCt+pzQFW4fuSo1KroxA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/A8tyT6XR5EZTnO4WU4BK-VhQ3uk>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2017 14:24:54 -0000

Hi Scott, 

> > then it has to flip a coin on whether or not to send the PPK_SUPPORT
> > notify and if it guessed wrong, the AUTH payload on the initiator will be
> > wrong. Sending the notify commits to using a PPK because the initiator uses
> > it as input to the AUTH payload.

[...]

> > One way of solving this could be to allow PPK_SUPPORT to have some notify
> > data, which could for instance be a hash of the connection/group name used
> > by the responder.
> > Another option is to use the PPK as one of the inputs to
> > some hash algorithm as PPK_SUPPORT data, so the responder can go
> > through its list of PPKs to match it back to a connection/group. But we would
> > need to be sure that this does not open up the PPK to attacks (classic and
> > quantum)
> 
> That's what we did in our original proposal (actually, it was a function of the PPK itself).  The problems with
> that were:
> 
> - If we made it a nondeterministic function (that is, include a randomizer), then the server had to do a linear
> scan over all their known PPKs to find the matching one.
> 
> - If we made it a deterministic function, then someone listening in can trivially determine when we're reusing
> the same PPK
> 
> (There's also a minor issue of "which hash function to use"; we haven't negotiated any at this time).
> 
> A linear scan over possibly 10,000 PPKs was considered unacceptable.  One of our proposals even allowed the
> server to specify the trade-off between the above two; that was considered too complex.
> 
> I'm not thrilled with Tero's answer of "lets be careful about the order we upgrade things in complex
> networks", but I don't know how to better solve it without adding lots of complexity to the protocol, potential
> anonymity leaks or requiring significant computation on the server side.

One (relatively) simple solution would be the following.

If initiator is configured with PPK, but at the same time its policy marks using PPK as optional,
then the initiator can send two authenticators - one using SK_pi' and the other using SK_pi
(where SK_pi = prf(PPK, SK_pi')). The one, computed using SK_pi (where PPK is involved) is placed in
AUTH payload, and the other, computed using SK_pi' (without PPK) is placed in 
a new optional status notification NO_PPK_AUTH.

   Initiator                       Responder
   ------------------------------------------------------------------
   HDR, SK {IDi, [CERT,] [CERTREQ,]
       [IDr,] AUTH, SAi2, TSi, TSr, 
       N(PPK_IDENTITY)(PPK_id), 
      [N(NO_PPK_AUTH)(auth_data)] }  --->

When responder receives this message and cannot find the corresponding PPK based on PPK_id and is configured
to allow PPK-less SA, it can still authenticate initiator by using the content of NO_PPK_AUTH. 
In this case the Responder replies with the IKE_AUTH response lacking PPK_IDENTITY to let the initiator
know that AUTH payload is computed as per RFC7296 (using SK_pr', i.e. without using PPK).

<---   HDR, SK {IDr, [CERT,]
       AUTH, SAr2, TSi, TSr} 

If the responder has the corresponding PPK, then it computes its AUTH payload using 
SK_pr and includes PPK_IDENTITY notification:

<---   HDR, SK {IDr, [CERT,] 
       AUTH, SAr2, TSi, TSr, 
       N(PPK_IDENTITY)(PPK_id)} 

This solution allows peers to communicate in different settings and to enforce their own policy.
For instance, if the initiator is configured to always use PPK, it won't include 
NO_PPK_AUTH at all. If responder is configured to always use PPK, it will just ignore
NO_PPK_AUTH and return AUTHENTICATION_FAILED in case the proper PPK is not found.

Regards,
Valery.
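
The decision logic of the NO_PPK_AUTH proposal above, as an added example that is not part of the original message or of any implementation. It assumes shared-secret authentication as in RFC 7296 section 2.15 and HMAC-SHA256 as the prf; the function names, the dictionary standing in for the IKE_AUTH payloads, and all key material are constructed for illustration.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"   # fixed string from RFC 7296, section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated IKE prf (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth(psk, sk_p, signed_msg, peer_nonce, id_payload):
    """RFC 7296 shared-secret AUTH over msg | nonce | prf(SK_p, ID)."""
    octets = signed_msg + peer_nonce + prf(sk_p, id_payload)
    return prf(prf(psk, KEY_PAD), octets)


def initiator_request(psk, sk_pi_prime, ppk_id, ppk, ppk_optional,
                      msg1, nonce_r, id_i):
    """Payloads the initiator places in IKE_AUTH under the proposal."""
    sk_pi = prf(ppk, sk_pi_prime)              # SK_pi = prf(PPK, SK_pi')
    req = {
        "IDi": id_i,
        "PPK_IDENTITY": ppk_id,
        "AUTH": psk_auth(psk, sk_pi, msg1, nonce_r, id_i),
    }
    if ppk_optional:
        # Second authenticator, computed with SK_pi' (no PPK involved).
        req["NO_PPK_AUTH"] = psk_auth(psk, sk_pi_prime, msg1, nonce_r, id_i)
    return req


def responder_verify(req, psk, sk_pi_prime, ppk_table, ppk_mandatory,
                     msg1, nonce_r):
    """Return (status, ppk_used).

    ppk_used=True means the reply carries PPK_IDENTITY and the responder's
    own AUTH is computed with SK_pr; False means plain RFC 7296 (SK_pr').
    """
    def matches(sk_p, received):
        expected = psk_auth(psk, sk_p, msg1, nonce_r, req["IDi"])
        return hmac.compare_digest(expected, received)

    ppk = ppk_table.get(req["PPK_IDENTITY"])
    if ppk is not None:
        # PPK found: only the PPK-bound AUTH counts. Refusing to fall back
        # when the PPK is found but AUTH fails is this sketch's choice.
        if matches(prf(ppk, sk_pi_prime), req["AUTH"]):
            return ("OK", True)
        return ("AUTHENTICATION_FAILED", False)
    # PPK not found: a responder that insists on PPKs ignores NO_PPK_AUTH.
    if ppk_mandatory or "NO_PPK_AUTH" not in req:
        return ("AUTHENTICATION_FAILED", False)
    if matches(sk_pi_prime, req["NO_PPK_AUTH"]):
        return ("OK", False)
    return ("AUTHENTICATION_FAILED", False)


# Constructed sample values; in IKEv2 SK_pi' comes out of the key derivation.
PSK = b"constructed-psk"
SK_PI_PRIME = bytes(range(32))
PPK = b"constructed-ppk-value"
MSG1 = b"constructed IKE_SA_INIT request octets"
NONCE_R = bytes(range(32, 64))
ID_I = b"initiator@example.test"


def scenario(responder_has_ppk, initiator_optional, responder_mandatory):
    """Run one exchange and return the responder's (status, ppk_used)."""
    req = initiator_request(PSK, SK_PI_PRIME, "ppk-1", PPK,
                            initiator_optional, MSG1, NONCE_R, ID_I)
    table = {"ppk-1": PPK} if responder_has_ppk else {}
    return responder_verify(req, PSK, SK_PI_PRIME, table,
                            responder_mandatory, MSG1, NONCE_R)


if __name__ == "__main__":
    for args in [(True, True, False), (False, True, False),
                 (False, True, True), (False, False, False)]:
        print(args, scenario(*args))
```
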



From nobody Tue Aug 22 01:35:10 2017
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38F11132357 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 01:35:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.199
X-Spam-Level: 
X-Spam-Status: No, score=-1.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HE50rN08hWR0 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 01:35:07 -0700 (PDT)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24DDA12EC06 for <ipsec@ietf.org>; Tue, 22 Aug 2017 01:35:07 -0700 (PDT)
Received: by mail-lf0-x22d.google.com with SMTP id y15so76134052lfd.5 for <ipsec@ietf.org>; Tue, 22 Aug 2017 01:35:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=GBNVvzhOz5+f8SgXZDRk2Os7PHbLwRvG/V3ztDHcWgs=; b=I+/ENe1d1m//KCunj/X28HDY0Z88ZjiK028T+GvpTdnlvX7yT8R7PV8n0dDPBDtqPa 06+wsaGxHeR9zhcg8ZDOYuT/okTW5hTnCL5qc3CJZTX38CVucJSc39vVKl2JtPfoWBXa pQ88czMYKkEqWS7ezPvx/KeR9b4v7m78rML8EyeFp/PyuSlEcGNIuySloQX4OHR0UB59 PlVe6QAOAiXPqaj9TfHO32QnfVWnqshJrl0UtXL2QGzw9NruSw1a+PKBq6Gl0J1HwwxR GBa/BFoLzsFL9jkCswAh+GTgXtLY5biyv8V+/zgKt9XUiv01xmtg9d1h/jKYCMQYcr+E 3FSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=GBNVvzhOz5+f8SgXZDRk2Os7PHbLwRvG/V3ztDHcWgs=; b=qdQVz58erihEv9rb84T+AOmanVUSAk/l60j9Pi0LONBT/SnXPvg4f3v2FYRmrpTO4c CWfqJBLWJ57R3NrVefA9yiXyRHWxQj10JtmQbDsvTlZB9OnWOn3ZKZwUkFPuunFIsn37 J8f9f67JEqHCppLr/ZQjrOubWCRlh0D2eZSBgfPFAolZefxiRYeh12iiba/+LlhMAZoT 2qGKKz+PlYk2wZ6o2eh8xFXHMzmZiX/V90JCHGuqUNiRZOaYZODFpP/WYRPxczU5i4hJ BsUIGcNJs4ridOrGANdy1NB9wUNJ9lIBXz6kZPwEIiZW3ydqL7627RH+XnmoBnbxBwDn 03cQ==
X-Gm-Message-State: AHYfb5gUVABs8V8jIERcUxF6GvC+cic/GO20pplEGgkrZbZsds+1vCoG yeCMIhoFxMZ71w==
X-Received: by 10.25.214.10 with SMTP id n10mr1419497lfg.124.1503390905453; Tue, 22 Aug 2017 01:35:05 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id w17sm56564lff.6.2017.08.22.01.35.04 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 22 Aug 2017 01:35:04 -0700 (PDT)
From: "Valery Smyslov" <svanru@gmail.com>
To: "'Cen Jung Tjhai'" <CJT@post-quantum.com>, "'Tero Kivinen'" <kivinen@iki.fi>
Cc: <ipsec@ietf.org>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <22922.55551.190123.31763@fireball.acr.fi> <E8A3B50A-62D1-4211-B39F-932C9C959AF1@post-quantum.com>
In-Reply-To: <E8A3B50A-62D1-4211-B39F-932C9C959AF1@post-quantum.com>
Date: Tue, 22 Aug 2017 11:35:03 +0300
Message-ID: <006601d31b21$8d59ce20$a80d6a60$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJGClSbub5RkghZHKgMD6H8pOsCcwJfffzfAjQj/cMC0HHoQKFvA/cw
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nl-PLTHU-2mYW8hrDTxKSqa3o9k>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 08:35:09 -0000

Hi,

>     >>> The only reason that comes to my mind is that you don’t fully trust
>     >>> QSKE. Are there any other reasons?
>
>     >>I think that is one of the main reasons. Especially as we do not know
>     >>which QSKE we are talking about.
>
> Another reason for not removing KE is potentially due to FIPS requirement. According to NIST
> (http://csrc.nist.gov/groups/ST/post-quantum-crypto/faq.html#Q1), if we have a hybrid key exchange, i.e. KE
> + post-quantum KE, the KE part can still go through FIPS validation and can still be FIPS-certified (until FIPS
> covers post-quantum algorithms).

Well, that are valid reasons. However, what makes me uncomfortable is that this design looks like yet another
short-term (or medium-term) solution. We already have draft-fluhrer-qr-ikev2 that was declared as
a temporary short-term approach to countermeasure immediate threat until cryptography science gives us
new well-studied QC-proof primitives to replace classic public key cryptography. Now it turns out that we don't have
primitives we are certain in (at least for key exchange), so we decide to combine several different primitives
(which we don't fully trust in) with classic DH. That's a valid approach for transition to PQ cryptography,
but it doesn't look like long-term standard solution.

What particularly makes me unhappy:
- the design looks like violation of the "gold rule" of cryptography - "don't combine several weak primitives, it doesn't add
   to security, instead use one strong primitive" (I understand that each rule has exceptions, so that's probably the case, but still)
- when (and if) workable QC appears, the classic DH exchange will provide zero security, but will still consume resources,
   that will just be wasted. And the proposed design doesn't allow to get rid of DH completely, so the resulting
   protocol will be inefficient.

So we end up with yet another temporary solution. That's not good.

Regards,
Valery.


From nobody Tue Aug 22 03:43:05 2017
Return-Path: <CJT@post-quantum.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28284132955 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 03:43:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-9uikhzHAfm for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 03:43:01 -0700 (PDT)
Received: from relay.ezis.com (relay.ezis.com [5.153.73.19]) by ietfa.amsl.com (Postfix) with ESMTP id D74CF132951 for <ipsec@ietf.org>; Tue, 22 Aug 2017 03:43:00 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.41,411,1498518000";  d="scan'208";a="2267609"
Received: from unknown (HELO pqex01.post-quantum.com) ([192.168.142.3]) by ironport.ezis.com with ESMTP; 22 Aug 2017 11:43:00 +0100
Received: from PQEX02.post-quantum.com (192.168.142.18) by PQEX01.post-quantum.com (192.168.142.3) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 22 Aug 2017 11:42:59 +0100
Received: from PQEX02.post-quantum.com (192.168.142.18) by PQEX02.post-quantum.com (192.168.142.18) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 22 Aug 2017 11:42:58 +0100
Received: from PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3]) by PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3%13]) with mapi id 15.00.1320.000; Tue, 22 Aug 2017 11:42:58 +0100
From: Cen Jung Tjhai <CJT@post-quantum.com>
To: Valery Smyslov <svanru@gmail.com>, 'Tero Kivinen' <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJ0GbUAgAekgoCAAKx1AIATrwqAgAA0fAA=
Date: Tue, 22 Aug 2017 10:42:58 +0000
Message-ID: <46593A80-1391-4849-9B57-D53EF08863FD@post-quantum.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <22922.55551.190123.31763@fireball.acr.fi> <E8A3B50A-62D1-4211-B39F-932C9C959AF1@post-quantum.com> <006601d31b21$8d59ce20$a80d6a60$@gmail.com>
In-Reply-To: <006601d31b21$8d59ce20$a80d6a60$@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.3.255.7]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A79D9C1A9815B94C85BB998AFCC54E2B@post-quantum.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/evsu4pn6wCAzKsZMH4LUBNFuzQo>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 10:43:03 -0000


From nobody Tue Aug 22 07:31:09 2017
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FE93132623 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 07:31:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level: 
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YDKCR0KueT42 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 07:31:06 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BBF1126BF0 for <ipsec@ietf.org>; Tue, 22 Aug 2017 07:31:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6191; q=dns/txt; s=iport; t=1503412266; x=1504621866; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=yed3n2WJj2YRqNhECZioqyfomQ0WR8Q/grRSPdicJJI=; b=l/2O102fUtsUzIX0Ja6JdJ3SIGNMFMC+903vJcGrCLMj8Vv+dMeXEZ6T QUx/6QEpU6HyedAsYlIw61S0AfTN5t7XYHWTEjk5SEG3l2R0ashD3d6MT 9DWHzs1nSJZ7B7kZ8aqBgrVhTsxHVtheMYpqFm1NMDroRIcDk5NiTUrTA Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ClAABZP5xZ/4YNJK1cGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBg1qBeQeODJAYgW6WH4IShUcChCU/GAECAQEBAQEBAWsohRgBAQE?= =?us-ascii?q?BAzoaHAkMBAIBCBEEAQEfCQcyFAkIAgQBDQUIE4oWrwWLXgEBAQEBAQEBAQEBA?= =?us-ascii?q?QEBAQEBAQEBAR2DKoELd4FMgWODJ4pnAQSgVQKUOJJpligBHziBCncVSYcadoh?= =?us-ascii?q?UKoEIgQ8BAQE?=
X-IronPort-AV: E=Sophos;i="5.41,412,1498521600"; d="scan'208";a="474626973"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 22 Aug 2017 14:31:05 +0000
Received: from XCH-RTP-009.cisco.com (xch-rtp-009.cisco.com [64.101.220.149]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id v7MEV4Nt032246 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 22 Aug 2017 14:31:05 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-009.cisco.com (64.101.220.149) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 22 Aug 2017 10:31:04 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1210.000; Tue, 22 Aug 2017 10:31:04 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Cen Jung Tjhai <CJT@post-quantum.com>, Valery Smyslov <svanru@gmail.com>,  "'Tero Kivinen'" <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJ0bYcAgAekgoCAAJuwgIATv86AgAAjvgD//+W2UA==
Date: Tue, 22 Aug 2017 14:31:04 +0000
Message-ID: <11e11cdc7bac4e80aa1c3bcb3d5c18ef@XCH-RTP-006.cisco.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <22922.55551.190123.31763@fireball.acr.fi> <E8A3B50A-62D1-4211-B39F-932C9C959AF1@post-quantum.com> <006601d31b21$8d59ce20$a80d6a60$@gmail.com> <46593A80-1391-4849-9B57-D53EF08863FD@post-quantum.com>
In-Reply-To: <46593A80-1391-4849-9B57-D53EF08863FD@post-quantum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.86.245.131]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8nTGaGbkJ1RwS67Yel9016_9578>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

> -----Original Message-----
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Cen Jung Tjhai
> Sent: Tuesday, August 22, 2017 6:43 AM
> To: Valery Smyslov; 'Tero Kivinen'
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
>
> Hi
>
> >> Well, that are valid reasons. However, what makes me uncomfortable is
> >> that this design looks like yet another short-term (or medium-term)
> >> solution. We already have
> >> draft-fluhrer-qr-ikev2 that was declared as a temporary short-term
> >> approach to countermeasure immediate threat until cryptography
> >> science gives us new well-studied QC-proof primitives to replace
> >> classic public key cryptography. Now it turns out that we don't have
> >> primitives we are certain in (at least for key exchange), so we
> >> decide to combine several different primitives (which we don't fully trust
> >> in) with classic DH. That's a valid approach for transition to PQ cryptography,
> >> but it doesn't look like long-term standard solution.
>
> On our draft-00, one of the objectives is to deprecate DH key exchange in
> the long-term future. Hence, we thought it would be neater to introduce a
> new transform type and a new PQ key exchange payload (QSKE). The idea is
> that when people are happy to drop KE payloads, they can use QSKE
> payloads instead. Obviously, there are concerns with backward compatibility
> by introducing a new transform type, which I agree.

If we look at the general problem, I see that there are three subproblems that we need to solve:

1. How to introduce a postquantum key exchange to IKE

2. How to have the postquantum key exchange in addition to the classical (EC)DH (so that we can't make security worse)

3. How to handle the greater-than-MTU payloads that are likely to result

(and, of course, how to handle this all in a backwards-compatible way, which minimizes additional complexity, and which allows us to deprecate traditional DH key exchanges eventually).

Much of our discussion has been on #3 (which is, indeed, the hardest of the three), however I would like to discuss #1 and #2.


Draft-00 solves #1 by adding a new payload type; one issue with this is, because of the new transform type to negotiate it, existing IKE responders may be confused by it.  They do solve #2 for free (because it's in parallel with the existing KE payloads).


I would suggest a different way; instead of assigning a key payload type, we just issue new group descriptions for the postquantum key exchanges; the traditional 2048 MODP group is 14; we might make NewHope number 32.

One objection to this may be to say "but, NewHope isn't a group"; actually, that's just terminology.  As far as the protocol is concerned, all these key exchanges do fundamentally the same thing; the initiator creates a payload and sends it to the responder; the responder then generates a payload and sends it to the initiator; both sides do some computation and create a shared secret (that someone in the middle cannot derive just seeing the payloads).  There are distinctions between the key exchanges (sometimes the initiator's and responder's keyshares are of different lengths; sometimes the responder's keyshare is a function of the initiator's), but those are distinctions that the protocol doesn't have to care about.

I would argue that this minimizes complexity (the protocol parts of IKE implementations wouldn't have to change at all), and we have good backwards compatibility (as existing IKE implementations already know how to deal with groups they haven't heard of).  However, as it stands, it doesn't address #2 at all.

To solve that, I would suggest adding a way to exchange multiple groups in parallel (and have the shared secret depend on all of them); that way, we can perform both an ECDH (so we're at least as secure as now) and a NewHope exchange (so we have a potential to be secure against a quantum computer).  Ideally, we would be able to allow more than 2 (as some users might not want to trust just one of these new-fangled PQ key exchanges; it would be good if we could give them the option, without adding much complexity on our side).

Here is one possible way to do this; we assign group descriptions 0x7f00-0x7fff (the high end of the IANA unassigned list) to be dynamically assigned by the initiator.  That is, the initiator could include a notify that may specify "group 7f00 is really group 14 and group 32 concatenated", he can then include that within his policy (and the resulting key share would be the group 14 and the group 32 key share concatenated); the responder can either accept this, or reject it in favor of another proposal (just as the current IKE allows fallback to other DH groups).

The idea here is that we try to reuse as much of the existing KE protocol logic (and security logic) as possible; by reusing this logic, we avoid adding complexity, and we also rely on the same security logic that makes the current KE exchange safe.

So, in summary, this idea:

- Allows us to rely on postquantum key exchanges (once they have been defined and accepted)
- Allows us to also rely on traditional groups as well (so we don't make things worse)
- Is backwards compatible (in that someone proposing this to an unupgraded responder will react in the expected way; either downgrading the key exchange, or rejecting the key exchange, based on the initiator policy)
- Allows a clean way to deprecate traditional groups in the future
- Allows someone to rely on multiple postquantum key exchanges, should they be paranoid.
- Does all this while trying to minimize complexity (most of the changes in the implementation will be in the crypto engine and the policy handling; those would have to change in any such solution)

Thoughts?

Credit: this idea was worked out in conjunction with Oscar Garcia-Morchon, Zhenfei Zhang and William Whyte; this idea applied to TLS can be found in draft-whyte-qsh-tls13
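
The composite-group idea in the message above, sketched as an added example (not code from the message, its author or any IKE implementation). Assumptions: the notify is modelled as an already-parsed dict because the message defines no wire format, the two "groups" are toy modular exchanges standing in for group 14 and the hypothetical group 32, and the combined secret is the plain concatenation of the component secrets.

```python
import secrets

DYNAMIC_RANGE = range(0x7F00, 0x8000)  # IDs the initiator may define per the message


class ToyModp:
    """Toy Diffie-Hellman over a small prime. A stand-in, NOT a real IKE group."""

    def __init__(self, p, g=2):
        self.p, self.g = p, g
        self.share_len = (p.bit_length() + 7) // 8

    def keygen(self):
        x = secrets.randbelow(self.p - 3) + 2
        return x, pow(self.g, x, self.p).to_bytes(self.share_len, "big")

    def derive(self, x, peer_share):
        y = int.from_bytes(peer_share, "big")
        if not 1 < y < self.p - 1:
            raise ValueError("invalid key share")
        return pow(y, x, self.p).to_bytes(self.share_len, "big")


# Hypothetical registry: 14 and 32 are the numbers used in the message; the
# moduli only give the two components different key share lengths (32 and 66).
GROUPS = {14: ToyModp(2**255 - 19), 32: ToyModp(2**521 - 1)}


def resolve(group_id, notify_map, supported):
    """Component groups for a proposed group ID, or None if it must be rejected."""
    if group_id in DYNAMIC_RANGE:
        parts = notify_map.get(group_id)
        if not parts or any(p in DYNAMIC_RANGE for p in parts):
            return None  # undefined, empty, or nested composite
    else:
        parts = [group_id]
    return parts if all(p in supported for p in parts) else None


def split_share(parts, blob):
    """Cut a concatenated key share back into per-group shares by length."""
    shares, off = [], 0
    for gid in parts:
        n = GROUPS[gid].share_len
        shares.append(blob[off:off + n])
        off += n
    if off != len(blob):
        raise ValueError("key share length does not match group definition")
    return shares


def initiator_start(parts):
    keys = [GROUPS[g].keygen() for g in parts]
    return [x for x, _ in keys], b"".join(s for _, s in keys)


def responder_handle(group_id, notify_map, ke_blob, supported):
    """Return (reply_share, secret), or None so the caller can fall back
    exactly as it would for any DH group it does not support."""
    parts = resolve(group_id, notify_map, supported)
    if parts is None:
        return None
    reply, secret = b"", b""
    for gid, share in zip(parts, split_share(parts, ke_blob)):
        x, mine = GROUPS[gid].keygen()
        secret += GROUPS[gid].derive(x, share)  # depends on every component
        reply += mine
    return reply, secret


def initiator_finish(parts, privs, reply_blob):
    shares = split_share(parts, reply_blob)
    return b"".join(GROUPS[g].derive(x, s) for g, x, s in zip(parts, privs, shares))
```

An unupgraded responder corresponds to an empty `notify_map`: group 0x7f00 is then just an unknown group and the proposal is rejected in favor of another one.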



From nobody Tue Aug 22 08:03:26 2017
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, Cen Jung Tjhai <CJT@post-quantum.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJ0fkoAgAIguwCABYr/gIAU0YGA
Date: Tue, 22 Aug 2017 15:03:17 +0000
Message-ID: <5E6A99A5-1867-4632-BA67-25A52D97AF71@cisco.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <1501968567726.89885@post-quantum.com> <22922.57101.227283.113155@fireball.acr.fi>
In-Reply-To: <22922.57101.227283.113155@fireball.acr.fi>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3586262595_1289572235"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/SqgIMiOVBP0Ovq0c8jEF57I-9-o>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

--B_3586262595_1289572235
Content-type: text/plain;
	charset="UTF-8"
Content-transfer-encoding: quoted-printable

Hi Tero

So I’m not a big fan of the interim exchange (Scott had suggested something similar).

I would imagine that it’s going to decrease the tunnel setup rate on VPN GW’s.

Adds at minimum another round trip, which could be >two if the QS blob isn’t correct or many more if fragmentation.

It seems to be a large change to what’s there today.

Does not allow for a 1-1 swap for the DH value today to something that is QS.

On a more positive note I like the idea of the incrementing message ID’s for re-transmissions. I had a similar idea myself ☺

As mentioned before, if the issue is with sending these QS blobs is the size. At the moment CJ has given some indication of the sizes, however what is going to be used isn’t decided.

With regards to sending the QS blob using IKEv2 fragmentation. Unless this is sent after authentication occurs it still allows for an attack whereby someone can send up to

 HDR(PRE_AUTH, MID=1),
           SKF(NextPld=0, Frag#=m-1, TotalFrags=m)

To exhaust the receiver’s buffers.

cheers

On 09/08/2017, 11:08, "IPsec on behalf of Tero Kivinen" <ipsec-bounces@ietf.org on behalf of kivinen@iki.fi> wrote:

    Cen Jung Tjhai writes:
    >>And I think if the IKE_SA_INIT messages grow too large with QSKE,
    >>then it’s better to develop generic fragmentation mechanism for
    >>IKE_SA_INIT, rather than making it specific for fragmenting QSKE
    >>blobs. Generic mechanism would allow to reuse it in case we’ll have
    >>to include other large payloads in initial messages.
    >
    > Yes, while a generic mechanism would allow it to be reused, it
    > sounds like a different draft all together. It could result in a
    > very complex change in the protocol. Furthermore, we would like to
    > support QSKE blob that is larger than 64KB in size, hence we
    > fragment it in that way.

    Actually I think it would be better NOT to change IKE_SA_INIT at all,
    but instead add new exchange between the IKE_SA_INIT and IKE_AUTH.

    I.e., let's have following exchange:

    Initiator                         Responder
       -------------------------------------------------------------------
       HDR(IKE_SA_INIT, MID=0), SAi1, KEi,
           Ni, N(IKEV2_FRAGMENTATION_SUPPORTED),
           N(PRE_AUTH_SUPPORTED)  -->

                                    <--  HDR(IKE_SA_INIT, MID=0), SAr1, KEr, Nr,
                                             N(IKEV2_FRAGMENTATION_SUPPORTED)
                                             N(PRE_AUTH_NEEDED), [CERTREQ]

       HDR(PRE_AUTH, MID=1),
           SKF(NextPld=PLD1, Frag#=1, TotalFrags=m)
           {...} -->
       HDR(PRE_AUTH, MID=1),
           SKF(NextPld=0, Frag#=2, TotalFrags=m)
           {...} -->
       ...
       HDR(PRE_AUTH, MID=1),
           SKF(NextPld=0, Frag#=m, TotalFrags=m)
           {...} -->

                                    <--  HDR(PRE_AUTH, MID=1),
                                             SKF(NextPld=PLD1, Frag#=1,
                                                 TotalFrags=m)
                                             {...}
                                    <--  HDR(PRE_AUTH, MID=1),
                                             SKF(NextPld=0, Frag#=2,
                                                 TotalFrags=m)
                                             {...}
                                    ...
                                    <--  HDR(PRE_AUTH, MID=1),
                                             SKF(NextPld=0, Frag#=m,
                                                 TotalFrags=m)
                                             {...}

       HDR(IKE_AUTH, MID=2),
           SK {IDi, [CERT,] [CERTREQ,]
               [IDr,] AUTH, SAi2,
               TSi, TSr}  -->

                                    <--  HDR(IKE_AUTH, MID=2),
                                             SK {IDr, [CERT,] AUTH,
                                                 SAr2, TSi, TSr}

    I.e., we run normal IKE_SA_INIT with message ID of 0. It negotiates
    the fragmentation (IKEV2_FRAGMENTATION_SUPPORTED), so all further
    exchanges after IKE_SA_INIT can use fragmentation.

    Then we do another exchange before the IKE_AUTH, i.e. we do PRE_AUTH
    exchange before IKE_AUTH using message id 1 (or even message ids 2, 3,
    4, etc, as many as are needed). This step does the large blob exchange
    needed for the IKE_AUTH. As these are normal fragmented IKEv2 message,
    i.e. there is request and there is reply. What goes in there is
    most likely using some new payload number to transfer the QSKE data in
    both directions.

    Note, that IKEv2 messages are limited to 4GB in size, and one payload
    inside IKEv2 message is limited to 64kB in size, so if larger than 64k
    objects need to be transmitted, it can be transmitted using exactly
    one IKEv2 message, having multiple payloads in it. On the other hand
    as fragments are not individually acknowledged, we do not want to
    transfer too big messages using it, so it might be better to allow
    multiple PRE_AUTH message exchanges before moving to the IKE_AUTH.
    This means that the PRE_AUTH exchange most likely needs to have some
    way of telling the other end when it is done, and when to move to
    IKE_AUTH.

    IKE_AUTH then would be just normal IKE_AUTH.

    The fact whether we need the PRE_AUTH exchange can be negotiated in
    the IKE_SA_INIT, either using transform types in SA payload, or using
    the notify payloads.

    Also if we split data to less than 64k chunks anyways, it might also
    be better not to use IKEv2 fragmentation, but instead just send
    several PRE_AUTH exchanges instead.

    Note, that the PRE_AUTH happening between IKE_SA_INIT and IKE_AUTH
    would be encrypted, and MACed, but it WILL NOT be authenticated, i.e.,
    we have not yet authenticated the other peer, and we will not include
    those octets to the AUTH payload calculations, so they will not be
    authenticated in AUTH phase, like the IKE_SA_INIT contents will be
    authenticated.

    I think this kind of step between IKE_SA_INIT and IKE_AUTH might be
    easiest and most generic way of transferring the QSKE data. We will be
    transferring large amount of data anyways, so trying to put it part of
    IKE_SA_INIT is not useful, and trying to play around with cookies, and
    IKE_SA_INIT modifications is just adding complexity.
    --
    kivinen@iki.fi

--B_3586262595_1289572235--
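
The buffer-exhaustion concern raised in the message above applies to any receiver that stores SKF fragments before the peer is authenticated. The following is an added example (not code from the thread or from any IKE implementation) of a reassembly table whose memory use is bounded by configuration. The class name, limits and timeout values are assumptions chosen for illustration, and the fragment bytes are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class _Pending:
    total: int
    first_seen: float
    frags: dict = field(default_factory=dict)


class BoundedReassembler:
    """Reassembles fragmented messages with hard caps on what is buffered."""

    def __init__(self, max_frags=16, max_frag_len=1280, max_pending=8, ttl=2.0):
        self.max_frags = max_frags        # largest TotalFrags accepted
        self.max_frag_len = max_frag_len  # largest single fragment, in bytes
        self.max_pending = max_pending    # incomplete messages kept at once
        self.ttl = ttl                    # seconds an incomplete message may live
        self.pending = {}

    def worst_case_bytes(self):
        return self.max_pending * self.max_frags * self.max_frag_len

    def buffered_bytes(self):
        return sum(len(d) for p in self.pending.values() for d in p.frags.values())

    def _expire(self, now):
        stale = [k for k, p in self.pending.items() if now - p.first_seen > self.ttl]
        for key in stale:
            del self.pending[key]

    def add(self, sa_id, msg_id, frag_no, total, data, now):
        """Returns (status, message); message is set only when complete."""
        self._expire(now)
        if not (1 <= frag_no <= total <= self.max_frags):
            return ("drop:bad_fragment_numbers", None)
        if len(data) > self.max_frag_len:
            return ("drop:fragment_too_long", None)
        key = (sa_id, msg_id)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                return ("drop:table_full", None)
            entry = self.pending[key] = _Pending(total, now)
        elif entry.total != total:
            # Simplification in this sketch: a changed TotalFrags is dropped.
            return ("drop:total_mismatch", None)
        entry.frags.setdefault(frag_no, data)  # duplicates are ignored
        if len(entry.frags) < entry.total:
            return ("pending", None)
        del self.pending[key]
        msg = b"".join(entry.frags[i] for i in range(1, entry.total + 1))
        return ("complete", msg)


def simulate_flood(reasm, senders=1000, m=16):
    """Constructed traffic: each sender delivers only Frag# m-1 of m, so no
    message ever completes. Returns the peak number of bytes buffered."""
    peak = 0
    for i in range(senders):
        reasm.add(f"spi-{i}", 1, m - 1, m, b"\x00" * reasm.max_frag_len, now=0.0)
        peak = max(peak, reasm.buffered_bytes())
    return peak
```

The cap keeps memory bounded, but while the table is full legitimate peers are also refused until entries expire, so the limits trade memory exhaustion for a shorter-lived denial of service.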


From nobody Tue Aug 22 09:58:58 2017
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Valery Smyslov <svanru@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "'Paul Wouters'" <paul@nohats.ca>, "ipsec@ietf.org" <ipsec@ietf.org>
CC: "'Vukasin Karadzic'" <vukasin.karadzic@gmail.com>
Thread-Topic: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
Thread-Index: AQFrzo/mLNHQ912KAIRbgs5wCt+pzQFW4fuSo1KroxCAAG3q0A==
Date: Tue, 22 Aug 2017 16:58:51 +0000
Message-ID: <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com> <001701d31a89$3cf35ca0$b6da15e0$@gmail.com>
In-Reply-To: <001701d31a89$3cf35ca0$b6da15e0$@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0CG_ODfyKJxHT6oZ4x0n0Fm1CEw>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

Valery,
It is a good idea. A new optional notification that includes the auth_data as it would be calculated without the PPK would work. With that, the corner case of 'PPK_id configured on initiator but missing on the responder' is addressed. There is an additional cost of the extra notification message for every initiator that has no-mandatory ppk configured for the responder. In the worst case scenario the responder would need to go through looking up the PPK_id and if that fails then authenticate the auth_data. Even though it is slightly more work for the responder, I don't consider that heavy processing that would introduce attack concerns.

My concern is that we might be making it too complicated by potentially introducing two separate SK_p's. From an ops perspective, if we stated the rule that when we want to go postquantum a PPK should be populated on the responder first as Graham and others suggested, then the extra complication of a new notification can be avoided. Violation of that rule would lead to IKE_AUTH failure for that initiator only.

Vukasin,
Any thoughts from an implementer's standpoint?

Panos


-----Original Message-----
From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Valery Smyslov
Sent: Monday, August 21, 2017 10:25 AM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Paul Wouters' <paul@nohats.ca>; ipsec@ietf.org
Cc: 'Vukasin Karadzic' <vukasin.karadzic@gmail.com>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

Hi Scott,

> > then it has to flip a coin on whether or not to send the PPK_SUPPORT
> > notify and if it guessed wrong, the AUTH payload on the initiator
> > will be wrong. Sending the notify commits to using a PPK because the
> > initiator uses it as input to the AUTH payload.

[...]

> > One way of solving this could be to allow PPK_SUPPORT to have some
> > notify data, which could for instance be a hash of the
> > connection/group name used by the responder.
> > Another option is to use the PPK as one of the inputs to some hash
> > algorithm as PPK_SUPPORT data, so the responder can go through its
> > list of PPKs to match it back to a connection/group. But we would
> > need to be sure that this does not open up the PPK to attacks
> > (classic and
> > quantum)
>
> That's what we did in our original proposal (actually, it was a
> function of the PPK itself).  The problems with that were:
>
> - If we made it a nondeterministic function (that is, include a
> randomizer), then the server had to do a linear scan over all their known PPKs to find the matching one.
>
> - If we made it a deterministic function, then someone listening in
> can trivially determine when we're reusing the same PPK
>
> (There's also a minor issue of "which hash function to use"; we haven't negotiated any at this time).
>
> A linear scan over possibly 10,000 PPKs was considered unacceptable.
> One of our proposals even allowed the server to specify the trade-off between the above two; that was considered too complex.
>
> I'm not thrilled with Tero's answer of "lets be careful about the
> order we upgrade things in complex networks", but I don't know how to
> better solve it without adding lots of complexity to the protocol, potential anonymity leaks or requiring significant computation on the server side.

One (relatively) simple solution would be the following.

If initiator is configured with PPK, but at the same time its policy marks using PPK as optional, then the initiator can send two authenticators - one using SK_pi' and the other using SK_pi (where SK_pi = prf(PPK, SK_pi')). The one, computed using SK_pi (where PPK is involved) is placed in AUTH payload, and the other, computed using SK_pi' (without PPK) is placed in a new optional status notification NO_PPK_AUTH.

   Initiator                       Responder
   ------------------------------------------------------------------
   HDR, SK {IDi, [CERT,] [CERTREQ,]
       [IDr,] AUTH, SAi2, TSi, TSr,
       N(PPK_IDENTITY)(PPK_id),
      [N(NO_PPK_AUTH)(auth_data)] }  --->

When responder receives this message and cannot find the corresponding PPK based on PPK_id and is configured to allow PPK-less SA, it can still authenticate initiator by using the content of NO_PPK_AUTH.
In this case the Responder replies with the IKE_AUTH response lacking PPK_IDENTITY to let the initiator know that AUTH payload is computed as per RFC7296 (using SK_pr', i.e. without using PPK).

<---   HDR, SK {IDr, [CERT,]
       AUTH, SAr2, TSi, TSr}

If the responder has the corresponding PPK, then it computes its AUTH payload using SK_pr and includes PPK_IDENTITY notification:

<---   HDR, SK {IDr, [CERT,]
       AUTH, SAr2, TSi, TSr,
       N(PPK_IDENTITY)(PPK_id)}

This solution allows peers to communicate in different settings and to enforce their own policy.
For instance, if the initiator is configured to always use PPK, it won't include NO_PPK_AUTH at all. If responder is configured to always use PPK, it will just ignore NO_PPK_AUTH and return AUTHENTICATION_FAILED in case the proper PPK is not found.

Regards,
Valery.


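
The NO_PPK_AUTH handling proposed in the quoted message above, as an added example of the responder's decision logic (not code from the thread or from draft-fluhrer-qr-ikev2). Assumptions: shared-secret authentication with the AUTH formula of RFC 7296 section 2.15, HMAC-SHA256 as the PRF, payloads modelled as a dict, and constructed sample values in `CTX`.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # pad string from RFC 7296, section 2.15


def prf(key, data):
    """Assumption: the negotiated PRF is HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth(ctx, sk_pi):
    """Initiator AUTH for shared-secret authentication (RFC 7296, 2.15):
    prf(prf(secret, pad), RealMessage1 | Nr | prf(SK_pi, IDi'))."""
    octets = ctx["msg1"] + ctx["nr"] + prf(sk_pi, ctx["idi"])
    return prf(prf(ctx["psk"], KEY_PAD), octets)


def build_request(ctx, ppk_id, ppk, ppk_optional):
    """Initiator: AUTH always uses SK_pi = prf(PPK, SK_pi')."""
    req = {
        "PPK_IDENTITY": ppk_id,
        "AUTH": psk_auth(ctx, prf(ppk, ctx["sk_pi_prime"])),
    }
    if ppk_optional:
        # Second authenticator, computed with SK_pi' (no PPK involved).
        req["NO_PPK_AUTH"] = psk_auth(ctx, ctx["sk_pi_prime"])
    return req


def responder_check(req, ctx, ppk_table, ppk_mandatory):
    """Returns "OK_PPK" (reply carries PPK_IDENTITY), "OK_NO_PPK" (reply
    omits it, AUTH computed as per RFC 7296) or "AUTHENTICATION_FAILED"."""
    ppk = ppk_table.get(req["PPK_IDENTITY"])
    if ppk is not None:
        # A PPK is configured for this id: only AUTH counts. A mismatch does
        # not fall back to NO_PPK_AUTH, otherwise a wrong PPK would pass.
        expected = psk_auth(ctx, prf(ppk, ctx["sk_pi_prime"]))
        if hmac.compare_digest(expected, req["AUTH"]):
            return "OK_PPK"
        return "AUTHENTICATION_FAILED"
    if ppk_mandatory or "NO_PPK_AUTH" not in req:
        return "AUTHENTICATION_FAILED"
    expected = psk_auth(ctx, ctx["sk_pi_prime"])
    if hmac.compare_digest(expected, req["NO_PPK_AUTH"]):
        return "OK_NO_PPK"
    return "AUTHENTICATION_FAILED"


# Constructed sample values, not taken from any real exchange.
CTX = {
    "psk": b"constructed-shared-secret",
    "sk_pi_prime": bytes(range(32)),
    "msg1": b"constructed IKE_SA_INIT request octets",
    "nr": b"\x11" * 32,
    "idi": b"\x02\x00\x00\x00initiator.example",
}
PPK_ID, PPK = b"ppk-1", b"constructed post-quantum preshared key"
```

The second authenticator only helps when both sides mark the PPK as optional; either side can still enforce mandatory use, which is the policy split the message describes.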


From nobody Tue Aug 22 13:33:17 2017
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2D8088FD-623D-4119-A3C4-6384F0D1494D"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Message-Id: <8B6D4110-1E39-4EB6-84D6-08D91FA675EB@gmail.com>
References: <150343358912.6009.11846688013894757933@ietfa.amsl.com>
To: IPsecME WG <ipsec@ietf.org>
Date: Tue, 22 Aug 2017 23:33:08 +0300
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/5qZ3FlpTdAhrySdmyUYNwFtbmzo>
Subject: [IPsec] Fwd: [I2nsf] Interface to Network Security Functions (i2nsf) WG Virtual Meeting: 2017-09-06

--Apple-Mail=_2D8088FD-623D-4119-A3C4-6384F0D1494D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

FYI.

This meeting may be of interest to IPsecME participants.

draft-abad-i2nsf-sdn-ipsec-flow-protection describes how to control
IPsec implementations using an SDN controller. This includes automatic
configuration of RFC 4301 data structures such as the SPD, PAD, and
potentially the SAD.

You are all invited

Yoav
(with co-chair of I2NSF hat on)

> Begin forwarded message:
>
> From: IESG Secretary <iesg-secretary@ietf.org>
> Subject: [I2nsf] Interface to Network Security Functions (i2nsf) WG Virtual Meeting: 2017-09-06
> Date: 22 August 2017 at 23:26:29 GMT+3
> To: "IETF-Announce" <ietf-announce@ietf.org>
> Cc: i2nsf@ietf.org
>
> The Interface to Network Security Functions (i2nsf) Working Group will hold
> a virtual interim meeting on 2017-09-06 from 16:00 to 17:30 UTC.
>
> Agenda (times in GMT):
> 16:00 - Welcome, Note Well and Agenda Bashing
> 16:10 - Uses of IPsec (Paul W)
> 16:15 - Scope of draft-abad (Gabriel/Rafa)
> 16:20 - Open discussion about scope.
> 16:50 - Against IPsec without IKE (Tero)
> 16:55 - The case for IPsec without IKE (Gabriel/Rafa)
> 17:00 - Open discussion
> 17:20 - Conclusion and next steps.
>
> Information about remote participation:
> Call-in details will be sent a week before.
>
> The purpose of this meeting is to discuss the objections to draft-abad-i2nsf-sdn-ipsec-flow-protection.
>
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf


--Apple-Mail=_2D8088FD-623D-4119-A3C4-6384F0D1494D--


From vukasin.karadzic@gmail.com  Tue Aug 22 15:49:27 2017
Return-Path: <vukasin.karadzic@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4D971326E8 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 15:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EWsWGH36OeXg for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 15:49:26 -0700 (PDT)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA5BF1329FF for <ipsec@ietf.org>; Tue, 22 Aug 2017 15:49:19 -0700 (PDT)
Received: by mail-wm0-x232.google.com with SMTP id b189so2521097wmd.0 for <ipsec@ietf.org>; Tue, 22 Aug 2017 15:49:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=epi6PXDrY2WyQ5n+MgqLkpzAnOTWSrwwc6LYt7I1OdY=; b=cxl0bflpR9BEj1GWxlexUVPHPkKOtpdPWDWLwwo9uhGYQCPOcYjgLFbjwF6QwddSVy vCGUgx5vmgqYiSDidLrmAwl6rE2soR4snxjs8zpfrvqUjM+gm6IKtsrj1iXmdswHo1gi lTviECaQvCTRrXjT1Mw6MTbcQqF/aMHZ7mLLzLqnSZbrjLmt9H2/PyagB8GxO2ZjwYlI NSuy8NdAnwpFOjUw0YrJC2sbY94VjtNDGo8GdRbprYFi72wVGUUrevdIo8tTqdHFi7Ag 1hWgdbKkV5pfRBDS0EQkKX0cEDOA/wObpoms2fFZl0eLoRok/XI7x5zYGfeJszX9l1eZ MG6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=epi6PXDrY2WyQ5n+MgqLkpzAnOTWSrwwc6LYt7I1OdY=; b=Z1QWi9QXAapkV2tjpT7y0mtzUzbMXai8bjVlNPEhl0YGwz+36gByC3ynI4CYs65IXf 6dNUs4aaCD7mKWjKkfzjOgss08aH6ioD8TlPifTd30Mf4pybxeh/aFyVb8wX4/mHOl9f HCRD1qNxJHPGrOdf+GLHH+LDv5XQJsjewQJTbWtIagcs3tg8p26QML7hS90sqYEpIbJU gAG79Vze3aNQ/Hmyq1k23ejDiPfGsXPnYlI/BRyg5uZ0kMXr4k9QCfA0EGXi+t75TWFc enLtWyUmGPv4dyJ1+tUonEIJpZCtda5Idu6D8lbdv73To6WgqtliX1iZfxCtxnllRY1i cPvg==
X-Gm-Message-State: AHYfb5gWg7ssU2bcuvs/BRm9QvlrOMNe44sD5hvYZPyuIqO0NMOp0KWM m5b5nAvyzMyfhWovD9X3b4itmA3/Zg==
X-Received: by 10.28.157.1 with SMTP id g1mr507948wme.111.1503442158312; Tue, 22 Aug 2017 15:49:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.21.81 with HTTP; Tue, 22 Aug 2017 15:49:17 -0700 (PDT)
In-Reply-To: <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com> <001701d31a89$3cf35ca0$b6da15e0$@gmail.com> <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com>
From: Vukasin Karadzic <vukasin.karadzic@gmail.com>
Date: Wed, 23 Aug 2017 00:49:17 +0200
Message-ID: <CAEQ8ZZdvRq4RJdnpZU6hXHGam2Yh0UaUVtyjwW6Vm1S0kutUpw@mail.gmail.com>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Cc: Valery Smyslov <svanru@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org" <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="001a114ba76cc962b805575f6753"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/9NXQulzY0j5F4-Q20-FG0e7KAf4>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 22:51:51 -0000

--001a114ba76cc962b805575f6753
Content-Type: text/plain; charset="UTF-8"

> Vukasin,
> Any thoughts from an implementer's standpoint?


Unfortunately no, no special thoughts. All proposed solutions seem to be
more or less simple to implement/add to an existing implementation.

In my humble opinion (I'm a GSoC student), the Valery Smyslov proposal is
very clever. But I don't know whether it is "worth the trouble"
doing that because of the one corner case we found.

I would also point out that currently libreswan aborts the negotiation if
it comes to this situation.

Regards,
Vukasin Karadzic

--001a114ba76cc962b805575f6753--


From nobody Wed Aug 23 06:34:43 2017
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18D0C132C12 for <ipsec@ietfa.amsl.com>; Wed, 23 Aug 2017 06:34:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.199
X-Spam-Level: 
X-Spam-Status: No, score=-1.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17AFUAGlA_TV for <ipsec@ietfa.amsl.com>; Wed, 23 Aug 2017 06:34:40 -0700 (PDT)
Received: from mail-lf0-x232.google.com (mail-lf0-x232.google.com [IPv6:2a00:1450:4010:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DA28132518 for <ipsec@ietf.org>; Wed, 23 Aug 2017 06:34:39 -0700 (PDT)
Received: by mail-lf0-x232.google.com with SMTP id y15so434807lfd.5 for <ipsec@ietf.org>; Wed, 23 Aug 2017 06:34:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=5M5ofUnM2In2D3zqOhQM7nu8E0q8Zogz2XlyM8hkdYk=; b=Vcfss9X7uLQGpgte9F9gSfYqnlYXZGLOtbyIwloYPTsHT9n0xMeb7jKYu+rKKX6Ws5 zuSQ49tgm898wurIL5f60f2IlyqP+nA5rxlPrtq1+G4REIV6+bEkMXa14w0roiFb4kND vvtNfZmLZ+upwECVo5W8/pOWF/9QUyrqpH5aXOrhVRoLi6dBd1S7S2M5v9os2azsFvzs 0uPoo/gUyHJ7mb57XakXWce2+QYsuDmZJIhDNj5A9ej4TqP40WZOJc1Cqkbta9CCPZo7 nB7un0R7A1VsF8sShRhAqI9rKtscvKcTIg7iBnDAFw7Y97iYX/4Eczu7kHnAzx1vIr0Y xnXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=5M5ofUnM2In2D3zqOhQM7nu8E0q8Zogz2XlyM8hkdYk=; b=Sivhtg1FBk/osNve5ohLRzoyRkdqjXrDf9bCfS9lRPns01hRktpkptN9LzaoZ0rG81 SxpncvObjQSueM3JvhjsjCWeV1E7s+aWxnNg5fp5ml8QO2dHDvcFFVYQFcKsgrMweLPf IKfH121eFEve6L/iqRoi/cfG6PGk3pzwl+3TF90V9JivvCqFkT7U8h56+/aMetQ1mqd/ BecOlvUbhR8xnHeZDeKYjprl6MZ5PLrMVlX4cowFd/gPgnllTAhp9EMckSuWPlJYlrNu dN32Toy5DKBsiGXfOJ2GgyJ5uGVwcc9wHZdVy7TjwSdRJBx0jl1ylUJeiTk4/MOrAleg r4YQ==
X-Gm-Message-State: AHYfb5jxXuNeq1Y7SlBE9MBRMV3v0Cqhlrnl0LIie6W1MXjHqDjpj6ir 02HEo+sVs4vSUf0w
X-Received: by 10.46.20.77 with SMTP id 13mr1052610lju.151.1503495277542; Wed, 23 Aug 2017 06:34:37 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id 78sm257340ljz.23.2017.08.23.06.34.35 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 23 Aug 2017 06:34:36 -0700 (PDT)
From: "Valery Smyslov" <svanru@gmail.com>
To: "'Panos Kampanakis \(pkampana\)'" <pkampana@cisco.com>, "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer@cisco.com>, "'Paul Wouters'" <paul@nohats.ca>, <ipsec@ietf.org>
Cc: "'Vukasin Karadzic'" <vukasin.karadzic@gmail.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com> <001701d31a89$3cf35ca0$b6da15e0$@gmail.com> <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com>
In-Reply-To: <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com>
Date: Wed, 23 Aug 2017 16:34:35 +0300
Message-ID: <00f701d31c14$901b2ca0$b05185e0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFrzo/mLNHQ912KAIRbgs5wCt+pzQFW4fuSAboNkmMBqLGLp6M6udRg
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AVTxMdJnnPXJf9sibi1cXa1PMiM>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2017 13:34:42 -0000

Hi Panos,

> Valery,
> It is a good idea. A new optional notification that includes the auth_data as it would be calculated without the
> PPK would work. With that, the corner case of ' PPK_id configured on initiator but missing on the responder' is
> addressed. There is an additional cost of the extra notification message for every initiator that has no-
> mandatory ppk configured for the responder. 

Yes, and there is also an extra cost for initiator of performing AUTH calculation (e.g. digital signature)
twice - one with SK_p' and the other with SK_p. The good news is that it
a) is performed by initiator only, so there is no risk of DoS attack on responder
b) is needed only if initiator is configured in "permissive" mode - when its policy allows both PPK and non-PPK
    SAs with the particular responder

> In the worst case scenario the responder would need to go
> through looking up the PPK_id and if that fails then authenticate the auth_data. Even though it is slightly
> more work for the responder, I don't consider that heavy processing that would introduce attack concerns.

Exactly.

> My concern is that we might be making it too complicated by potentially introducing two separate SK_p's.
> From an ops perspective, if we stated the rule that when we want to go postquantum a PPK should be
> populated on the responder first as Graham and others suggested, then the extra complication of a new
> notification can be avoided. Violation of that rule would lead to IKE_AUTH failure for that initiator only.

In general I think that if the protocol allows more flexible operational conditions, then it is a good thing.
If we add this feature, then it will be completely optional for both initiator and responder
(neither initiator is required to send NO_PPK_AUTH, nor responder is required to understand it).
So, if people strictly follow the transition plan, then there is not much need for this feature.
However, I suspect that in the field some folks may find these rules too restrictive under some circumstances.
So we can add a bit more flexibility in the protocol for those folks for a relatively low cost.

Regards,
Valery.

> Vukasin,
> Any thoughts from an implementer's standpoint?
> 
> Panos
> 
> 
> -----Original Message-----
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Valery Smyslov
> Sent: Monday, August 21, 2017 10:25 AM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Paul Wouters' <paul@nohats.ca>; ipsec@ietf.org
> Cc: 'Vukasin Karadzic' <vukasin.karadzic@gmail.com>
> Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
> 
> Hi Scott,
> 
> > > then it has to flip a coin on whether or not to send the PPK_SUPPORT
> > > notify and if it guessed wrong, the AUTH payload on the initiator
> > > will be wrong. Sending the notify commits to using a PPK because the
> > > initiator uses it as input to the AUTH payload.
> 
> [...]
> 
> > > One way of solving this could be to allow PPK_SUPPORT to have some
> > > notify data, which could for instance be a hash of the
> > > connection/group name used by the responder.
> > > Another option is to use the PPK as one of the inputs to some hash
> > > algorithm as PPK_SUPPORT data, so the responder can go through its
> > > list of PPKs to match it back to a connection/group. But we would
> > > need to be sure that this does not open up the PPK to attacks
> > > (classic and
> > > quantum)
> >
> > That's what we did in our original proposal (actually, it was a
> > function of the PPK itself).  The problems with that were:
> >
> > - If we made it a nondeterministic function (that is, include a
> > randomizer), then the server had to do a linear scan over all their known PPKs to find the matching one.
> >
> > - If we made it a deterministic function, then someone listening in
> > can trivially determine when we're reusing the same PPK
> >
> > (There's also a minor issue of "which hash function to use"; we haven't negotiated any at this time).
> >
> > A linear scan over possibly 10,000 PPKs was considered unacceptable.
> > One of our proposals even allowed the server to specify the trade-off between the above two; that was
> considered too complex.
> >
> > I'm not thrilled with Tero's answer of "lets be careful about the
> > order we upgrade things in complex networks", but I don't know how to
> > better solve it without adding lots of complexity to the protocol, potential anonymity leaks or requiring
> significant computation on the server side.
> 
> One (relatively) simple solution would be the following.
> 
> If initiator is configured with PPK, but at the same time its policy marks using PPK as optional, then the
> initiator can send two authenticators - one using SK_pi' and the other using SK_pi (where SK_pi = prf(PPK,
> SK_pi')). The one, computed using SK_pi (where PPK is involved) is placed in AUTH payload, and the other,
> computed using SK_pi' (without PPK) is placed in a new optional status notification NO_PPK_AUTH.
> 
>    Initiator                       Responder
>    ------------------------------------------------------------------
>    HDR, SK {IDi, [CERT,] [CERTREQ,]
>        [IDr,] AUTH, SAi2, TSi, TSr,
>        N(PPK_IDENTITY)(PPK_id),
>       [N(NO_PPK_AUTH)(auth_data)] }  --->
> 
> When responder receives this message and cannot find the corresponding PPK based on PPK_id and is
> configured to allow PPK-less SA, it can still authenticate initiator by using the content of NO_PPK_AUTH.
> In this case the Responder replies with the IKE_AUTH response lacking PPK_IDENTITY to let the initiator know
> that AUTH payload is computed as per RFC7296 (using SK_pr', i.e. without using PPK).
> 
> <---   HDR, SK {IDr, [CERT,]
>        AUTH, SAr2, TSi, TSr}
> 
> If the responder has the corresponding PPK, then it computes its AUTH payload using SK_pr and includes
> PPK_IDENTITY notification:
> 
> <---   HDR, SK {IDr, [CERT,]
>        AUTH, SAr2, TSi, TSr,
>        N(PPK_IDENTITY)(PPK_id)}
> 
> This solution allows peers to communicate in different settings and to enforce their own policy.
> For instance, if the initiator is configured to always use PPK, it won't include NO_PPK_AUTH at all. If responder
> is configured to always use PPK, it will just ignore NO_PPK_AUTH and return AUTHENTICATION_FAILED in case
> the proper PPK is not found.
> 
> Regards,
> Valery.
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
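
The IKE_AUTH handling proposed in the quoted message above (a permissive initiator sending two authenticators, and a responder falling back to NO_PPK_AUTH when the PPK_id is unknown), as an added example that is not part of the thread or of any implementation. It assumes HMAC-SHA256 as the PRF and shared-secret AUTH per RFC 7296 section 2.15; the outcome labels other than AUTHENTICATION_FAILED, the `Exchange` values and the PPK table are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated IKEv2 PRF (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class Exchange:
    """State both peers hold after IKE_SA_INIT. All values are constructed."""
    sk_pi_prime: bytes = b"\x11" * 32         # SK_pi' from the normal key derivation
    psk: bytes = b"constructed-auth-secret"   # shared secret used for AUTH
    msg1: bytes = b"<IKE_SA_INIT request octets>"
    nonce_r: bytes = b"\x22" * 32
    id_i: bytes = b"initiator@example.test"   # stands in for RestOfInitIDPayload


def auth_data(ex: Exchange, sk_pi: bytes) -> bytes:
    """Shared-secret AUTH (RFC 7296, 2.15). SK_pi enters through MACedIDForI."""
    signed_octets = ex.msg1 + ex.nonce_r + prf(sk_pi, ex.id_i)
    return prf(prf(ex.psk, b"Key Pad for IKEv2"), signed_octets)


@dataclass
class IkeAuthRequest:
    auth: bytes                    # AUTH payload, computed with SK_pi = prf(PPK, SK_pi')
    ppk_id: bytes                  # N(PPK_IDENTITY)
    no_ppk_auth: Optional[bytes]   # N(NO_PPK_AUTH), computed with SK_pi' (no PPK)


def build_request(ex: Exchange, ppk: bytes, ppk_id: bytes,
                  ppk_mandatory: bool) -> IkeAuthRequest:
    """Initiator side: only a permissive policy adds the second authenticator."""
    sk_pi = prf(ppk, ex.sk_pi_prime)
    fallback = None if ppk_mandatory else auth_data(ex, ex.sk_pi_prime)
    return IkeAuthRequest(auth_data(ex, sk_pi), ppk_id, fallback)


def respond(ex: Exchange, req: IkeAuthRequest, ppk_table: Dict[bytes, bytes],
            ppk_mandatory: bool) -> Tuple[str, bool]:
    """Responder side. Returns (outcome, reply carries PPK_IDENTITY)."""
    ppk = ppk_table.get(req.ppk_id)
    if ppk is not None:
        # PPK found: verify the AUTH payload with SK_pi and confirm PPK use.
        expected = auth_data(ex, prf(ppk, ex.sk_pi_prime))
        if hmac.compare_digest(expected, req.auth):
            return ("SA_WITH_PPK", True)
        # The thread describes fallback only for an unknown PPK_id, so a
        # mismatch on a known PPK is treated as a failure in this example.
        return ("AUTHENTICATION_FAILED", False)
    # PPK_id unknown: a PPK-only responder ignores NO_PPK_AUTH entirely.
    if ppk_mandatory or req.no_ppk_auth is None:
        return ("AUTHENTICATION_FAILED", False)
    expected = auth_data(ex, ex.sk_pi_prime)
    if hmac.compare_digest(expected, req.no_ppk_auth):
        # Reply omits PPK_IDENTITY so the initiator knows SK_pr' was used.
        return ("SA_WITHOUT_PPK", False)
    return ("AUTHENTICATION_FAILED", False)


def scenario(initiator_mandatory: bool, responder_has_ppk: bool,
             responder_mandatory: bool) -> Tuple[str, bool]:
    """Run one exchange with a constructed PPK and PPK_id."""
    ex = Exchange()
    ppk, ppk_id = b"\x33" * 32, b"ppk-2017"
    req = build_request(ex, ppk, ppk_id, initiator_mandatory)
    table = {ppk_id: ppk} if responder_has_ppk else {}
    return respond(ex, req, table, responder_mandatory)


if __name__ == "__main__":
    for init_m, has_ppk, resp_m in [(False, True, False), (False, False, False),
                                    (True, False, False), (False, False, True)]:
        print(init_m, has_ppk, resp_m, "->", scenario(init_m, has_ppk, resp_m))
```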


From nobody Wed Aug 23 11:42:30 2017
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 210D4132926 for <ipsec@ietfa.amsl.com>; Wed, 23 Aug 2017 11:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pkqHDOZ2iY_c for <ipsec@ietfa.amsl.com>; Wed, 23 Aug 2017 11:42:26 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C52AE132732 for <ipsec@ietf.org>; Wed, 23 Aug 2017 11:42:25 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xcx9p1T6BzCDW; Wed, 23 Aug 2017 20:42:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1503513742; bh=m/ann52WhwKY0GbkzPw2PBre9VnlyZVg4rt6Ocuz68U=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Sw/H9iyAL5f3F31ovV5NJTlS7rNrzROysBNExOcZwArE7u3L2Wd8b+/2NM2FGaXQH LGa+bxKrEys5tMExX6crUz2nLQHT1P7hrvK26mR+2xBrpkWGDdcBoMN+BTT/eYjPQV dh0L8D+LP1w39y+FrXncyezBieJRbaMxGirOiptU=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id rfbcL3rdICmj; Wed, 23 Aug 2017 20:42:19 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 23 Aug 2017 20:42:19 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 3D95D41B353; Wed, 23 Aug 2017 14:42:18 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 3D95D41B353
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 2066A4095D6B; Wed, 23 Aug 2017 14:42:18 -0400 (EDT)
Date: Wed, 23 Aug 2017 14:42:17 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <svanru@gmail.com>
cc: "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>,  "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, ipsec@ietf.org,  'Vukasin Karadzic' <vukasin.karadzic@gmail.com>
In-Reply-To: <00f701d31c14$901b2ca0$b05185e0$@gmail.com>
Message-ID: <alpine.LRH.2.21.1708231438550.19044@bofh.nohats.ca>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com> <001701d31a89$3cf35ca0$b6da15e0$@gmail.com> <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com> <00f701d31c14$901b2ca0$b05185e0$@gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/v7VnZ_fuUTj5Or5aR7vJnyzzPzk>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2017 18:42:29 -0000

On Wed, 23 Aug 2017, Valery Smyslov wrote:

>> It is a good idea. A new optional notification that includes the auth_data as it would be calculated without the
>> PPK would work. With that, the corner case of ' PPK_id configured on initiator but missing on the responder' is
>> addressed. There is an additional cost of the extra notification message for every initiator that has no-
>> mandatory ppk configured for the responder.
>
> Yes, and there is also an extra cost for initiator of performing AUTH calculation (e.g. digital signature)
> twice - one with SK_p' and the other with SK_p. The good news is that it
> a) is performed by initiator only, so there is no risk of DoS attack on responder
> b) is needed only if initiator is configured in "permissive" mode - when its policy allows both PPK and non-PPK
>    SAs with the particular responder
>
>> In the worst case scenario the responder would need to go
>> through looking up the PPK_id and if that fails then authenticate the auth_data. Even though it is slightly
>> more work for the responder, I don't consider that heavy processing that would introduce attack concerns.
>
> Exactly.

This is a good idea. It solves our issue when both ends are configured
to initiate and/or respond, and one end is updated and the other isn't,
yet we don't know which endpoint will become initiator or responder.

The only thing I think we should double check with some cryptographers,
is if this opens up any kind of quantum or classic attack. I don't think
it does, but it would be good to get confirmed.

> In general I think that if the protocol allows more flexible operational conditions, then it is a good thing.
> If we add this feature, then it will be completely optional for both initiator and responder
> (neither initiator is required to send NO_PPK_AUTH, nor responder is required to understand it).
> So, if people strictly follow the transition plan, then there is not much need for this feature.
> However, I suspect that in the field some folks may find these rules too restrictive under some circumstances.
> So we can add a bit more flexibility in the protocol for those folks for a relatively low cost.

Yes, one of the scenarios is the one where both endpoints are configured
to bring up the connection and you cannot predict which end will become
initiator or responder.

Paul


From nobody Sat Aug 26 13:54:43 2017
Return-Path: <ekr@rtfm.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA97C132396 for <ipsec@ietfa.amsl.com>; Sat, 26 Aug 2017 13:54:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bm8N11FaeEqs for <ipsec@ietfa.amsl.com>; Sat, 26 Aug 2017 13:54:41 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1255813235B for <ipsec@ietf.org>; Sat, 26 Aug 2017 13:54:41 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id s143so13755989ywg.0 for <ipsec@ietf.org>; Sat, 26 Aug 2017 13:54:41 -0700 (PDT)
X-Received: by 10.13.251.3 with SMTP id l3mr2199276ywf.71.1503780880076; Sat, 26 Aug 2017 13:54:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.218.130 with HTTP; Sat, 26 Aug 2017 13:53:59 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 26 Aug 2017 13:53:59 -0700
Message-ID: <CABcZeBMJsu1+L9mJ4vKWDhfYH+osSNEo6exii86uTTabAZz=BQ@mail.gmail.com>
To: IPsecME WG <ipsec@ietf.org>, draft-ietf-ipsecme-eddsa@tools.ietf.org
Content-Type: multipart/alternative; boundary="94eb2c07f0362d585c0557ae455b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0xyDUCh8xG7ijowR5y3TmnLuXl0>
Subject: [IPsec] AD Review of Document: draft-ietf-ipsecme-eddsa
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Aug 2017 20:54:43 -0000

--94eb2c07f0362d585c0557ae455b
Content-Type: text/plain; charset="UTF-8"

Document: draft-ietf-ipsecme-eddsa-00.txt

   In order to signal within IKE that no hashing needs to be done, we
   define a new value has in the SIGNATURE_HASH_ALGORITHMS notification,
   one that indicates that no hashing is performed.

s/has//


   The pre-hashed versions of Ed25519 and Ed448 (Ed25519ph and Ed448ph
   respectively) SHOULD NOT be used in IKE.


I wonder if this should be a MUST NOT, for two reasons:

1. Allowing the pre-hashed versions allows attacks based on collisions in
the hash function.
2. It means that receivers cannot safely reject pre-hashed versions without
interop problems.

It's also not clear to me how this would even work. They would just use the
OID values from some future document?

-Ekr

--94eb2c07f0362d585c0557ae455b--
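
Added example, not part of the thread or of draft-ietf-ipsecme-eddsa: a sketch of point 1 in the review above, showing why a pre-hashed signature mode inherits collisions in the pre-hash while the pure mode does not. It assumes a toy Schnorr signature with EdDSA's structure (key-prefixed nonce, challenge over R, public key and message) in a multiplicative group, and a deliberately weak 16-bit pre-hash as a stand-in for a broken hash; all names, parameters and messages are constructed for illustration and none of this is Ed25519 or secure.

```python
import hashlib

# Toy group (assumption, NOT secure, NOT Ed25519): integers mod P, base G,
# exponents reduced mod the group order N = P - 1.
P = 2**255 - 19
N = P - 1
G = 2

def h_int(*parts: bytes) -> int:
    """SHA-512 over length-prefixed parts, as an integer."""
    h = hashlib.sha512()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def weak_prehash(msg: bytes) -> bytes:
    """Constructed weak pre-hash: 16 bits of SHA-256, so collisions are cheap."""
    return hashlib.sha256(msg).digest()[:2]

def _enc(x: int) -> bytes:
    return x.to_bytes(32, "big")

def keygen(seed: bytes):
    a = h_int(b"scalar", seed) % N                    # secret scalar
    prefix = hashlib.sha512(b"prefix" + seed).digest()  # secret nonce prefix
    return (a, prefix), pow(G, a, P)

def sign(sk, pub, msg, prehash=None):
    a, prefix = sk
    m = prehash(msg) if prehash else msg   # "ph" mode signs only the digest
    r = h_int(prefix, m) % N               # deterministic, key-prefixed nonce
    R = pow(G, r, P)
    k = h_int(_enc(R), _enc(pub), m) % N   # challenge binds R, key, message
    return R, (r + k * a) % N

def verify(pub, msg, sig, prehash=None):
    R, s = sig
    m = prehash(msg) if prehash else msg
    k = h_int(_enc(R), _enc(pub), m) % N
    return pow(G, s, P) == (R * pow(pub, k, P)) % P

def find_collision(prehash):
    """Birthday search over constructed messages for two equal pre-hashes."""
    seen, i = {}, 0
    while True:
        msg = b"constructed message %d" % i
        digest = prehash(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        i += 1

def demo():
    sk, pub = keygen(b"constructed test seed")
    m1, m2 = find_collision(weak_prehash)
    sig_ph = sign(sk, pub, m1, prehash=weak_prehash)
    sig_pure = sign(sk, pub, m1)
    return {
        "ph_accepts_signed": verify(pub, m1, sig_ph, weak_prehash),
        # The signer never saw m2, yet the ph signature covers it too.
        "ph_accepts_colliding": verify(pub, m2, sig_ph, weak_prehash),
        "pure_accepts_signed": verify(pub, m1, sig_pure),
        # Pure mode hashes the message together with R and the public key.
        "pure_accepts_colliding": verify(pub, m2, sig_pure),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```
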


From nobody Wed Aug 30 08:58:38 2017
Return-Path: <linda.dunbar@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B71D13213F; Wed, 30 Aug 2017 08:58:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level: 
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dsC1yJ1fj2Fi; Wed, 30 Aug 2017 08:58:18 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE68F132025; Wed, 30 Aug 2017 08:58:17 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml702-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DUL79227; Wed, 30 Aug 2017 15:58:16 +0000 (GMT)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml702-cah.china.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.301.0; Wed, 30 Aug 2017 16:58:15 +0100
Received: from SJCEML702-CHM.china.huawei.com ([169.254.4.148]) by SJCEML701-CHM.china.huawei.com ([169.254.3.191]) with mapi id 14.03.0301.000;  Wed, 30 Aug 2017 08:58:08 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Yoav Nir <ynir.ietf@gmail.com>, IPsecME WG <ipsec@ietf.org>, "i2nsf@ietf.org" <I2nsf@ietf.org>
Thread-Topic: Conference bridge information for the (i2nsf) WG Virtual Meeting: 2017-09-06
Thread-Index: AdMhqJouaejxnypRQIuTVkSDmCkaJQ==
Date: Wed, 30 Aug 2017 15:58:07 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F65946D29B@SJCEML702-CHM.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.192.11.208]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F65946D29BSJCEML702CHMchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090201.59A6E098.0099, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.4.148, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: f8f1b66534f7a8f31f12284b09367e9b
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/w_V718p7Htjsu1ssnUdYImQ6Rxg>
Subject: [IPsec] Conference bridge information for the (i2nsf) WG Virtual Meeting: 2017-09-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2017 15:58:20 -0000

--_000_4A95BA014132FF49AE685FAB4B9F17F65946D29BSJCEML702CHMchi_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Here is the conference bridge:

Join WebEx meeting<https://ietf.webex.com/ietf/j.php?MTID=mf8aabd83c7e6e754c58e8a4d52a89019>
Meeting number (access code): 642 733 681
Host key: 121744
Meeting password:      P5B3DUCM




Join by phone
1-877-668-4493 Call-in toll free number (US/Canada)
1-650-479-3208 Call-in toll number (US/Canada)
Toll-free calling restrictions<https://www.webex.com/pdf/tollfree_restrictions.pdf>



Can't join the meeting? Contact support.<https://ietf.webex.com/ietf/mc>

IMPORTANT NOTICE: Please note that this WebEx service allows audio and
other information sent during the session to be recorded, which may be
discoverable in a legal matter. You should inform all meeting attendees
prior to recording if you intend to record the meeting.


Linda

From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Tuesday, August 22, 2017 3:33 PM
To: IPsecME WG <ipsec@ietf.org>
Subject: [IPsec] Fwd: [I2nsf] Interface to Network Security Functions (i2nsf) WG Virtual Meeting: 2017-09-06

FYI.

This meeting may be of interest to IPsecME participants.

draft-abad-i2nsf-sdn-ipsec-flow-protection describes how to control IPsec
implementations using an SDN controller. This includes automatic
configuration of RFC 4301 data structures such as the SPD, PAD, and
potentially the SAD.

You are all invited

Yoav
(with co-chair of I2NSF hat on)


Begin forwarded message:

From: IESG Secretary <iesg-secretary@ietf.org<mailto:iesg-secretary@ietf.org>>
Subject: [I2nsf] Interface to Network Security Functions (i2nsf) WG Virtual Meeting: 2017-09-06
Date: 22 August 2017 at 23:26:29 GMT+3
To: "IETF-Announce" <ietf-announce@ietf.org<mailto:ietf-announce@ietf.org>>
Cc: i2nsf@ietf.org<mailto:i2nsf@ietf.org>

The Interface to Network Security Functions (i2nsf) Working Group will hold
a virtual interim meeting on 2017-09-06 from 16:00 to 17:30 UTC.

Agenda (times in GMT):
16:00 - Welcome, Note Well and Agenda Bashing
16:10 - Uses of IPsec (Paul W)
16:15 - Scope of draft-abad (Gabriel/Rafa)
16:20 - Open discussion about scope.
16:50 - Against IPsec without IKE (Tero)
16:55 - The case for IPsec without IKE (Gabriel/Rafa)
17:00 - Open discussion
17:20 - Conclusion and next steps.

Information about remote participation:
Call-in details will be sent a week before.

The purpose of this meeting is to discuss the objections to
draft-abad-i2nsf-sdn-ipsec-flow-protection.

_______________________________________________
I2nsf mailing list
I2nsf@ietf.org<mailto:I2nsf@ietf.org>
https://www.ietf.org/mailman/listinfo/i2nsf


--_000_4A95BA014132FF49AE685FAB4B9F17F65946D29BSJCEML702CHMchi_--

