
From nobody Mon Jul  2 06:14:44 2018
Return-Path: <internet-drafts@ietf.org>
X-Original-To: ipsec@ietf.org
Delivered-To: ipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 635CA13100D; Mon,  2 Jul 2018 06:14:34 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: ipsec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.81.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <153053727436.27846.5046501773075790088@ietfa.amsl.com>
Date: Mon, 02 Jul 2018 06:14:34 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/OBKRXUaVm3sKSlwrRO2BHo4NC7Q>
Subject: [IPsec] I-D Action: draft-ietf-ipsecme-qr-ikev2-04.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2018 13:14:43 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.

        Title           : Postquantum Preshared Keys for IKEv2
        Authors         : Scott Fluhrer
                          David McGrew
                          Panos Kampanakis
                          Valery Smyslov
	Filename        : draft-ietf-ipsecme-qr-ikev2-04.txt
	Pages           : 18
	Date            : 2018-07-02

Abstract:
   The possibility of Quantum Computers poses a serious challenge to
   cryptography algorithms deployed widely today.  IKEv2 is one example
   of a cryptosystem that could be broken; someone storing VPN
   communications today could decrypt them at a later time when a
   Quantum Computer is available.  It is anticipated that IKEv2 will be
   extended to support quantum secure key exchange algorithms; however
   that is not likely to happen in the near term.  To address this
   problem before then, this document describes an extension of IKEv2 to
   allow it to be resistant to a Quantum Computer, by using preshared
   keys.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ipsecme-qr-ikev2-04
https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-qr-ikev2-04

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-qr-ikev2-04


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Jul  2 06:20:23 2018
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70852128BAC; Mon,  2 Jul 2018 06:20:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level: 
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cGbzzaxIXJ01; Mon,  2 Jul 2018 06:20:18 -0700 (PDT)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFB23127AC2; Mon,  2 Jul 2018 06:20:17 -0700 (PDT)
Received: by mail-lf0-x233.google.com with SMTP id i15-v6so12034143lfc.2; Mon, 02 Jul 2018 06:20:17 -0700 (PDT)
X-Received: by 2002:a19:cf95:: with SMTP id f143-v6mr16147735lfg.101.1530537615758;  Mon, 02 Jul 2018 06:20:15 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id n24-v6sm713527ljc.7.2018.07.02.06.20.14 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 02 Jul 2018 06:20:15 -0700 (PDT)
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: <internet-drafts@ietf.org>, <i-d-announce@ietf.org>
Cc: <ipsec@ietf.org>
References: <153053727436.27846.5046501773075790088@ietfa.amsl.com>
In-Reply-To: <153053727436.27846.5046501773075790088@ietfa.amsl.com>
Date: Mon, 2 Jul 2018 16:20:01 +0300
Message-ID: <016f01d41207$622c04b0$26840e10$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQH6u8v1z7pXUm3Rjp5vyfMgYz1ve6QulqMw
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IWh6OrQH7Tbd7RjopCgqJHtrITM>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-qr-ikev2-04.txt
X-List-Received-Date: Mon, 02 Jul 2018 13:20:21 -0000

Hi,

this version of the draft includes a clarification of using Group PPK 
based on feedback from Quynh Dang.

Regards,
Valery.

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.
> 
>         Title           : Postquantum Preshared Keys for IKEv2
>         Authors         : Scott Fluhrer
>                           David McGrew
>                           Panos Kampanakis
>                           Valery Smyslov
> 	Filename        : draft-ietf-ipsecme-qr-ikev2-04.txt
> 	Pages           : 18
> 	Date            : 2018-07-02
> 
> Abstract:
>    The possibility of Quantum Computers poses a serious challenge to
>    cryptography algorithms deployed widely today.  IKEv2 is one example
>    of a cryptosystem that could be broken; someone storing VPN
>    communications today could decrypt them at a later time when a
>    Quantum Computer is available.  It is anticipated that IKEv2 will be
>    extended to support quantum secure key exchange algorithms; however
>    that is not likely to happen in the near term.  To address this
>    problem before then, this document describes an extension of IKEv2 to
>    allow it to be resistant to a Quantum Computer, by using preshared
>    keys.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-ipsecme-qr-ikev2-04
> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-qr-ikev2-04
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-qr-ikev2-04
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec


From nobody Mon Jul  2 12:40:05 2018
Return-Path: <bew@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4D21311B1 for <ipsec@ietfa.amsl.com>; Mon,  2 Jul 2018 12:40:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YcbIhh92Ps75 for <ipsec@ietfa.amsl.com>; Mon,  2 Jul 2018 12:40:00 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 683D713113B for <ipsec@ietf.org>; Mon,  2 Jul 2018 12:39:59 -0700 (PDT)
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Jul 2018 19:39:58 +0000
Received: from XCH-RTP-004.cisco.com (xch-rtp-004.cisco.com [64.101.220.144]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id w62JdwNG013985 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <ipsec@ietf.org>; Mon, 2 Jul 2018 19:39:58 GMT
Received: from xch-rtp-001.cisco.com (64.101.220.141) by XCH-RTP-004.cisco.com (64.101.220.144) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 2 Jul 2018 15:39:57 -0400
Received: from xch-rtp-001.cisco.com ([64.101.220.141]) by XCH-RTP-001.cisco.com ([64.101.220.141]) with mapi id 15.00.1320.000; Mon, 2 Jul 2018 15:39:57 -0400
From: "Brian Weis (bew)" <bew@cisco.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Updated G-IKEv2 draft: draft-yeung-g-ikev2-14
Thread-Index: AQHUEjx1ytO53nY1fEW3KQ4QsgY1Hg==
Date: Mon, 2 Jul 2018 19:39:57 +0000
Message-ID: <89DD1E34-7E92-4A62-A9F2-0B06A9993246@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.172.225]
Content-Type: text/plain; charset="utf-8"
Content-ID: <DF2524D4DDB20B46924B0B283B8CFA32@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ZgoU-hav03RWpOy1B0i-N9Qh8LM>
Subject: [IPsec] Updated G-IKEv2 draft: draft-yeung-g-ikev2-14
X-List-Received-Date: Mon, 02 Jul 2018 19:40:04 -0000

From nobody Mon Jul  2 13:53:53 2018
Return-Path: <carrel@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A1F2130DDB for <ipsec@ietfa.amsl.com>; Mon,  2 Jul 2018 13:53:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level: 
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19clzK5ez1D6 for <ipsec@ietfa.amsl.com>; Mon,  2 Jul 2018 13:53:49 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1454130E13 for <ipsec@ietf.org>; Mon,  2 Jul 2018 13:53:48 -0700 (PDT)
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Jul 2018 20:53:47 +0000
Received: from XCH-RTP-001.cisco.com (xch-rtp-001.cisco.com [64.101.220.141]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id w62KrliY032406 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <ipsec@ietf.org>; Mon, 2 Jul 2018 20:53:47 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-001.cisco.com (64.101.220.141) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 2 Jul 2018 16:53:47 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Mon, 2 Jul 2018 16:53:46 -0400
From: "David Carrel (carrel)" <carrel@cisco.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
CC: "Brian Weis (bew)" <bew@cisco.com>
Thread-Topic: draft-carrel-ipsecme-controller-ike-00.txt
Thread-Index: AQHUEkbFnr/KKAiTWkacsK64iiWMNQ==
Date: Mon, 2 Jul 2018 20:53:46 +0000
Message-ID: <4CA644B5-5668-48BD-A2D1-5E9EE1AAF7AD@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.41.32.120]
Content-Type: multipart/alternative; boundary="_000_4CA644B5566848BDA2D15E9EE1AAF7ADciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/txNeJGo-3g698pzeBvoCW9GwEhU>
Subject: [IPsec] draft-carrel-ipsecme-controller-ike-00.txt
X-List-Received-Date: Mon, 02 Jul 2018 20:53:52 -0000

--_000_4CA644B5566848BDA2D15E9EE1AAF7ADciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Folks,

Brian and I posted the following draft this morning:

URL:        https://www.ietf.org/internet-drafts/draft-carrel-ipsecme-controller-ike-00.txt
Htmlized:   https://tools.ietf.org/html/draft-carrel-ipsecme-controller-ike-00
Htmlized:   https://datatracker.ietf.org/doc/html/draft-carrel-ipsecme-controller-ike

We would appreciate any discussion and feedback.  The motivation for this work began in very large SD-WAN network implementations where there is full-mesh, multi-path IPsec connections between 10s of thousands of nodes, and where bi-directional peer-to-peer connectivity is not always present.  In these networks, centralized controllers do actively manage all IPsec endpoints.  With this approach, we are looking to reduce session establishment time, improve scalability and preserve confidentiality of IPsec keys.  Without direct peer-to-peer key messages, synchronization becomes a key challenge and we have also provided a solution for that.

This method would be compatible with an I2NSF controller based approach.  Additionally, we have had interest from other use cases for a controller based key management scheme.  So we are proposing this as a method that can be used within multiple controller based management protocols to provide endpoint key management.

David Carrel
carrel@cisco.com

--_000_4CA644B5566848BDA2D15E9EE1AAF7ADciscocom_--


From nobody Tue Jul  3 09:04:54 2018
Return-Path: <agenda@ietf.org>
X-Original-To: ipsec@ietf.org
Delivered-To: ipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A49EF13107D; Tue,  3 Jul 2018 09:00:20 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "\"IETF Secretariat\"" <agenda@ietf.org>
To: <ipsecme-chairs@ietf.org>, <kivinen@iki.fi>
Cc: ipsec@ietf.org, ekr@rtfm.com
X-Test-IDTracker: no
X-IETF-IDTracker: 6.81.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <153063362066.4893.22913141528156827.idtracker@ietfa.amsl.com>
Date: Tue, 03 Jul 2018 09:00:20 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/G3xmnCe8sPzW7NUta2No9yYuHEg>
Subject: [IPsec] ipsecme - Requested session has been scheduled for IETF 102
X-List-Received-Date: Tue, 03 Jul 2018 16:00:31 -0000

Dear Tero Kivinen,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by
the original request. 


    ipsecme Session 1 (1:30 requested)
    Wednesday, 18 July 2018, Afternoon Session II 1520-1650
    Room Name: Saint-Paul/Sainte-Catherine size: 100
    ---------------------------------------------


iCalendar: https://datatracker.ietf.org/meeting/102/sessions/ipsecme.ics

Request Information:


---------------------------------------------------------
Working Group Name: IP Security Maintenance and Extensions
Area Name: Security Area
Session Requester: Tero Kivinen

Number of Sessions: 1
Length of Session(s):  1.5 Hours
Number of Attendees: 50
Conflicts to Avoid: 
 First Priority: sacm mile tcpinc curdle tls saag cfrg i2nsf
 Second Priority: 6tisch lwig ace
 Third Priority: uta 6lo tcpm netmod


People who must be present:
  Eric Rescorla
  Tero Kivinen
  David Waltermire

Resources Requested:

Special Requests:
  
---------------------------------------------------------


From nobody Tue Jul  3 09:12:56 2018
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 993C6130FB2 for <ipsec@ietfa.amsl.com>; Tue,  3 Jul 2018 09:12:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZWFCLCnhQGs for <ipsec@ietfa.amsl.com>; Tue,  3 Jul 2018 09:12:38 -0700 (PDT)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8480A1310F6 for <ipsec@ietf.org>; Tue,  3 Jul 2018 09:08:35 -0700 (PDT)
Received: from 172-1-110-12.lightspeed.sntcca.sbcglobal.net (HELO cas.isaracorp.com) ([172.1.110.12]) by ip2.isaracorp.com with ESMTP; 03 Jul 2018 16:08:34 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Tue, 3 Jul 2018 12:06:23 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.003; Tue, 3 Jul 2018 12:06:22 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "ipsec@ietf.org" <ipsec@ietf.org>
CC: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: IKE_AUX comments
Thread-Index: AQHUEufJG9ukeXZd00OB/ArBblFw6g==
Date: Tue, 3 Jul 2018 16:06:22 +0000
Message-ID: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.5.17.248]
Content-Type: multipart/alternative; boundary="_000_A853873BED06471994E12CC24E693AD2isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/n0QysCUXfgYUddrtWxtiEKvLqh4>
Subject: [IPsec] IKE_AUX comments
X-List-Received-Date: Tue, 03 Jul 2018 16:12:54 -0000

--_000_A853873BED06471994E12CC24E693AD2isaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_A853873BED06471994E12CC24E693AD2isaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <55C58BD8189F934197E3DD46B397E4F9@isara.com>
Content-Transfer-Encoding: base64

--_000_A853873BED06471994E12CC24E693AD2isaracom_--


From nobody Tue Jul  3 14:50:40 2018
Return-Path: <linda.dunbar@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4269130DCA; Tue,  3 Jul 2018 14:50:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZUrnQyzB5Q7f; Tue,  3 Jul 2018 14:50:37 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A8A5130DC9; Tue,  3 Jul 2018 14:50:36 -0700 (PDT)
Received: from lhreml701-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 8D800EC49EDB3; Tue,  3 Jul 2018 22:50:30 +0100 (IST)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml701-cah.china.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.382.0; Tue, 3 Jul 2018 22:50:31 +0100
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.90]) by SJCEML701-CHM.china.huawei.com ([169.254.3.186]) with mapi id 14.03.0382.000;  Tue, 3 Jul 2018 14:50:29 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: SPRING WG List <spring@ietf.org>, "ipsec@ietf.org WG" <ipsec@ietf.org>
CC: "ekr@rtfm.com" <ekr@rtfm.com>, Benjamin Kaduk <kaduk@mit.edu>
Thread-Topic: Any objection to the mitigation methods proposed by draft-dunbar-sr-sdwan-over-hybrid-networks for the security risks associated when CPEs are connected to PEs via Internet 
Thread-Index: AdQTEXXIJQFMon2dTlKZIwTRbUxNhQ==
Date: Tue, 3 Jul 2018 21:50:28 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B07D651@sjceml521-mbs.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [10.192.11.89]
Content-Type: multipart/related; boundary="_004_4A95BA014132FF49AE685FAB4B9F17F66B07D651sjceml521mbschi_"; type="multipart/alternative"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/YndaNkh18ScXWspKrSp8I8QJUoI>
Subject: [IPsec] Any objection to the mitigation methods proposed by draft-dunbar-sr-sdwan-over-hybrid-networks for the security risks associated when CPEs are connected to PEs via Internet
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 21:50:40 -0000

--_004_4A95BA014132FF49AE685FAB4B9F17F66B07D651sjceml521mbschi_
Content-Type: multipart/alternative;
 boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B07D651sjceml521mbschi_"

--_000_4A95BA014132FF49AE685FAB4B9F17F66B07D651sjceml521mbschi_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

https://datatracker.ietf.org/doc/draft-dunbar-sr-sdwan-over-hybrid-networks/ describes a scenario to steer an IPsec tunnel between two CPEs (E1<->E2) through a provider SR domain.

[cid:image003.png@01D412ED.F0E18E50]

In the figure above, C1, being a VPN PE node, is connected to CPE E1 via the public internet, and it doesn't terminate the IPsec tunnel. (We call it a "remotely attached CPE" in the description below):

This scenario might bring out the following security risks:
1) Potential DDoS attack on the PEs with ports facing the internet, i.e. the PE resources being attacked by unwanted traffic.
2) Potential risk of provider VPN network bandwidth being stolen by entities who spoofed the addresses of SD-WAN end nodes.

We would like to hear community feedback on other potential security risks and on the following proposed mitigation methods. Copying the IPsecme group and Sec ADs to get more scrutiny of the proposed method.

--------------------------------------
To mitigate security risk 1) above, it is absolutely necessary for PEs which accept remotely attached CPEs, or simply have ports facing the internet, to enable an Anti-DDoS feature to prevent major DDoS attacks on those PEs.
To mitigate security risk 2) above, RFC7510 defines the use of DTLS to authenticate and encrypt the RFC7510 encapsulation.
However, for the scenario of the SD-WAN source node being remotely attached to PEs, using the method recommended by RFC7510 means the source node has to perform DTLS on top of the IPsec encryption between SD-WAN end points E1<->E2. This can be too processing heavy for the SD-WAN end nodes. In addition, if there are many SD-WAN flows traversing the ingress PE (e.g. C1, C2, C4 in figure 1 above), heavy processing is required on the ingress PEs.
Since the payload between E2<->E2 is already encrypted, the confidentiality of the payload is already ensured. The network operators need to balance how much they can tolerate some percentage of bandwidth being stolen against how much extra cost they are willing to pay to completely prevent any unpaid traffic traversing their VPN networks. For operators who opt for lower cost ingress PEs and CPEs, but can tolerate some percentage of bandwidth being used by unpaid subscribers, a simple approach can be considered:
- Embed a key in the packets, which can be changed periodically, like the digital signature used by a certificate authority or certification authority (CA).
- The key can be encoded in the GRE Key field between the SD-WAN end node and the ingress PE. Since GRE has 24 bits, some fixed bits can be used to represent the signature of paid subscribers.

Thank you very much.
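
As an added example (not code from the draft or from this message), the admission check an ingress PE could run on the GRE Key marker proposed above. It assumes the marker occupies the upper 24 bits of the 32-bit GRE Key field (RFC 2890), is derived per rotation period as a truncated HMAC-SHA256 of a secret shared between the operator and the subscriber's CPE, and that the previous period's marker is still accepted during rotation; all names and sample values are constructed.

```python
import hmac
import hashlib
import struct

# RFC 2890 GRE header flag bits (first 16-bit word) and the version field.
GRE_FLAG_C = 0x8000          # Checksum Present
GRE_FLAG_K = 0x2000          # Key Present
GRE_FLAG_S = 0x1000          # Sequence Number Present
GRE_VERSION_MASK = 0x0007


def parse_gre(pkt: bytes):
    """Parse an RFC 2890 GRE header; return (flags, protocol_type, key, payload).

    key is None when the K flag is not set."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    off = 4
    if flags & GRE_FLAG_C:
        off += 4                               # Checksum (16 bits) + Reserved1 (16 bits)
    key = None
    if flags & GRE_FLAG_K:
        if len(pkt) < off + 4:
            raise ValueError("truncated GRE Key field")
        (key,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    if flags & GRE_FLAG_S:
        off += 4                               # Sequence Number
    if len(pkt) < off:
        raise ValueError("truncated GRE header")
    return flags, proto, key, pkt[off:]


def period_marker(secret: bytes, period: int) -> bytes:
    """24-bit subscriber marker for one rotation period (assumed derivation:
    HMAC-SHA256 of the period index under the shared secret, truncated)."""
    return hmac.new(secret, struct.pack("!Q", period), hashlib.sha256).digest()[:3]


def build_gre(key: int, proto: int, payload: bytes) -> bytes:
    """GRE header with only the K flag set, as the CPE would emit it."""
    return struct.pack("!HHI", GRE_FLAG_K, proto, key) + payload


def cpe_key_field(secret: bytes, now: int, period_seconds: int, low8: int = 0) -> int:
    """Key field as the CPE fills it: marker in the upper 24 bits, lower 8 bits
    free for other use (assumption: the "fixed bits" of the proposal are the upper 24)."""
    marker = int.from_bytes(period_marker(secret, now // period_seconds), "big")
    return (marker << 8) | (low8 & 0xFF)


class IngressPeFilter:
    """Admission check for the ingress PE: accept only GRE packets that carry the
    current or the immediately previous period's marker for this subscriber.

    The marker travels in cleartext over the public internet, so this bounds
    rather than prevents unpaid traffic; that is the cost/tolerance trade-off
    the message describes."""

    def __init__(self, secret: bytes, period_seconds: int = 3600) -> None:
        self.secret = secret
        self.period_seconds = period_seconds

    def accept(self, pkt: bytes, now: int) -> bool:
        try:
            _flags, _proto, key, _payload = parse_gre(pkt)
        except ValueError:
            return False
        if key is None:
            return False                       # no Key field: not a marked subscriber
        received = (key >> 8).to_bytes(3, "big")
        period = now // self.period_seconds
        # Accept the previous period too, so packets in flight across a rotation are not dropped.
        for p in (period, period - 1):
            if p >= 0 and hmac.compare_digest(received, period_marker(self.secret, p)):
                return True
        return False


def demo() -> dict:
    """Constructed scenario: one subscriber secret, one-hour rotation."""
    secret = b"constructed-subscriber-secret"        # constructed; provisioned out of band
    pe = IngressPeFilter(secret, period_seconds=3600)
    now = 10 * 3600 + 17
    payload = b"\x45" + b"\x00" * 19                 # stand-in for the inner IPsec-protected packet
    current = build_gre(cpe_key_field(secret, now, 3600), 0x0800, payload)
    previous = build_gre(cpe_key_field(secret, now - 3600, 3600), 0x0800, payload)
    stale = build_gre(cpe_key_field(secret, now - 2 * 3600, 3600), 0x0800, payload)
    no_key = struct.pack("!HH", 0, 0x0800) + payload  # plain GRE without a Key field
    return {
        "current": pe.accept(current, now),
        "previous": pe.accept(previous, now),
        "stale": pe.accept(stale, now),
        "no_key": pe.accept(no_key, now),
    }
```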

--_000_4A95BA014132FF49AE685FAB4B9F17F66B07D651sjceml521mbschi_--

--_004_4A95BA014132FF49AE685FAB4B9F17F66B07D651sjceml521mbschi_--


From nobody Wed Jul  4 01:59:38 2018
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA874130DC1 for <ipsec@ietfa.amsl.com>; Wed,  4 Jul 2018 01:59:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.498
X-Spam-Level: 
X-Spam-Status: No, score=-0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Nm1XSfD7nr5 for <ipsec@ietfa.amsl.com>; Wed,  4 Jul 2018 01:59:33 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EA21124C04 for <ipsec@ietf.org>; Wed,  4 Jul 2018 01:59:32 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id p6-v6so3705657ljc.5 for <ipsec@ietf.org>; Wed, 04 Jul 2018 01:59:32 -0700 (PDT)
X-Received: by 2002:a2e:9c04:: with SMTP id s4-v6mr877373lji.97.1530694770888;  Wed, 04 Jul 2018 01:59:30 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id i1-v6sm491879ljg.43.2018.07.04.01.59.29 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 04 Jul 2018 01:59:30 -0700 (PDT)
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, <ipsec@ietf.org>
Cc: "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer@cisco.com>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com>
In-Reply-To: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com>
Date: Wed, 4 Jul 2018 11:59:17 +0300
Message-ID: <038701d41375$4a5bab50$df1301f0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0388_01D4138E.6FB20B10"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEciSsDD1zqgCWGCuqENOVpeeZcmKXtq6lw
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/jy_ptjqyYehe-LWW1tyfeHEn0UI>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jul 2018 08:59:37 -0000

This is a multipart message in MIME format.

------=_NextPart_000_0388_01D4138E.6FB20B10
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Daniel,

thank you for your comments. See responses inline.

> Hi Valery, I have some comments on https://tools.ietf.org/html/draft-smyslov-ipsecme-ikev2-aux-00
>
> AUX_EXCHANGE_SUPPORTED:
>
>    This specification doesn't define any data this
>    notification may contain, so the Notification Data is left empty.
>    However, other specifications may override this.  Implementations
>    MUST ignore the non-empty Notification Data if they don't understand
>    its purpose.
>
> If there are multiple future specifications which use AUX_EXCHANGE_SUPPORTED, is it expected that multiple AUX_EXCHANGE_SUPPORTED notifications would be sent in IKE_SA_INIT?  I don’t know of any other notifications where there might be multiple copies sent in one exchange, not that this is a reason to avoid it, but it might be simpler to not introduce this possibility.  Also, if the data is simple/only a few bytes there’s a chance of ambiguity as to whether the data is defined by one specification or another.  I think it would be simpler if the notification data is just left empty (or left for IKE_AUX-specific data, see below).  Other specifications will have to define how their own features are negotiated, so any related data could be sent in the notifications for those specifications and doesn’t need to be sent in IKE_AUX.

The idea behind this text was that the IKE_AUX specification itself might be enhanced at some point in the future, so that a new negotiation would be needed. Instead of introducing new notify payloads, the content of the AUX_EXCHANGE_SUPPORTED could be used. So, it is not the specifications that use the IKE_AUX exchange (e.g. QSKE) that would use the data of AUX_EXCHANGE_SUPPORTED for their purposes; it is some future enhancement (if any) of the IKE_AUX specification itself that this text meant. It was never intended that multiple AUX_EXCHANGE_SUPPORTED are present.

I see some ambiguity here. How about the following:

   This specification doesn't define any data this
   notification may contain, so the Notification Data is left empty.
   However, future enhancements of this specification may override this.  Implementations
   MUST ignore the non-empty Notification Data if they don't understand
   its purpose.

> Authentication:
>
>    ICV_INIT_1, ICV_INIT_2, ICV_INIT_3, etc. represent the content of the
>    Integrity Checksum Data field from the Encrypted payloads (or
>    Encrypted Fragment payloads) from all the IKE_AUX messages sent by
>    the initiator in an order of increasing MessageIDs (and increasing
>    Fragment Numbers for the same Message ID).
>
> AEAD encryption transform IDs don’t use an Integrity Checksum Data field in their Encrypted payloads, so this method won’t work for authentication of IKE_AUX exchanges when AEAD is used.

Well, I agree that from a theoretical point of view AEAD algorithms might not have a separate ICV value. However, all the widely used AEAD algorithms I’m aware of (GCM, CCM, GCM-SIV etc.) compute a separate Authentication Tag, and RFC5282 uses this Tag as the ICV while describing how to construct the Encrypted Payload with AEAD algorithms.

So, in my opinion, this construction can be used with all currently defined AEAD algorithms (unless I missed something). If you think we should generalize it to be applicable to any future AEAD algorithm, including those that don’t produce a separate Authentication Tag but spread authentication information across the ciphertext, then I agree that a different construction is needed (e.g. see below).

> Additionally, Scott pointed out to me that Integrity Check Values aren’t designed to be secure against someone who knows the key (which would be the case for a Quantum-enabled attacker) and that for algorithms like GMAC the attacker would be able to find a collision.  So then your statement later:
>
>    The forgery would become evident in the
>    IKE_AUTH exchange (provided the attacker cannot break employed
>    authentication mechanism)
>
> wouldn’t hold; an attacker could find a forgery with the same ICV and the IKE_AUTH exchange would succeed.

OK, I agree that for the current definition of how IKE_AUX is authenticated this statement is not accurate.

> But regardless of that, AEAD is a good enough reason why ICVs shouldn’t be used here.  Presumably you don’t want to include the whole data for the entire set of IKE_AUX exchanges in the signed octets because that would mean persisting the data for all IKE_AUX exchanges until IKE_AUTH is processed, requiring a lot of extra buffer state and increasing the attack surface for buffer exhaustion?

Exactly.

> A second-preimage-resistant hash function is needed to use a digest of the IKE_AUX messages in the signed octets.  This algorithm could possibly be negotiated in the AUX_EXCHANGE_SUPPORTED notification data.

I’d rather avoid using an additional algorithm. I think the negotiated PRF can be used for this purpose, can’t it?

InitiatorSignedOctets = RealMessage1 | AUX_I | NonceRData | MACedIDForI
AUX_I = PRF(SK_pi, AUX_INIT_MSG_1) | PRF(SK_pi, AUX_INIT_MSG_2) | PRF(SK_pi, AUX_INIT_MSG_3) ...

ResponderSignedOctets = RealMessage2 | AUX_R | NonceIData | MACedIDForR
AUX_R = PRF(SK_pr, AUX_RESP_MSG_1) | PRF(SK_pr, AUX_RESP_MSG_2) | PRF(SK_pr, AUX_RESP_MSG_3) ...

I used SK_pi/r instead of SK_ai/r here because their size fits the preferred key length for the PRF (that is not generally the case for SK_ai/r).

So, what do you think? Is this construction secure?

Regards,
Valery.

> Thanks,
> Daniel
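
The PRF-based signed-octets construction discussed above, as an added worked example (not code from the draft or from either correspondent). It assumes PRF_HMAC_SHA2_256 as the negotiated PRF, computes MACedIDForI as in RFC 7296, and uses constructed sample octets for the messages, nonce and ID payload; it also shows why a modified IKE_AUX message is caught at IKE_AUTH.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKEv2 PRF; PRF_HMAC_SHA2_256 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


class AuxTranscript:
    """Running record of one party's IKE_AUX messages.

    Each message is folded into PRF(SK_p, message) as soon as it is sent or
    received, so only one PRF output per message (32 bytes here) is retained
    until IKE_AUTH instead of every IKE_AUX message in full."""

    def __init__(self, sk_p: bytes) -> None:
        self.sk_p = sk_p
        self._digests: dict[int, bytes] = {}

    def add(self, message_id: int, aux_msg: bytes) -> None:
        if message_id in self._digests:
            raise ValueError(f"duplicate IKE_AUX Message ID {message_id}")
        self._digests[message_id] = prf(self.sk_p, aux_msg)

    def aux(self) -> bytes:
        """AUX_I / AUX_R: the PRF outputs concatenated in increasing Message ID order."""
        return b"".join(self._digests[m] for m in sorted(self._digests))


def signed_octets(real_message: bytes, aux: bytes, peer_nonce_data: bytes,
                  sk_p: bytes, rest_of_id_payload: bytes) -> bytes:
    """Common shape of InitiatorSignedOctets and ResponderSignedOctets:
    RealMessage | AUX | peer NonceData | MACedID, where
    MACedID = prf(SK_p, RestOfIDPayload) as in RFC 7296 Section 2.15."""
    return real_message + aux + peer_nonce_data + prf(sk_p, rest_of_id_payload)


def initiator_signed_octets(real_message1: bytes, sk_pi: bytes, aux_init_msgs: dict,
                            nonce_r_data: bytes, rest_of_init_id: bytes) -> bytes:
    t = AuxTranscript(sk_pi)
    for mid, msg in aux_init_msgs.items():
        t.add(mid, msg)
    return signed_octets(real_message1, t.aux(), nonce_r_data, sk_pi, rest_of_init_id)


def responder_signed_octets(real_message2: bytes, sk_pr: bytes, aux_resp_msgs: dict,
                            nonce_i_data: bytes, rest_of_resp_id: bytes) -> bytes:
    t = AuxTranscript(sk_pr)
    for mid, msg in aux_resp_msgs.items():
        t.add(mid, msg)
    return signed_octets(real_message2, t.aux(), nonce_i_data, sk_pr, rest_of_resp_id)


# Constructed sample values, stand-ins for real IKEv2 octets.
SK_PI = hashlib.sha256(b"constructed SK_pi").digest()          # 32 bytes, fits the PRF key length
REAL_MESSAGE1 = b"\x00" * 8 + b"constructed IKE_SA_INIT request"
NONCE_R_DATA = b"constructed responder nonce"
REST_OF_INIT_ID = b"\x02\x00\x00\x00" + b"initiator@example.net"  # ID Type + RESERVED + data
AUX_INIT_MSGS = {
    1: b"constructed IKE_AUX request 1",
    2: b"constructed IKE_AUX request 2",
    3: b"constructed IKE_AUX request 3",
}


def order_independent() -> bool:
    """Messages folded in arrival order still yield AUX_I in Message ID order."""
    a, b = AuxTranscript(SK_PI), AuxTranscript(SK_PI)
    for m in (1, 2, 3):
        a.add(m, AUX_INIT_MSGS[m])
    for m in (3, 1, 2):
        b.add(m, AUX_INIT_MSGS[m])
    return a.aux() == b.aux()


def tamper_detected() -> bool:
    """The initiator signs over the IKE_AUX requests it sent; the responder rebuilds
    InitiatorSignedOctets from what it received. If an on-path party altered
    request 2 in transit (here: one bit), the two differ and the AUTH payload
    fails to verify. Unlike forging an ICV with a known key, matching
    PRF(SK_pi, msg) for an altered msg requires a second preimage of the PRF."""
    sent = initiator_signed_octets(REAL_MESSAGE1, SK_PI, AUX_INIT_MSGS,
                                   NONCE_R_DATA, REST_OF_INIT_ID)
    received = dict(AUX_INIT_MSGS)
    received[2] = received[2][:-1] + bytes([received[2][-1] ^ 0x01])
    seen = initiator_signed_octets(REAL_MESSAGE1, SK_PI, received,
                                   NONCE_R_DATA, REST_OF_INIT_ID)
    return sent != seen


def signed_octets_length() -> int:
    """Length of InitiatorSignedOctets for the three sample IKE_AUX requests."""
    return len(initiator_signed_octets(REAL_MESSAGE1, SK_PI, AUX_INIT_MSGS,
                                       NONCE_R_DATA, REST_OF_INIT_ID))
```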


------=_NextPart_000_0388_01D4138E.6FB20B10
Content-Type: text/html;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 14 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:#0563C1;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0cm;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:"Courier New";}
span.EmailStyle19
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.EmailStyle20
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#44546A;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DRU =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Hi Daniel,</span><span =
style=3D'font-size:14.0pt;color:#44546A'><o:p></o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>thank you for your comments. =
See responses inline.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><div=
 style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt'>Hi Valery, I have some comments on <a =
href=3D"https://tools.ietf.org/html/draft-smyslov-ipsecme-ikev2-aux-00">h=
ttps://tools.ietf.org/html/draft-smyslov-ipsecme-ikev2-aux-00</a><o:p></o=
:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt'>AUX_EXCHANGE_SUPPORTED:<o:p></o:p></span></p><=
pre><span lang=3DEN-CA style=3D'color:black'>&nbsp;&nbsp; This =
specification doesn't define any data =
this<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'color:black'> &nbsp;&nbsp;notification may contain, so the =
Notification Data is left empty.<o:p></o:p></span></pre><pre><span =
lang=3DEN-CA style=3D'color:black'>&nbsp;&nbsp; However, other =
specifications may override this.&nbsp; =
Implementations<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'color:black'>&nbsp;&nbsp; MUST ignore the non-empty =
Notification Data if they don't =
understand<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'color:black'>&nbsp;&nbsp; its =
purpose.<o:p></o:p></span></pre><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US style=3D'font-size:11.0pt'>If there are multiple future =
specifications which use AUX_EXCHANGE_SUPPORTED, is it expected that =
multiple AUX_EXCHANGE_SUPPORTED notifications would be sent in =
IKE_SA_INIT? &nbsp;I don=E2=80=99t know of any other notifications where =
there might be multiple copies sent in one exchange, not that this is a =
reason to avoid it, but it might be simpler to not introduce this =
possibility.&nbsp; Also, if the data is simple/only a few bytes =
there=E2=80=99s a chance of ambiguity as to whether the data is defined =
by one specification or another.&nbsp; I think it would be simpler if =
the notification data is just left empty (or left for IKE_AUX-specific =
data, see below).&nbsp; Other specifications will have to define how =
their own features are negotiated, so any related data could be sent in =
the notifications for those specifications and doesn=E2=80=99t need to =
be sent in IKE_AUX.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>The idea behind this text was =
that IKE_AUX specification itself might be<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>enhanced at some point in the =
future, so that new negotiation would be needed.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Instead of introducing new =
notify payloads, the content of the =
AUX_EXCHANGE_SUPPORTED<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US style=3D'font-size:14.0pt;color:#44546A'>could be used. So, =
it is not the specifications that use IKE_AUX exchange (e.g. =
QSKE)<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>that would use data of =
AUX_EXCHANGE_SUPPORTED for their purposes, it is some =
future<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>enhancement (if any) of the =
IKE_AUX specification itself that this text =
meant.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>It was never intended that =
multiple AUX_EXCHANGE_SUPPORTED are present.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>I see some ambiguity here. How =
about the following:<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =


From nobody Wed Jul  4 21:00:48 2018
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: IKE_AUX comments
Date: Thu, 5 Jul 2018 04:00:22 +0000
Message-ID: <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com>
In-Reply-To: <038701d41375$4a5bab50$df1301f0$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_4ce0380da4d147bb98d80dbc71315a68XCHRTP006ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/wQgF1OjZ1t5LiipV8EYc6XY75DI>
Subject: Re: [IPsec] IKE_AUX comments

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--_000_4ce0380da4d147bb98d80dbc71315a68XCHRTP006ciscocom_
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--_000_4ce0380da4d147bb98d80dbc71315a68XCHRTP006ciscocom_--


From nobody Thu Jul  5 05:44:19 2018
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer@cisco.com>, "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, <ipsec@ietf.org>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com>
In-Reply-To: <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com>
Date: Thu, 5 Jul 2018 15:43:40 +0300
Message-ID: <002201d4145d$cdd13160$69739420$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0023_01D41476.F3260A80"
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8_0A76TZr-zpul7EezNYtpPXYGE>
Subject: Re: [IPsec] IKE_AUX comments

Hi Scott,

thank you for the clarification. Please, see inline.

>>> Additionally, Scott pointed out to me that Integrity Check Values
>>> aren’t designed to be secure against someone who knows the key (which
>>> would be the case for a Quantum-enabled attacker) and that for
>>> algorithms like GMAC the attacker would be able to find a collision.
>>> So then your statement later:
>>>
>>>    The forgery would become evident in the
>>>    IKE_AUTH exchange (provided the attacker cannot break employed
>>>    authentication mechanism)
>>>
>>> wouldn’t hold; an attacker could find a forgery with the same ICV and
>>> IKE_AUTH exchange would succeed.

>> OK I agree that for the current definition of how IKE_AUX is
>> authenticated this statement is not accurate.

>>> But regardless of that, AEAD is a good enough reason why ICVs
>>> shouldn’t be used here.  Presumably you don’t want to include the
>>> whole data for the entire set of IKE_AUX exchanges in the signed
>>> octets because that would mean persisting the data for all IKE_AUX
>>> exchanges until IKE_AUTH is processed, requiring a lot of extra buffer
>>> state and increasing the attack surface for buffer exhaustion?

>> Exactly.

>>> A second-preimage-resistant hash function is needed to use a digest
>>> of the IKE_AUX messages in the signed octets.  This algorithm could
>>> possibly be negotiated in the AUX_EXCHANGE_SUPPORTED notification data.

>> I’d rather avoid using an additional algorithm. I think the negotiated
>> PRF can be used for this purpose, can’t it?
>>
>> InitiatorSignedOctets = RealMessage1 | AUX_I | NonceRData | MACedIDForI
>> AUX_I = PRF(SK_pi, AUX_INIT_MSG_1) | PRF(SK_pi, AUX_INIT_MSG_2) |
>>         PRF(SK_pi, AUX_INIT_MSG_3) ...
>>
>> ResponderSignedOctets = RealMessage2 | AUX_R | NonceIData | MACedIDForR
>> AUX_R = PRF(SK_pr, AUX_RESP_MSG_1) | PRF(SK_pr, AUX_RESP_MSG_2) |
>>         PRF(SK_pr, AUX_RESP_MSG_3) ...
>>
>> I used SK_pi/r instead of SK_ai/r here because their size fits the
>> preferred key length for PRF (that is not generally the case for
>> SK_ai/r).
>>
>> So, what do you think? Is this construction secure?

> My comment assumed that we were using IKE_AUX this way; we perform an
> initial key exchange during the IKE_INIT; this will generate keying
> material which we will use to protect the initial IKE_AUX message;
> then, we will perform a second key exchange during the IKE_AUX, which
> would be used to generate a second set of keying material; this will be
> used to protect the next IKE messages (which might be another IKE_AUX,
> or it might be the IKE_AUTH).

Yes, that’s how I think it should work.

> If we assume an adversary that can break the initial key exchange while
> the protocol is running (e.g. it’s an (EC)DH exchange, and he has a
> fairly advanced quantum computer), then he can learn the SK_pi, SK_pr
> values.
>
> The problem is that, with some PRFs, if you know the key, you can find
> a second message with the same PRF value as a given message; hence our
> MITM would be able to introduce his own key shares, and leave the PRF
> value unmodified.  From the IANA PRF registry, all the HMAC-based PRFs
> would be safe (that is, make this attack infeasible, at least in real
> time), while PRF_AES128_XCBC and PRF_AES128_CMAC are not; given a 128
> bit block within the message that the attacker can set arbitrarily, it
> is easy to find the setting to make the PRF value be whatever the
> attacker chooses (including the PRF of another message).  And, yes,
> this is a situation where MD5 is actually stronger than AES…

OK, I see the problem. My (false) premise was that PRF in general has
stronger cryptographic properties than MAC, but now I see that in a
situation when the attacker knows the key some PRFs behave badly
regarding second-preimage resistance. So, using PRF won’t really help
here (if we’re talking about an arbitrary PRF).

> What could an attacker do with this capability?  Well, depending on the
> later key exchange, an attacker may be able to insert his own key shares
> in such a way that both sides obtain the same shared secret (that the
> attacker would know); this means that the attacker would have succeeded
> in listening in (as everything used to compute InitiatorSignedOctets
> and ResponderSignedOctets is exactly the same as in the non-MITM case).
>
> There are some details that I’m omitting that may make this attack more
> difficult than I outlined; however I don’t believe we should depend on
> those details.
>
> One thing we might consider to address this is limiting the PRFs to
> those which disallow preimage attacks (even if the attacker knows the
> key); those would be HMAC-based (and KMAC-based if the WG actually
> defines such a PRF).

So, our options are:

1. Using IKE_AUX messages themselves:

InitiatorSignedOctets = RealMessage1 | AUX_INIT_MSG_1 | AUX_INIT_MSG_2 |
                        AUX_INIT_MSG_3 ... | NonceRData | MACedIDForI
ResponderSignedOctets = RealMessage2 | AUX_RESP_MSG_1 | AUX_RESP_MSG_2 |
                        AUX_RESP_MSG_3 ... | NonceIData | MACedIDForR

This approach has the disadvantage that the implementation needs to keep
all IKE_AUX messages (which might be quite large) until it receives
IKE_AUTH, which increases vulnerability to a DoS attack.

2. Using hashes of IKE_AUX messages (as Daniel proposed):

InitiatorSignedOctets = RealMessage1 | H(AUX_INIT_MSG_1) | H(AUX_INIT_MSG_2) |
                        H(AUX_INIT_MSG_3) ... | NonceRData | MACedIDForI
ResponderSignedOctets = RealMessage2 | H(AUX_RESP_MSG_1) | H(AUX_RESP_MSG_2) |
                        H(AUX_RESP_MSG_3) ... | NonceIData | MACedIDForR

where H is a collision-resistant hash function.

The problem with this approach is that it would require adding a new
crypto primitive (hash) that is not currently present in the set of
negotiated parameters. So a new negotiation mechanism would be needed (or
a new Transform Type) and a new IANA registry. And all this would
increase the IKE_SA_INIT message size.

3. Using the PRFs as outlined above, but limiting PRFs to only those
which are preimage resistant even if the key is known (as you proposed).
From the current set of PRFs registered for IKEv2 in IANA this would
leave out PRF_AES128_XCBC and PRF_AES128_CMAC, which don’t provide enough
security in the post-quantum world anyway (due to their 128 bit internal
key).

Any other options? Any thoughts?

Regards,
Valery.

>>> Thanks,
>>> Daniel


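Option 3 from the message above, worked through as an added example (not code from the thread, the draft or any IKEv2 implementation): the AUX_I binding computed with the negotiated PRF keyed by SK_pi, a PRF allow-list that rejects PRF_AES128_XCBC and PRF_AES128_CMAC, and a responder-side check showing that a swapped IKE_AUX message changes the signed octets and therefore the AUTH payload. It assumes shared-key authentication per RFC 7296 section 2.15 and uses constructed placeholder values; the function names are mine.

```python
import hashlib
import hmac

# IKEv2 PRF transform names (IANA "Transform Type 2 - PRF" registry) mapped to
# the hash each HMAC PRF is built on.  PRF_AES128_XCBC and PRF_AES128_CMAC are
# deliberately absent: with a known key they give no second-preimage
# resistance, which is exactly the property this binding depends on.
HMAC_PRFS = {
    "PRF_HMAC_SHA1": hashlib.sha1,
    "PRF_HMAC_SHA2_256": hashlib.sha256,
    "PRF_HMAC_SHA2_384": hashlib.sha384,
    "PRF_HMAC_SHA2_512": hashlib.sha512,
}
KNOWN_KEY_WEAK_PRFS = {"PRF_AES128_XCBC", "PRF_AES128_CMAC"}


def prf_allowed_for_aux_binding(prf_name):
    """Option 3 policy: accept only PRFs that stay second-preimage resistant
    when the attacker knows the key (the HMAC-based ones)."""
    return prf_name in HMAC_PRFS and prf_name not in KNOWN_KEY_WEAK_PRFS


def prf(prf_name, key, data):
    """The negotiated PRF, restricted by the policy above."""
    if not prf_allowed_for_aux_binding(prf_name):
        raise ValueError("%s must not be used to bind IKE_AUX messages" % prf_name)
    return hmac.new(key, data, HMAC_PRFS[prf_name]).digest()


def aux_binding(prf_name, sk_p, aux_msgs):
    """AUX_I (or AUX_R) as written in the thread:
    PRF(SK_p, AUX_MSG_1) | PRF(SK_p, AUX_MSG_2) | PRF(SK_p, AUX_MSG_3) ...
    Each message is compressed to one PRF output, so only the outputs, not
    the (possibly large) messages, have to be kept until IKE_AUTH."""
    return b"".join(prf(prf_name, sk_p, msg) for msg in aux_msgs)


def initiator_signed_octets(prf_name, real_message1, sk_pi, aux_init_msgs,
                            nonce_r_data, maced_id_i):
    """InitiatorSignedOctets = RealMessage1 | AUX_I | NonceRData | MACedIDForI"""
    return (real_message1 + aux_binding(prf_name, sk_pi, aux_init_msgs)
            + nonce_r_data + maced_id_i)


def responder_signed_octets(prf_name, real_message2, sk_pr, aux_resp_msgs,
                            nonce_i_data, maced_id_r):
    """ResponderSignedOctets = RealMessage2 | AUX_R | NonceIData | MACedIDForR"""
    return (real_message2 + aux_binding(prf_name, sk_pr, aux_resp_msgs)
            + nonce_i_data + maced_id_r)


def shared_key_auth(prf_name, shared_secret, signed_octets):
    """Shared-key AUTH payload of RFC 7296 section 2.15, assumed here as the
    authentication method: prf(prf(Shared Secret, "Key Pad for IKEv2"), octets)."""
    return prf(prf_name, prf(prf_name, shared_secret, b"Key Pad for IKEv2"),
               signed_octets)


def demo(prf_name="PRF_HMAC_SHA2_256"):
    """Constructed sample run.  Returns two booleans: whether the responder
    accepts AUTH over the IKE_AUX messages as sent, and whether it still
    accepts after a man in the middle swapped the second IKE_AUX message for
    its own (the attacker is assumed to know SK_pi already, as in the thread)."""
    # Every value below is a constructed placeholder, not a real IKE payload.
    shared_secret = b"constructed-shared-secret"
    sk_pi = bytes.fromhex("11" * 32)            # SK_pi derived after IKE_SA_INIT
    real_message1 = b"constructed IKE_SA_INIT request"
    nonce_r_data = bytes.fromhex("22" * 32)
    # MACedIDForI = prf(SK_pi, RestOfInitIDPayload), as in RFC 7296.
    maced_id_i = prf(prf_name, sk_pi, b"constructed IDi payload body")
    aux_sent = [b"constructed IKE_AUX 1: initiator key share",
                b"constructed IKE_AUX 2: initiator key share"]

    # Initiator computes AUTH over the IKE_AUX messages it actually sent.
    auth = shared_key_auth(prf_name, shared_secret, initiator_signed_octets(
        prf_name, real_message1, sk_pi, aux_sent, nonce_r_data, maced_id_i))

    def responder_accepts(aux_received):
        # Responder recomputes over the IKE_AUX messages it actually received.
        expected = shared_key_auth(prf_name, shared_secret, initiator_signed_octets(
            prf_name, real_message1, sk_pi, aux_received, nonce_r_data, maced_id_i))
        return hmac.compare_digest(auth, expected)

    aux_swapped = [aux_sent[0], b"constructed IKE_AUX 2: attacker key share"]
    return responder_accepts(aux_sent), responder_accepts(aux_swapped)


if __name__ == "__main__":
    print(demo())  # (True, False)
```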
lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>So, what do you think? Is this =
construction secure?</span><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#1F497D'><o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'>My comment assumed that we were =
using IKE_AUX this way; we perform an initial key exchange during the =
IKE_INIT; this will generate keying material which we will use to =
protect the initial IKE_AUX message; then, we will perform a second key =
exchange during the IKE_AUX, which would be used to generate a second =
set of keying material; this will be used to protect the next IKE =
messages (which might be another IKE_AUX, or it might be the =
IKE_AUTH)..<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Yes, that=E2=80=99s how I think =
it should work.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'>If we assume an adversary that =
can break the initial key exchange while the protocol is running (e.g. =
it=E2=80=99s an (EC)DH exchange, and he has a fairly advanced quantum =
computer), then he can learn the SK_pi, SK_pr =
values.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'>The problem is that, with some =
PRF=E2=80=99s, if you know the key, you can find a second message with =
the same PRF value as a given message; hence our MITM would be able to =
introduce his own key shares, and leave the PRF value unmodified.&nbsp; =
>From the IANA PRF registry, all the HMAC-based PRFs would be safe (that =
is, make this attack infeasible, at least in real time), while =
PRF_AES128_XCBC and PRF_AES128_CMAC are not; given a 128 bit block =
within the message that the attacker can set arbitrarily, it is easy to =
find the setting to make the PRF value be whatever the attacker chooses =
(including the PRF of another message).&nbsp; And, yes, this is a =
situation where MD5 is actually stronger than =
AES=E2=80=A6<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>OK, I see the problem. My =
(false) premise was that PRF in general has stronger cryptographic =
properties than MAC,<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US style=3D'font-size:14.0pt;color:#44546A'>but now I see that =
in situation when attacker knows key some PRFs behave badly regarding =
second-preimage resistance.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>So, using PRF won=E2=80=99t =
really help here (if we=E2=80=99re talking about arbitrary =
PRF).<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'>What could an attacker do with =
this capability?&nbsp; Well, depending on the later key exchange, an =
attacker may be able to insert his own key shares in such a way that =
both sides obtain the same shared secret (that the attacker would know); =
this means that the attacker would have succeeded in listening in (as =
everything used to compute InitiatorSignedOctets and =
ResponderSignedOctets are exactly the same as in the non-MITM =
case)<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'>There are some details that =
I=E2=80=99m omitting that may make this attack more difficult than I =
outlined; however I don=E2=80=99t believe we should depend on those =
details.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;color:#1F497D'>One thing we might consider to =
address this is limiting the PRF=E2=80=99s to those which disallow =
preimage attacks (even if the attacker knows the key); those would be =
HMAC-based (and KMAC-based if the WG actually defines such a =
PRF).<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>So, our options =
are:<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>1. Using IKE_AUX messages =
themselves:<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>InitiatorSignedOctets =3D RealMessage1 | AUX_INIT_MSG_1 | =
AUX_INIT_MSG_2 | AUX_INIT_MSG_3 ... | NonceRData | =
MACedIDForI<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>ResponderSignedOctets =3D RealMessage2 | AUX_RESP_MSG_1 | =
AUX_RESP_MSG_2 | AUX_RESP_MSG_3 ... | NonceIData | =
MACedIDForR<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>This approach has a =
disadvantage that implementation needs to keep all IKE_AUX messages =
<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>(which might be quite large) =
until it receives IKE_AUTH, that increases vulnerability to DoS =
attack.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>2. Using hashes of IKE_AUX =
messages (as Daniel proposed):<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>InitiatorSignedOctets =3D RealMessage1 | H(AUX_INIT_MSG_1) | =
H(AUX_INIT_MSG_2) | H(AUX_INIT_MSG_3) ... | NonceRData | =
MACedIDForI<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>ResponderSignedOctets =3D RealMessage2 | H(AUX_RESP_MSG_1) | =
H(AUX_RESP_MSG_2) | H(AUX_RESP_MSG_3) ... | NonceIData | =
MACedIDForR<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>where H is a =
collision-resistant hash function.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>The problem with this approach =
is that it would require to add a new crypto primitive =
(hash),<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>that is not currently present =
in a set of negotiated parameters. So a new negotiation =
mechanism<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>would be needed (or a new =
Transform Type) and a new IANA registry. And all this would =
<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>increase the IKE_SA_INIT =
messages size.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>3. Using the PRFs as outlined =
above, but limiting PRFs to only those, which are preimage =
<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>resistant even if key is known =
(as you proposed). From the current set of PRFs <o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>registered for IKEv2 in IANA =
this would leave out </span><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:"Helvetica","sans-serif"'>PRF_AES12=
8_XCBC</span><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'> and </span><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:"Helvetica","sans-serif"'>PRF_AES12=
8_CMAC</span><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>, that <o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>don=E2=80=99t provide enough =
security in post-quantum world anyway (due to their 128 bit internal =
key).<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Any other options? Any =
thoughts?<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Regards,<o:p></o:p></span></p><p=
 class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Valery.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt'>Thanks,<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt'>Daniel<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p></div></div></div>=
</div></body></html>
------=_NextPart_000_0023_01D41476.F3260A80--
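Option 3 from Valery's message above (a per-message PRF digest of the IKE_AUX messages folded into the signed octets, with PRF_AES128_XCBC and PRF_AES128_CMAC excluded), worked through as an added example; this is not code from the draft, from any participant in the thread, or from an IKEv2 implementation. It assumes PRF_HMAC_SHA2_256 as the negotiated PRF, models IKE messages, nonces and MACed IDs as constructed byte strings rather than real IKE encodings, and keys each IKE_AUX message with the SK_p[ir] value in effect at the start of that exchange, the point raised later in this thread.

```python
import hmac
from typing import Dict, List, Sequence

# IANA IKEv2 PRF transform names mapped to hashlib digest names.  The thread's point:
# only the HMAC-based PRFs keep second-preimage resistance once the key is known, so
# only these may digest IKE_AUX messages.  PRF_HMAC_MD5 and PRF_HMAC_TIGER are also
# HMAC-based but are left out of this example (MD5 is deprecated, Tiger is not in hashlib).
_AUX_PRFS: Dict[str, str] = {
    "PRF_HMAC_SHA1": "sha1",
    "PRF_HMAC_SHA2_256": "sha256",
    "PRF_HMAC_SHA2_384": "sha384",
    "PRF_HMAC_SHA2_512": "sha512",
}
# Block-cipher PRFs: with a known key, one controllable block can steer the output.
_KNOWN_KEY_WEAK_PRFS = {"PRF_AES128_XCBC", "PRF_AES128_CMAC"}


def prf_allowed_for_aux(prf_name: str) -> bool:
    """Option 3's allowlist: True only for a supported HMAC-based PRF."""
    return prf_name in _AUX_PRFS and prf_name not in _KNOWN_KEY_WEAK_PRFS


def prf_for_aux(prf_name: str):
    """Return a PRF(key, data) -> bytes callable, or raise for an excluded PRF."""
    if not prf_allowed_for_aux(prf_name):
        raise ValueError(f"{prf_name} may not be used to digest IKE_AUX messages")
    digest = _AUX_PRFS[prf_name]
    return lambda key, data: hmac.new(key, data, digest).digest()


class AuxDigest:
    """Builds AUX_I or AUX_R one IKE_AUX message at a time.

    Only the fixed-size PRF outputs are retained; the (possibly large) IKE_AUX
    messages can be discarded as soon as they are absorbed, which is the state
    and DoS argument for options 2/3 over option 1.  The key given for each message
    is the SK_p[ir] value in effect at the beginning of that IKE_AUX exchange
    (an all-zero key, as floated later in the thread, would also work here).
    """

    def __init__(self, prf_name: str) -> None:
        self._prf = prf_for_aux(prf_name)
        self._digests: List[bytes] = []

    def absorb(self, sk_p: bytes, aux_msg: bytes) -> None:
        self._digests.append(self._prf(sk_p, aux_msg))

    def value(self) -> bytes:
        return b"".join(self._digests)


def aux_digest(prf_name: str, keys: Sequence[bytes], msgs: Sequence[bytes]) -> bytes:
    """AUX_x = PRF(key_1, msg_1) | PRF(key_2, msg_2) | ... over a full IKE_AUX run."""
    if len(keys) != len(msgs):
        raise ValueError("one SK_p value per IKE_AUX message")
    acc = AuxDigest(prf_name)
    for sk_p, msg in zip(keys, msgs):
        acc.absorb(sk_p, msg)
    return acc.value()


def signed_octets(real_message: bytes, aux: bytes, peer_nonce: bytes, maced_id: bytes) -> bytes:
    """RealMessageN | AUX_x | NonceData | MACedIDForX, the construction from the thread."""
    return real_message + aux + peer_nonce + maced_id


def demo(prf_name: str = "PRF_HMAC_SHA2_256") -> Dict[str, bool]:
    """Compare the initiator's InitiatorSignedOctets with what a responder rebuilds.

    Returns whether the responder's reconstruction matches for an honest run and for
    a run in which one IKE_AUX request was altered in transit.  All values constructed.
    """
    real_message1 = b"IKE_SA_INIT request bytes (constructed)"
    nonce_r = bytes(range(32))
    maced_id_i = b"\xaa" * 32
    # SK_pi in effect at the start of IKE_AUX #1 and #2; #2 runs under keys refreshed
    # by the key exchange carried in #1.
    sk_pi = [b"\x01" * 32, b"\x02" * 32]
    sent = [b"AUX_INIT_MSG_1: key share A (constructed)",
            b"AUX_INIT_MSG_2: key share B (constructed)"]
    initiator = signed_octets(real_message1, aux_digest(prf_name, sk_pi, sent), nonce_r, maced_id_i)

    # Honest responder: it saw exactly what the initiator sent.
    honest = signed_octets(real_message1, aux_digest(prf_name, sk_pi, sent), nonce_r, maced_id_i)
    # On-path substitution of the second key share: the responder digests what it saw,
    # so its reconstruction no longer matches the octets the initiator signed.
    seen = [sent[0], b"AUX_INIT_MSG_2: substituted key share (constructed)"]
    tampered = signed_octets(real_message1, aux_digest(prf_name, sk_pi, seen), nonce_r, maced_id_i)
    return {
        "honest_match": hmac.compare_digest(initiator, honest),
        "tampered_match": hmac.compare_digest(initiator, tampered),
    }


if __name__ == "__main__":
    print(demo())  # {'honest_match': True, 'tampered_match': False}
```

Each side keeps only 32 bytes per IKE_AUX message with PRF_HMAC_SHA2_256, whatever the size of the key shares carried in that exchange.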


From nobody Thu Jul  5 06:10:03 2018
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A57D130E4A for <ipsec@ietfa.amsl.com>; Thu,  5 Jul 2018 06:10:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iI63JrjEIGyz for <ipsec@ietfa.amsl.com>; Thu,  5 Jul 2018 06:09:59 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72EF1130E29 for <ipsec@ietf.org>; Thu,  5 Jul 2018 06:09:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18738; q=dns/txt; s=iport; t=1530796199; x=1532005799; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=YYs/fOYa2OQCsydcmjJkZWkTSQMTXOr0FionsUjrFf0=; b=j26X03uuKGBszvlNiYxX/Tqug9zry5LWX+iUbDUaQyJ71hqJdT8U/t2Z CZ0v6R0TGiMRUyZ6kbYVycQeJMKiP5MpeCbSACBC77chynklmJZbrVRhX aafxw4cG4L5KiPwm0M3egdNyO28re47k96t9f1Il3EpMSV0ISXJUm5alX 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0C0AAA/GD5b/4YNJK1cGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAYJTdmJ/KAqDcIgEjDOCB4g2h2yFDoF6C4RsAheCFiE0GAE?= =?us-ascii?q?CAQECAQECbSiFNgEBAQEDIwpcAgEIEQQBASsCAgIfER0IAgQBEgiDGYEbTAM?= =?us-ascii?q?VqHGCHIcODYEugTqGOIEFgTCBVj+BD4MPglaCKweCc4JVApFnhzorCQKME4M?= =?us-ascii?q?DjV8rilmGXgIREwGBJB04gVJwFYMkgiMYjhdvj3WBGgEB?=
X-IronPort-AV: E=Sophos;i="5.51,312,1526342400";  d="scan'208,217";a="138966946"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Jul 2018 13:09:58 +0000
Received: from XCH-RTP-009.cisco.com (xch-rtp-009.cisco.com [64.101.220.149]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id w65D9wWn006949 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 5 Jul 2018 13:09:58 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-009.cisco.com (64.101.220.149) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 5 Jul 2018 09:09:57 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Thu, 5 Jul 2018 09:09:57 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: IKE_AUX comments
Thread-Index: AQHUEufJG9ukeXZd00OB/ArBblFw6qR/B9KAgADxt4CAAN9PAP//vjng
Date: Thu, 5 Jul 2018 13:09:57 +0000
Message-ID: <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com>
In-Reply-To: <002201d4145d$cdd13160$69739420$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: multipart/alternative; boundary="_000_cca9b3323ad441e59643b6ff2afb7ee1XCHRTP006ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/FUM24lxe4m5CJAbcJ_LJzxdfD8Y>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jul 2018 13:10:02 -0000

--_000_cca9b3323ad441e59643b6ff2afb7ee1XCHRTP006ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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=

--_000_cca9b3323ad441e59643b6ff2afb7ee1XCHRTP006ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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=

--_000_cca9b3323ad441e59643b6ff2afb7ee1XCHRTP006ciscocom_--


From nobody Thu Jul  5 08:21:42 2018
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5891130E84 for <ipsec@ietfa.amsl.com>; Thu,  5 Jul 2018 08:21:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kVKE_gd7E3fT for <ipsec@ietfa.amsl.com>; Thu,  5 Jul 2018 08:21:38 -0700 (PDT)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 507DA130E7A for <ipsec@ietf.org>; Thu,  5 Jul 2018 08:21:38 -0700 (PDT)
Received: from 172-1-110-12.lightspeed.sntcca.sbcglobal.net (HELO cas.isaracorp.com) ([172.1.110.12]) by ip1.isaracorp.com with ESMTP; 05 Jul 2018 15:21:37 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Thu, 5 Jul 2018 11:19:30 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.003; Thu, 5 Jul 2018 11:19:30 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, Valery Smyslov <smyslov.ietf@gmail.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: IKE_AUX comments
Thread-Index: AQHUEufJG9ukeXZd00OB/ArBblFw6qR/B9KAgADxt4CAAN9PAP//vjnggACO1oA=
Date: Thu, 5 Jul 2018 15:19:30 +0000
Message-ID: <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com>
In-Reply-To: <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.5.17.249]
Content-Type: multipart/alternative; boundary="_000_C35D70B2C47C45FF972819C22514C058isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/viZE_JZKn0iMrEakhyGMsM4bDnI>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jul 2018 15:21:41 -0000

--_000_C35D70B2C47C45FF972819C22514C058isaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit



On 2018-07-05, 3:10 PM, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com<mailto:sfluhrer@cisco.com>> wrote:


From: Valery Smyslov <smyslov.ietf@gmail.com>
Sent: Thursday, July 05, 2018 8:44 AM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Daniel Van Geest' <Daniel.VanGeest@isara.com>; ipsec@ietf.org
Subject: RE: IKE_AUX comments

Hi Scott,


So, our options are:
1. Using IKE_AUX messages themselves:

InitiatorSignedOctets = RealMessage1 | AUX_INIT_MSG_1 | AUX_INIT_MSG_2 | AUX_INIT_MSG_3 ... | NonceRData | MACedIDForI
ResponderSignedOctets = RealMessage2 | AUX_RESP_MSG_1 | AUX_RESP_MSG_2 | AUX_RESP_MSG_3 ... | NonceIData | MACedIDForR

This approach has the disadvantage that the implementation needs to keep all IKE_AUX messages
(which might be quite large) until it receives IKE_AUTH, which increases vulnerability to DoS attacks.

2. Using hashes of IKE_AUX messages (as Daniel proposed):
InitiatorSignedOctets = RealMessage1 | H(AUX_INIT_MSG_1) | H(AUX_INIT_MSG_2) | H(AUX_INIT_MSG_3) ... | NonceRData | MACedIDForI
ResponderSignedOctets = RealMessage2 | H(AUX_RESP_MSG_1) | H(AUX_RESP_MSG_2) | H(AUX_RESP_MSG_3) ... | NonceIData | MACedIDForR

where H is a collision-resistant hash function.

The problem with this approach is that it would require adding a new crypto primitive (hash)
that is not currently present in the set of negotiated parameters. So a new negotiation mechanism
would be needed (or a new Transform Type) and a new IANA registry. And all this would
increase the IKE_SA_INIT message size.

3. Using the PRFs as outlined above, but limiting PRFs to only those which are preimage
resistant even if the key is known (as you proposed). From the current set of PRFs
registered for IKEv2 in IANA this would leave out PRF_AES128_XCBC and PRF_AES128_CMAC, which
don’t provide enough security in a post-quantum world anyway (due to their 128 bit internal key).

Any other options? Any thoughts?

All three work (that is, they prevent any undetected modifications to the IKE_AUX payloads); I quite understand if (1) would be considered an undesirable option.  As for (2) and (3), they are largely the same; (3) limits the PRFs to the ones which include second-preimage-resistant hash functions.  I can see the attraction of not requiring a separate negotiation; I’m just worried about someone ignoring our ‘don’t use XCBC/CMAC’ mandate…

Also, for (3), you have to be careful to specify which SK_p[ir] to use; in our draft, the IKE_AUX message updates them; the obvious thing to do is specify that you’ll use the SK_p[ir] values that were in effect at the beginning of the IKE_AUX message in question.  Actually, for security, we don’t need a secret key; having both sides use, say, an all zero key would achieve the same security goal, however that does feel weird…

Using an all zero key does feel weird, however it could help avoid potential incompatible implementation errors.  There are two sets of SK_p[ir] available to use in the case where an IKE_AUX includes a key exchange, the values in effect at the beginning of the IKE_AUX exchange, and the updated values resulting from the IKE_AUX exchange.  Depending on the order in which implementations recalculate the SKEYSEED and SK_* keys, vs when they perform the PRF on the IKE_AUX data, the “current” SK_p[ir] values could be the old or new values and so some implementations may have to maintain both the old and new keys until the IKE_AUX digest is calculated.  All this is to say, if it doesn’t affect the security it may just be simpler and easier for compatibility to use an all zero key.


Regards,
Valery.



Thanks,
Daniel


--_000_C35D70B2C47C45FF972819C22514C058isaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <59F6FB2657F19F428E882D9EA3191F10@isara.com>
Content-Transfer-Encoding: base64

YXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJm
b250LXNpemU6MTQuMHB0O2NvbG9yOiM0NDU0NkEiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFu
IHN0eWxlPSJmb250LXNpemU6MTQuMHB0O2NvbG9yOiM0NDU0NkEiPlRoaXMgYXBwcm9hY2ggaGFz
IGEgZGlzYWR2YW50YWdlIHRoYXQgaW1wbGVtZW50YXRpb24gbmVlZHMgdG8ga2VlcCBhbGwgSUtF
X0FVWCBtZXNzYWdlcw0KPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h
bCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxNC4w
cHQ7Y29sb3I6IzQ0NTQ2QSI+KHdoaWNoIG1pZ2h0IGJlIHF1aXRlIGxhcmdlKSB1bnRpbCBpdCBy
ZWNlaXZlcyBJS0VfQVVUSCwgdGhhdCBpbmNyZWFzZXMgdnVsbmVyYWJpbGl0eSB0byBEb1MgYXR0
YWNrLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJt
YXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTQuMHB0O2NvbG9yOiM0
NDU0NkEiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi
IHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTQuMHB0
O2NvbG9yOiM0NDU0NkEiPjIuIFVzaW5nIGhhc2hlcyBvZiBJS0VfQVVYIG1lc3NhZ2VzIChhcyBE
YW5pZWwgcHJvcG9zZWQpOjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAu
MHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij5Jbml0aWF0b3JTaWduZWRP
Y3RldHMgPSBSZWFsTWVzc2FnZTEgfCBIKEFVWF9JTklUX01TR18xKSB8IEgoQVVYX0lOSVRfTVNH
XzIpIHwgSChBVVhfSU5JVF9NU0dfMykgLi4uIHwgTm9uY2VSRGF0YSB8IE1BQ2VkSURGb3JJPC9z
cGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1s
ZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1
b3Q7Q291cmllciBOZXcmcXVvdDsiPlJlc3BvbmRlclNpZ25lZE9jdGV0cyA9IFJlYWxNZXNzYWdl
MiB8IEgoQVVYX1JFU1BfTVNHXzEpIHwgSChBVVhfUkVTUF9NU0dfMikgfCBIKEFVWF9SRVNQX01T
R18zKSAuLi4gfCBOb25jZUlEYXRhIHwgTUFDZWRJREZvclI8L3NwYW4+PG86cD48L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6MzYuMHB0Ij48c3BhbiBz
dHlsZT0iZm9udC1zaXplOjE0LjBwdDtjb2xvcjojNDQ1NDZBIj4mbmJzcDs8L3NwYW4+PG86cD48
L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6MzYuMHB0
Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjE0LjBwdDtjb2xvcjojNDQ1NDZBIj53aGVyZSBIIGlz
IGEgY29sbGlzaW9uLXJlc2lzdGFudCBoYXNoIGZ1bmN0aW9uLjwvc3Bhbj48bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFu
IHN0eWxlPSJmb250LXNpemU6MTQuMHB0O2NvbG9yOiM0NDU0NkEiPiZuYnNwOzwvc3Bhbj48bzpw
PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4w
cHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTQuMHB0O2NvbG9yOiM0NDU0NkEiPlRoZSBwcm9i
bGVtIHdpdGggdGhpcyBhcHByb2FjaCBpcyB0aGF0IGl0IHdvdWxkIHJlcXVpcmUgdG8gYWRkIGEg
bmV3IGNyeXB0byBwcmltaXRpdmUgKGhhc2gpLDwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJm
b250LXNpemU6MTQuMHB0O2NvbG9yOiM0NDU0NkEiPnRoYXQgaXMgbm90IGN1cnJlbnRseSBwcmVz
ZW50IGluIGEgc2V0IG9mIG5lZ290aWF0ZWQgcGFyYW1ldGVycy4gU28gYSBuZXcgbmVnb3RpYXRp
b24gbWVjaGFuaXNtPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIg
c3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxNC4wcHQ7
Y29sb3I6IzQ0NTQ2QSI+d291bGQgYmUgbmVlZGVkIChvciBhIG5ldyBUcmFuc2Zvcm0gVHlwZSkg
YW5kIGEgbmV3IElBTkEgcmVnaXN0cnkuIEFuZCBhbGwgdGhpcyB3b3VsZA0KPC9zcGFuPjxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBw
dCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxNC4wcHQ7Y29sb3I6IzQ0NTQ2QSI+aW5jcmVhc2Ug
dGhlIElLRV9TQV9JTklUIG1lc3NhZ2VzIHNpemUuPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAg
Y2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9
ImZvbnQtc2l6ZToxNC4wcHQ7Y29sb3I6IzQ0NTQ2QSI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNw
YW4gc3R5bGU9ImZvbnQtc2l6ZToxNC4wcHQ7Y29sb3I6IzQ0NTQ2QSI+My4gVXNpbmcgdGhlIFBS
RnMgYXMgb3V0bGluZWQgYWJvdmUsIGJ1dCBsaW1pdGluZyBQUkZzIHRvIG9ubHkgdGhvc2UsIHdo
aWNoIGFyZSBwcmVpbWFnZQ0KPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05v
cm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox
NC4wcHQ7Y29sb3I6IzQ0NTQ2QSI+cmVzaXN0YW50IGV2ZW4gaWYga2V5IGlzIGtub3duIChhcyB5
b3UgcHJvcG9zZWQpLiBGcm9tIHRoZSBjdXJyZW50IHNldCBvZiBQUkZzDQo8L3NwYW4+PG86cD48
L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6MzYuMHB0
Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjE0LjBwdDtjb2xvcjojNDQ1NDZBIj5yZWdpc3RlcmVk
IGZvciBJS0V2MiBpbiBJQU5BIHRoaXMgd291bGQgbGVhdmUgb3V0DQo8L3NwYW4+PHNwYW4gc3R5
bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6SGVsdmV0aWNhIj5QUkZfQUVTMTI4X1hD
QkM8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxNC4wcHQ7Y29sb3I6IzQ0NTQ2QSI+IGFu
ZA0KPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OkhlbHZl
dGljYSI+UFJGX0FFUzEyOF9DTUFDPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTQuMHB0
O2NvbG9yOiM0NDU0NkEiPiwgdGhhdA0KPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQt
c2l6ZToxNC4wcHQ7Y29sb3I6IzQ0NTQ2QSI+ZG9u4oCZdCBwcm92aWRlIGVub3VnaCBzZWN1cml0
eSBpbiBwb3N0LXF1YW50dW0gd29ybGQgYW55d2F5IChkdWUgdG8gdGhlaXIgMTI4IGJpdCBpbnRl
cm5hbCBrZXkpLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0
eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTQuMHB0O2Nv
bG9yOiM0NDU0NkEiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29O
b3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6
MTQuMHB0O2NvbG9yOiM0NDU0NkEiPkFueSBvdGhlciBvcHRpb25zPyBBbnkgdGhvdWdodHM/PC9z
cGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1s
ZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6IzFGNDk3RCI+
Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9
Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6
IzFGNDk3RCI+QWxsIHRocmVlIHdvcmsgKHRoYXQgaXMsIHRoZXkgcHJldmVudCBhbnkgdW5kZXRl
Y3RlZCBtb2RpZmljYXRpb25zIHRvIHRoZSBJS0VfQVVYIHBheWxvYWRzKTsgSSBxdWl0ZSB1bmRl
cnN0YW5kIGlmICZuYnNwOygxKSB3b3VsZCBiZSBjb25zaWRlcmVkIGFuIHVuZGVzaXJhYmxlIG9w
dGlvbi4mbmJzcDsNCiBBcyBmb3IgKDIpIGFuZCAoMyksIHRoZXkgYXJlIGxhcmdlbHkgdGhlIHNh
bWU7ICgzKSBsaW1pdHMgdGhlIFBSRuKAmXMgdG8gdGhlIG9uZXMgd2hpY2ggaW5jbHVkZSBzZWNv
bmQtcHJlaW1hZ2UtcmVzaXN0YW50IGhhc2ggZnVuY3Rpb25zLiZuYnNwOyBJIGNhbiBzZWUgdGhl
IGF0dHJhY3Rpb24gb2Ygbm90IHJlcXVpcmluZyBhIHNlcGFyYXRlIG5lZ290aWF0aW9uOyBJ4oCZ
bSBqdXN0IHdvcnJpZWQgYWJvdXQgc29tZW9uZSBpZ25vcmluZyBvdXIg4oCYZG9u4oCZdCB1c2UN
CiBYQ0JDL0NNQUPigJkgbWFuZGF0ZeKApjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz
PSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJmb250
LXNpemU6MTEuMHB0O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4N
CjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0
eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOiMxRjQ5N0QiPkFsc28sIGZvciAoMyksIHlvdSBo
YXZlIHRvIGJlIGNhcmVmdWwgdG8gc3BlY2lmeSB3aGljaCBTS19wW2lyXSB0byB1c2U7IGluIG91
ciBkcmFmdCwgdGhlIElLRV9BVVggbWVzc2FnZSB1cGRhdGVzIHRoZW07IHRoZSBvYnZpb3VzIHRo
aW5nIHRvIGRvIGlzIHNwZWNpZnkgdGhhdCB5b3XigJlsbA0KIHVzZSB0aGUgU0tfcFtpcl0gdmFs
dWVzIHRoYXQgd2VyZSBpbiBlZmZlY3QgYXQgdGhlIGJlZ2lubmluZyBvZiB0aGUgSUtFX0FVWCBt
ZXNzYWdlIGluIHF1ZXN0aW9uLiZuYnNwOyBBY3R1YWxseSwgZm9yIHNlY3VyaXR5LCB3ZSBkb27i
gJl0IG5lZWQgYSBzZWNyZXQga2V5LCBoYXZpbmcgYm90aCBzaWRlcyB1c2UsIHNheSwgYW4gYWxs
IHplcm8ga2V5LCB3b3VsZCBhY2hpZXZlIHRoZSBzYW1lIHNlY3VyaXR5IGdvYWwsIGhvd2V2ZXIg
dGhhdCBkb2VzIGZlZWwNCiB3ZWlyZOKApjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz
PSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJmb250
LXNpemU6MTEuMHB0Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdCI+VXNpbmcgYW4gYWxsIHplcm8g
a2V5IGRvZXMgZmVlbCB3ZWlyZCwgaG93ZXZlciBpdCBjb3VsZCBoZWxwIGF2b2lkIHBvdGVudGlh
bCBpbmNvbXBhdGlibGUgaW1wbGVtZW50YXRpb24gZXJyb3JzLiZuYnNwOyBUaGVyZSBhcmUgdHdv
IHNldHMgb2YgU0tfcFtpcl0gYXZhaWxhYmxlIHRvIHVzZSBpbiB0aGUgY2FzZSB3aGVyZSBhbiBJ
S0VfQVVYIGluY2x1ZGVzIGEga2V5DQogZXhjaGFuZ2UsIHRoZSB2YWx1ZXMgaW4gZWZmZWN0IGF0
IHRoZSBiZWdpbm5pbmcgb2YgdGhlIElLRV9BVVggZXhjaGFuZ2UsIGFuZCB0aGUgdXBkYXRlZCB2
YWx1ZXMgcmVzdWx0aW5nIGZyb20gdGhlIElLRV9BVVggZXhjaGFuZ2UuJm5ic3A7IERlcGVuZGlu
ZyBvbiB0aGUgb3JkZXIgaW4gd2hpY2ggaW1wbGVtZW50YXRpb25zIHJlY2FsY3VsYXRlIHRoZSBT
S0VZU0VFRCBhbmQgU0tfKiBrZXlzLCB2cyB3aGVuIHRoZXkgcGVyZm9ybSB0aGUgUFJGIG9uIHRo
ZQ0KIElYRV9BVVggZGF0YSwgdGhlIOKAnGN1cnJlbnTigJ0gU0tfcFtpcl0gdmFsdWVzIGNvdWxk
IGJlIHRoZSBvbGQgb3IgbmV3IHZhbHVlcyBhbmQgc28gc29tZSBpbXBsZW1lbnRhdGlvbnMgbWF5
IGhhdmUgdG8gbWFpbnRhaW4gYm90aCB0aGUgb2xkIGFuZCBuZXcga2V5cyB1bnRpbCB0aGUgSUtF
X0FVWCBkaWdlc3QgaXMgY2FsY3VsYXRlZC4mbmJzcDsgQWxsIHRoaXMgaXMgdG8gc2F5LCBpZiBp
dCBkb2VzbuKAmXQgYWZmZWN0IHRoZSBzZWN1cml0eSBpdCBtYXkganVzdA0KIGJlIHNpbXBsZXIg
YW5kIGVhc2llciBmb3IgY29tcGF0aWJpbGl0eSB0byB1c2UgYW4gYWxsIHplcm8ga2V5LjxvOnA+
PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVm
dDozNi4wcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOiMxRjQ5N0QiPiZu
YnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdCI+PG86cD48L286cD48L3Nw
YW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxNC4wcHQ7Y29sb3I6IzQ0NTQ2QSI+Jm5ic3A7PC9zcGFu
PjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0
OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxNC4wcHQ7Y29sb3I6IzQ0NTQ2QSI+UmVn
YXJkcyw8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0i
bWFyZ2luLWxlZnQ6MzYuMHB0Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjE0LjBwdDtjb2xvcjoj
NDQ1NDZBIj5WYWxlcnkuPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h
bCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxNC4w
cHQ7Y29sb3I6IzQ0NTQ2QSI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQt
c2l6ZToxNC4wcHQ7Y29sb3I6IzQ0NTQ2QSI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5
bGU9ImZvbnQtc2l6ZToxMS4wcHQiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJm
b250LXNpemU6MTEuMHB0Ij5UaGFua3MsPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjM2LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQt
c2l6ZToxMS4wcHQiPkRhbmllbDwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29O
b3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDozNi4wcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6
MTEuMHB0Ij4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9k
aXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9odG1sPg0K

--_000_C35D70B2C47C45FF972819C22514C058isaracom_--


From nobody Fri Jul  6 06:22:00 2018
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer@cisco.com>, <ipsec@ietf.org>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com> <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com>
In-Reply-To: <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com>
Date: Fri, 6 Jul 2018 16:21:23 +0300
Message-ID: <012e01d4152c$3d1a11d0$b74e3570$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_012F_01D41545.626BDDB0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEciSsDD1zqgCWGCuqENOVpeeZcmAIUjD3lAYKjZjwC2ApLZAEyIKg0At8cjcylnNx+0A==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/NbJ2glQxtp9mAIV1x_M1xiPuCA8>
Subject: Re: [IPsec] IKE_AUX comments

This is a multipart message in MIME format.

------=_NextPart_000_012F_01D41545.626BDDB0
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

So, our options are:

1. Using IKE_AUX messages themselves:

InitiatorSignedOctets = RealMessage1 | AUX_INIT_MSG_1 | AUX_INIT_MSG_2 | AUX_INIT_MSG_3 ... | NonceRData | MACedIDForI

ResponderSignedOctets = RealMessage2 | AUX_RESP_MSG_1 | AUX_RESP_MSG_2 | AUX_RESP_MSG_3 ... | NonceIData | MACedIDForR

This approach has the disadvantage that the implementation needs to keep all IKE_AUX messages (which might be quite large) until it receives IKE_AUTH, which increases vulnerability to DoS attacks.

2. Using hashes of IKE_AUX messages (as Daniel proposed):

InitiatorSignedOctets = RealMessage1 | H(AUX_INIT_MSG_1) | H(AUX_INIT_MSG_2) | H(AUX_INIT_MSG_3) ... | NonceRData | MACedIDForI

ResponderSignedOctets = RealMessage2 | H(AUX_RESP_MSG_1) | H(AUX_RESP_MSG_2) | H(AUX_RESP_MSG_3) ... | NonceIData | MACedIDForR

where H is a collision-resistant hash function.

The problem with this approach is that it would require adding a new crypto primitive (hash) that is not currently present in the set of negotiated parameters. So a new negotiation mechanism would be needed (or a new Transform Type) and a new IANA registry. And all this would increase the IKE_SA_INIT message size.

3. Using the PRFs as outlined above, but limiting PRFs to only those which are preimage resistant even if the key is known (as you proposed). From the current set of PRFs registered for IKEv2 in IANA this would leave out PRF_AES128_XCBC and PRF_AES128_CMAC, which don't provide enough security in a post-quantum world anyway (due to their 128 bit internal key).

Any other options? Any thoughts?

All three work (that is, they prevent any undetected modifications to the IKE_AUX payloads); I quite understand if (1) would be considered an undesirable option. As for (2) and (3), they are largely the same; (3) limits the PRFs to the ones which include second-preimage-resistant hash functions. I can see the attraction of not requiring a separate negotiation; I'm just worried about someone ignoring our 'don't use XCBC/CMAC' mandate…

That's a valid concern. But if somebody uses XCBC/CMAC, then he/she won't get enough QC protection anyway – with or without this attack.

Also, for (3), you have to be careful to specify which SK_p[ir] to use; in our draft, the IKE_AUX message updates them; the obvious thing to do is specify that you'll use the SK_p[ir] values that were in effect at the beginning of the IKE_AUX message in question. Actually, for security, we don't need a secret key; having both sides use, say, an all zero key would achieve the same security goal, however that does feel weird…

Using an all zero key does feel weird, however it could help avoid potential incompatible implementation errors. There are two sets of SK_p[ir] available to use in the case where an IKE_AUX includes a key exchange: the values in effect at the beginning of the IKE_AUX exchange, and the updated values resulting from the IKE_AUX exchange. Depending on the order in which implementations recalculate the SKEYSEED and SK_* keys, vs. when they perform the PRF on the IKE_AUX data, the "current" SK_p[ir] values could be the old or new values, and so some implementations may have to maintain both the old and new keys until the IKE_AUX digest is calculated. All this is to say, if it doesn't affect the security it may just be simpler and easier for compatibility to use an all zero key.

PRF(SK_p*, AUX_*_MSG) aren't sent on the wire and are calculated only in IKE_AUTH. It is possible to use SK_pi/r from the latest recalculation (when the final SKEYSEED is available) for authentication of all previous IKE_AUX messages. So there is no such problem. However, if security doesn't depend on the key here, it's probably easier to use an all-zero key.

Note that SK_ei/r and SK_ai/r are recalculated after each IKE_AUX exchange (more precisely – after each new key exchange performed in IKE_AUX).

Regards,

Valery.
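The three SignedOctets constructions and the SK_p[ir] snapshot question discussed in this thread, as an added Python example (not code from the thread, the draft, or any IKEv2 implementation); it assumes HMAC-SHA-256 stands in for the negotiated PRF, and every message, nonce and key is a constructed sample.

```python
"""Added example, not code from the thread or the draft: the three ways of binding
IKE_AUX messages into the IKE_AUTH SignedOctets discussed above, and the SK_p[ir]
key-snapshot question that option (3) raises. HMAC-SHA-256 stands in for the
negotiated IKEv2 PRF; every message, nonce and key below is a constructed sample."""
import hashlib
import hmac

# IKEv2 PRFs registered with IANA. Only the HMAC family stays preimage resistant
# once the key is known, so option (3) must exclude the two AES based PRFs.
HASH_BASED_PRFS = {"PRF_HMAC_MD5", "PRF_HMAC_SHA1", "PRF_HMAC_SHA2_256",
                   "PRF_HMAC_SHA2_384", "PRF_HMAC_SHA2_512"}
EXCLUDED_PRFS = {"PRF_AES128_XCBC", "PRF_AES128_CMAC"}
ZERO_KEY = bytes(32)          # the "all zero key" suggested in the thread


def prf_allowed_for_aux_auth(prf_name):
    """Option (3) policy check: only hash based PRFs may authenticate IKE_AUX."""
    return prf_name in HASH_BASED_PRFS and prf_name not in EXCLUDED_PRFS


def prf(key, data):
    """Stand-in for the negotiated PRF (here PRF_HMAC_SHA2_256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(option, real_message, aux_msgs, nonce, maced_id, sk_p=ZERO_KEY):
    """Build the *SignedOctets value for IKE_AUTH under option 1, 2 or 3.
    real_message: this side's IKE_SA_INIT message; aux_msgs: all IKE_AUX messages
    this side sent, in order; nonce: the peer's nonce; maced_id: MACedIDFor[IR]."""
    if option == 1:
        bound = list(aux_msgs)                                   # raw messages
    elif option == 2:
        bound = [hashlib.sha256(m).digest() for m in aux_msgs]   # H(AUX_MSG)
    elif option == 3:
        bound = [prf(sk_p, m) for m in aux_msgs]                 # PRF(SK_p, AUX_MSG)
    else:
        raise ValueError("option must be 1, 2 or 3")
    return b"".join([real_message, *bound, nonce, maced_id])


def retained_state_bytes(option, aux_msgs):
    """Bytes a peer must hold until IKE_AUTH arrives: the raw messages for option
    (1) (the DoS concern), one fixed-size digest per message for (2) and (3)."""
    if option == 1:
        return sum(len(m) for m in aux_msgs)
    return 32 * len(aux_msgs)


def peers_agree(option, real_message, aux_msgs, nonce, maced_id, key_a, key_b):
    """Two implementations that snapshot SK_p at different moments (before or after
    the IKE_AUX key exchange updated it) interoperate only if their octets match."""
    a = signed_octets(option, real_message, aux_msgs, nonce, maced_id, key_a)
    b = signed_octets(option, real_message, aux_msgs, nonce, maced_id, key_b)
    return hmac.compare_digest(a, b)


# Constructed sample exchange (not real IKE packets).
REAL_MESSAGE_1 = b"IKE_SA_INIT request (constructed)"
AUX_INIT_MSGS = [b"IKE_AUX #1: KE payload " + b"\x01" * 1200,
                 b"IKE_AUX #2: KE payload " + b"\x02" * 1200,
                 b"IKE_AUX #3: KE payload " + b"\x03" * 1200]
NONCE_R = b"\xaa" * 32
MACED_ID_I = b"\xbb" * 32
SK_P_BEFORE_AUX = b"\x11" * 32   # SK_pi in effect when IKE_AUX #1 was sent
SK_P_AFTER_AUX = b"\x22" * 32    # SK_pi after the IKE_AUX key exchange updated it


def tampering_detected(option):
    """Changing one byte of an IKE_AUX message changes the SignedOctets under every
    option, so an AUTH payload computed over the original no longer verifies."""
    good = signed_octets(option, REAL_MESSAGE_1, AUX_INIT_MSGS, NONCE_R, MACED_ID_I)
    tampered = list(AUX_INIT_MSGS)
    tampered[1] = tampered[1][:-1] + b"\xff"
    bad = signed_octets(option, REAL_MESSAGE_1, tampered, NONCE_R, MACED_ID_I)
    return not hmac.compare_digest(good, bad)


if __name__ == "__main__":
    for opt in (1, 2, 3):
        print(f"option {opt}: retain {retained_state_bytes(opt, AUX_INIT_MSGS)} bytes,"
              f" tamper detected: {tampering_detected(opt)}")
    # Option (3) with a secret SK_p: peers that picked different snapshots disagree.
    print("different SK_p snapshots agree:",
          peers_agree(3, REAL_MESSAGE_1, AUX_INIT_MSGS, NONCE_R, MACED_ID_I,
                      SK_P_BEFORE_AUX, SK_P_AFTER_AUX))
    # With the all-zero key there is nothing to snapshot, so they always agree.
    print("all-zero key agrees:",
          peers_agree(3, REAL_MESSAGE_1, AUX_INIT_MSGS, NONCE_R, MACED_ID_I,
                      ZERO_KEY, ZERO_KEY))
```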


------=_NextPart_000_012F_01D41545.626BDDB0
Content-Type: text/html;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 14 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Helvetica;
	panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
	{font-family:Helvetica;
	panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:#0563C1;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0cm;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{mso-style-priority:34;
	margin-top:0cm;
	margin-right:0cm;
	margin-bottom:0cm;
	margin-left:36.0pt;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Calibri","sans-serif";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0cm;
	mso-margin-bottom-alt:auto;
	margin-left:0cm;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.EmailStyle22
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#44546A;}
span.EmailStyle23
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.EmailStyle24
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#44546A;}
span.EmailStyle25
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.EmailStyle26
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.EmailStyle27
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#44546A;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DRU =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>So, our options =
are:</span><span lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>1. Using IKE_AUX messages =
themselves:</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>InitiatorSignedOctets =3D RealMessage1 | AUX_INIT_MSG_1 | =
AUX_INIT_MSG_2 | AUX_INIT_MSG_3 ... | NonceRData | =
MACedIDForI</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>ResponderSignedOctets =3D RealMessage2 | AUX_RESP_MSG_1 | =
AUX_RESP_MSG_2 | AUX_RESP_MSG_3 ... | NonceIData | =
MACedIDForR</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>This approach has a =
disadvantage that implementation needs to keep all IKE_AUX messages =
</span><span lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>(which might be quite large) =
until it receives IKE_AUTH, that increases vulnerability to DoS =
attack.</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>2. Using hashes of IKE_AUX =
messages (as Daniel proposed):</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>InitiatorSignedOctets =3D RealMessage1 | H(AUX_INIT_MSG_1) | =
H(AUX_INIT_MSG_2) | H(AUX_INIT_MSG_3) ... | NonceRData | =
MACedIDForI</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>ResponderSignedOctets =3D RealMessage2 | H(AUX_RESP_MSG_1) | =
H(AUX_RESP_MSG_2) | H(AUX_RESP_MSG_3) ... | NonceIData | =
MACedIDForR</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>where H is a =
collision-resistant hash function.</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>The problem with this approach =
is that it would require to add a new crypto primitive =
(hash),</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>that is not currently present =
in a set of negotiated parameters. So a new negotiation =
mechanism</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>would be needed (or a new =
Transform Type) and a new IANA registry. And all this would </span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>increase the IKE_SA_INIT =
messages size.</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>3. Using the PRFs as outlined =
above, but limiting PRFs to only those, which are preimage </span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>resistant even if key is known =
(as you proposed). From the current set of PRFs </span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>registered for IKEv2 in IANA =
this would leave out </span><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Helvetica","sans-serif"'>PRF_AES12=
8_XCBC</span><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'> and </span><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Helvetica","sans-serif"'>PRF_AES12=
8_CMAC</span><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>, that </span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>don=E2=80=99t provide enough =
security in post-quantum world anyway (due to their 128 bit internal =
key).</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>Any other options? Any =
thoughts?</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#1F497D'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#1F497D'>All three work (that is, they =
prevent any undetected modifications to the IKE_AUX payloads); I quite =
understand if &nbsp;(1) would be considered an undesirable option.&nbsp; =
As for (2) and (3), they are largely the same; (3) limits the =
PRF=E2=80=99s to the ones which include second-preimage-resistant hash =
functions.&nbsp; I can see the attraction of not requiring a separate =
negotiation; I=E2=80=99m just worried about someone ignoring our =
=E2=80=98don=E2=80=99t use XCBC/CMAC=E2=80=99 =
mandate=E2=80=A6</span><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>That=E2=80=99s a valid concern. =
But if somebody uses </span><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#1F497D'>XCBC/CMAC</span><span =
lang=3DEN-CA style=3D'font-size:14.0pt;color:#44546A'>, then he/she =
won=E2=80=99t get enough QC protection anyway =E2=80=93 =
<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>with or without this attack. =
<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#1F497D'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#1F497D'>Also, for (3), you have to be =
careful to specify which SK_p[ir] to use; in our draft, the IKE_AUX =
message updates them; the obvious thing to do is specify that =
you=E2=80=99ll use the SK_p[ir] values that were in effect at the =
beginning of the IKE_AUX message in question.&nbsp; Actually, for =
security, we don=E2=80=99t need a secret key, having both sides use, =
say, an all zero key, would achieve the same security goal, however that =
does feel weird=E2=80=A6</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA style=3D'font-size:11.0pt'>Using an =
all zero key does feel weird, however it could help avoid potential =
incompatible implementation errors.&nbsp; There are two sets of SK_p[ir] =
available to use in the case where an IKE_AUX includes a key exchange, =
the values in effect at the beginning of the IKE_AUX exchange, and the =
updated values resulting from the IKE_AUX exchange.&nbsp; Depending on =
the order in which implementations recalculate the SKEYSEED and SK_* =
keys, vs when they perform the PRF on the IKE_AUX data, the =
=E2=80=9Ccurrent=E2=80=9D SK_p[ir] values could be the old or new values =
and so some implementations may have to maintain both the old and new =
keys until the IKE_AUX digest is calculated.&nbsp; All this is to say, =
if it doesn=E2=80=99t affect the security it may just be simpler and =
easier for compatibility to use an all zero key.<o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:60.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>PRF(SK_p*, AUX_*_MSG) =
aren=E2=80=99t sent on the wire and are calculated only in =
IKE_AUTH.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>It is possible to use SK_pi/r =
from the latest recalculation (when final SKEYSEED is =
available)<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>for authentication of all =
previous IKE_AUX messages. So there is no such a problem. However, =
<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>if security doesn=E2=80=99t =
depend on the key here, it=E2=80=99s probably easier to use all-zero =
key.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>Note, that SK_ei/r and SK_ai/r =
are recalculated after each IKE_AUX exchange <o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>(more precisely =E2=80=93 after =
each new key exchange performed in IKE_AUX). <o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>Regards,<o:p></o:p></span></p><p=
 class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>Valery.<o:p></o:p></span></p></d=
iv></body></html>
------=_NextPart_000_012F_01D41545.626BDDB0--


From nobody Fri Jul  6 06:52:27 2018
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 303B3130EEE for <ipsec@ietfa.amsl.com>; Fri,  6 Jul 2018 06:52:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level: 
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4EzZyc3y56qD for <ipsec@ietfa.amsl.com>; Fri,  6 Jul 2018 06:52:22 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFD74130E55 for <ipsec@ietf.org>; Fri,  6 Jul 2018 06:52:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15180; q=dns/txt; s=iport; t=1530885142; x=1532094742; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=CCJ107NsdEmwb9hJH/TIXYGClOu9XWmxtlDZYA9dqA0=; b=Kv7IM6E1C9y1+scFHee+mldsZPjPP+bO/qCN2TWuho+LdV7wo/A18wzM DacX0+ltvk+msBbcuQy5wOvPJASYxovJstrTCeCW/AeqGY00u5gePVnef SL1qZDQ4bux5hndgP3hnVkkU60nLc1UrrHZwa3nD4Eb3q4MnctMCX40xi A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CgAgDM+T5b/51dJa1cGgEBAQEBAgE?= =?us-ascii?q?BAQEIAQEBAYJTdmJ/KAqDcJQ5ggeINodshQ6BeguEbAIXghYhNRcBAgEBAgE?= =?us-ascii?q?BAm0ohTYBAQEBAyMKXAIBCBEEAQErAgICHxEdCAIEARIIgxmBG0wDFakkghy?= =?us-ascii?q?HFA2BLoE6iG2BVj+EHoJWgisHgnOCVQKHQSaKA4c6KwkCiGiDLYMDjWArilm?= =?us-ascii?q?GYAIREwGBJB8CNIFScBWDJJBSb444gRoBAQ?=
X-IronPort-AV: E=Sophos;i="5.51,316,1526342400";  d="scan'208,217";a="138895625"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Jul 2018 13:52:21 +0000
Received: from XCH-RTP-008.cisco.com (xch-rtp-008.cisco.com [64.101.220.148]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id w66DqLeV013975 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 6 Jul 2018 13:52:21 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-008.cisco.com (64.101.220.148) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Fri, 6 Jul 2018 09:52:20 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Fri, 6 Jul 2018 09:52:20 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: IKE_AUX comments
Thread-Index: AQHUEufJG9ukeXZd00OB/ArBblFw6qR/B9KAgADxt4CAAN9PAP//vjnggACO1oCAAU/PgP//wcKw
Date: Fri, 6 Jul 2018 13:52:20 +0000
Message-ID: <43624913cc9e41e4908b1e7895e90edc@XCH-RTP-006.cisco.com>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com> <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com> <012e01d4152c$3d1a11d0$b74e3570$@gmail.com>
In-Reply-To: <012e01d4152c$3d1a11d0$b74e3570$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: multipart/alternative; boundary="_000_43624913cc9e41e4908b1e7895e90edcXCHRTP006ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/t_sWuRR1JW1AruhkfxLcvGoDEzU>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2018 13:52:26 -0000

--_000_43624913cc9e41e4908b1e7895e90edcXCHRTP006ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_43624913cc9e41e4908b1e7895e90edcXCHRTP006ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_43624913cc9e41e4908b1e7895e90edcXCHRTP006ciscocom_--


From nobody Fri Jul  6 07:05:19 2018
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAB6E130EC5 for <ipsec@ietfa.amsl.com>; Fri,  6 Jul 2018 07:05:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.498
X-Spam-Level: 
X-Spam-Status: No, score=-0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BQvWmVBsZYg9 for <ipsec@ietfa.amsl.com>; Fri,  6 Jul 2018 07:05:15 -0700 (PDT)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1CCF130E55 for <ipsec@ietf.org>; Fri,  6 Jul 2018 07:05:14 -0700 (PDT)
Received: by mail-lf0-x22f.google.com with SMTP id y127-v6so9895771lfc.8 for <ipsec@ietf.org>; Fri, 06 Jul 2018 07:05:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:to:references:in-reply-to:subject:date:message-id:mime-version :thread-index:content-language; bh=AuMkj8O1mnuQImCRHzfKWBTll94c8J6rVSJZISMlQs0=; b=uvXZcyMf64dIc9QYx++vclkOqbQnqsuVtJgAjP2sfe6YVqwbPy/9hWBNngzu8GvCPF VsEjUSJ3cK9SgaNsRvBqZZjoFxpkJDzvhPQgYWXxwDAN2FKyOcdv30R+erSYp+UvWqMr mD9aRMRJ2TRaKrHxC5UYWFqKUFmyG60eOONYwE8D1Pi8E4BK/Uo12RM8Z+emfCMul0AP 7r3RnRbaqMQMlEBLxt1L89NB9QkfvwYDOYd296UPTiK7rauRfh+302dILTXIol/qqDpx 9KNvRHOq5hIX2wS0XgdM7hndzi0EVJ67XxLo1+OxrkDYY5Bfa38498XNdoC89D8Z0r+N ew5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=AuMkj8O1mnuQImCRHzfKWBTll94c8J6rVSJZISMlQs0=; b=jHmP40aCvggvsDaFt36kXPH/v9YB+Z+JWuqVHv54TOUgH/Tn/X0qHEC08tsm6BPLfd 8xZZ2M5lQfoc28WxjHaVQvWrU50uMzvruTg/c2+3x6hlhABj7HwiHPEGWwngPE3Xs8oy y/dBfHJO1/JJLdsPkY259cfEzPbcrOyqSPc+1+3C1Ta/eUJks63j5//yvxVyZLz/Gd7v wRpFmz3csok4MmYyeBsNfCLcx8Zv9/QmOJvRMv9SppqEGKGkapSzR6pfrAQ9j4jnuUyJ 5s9MauT7MJlhj61eRT8dqzD9Ws3bxgNEsCjsbiAPeNV0BYHfsq3BsMaqZLniEgQ3FMJH fg/A==
X-Gm-Message-State: APt69E23L6CJGFJUYWL9XERRjYlVUBq0Mm/Ikh2yMN9clh/atEloD7co so6gkXugWR1KTEIMHFDIdNw=
X-Google-Smtp-Source: AAOMgpfhfhrUL9wgvYo+vVwqTnTJkVZn4jGEvN2FB/rYvlZwV3InFchysBVrzbL/kPz9T3MIBqE5sQ==
X-Received: by 2002:a19:cf95:: with SMTP id f143-v6mr7799050lfg.101.1530885913059;  Fri, 06 Jul 2018 07:05:13 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id q6-v6sm1702385lfk.31.2018.07.06.07.05.12 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 06 Jul 2018 07:05:12 -0700 (PDT)
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer@cisco.com>, "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, <ipsec@ietf.org>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com> <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com> <012e01d4152c$3d1a11d0$b74e3570$@gmail.com> <43624913cc9e41e4908b1e7895e90edc@XCH-RTP-006.cisco.com>
In-Reply-To: <43624913cc9e41e4908b1e7895e90edc@XCH-RTP-006.cisco.com>
Date: Fri, 6 Jul 2018 17:04:42 +0300
Message-ID: <014501d41532$49f29610$ddd7c230$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0146_01D4154B.6F4154B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEciSsDD1zqgCWGCuqENOVpeeZcmAIUjD3lAYKjZjwC2ApLZAEyIKg0At8cjcwBfEWkHQKYOSezpXypqjA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/oIAeufAectaDqPd5UOEshvD9l-Y>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2018 14:05:17 -0000

This is a multipart message in MIME format.

------=_NextPart_000_0146_01D4154B.6F4154B0
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: 8bit

From: Valery Smyslov <smyslov.ietf@gmail.com>
Sent: Friday, July 06, 2018 9:21 AM
To: 'Daniel Van Geest' <Daniel.VanGeest@isara.com>; Scott Fluhrer
(sfluhrer) <sfluhrer@cisco.com>; ipsec@ietf.org
Subject: RE: IKE_AUX comments

 

Also, for (3), you have to be careful to specify which SK_p[ir] to use;
in our draft, the IKE_AUX message updates them; the obvious thing to do
is specify that you’ll use the SK_p[ir] values that were in effect at the
beginning of the IKE_AUX message in question.  Actually, for security, we
don’t need a secret key, having both sides use, say, an all zero key,
would achieve the same security goal, however that does feel weird…

 

Using an all zero key does feel weird, however it could help avoid
potential incompatible implementation errors.  There are two sets of
SK_p[ir] available to use in the case where an IKE_AUX includes a key
exchange, the values in effect at the beginning of the IKE_AUX exchange,
and the updated values resulting from the IKE_AUX exchange.  Depending on
the order in which implementations recalculate the SKEYSEED and SK_*
keys, vs when they perform the PRF on the IKE_AUX data, the “current”
SK_p[ir] values could be the old or new values and so some implementations
may have to maintain both the old and new keys until the IKE_AUX digest
is calculated.  All this is to say, if it doesn’t affect the security it
may just be simpler and easier for compatibility to use an all zero key.

 

PRF(SK_p*, AUX_*_MSG) aren’t sent on the wire and are calculated only in
IKE_AUTH.

It is possible to use SK_pi/r from the latest recalculation (when final
SKEYSEED is available)

for authentication of all previous IKE_AUX messages.

 

Are you sure about that?  The reason we’re including a summary of the aux
message in the Initiator/Responder Signed Octets (rather than including
the entire aux) message was to avoid having to store the entire aux
message until the IKE_AUTH is processed.  PRF(SK_p*, AUX) can’t be
computed until we know the SK_p* key.  If we make that key the final SK_p
key, we don’t know that until the final IKE_AUX is exchanged, that means
that we’ll need to store the AUX messages (which is what we were trying
to avoid).

 

You are right, it was my mistake.


------=_NextPart_000_0146_01D4154B.6F4154B0--
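
The key-choice question in the exchange above (which SK_p[ir] to feed into
PRF(SK_p*, AUX_*_MSG) when an IKE_AUX exchange recalculates the keys, whether
an all-zero key would serve as well, and why taking the final SK_p forces the
AUX messages to be stored until IKE_AUTH) can be made concrete with a small
model. The following is an added example, not code from the draft or from any
of the participants; it assumes HMAC-SHA256 as the PRF, a constructed rekey
function in place of the real SKEYSEED derivation, and made-up AUX message
contents and shared secrets.

```python
"""Model of the IKE_AUX digest choice discussed in this thread.

Added illustration, not code from the draft or from any participant. It uses
HMAC-SHA256 as a stand-in PRF and a constructed, simplified key schedule;
message contents and the way SK_p is "recalculated" after a key exchange are
assumptions made for this example only.
"""
import hashlib
import hmac

ZERO_KEY = b"\x00" * 32       # the "all zero key" option from the thread
INITIAL_SK_P = b"\x11" * 32   # constructed: stands for SK_pi/r after IKE_SA_INIT

# Constructed sample transcript: three IKE_AUX exchanges. The second element is
# the shared secret produced by a key exchange carried in that exchange, or
# None when the exchange carries no key exchange (so SK_* are not recalculated).
SAMPLE_AUX = [
    (b"IKE_AUX#1 KE payload (hypothetical group A)", b"shared-secret-1"),
    (b"IKE_AUX#2 KE payload (hypothetical group B)", b"shared-secret-2"),
    (b"IKE_AUX#3 notify only, no key exchange", None),
]


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated IKEv2 PRF (HMAC-SHA256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def rekey_sk_p(old_sk_p: bytes, shared_secret: bytes) -> bytes:
    """Constructed stand-in for recalculating SK_p after a key exchange in
    IKE_AUX. The real SKEYSEED / SK_* derivation of RFC 7296 is not reproduced."""
    return prf(old_sk_p, b"rekey|" + shared_secret)


class AuxTranscript:
    """What one endpoint must keep while IKE_AUX exchanges proceed, under one of
    four policies for the key used in PRF(SK_p*, AUX_*_MSG):
      start_of_exchange - SK_p in effect when the IKE_AUX exchange started
      end_of_exchange   - SK_p after the recalculation this exchange triggered
      zero_key          - an all-zero key, so the order of operations is moot
      final_key         - the SK_p known only after the last IKE_AUX exchange
    """

    def __init__(self, initial_sk_p: bytes, policy: str):
        self.sk_p = initial_sk_p
        self.policy = policy
        self.digests = []      # fixed-size PRF outputs that go into the signed octets
        self.stored_msgs = []  # raw AUX messages still held (what the draft avoids)

    def process(self, aux_msg: bytes, shared_secret):
        if self.policy == "start_of_exchange":
            self.digests.append(prf(self.sk_p, aux_msg))
        elif self.policy == "zero_key":
            self.digests.append(prf(ZERO_KEY, aux_msg))
        elif self.policy == "final_key":
            self.stored_msgs.append(aux_msg)  # key not known yet: keep the message
        if shared_secret is not None:
            self.sk_p = rekey_sk_p(self.sk_p, shared_secret)
        if self.policy == "end_of_exchange":
            self.digests.append(prf(self.sk_p, aux_msg))

    def finish(self):
        """Once the final SKEYSEED / SK_p are known (just before IKE_AUTH)."""
        if self.policy == "final_key":
            self.digests = [prf(self.sk_p, m) for m in self.stored_msgs]
            self.stored_msgs = []
        return self.digests


def run(policy: str, aux=SAMPLE_AUX):
    """Returns (digests, peak number of raw AUX messages retained at any point)."""
    t = AuxTranscript(INITIAL_SK_P, policy)
    peak = 0
    for msg, ss in aux:
        t.process(msg, ss)
        peak = max(peak, len(t.stored_msgs))
    return t.finish(), peak


def peers_agree(initiator_policy: str, responder_policy: str) -> bool:
    """Do two implementations that pick the key at different moments compute the
    same digests? (Daniel's interoperability worry.)"""
    return run(initiator_policy)[0] == run(responder_policy)[0]


def tamper_detected(policy: str) -> bool:
    """A modified AUX message changes its digest under every policy, the all-zero
    key included: the digests are covered by the signed octets, so the PRF key's
    secrecy is not what prevents undetected modification (Scott's point)."""
    good, _ = run(policy)
    tampered = list(SAMPLE_AUX)
    msg, ss = tampered[1]
    tampered[1] = (msg + b"\x00", ss)
    bad, _ = run(policy, tampered)
    return good != bad


if __name__ == "__main__":
    for p in ("start_of_exchange", "end_of_exchange", "zero_key", "final_key"):
        d, peak = run(p)
        print(f"{p:18s} digests={len(d)} messages retained until IKE_AUTH={peak}")
    print("start vs end of exchange agree:", peers_agree("start_of_exchange", "end_of_exchange"))
    print("tamper detected with zero key: ", tamper_detected("zero_key"))
```

Running it shows three things from the thread: the start-of-exchange and
all-zero policies keep nothing but fixed-size digests; an initiator that takes
SK_p before its recalculation and a responder that takes it afterwards disagree
on exactly the exchanges that carried a key exchange (the third, key-exchange-free
exchange still agrees), which is the implementation-order ambiguity the all-zero
key sidesteps; and the final-key policy has to hold every AUX message until the
last exchange completes, which is the storage cost Scott points out.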


From nobody Sat Jul  7 00:44:28 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F10F6130E1F for <ipsec@ietfa.amsl.com>; Sat,  7 Jul 2018 00:44:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.778
X-Spam-Level: 
X-Spam-Status: No, score=0.778 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FSmgsJw1IBUI for <ipsec@ietfa.amsl.com>; Sat,  7 Jul 2018 00:44:24 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D373130E1C for <ipsec@ietf.org>; Sat,  7 Jul 2018 00:44:24 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w677iLfu012051 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Sat, 7 Jul 2018 10:44:21 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w677iL5c001162; Sat, 7 Jul 2018 10:44:21 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23360.28501.111362.509479@fireball.acr.fi>
Date: Sat, 7 Jul 2018 10:44:21 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
Reply-to: ipsecme-chairs@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 2 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/4vrCQToI7gdjnUW_LTMXr4C_Z_o>
Subject: [IPsec] Agenda items for Montreal IPsecME meetings
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jul 2018 07:44:27 -0000

Send us the items you want to talk about in the Montreal IPsecME WG meeting.
I will make the agenda early next week.
-- 
kivinen@iki.fi


From nobody Mon Jul  9 16:00:42 2018
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCF8D130DF0 for <ipsec@ietfa.amsl.com>; Mon,  9 Jul 2018 16:00:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level: 
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 93H-GLc7Vr0A for <ipsec@ietfa.amsl.com>; Mon,  9 Jul 2018 16:00:35 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE257127332 for <ipsec@ietf.org>; Mon,  9 Jul 2018 16:00:35 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41Pgm03wBDzFR9 for <ipsec@ietf.org>; Tue, 10 Jul 2018 01:00:32 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1531177232; bh=tA1M/Y8vGyxU7EnkEUYPdLZH8rsIHk9IAvNKO+LfOWU=; h=Date:From:To:Subject; b=HBknvRee4yD3T1bU1ep/xDpOq9gpTph+MVMgIgGpxVg4IJIULAG4tnhzRIH+GMhOk +zOj8XDCIvxVbnceBZbyn0pmhq9IMGGXzZq8V18e+/Qf6LsJWIqfa+EDXUFwcyOzxD rKBHdxih8s13lg2SglhjxC+VHvLEiVuiCQ82KtOI=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id n-whdIXUlgEZ for <ipsec@ietf.org>; Tue, 10 Jul 2018 01:00:31 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <ipsec@ietf.org>; Tue, 10 Jul 2018 01:00:31 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 435E841853E; Mon,  9 Jul 2018 19:00:30 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 435E841853E
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 3470C409567A for <ipsec@ietf.org>; Mon,  9 Jul 2018 19:00:30 -0400 (EDT)
Date: Mon, 9 Jul 2018 19:00:30 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-ID: <alpine.LRH.2.21.1807091857590.10573@bofh.nohats.ca>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/4RXUQQXiM50_p8CPCoLMvaLaynE>
Subject: [IPsec] [slightly offtopic] Windows and IKEv2 Fragmentation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 23:00:39 -0000

Hi,

According to https://msdn.microsoft.com/en-us/library/cc233476.aspx
Microsoft Windows 10 v1803 (Windows April 2018 Update) has support for
IKEv2 fragmentation. However, I am getting reports of people who are
fully up to date and still their IKE daemon doesn't seem to send the
IKEv2 fragmentation notify.

Has anyone else run into this and found out why? Or are there any
Microsoft engineers on this list that can tell me more?

Paul


From nobody Tue Jul 10 10:08:44 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E384E129385 for <ipsec@ietfa.amsl.com>; Tue, 10 Jul 2018 10:08:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level: 
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P_85VaVETSrC for <ipsec@ietfa.amsl.com>; Tue, 10 Jul 2018 10:08:40 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8F7C131168 for <ipsec@ietf.org>; Tue, 10 Jul 2018 10:08:39 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6AH8aYm008240 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Tue, 10 Jul 2018 20:08:36 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6AH8aPG023250; Tue, 10 Jul 2018 20:08:36 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23364.59412.431150.847778@fireball.acr.fi>
Date: Tue, 10 Jul 2018 20:08:36 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 2 min
X-Total-Time: 2 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LUcJIKOnRAV58-4KIqrwHGgskWU>
Subject: [IPsec] Initial agenda posted for Montreal
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 17:08:42 -0000

Here is the initial agenda for Montreal. I would like to get everybody
who has any presentations to send the presentations to me before
Sunday, so I can upload them to the meeting materials page well before the
meeting on Wednesday. Also, if someone else still wants to have some
items on the agenda, send the chairs mail ASAP... 

----------------------------------------------------------------------
IETF 102 IPsecME WG meeting in Montreal
Wednesday, July 18, 2018
15:20-16:50 Saint-Paul/Sainte-Catherine

- Agenda bashing, Logistics -- Chairs (5 min)			15:20
- Rechartering (5 min)	       	      	 			15:25
- Draft status -- Chairs, Valery (10 min)			15:30
  - draft-ietf-ipsecme-eddsa
  - draft-ietf-ipsecme-implicit-iv
  - draft-ietf-qr-ikev2
- Work items
  - Split-dns (10 min)						15:40
    - draft-ietf-ipsecme-split-dns
  - Auxiliary Exchange in the IKEv2 Protocol (15 min)		15:50
    Valery Smyslov
    - draft-smyslov-ipsecme-ikev2-aux
  - Postquantum Key Exchange for IKEv2 (10 min)			16:05
    - draft-tjhai-ipsecme-hybrid-qske-ikev2
  - Labeled IPsec (10 min)					16:15
    - draft-sprasad-ipsecme-labeled-ipsec
  - Diet ESP (10 min)						16:25
    - draft-mglt-ipsecme-diet-esp
								16:35
-- 
kivinen@iki.fi


From nobody Thu Jul 12 07:08:56 2018
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 730B5130DE4 for <ipsec@ietfa.amsl.com>; Thu, 12 Jul 2018 07:08:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bhquzm_BIvVl for <ipsec@ietfa.amsl.com>; Thu, 12 Jul 2018 07:08:51 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 434AE127598 for <ipsec@ietf.org>; Thu, 12 Jul 2018 07:08:51 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41RHq45PvFz3pQ for <ipsec@ietf.org>; Thu, 12 Jul 2018 16:08:48 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1531404528; bh=45v8QMQD38uCOlpqsdPDN2YMWjvM1PUB0oMQAw+cMs8=; h=Date:From:To:Subject; b=Du34yVzcwU1eoGBbSb2uF0SdqnPzrN9rVEv5EaUaAEwJ0zifVRYMz6kSBFcbrQq/B eSe+NagSigF7Jj8T8r3NFGHHqdejWa/lbUaG2bxbLhvs3Ld2bJOxmNsdCQdZXORQkJ Q56RjettYH6HmDJ8wIIj217GYHtwNoNOgcItTKkg=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id R3v_lK49ik-h for <ipsec@ietf.org>; Thu, 12 Jul 2018 16:08:47 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <ipsec@ietf.org>; Thu, 12 Jul 2018 16:08:47 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 35390381FC7; Thu, 12 Jul 2018 10:08:46 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 35390381FC7
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 2F88E40E08F4 for <ipsec@ietf.org>; Thu, 12 Jul 2018 10:08:46 -0400 (EDT)
Date: Thu, 12 Jul 2018 10:08:46 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-ID: <alpine.LRH.2.21.1807120957110.30290@bofh.nohats.ca>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/dZ_w7rVjoF9KvH6IoJy6GqAKZjk>
Subject: [IPsec] Geneve and IPsec - can we advise them ?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 14:08:55 -0000

I was pointed to two drafts about using IPsec for transporting virtual
machine network traffic. Specifically, their use of AH is what I'm a
little concerned about, as I was hoping the IPsecME WG could start work
soon on obsoleting AH and recommend ESP-null for the remaining use cases.

IPsec over Geneve Encapsulation
https://tools.ietf.org/html/draft-boutros-nvo3-ipsec-over-geneve-01

Geneve Header Authentication Option (GAO)
https://tools.ietf.org/html/draft-mglt-nvo3-geneve-authentication-option-00

Is anyone aware of any other existing or planned deployments of AH?

Paul


From nobody Thu Jul 12 07:57:37 2018
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7635130E19 for <ipsec@ietfa.amsl.com>; Thu, 12 Jul 2018 07:57:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.139
X-Spam-Level: 
X-Spam-Status: No, score=-1.139 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zr5qLJXEZ-cR for <ipsec@ietfa.amsl.com>; Thu, 12 Jul 2018 07:57:32 -0700 (PDT)
Received: from mail-lf0-x22e.google.com (mail-lf0-x22e.google.com [IPv6:2a00:1450:4010:c07::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46150126BED for <ipsec@ietf.org>; Thu, 12 Jul 2018 07:57:32 -0700 (PDT)
Received: by mail-lf0-x22e.google.com with SMTP id g6-v6so13815273lfb.11 for <ipsec@ietf.org>; Thu, 12 Jul 2018 07:57:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=ZElUe4v6fIBR3TQ0OiYxTVdGQGCk0c9TiI1bpGPhphc=; b=lvArnov60C0WWfIb6+nUxlaUUz9WZKiCF2CpG5H9EsJt/FSvYlt1DujgOpwyh5pa7n R5NmIdfCVPX0AeyqNlYpchyuW3Z62Xn8g7TacsMJ2RkmFdhft9q6OenzU3SKQvo6Cf+P e7BabQ7EOhy51WtZdmVkOb3VSH77jHtRyDaKC9Cg7wDTshAdBypy/U7+LtskwnFuDtRG hjEPl3/kLHG545b8u6O08oUUrn6YaxZVIAG+Zm+H0kXbZgRBdxCIYcCLkI4ZmHr2ggOM g8Odj713xntgh9ciJ+Rkst5x31BY9rRtEdtaaUMbKhaLultf50JcsYAybhavp9ctNGIz 1AvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=ZElUe4v6fIBR3TQ0OiYxTVdGQGCk0c9TiI1bpGPhphc=; b=FdOa50JxUysn0BmHL5ytPTT1YAFS527qwSpJDOTJgZEi0ugWSnE5i36VBWPtzofQ2t HQFGfxmw24coq2Bh9ljl9tfeoB3XgmRDPXWjKdB81+LX0cqAynqXS/Lg0JADUlgRZr9F bqPdjF7JSmBblQYy+DqUqi6Q39ucFQ6gUMdcuoS8j0imlsXyH07kME7uXGPtz1lkTIRb zyCp6CUqH9GXnQ5ZWLepMOqXHzkBxAIocTaoSLqM1P7NUzAfpLyY1n6UP71p5nxaoYvp WRdZpjQBbF0Yd03je4hM87cpefV0yv4eNHD97eDZPxgzZddo2eqK5wIq1Lh2aELLBZln 4Mhg==
X-Gm-Message-State: AOUpUlEW3PAqihQiUTrWz93mgZQGRZqcu4Y2KfGoAbkhjPX/f50CXxbs NrtDCnmj/xPxXH8IXzTQ0t0mjx7/FSWbynmSFc8=
X-Google-Smtp-Source: AAOMgpfTztN8JQSwF1rOha9rTtKIn9dW78cBP66KtJXvYEof9VQ7Lps5Yn4F/s9jhGNqEtCG2j2vv7lyt/YG5/bWgsw=
X-Received: by 2002:a19:6902:: with SMTP id e2-v6mr2083390lfc.70.1531407450574;  Thu, 12 Jul 2018 07:57:30 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 2002:a2e:119d:0:0:0:0:0 with HTTP; Thu, 12 Jul 2018 07:57:29 -0700 (PDT)
In-Reply-To: <alpine.LRH.2.21.1807120957110.30290@bofh.nohats.ca>
References: <alpine.LRH.2.21.1807120957110.30290@bofh.nohats.ca>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Thu, 12 Jul 2018 10:57:29 -0400
X-Google-Sender-Auth: ZTJ_YS6PEozoXkVt9bwGK2Kfczg
Message-ID: <CADZyTkn4wxXnv1ZSQU_96SpvbjwKThvPhqUJwM7AJie9Mfq2HQ@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001913a50570ce95e2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/oChSTCrXilccIgTGetOI3F7nFWQ>
Subject: Re: [IPsec] Geneve and IPsec - can we advise them ?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 14:57:35 -0000

--0000000000001913a50570ce95e2
Content-Type: text/plain; charset="UTF-8"

never heard of it ;-)

I believe the first draft is documenting a solution implemented by VMware.
At least this is my understanding of it. The second one is using a packet
format for a Geneve option that looks like AH. I actually do not really see
how this could "re-use" the IPsec implementation while it is heavily inspired
by IPsec.

Note also that the current discussion on Geneve is on the security
requirements, so discussion is currently put on hold for these drafts. That
said, I am happy to have feedback on one or the other of the proposed solutions.

Yours,
Daniel

On Thu, Jul 12, 2018 at 10:08 AM, Paul Wouters <paul@nohats.ca> wrote:

>
> I was pointed to two drafts about using IPsec for transporting virtual
> machine network traffic. Specifically, its use of AH is what I'm a
> little concerned about, as I was hoping the IPsecME WG could start work
> soon at obsoleting AH and recommend ESP-null for the remaining use cases.
>
> IPsec over Geneve Encapsulation
> https://tools.ietf.org/html/draft-boutros-nvo3-ipsec-over-geneve-01
>
> Geneve Header Authentication Option (GAO)
> https://tools.ietf.org/html/draft-mglt-nvo3-geneve-authentication-option-00
>
> Is anyone aware of any other existing or planned deployments of AH?
>
> Paul
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

--0000000000001913a50570ce95e2--


From nobody Thu Jul 12 19:22:13 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6DC2130F88; Thu, 12 Jul 2018 19:22:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MJz4q3jRM37g; Thu, 12 Jul 2018 19:22:01 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3411130EAC; Thu, 12 Jul 2018 19:22:00 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6D2LqeL003664 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 13 Jul 2018 05:21:52 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6D2LpHF002421; Fri, 13 Jul 2018 05:21:51 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23368.3263.416115.132129@fireball.acr.fi>
Date: Fri, 13 Jul 2018 05:21:51 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Alissa Cooper <alissa@cooperw.in>
Cc: "The IESG" <iesg@ietf.org>, ipsecme-chairs@tools.ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org
In-Reply-To: <152831367012.6362.4051379754783235897.idtracker@ietfa.amsl.com>
References: <152831367012.6362.4051379754783235897.idtracker@ietfa.amsl.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 31 min
X-Total-Time: 33 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8ZL1WMgciPisSy8827h7oSb4lzA>
Subject: [IPsec] Alissa Cooper's No Objection on charter-ietf-ipsecme-11-01: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 02:22:05 -0000

I seem to have missed this email somehow. 

Alissa Cooper writes:
> Alissa Cooper has entered the following ballot position for
> charter-ietf-ipsecme-11-01: No Objection
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Substantive comments:
> 
> (1) I don't see the value in having an expiration date in a WG charter because
> it's not enforced in practice. 

This has been the way we have been working in the IPsecME WG for a long
time (I think since the beginning). Most people in the
IETF seem to work better if they do have a deadline that they need to
meet.

> The previous version of this charter said the WG would close if the
> charter wasn't updated by Dec 2017, but the WG continued to exist
> without the charter being updated. This charter seems tightly scoped
> enough to just get the work done according to the milestone dates or
> close sooner if people lose interest.

We did start charter discussion in the November 2017 meeting [1], and
did have the charter proposal ready early 2018 (February 2016 [2]).
Then we added two more hanging items to it and forwarded it to the ADs
on March 19... So from our point of view we were 3 months late...

[1] https://datatracker.ietf.org/doc/agenda-100-ipsecme/
[2] https://www.ietf.org/mail-archive/web/ipsec/current/msg11820.html

If you feel this is something that we cannot have in the charter, we can
remove it, but we would rather keep it there to make sure we keep the charter up
to date, and update it every few years. 

> (2) I think it might be worth a few words to state the reason why the goal was
> for the new IKEv2 mode to have the same quantum resistant properties as existed
> in IKEv1, rather than better/fuller quantum resistance.

If you are referring to this item:

	IKEv1 using shared secret authentication was partially
	resistant to quantum computers. IKEv2 removed this feature to
	make the protocol more usable. The working group will add a
	mode to IKEv2 or otherwise modify IKEv2 to have similar
	quantum resistant properties than IKEv1 had.

Then that is part of the already accepted agenda and the work there is
already done, and should be ready to go out very soon (most likely
after Montreal IETF).

There is another item later in the charter:

	Postquantum Cryptography brings new key exchange methods. Most
	of these methods that are known to date have much larger
	public keys then conventional Diffie-Hellman public keys.
	Direct using these methods in IKEv2 might lead to a number of
	problems due to the increased size of initial IKEv2 messages.
	The working group will analyze the possible problems and
	develop a solution, that will make adding Postquantum key
	exchange methods more easy. The solution will allow post
	quantum key exchange to be performed in parallel with (or
	instead of) the existing Diffie-Hellman key exchange.

Which goes further in protecting against quantum
computers, and also explains what the issues with it are (i.e., why
this item is much bigger than the first item). 

> Nits:
> 
> Based on the number of grammar and wording errors I found in this charter, I
> would strongly suggest doing a clean-up pass to make sure all of the text reads
> properly. Here is what I found:
> 
> (1)
> s/to have similar quantum resistant properties than IKEv1 had/to have similar
> quantum resistant properties that IKEv1 had/

Agree.

> (2)
> s/in form of counter/in the form of a counter/

Agree.

> (3)
> I can't parse this sentence:
> 
> "A growing number of use cases for constrained network - but not
> limited to - have shown interest in reducing ESP (resp. IKEv2)
> overhead by compressing ESP (resp IKEv2) fields."

Unfortunately I have no problem parsing the sentence, so I do not know
what should be done to fix it. For me it is clear. I.e., there are
constrained networks, which want to reduce ESP overhead and because of
that want to compress ESP fields. Same for IKEv2. And those needs are
not only limited to constrained networks; other use cases need
them too.

If you think the text is unclear I would need to have a proposal for
better text.

> (4)
> OLD
> Currently IKE peers have no explicit way
> to indicate each other which signature format(s) the support, that
> leads to ineroperability problems.
> 
> NEW
> Currently IKE peers have no explicit way
> to indicate to each other which signature format(s) they support. That
> leads to ineroperability problems.

Agreed.

> (5) The milestones need to be updated. Some of the dates and draft names are
> wrong.

I would have assumed the datatracker would have known how to follow
replaced drafts automatically, but that does not seem to happen. This
means that draft-mglt-ipsecme-implicit-iv needs to be replaced
with draft-ietf-ipsecme-implicit-iv, and draft-pauly-ipsecme-split-dns
with draft-ietf-ipsecme-split-dns.

Note, all of these draft names are from the old charter, and they have
not been updated when the drafts were replaced a year ago. All of the
dates which are in the past are for old chartered drafts, and one of them
was already sent to the AD 3 months ago (i.e., before the April
deadline), and another two should be ready to go out to the AD after
Montreal.
-- 
kivinen@iki.fi


From nobody Thu Jul 12 19:25:12 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7E12130DCF; Thu, 12 Jul 2018 19:25:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qd8cb8CnfhzM; Thu, 12 Jul 2018 19:25:02 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 321D1130DC7; Thu, 12 Jul 2018 19:25:02 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6D2P0KL009214 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 13 Jul 2018 05:25:00 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6D2OxDf015187; Fri, 13 Jul 2018 05:24:59 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <23368.3451.934002.661110@fireball.acr.fi>
Date: Fri, 13 Jul 2018 05:24:59 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Mirja Kühlewind <ietf@kuehlewind.net>
Cc: "The IESG" <iesg@ietf.org>, ipsec@ietf.org, ipsecme-chairs@tools.ietf.org,  ipsecme-chairs@ietf.org
In-Reply-To: <152832103138.6280.2877071506266435390.idtracker@ietfa.amsl.com>
References: <152832103138.6280.2877071506266435390.idtracker@ietfa.amsl.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 2 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/sfpLGxQyfEAi2Urm51fpSB0uw8w>
Subject: [IPsec] Mirja Kühlewind's No Objection on charter-ietf-ipsecme-11-01: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 02:25:05 -0000

Mirja Kühlewind writes:
> Mirja Kühlewind has entered the following ballot position for
> charter-ietf-ipsecme-11-01: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/charter-ietf-ipsecme/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> I agree that I don’t see value in having the expiration date. Why does the
> working group feel this is needed?

For some reason I do think people in the IETF do seem to work faster if
they have a deadline they have to meet. I.e., just see how many drafts
are updated a few days before the deadline. Having a deadline in the
charter forces us to check our charter before it expires (we started
the rechartering process last November), and causes us to update it every
few years.. 

> s/IPsec SA. non-standard/IPsec SA. Non-standard/

Agreed. (On the other hand I am not able to make any changes, so
someone else needs to do these editorial changes.) 
-- 
kivinen@iki.fi


From nobody Fri Jul 13 08:45:24 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9754F130E01; Fri, 13 Jul 2018 08:45:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DpMSKgym15Yd; Fri, 13 Jul 2018 08:45:13 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D12D1277D2; Fri, 13 Jul 2018 08:45:13 -0700 (PDT)
X-AuditID: 1209190e-f5dff70000004a4c-18-5b48c9073b56
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id CE.6C.19020.809C84B5; Fri, 13 Jul 2018 11:45:12 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w6DFjAsE023048; Fri, 13 Jul 2018 11:45:10 -0400
Received: from mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6DFj5nQ009052 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 13 Jul 2018 11:45:07 -0400
Date: Fri, 13 Jul 2018 10:45:05 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Tero Kivinen <kivinen@iki.fi>
Cc: Alissa Cooper <alissa@cooperw.in>, ipsec@ietf.org, ipsecme-chairs@tools.ietf.org, ipsecme-chairs@ietf.org, The IESG <iesg@ietf.org>
Message-ID: <20180713154504.GB59001@mit.edu>
References: <152831367012.6362.4051379754783235897.idtracker@ietfa.amsl.com> <23368.3263.416115.132129@fireball.acr.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <23368.3263.416115.132129@fireball.acr.fi>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprMKsWRmVeSWpSXmKPExsUixCmqrctx0iPa4MpFPovpZ/4yWsz4M5HZ Yv+WF2wWM+d8YLGYuvI1u8XR88/ZHNg8vjx5yeSxZMlPJo/DXxeyeHy5/JktgCWKyyYlNSez LLVI3y6BK+POJI2CD1wVvTMOsTYwnuDoYuTkkBAwkTgyo525i5GLQ0hgMZPEpfnfmCCcjYwS UxYtYIFwzjJJfH5wkAWkhUVAVeJm2zcwm01ARaKh+zIziC0ioCix+8lWJhCbWWAmo8Sy1fog trBApMT8y9eB6jk4eAV0JH70ZoKEhQQqJSa82MUOYvMKCEqcnPmEBaJVS+LGv5dMIOXMAtIS y/+BHcopYC7x7fo5sHJRAWWJvX2H2CcwCsxC0j0LSfcshO4FjMyrGGVTcqt0cxMzc4pTk3WL kxPz8lKLdI31cjNL9FJTSjcxgsNbkm8H46QG70OMAhyMSjy8G1Z7RAuxJpYVV+YeYpTkYFIS 5T24GSjEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhLesByjHm5JYWZValA+TkuZgURLnzV7EGC0k kJ5YkpqdmlqQWgSTleHgUJLg7T8O1ChYlJqeWpGWmVOCkGbi4AQZzgM0/NsxkOHFBYm5xZnp EPlTjLocf95PncQsxJKXn5cqJc5rDTJIAKQoozQPbg4oLUlk7695xSgO9JYwr9AJoCoeYEqD m/QKaAkT0JK4FDeQJSWJCCmpBsal56V7oixuzfjYWaq5KPiYWJpK3P2Sy2+Ot9zZypXkeOLu w9nMMzT+xAZMWbtn9a0bW/c9uqn2vGxL9MsVwdscu49FC4a9mO4YIrcrrdpl64e22bevNNWw et5YuHPj+fO2E9Zuq/xf9d5689nzray63xmuPnrqvLb+9oUXBnt+f173MDzir6zmcSWW4oxE Qy3mouJEAJyaJyYmAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uhyQP2Ool-zztUw6HidOZyQV4H0>
Subject: Re: [IPsec] Alissa Cooper's No Objection on charter-ietf-ipsecme-11-01: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 15:45:16 -0000

On Fri, Jul 13, 2018 at 05:21:51AM +0300, Tero Kivinen wrote:
> 
> I seem to have missed this email somehow. 
> 
> Alissa Cooper writes:
> 
> > (3)
> > I can't parse this sentence:
> > 
> > "A growing number of use cases for constrained network - but not
> > limited to - have shown interest in reducing ESP (resp. IKEv2)
> > overhead by compressing ESP (resp IKEv2) fields."
> 
> Unfortunately I have no problem parsing the sentence, so I do not know
> what should be done to fix it. For me it is clear. I.e., there are
> constrained networks, which want to reduce ESP overhead and because of
> that want to compress ESP fields. Same for IKEv2. And those needs are
> not only limited to constrained networks, also other use cases needs
> them.
> 
> If you think the text is unclear I would need to have a proposal for
> better text.

This text is unclear because "but not limited to" does not have anything
that it binds to.  From the follow-up, it sounds like what's meant is
"There are a growing number of use cases for reducing ESP (resp. IKEv2)
overhead, especially in constrained networks, but not limited to them.
Such reduction in overhead can be achieved by compressing ESP (resp. IKEv2)
fields."  There are presumably less-intrusive changes possible, too, though
for some reason just "but not limited to them" does not flow very well to
me.

-Benjamin


From nobody Mon Jul 16 13:11:29 2018
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC8D131217 for <ipsec@ietfa.amsl.com>; Mon, 16 Jul 2018 13:11:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1rvKlTlbpCgb for <ipsec@ietfa.amsl.com>; Mon, 16 Jul 2018 13:11:05 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D1D0131243 for <ipsec@ietf.org>; Mon, 16 Jul 2018 13:11:05 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id j5-v6so26609525wrr.8 for <ipsec@ietf.org>; Mon, 16 Jul 2018 13:11:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:mime-version:subject:message-id:date:to; bh=gUy0x+9wKCgTgOK+yQfkoM/L0pgAh4vB9IqM01wjkDA=; b=s3EWhoS6gGJ7FTvkS344KBHc66pBziHhQY6UclyEdxRiUI7iLkNOVAZJV5ja7tsW06 QtjxzeL7nxlHqsow0pqTevkKJHMZTqebHJkM+rP6eeDTbFcKxyOk4KmQ45T1nHKp6tl1 ORVHQ5jhZxLKJf6GUcKkGBgSrj/GFHFoXndT8vrDCHrW1m6t69PXjSEbDfwzNZZxNamy w8ARXmVPtT6HIlhKJmfrAw4w92wrknZjpIISTD+Wsrg4diZVaebc7uNW2DdzH2Cu2W+b 94yfvIw0R9md54SJ9w+301wryNRnHQ56pYs6bFS+jeKfIfwrOoxtot1aId/gREzfwvR/ jAFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=gUy0x+9wKCgTgOK+yQfkoM/L0pgAh4vB9IqM01wjkDA=; b=cXDIu89tioEmwUmPwanOH+OWjY0amSbi3Iu8Q87SioToPamh45TQe9043T1yYxFpmx 7iedx91BRdECIMpODsTVmbz0s2gzZio6sYoc8XXaTkEi7PenhjAKsC6jzmJ9kXGqkJ97 GTJWatzrMBKIDta4BzF/T0BM1rDJ03ggsqzbpTRY4maSh4FRD1194oKRRZwOTtlB7wrY khd6B1Rsip15ndPbCTp8FZzx0WH1JzEeaJGbKNu6sLHO/Vxo+U2qDy8xUFvOTBF9OcQT IkkZJdrGH0N3qeQo+LteNsKindmzqmFpCITUvxjxgYG4566/4gb+6Xp+ZXcmDJf4LCP/ 3MwA==
X-Gm-Message-State: AOUpUlE14zJur4mImBYqYKeqcncUEv/U3D9TAbSyHrih0flK126px5g/ iBDjSbKoMq8AZ4e+Gh1jtfXckleY
X-Google-Smtp-Source: AAOMgpdstPcyACOUFBl0Gxqn3oi63fnopMChcIW4gtPmdEkBfVKpsZ6cN3yOZkUCnOB+RwMeJl//Pg==
X-Received: by 2002:adf:f0c3:: with SMTP id x3-v6mr8636094wro.281.1531771863398;  Mon, 16 Jul 2018 13:11:03 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id i6-v6sm33181459wrr.10.2018.07.16.13.11.02 for <ipsec@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Jul 2018 13:11:02 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7E1EC248-97CE-42FC-A028-5250F9C1C85B"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Message-Id: <966A3F35-7003-42ED-B050-70410A699FF2@gmail.com>
Date: Mon, 16 Jul 2018 23:11:00 +0300
To: IPsecME WG <ipsec@ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/dh-6ltcD-clch7Oik7q3tvu9sjE>
Subject: [IPsec] IPsec Flow Protection @I2NSF
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2018 20:11:20 -0000


Hi.

I'd like to draw your attention to the agenda of the I2NSF working
group: https://datatracker.ietf.org/meeting/102/materials/agenda-102-i2nsf-00

The I2NSF working group will meet on Wednesday after lunch. On the
agenda, there is this item which may be of interest to IPsec folks:

13:45-14:00 IPsec Flow Protection (15 min): Rafa Marín-López
In case you haven't been following, the IPsec flow draft was adopted by
I2NSF. The authors are making progress, including open source
implementations.

One issue that may come up in the discussion (either at I2NSF or here)
is that other drafts about controlling IPsec VPNs with SDN ([1],[2]) are
coming up. I'm wondering if these are competing, complementary, or what?

We'll be glad to see you all there.

Yoav
(co-chair of I2NSF)

[1] https://tools.ietf.org/html/draft-carrel-ipsecme-controller-ike-00
[2] https://tools.ietf.org/html/draft-dunbar-sr-sdwan-over-hybrid-networks-02




From nobody Mon Jul 16 14:36:03 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F06EF1311F8 for <ipsec@ietfa.amsl.com>; Mon, 16 Jul 2018 14:36:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level: 
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rBqUQHLtrJkm for <ipsec@ietfa.amsl.com>; Mon, 16 Jul 2018 14:35:59 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66756130E2E for <ipsec@ietf.org>; Mon, 16 Jul 2018 14:35:59 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6GLZumo013870 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Tue, 17 Jul 2018 00:35:56 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6GLZut1026426; Tue, 17 Jul 2018 00:35:56 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23373.4028.718257.542196@fireball.acr.fi>
Date: Tue, 17 Jul 2018 00:35:56 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 1 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/kivNhsnhBvGX0XODIPHSyzDwou0>
Subject: [IPsec] Agenda updated, and most slides uploaded
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2018 21:36:02 -0000

I have now updated the IPsecME agenda for Montreal, and all but one of
the slides have been uploaded.

----------------------------------------------------------------------
IETF 102 IPsecME WG meeting in Montreal
Wednesday, July 18, 2018
15:20-16:50 Saint-Paul/Sainte-Catherine

- Agenda bashing, Logistics -- Chairs (5 min)                   15:20
- Rechartering (5 min)                                          15:25
- Draft status -- Chairs, Valery (10 min)                       15:30
  - draft-ietf-ipsecme-eddsa
  - draft-ietf-ipsecme-implicit-iv
  - draft-ietf-ipsecme-qr-ikev2
- Work items
  - Split-dns (10 min) - Tommy Pauly                            15:40
    - draft-ietf-ipsecme-split-dns
  - Auxiliary Exchange in the IKEv2 Protocol (15 min)           15:50
    Valery Smyslov
    - draft-smyslov-ipsecme-ikev2-aux
  - Postquantum Key Exchange for IKEv2 (10 min) - Scott Fluhrer 16:05
    - draft-tjhai-ipsecme-hybrid-qske-ikev2
  - Labeled IPsec (10 min) - Paul Wouters                       16:15
    - draft-sprasad-ipsecme-labeled-ipsec
  - Diet ESP (10 min) - Daniel Migault                          16:25
    - draft-mglt-ipsecme-diet-esp
  - Controller IKE (10 min) - David Carrel                      16:35
    - draft-carrel-ipsecme-controller-ike
                                                                16:45

-- 
kivinen@iki.fi


From nobody Mon Jul 16 20:17:16 2018
Return-Path: <linda.dunbar@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CCB9130EFB; Mon, 16 Jul 2018 20:17:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JnPhUFWVGE24; Mon, 16 Jul 2018 20:17:05 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82D3E130EF6; Mon, 16 Jul 2018 20:17:04 -0700 (PDT)
Received: from lhreml701-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 688B5713C1616; Tue, 17 Jul 2018 04:17:00 +0100 (IST)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml701-cah.china.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.399.0; Tue, 17 Jul 2018 04:17:00 +0100
Received: from SJCEML521-MBX.china.huawei.com ([169.254.1.107]) by SJCEML701-CHM.china.huawei.com ([169.254.3.200]) with mapi id 14.03.0399.000;  Mon, 16 Jul 2018 20:16:55 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Yoav Nir <ynir.ietf@gmail.com>, IPsecME WG <ipsec@ietf.org>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: How about simplified IKE?  RE: [IPsec] IPsec Flow Protection @I2NSF
Thread-Index: AdQded/1kRiNEMLaSMyP+ZJwQpIh+Q==
Date: Tue, 17 Jul 2018 03:16:54 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [10.124.182.59]
Content-Type: multipart/mixed; boundary="_004_4A95BA014132FF49AE685FAB4B9F17F66B0CBA8Dsjceml521mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/fwzPNzfEkPiCpiNr2rzWjBY_dZs>
Subject: [IPsec] How about simplified IKE? RE: IPsec Flow Protection @I2NSF
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 03:17:09 -0000

--_004_4A95BA014132FF49AE685FAB4B9F17F66B0CBA8Dsjceml521mbxchi_
Content-Type: multipart/alternative;
 boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B0CBA8Dsjceml521mbxchi_"

--_000_4A95BA014132FF49AE685FAB4B9F17F66B0CBA8Dsjceml521mbxchi_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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==

--_000_4A95BA014132FF49AE685FAB4B9F17F66B0CBA8Dsjceml521mbxchi_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_4A95BA014132FF49AE685FAB4B9F17F66B0CBA8Dsjceml521mbxchi_--

--_004_4A95BA014132FF49AE685FAB4B9F17F66B0CBA8Dsjceml521mbxchi_
Content-Type: application/pdf; name="Sept 6 Interim minutes v1.pdf"
Content-Description: Sept 6 Interim minutes v1.pdf
Content-Disposition: attachment; filename="Sept 6 Interim minutes v1.pdf";
 size=65563; creation-date="Fri, 08 Sep 2017 16:15:10 GMT";
 modification-date="Fri, 08 Sep 2017 16:15:11 GMT"
Content-Transfer-Encoding: base64

3ai2ttZcUZFM9vWZHBUmoKYi4XShqQg0nuijxQ3ResRuV4gqj/FB3sCHMqPR0jJM9exQhvigbKsK
CxG/P2JRy9aP/fkSXmMJZXgjRqzCIzK9K+YLZLsNsp34d/i70+weg4xX6tS4Kv2CWq+WyQ0eu2xE
a1DxvMqovXVsJwKbegwhGQbr8qEEKkc/TLn9TgG3+wUj+dLDl1MHXwHIK5kLSWW5bSk4bkvBcZtN
m0NOziEn55CTc8jJOeTknCch7kHjxw8DR9Ei0PRBOBPwvYNGCfUifnhQJ+LbB7UEOSGlf0h7XMtp
3bF/FhQow+LoS0fxKNYOK+ei2tO1ot1W4GTfm6LSCl9JUALJiUQF5aBUq0EWCmZGS0zFpUVB0J6N
2LOPx8V5XChkIsZsmaQy7C+fPbixJf24Ix534OiWfYOF9kRddsmixqz0mLt8wcyRE/Wdpa5ZkRmX
drz4aVVPfRRvnraysybb5o/Jro75c+buaM+bO6PcrCnpXMfhZFtJRrovVDV77PXKnmp/ujyjrBM6
iwPj78l0ch/U4qUHM1BVQtJKQtIK4N+IVgDfJVpJSFpJPANxpAE5cRIFURTnjFi6ZE/hbFSC8nHe
sHoeVOlXThPBSZp94dUTBfkRq0ExpVoqbFI1JRXYZvVxJN/ErGQ6Tq6yppbsbNn949vau+752ZXl
lyxo8qjkvEylVRkKZ2+cPe/WZWUlg7cvbN/cUWxUahT8UcFpNljjMc/cb7z/5a9+9sQiWyDbY7C4
zdYMizqWjDVe/9yunU9fWRdNRhUmH9RAYmW3gZWZkR9tS3lrg9hCLMdCLMdihTxbzJBhixNya3mK
WA5yU924Jd24JYtxSxbjlnTjfgpiWzXoRjdi6PCM4uiwnFoJ08UrzCL6iEc7yySUUwzgtnnffG9/
+l2x+CPfevvLHYeL1z96/RPDux7dVMHd960z3+ykBT3/62/fu/rwtTM/M9XseY6s+oSc8bsgZzno
smF3TCrRmPTUMempY9JTx6Snjo1yppRabQlYAvDw7lGsSun3RPHxKH4piqNRhYsMROo7YgDDigmr
79u4CbKVFN2IIFm/WM7ceZYeCprOofwumUavGruL5JBbodKr5HL4SivwiApcg0wNfBaHVXqNbIbZ
Y1bR3KrMHqvZY1KlL1ELGRazW1CmC1Qmj5jv8U/5uZDvGFo0rLRI+bZI+bZI+bZI+bZI+bZAvg/r
vcjnVULWDlosLsUozjqY2eEiDlJqkZInTBUTucPnZYa1Niy7/FzImDIN2lPCw4s8pbIG3M5Mqwqy
2iSmnrBkQC6alYLHZvGY1GN/UuqVcjl8yR4nufSSHC0cf1e2XR5AtehrKW9GhtFJLNRJLNRJfJtT
oyMMcuEkpadHz8ZwIJaK9cf4mFHKv1HKv1GqyUapJhul/BvJKshkMS52jmLNoczMimTNU1gDbbwG
x0cquqyjOGc4OY+UN9RmE1WH5Ode6es7MeHoJL2cVZtLy0zECkhtF7VlIh5wsv7LZNtlKp1SV774
mgWXPnpZbeOOR5ZX7yxJv2IyydTQRtyvtZs15spFS5cV3PO3r8/re+T07TOvXt7o1sgWW7wWVTQv
OmvvM+t3Hb+2wevFl2eGQY0qlZBhTlvcUW+mU9f32Hv77vt0aMAdirszqX3I5kCbm0Sjh2oLcEgn
qUgnqUgnmYhOMhGdpCIdUW6GI6wl2tcS7WuJ9rVE+1riH7SkjXCglA0alpSFfAkmiOdTcBw5yBAh
HCB4BI45sjuhAclJGY/r8Es6rDu7NYYKdboWQ6vxClGrZHKTFasvMmFqU62Oek0bpDEqm6OyBp3u
gFU1dhCYi1ieyprpdAWtKq5dtEVgbtA+mJxOxdWMfZdx2a8ZG/uUUzAu1S/cA/qzoTlHax2zHU84
eCSpEEkqRJIKkaRCJKkQPQk+UTN+/ChoQiN0itmFbE44wsh5mcE97LnVtqDDNfVpJ5+QPJVy/F38
R3iqLNRzDJr3//xxvPA4JtzuNYQ61U/hQmQBl503LJfaLqj0iSktN3k6BQsnxbhz8kn/mNGwvjOj
LC9Tq5RzPLRQKlcoz5+ZHxBoFixq3NS+Z0GB2mjS6Uwusx1iSaPZaMrrqOO/QvJDaoHkvz6GnBSh
pSlTAanW+cS6koQFNZKmNVLWNFLWNFLWNFLWNMRYdbZYZ1AjeDqFyTivljU/YEfwTTUejcbwBQxJ
Cu9sVoUSY7ud/1hpzfSEcuzKdPhca8I/UgiOoNsdsCj15nQXftGkzCCuXCFouBvGLp9wapNW9RxX
q9YpZXJI0LsdY+Nj97ktUqvVCrl3o+ZjyEYza5Mya5Mya5Mya5MyayMrk5Ha2GkbxQmpWcLJk6zc
prRDE1WEuOdWaFvUYycc8YlMvESC0Varx6KGVuZx9qhnvqo2ZUiWr0hAy1KNHksJ/TUbajh9fr4j
mdTkOZ3u0f8wLCAF4wsX6HQa4kc0xI9oiB/RED+iISWtIWYJEWrKRWw0XNqhdTr0SWdBnsKf1eHv
Zm6i1gzhehFklMWZELMLE8xUMS1ZVESi+Cm1KoRJ5A4xPA6d1VqJQTwuIuUt6keRUFn9LkfQouLS
RbzW5rXafFYtl56BwWe4nFDIOZ5VgfywU423yfH1Wrc/6lpr9Fh0k5Vz5Zl9So2Sl0FQBt2keyfS
92eHde4sz2fz+f2+bJdWbfHaJJ+8W25C09B1B2NGo1VSpohGCfUivkeUaZWUaRWV6dPk5RUSZRY6
jeQLTiwUdITBKYXkFAH5yjs1ecaYzEVadGIhovqI8s7TXbJIMhmqKagbIbvddgF9+XhHUXSKVcl2
621ufZk7FgrZ0qsCdRkcx6ksfqfTb1bluDu9Mb/XhCu9pYUFTgwBjcXvsgfMqhlW6BdqvYUx7lTF
FVXN98z87B8TteXRrEyNI+4f+2HxYH9fcvaB2dwz0GuCmAgcBXlrbfy07G15EFxWDO1Kua1EB1Zi
UFYSuFpJ4Gp1UjUVpdQBlC/+ZQyfpFyfZKk+KSTwSSGBT1Ku7ykI7jXIBQGAsStEapZ83tkBbN85
nnGioy3Gr1OiednbM+96Y9+dv7i5Yea+N/bd9sqtjYdjC7+0YcOXlsSjC764aeN9i7O4e7782fCS
+fs/fOjeT59YMu+b/3hk3dM3z5p7y1MrNx2/uX3ubd8hsTp4xueh/mWgONo+HFZIGVFIGVFIVU4h
VTmFlBEFMQGHyUvU4yXq8Qo6PW7zkt6glyyxQ6YIRD0HFQodZFN70NahmxL0UQMRzo77QucGe7Ip
ITv/fGrbt7ffpbYEXcSrZLuxLbt99dq2+OGq+X05D94/a2VTmL9r4IF11em8iXoBRa101C66fP7s
S4oNY59kzRikJVwnvwFKOIaq0BdSXk3QnEVykUVykUUKOYsUchYp5CzISUqDAhn5GXsy+IxCSTmF
knIKpVIulEq5UFJOIXkPxhzU6HNHcfyQoysiKyNFrSdF/cpJooSKyfKeiPMqCvLlkgZiiqmdOak3
K8fnWADkQqNTWHu3XFtTcM8gs4Sbf35bsyVek92yrjnLqko/dq5RbHL4TYpg7YJqX868/R89dN8n
xDI++HLHvms35FbXZxotIe7Uuu/cPKvr1idXbXr2FjCTpxG1E5kW7KQUNaA7Uj4hz1SmgqyWEa2V
iWVfRrRYRtRWBvk/GicjB/FaE9EVMJOkM5NkUCbJoEySzkxkwWJGngC9oyMbUjiVckwDuzkc7HBI
rlnsE52eUNyUkYAKybeIAyl5/HmGZHf4eGlAwGGx23FxNBaNsq6gVmEN+9xBq1a2zZZbM7dqMzMx
6BpaCurcrZtnxULTF1UEinOzrFsMqvRYwxxXbdEd32oYnO4H1wwhhhocY0Hx/NrQ2K8mTA86GnJe
Xz5vfX3dytmVVkOielZB+g9hL39d22qHUpFuC1bNAR89Y/w0Pwi22ILeOobqxt8+ZBRwW52kojpJ
dXWSh66TVFU3yuWkEoUpixW3FaYgzgoXhgt1Hie51kOaPY8gkC+4xEOKw/MkV0DavoMeMUw7ftAl
oZXiESMJqXV5T+EYKoPOSTSlNQXKcFlKq8NtJjJbriGszFRmsldDT+5wnUce77KDbUveC4rgtIn0
UxOJPuG0QCr4ZIxtpgfOcWuyswK+4okA8NyBCwU/WL/tq3116+dXObQQzKkMRXM2zizvqw8Xdq5e
t6qzqGr1HXMT89urLQoZxyu0Sm2yoa+ydE6xu7DrknWXdBXhSxd+YbDQHsh0Rvx2r1mZmRXylc0p
KptVVVBUM3fj7I4r5+UaXX6L1uS0mDMs6oyQ15s/PVI6q7qwaFrXRigjI3jI18DyM9Hyo84U6Rua
iNYOkeD3P3aXJPwwjR8/TCxfYSbdYK/kEQshWH9fVM73E8KJxEQneLI7wjyBGGC9Jnbe97FYEZjU
ueevFbv2Yt/3zFcmDHGpypRhsdDhURJvPQrt2+UQCybQvSlvfy4OkFobILU4QEwnQCKmALEa8kZa
yjS15wWWhuxShu1Shu1Shu1Shu1Shu1PcgLplZD+GVm2klLDLTTRTqHTM2k3YndM8oOJSRPpw+eH
zdZzuwayyxv3jG69dGh3A+3+W1Q5XVtbWrd2JETVBKFn8MZlx/ZMr7n8yDY+xNTx2QcLru/Nzem5
ej7vmNrTyQTvtgq0EkbrUt4wcWxZYewmGHXjLAeO6nGOC+c4sWtUqqQiIW7PyVIISZlJksvpckYj
/k6n3Ez7Y+aKWpMZ04pAcoj6+nBfX1+iLxERg0cZCYlKS6eEjIV2u0LJHZUZXDGvPeg06ZR8uleF
zVmZGUGzWoY3Y7yaV4Hr8of1vMpHhnkxxP1alWxEHAhW6TVnnpXVknQyEEzyOA0i7VOQx2q08mC0
GkNj9XGqnlTsCJigipCsJI4IYkoEZzoJiWdiZ4CQ3AKcm49zwzg3hMs6sztD+Vp+avca4r5aKDn4
kAFuaYtMRMY8Y+dm8+wMy6+RCRlxnz+RYZCl3+c+5Q3ueCCYk2Hk048qsCka8IctSg6HMLbyamvE
lxG0qnkc57CXV1hCXl9IwPKowUSiOZOB/9lnScZlBxxuohWD9swJWaXWSDqGRu2ZH8iqNMDlBreD
aCgfavqH4ihGfsobT+J4Ho46cdSBY3achXC8M6Q1eTtNUzp+UFv7xM/kUD7GEyP5U3I7kUXM/1Ev
N8czA2GbVpY+lX5drrOFfcGoUa7HA+kndEoBHFTUrlFgO7bKNZZMrz9mkunSQzV2t1EOXWA1x4+N
QbDKy41uO9fF1do9RhmvBKeQgf+o0ivF8h77PsmPT4ztrCgb9f73+u86qLgOcZTmeEpHhm0inR6F
uVMh2TKe6s8nHdVkdqGVdRSVlpZZJiy5hfYHbar0nVq5MRb0Rexa+UFXoZtzFLgO8VpLpjscF+Ra
/FF6orLi17lfk2KTKfWa9C0lW6oqNpbhyzQGJSkwO+SvCvq1+8Azx5F7ONM0iqMHPR262CiO0WHh
Qvg3padKfGgZnuJN7TYxKsDA+H1iv1XmDvAas57rHhvRGIjlGDTcSx6/TGMyjD3ObTeZmy0esyoQ
iujtLr+N368yecykq+EPxASX22f9bHEmiZUWQatey/8IFaEUGkoFjNP905PTea3aUawDTRcTP1tM
XGyxQPxG8Sj+KGVAsZgRYR0inhhVSi1+pdRHq5QKp5L5mspRTpWymhzfR8VCMVd1vBijYlxcnFeX
PYo9KeNLmTgzU+Z9J2/mtN/q2mUoycaUxWHGvo2L+1iH40RicV+FNL5cCIHUYujZEkOGPljJlCC0
qESKPaUUmeiDlbSRtpPhSL5WyPC4/YaqOzpmbO7IrdnyrdW77AWzKqYNtBToVNDBUnqmz1tRPHDj
3Og3bm1YNt3fO6du/TSnTgc9BN2C2qZI04q6tg0zI03Fc0o83pBXJbiMLq875LXkdO+ee8KRWxtv
6preANq9F7T7C/lGsGro2R6GRkQTLJWMuFQy6lJJX2Rf1FfpKP445bElSGSfCJBZF6L/BGn7EoI4
GcNpUmpk05SWBGXy/FEsPxKd6WkS2iqADsvbxdYKVOiomOjdTupsor2K2c5vuKiTY503pcluF7sz
vygavL0v0dLUFFOZPTawIYXSEnC6oO+a1drcnLX05vlZj9uK56UCNanGWMOu+pqeMhd+a+tT1zaZ
opXxdVBFoFroVPJyFR3kUo39KV4eEmZdM7S18epl08zZ0wvT93bNrx7cCfVkAWgswL+AStBNwxli
5EcdwSnJAbx9iFT8C0xnvHv2NMb4O3R6g9Om9EkDNrje8qc0+mZ/eBRzhywz+b8WkLhIrW8uyBnF
imF1OxnvS5wWvyaGtk9MTGScM2GloGGfYup0FR/g5EpXdWtPcuCe5SV1G+/tTXQ0lDjVCs6sN8aq
uyu3XRlM9VVXzKtN6MjQyNdMLpPeFfGaUzsPbr3u2R1VgjvTabA4zTF/MCt49PH51/QkwomQyuIl
9bQf9PKAfC2Kogp0c8pfW4W1ngpSOytIFFRBougKYh0VxFgqnsKfIISSVGtJSVlJSVlJqcYmJWUl
iUFpLMEmbUXMIzNkk6XjzplQ1WUHDe3yNhL4ieZUe87MlWhPE4NLU6sgdGMmrIqPRqd2BMv4B5Sm
DCuZDJ9x78LBW+ZnFS69Y8nsa1JKq5/YlHp//RUNtWBBYFF1wWmpppiLGdC29nnt1wwv3fLUtTMa
6zktGyUZawTbWbor1XD1crCl+gKirT7Q1r3g1RKoGD2eyk6W1pauL+UtpDZZAmQayBLMIX2OHKIt
OkEs+jewhU8ONyS+keDI1OdhUtuKZZLxySQbE/e1IlIHJyP6CwZznt8ju13GHZfhl2RYJstI/jY6
0/lOv2GDgTOo38kQDaxv6nwZrZSvJ6ixibPEYgVVhIJTzMp2tvFxtlipqFAlf2/MNTbia9rQkVrW
ktQptQqe45Xa0nkbU+sf3lRZvfGhwUvu7s/dz1++bdqimkyO42LB1u3z8mxum9LgMustRp3W5bTU
7BjdseXYVY0Nm+/vsVy9L69teRlpjyPjn3LXy7dDBLZsxC6QCihWPI/ktTzMW3kkd+aRjMlDXpLL
z46Mjr+UMpP5j4jmdOkMd/R0fnOgTWgWe8eFZAwpcaLofVrHik6cM2tkk0adp/aOQ9IMUhGbNeKu
hxhSobT54p5IccDwAkQbcrPxBRW4JmfAorpSEIiruTLUvHZmaHpYB7Gl0eIwyNVatbOoo3Kp0uS2
hAOf/ZWEoWQ6mbcFwha3Sdm3+IZ5cb1RZ/GQNQgl6bv4m/gfoho0Cy1BL6Vs5twZpJbNUEGWZwQE
C26bUVQL0SlRQa1UvwBPHSGHapWzgab0RjNum+2RGfP5IqWSWI8g6ut4Sg8kt0jp8SiLcmVEx6li
ouQe8hM9AQEu68mOpLSAEWO+ki+f+Wtd19s2W385/5fq5uzA9F+Vz1z4q8BsaRq2lk7MvUpdf6Lo
JFGuAwJ5EsqbIFE4mYB/CfZFtA46tttpUxCNKcCf2R3SCASzuTJoXotLxW9asyEEwcXRieaULFeI
xmIGXtrjb7IYrwplFPbtmVU26DE76kr/Wr+hM6/40v0b1967NEcIFgQKkoURf7h40VVt8Rl+LJhM
6fTyvvwZScfyhQXNSUfXko6/BOJO9bWXtS6v8fBbQv7w/OSs7V05Xrs5zxfK4zRccFpvVc2G7oJI
qrc4WFNe5HK15Uzrj0b6prfvmJurVgXT7y9aGShvyepd4S9rHltcWcupXLnxLFtdvTe/htj3vRBv
PgQtcyG6/FBtMc6enAiWDHvKDLE0YwzNssNHp/vEiT9xzk90G1pyTENn+nzZLgFalKO5M8NNrjbR
fYoDQhMzSbQxrjh7uktsTZQXmIOhUaqNf0hlpm2uM68lv2ZXA+yKA/GsKZ5xe8uCnW1BF7Nnzti+
uCHc0z12M0uZ2v62tkxbcdMA8ZTXjX+KO+RJZENBdMvR2tDs0PoQb5diubN6yhYRT53To6Y96Ke4
jSgD2T5vekZSqQ3UdETjJyt0yOtih1xCi6ifV08nJG8otSwXngu0kGaXGCNYIa45VwGWnKrKBJEJ
FfDXslk1nF+ZHa8AgRyP/yJ9F14GOQ6jfHT9wdmFZM2UGCwAfkCeO8IcO1lMRTIQIW/OJ3RIOm9K
N4Tma6I/Ar4vpXG5UGEeyWMe5PFglr/FCi3psFyspZBTU1ERi2dpbiGv8rMGmuxnjx6cle0OX2rZ
jECuE7rVvFKtVIQcwaTPwJwe0UF2oqoq27hs59yESqM3mfVkbYTcmtvcwh84Xx20HuyCelCM7k7p
aktxvAAXpMy4HcKjl8TMFUjNXwHJvU5EsfkreIqLoUzoflEdfP6sOVQNtz03FxGV0Cpiz9TKs1oy
mkyseoiDzBBsQXQvtgmFp5gVTJjBfzRBuUsFfTNPyGlUpK891z7wXJXZBf26TJtab0w/idfpteKQ
KHRH1fiDtP78avLZy9CD06t5aFTVOqeQfjIdMdkk34FrQGc2lBJnwNeLM+AX7qJO2gj++JBGaBJz
LBnAhWe8z7Ns1/mPJj2F/CWIceagd1IeM5kdFlcpRcVRkZg4JLKhEzedv9KFjtROWRHzzoR/8/ns
ZCbIV0hnI8V5SXFKUnRzGrDvo3PI2NqcmvMXDtHbnrfA6Cn8MThZAStGWmdC8K1I6etm1jTllrfk
trmmlP/UiaUKabzcVMEm34m3FF8Z+ncu8/N8qE3q6UvGIn+JulKLyprTkFexuZHUHkfQorTn1OdV
bJnwrApzhsPuFZRtt7WU9zbkC7kdrTPC8y9r8U/62FDFOT72/BT+WghMeF6tVW3rnu1O1mUVNGRb
wPm2sTYISrAQ7UsZaQmSL6k5OreUPmfdEuks+rSCwFolcWHKlDUp+OOjUsNEmqWUJndmtivcwlRP
oobJNQ7CWdr+D5on23/VPE0o8Yvt/0XzdJaiQEH9pHUivcE3QENkhvNbqYzaOM4y47iJjHFGdTiq
wlElzhZH1S4wq3nqgrOaJFj3JTVYM2W6NHD2dOmTnIbMQRw1ovYNUEwu8r6scWYIeo5S95r0ECWV
JScmQfvY57+aDeXfqNz87U3rv7mutGLzY5sByx731Fwyu2V1Q9BTe8ns5ksaAvhP645d3zp996FN
gDMBd7VcvbSieMnV7TOvHqgoXnw1GVtI7+N/AbohYwt7yNhCsPQCq0Go95lcFkKCGBsdVhAHGMSZ
GDrCcMFxhRZh9ueOK1xoWOECNvL5wwp3Ls5qqEuFpxiL1eYxK+Nt7R25S/eSYYUicVihKdawo76m
t8yN/3LZd66ZIWQWh9I1zBfK/gI2w5PRxsuza+K2tmuf2Np41bJqS7y+IH1fV0/1sl1i/xm09YCk
retTHlCXX5sgFSah0bEhFtHJJUjfORsVUbOZsi74HWldMFsvzNYFQ9/ZFmnRTkv4ZUIe6Tu7Z5aT
vrPQTtr8C/edz9JZiYmOODN7cZR8ft9ZTaqZ36qMz2xuiREVFQ7esSSrqXFGNllabs0wKc/rP6cP
MU3hk/GKkJH1oU2Rqvhaprr0v2gnmg7IQCda9E7cw+LI4OChDSU4apSManLJoGRcRsnqjMS4zFMm
YIiVITfYXCSlTsyMGm2BFlsbkty92OAnJmLhqR3ACzka0YgU3MOcQq1SObxhmyu/pDJ0rpuJ1FVW
ePXBsFcn4zG/1O4zqdVqlTWvrWxs6HxHc01pQ8zIqzQatUFcOdoxfpp7EXLcgl5M6ZKtta2zW69s
faJVPmWS80NpclM0ijoyPGU5Z/JTnPTEv0356UynOMdJTEya6CRdZOJzPE/iD8VFPhoSFulSWmkI
Owr3q9U9oeN0ea+Xaf5qmmPqN20w8XRC8zdkNnOm/W1aGSemMqWJzD4yNTVlInMylv7vTmRyLxYt
vnpW/vzGfLtGRiYqE7XzyrMbCj2x1JzujlQs3rmzM9xcGbcpeYiONAp1ZmlLMjsVt2WlOru7UjFs
aFwD5e1wWcN+C8SfnoDHHCqNRIuz/JmJmnnVJQMtOTqzTdAZ7YLJJSjtLrsllJ8RK8kKZGZXzyVl
ERz/O7dW9m1UiRYdiiNTKFfSea5UFrlSWeRKFTJXsspcYoQ6hz73dKjZqz/taC4g0beSuu2TxOyK
pNGrkyfo0J7swgMMZw9D2NlwDLdWJQTieY6mZSnvbqOZzGZewQK1t8jYsdn4VtkMRzjDqpKr5bKF
3kzBoFZEWjfP4gx0hOFVtoTnVToGkdb0LVFr1HKDk+R7Hxnn478DMcGdKT9EAtoYsaAYsaAYmeOL
iU4qJoghF/7kCK1pfkkrfkkrgB+LdZOQg+IrElJl9Us26id9FbUltyWmlbtaIDCTTw72TV0mOGFS
FxzsO2fSs7RsctjvAaXZa3N4TYr2e8SmX2mlfRRHsjm/Zmej0uqHmmtWT0QE27pnVa+8aSmXyWrn
2D9nL6mP9HRzW1mKNPvJ7wT95KA/HEOhcWjNSKDrF+cEI37so8SH7VI+bRJaJ8NfEc0TaznG30uV
kYUgEFWYcEzAWXKcmQUJ0zJxOBMHCa0N4nAQB8TUAA4HcMyILwviIBnkUptszcEA1NogmVNVgykG
yQgj2SMlEST315Glm1ktQa27Rds2OS+VIG/W9ImRQ4L+E2foqN7JrGRCfNdpYtHelCbC4qATVj6O
34k5nkuflOndWT5flssgS78ok5PlZQ5vyKKWpWX8GU5jCXocPpOSf1Cm1uiUnz1CJltlKoOGn68z
q3noE3LwpR5z63Tcn9U6Fc+ptETbJdDHuBa03YjeOIZmgHuaBlkrJ4Nf8XJcRjCSh6NBHA3gqB9H
fTjqxbEMnCXDcR5XVuGqSlyVi6vJ/3Bhw+2CNHxAMKUBcxUCcAfBKCUTFKfwjCTZWNcinkeUWSvM
FtYLVwoyIWW2NwtFLZGWyttzcA45lkO8pmCxN6/M2ZbDNUKqo01NlPwLosm+E7W1J0GTVN+TU9p0
Upt+qKIVE3rmY8opc8AXUPkUKr9WJk9/xOsdWT5/tkvHP81xT/B6d9znj8Fe+hO5DHoXjoxMs4r/
Fcc9z6nNYPZ+s4p7jcOvcmpL0O30kmJRWo2ThcLdqlaPbZ4sIqNVqdZCCUFPdcytVkMJ6cHxkkW0
TrbHqTSkvOJQO1qhvJLo+mOoABRjIuP7xG/kEY9RlYedYI9HyHyeEzsk32BnSXasJtaaTfqt5Jpq
hMtDuFSLtQHSvSClotUW5MdbyNxyi2miC0FXDCQnVgsQ46X2m4jYrey1Mf4Cc80Wy+Rcc73KEvP7
Qjat7JevybS2zAxvxITV2Jn+SIUtsYA3ZNXITr4k05j8Hm/EzKnTn+QYLDo59M6VeHn6fgBerrMY
8FH8sMGil/EKjTI9jGcryCpUrdWYXky8B0SBu0A/YdR5DHkgryWk5ntw3IOdYufZiaOGUgMXU2M3
aZIr3dhVThTnwv4Wl8bSommVzUatUqeVrCJI0EpLKm+Qp1kts5D11NHiidUDFnFUx25VckXbFQWF
7oCJU+xSC3z6WZUQ9vkyrWo5xvzHClNmICNsUqQPCya5zmrAFTKzhl9kcxrkvMqoH8vjXrVo5dBO
mCEnvRDUvsYfRQlUdQwJkBM7Wc0RFVe3JeF4sbpBzakjJui0HHQ1G2Ni56VVmmmGWOFkH1n/fd6E
85TXNNiEM7R5rylUBtXYqzYPsUd8a/pKwULmoDmZ1qRTkrT0VrxfpVcrmiwekzIjmGmw210Cd0kw
YoZ9hcFuChicDrcwdo9S8NBRxw/5+fLFqBg1o2jKEA771daDcnm+uqGStEx4OL+JNNivk7c/xVFt
OkMw8donHyUtNY1izpvrPbf/xc8vXLC7XRmK2XxmlQKrzRlme92iCncgNTC9cn4qrlFCE6SwVnQM
FF9637L89Am1M+4LZLnUaldWwBd3qvnf9dzYXyp/32gklQ5Dq2ZRxhsWFVYsaYy6fE6FyWt3uix+
t3naqls+qwomPFqtJxEM5rq0WlculEV2+g28GZ1CHqQZ0ToykPDKSTrXr1RSP1NmmXhFdbPC4DDd
JNdbXBaTQ4Nl12mdYbcr7NDe5i/Oy3W9qNSoxKqPLXs8AUGhEAJEn83p3+Fb+buhn5xEweGw9Slu
NorCgZ2HNf5EvtyIkifhR6FNf+XNH5y/XNd04Ue5FfLvD2SBj3FmBfygD4XeYbpRrje7zOKjXaNz
hF1OeDQ+EMghec4JZOYSzB1rFx/2JyqNUkZ6F9g08bAcemr8I+lZY8gzjKyj3M6jGl/I1SY3NqPa
k7UnSYhWeOGnPOtt3vOe79z9858rK0gToHCgqXPnEp/5RXiedVA6WuQYJovkjh8hi+HUPDg3eJTE
c6SopozArkvWVOcRWTsjmdcIQuaJ7hn/SPYeeoPcA4VQ9rPIye1CPqTjdiIzFMOuo4qgTe0xknsW
FZ0shAr4JtnOvrX8czhenayuzCOCv5dHWBW0qSdY2pqmZF7DBYTYHb8Vb5ZvB7tTg93NgPywavSf
m5086i9K5jpfVOrEJkeNLVe6A2aFwiza3Y38Nj5P/IUypD+kyLQXwq9ABuF3zppDkl7IVl4gVfSL
+7WOkNOZadeCiQk3yHVgYoJdg+VpxwUOQAshm7Fbegq3rwgs7aRoaVAt0qc/5wB52gS/jfvZxNNq
Y46iiaed0Eo0WjypFvkFlcX9jDzMjTK92Ukehr9W4wi5HCG7Nn3flAPw+DLxCHl6ecwPT+M8qdKS
CgFaNIEWTQqFKeD+vANQfjj9Fq+RP4NsSDUsyFESvKBDehhp5Fv5LZne6rW5gmaZguuT6S0+G3RE
ZPL39UaVTKm36BU79UY15N+qh/s14kNcHjcNGZHhEFJqT8sQWeAuzQMGqbmJ/j7PbEovNsMHfw28
uhx/EvP5o1GfwuRGePxDfFrGcbvhLqYRuMsxnIE+70YyzmL5rNZiNlv459RGtZwrjYZC0UhILb6p
Of5J+i4ZGnciPTIeRkrNX2RkjuT8+9hlSDB9Ns1kNpv47wmm9KuhgC+UmUk09Bxu4qv44+BL9AeR
xgg6Oildf04TUFUwf8v0uq3z8gvmba0DLOCuId/5sFe/eX5BwbwtcLfr0g/jf8hvhhqcmbLxJGDi
SVedFxtV3ubXXodqk+Cd6GIyBfQNzY6JtXR5vGjTtFzw35f0LVkoxwavy+y26PjSzvIMf0VnEVYL
GXZHhsDJl76Q7n31tfSCH+tMWjmnUMlX/OyXr2/c+NtfvbxSplBA8CIQ37QDnugteKIgKjqGzLQn
Y5Z6wgQPkycziwujteJYC33CROHE+mUli7pKzSXFXCwqBbN2M34ro7yjlNdZ3Ga3V4/lixYvXizj
hAyHLcOk4lZu5VwbX//lz1bIVQpODs38j/DDr72KH35BLWjg6RSyk+nZ8Hw38ytwhXwrWKh6RC5M
ehjaSLPxT5ypNDrNZpdB6dDYgg4n+ELMXz8xKvVTcRpGTeqoDKHxd+V++Uw0F60S/xfIZErTsrnY
t921QGlcN4r5w7Pa43FjxShWHG5oX/Y3YxN7B1kcZivIt5BCoGUx+ToC76jhSyb79TQNuqvi1DeN
9OnaVmwV5wlYVMGzgbc8Hk7Aa3yplS1ZFREhu+/OVT1XdSeic6/py5wzf2EO9G11SsHvsvutENMX
+HLrk36NxqwF3ekCbmt+qrsiu2/15vrajf1tJdBFMvpz/S2D1R5bXlNBSUvSviXUsKI+PmtGylO8
sr83UlgfN6ffxN1lg33zc0p72hpDNRvnF0WbBqdVLV20sDDeu2B+lqexfU48rNGrZZzSqHeVr1m5
OCuc79NxKqfL5TNqVIZQdV5mZdxhj9fMXspznvJpTYl4YyoV9pbEnZ7c6rGs4nm1IZM37sgdWDqQ
F6itTfHXgZe8dPw0/7Q8IMZm9x5DM6EX4TBy7f0zcWJrLV5Ri+trcXEtDtfi2lGuPmXVZWTodpTg
S0pwawmuLMGJElwCB45sQJhUUdK5o2s43z4Kt0H5OqwbHf80pYEdXeV4fr48OorRiKW3YRTbhuVL
Jv6SAphx3yvQj+h7U+ylmcnSP5GRN2ATU4a0ZOcOYSnPGXFm4+5PF6/Zv7Fj16JpEcGcN3vb/nWR
tlSOQSnjsFKr1kZL24v6ru+O8+669nkFq2/vjT7uKF0wPTKzsdYdrF1cm1pc48Vf737w8pasmWv2
fmNx16NfuXlltdpo1uqNFoPZLagMJkPbnkcWGX1OY8Xym/orl0wP6x1+81WPr87N71guxmmg2+fF
N7YS6J2U65zJjAibzMglfdoIUXounjJNQebmrGQkyEpeXbKSP2kBkR75P54CdBAsILmGgDRaHZCG
gwDfJlFNOIDJ/2CTUmvIy2ApxIt/TURN1oRpZms4JI5niC8kkpIS36YgRIM0uTke8kdHjV3kTSn2
ItjkOnHo/0DhTJ1DSoh9o8+fEZFNGdiW8c8n1w5dtePhFYn8NUN7dgIOGTyJ6vb87kum2X11y5vL
u6dBXMftvfvD4YH5j3z00L6PRHxs4L7Lustcc275zpo7frynMly/eNN1YHKPQ0j2oNyB8tCfUuGw
D4e9OJyBQx4cduOwS1onHRd1byY923xxLQ5Rdz5GRLUoLo0qxiWFxqXxtbik0LjUdY6TV8sMPie5
yKkl31qTZPCArxyEe5qkNYxT0o9LLxOB6uGKh0zYZDGP4tqDoc64MIqV9A3Wwtqxk+KYLvmcJMuk
2JsXRLMoMTl+0Sf14thiYehxKei4RVlEmvM0iY3ggwqNXjm2SKnTKhRqvQobPiUrongFBOjZMh0E
LU4Ind5RGdTyBjJqqxTcFrPbpOZ/ebdGpvc5TE5Bp3iWl8mwTKlVnLlNDeEAaHsTaPsBsOkatC+l
j5fihA/HvWQsKDXKXEcK24kV28WG1B4Qxxy43CNFEdhQhaTriie5K5GWKkdLRn60ZCbTVF4RCFSA
8eUdKbIr8roEcP1ZTEN0BDwpLh8gcwknJ/4AhagjcYznLOWQYZtzuoyKiWZCKb608oAcIpWxEoPN
qOQ1Rt2Z+asrzBklc4rFxcFKCNM4ucpZ1Xtp1eJb+/LsM65ff5IrUhm18pnkjRyl4LNbfQ6HHmsW
3bl9aSLRXpmZmZWpMvtsRrtgsIVDzpJFOxprdt72xKZX1WZx1mEl+IQ7QX89WH4MLQCVZRCVLcAF
KlBKAan4BaLeCojeCka5kpRmVld01iynBbenyJhjFE6JkqGwFKRGU7zBoxLYLIN4pScgLsyjJusB
zR8Wh3fE1bSkfhsk0zRI1m4gBWeBYjBUkUUbVSlxUKEKi6YrmXBKQxKrTFUme+ko1kIr3ZXzj0BA
3kJettJOvGyVPF0hTLxvlUiIo3CvTLxuJS5OIxP95gqBrYhITL5mXzplroK+jktH6M/v908Wos3H
83fWbHn00rqNPZVGlYI36NUlXesbpi9ryEx0Xd6+E8pKqdAa1Bunr26JuYs7SioH2go1ZPQIojBL
Zff61IIbF+YGahZU1a+fk4s39d62oszm9RsMEGeHMwKRQGZNd2FZTyoTqofN4jIqM1O9ZVktpf5Q
Vkhu9NiNDpPBAuWcN3frjGmrOyq0nLJkzqXg+8kbGz8X33DIQ2dSlWTgNBfHcnA4hsNRHMnAUQ8O
iQ4q4sQRB47acdSGo1YcFTAUcViOwzKc8GDRW5mpt8q1O4HYA4K0NouuyTp1lKzZysjLE0bHP0t5
4QyBVD+BWIRAphME0ogIJMAVyF+piSEZ9VUyaADYEteUhqxxleUnY548sYBliaAgaIKdGvpmBdS6
otOFhdLIX0KaVSEvUp8UcbIGnvPBZy/snKiaeNJX2XEIB/mfW813svfNx97RCXqIkzVK/LLc4svx
QZAl3Gmypb/KpRfih/GGYDT9HptKwIJC8DktPpdDz5tVZOkn9GI++0GI+8tYJalxy6HG3SM3gMd6
LqWPleFYqbiUgBc91hHqsMokr1Qm/uEt8sooedkkC1SfRV7AJfUiyzC7cH3hlYV84YVfLX6SKxLf
ZJHa0sPi+ifLKFlYQNYXWpyl5C+A6HIq/xkg70DIczqcZ1WdvtOk6iQTWHhVqjEn+l6hlYcql2j3
gn+Ugq7XCJ31p3egQyUtJuTvadozvKZ6zdxSo0L8SxVKTfaM1c31GzryYh275k3riWY4/V5umsqo
kVvNaW+oJX/9/vUV+KFVX1tfaXI5DTqT22zymFQurzvQsHJmzZJav84d4YzBgBqcYDgrfbecKxnY
Oz7OYklOwf9I/J8oB6EOPAGa96PXjiET+C6NKYjbTIIgvVx79ku3b0vt5MeiLW4RJ2iEUXaVINCp
BPEqQbpKPKwlc0BbBVJxFNL0T5CVbBBPeangl+KaZpvUIk9Zr/i29OcmTh2Ga2xy0yjOPeju0E68
BCk2yWIpJKT5GjZtMzljIw51Tx1R5Z/g5WpFOk9udITdmVETp8DvjN1lscg1BjX3gcGmVchOmL0e
l+HMizrotCug+y6bmRW2QLuiMGeAB+kEbe6HliIfTUdPpyzxPJwtx3FxriU7iqMa3EBcQ4BkswGa
Dz1rObw7CnBFQUvB6gI+UYALyCu5amQwBNAGxNH4XLTQU4eIhVaRdgIurSLxifiK4NYqXFrVVLWi
ig9X4apRLpEyJCM4kvogEFCW/jO7C6xWNaycNyVwF0N28fWJPilqL5xqs6LVys6dkC4760Vy2dmr
Zkr5/db8jp2PbEh01OVYQTlalTZrWmfRwM09OVzJvv41d/XGCi/5xqaOKxalYqYnMqf319Ytqspw
lS+Y3noL9+Tcxx68eVWVVjCb/W672yA3mo2tu/cv8udXrbila979lzXF29fu/WrTnifW5CdnLyup
WtoQEccGm9Aa/ojMjpLIOpId9pE/fqVTmFGy6OTYyaJ/9/rrOX9q5IhCY1ClR1WmDJvVawKm1msU
EI2pcIvK5LWSLjcwvVbOpchbW+l9ZLUfeUUSr1GZPRbyd6+A6dVyOX2jlkQOCH2Vbjj5udufuKVT
tp/SjW+9wHZItnBiO0M2edMFtwPyA4ps2LZPbsqI8vjkpir/nG1YNaxuU39EN80Lk5s2X9qeutCm
y9U9wzZ9VH/PxPb7i5v+94Y7Pm8zZhuPnL8J7dL27vmbaeP/3s28+ALb78lmWfg52+/JZt0lbs9O
braH7AVnbc9eeHPMg+3vzlV0c+VdYHv0/8nmrrzg9r7nBbZl9GY8wzbvxc/Fz/+/P/vO2b7v8/gG
fdf5XvK95Mfi1uMf+tztl1O2M/4zgamfusAqcRsO4v/Wlg3bX/+/3zLv/X+/hdrCfPjrkS9GF8VM
MVdsNDaatfH/su34xe3idnG7uF3cLm4Xt4vbxe3idnG7uF3cLm4Xt4vbxe3idnG7uF3c/idtiKxR
xWRqGVkRL+JxpCD/Jwd5Ox5SFmMfvgnfx3/Av8v/jT/N/4Ofh7eiGGpAy/gt/Hz+PbQDX4E5fBw1
4j58C9+NZHg9Xo0vw240H/8EmdAWfDtyIjOK8rvRKv5KbEQ1KAevQdV4AX4eC2gBPoz/V7v28xJF
GMYB/Pu+z/vuJkQLXSIIwbFI7ZCHhLA8lSlUkJ1czdS1CEkPrkRlgqeVaOkm2h4ioluY1aGIJMKQ
DhEEQfYfRJTQdpBAN6bn3Z1lp3U2Zg6F1bzweeed9/c771zmZeooKRZojL5gQpzAKPZSp3hJ0yKN
HXScunFUtdAQxRHHZVqhr3SaeukGmukKFF7A/EWuzCqyHbbNsTAx3yvgL1gB8nPdyvsgORVBFDjU
PzSYSA4WSsCja2yCv1BWL4us/VNGYa+htpSIN3y9jdrAujCrDqPf0zKXudBHn+5hVm9GdzmV434c
UgVwHVFD1XFbRj3eIu953IYKjmEgCGXxWEwnON3JaRdeX5unD4i5aQt3/VLXYEWr0VJO7UYj91W9
znMcCIXy3uFUUGofMpRAlx9ct8+N1tDjhxzBro2MFtHkh3lWRWIJqUA+2UtFdIefuYPLPEXOlMby
tJ/3I4hS2z75Chk3qkGHH3IONX8Kz3PKL7oJSz9BUzm6iHq6BWudesRDoVAo9J96hNSvCBsNcifa
2bzUmNGTmDZMfhF/AV5lewLbBuFFjqLVoJz9rYJVymGhSA4jxcZ+F7GItKEvAP8C/j4+v0G0szmW
ZOdYIzvrlA04ToYq4/f/iHPGVTmY8xH9bOThg/tPe2MHV7C9cKAy/3n8tbm+jV3KrK1+T1ctRx/z
bVX+zIbDDzq7aSYKZW5kc3RyZWFtCmVuZG9iago0NCAwIG9iago8PC9GaWx0ZXIvRmxhdGVEZWNv
ZGUKL0xlbmd0aDEgMzQxMjgvTGVuZ3RoIDEyMzk5Pj5zdHJlYW0KeJztnQlgVMX9+Gfe2yN7X9k7
ye5mrySb7OZONoTkEZKQg0BICCRAIOESFAsCAcGi2NYLRa33UYWq1VpUlgUxCioq1Vqltkq1am1t
tYdHlHq0Fc3m/5333Q0JYrXWX/9XdvLdz5vjzZv5znfOtwqhhBAN2Up40j6zM1JMxM/6N+FrzpIz
+9egf91R+HpvyYb17khzWTNc/5YQWdryNaed+cO36+6Ba0ivMJ22atNyTO+H+MhtK5b1L/3gI+41
Qi6wQWD5CgjQbDe2E6L7J/h9K85cfzamH6iGsIOrVi/pR3/XVkKyZp/Zf/aaDId1NyH6DAh0f6v/
zGXJ8h2Gr6w1q9etR//3WH7uNWuXrcl5cORcSA/5mXcSIr+VkMTV5MTnfHA/ILvI/eQh8hj5OXmB
fEiVpI9cQB4lb5C3yQfkU0qonJppBs0l39gn8V3pmUTDHyIyYiVk5PjIW4m7R94iRKodE3I1+KyS
wImQEePI0MlhiasTg4lfyFREL96r556B0GN0aOQ4V8v8I+XMz13ErsU7jslvTexO7BhXnDVkLRkg
Z5NNZDM5h2wh55LzyHfJheQicjG5BHRxHlxfSi4j28nl5ApyJfk+uYpcTa4h15LryPXkBnIjuYnc
DHq8hdxKdiTjmP9WcNeJsSzmNnInuZvcA7yd3EF+RO4iPwb/T0D795D7IAxD0H8vhOwkP4TQOyGU
pWJhu8HFyB4SJ3vJPmgz9Kd8g+QQ2U8eAD4IrXmAHCQPk0egHQ9Byz4uhrGQlP+LU+L3E+Qw+Sl5
kjxFfkaeBst4hjxLjpBfkOe+VsxPR0OY75fkV+R5sLWj5NfkRfISeZm8Sn5Hfk9eJ38Eq3v3c/G/
gRSvQJrXkqn+AKn+RN6ClEOQEtNhmt+KsX8VczgK975O3qRp5GPKkU/JCFyx1rtObKEbxXZkrcda
5w5Rz6w9doOftdBdo21zL+j4XmhP5mPXNyVb4z5Iuwc0mNLfqbX2i2TroL4PQhqmCxZzJKmLp5It
wfJ5ZPTeZ8S4uHjf46O5ntAo1vDXY7Tz2zE6/BP5s6gZ1B7GntAeS/EmpGFaZnmM1+0f4V7UPruX
hY+9h8W9Av63YHR4FzTN+I7YEu+Qv4xe/yUZP0TeI++Tj8XvY+RvMJ58SD4C/98h5Bj4Ph96csg/
wP2TfEKOQwt+RobH+IZPihkmCWhjQinlKE8SJ65OhIoioVIqgzEtjSqokqqphmqpjuohZHyMajTG
8LkY9SniFGKIkZpoOoyXVmqjDuqEcTOTZlEX9dDsMXH20Rg3xHipj/qTcRbxTvvovS5IYR2TNpcW
0o3wHaJhGoHrIlpKy2gFjUJIAfiLwV8FcYUi60g7WUxWkePSv3LPQv7pMKrsERoXLexdMH9eT3fX
7M6OWe0zZ7RNb21pbprW2FA/tW6KUFszuXpSVbSyorwsEi7Izwn4fd5sly3doNdpVEpFmlwmlfAc
JfkN3sY+dyzQF5MEvE1NBczv7YeA/jEBfTE3BDWOTxNz94nJ3ONTCpBy+UkpBUwpjKakenc1qS7I
dzd43bEj9V73IJ03qxuut9d7e9yxIfG6TbyWBESPBjweD9zhbrCtqHfHaJ+7Ida4YcW2hr56yG+P
SjnVO3WZsiCf7FGq4FIFV7Ec75o9NKeGihdcTkPVHo6kadhjY7y/oX9prH1Wd0O90+PpEcPIVDGv
mGxqTC7m5V7Jykwude/JP7TtskE9WdwXUi/1Lu1f0B3j++GmbXzDtm0XxQyhWK63Ppa7+U0bVHlZ
LN9b3xALeSGz1o7RB9CY1K/3urd9TKDw3qF3x4f0J0Nkfv3HhF2yKo6qCeJT1wTKBiWE+nk8rCyX
DgpkMXhiW2d1o99NFjvjRIiEemJcH4s5lIoxd7GYramY0dv7vB7WVA19yb8NK2yxrYvdBfmgffHP
D38Q747xgb7FS1Yw9i/b5q2vR73N7o4J9XAh9Cfr2rCnMALp+/ugEiuZGmZ1xyLeNbF0bx0mgAA3
a4OVnd3iLcnbYulTY6RvSfKuWKShnpXL3bCtrx4LyPLyzup+kJSMvL6n1O3cW0JKSQ8rR8wyFRol
0LCte+nymKvPuRTsc7m72+mJCT2gvh5v97Ie1kpefSz3dXicR3yieBfU7aTUqcSs5nJ/mrubc/I9
rLUgwN0IX966aojQQ3OJXtaiddXubuokqWTwlGQKdjUuH/Dw/qlNLIpnt05tcnp6PPj5F0VyJssk
9cfSxuSlh4DRMuFzvrBomJoVKNfdsKx+TAHHZSpNFjCZ26nLyTFdJB8Md6Sx5mxKRfF+6LkQxkE2
YhBrRZs7Rtrd3d5l3h4v2JDQ3s3qxnQttm9rp7d11rxusbWTVjJ7nA/jK9EXIx6ITnm4qWCDjSFn
qllF/zTRP+ptOim6ORXt3pbmbe3cxjL3JjMkbuhBUGlZoLn/0kpjKXTNRhjdvI39Xrfe3bitf3Bk
6+JtewRh25qGvhVVLA9v89Jt3s7uaqdY1o7uLc7N7FFG0kpbZ9cV5MPYU7fHSy+etUegF3fO634Q
1rLui2d3xznKTe2r69njg7juB92ECGIox0JZIPO4mYfl1AGeNDG980GBkK1irEQMEP1LBikRw9JS
YZQsGeQwTJ8K4yBMgmGCGMY+0Ei2FaBiGG4b3EtZ83y7Z8W2vh7WuYgFmhL+aIx6a0iM89bsoZxM
HVN6l9XFVN46Fl7LwmsxXMbC5WAYMBeCctiYtK3PC+MUGFQ3cVI0RZ5l6R4cGZnd7TniHOrxgKkt
AJnXHVOEYOyX+lsg3TQmfRA8LbZ1ST8rB+nqZvfK/c1LesBsUxlCkuaYAnJQJHOAFI3iPcwc4aYl
0DbQgOL9W8ET29oT6wmxh3av7BHNWR8jTd4qaHbMUxpgD4r0bDN6i8W+CV1B6b+IQQFlI53dGOIE
LzysB5UkV0PJl3ghakmfG7QtIUs6wdRxLFU6MWQZDImSwDJRlM5kJGHV4v0qjTKmCEOG8MeuVWHW
JaV+eU8PFl70XZRMAM/Wx1RQosAYVSZvAO1AVDMrC/xdBEVlSR9j2cwaJB3es2FkYYUWc5JDdEzj
b+6HwR/vV0GItzJ1cxobI1TJPA5jqJzVXA165/2zB0fu8m7yjPkU5HvZ5MAMkzgfBMMmPdtODojN
DxXkp50cqhGDt21L05z6BtRXmmaUEEjA1GGLmCD0sHLnp68cv1DxLgsZ++HfZyG6XOqGneTDRA4d
QU8isFcm6mUjI9AsdI+CH+Q+iWdluga5f8azQoB/xLPyAX9HfIz4COM+RN8HiL8hjiHeR7yHKYcQ
72LgO4i3EW8h/or4C+LPiD8h3oxnKQBvoO+PiD/EM42A1+OZdsDv45kRwO8QryF+i3gVk7yCvpcR
v0G8hHgR8WvEUcQLiOcRv0L8EvEc4hdYiCOIZxHPIH6Oj30aU/4M8RTiScRPEYcRTyAeRzyGOIR4
FPN8BPEwBh5EHEA8hHgQMYh4ALEfcT9iH2IvIo7YE88oBsQQu+MZJYD7EPci7kHsQvwknlEEuBvx
Y7zvLsSdiB8h7kDcjrgNb/8hYidiB+JWxC2IH2DWNyNuwttvRNyAuB5xHeJavO8axNWIqxDfR1yJ
uAJxOWa9HW+/DHEpYhviEsTFeMNFiAsRFyC+h/gu4jtxZyngfMRWxHmIcxFbEN9GnIPYjNiEOBux
EbEBMYBYj1iHWIs4C7EGsTruKAN8C3EmYhXiDMTpiJWIFYjTEMsRyxBLEUsQixH9iD7EIsRCRC9i
AWI+Yh6iJ26vAHQj5iLmILoQsxGdiA7ELEQ7YiZiBqINMR3RimhBNCOaENMQjYgGRD1iKqIOMQUh
IGoRNYjJiGrEJEQVIhq3RQGViApEOaIMUYooQRQjihCFIngat4XBF8HAMKIAkY8IIfIQuYgcRBAR
QPjj1kkAH8IbtzKDzo5bqwAeDHQjXIgsRCYiA+FEOBB2hA1hRVgQZnxCOj7BhIFGhAGhR+gQWoQG
oUaoEEqEAvNMQ8gxUIaQIiQIHsEhKIKIoCOIBGIY8RniU8RxxCeIfyL+IT6W/l2sEf0YAz9CfIj4
APE3xDHE+4j3EEOIdxHvIN5GvIX4K+Iv+Lw/xy1ewJ8Qb8YtYGD0DcQf45ZKwB8Qr8ctUwG/j1vq
Ab9DvIb4bdzSAHg1bmkEvIJ4GfEbzPolxIuY2a8xs6OIFxDPY2a/wvt+iXgO8QvEEcSziGfwvp9j
1k8jfoaFfwrxJD7vp3FLHeAw3vAEPuhxLPVjmNkhxKOIRxAPIw4iDiAewqwfxKwHMesHMOv9iPsR
+/BBexFxxB58bAyxG3EfZn0v4h7ELsRPEHfHzTDu0h/HzVMAdyHujJvbAD+Km2cA7oibZwJuj5s7
ALfFzQLgh5hkJybZgUluxSS3YNwPMOXN6LsJU96IuAFvuB5xXdzcDrgWb78GcTXiKizS9zHllZjy
CsTlcfMswHZMeRniUsS2eHo34JJ4eg/g4nj6AsBF8fRewIXx9BbABfH0+YDvYdx3MeV3MMn5wm7g
MV2D631tk+t19QzX4yCPgRwCeVQ1xxUH2QMSA9kNch/IvSD3gOwC+QnI3SA/BrkL5E6QH4HcAXI7
yG0gPwTZCbID5FblCtdNIDeC3AByPch1INeCXANyNchVIN8HuVKxwnUFyOUg20EuA5mi4D7jjpM5
xMV9ClxBXPS8uIl1x3PjRmZa6xHr4gZmWmsRZyHWIFYjvoU4E7EKcQbidEQ1YlJcz1CFiCIqERWI
ckQZohRRgiiO65idFiEKEUaEAaFH6BBahCYOjTJI1QgVQolQINIQ8riGNbVMmA98D2QI5F2Qd0De
BnkLmvP3IL8DeQ3ktyCvgrwC8jI0y29AXgJ5BORhkIMgB0AeArkFmuIHIIN0K2p6c9zATH4TKuds
xEbEBsQAYiqiDvUwBSEgahE1iMlYZTMiHWFieJDneS4uuO54hOfIPpDDIDxPsCznIDqx1TuwZLMQ
7YiZiBmINsR0RCuiBdGMaEJMQzQiGhD1iGyEBwvvRrgQWYhMRAbCiXAg7AgbVtOKsAg3A4dBPgP5
FOQ4yCfQwP8E+QfI30E+BvkI5ENo1Q9A/gbyF5A/g/wJ5E2QN0D+CPIHaN0jIM+CPAPyc5CnQX4G
8hTIkyA/BTkM8gTIIMgD0OL7Qe4H2QeyF+Rm1vrcMOp4C+LbiJVxAyyF6ArEaaiW5YhliKWIJYjF
iH5EH2IRYiGiF7EAMR8xD9GD6EbMRcxBdCFmIyKIMKq6AJGPCCHyELmIHEQQEUD4sW18CC9CipAg
eASHoNgjiXAbcAQkAfJXUOyLIL8GOQryAsjzIL8C+SXIcyC/AEU/CHIB73d9jw+7vkvDru80be06
f9fWrvOatnSdu2tLl2rLpC2tW3jVFifgnC27try6Rfbtps1d5+za3CXZnL6ZU25q2th19q6NXaqN
VL2haaBr9sCbAx8N8OkDsweWDqwfuGbgKATI7xjYN3B4gB8cOSQYByonNW4duHKAS4d4jgxQHQv2
DKi0jeub1nat27W2S7K2dC036aO19PW1lCtcS9vX9q3lINXetb6cRpa6bK3F0ahfW7hWWMuf1bS6
a82u1V0zV69efd7qHasfXS09b/UVq7ndcMUJqxWaxm81ndn1+zMpOciNED3IIW4kzitXH+AShJL3
uYQwQs8ABZwOilgZPq1rxa7TupaHl3Yt27W0a0l4cVd/uK9rUbi3a+Gu3q4F4Xld83fN6+oJd3fN
hfRzwrO7unbN7uoMz+rq2DWra2Z4RtcMCG8Lt3ZN39Xa1RJu6mre1dTV3kSnhRu7GvhyF8wgJAv+
1mRtzTqWJVH1Za7J5NZkvp55LJNfk3EsgzvPSXWO8xxXOHgdfHH4ZXfZr7DvsO+2S3XiBa9eY9xq
5NYYthq4QoNg+KXhdYOEGHYaON0Vuh263Tp+pm6R7n3diE6yW0d3ax/VPqflZ2oXaVdreZ2W+Xm9
oA0XNeo0Lo0wLaLhqyOaWs1MDX+FhgqacHGjoPEFG2vVM9WL1PwONRXUgdzG95UjSk5QQsT7ihEF
N6KghKduSgnVA/g0aJt91Oxq5B+m7HhJSii9kswOtQ7KRzpaY2nt82P04pi/k30Ls+bFZBfHSNe8
+d17KL28Zw/lps6OpbOzZ9F/wfbtJLOuNZbZ2R3nd+7MrOtpjW1l14IgXo+wawJJekIL1w2sW7c+
tC4EXyAL10HI+gH4E0HhGziwnsWsX0cgSegLPizFOoYBMdG6gUUDkAdEQPA6MZj5FopJviiP/+rn
C2vy3/jQ/50P///7Y1u0EHoXSazjX5VqCU/kJErayAwy+yDR0FuIlVTRZ/bV16cVyB8BL0fc9BmS
Br3xFsEk4TROZ623THYZP8vQXCu/jJtNaod/99qT8HXEGI0coZHXhl4c0g8/aYhGho4OFRVSg8cg
SrqWk8tlMm92mCsLBspLSopruLLSgDdby4lhpeUVNXxJcRbHp6dCajjmp/yrn83kG4Z93CbPpM4i
KQ35rS5TWhrvytL4S9y61jZveY5DKkmT8dI0ebC8ztu1sSX7F0pbMCMzaFMCMzOAw49Ltcc/kGo/
nSup//Qg99dod41Ptkmj4qSKtFtyssy+oozJrRqdRqp1Wh0Z8jSDVpnX1D98o8NvVSqtfkeGn+Xl
H54Eg9PMkXckaqkX9HYpG3m6uuMZJPQI9xTREhvtJx4SGPnrPpWOTg+wVYOpUwJLggfKCm0sqJAt
KwTFHGKrdbQNh44O1bIvCto6XFToPPh1Mygq7PGna1G9pcbyctCczJzUJNOxOT2LYypnGpWoeZnS
Ujt/oP6CF69r7771tQvKl3bVO5UyXqLUKnTh5mWNbZu68iNzz2lrXN4c0SjVaZLDdq/daPV5LB23
f3Tbjyi5b54xM+A0ZgQysvIcam/IWztw54q1d60q8+S402whAnaznRDJIbAwI3GRs1BPjxITdzMh
xMFdRRTElqykDVY+gkI7yynWz8lWRYJ0tli/oVDtUIiiKTkf/Mp3gDaYwXk92YEyQ2l5iQdqLS0F
TXgNTAmSQ733fXJP4hlPQYGHTr/3bz+akzgWWnTtpgsuWXXNkiLupvjwztZgvmRFfnDWjrdvX3Dr
+imfXVl51o+h5aFO/GVQp3wSwxrtcQQHuasEncLkNrmhTg6bBkrkeIjmsjbcr6FtgYDMPpgst10s
t2ZWUCx3kK34BNmYckMXCrH6RozRaCSiHyqGWu//JrJE8xivENE8PIaTLqF6Sp1ieAPTDXehQquU
SsEoEsX0IoWOXesUiU30eXZ9GnQvFapJaQ9mQSdTJQ6rrNDtAlZl4mqVLcjeJW0fOc4vAY0FyYNJ
jclNg9w1gkWTSbIy5Tk62ia3qTV0ulyvgsuH6FxiGjm2H65NJrtscOT1vZBCJtZWS6fLYI29T8ie
Ze+CGopVTFYwxLR22BAVVSYYvsF8R21prKZSY1RKl1BFFWiph25XaFVS8Xqd2lUcDJRkaUCP/SxU
cltWrk2duENpy8nKynGoElkqvUomgy/JtflBlT0PtNU88rbkZqmP1JJXUVt7MzJ0NvbqgQR1B7gb
SSnrA6zoNij6Xo3IY3vVjDS4Lzs7Gqk5QCMwviuT9qGEmgmKaGe6aB/pbP8iROak7IMNHQaoKSoQ
xqAh8KS62v/MY1L6HDcwlVcYvGCabMgXtQwKloyZBCSgFIVGoanqu6B74Q2rqiadfu28/Dn+j43p
zDjp/Xq7SWme0nfayrKbP/7JvL7YJzfO3nZavVMtacjMsyt9eb4pG+9atvrutVXp6TS/oDwjYFWp
LK704eGsAkdGurLn7g9v2jG8Z6HVE8goQZul10rTiZnkYSs8COPZNfcLSn2HVDQQGoFqgZr2pgJS
/QttAodZM71Wk4UmoHEVB4LFWRqfUq+UyeBL8mTqKtlHJDXwvBKyODVOFnLXwDSg5K6GQmRzT+7N
zzcrBrlnBa1AzMEOj1Lv7NB34bNrYbCAEh2FIjEV64eLWdEE1amSjZYzEAhSw+dKbKA4B5vTZXJK
LRZJjcpVnjslapcnNqlTdckqYXVR03Pk6e7iYE6pS220J26h37UogiqDSqaEXJcP3zRq20+osKaq
4Ze5gMaglECo0uALJiLDD+Q6sfays2CEqCYvY+0Flaaw0BqJKMM2m2OQW7rPV6RWK+HiAeIrn2VX
q2wHaAERSHjk2D69l5teBLYpuNmVVc++NfhtjRQWhWWunFmuLmNKB7VGa5StgUBXxcXFTGtDxYYS
PfsyRCdHSkoMJaC7+7/Zp4wzDi/V8uwqSL3jRhGmdistYQ0gtoDsLFVmod9XmKHmEpdIjK7C7OxC
l5FPXMepsiIQnqkqL7gnXFfoVlObhGZrXLmV/j3OoH2MjWV++ibom5eyVsj49I3R8PNLynXeaN5n
wzzNq/LptHBXygoHpUYymdyP7bA/qFOGdbp09p4pK1wM2EeyKjtymSKMugA3PTcnnK3Wsyu1SqYb
pFsegJmADaJhdvQyOg2JpjdkiEZDMAZEQ6h10HnEgOqOfwN5pnSMqgXr9los5s8r2JTFW0sCgRMW
LxnUO/2mNd6SUI498UhGlZWTSFTOsM8bdigrcrYHSnN9ps8soZyAkfK8OiPsyw7blQusPptK668t
5nrLt0xqumL68HwlmrtScmkkoskqCyaCoc7O9pzGGxq4RUq9WipVQ1fnRB3zYOsZJJdsTc6HPtkB
6OYGksk9JiiIwS+OoP5BGtork6m9qXneCwH7BPMs9egMJY6nTJfJdcK/d2NqGPaePJdJxi6U+Prv
PLx1VXIYUxfl0KJw5/qNs/MTQ4WNbblrNtR2lWfwF5z543XViSWj9nVZJCK31iw6b3F9d54q0Zw9
uStZ8zaoeTmpJ7dgzffpw4Zc5QHuSVgRVnA3x3NrDeK79rA+VXb9IPXvFQTr5FTA5EGau1/wzLKm
utpofaIwfRUfHRLnmSioY8/Xy2VMXw3yYf5z6rFYs3i2BpCDIVktFloaCAYCKW21pWVVFecVZ6ol
6805RUJeR0pxsMycWVLnnLFlbtgjLKzOLCnIMZ2pUyburapLLynYcGHl7MqMbJVOCbZnUFNP0fQS
R8I0qs/r84MSXlU+d2PblDNm15i0OdHm8EjAyy8Vuo1SWeL7zqJ61n9rR96CxZufNJMDqVlrCnf9
/b5iX7HayX4DQdRhNqRVECUt2G+oAGepTqmkepAWCOopTmlup0W0Iws7uBSko1M4624hAy5L9UPM
7MQ16pC4aQl/Q9meWBtIUts/3CeGZUn/yZsaGX/Z9O/ct2Tquu5JDpUElqXakvbVzYXTyzIK2xav
WNxW2DCwoye8oL0mXS7leLlGpSpsXFAREkLmyMylK5bOKKTfW37TaaUWV7ajKOzKc6g8OR5rXk0g
PpyYFcwsO7shygOqOpRyNojWep4dZlXls4XGtRLe8gF71KwQNbO0SYFKFtcNY8Hrf0puFyG7ikAY
hW7Az3x6vizh0K4qoCjlHBjPxIaOM382DBY0CUdvx5WUXWtiCemtfBwmBOyLDV2seVr5gM9LOX2d
6JZxbLZbVkKb+G3cvXY5bLFY03LTcx7y/yJFFxkHOGherCmYJFZQwGZk3zWspLKzzM4QODIrwf7M
lr0trj1NP0Ywkh5WDqdSu5LJNvfMkKoqu7UYZiw0a5WOg9Jw08yJyE4m5lJ8ImYEil00Zi57OAC8
81aX1qEBVV3wmpu1JtyWgU8Cn+eIlKsrr7+Wgq5RzoNNW67c4DYt6YYUVz+JBj+4VID+KIb3qLtI
E16lxePRu+4RL4OZ3jgrTffj5Bnahbjfb/4drSzqPj7+JilksGEw3U/TY9CRaD0iovqjOH1cSOQl
pTDd43ScOqgguw+i5oSWUTVszUkkNVRfPipnwF5+VmaHE9FLEuNQnp7GpxhwHo1qre6gmO4mDVcQ
MtuAlQ4XlHYiLeAxGDM+Rx4GL4FQGKTZixCVc4G41YgGaD+riqO0VR2H6ahKELavnfYhAVy7VIVa
ADnPJjIpPE6v9sqkMOmY6cwQTUJYWH1ZFI0mIs+Sxw1IX2ZY402jiuyoIMC8Lvftr8Z1pBymdYyO
RxlmjiUXPLFFsdaImyySf8HMmHHMfCgflRvMEEUWafDj8oquN2nARavs2CO/WQERujKo/DtMnTF/
XN3oLs2Mck9mmw8qzPdRvhjCfZVbs4oQtEi6eeBOMlqp1RHmLHGoHCuRHmY1me20Nkn5TZdeh0Eo
z2gbLqBUd4egnIpXIPx7PQUuH92F7iZf0foQF+rrwsSKlKvC7kpqkG3PuuPZdpX95Gy7MCxEtZhF
wXJ0MXLIqX4eX3oRjwwbNq6YU2kNFC+Zfz05aVyIazQbzDnetKMgjcejMU2ifLv6NBVF60rTujXD
GIf3Qm7H5qSSD18e3jM2XHzPHZ/PAcD12ujsWtCgcC1tNiIvPesFoPGNTKlCDtBiAW/vYFhiopCj
Q/NjxEdA+WB8hkF51TcAITDVzAhhr9DP7O511o7ynn+QawtxK1OpSpjQ/SqBcbSVsCqpTafInTyH
spDYaIplUqeolkPYY9ars7xGrwgiIoAo79srm8N2gwPAGlTyIBct6AQrbJQ7rkvibjvLaTc3NL7A
VAda4Oep6M8K4ONLind6J/jg4MJvv0HgrvhpLqArr0GaCHsaLrgqgl5BhZ09CoFy02dQufiqE8bu
xqHdIvxo5Pkk1Yzv90CPsuhf0/RO2ch5pzsTJQMvpNOa6M5yOltnVPclzdOCj/zpusyejjthwsyw
eZGSAn+Wf4T3nAwy92nslQf/HF3XLTE2UMjdu7qChWD+khLCMmfl5vO7Q7E8Ju7olzLokvnwYjhO
PYi9la5IxpxQyxJ2n3WV/LDGtRd79bfNHqGau5QFV0RvoVDsWpBqMsiHOfC2lSzDJLiwPizDJLxM
3fqgwKRijOSA2DqUqno5mogJMapa0K/VojkZkHF1+f7kBONYg8YVcgYrAhgyMZJBdtvglFdwhqrj
L0mrZEUlCeG2Lw8ZvvEhFb7Np9NIbETBN1RaerGdn9+iNKT8uuAT6TuCAHYeDO8Ka0FVdCRBQ6mr
K/spOcv+eFOQ72G9Zai0C/t3mVVRcYrJyXJ92KVJDnTBVQ/+AJSeU2fGhPGuj6wmO3A27yzJWN29
oJ9yt7sbMJoLGpkb/WSwyfGCmy7cFMFGEQ+lJwwwEB92alGQJjL3po6hOZSnjJzxpMMiatSIQd2c
C3CYT56Rn2lzyTfQn13A6+pmTFt3813SN72utOAbf/Rzoy0cwQpb/d0x/wjRcMZSjBS2EY0uCEwX
XF798PylDGLAs5dW8Hb+jJrM83JSJGIWXP7uoipMZlxhPk7FxRcF9jAEkLE3/BpD4PZVdeN6gwhb
4+4PmiFJCGu4LepF9ZF86L8fB8UMxzTApkEhOF+Jc8VNSebaU9aVgglDg2nSlGqwpsNl3jOdKOcF
kAxcATdd9W8tChL3be6lPqPPxtTBpOyK2pC2mvCq9out3tvF33WxRwhmPA4vqpDp5qtxD4HiYOWD
Gxi0dELEDmDdGwYncX+iABflWctEDmJeTZXPZr0SQNt8cRAdTjVqvhfcCEJ+dGGDCyhaNBqsYA6B
8Rl3SMKOMzYKtoijYscEOl4alqztchUio6xqyq5RVkEtFUtWt9DpJWHeM+oN4UBY04nJVjimHBCm
tJo/cumTPHPnguMCd9xS2ggHM/PxsiqgEETkA8PdQIjN3BcGL2tZq2s1S2pCkFrxYFCux67RIDFg
841BgL1X4XL6Ey/dxzCWQWWPI5E5Q16DerF3r07vn9nhIsCqvX3BwJaFLZJvTDz3ihCNHAJofPeG
pvH3VftF4CSOCs7RRYce+whGvesA8rPpcibnHzA9qWlehR6zUXD0WN+tStv6W+P7twiAdAaUGeBN
zB7z2S6JrHhloxeY3xOXG5GkpFWvVzd2hP3h7vqr+O+/LM6flmVuZHN0cmVhbQplbmRvYmoKMjUg
MCBvYmoKMzE3NwplbmRvYmoKMjYgMCBvYmoKPDwvUjcKMzYgMCBSPj4KZW5kb2JqCjI3IDAgb2Jq
Cjw8L1I4CjM3IDAgUi9SMTAKMzkgMCBSPj4KZW5kb2JqCjI4IDAgb2JqCjw8L1Byb2R1Y2VyKFwz
NzZcMzc3XDAwMFBcMDAwRFwwMDBGXDAwMENcMDAwclwwMDBlXDAwMGFcMDAwdFwwMDBvXDAwMHJc
MDAwIFwwMDAyXDAwMC5cMDAwMlwwMDAuXDAwMDJcMDAwLlwwMDAwKQovQ3JlYXRpb25EYXRlKEQ6
MjAxNzA5MDgxMTE1MTAtMDUnMDAnKQovTW9kRGF0ZShEOjIwMTcwOTA4MTExNTEwLTA1JzAwJykK
L1RpdGxlKFwzNzZcMzc3XDAwMFNcMDAwZVwwMDBwXDAwMHRcMDAwIFwwMDA2XDAwMCBcMDAwSVww
MDBuXDAwMHRcMDAwZVwwMDByXDAwMGlcMDAwbVwwMDAgXDAwMG1cMDAwaVwwMDBuXDAwMHVcMDAw
dFwwMDBlXDAwMHNcMDAwIFwwMDB2XDAwMDEpCi9BdXRob3IoXDM3NlwzNzdcMDAwbFwwMDA3XDAw
MDNcMDAwNVwwMDAwXDAwMDQpCi9TdWJqZWN0KCkKL0tleXdvcmRzKCkKL0NyZWF0b3IoXDM3Nlwz
NzdcMDAwUFwwMDBEXDAwMEZcMDAwQ1wwMDByXDAwMGVcMDAwYVwwMDB0XDAwMG9cMDAwclwwMDAg
XDAwMDJcMDAwLlwwMDAyXDAwMC5cMDAwMlwwMDAuXDAwMDApPj5lbmRvYmoKMjkgMCBvYmoKPDwg
L1R5cGUgL1BhZ2VzIC9LaWRzIFsKMzMgMCBSCjEgMCBSCjggMCBSCjEzIDAgUgoxOCAwIFIKMjMg
MCBSCl0gL0NvdW50IDYKPj4KZW5kb2JqCjMwIDAgb2JqCjw8L1R5cGUvTWV0YWRhdGEKL1N1YnR5
cGUvWE1ML0xlbmd0aCAxNTc3Pj5zdHJlYW0KPD94cGFja2V0IGJlZ2luPSfvu78nIGlkPSdXNU0w
TXBDZWhpSHpyZVN6TlRjemtjOWQnPz4KPD9hZG9iZS14YXAtZmlsdGVycyBlc2M9IkNSTEYiPz4K
PHg6eG1wbWV0YSB4bWxuczp4PSdhZG9iZTpuczptZXRhLycgeDp4bXB0az0nWE1QIHRvb2xraXQg
Mi45LjEtMTMsIGZyYW1ld29yayAxLjYnPgo8cmRmOlJERiB4bWxuczpyZGY9J2h0dHA6Ly93d3cu
dzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMnIHhtbG5zOmlYPSdodHRwOi8vbnMuYWRv
YmUuY29tL2lYLzEuMC8nPgo8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0ndXVpZDo2MmQ5MzYy
OS05NzBjLTExZTctMDAwMC0xOTRlZWRiOWFkZmMnIHhtbG5zOnBkZj0naHR0cDovL25zLmFkb2Jl
LmNvbS9wZGYvMS4zLyc+PHBkZjpQcm9kdWNlcj5QREZDcmVhdG9yIDIuMi4yLjA8L3BkZjpQcm9k
dWNlcj4KPHBkZjpLZXl3b3Jkcz48L3BkZjpLZXl3b3Jkcz4KPC9yZGY6RGVzY3JpcHRpb24+Cjxy
ZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSd1dWlkOjYyZDkzNjI5LTk3MGMtMTFlNy0wMDAwLTE5
NGVlZGI5YWRmYycgeG1sbnM6eG1wPSdodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvJz48eG1w
Ok1vZGlmeURhdGU+MjAxNy0wOS0wOFQxMToxNToxMC0wNTowMDwveG1wOk1vZGlmeURhdGU+Cjx4
bXA6Q3JlYXRlRGF0ZT4yMDE3LTA5LTA4VDExOjE1OjEwLTA1OjAwPC94bXA6Q3JlYXRlRGF0ZT4K
PHhtcDpDcmVhdG9yVG9vbD5QREZDcmVhdG9yIDIuMi4yLjA8L3htcDpDcmVhdG9yVG9vbD48L3Jk
ZjpEZXNjcmlwdGlvbj4KPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9J3V1aWQ6NjJkOTM2Mjkt
OTcwYy0xMWU3LTAwMDAtMTk0ZWVkYjlhZGZjJyB4bWxuczp4YXBNTT0naHR0cDovL25zLmFkb2Jl
LmNvbS94YXAvMS4wL21tLycgeGFwTU06RG9jdW1lbnRJRD0ndXVpZDo2MmQ5MzYyOS05NzBjLTEx
ZTctMDAwMC0xOTRlZWRiOWFkZmMnLz4KPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9J3V1aWQ6
NjJkOTM2MjktOTcwYy0xMWU3LTAwMDAtMTk0ZWVkYjlhZGZjJyB4bWxuczpkYz0naHR0cDovL3B1
cmwub3JnL2RjL2VsZW1lbnRzLzEuMS8nIGRjOmZvcm1hdD0nYXBwbGljYXRpb24vcGRmJz48ZGM6
dGl0bGU+PHJkZjpBbHQ+PHJkZjpsaSB4bWw6bGFuZz0neC1kZWZhdWx0Jz5TZXB0IDYgSW50ZXJp
bSBtaW51dGVzIHYxPC9yZGY6bGk+PC9yZGY6QWx0PjwvZGM6dGl0bGU+PGRjOmNyZWF0b3I+PHJk
ZjpTZXE+PHJkZjpsaT5sNzM1MDQ8L3JkZjpsaT48L3JkZjpTZXE+PC9kYzpjcmVhdG9yPjxkYzpk
ZXNjcmlwdGlvbj48cmRmOkFsdD48cmRmOmxpIHhtbDpsYW5nPSd4LWRlZmF1bHQnPjwvcmRmOmxp
PjwvcmRmOkFsdD48L2RjOmRlc2NyaXB0aW9uPjwvcmRmOkRlc2NyaXB0aW9uPgo8L3JkZjpSREY+
CjwveDp4bXBtZXRhPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCjw/eHBhY2tldCBl
bmQ9J3cnPz4KZW5kc3RyZWFtCmVuZG9iagp4cmVmCjAgMzEKMDAwMDAwMDAwMCA2NTUzNSBmIAow
MDAwMDQwNjY1IDAwMDAwIG4gCjAwMDAwNDA4MjQgMDAwMDAgbiAKMDAwMDA0NTc5MSAwMDAwMCBu
IAowMDAwMDQ1ODExIDAwMDAwIG4gCjAwMDAwNDU4NzIgMDAwMDAgbiAKMDAwMDA0NTkzNiAwMDAw
MCBuIAowMDAwMDQ1OTY2IDAwMDAwIG4gCjAwMDAwNDYwMjcgMDAwMDAgbiAKMDAwMDA0NjE4OCAw
MDAwMCBuIAowMDAwMDUwNDM4IDAwMDAwIG4gCjAwMDAwNTA0NTkgMDAwMDAgbiAKMDAwMDA1MDQ5
MCAwMDAwMCBuIAowMDAwMDUwNTMyIDAwMDAwIG4gCjAwMDAwNTA2OTUgMDAwMDAgbiAKMDAwMDA1
NDk2OSAwMDAwMCBuIAowMDAwMDU0OTkwIDAwMDAwIG4gCjAwMDAwNTUwMjEgMDAwMDAgbiAKMDAw
MDA1NTA2MyAwMDAwMCBuIAowMDAwMDU1MjI2IDAwMDAwIG4gCjAwMDAwNTkwMzEgMDAwMDAgbiAK
MDAwMDA1OTA1MiAwMDAwMCBuIAowMDAwMDU5MDgzIDAwMDAwIG4gCjAwMDAwNTkxMTQgMDAwMDAg
biAKMDAwMDA1OTI3NyAwMDAwMCBuIAowMDAwMDYyNTI2IDAwMDAwIG4gCjAwMDAwNjI1NDcgMDAw
MDAgbiAKMDAwMDA2MjU3OCAwMDAwMCBuIAowMDAwMDYyNjIwIDAwMDAwIG4gCjAwMDAwNjMxNDQg
MDAwMDAgbiAKMDAwMDA2MzIzOCAwMDAwMCBuIAp0cmFpbGVyCjw8L1NpemUgMzE+PgpzdGFydHhy
ZWYKMTQ3CiUlRU9GCg==

--_004_4A95BA014132FF49AE685FAB4B9F17F66B0CBA8Dsjceml521mbxchi_--


From nobody Mon Jul 16 21:44:00 2018
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EDCC130E9B; Mon, 16 Jul 2018 21:43:58 -0700 (PDT)
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2m87TvaIakYd; Mon, 16 Jul 2018 21:43:54 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56B1A130E96; Mon, 16 Jul 2018 21:43:54 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id e7-v6so14361064wrs.9; Mon, 16 Jul 2018 21:43:54 -0700 (PDT)
X-Received: by 2002:adf:9954:: with SMTP id x78-v6mr41120wrb.178.1531802632852;  Mon, 16 Jul 2018 21:43:52 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id q5-v6sm20388700wrs.87.2018.07.16.21.43.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Jul 2018 21:43:52 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <B4ED9CE5-EA34-4847-86FB-202A06C19515@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8AB61B35-A5DA-4495-A083-DF03530A91CE"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 17 Jul 2018 07:43:49 +0300
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com>
Cc: IPsecME WG <ipsec@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>
To: Linda Dunbar <linda.dunbar@huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/BowIie2jlW-8oxr999VpEA7d3YM>
Subject: Re: [IPsec] How about simplified IKE? RE: IPsec Flow Protection @I2NSF
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 04:43:59 -0000

--Apple-Mail=_8AB61B35-A5DA-4495-A083-DF03530A91CE
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

[no hats]

I’m not convinced by the necessity of either this or “Case 2”.

IKEv2 is supported by all operating systems, including every Linux distribution and phone OS since iPhone 2. It’s ubiquitous and isn’t hard. Given that, I’m not convinced we need to take care of nodes that do not support IKEv2. There just aren’t any such nodes in the NSF world. If we were talking about smart objects, then we could find such nodes, but not NSFs.

IKE performs two functions:
- Authenticate the peers to one another
- Exchange keys.

If I understand your proposal correctly, you would like to keep the peers exchanging keys (although not directly), but not authenticating. This kind of makes sense because the SDN controls identities and credentials. There is no meaningful authentication except to verify the credentials provided to the peer by the controller.

So I think the proposal makes sense, but I don’t see it as necessary.

Yoav
(again, no hats)

> On 17 Jul 2018, at 6:16, Linda Dunbar <linda.dunbar@huawei.com> wrote:
> 
> There are two cases proposed by SDN controlled IPsec Flow Protection:
> -        Case 1 is SDN controller only sending down the IPsec configuration attributes to End points, and End Points support the IKEs and SA maintenance.
> -        Case 2 is end points not supporting IKEv2. SDN controller manages all the SA Key computation and distributes to all end nodes. We had an interim meeting discussing this (see the attached Meeting minutes).
> 
> Question to IPsecme WG: How about something in between?
> -        Assume that SDN controller maintains TLS (or DTLS) to all end points for distributing the IPsec configuration attributes (same as Case 1 above).
> -        Instead of using IKEv2 for two end points (E1 & E2) to establish a secure channel first for SA negotiation purposes, E1 can utilize the secure channel between E1 <-> SDN-Controller <-> E2 to negotiate SA with E2 and is responsible for its own SA computation.
> -        E1 & E2 still compute SA and maintain SAD. Only utilize the secure channel through the SDN controller to exchange SA.
> 
> This method not only doesn’t require the SDN controller to keep all the SAD for all nodes, but also simplifies large SD-WAN deployment with a large number of IPsec tunnels among many end points.
> 
> Any opinion? Issues?
> 
> Linda Dunbar
> 
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Yoav Nir
> Sent: Monday, July 16, 2018 3:11 PM
> To: IPsecME WG <ipsec@ietf.org>
> Subject: [IPsec] IPsec Flow Protection @I2NSF
> 
> Hi.
> 
> I’d like to draw your attention to the agenda of the I2NSF working group: https://datatracker.ietf.org/meeting/102/materials/agenda-102-i2nsf-00
> 
> The I2NSF working group will meet on Wednesday after lunch. On the agenda, there is this item which may be of interest to IPsec folks:
> 
> 13:45-14:00 IPsec Flow Protection (15 min): Rafa Marín-López
> In case you haven’t been following, the IPsec flow draft was adopted by I2NSF. The authors are making progress, including open source implementations.
> 
> One issue that may come up in the discussion (either at I2NSF or here) is that other drafts about controlling IPsec VPNs with SDN ([1],[2]) are coming up. I’m wondering if these are competing, complementary, or what?
> 
> We’ll be glad to see you all there.
> 
> Yoav
> (co-chair of I2NSF)
> 
> [1] https://tools.ietf.org/html/draft-carrel-ipsecme-controller-ike-00
> [2] https://tools.ietf.org/html/draft-dunbar-sr-sdwan-over-hybrid-networks-02
> 
> <Sept 6 Interim minutes v1.pdf>
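
The "something in between" Linda proposes and Yoav analyses (peers still compute their own SA keys and keep their own SAD, the exchange is relayed through the controller, and authentication reduces to credentials the controller provisioned), as an added toy model in Python; this is an illustration written for this archive, not code from the thread, the I2NSF drafts or any implementation. It assumes the peers run a DH exchange through the relay; the names Endpoint, Controller, Msg and negotiate, the toy DH group and the HMAC-tag credential scheme are all constructed here, and the per-endpoint TLS channels are assumed rather than implemented.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy finite-field DH group, constructed for illustration only (2**127 - 1 is a
# Mersenne prime). It is not an IKEv2 group and is far too small for real use.
P = (1 << 127) - 1
G = 5

def kdf(shared: int, n_i: bytes, n_r: bytes, spi: bytes) -> bytes:
    """Derive the SA key from the DH secret, both nonces and the SPI (toy KDF)."""
    return hmac.new(n_i + n_r, shared.to_bytes(16, "big") + spi, hashlib.sha256).digest()

@dataclass
class Msg:
    # One negotiation message: public DH value, nonce, SPI and an auth tag only.
    src: str
    dst: str
    spi: bytes
    pub: int
    nonce: bytes
    tag: bytes = b""

    def body(self) -> bytes:
        return (self.src.encode() + b"|" + self.dst.encode() + b"|" + self.spi
                + self.pub.to_bytes(16, "big") + self.nonce)

class Endpoint:
    """IPsec endpoint: computes its own SA keys and keeps its own SAD."""

    def __init__(self, name: str):
        self.name = name
        self.sad = {}         # SPI -> SA key, kept locally as in the proposal
        self.peer_creds = {}  # peer name -> credential pushed by the controller
        self._pending = {}    # SPI -> our nonce, for negotiations we initiated
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)

    def _cred(self, peer: str) -> bytes:
        # The only authentication available is the controller-provided credential.
        if peer not in self.peer_creds:
            raise PermissionError(f"{self.name}: no controller credential for {peer}")
        return self.peer_creds[peer]

    def _sign(self, m: Msg) -> Msg:
        m.tag = hmac.new(self._cred(m.dst), m.body(), hashlib.sha256).digest()
        return m

    def _verify(self, m: Msg) -> None:
        expected = hmac.new(self._cred(m.src), m.body(), hashlib.sha256).digest()
        if not hmac.compare_digest(m.tag, expected):
            raise PermissionError(f"{self.name}: bad tag on message from {m.src}")

    def _install(self, spi: bytes, peer_pub: int, n_i: bytes, n_r: bytes) -> None:
        shared = pow(peer_pub, self._priv, P)  # computed here, never by the controller
        self.sad[spi] = kdf(shared, n_i, n_r, spi)

    def initiate(self, peer: str) -> Msg:
        spi, nonce = secrets.token_bytes(4), secrets.token_bytes(16)
        self._pending[spi] = nonce
        return self._sign(Msg(self.name, peer, spi, self.pub, nonce))

    def receive(self, m: Msg):
        """Handle a relayed message; returns the reply when we are the responder."""
        self._verify(m)
        my_nonce = self._pending.pop(m.spi, None)
        if my_nonce is None:  # we are the responder
            reply = Msg(self.name, m.src, m.spi, self.pub, secrets.token_bytes(16))
            self._install(m.spi, m.pub, m.nonce, reply.nonce)
            return self._sign(reply)
        self._install(m.spi, m.pub, my_nonce, m.nonce)  # we initiated; done
        return None

class Controller:
    """SDN controller: provisions credentials and relays messages, holds no SAD."""

    def __init__(self, *endpoints: Endpoint):
        self.endpoints = {e.name: e for e in endpoints}
        self.relayed = []  # everything that crossed the controller's channels

    def provision_pair(self, a: str, b: str) -> None:
        # Configuration push over the per-endpoint TLS channel (assumed, not modelled).
        cred = secrets.token_bytes(32)
        self.endpoints[a].peer_creds[b] = cred
        self.endpoints[b].peer_creds[a] = cred

    def relay(self, m: Msg):
        self.relayed.append(m)
        return self.endpoints[m.dst].receive(m)

def negotiate(ctrl: Controller, initiator: str, responder: str) -> bytes:
    """Run one SA negotiation E1 <-> controller <-> E2; return the new SPI."""
    first = ctrl.endpoints[initiator].initiate(responder)
    reply = ctrl.relay(first)  # E1 -> controller -> E2
    ctrl.relay(reply)          # E2 -> controller -> E1
    return first.spi
```

The controller only ever holds the two relayed messages, so it can be checked afterwards that no SA key material crossed its channels, and an endpoint it never provisioned cannot complete a negotiation at all.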


--Apple-Mail=_8AB61B35-A5DA-4495-A083-DF03530A91CE--


From nobody Tue Jul 17 01:38:43 2018
Return-Path: <rafa@um.es>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0C5F12F1AB; Tue, 17 Jul 2018 01:38:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tl0d7hEgk4by; Tue, 17 Jul 2018 01:38:32 -0700 (PDT)
Received: from xenon42.um.es (xenon42.um.es [IPv6:2001:720:1710:601::42]) by ietfa.amsl.com (Postfix) with ESMTP id 14264130E26; Tue, 17 Jul 2018 01:38:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon42.um.es (Postfix) with ESMTP id 7ED802055C; Tue, 17 Jul 2018 10:38:29 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon42.um.es
Received: from xenon42.um.es ([127.0.0.1]) by localhost (xenon42.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id vBw738OHcIff; Tue, 17 Jul 2018 10:38:29 +0200 (CEST)
Received: from eduroam_um-69-49.inf.um.es (eduroam_um-69-49.inf.um.es [155.54.69.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon42.um.es (Postfix) with ESMTPSA id 729741FEC2; Tue, 17 Jul 2018 10:38:27 +0200 (CEST)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <93C3CD29-AD69-4D36-9253-37279962A2F9@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_41C603BB-2A39-47D3-ACCA-2F3A12BDAA0D"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Tue, 17 Jul 2018 10:38:26 +0200
In-Reply-To: <B4ED9CE5-EA34-4847-86FB-202A06C19515@gmail.com>
Cc: Rafa Marin-Lopez <rafa@um.es>, Linda Dunbar <linda.dunbar@huawei.com>, IPsecME WG <ipsec@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>
To: Yoav Nir <ynir.ietf@gmail.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com> <B4ED9CE5-EA34-4847-86FB-202A06C19515@gmail.com>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ItIDIk_eXpJ81zCC1pqY8bFoYys>
Subject: Re: [IPsec] [I2nsf] How about simplified IKE? RE: IPsec Flow Protection @I2NSF
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 08:38:36 -0000

--Apple-Mail=_41C603BB-2A39-47D3-ACCA-2F3A12BDAA0D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Yoav:

In my opinion, if E1 and E2 will finally communicate through the
controller to run a key management protocol, then I do not see the
benefits over using case 1, that is, IKEv2.

Regarding case 2, it follows an SDN model: control plane and data plane.
The IPsec stack is the data plane, which deals with flows; the
control plane is implemented in the SDN controller. NSFs are simpler. One
of the key points here is that key material is seen by the SDN
controller (which, we should not forget, is a trusted entity). In
this sense, for example, draft-carrel-ipsecme-controller-ike-00 proposes
the usage of DH public/private keys trying to avoid this. Other options
could also be considered.

Regarding the question about smart objects, I do not understand why a
constrained device cannot be a flow-based NSF.

Best Regards.

> On 17 Jul 2018, at 6:43, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> [no hats]
> 
> I'm not convinced by the necessity of either this or "Case 2".
> 
> IKEv2 is supported by all operating systems, including every Linux
> distribution and phone OS since iPhone 2. It's ubiquitous and
> isn't hard. Given that, I'm not convinced we need to
> take care of nodes that do not support IKEv2. There just aren't
> any such nodes in the NSF world. If we were talking about smart objects,
> then we could find such nodes, but not NSFs.
> 
> IKE performs two functions:
> - Authenticate the peers to one another
> - Exchange keys.
> 
> If I understand your proposal correctly, you would like to keep the
> peers exchanging keys (although not directly), but not authenticating.
> This kind of makes sense because the SDN controls identities and
> credentials. There is no meaningful authentication except to verify the
> credentials provided to the peer by the controller.
> 
> So I think the proposal makes sense, but I don't see it as
> necessary.
> 
> Yoav
> (again, no hats)
> 
>> On 17 Jul 2018, at 6:16, Linda Dunbar <linda.dunbar@huawei.com> wrote:
>> 
>> There are two cases proposed by SDN controlled IPsec Flow Protection:
>> - Case 1 is the SDN controller only sending down the IPsec
>> configuration attributes to end points, and the end points support IKE
>> and SA maintenance.
>> - Case 2 is end points not supporting IKEv2. The SDN controller
>> manages all the SA key computation and distributes to all end nodes. We
>> had an interim meeting discussing this (see the attached meeting
>> minutes).
>> 
>> Question to IPsecme WG: How about something in between?
>> - Assume that the SDN controller maintains TLS (or DTLS) to all end
>> points for distributing the IPsec configuration attributes (same as Case
>> 1 above).
>> - Instead of using IKEv2 for two end points (E1 & E2) to
>> establish a secure channel first for SA negotiation purposes, E1 can
>> utilize the secure channel between E1 <-> SDN-Controller <-> E2 to
>> negotiate the SA with E2 and is responsible for its own SA computation.
>> - E1 & E2 still compute the SA and maintain the SAD. They only utilize the
>> secure channel through the SDN controller to exchange the SA.
>> 
>> This method not only doesn't require the SDN controller to
>> keep all the SAD for all nodes, but also simplifies large SD-WAN
>> deployment with a large number of IPsec tunnels among many end points.
>> 
>> Any opinion? Issues?
>> 
>> Linda Dunbar
>> 
>> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Yoav Nir
>> Sent: Monday, July 16, 2018 3:11 PM
>> To: IPsecME WG <ipsec@ietf.org>
>> Subject: [IPsec] IPsec Flow Protection @I2NSF
>> 
>> Hi.
>> 
>> I'd like to draw your attention to the agenda of the I2NSF
>> working group:
>> https://datatracker.ietf.org/meeting/102/materials/agenda-102-i2nsf-00
>> 
>> The I2NSF working group will meet on Wednesday after lunch. On the
>> agenda, there is this item which may be of interest to IPsec folks:
>> 
>> 13:45-14:00 IPsec Flow Protection (15 min): Rafa Marín-López
>> In case you haven't been following, the IPsec flow draft was
>> adopted by I2NSF. The authors are making progress, including open source
>> implementations.
>> 
>> One issue that may come up in the discussion (either at I2NSF or
>> here) is that other drafts about controlling IPsec VPNs with SDN
>> ([1],[2]) are coming up. I'm wondering if these are competing,
>> complementary, or what?
>> 
>> We'll be glad to see you all there.
>> 
>> Yoav
>> (co-chair of I2NSF)
>> 
>> [1] https://tools.ietf.org/html/draft-carrel-ipsecme-controller-ike-00
>> [2] https://tools.ietf.org/html/draft-dunbar-sr-sdwan-over-hybrid-networks-02
>> 
>> <Sept 6 Interim minutes v1.pdf>
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf


--Apple-Mail=_41C603BB-2A39-47D3-ACCA-2F3A12BDAA0D--


From nobody Tue Jul 17 08:16:12 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E46E130F50 for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 08:15:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vmJU62iJ9L6H for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 08:15:56 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0669130EAE for <ipsec@ietf.org>; Tue, 17 Jul 2018 08:15:55 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6HFFqT9012231 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Tue, 17 Jul 2018 18:15:52 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6HFFqUn016004; Tue, 17 Jul 2018 18:15:52 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23374.2088.627941.395947@fireball.acr.fi>
Date: Tue, 17 Jul 2018 18:15:52 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 41 min
X-Total-Time: 1059 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/c1ckPQdJOsO1pv8J_95JDrV32N8>
Subject: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 15:16:05 -0000

When we created RFC3526 [1] in 2003 we included 1536, 2048, 3072,
4096, 6144, and 8192 bit modp groups. I did also create 12288 and
16384 bit modp groups [2], but we did not include those as we assumed
they would be too slow for normal use.

Now sometimes there is a requirement to align all security parameters
with AES-256 also (because AES-128 is not enough if someone gets
quantum computers some day).

SP800-57 part 1 rev 4 [3] has table 2 that says:

Security  Symmetric     FCC               IFC           ECC
Strength  key           (e.g. DSA,        (e.g.,        (e.g., 
          algorithms    D-H)              RSA)          ECDSA)
<=80      2TDEA         L=1024, N=160     k=1024        f=160-233
112       3TDEA         L=2048, N=224     k=2048        f=224-255
128       AES-128       L=3072, N=256     k=3072        f=256-383
192       AES-192       L=7680, N=384     k=7680        f=384-511
256       AES-256       L=15360, N=512    k=15360       f=512+

Meaning that we do not have any MODP groups with IANA numbers that
would match AES-256. For a vendor to add elliptic curve support simply
to be able to mark that tick mark saying we do support AES-256 is a
bit much. Adding a 16384 bit MODP group is much faster and easier, and
nobody needs to use it (I think the recommended group in NIST
documents is still the 2048 bit group).

NIST SP 800-56A Rev 3 [4] aligns with this and says that MODP-8192 is
for less than 200 bits of security, i.e., not enough for AES-256.

In the SP 800-56B rev2 draft [5], there is a formula in Appendix D
which allows you to calculate the strength for different bit lengths,
and if you plug in 15360 you get 264 bits. To get 256 bits of
maximum strength the nBits needs to be between 14446-14993. 15000
would already give you 264, i.e., the same as 15360 gives. 15360 is
of course 1024*15 so it is a nice round number in binary.

If you plug in 12288 to that formula you get a strength of 240 and 16384
gives you 272.

Checking old performance numbers I can see that in 2008 the speed of
the 6144 group was the same as 16384 is with current machines, which most
likely matched what the 2048 or 3072 bit group speed was in 2003 (i.e.
about half a second per full Diffie-Hellman).

So my question is: do other people think it would be useful to allocate
IANA numbers for the 12288 and 16384 bit MODP groups?

You can of course use private numbers, but I myself think it would be
a good idea to have IANA numbers for those groups too, just in case
someone wants interoperability with them at some point. Also we do not
yet know how quantum computers are going to do for different
algorithms, i.e., whether P-521 is harder or easier than MODP 16384.

[1] https://datatracker.ietf.org/doc/rfc3526/
[2] https://kivinen.iki.fi/primes/
[3] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
[4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
[5] https://csrc.nist.gov/CSRC/media/Publications/sp/800-56b/rev-2/draft/documents/sp800-56Br2-draft.pdf
-- 
kivinen@iki.fi
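The Appendix D strength estimate that the 12288/15360/16384 figures above come from, as an added example that is not part of the post or of any NIST text: it implements the GNFS-based formula E = (1.923 * cbrt(nBits * ln 2) * (ln(nBits * ln 2))^(2/3) - 4.69) / ln 2 and rounds E to the nearest multiple of 8, which is this example's assumption about the rounding step (it reproduces the 240, 264 and 272 quoted in the mail), plus a search for the smallest modulus that reaches a target strength.

```python
"""Security-strength estimate for MODP modulus sizes (added example).

Implements the GNFS-based estimate of SP 800-56B rev 2, Appendix D:
    E = (1.923 * cbrt(nBits * ln 2) * (ln(nBits * ln 2))**(2/3) - 4.69) / ln 2
Rounding E to the nearest multiple of 8 is an assumption of this example;
it reproduces the 240/264/272 figures quoted for 12288/15360/16384.
"""
import math

LN2 = math.log(2.0)

# RFC 3526 group sizes plus the two candidates discussed in the thread.
RFC3526_SIZES = (1536, 2048, 3072, 4096, 6144, 8192)
CANDIDATE_SIZES = (12288, 16384)


def estimated_strength(n_bits: int) -> float:
    """Raw (unrounded) Appendix D estimate E for an n_bits modulus."""
    x = n_bits * LN2
    return (1.923 * x ** (1.0 / 3.0) * math.log(x) ** (2.0 / 3.0) - 4.69) / LN2


def rounded_strength(n_bits: int) -> int:
    """E rounded to the nearest multiple of 8 (assumed rounding rule)."""
    e = estimated_strength(n_bits)
    return 8 * int(math.floor(e / 8.0 + 0.5))


def min_modulus_bits(target: float, lo: int = 512, hi: int = 65536) -> int:
    """Smallest n_bits whose raw estimate E reaches `target` bits.

    E grows monotonically with n_bits, so a binary search over [lo, hi]
    finds the first size at or above the target.
    """
    if estimated_strength(lo) >= target:
        return lo
    if estimated_strength(hi) < target:
        raise ValueError("target strength not reachable below hi")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if estimated_strength(mid) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def strength_table(sizes) -> dict:
    """Map each modulus size to (raw E, rounded strength)."""
    return {n: (estimated_strength(n), rounded_strength(n)) for n in sizes}


def main() -> None:
    print(f"{'nBits':>6} {'E (raw)':>8} {'rounded':>8}")
    for n, (e, r) in strength_table(RFC3526_SIZES + CANDIDATE_SIZES).items():
        print(f"{n:>6} {e:>8.1f} {r:>8}")
    # Where the raw estimate first reaches 256 bits, and where the rounded
    # value first steps up to 264 (E >= 260).
    for target in (256, 260):
        print(f"smallest modulus with E >= {target}: {min_modulus_bits(target)} bits")


if __name__ == "__main__":
    main()
```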


From nobody Tue Jul 17 08:26:38 2018
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Tero Kivinen'" <kivinen@iki.fi>, <ipsec@ietf.org>
References: <23374.2088.627941.395947@fireball.acr.fi>
In-Reply-To: <23374.2088.627941.395947@fireball.acr.fi>
Date: Tue, 17 Jul 2018 11:26:10 -0400
Message-ID: <036001d41de2$7dbc8bf0$7935a3d0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/CV--sl3hlecPTZH1YWKF0qIOcjY>
Subject: Re: [IPsec] Modp-12288 and Modp-16384

Hi,

my concern is that these MODP groups will have public keys of 1.5-2 Kb in
size, so it can make using them problematic in the real world due to
fragmentation issues...

Regards,
Valery.

> When we created RFC3526 [1] in 2003 we included 1536, 2048, 3072, 4096,
> 6144, and 8192 bit modp groups. I did also create 12288 and
> 16384 bit modp groups [2], but we did not include those as we assumed they
> would be too slow for normal use.
> 
> Now sometimes there is requirement to align all security parameters with
> AES-256 also (because AES-128 is not enough if someone gets quantum
> computers some day).
> 
> SP800-57 part 1 rev 4 [3] has table 2 that says:
> 
> Security  Symmetric     FFC               IFC           ECC
> Strength  key           (e.g. DSA,        (e.g.,        (e.g.,
>           algorithms    D-H)              RSA)          ECDSA)
> <=80      2TDEA         L=1024, N=160     k=1024        f=160-233
> 112       3TDEA         L=2048, N=224     k=2048        f=224-255
> 128       AES-128       L=3072, N=256     k=3072        f=256-383
> 192       AES-192       L=7680, N=384     k=7680        f=384-511
> 256       AES-256       L=15360, N=512    k=15360       f=512+
> 
> Meaning that we do not have any MODP groups with IANA numbers that
> would match AES-256. For a vendor to add elliptic curve support simply to
> be able to mark that tick mark saying we do support AES-256 is a bit much.
> Adding a 16384 bit MODP group is much faster and easier, and nobody needs
> to use it (I think the recommended group in NIST documents is still the
> 2048 bit group).
> 
> NIST SP 800-56A Rev 3 [4] aligns with this and says that MODP-8192 is for
> less than 200 bits of security, i.e., not enough for AES-256.
> 
> In the SP 800-56B rev2 draft [5], there is a formula in Appendix D, which
> allows you to calculate the strength for different bit lengths, and if you
> plug in the 15360 you get 264 bits. To get 256 bits of maximum strength the
> nBits needs to be between 14446-14993. 15000 would already give you 264,
> i.e., the same as 15360 gives. 15360 is of course 1024*15 so it is a nice
> round number in binary.
> 
> If you plug in 12288 to that formula you get strength of 240 and 16384
> gives you 272.
> 
> Checking old performance numbers I can see that in 2008 the speed of the
> 6144 group was the same as 16384 is with current machines, which most
> likely matched what 2048 or 3072 bit group speed was in 2003 (i.e.
> about half a second per full Diffie-Hellman).
> 
> So my question is do other people think it would be useful to allocate
> IANA numbers for the 12288 and 16384 bit MODP groups?
> 
> You can of course use private numbers, but I myself think it would be a
> good idea to have IANA numbers for those groups too, just in case someone
> wants interoperability with them at some point. Also we do not yet know
> how quantum computers are going to do for different algorithms, i.e.,
> whether P-521 is harder or easier than MODP 16384.
> 
> [1] https://datatracker.ietf.org/doc/rfc3526/
> [2] https://kivinen.iki.fi/primes/
> [3] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
> [4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
> [5] https://csrc.nist.gov/CSRC/media/Publications/sp/800-56b/rev-2/draft/documents/sp800-56Br2-draft.pdf
> --
> kivinen@iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
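The two quantitative points in this exchange, Tero's Appendix D strength estimates and Valery's public-key-size concern, worked through in code. This is an added example, not code from either message or from any NIST or IETF document: the strength formula is the one Tero cites from the SP 800-56B Rev 2 draft, but the rounding to a multiple of 8, the IPv4/UDP/IKE header overhead used for the fragmentation check, and the function names are this example's own assumptions.

```python
"""Estimated security strength of finite-field DH moduli, using the SP 800-56B
Rev 2 draft Appendix D formula quoted in the thread, beside the size of the
IKEv2 KE payload each modulus produces."""
import math

# RFC 3526 MODP groups keyed by modulus size; value = IANA Transform Type 4
# (Diffie-Hellman group) number.  12288 and 16384 have no IANA number (None).
MODP_GROUPS = {
    1536: 5, 2048: 14, 3072: 15, 4096: 16, 6144: 17, 8192: 18,
    12288: None, 16384: None,
}

# Assumed header overhead for the fragmentation check: IPv4 (20) + UDP (8)
# + IKEv2 header (28, RFC 7296 section 3.1).  Not from the thread.
IPV4_UDP_IKE_HDR = 20 + 8 + 28


def ffc_strength(nbits: int) -> float:
    """Unrounded security-strength estimate for an nbits-bit IFC/FFC modulus.

    s = (1.923 * cbrt(n ln2) * (ln(n ln2))^(2/3) - 4.69) / ln2
    (GNFS cost model; SP 800-56B Rev 2 draft, Appendix D, as cited above).
    """
    x = nbits * math.log(2)
    return (1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69) / math.log(2)


def strength_rounded(nbits: int) -> int:
    """Estimate rounded to the nearest multiple of 8 bits.

    The rounding rule is this example's assumption; it reproduces the figures
    quoted in the thread (12288 -> 240, 15360 -> 264, 16384 -> 272).
    """
    return 8 * round(ffc_strength(nbits) / 8)


def ke_payload_len(nbits: int) -> int:
    """Octets of an IKEv2 KE payload carrying an nbits-bit public value:
    4-octet generic payload header + 2-octet DH group number + 2 reserved
    + the key exchange data itself (RFC 7296 section 3.4)."""
    return 4 + 2 + 2 + (nbits + 7) // 8


def ke_exceeds_mtu(nbits: int, mtu: int = 1500) -> bool:
    """True when the KE payload alone, plus IPv4/UDP/IKE headers, no longer
    fits one datagram of `mtu` octets.  IKE_SA_INIT also carries SA, Ni and
    Notify payloads, so this is a lower bound on the real message size."""
    return IPV4_UDP_IKE_HDR + ke_payload_len(nbits) > mtu


def smallest_group_for(target_bits: int) -> int:
    """Smallest listed modulus whose rounded estimate reaches target_bits."""
    for nbits in sorted(MODP_GROUPS):
        if strength_rounded(nbits) >= target_bits:
            return nbits
    raise ValueError(f"no listed MODP group reaches {target_bits} bits")


def table() -> list:
    """One row per group: (bits, IANA id, estimate, rounded, KE octets, frag?)."""
    return [(n, MODP_GROUPS[n], round(ffc_strength(n), 1), strength_rounded(n),
             ke_payload_len(n), ke_exceeds_mtu(n)) for n in sorted(MODP_GROUPS)]


if __name__ == "__main__":
    print(f"{'bits':>6} {'iana':>5} {'s':>7} {'s8':>4} {'KE':>5} frag")
    for bits, iana, s, s8, ke, frag in table():
        print(f"{bits:>6} {str(iana):>5} {s:>7} {s8:>4} {ke:>5} "
              f"{'yes' if frag else 'no'}")
    print("smallest listed group for AES-256 alignment:", smallest_group_for(256))
```

Running the table shows the two sides of the argument side by side: 12288 and 16384 are the only listed sizes whose rounded estimate reaches 256 bits, and they are also the only ones whose KE payload by itself already exceeds a 1500-octet IPv4 path, so an IKE_SA_INIT using them depends on IP-level fragmentation getting through.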


From nobody Tue Jul 17 08:28:09 2018
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>
Date: Tue, 17 Jul 2018 15:27:36 +0000
Message-ID: <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi>
In-Reply-To: <23374.2088.627941.395947@fireball.acr.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/r0E3nvdXrFPAqtCCdSzOnnyB2Sk>
Subject: Re: [IPsec] Modp-12288 and Modp-16384

If the requirement for AES-256 is to handle the scenario "someone gets a
quantum computer", then in that scenario, there is no realistic DH group
size that is secure.

Hence, I personally see no point in allocating IANA numbers for the larger
than 8k MODP groups.  The only scenario I can think of where they might be
useful would be one where all of the following apply:

	- We believe that there's an adversary that can perform significantly
	  more than circa 2**128 computations
	- We are not concerned with adversaries with a Quantum Computer
	- For some reason, we don't want to use ECDH.

> -----Original Message-----
> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Tero Kivinen
> Sent: Tuesday, July 17, 2018 11:16 AM
> To: ipsec@ietf.org
> Subject: [IPsec] Modp-12288 and Modp-16384
> 
> When we created RFC3526 [1] in 2003 we included 1536, 2048, 3072, 4096,
> 6144, and 8192 bit modp groups. I did also create 12288 and
> 16384 bit modp groups [2], but we did not include those as we assumed they
> would be too slow for normal use.
> 
> Now sometimes there is requirement to align all security parameters with
> AES-256 also (because AES-128 is not enough if someone gets quantum
> computers some day).
> 
> SP800-57 part 1 rev 4 [3] has table 2 that says:
> 
> Security  Symmetric     FFC               IFC           ECC
> Strength  key           (e.g. DSA,        (e.g.,        (e.g.,
>           algorithms    D-H)              RSA)          ECDSA)
> <=80      2TDEA         L=1024, N=160     k=1024        f=160-233
> 112       3TDEA         L=2048, N=224     k=2048        f=224-255
> 128       AES-128       L=3072, N=256     k=3072        f=256-383
> 192       AES-192       L=7680, N=384     k=7680        f=384-511
> 256       AES-256       L=15360, N=512    k=15360       f=512+
> 
> Meaning that we do not have any MODP groups with IANA numbers that
> would match AES-256. For a vendor to add elliptic curve support simply to
> be able to mark that tick mark saying we do support AES-256 is a bit much.
> Adding a 16384 bit MODP group is much faster and easier, and nobody needs
> to use it (I think the recommended group in NIST documents is still the
> 2048 bit group).
> 
> NIST SP 800-56A Rev 3 [4] aligns with this and says that MODP-8192 is for
> less than 200 bits of security, i.e., not enough for AES-256.
> 
> In the SP 800-56B rev2 draft [5], there is a formula in Appendix D, which
> allows you to calculate the strength for different bit lengths, and if you
> plug in the 15360 you get 264 bits. To get 256 bits of maximum strength the
> nBits needs to be between 14446-14993. 15000 would already give you 264,
> i.e., the same as 15360 gives. 15360 is of course 1024*15 so it is a nice
> round number in binary.
> 
> If you plug in 12288 to that formula you get strength of 240 and 16384
> gives you 272.
> 
> Checking old performance numbers I can see that in 2008 the speed of the
> 6144 group was the same as 16384 is with current machines, which most
> likely matched what 2048 or 3072 bit group speed was in 2003 (i.e.
> about half a second per full Diffie-Hellman).
> 
> So my question is do other people think it would be useful to allocate
> IANA numbers for the 12288 and 16384 bit MODP groups?
> 
> You can of course use private numbers, but I myself think it would be a
> good idea to have IANA numbers for those groups too, just in case someone
> wants interoperability with them at some point. Also we do not yet know
> how quantum computers are going to do for different algorithms, i.e.,
> whether P-521 is harder or easier than MODP 16384.
> 
> [1] https://datatracker.ietf.org/doc/rfc3526/
> [2] https://kivinen.iki.fi/primes/
> [3] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
> [4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
> [5] https://csrc.nist.gov/CSRC/media/Publications/sp/800-56b/rev-2/draft/documents/sp800-56Br2-draft.pdf
> --
> kivinen@iki.fi


From nobody Tue Jul 17 08:44:29 2018
Message-ID: <23374.3779.410716.55651@fireball.acr.fi>
Date: Tue, 17 Jul 2018 18:44:03 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: Yoav Nir <ynir.ietf@gmail.com>, IPsecME WG <ipsec@ietf.org>, "i2nsf\@ietf.org" <i2nsf@ietf.org>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/C7yruirS_QVNGWiWbhtldldSSHA>
Subject: [IPsec] How about simplified IKE? RE: IPsec Flow Protection @I2NSF

Linda Dunbar writes:
> There are two cases proposed by SDN controlled IPsec Flow Protection:
> 
> - Case 1 is SDN controller only sending down the IPsec configuration
> attributes to End points, and End Points support the IKEs and SA
> maintenance.
> 
> - Case 2 is end points not supporting IKEv2. SDN controller manages
> all the SA Key computation and distributes to all end nodes. We had
> an interim meeting discussing this. (see the attached Meeting
> minutes).
> 
> Question to IPsecme WG: How about something in between?
> 
> - Assume that SDN controller maintains TLS (or DTLS) to all end
> points for distributing the IPsec configuration attributes (same as
> Case 1 above).
> 
> - Instead of using IKEv2 for two end points (E1 & E2) to establish
> secure channel first for SA negotiation purpose, E1 can utilize the
> secure channel between E1 <-> SDN-Controller <-> E2 to negotiate SA
> with E2 and responsible for its own SA computation.
> 
> - E1&E2 still compute SA and maintain SAD. Only utilize the secure
> channel through the SDN controller to exchange SA.
> 
> This method not only doesn't require the SDN controller to keep all
> the SAD for all nodes, but also simplifies large SD-WAN deployment
> with a large number of IPsec tunnels among many end points.

There are lots of TLAs who would like that kind of setup, including some
governments, as this would allow a very easy way to keep track of all
traffic keys, as they are always transmitted through the SDN
controller, so there is no need to hack..., I mean install trusted 3rd
party key backup software on every single node.

I think this has exactly the same bad properties as case 2 has, i.e., it
will provide traffic keys in one centralized location where they are
conveniently available for those who will need them, without any
co-operation from the actual nodes sending or receiving traffic, and
it does not solve the issue of providing the ways to do proper key
management parts that IKEv2 also does.

If the nodes are doing Diffie-Hellman through the SDN controller, then
I do not see any benefit over case 1, I mean then you still have
all the calculations to be done, so why not run full IKEv2 instead and
that will also solve all other management issues we have talked before
(rekeying, deleting SAs, negotiation per flow SAs, NAT detection and
NAT-T, etc).
-- 
kivinen@iki.fi
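A small model of the designs argued over above, showing which of them leave the SDN controller holding the traffic keys. This is an added example, not code from the message, from the I2NSF drafts or from any IKEv2 implementation: the DH group, the SHA-256 stand-in for IKEv2's prf+, the `Controller` class and all function names are this example's own constructions. It goes one step beyond the message: besides the two relay designs Tero objects to (the controller generating keys, or forwarding finished SA keys), it models DH through the controller with an honest relay and with a relay that substitutes its own values, since nothing in a bare relayed DH authenticates the public values to the peers; that authentication is what IKE_AUTH adds in full IKEv2.

```python
"""Toy model of the key-distribution designs discussed above: who ends up
holding the traffic keys when the SDN controller sits in the path.

Not IKEv2: a small DH group and SHA-256 stand in for the real primitives so
that the controller's view of the keys is easy to inspect."""
import hashlib
import secrets

# Toy DH group: p = 2**127 - 1 (a Mersenne prime), g = 3.  Chosen for
# readability only; far too small for any real deployment.
P = (1 << 127) - 1
G = 3


def dh_keypair() -> tuple:
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def kdf(secret: bytes) -> bytes:
    """Stand-in for IKEv2's prf+: traffic key derived from the shared secret."""
    return hashlib.sha256(b"toy-sa-key" + secret).digest()


class Controller:
    """SDN controller terminating the TLS channel to every endpoint.
    `learned` collects every traffic key it is able to derive."""

    def __init__(self, active: bool = False):
        self.active = active          # True: rewrite relayed DH values
        self.learned = set()

    # Case 2: the controller computes the SA key and pushes it to both ends.
    def distribute_key(self) -> tuple:
        key = secrets.token_bytes(32)
        self.learned.add(key)
        return key, key

    # "In between": E1 derives the SA and sends it to E2 over the
    # controller-relayed channel, so the relay sees it in the clear.
    def relay_sa_key(self, key_from_e1: bytes) -> bytes:
        self.learned.add(key_from_e1)
        return key_from_e1

    # DH through the controller: an honest relay forwards the public values
    # untouched; an active one replaces them with its own and derives both
    # resulting keys, because nothing authenticates the values to the peers.
    def relay_dh(self, pub_e1: int, pub_e2: int) -> tuple:
        if not self.active:
            return pub_e2, pub_e1     # (what E1 receives, what E2 receives)
        m_priv, m_pub = dh_keypair()
        self.learned.add(kdf(dh_shared(m_priv, pub_e1)))
        self.learned.add(kdf(dh_shared(m_priv, pub_e2)))
        return m_pub, m_pub


def case2(ctrl: Controller) -> tuple:
    return ctrl.distribute_key()


def keys_via_controller(ctrl: Controller) -> tuple:
    k1 = secrets.token_bytes(32)          # E1 computes the SA key locally
    k2 = ctrl.relay_sa_key(k1)            # and ships it to E2 via the controller
    return k1, k2


def dh_via_controller(ctrl: Controller) -> tuple:
    a_priv, a_pub = dh_keypair()          # E1
    b_priv, b_pub = dh_keypair()          # E2
    seen_by_e1, seen_by_e2 = ctrl.relay_dh(a_pub, b_pub)
    return kdf(dh_shared(a_priv, seen_by_e1)), kdf(dh_shared(b_priv, seen_by_e2))


def controller_can_decrypt(ctrl: Controller, k1: bytes, k2: bytes) -> bool:
    """Either direction's traffic is readable once its key is in `learned`."""
    return k1 in ctrl.learned or k2 in ctrl.learned


def run_designs() -> dict:
    """Run each design once; value = (peers agree on a key, controller has it)."""
    out = {}
    for name, fn, active in [("case2", case2, False),
                             ("keys_via_controller", keys_via_controller, False),
                             ("dh_honest_relay", dh_via_controller, False),
                             ("dh_tampering_relay", dh_via_controller, True)]:
        ctrl = Controller(active)
        k1, k2 = fn(ctrl)
        out[name] = (k1 == k2, controller_can_decrypt(ctrl, k1, k2))
    return out


if __name__ == "__main__":
    for name, (agree, leaked) in run_designs().items():
        print(f"{name:22s} peers agree: {agree!s:5} controller has key: {leaked}")
```

The honest-relay row is the only one where the controller ends up without a key, which is Tero's point: once the endpoints are doing the DH computation anyway, the relay buys nothing over case 1, and without the authentication step the tampering-relay row shows the controller can still recover both keys at will.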


From nobody Tue Jul 17 11:19:55 2018
From: "David Carrel (carrel)" <carrel@cisco.com>
To: Linda Dunbar <linda.dunbar@huawei.com>, Yoav Nir <ynir.ietf@gmail.com>, IPsecME WG <ipsec@ietf.org>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>
Date: Tue, 17 Jul 2018 18:19:48 +0000
Message-ID: <C653D797-A4BD-4338-BFCA-A02F5E7EBFE7@cisco.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com>
Content-Type: multipart/alternative; boundary="_000_C653D797A4BD4338BFCAA02F5E7EBFE7ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/FB4nZRdPoaiKMfcj8AoMDNMZCHw>
Subject: Re: [IPsec] [I2nsf] How about simplified IKE? RE: IPsec Flow Protection @I2NSF

--_000_C653D797A4BD4338BFCAA02F5E7EBFE7ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_C653D797A4BD4338BFCAA02F5E7EBFE7ciscocom_
Content-Type: text/html; charset="utf-8"
Content-ID: <B92DE82B91D3DD41AEAEF5C76FC7A489@emea.cisco.com>
Content-Transfer-Encoding: base64

ZSI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw
YW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90
OyxzYW5zLXNlcmlmIj5MaW5kYSw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtD
YWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxw
IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFt
aWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+QnJpYW4gYW5kIEkgcHV0IHRvZ2V0
aGVyIGEgZHJhZnQgdG8gYWRkcmVzcyB0aGUgQ2FzZSAjMiB3aXRoIHN0cm9uZ2VyIHByb3RlY3Rp
b25zIGZvciBrZXkgc2VjdXJpdHkuJm5ic3A7IFdlIHdpbGwgYmUgcHJlc2VudGluZyB0aGlzIGlu
IHRoZSBJUFNFTUUgbWVldGluZy4mbmJzcDsgVGhlIGhpZ2hsaWdodHMgb2YgdGhlDQogZHJhZnQg
YXJlIHRoYXQgaXQgdXNlcyBEaWZmaWUtSGVsbG1hbiB0byBlbnN1cmUgdGhhdCBhbGwga2V5cyBh
cmUgb25seSBrbm93biB0byB0aGUgZW5kIG5vZGVzIGFuZCB3aGlsZSB0aGUgY29udHJvbGxlciBj
b252ZXlzIGFsbCBtZXNzYWdpbmcgdG8gdGhlIGVuZCBub2RlcywgaXQgZG9lcyBOT1QgZXZlciBz
ZWUgdGhlIGtleXMuJm5ic3A7IFRoZSBkZXZpbGlzaCBkZXRhaWxzIGFyZSBpbiBob3cgc3luY2hy
b25pemF0aW9uIGlzIGFjaGlldmVkIHdoZW4NCiBsYXJnZSBudW1iZXJzIG9mIGVuZCBub2RlcyBy
ZS1rZXkuJm5ic3A7IE91ciBkcmFmdCBpcyB3cml0dGVuIGFzIGFuIGVtYmVkZGFibGUgbWV0aG9k
IHN1aXRhYmxlIGZvciBpbmNsdXNpb24gaW4gSTJOU0YgZHJhZnRzIGFuZCBvdGhlcnMuPG86cD48
L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt
c2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj48
bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz
dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNh
bnMtc2VyaWYiPkkgd291bGQgYmUgaGFwcHkgdG8gc3BlYWsgdG8gdGhpcyBpbiBJMk5TRiBhcyB3
ZWxsIGlmIHlvdSBsaWtlLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGli
cmkmcXVvdDssc2Fucy1zZXJpZiI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xh
c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6
JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5EYXZlPG86cD48L286cD48L3NwYW4+PC9w
Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9u
dC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj48bzpwPiZuYnNwOzwvbzpw
Pjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl
OjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPjxvOnA+
Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXYgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci10
b3A6c29saWQgI0I1QzRERiAxLjBwdDtwYWRkaW5nOjMuMHB0IDBpbiAwaW4gMGluIj4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj48Yj48c3BhbiBzdHlsZT0i
Y29sb3I6YmxhY2siPkZyb206IDwvc3Bhbj4NCjwvYj48c3BhbiBzdHlsZT0iY29sb3I6YmxhY2si
PkkybnNmICZsdDtpMm5zZi1ib3VuY2VzQGlldGYub3JnJmd0OyBvbiBiZWhhbGYgb2YgTGluZGEg
RHVuYmFyICZsdDtsaW5kYS5kdW5iYXJAaHVhd2VpLmNvbSZndDs8YnI+DQo8Yj5EYXRlOiA8L2I+
TW9uZGF5LCBKdWx5IDE2LCAyMDE4IGF0IDExOjE3IFBNPGJyPg0KPGI+VG86IDwvYj5Zb2F2IE5p
ciAmbHQ7eW5pci5pZXRmQGdtYWlsLmNvbSZndDssIElQc2VjTUUgV0cgJmx0O2lwc2VjQGlldGYu
b3JnJmd0Ozxicj4NCjxiPkNjOiA8L2I+JnF1b3Q7aTJuc2ZAaWV0Zi5vcmcmcXVvdDsgJmx0O2ky
bnNmQGlldGYub3JnJmd0Ozxicj4NCjxiPlN1YmplY3Q6IDwvYj5bSTJuc2ZdIEhvdyBhYm91dCBz
aW1wbGlmaWVkIElLRT8gUkU6IFtJUHNlY10gSVBzZWMgRmxvdyBQcm90ZWN0aW9uIEBJMk5TRjxv
OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi
IHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdCI+
PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs
IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+VGhlcmUgYXJlIHR3byBjYXNlcyBwcm9wb3NlZCBi
eSAmbmJzcDtTRE4gY29udHJvbGxlZCBJUHNlYyBGbG93IFByb3RlY3Rpb246PG86cD48L286cD48
L3A+DQo8cCBjbGFzcz0iTXNvTGlzdFBhcmFncmFwaCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjEuMGlu
O3RleHQtaW5kZW50Oi0uMjVpbjttc28tbGlzdDpsMSBsZXZlbDEgbGZvMiI+DQo8IVtpZiAhc3Vw
cG9ydExpc3RzXT48c3BhbiBzdHlsZT0ibXNvLWxpc3Q6SWdub3JlIj4tPHNwYW4gc3R5bGU9ImZv
bnQ6Ny4wcHQgJnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7Ij4mbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsNCjwvc3Bhbj48L3NwYW4+PCFbZW5k
aWZdPkNhc2UgMSBpcyBTRE4gY29udHJvbGxlciBvbmx5IHNlbmRpbmcgZG93biB0aGUgSVBzZWMg
Y29uZmlndXJhdGlvbiBhdHRyaWJ1dGVzIHRvIEVuZCBwb2ludHMsIGFuZCBFbmQgUG9pbnRzIHN1
cHBvcnRzIHRoZSBJS0VzIGFuZCBTQSBtYWludGVuYW5jZS4NCjxvOnA+PC9vOnA+PC9wPg0KPHAg
Y2xhc3M9Ik1zb0xpc3RQYXJhZ3JhcGgiIHN0eWxlPSJtYXJnaW4tbGVmdDoxLjBpbjt0ZXh0LWlu
ZGVudDotLjI1aW47bXNvLWxpc3Q6bDEgbGV2ZWwxIGxmbzIiPg0KPCFbaWYgIXN1cHBvcnRMaXN0
c10+PHNwYW4gc3R5bGU9Im1zby1saXN0Oklnbm9yZSI+LTxzcGFuIHN0eWxlPSJmb250OjcuMHB0
ICZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7DQo8L3NwYW4+PC9zcGFuPjwhW2VuZGlmXT5DYXNl
IDIgaXMgZW5kIHBvaW50cyBub3Qgc3VwcG9ydGluZyBJS0V2Mi4gU0ROIGNvbnRyb2xsZXIgbWFu
YWdlIGFsbCB0aGUgU0EgS2V5IGNvbXB1dGF0aW9uIGFuZCBkaXN0cmlidXRlIHRvIGFsbCBlbmQg
bm9kZXMuIFdlIGhhZCBhbiBpbnRlcmltIG1lZXRpbmcgZGlzY3Vzc2luZyB0aGlzLiAoc2VlIHRo
ZSBhdHRhY2hlZCBNZWV0aW5nIG1pbnV0ZXMpLg0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+Jm5ic3A7PG86cD48L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+UXVlc3Rpb24g
dG8gSVBzZWNtZSBXRzogSG93IGFib3V0IHNvbWV0aGluZyBpbiBiZXR3ZWVuPw0KPG86cD48L286
cD48L3A+DQo8cCBjbGFzcz0iTXNvTGlzdFBhcmFncmFwaCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjEu
MGluO3RleHQtaW5kZW50Oi0uMjVpbjttc28tbGlzdDpsMCBsZXZlbDEgbGZvNCI+DQo8IVtpZiAh
c3VwcG9ydExpc3RzXT48c3BhbiBzdHlsZT0ibXNvLWxpc3Q6SWdub3JlIj4tPHNwYW4gc3R5bGU9
ImZvbnQ6Ny4wcHQgJnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7Ij4mbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsNCjwvc3Bhbj48L3NwYW4+PCFb
ZW5kaWZdPkFzc3VtZSB0aGF0IFNETiBjb250cm9sbGVyIG1haW50YWluIFRMUyAob3IgRFRMUykg
dG8gYWxsIGVuZCBwb2ludHMgZm9yIGRpc3RyaWJ1dGluZyB0aGUgSVBzZWMgY29uZmlndXJhdGlv
biBhdHRyaWJ1dGVzIChzYW1lIGFzIENhc2UgMSBhYm92ZSkuDQo8bzpwPjwvbzpwPjwvcD4NCjxw
IGNsYXNzPSJNc29MaXN0UGFyYWdyYXBoIiBzdHlsZT0ibWFyZ2luLWxlZnQ6MS4waW47dGV4dC1p
bmRlbnQ6LS4yNWluO21zby1saXN0OmwwIGxldmVsMSBsZm80Ij4NCjwhW2lmICFzdXBwb3J0TGlz
dHNdPjxzcGFuIHN0eWxlPSJtc28tbGlzdDpJZ25vcmUiPi08c3BhbiBzdHlsZT0iZm9udDo3LjBw
dCAmcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDsiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOw0KPC9zcGFuPjwvc3Bhbj48IVtlbmRpZl0+SW5z
dGVhZCBvZiB1c2luZyBJS0V2MiBmb3IgdHdvIGVuZCBwb2ludHMgKEUxICZhbXA7IEUyKSB0byBl
c3RhYmxpc2ggc2VjdXJlIGNoYW5uZWwgZmlyc3QgZm9yIFNBIG5lZ290aWF0aW9uIHB1cnBvc2Us
IEUxIGNhbiB1dGlsaXplIHRoZSBzZWN1cmUgY2hhbm5lbCBiZXR3ZWVuIEUxICZsdDstJmd0OyBT
RE4tQ29udHJvbGxlciAmbHQ7LSZndDtFMiB0byBuZWdvdGlhdGUgU0Egd2l0aCBFMiBhbmQgcmVz
cG9uc2libGUgZm9yIGl0cyBvd24NCiBTQSBjb21wdXRhdGlvbi4gPG86cD48L286cD48L3A+DQo8
cCBjbGFzcz0iTXNvTGlzdFBhcmFncmFwaCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjEuMGluO3RleHQt
aW5kZW50Oi0uMjVpbjttc28tbGlzdDpsMCBsZXZlbDEgbGZvNCI+DQo8IVtpZiAhc3VwcG9ydExp
c3RzXT48c3BhbiBzdHlsZT0ibXNvLWxpc3Q6SWdub3JlIj4tPHNwYW4gc3R5bGU9ImZvbnQ6Ny4w
cHQgJnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7Ij4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsNCjwvc3Bhbj48L3NwYW4+PCFbZW5kaWZdPkUx
JmFtcDtFMiBzdGlsbCBjb21wdXRlIFNBIGFuZCBtYWludGFpbiBTQUQuIE9ubHkgdXRpbGl6ZSB0
aGUgc2VjdXJlIGNoYW5uZWwgdGhyb3VnaCB0aGUgU0ROIGNvbnRyb2xsZXIgdG8gZXhjaGFuZ2Ug
U0EuDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4t
bGVmdDouNWluIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0
eWxlPSJtYXJnaW4tbGVmdDouNWluIj5UaGlzIG1ldGhvZCBub3Qgb25seSBkb2VzbuKAmXQgcmVx
dWlyZSB0aGUgU0ROIGNvbnRyb2xsZXIgdG8ga2VlcCBhbGwgdGhlIFNBRCBmb3IgYWxsIG5vZGVz
LCBidXQgYWxzbyBzaW1wbGlmeSBsYXJnZSBTRC1XQU4gZGVwbG95bWVudCB3aXRoIGxhcmdlIG51
bWJlciBvZiBJUHNlYyB0dW5uZWxzIGFtb25nIG1hbnkgZW5kIHBvaW50cy4NCjxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiZuYnNw
OzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0
Oi41aW4iPkFueSBvcGluaW9uPyBJc3N1ZXM/IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z
b05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPkxpbmRhIER1bmJh
cjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0
Oi41aW4iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0Nh
bGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48
L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx
dW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwv
cD4NCjxkaXY+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlkICNFMUUx
RTEgMS4wcHQ7cGFkZGluZzozLjBwdCAwaW4gMGluIDBpbiI+DQo8cCBjbGFzcz0iTXNvTm9ybWFs
IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+PGI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4w
cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5Gcm9tOjwvc3Bh
bj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2Fs
aWJyaSZxdW90OyxzYW5zLXNlcmlmIj4gSVBzZWMgW21haWx0bzppcHNlYy1ib3VuY2VzQGlldGYu
b3JnXQ0KPGI+T24gQmVoYWxmIE9mIDwvYj5Zb2F2IE5pcjxicj4NCjxiPlNlbnQ6PC9iPiBNb25k
YXksIEp1bHkgMTYsIDIwMTggMzoxMSBQTTxicj4NCjxiPlRvOjwvYj4gSVBzZWNNRSBXRyAmbHQ7
aXBzZWNAaWV0Zi5vcmcmZ3Q7PGJyPg0KPGI+U3ViamVjdDo8L2I+IFtJUHNlY10gSVBzZWMgRmxv
dyBQcm90ZWN0aW9uIEBJMk5TRjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+
DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+Jm5ic3A7PG86
cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVp
biI+SGkuPG86cD48L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9
Im1hcmdpbi1sZWZ0Oi41aW4iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K
PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPknigJlkIGxpa2Ug
dG8gZHJhdyB5b3UgYXR0ZW50aW9uIHRvIHRoZSBhZ2VuZGEgb2YgdGhlIEkyTlNGIHdvcmtpbmcg
Z3JvdXA6Jm5ic3A7PGEgaHJlZj0iaHR0cHM6Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9tZWV0aW5n
LzEwMi9tYXRlcmlhbHMvYWdlbmRhLTEwMi1pMm5zZi0wMCI+aHR0cHM6Ly9kYXRhdHJhY2tlci5p
ZXRmLm9yZy9tZWV0aW5nLzEwMi9tYXRlcmlhbHMvYWdlbmRhLTEwMi1pMm5zZi0wMDwvYT48bzpw
PjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJt
YXJnaW4tbGVmdDouNWluIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw
IGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5UaGUgSTJOU0Ygd29y
a2luZyBncm91cCB3aWxsIG1lZXQgb24gV2VkbmVzZGF5IGFmdGVyIGx1bmNoLiBPbiB0aGUgYWdl
bmRhLCB0aGVyZSBpcyB0aGlzIGl0ZW0gd2hpY2ggbWF5IGJlIG9mIGludGVyZXN0IHRvIElQc2Vj
IGZvbGtzOjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h
bCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+
DQo8ZGl2Pg0KPHByZSBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbjt3b3JkLXdyYXA6IGJyZWFrLXdv
cmQ7d2hpdGUtc3BhY2U6cHJlLXdyYXAiPjEzOjQ1LTE0OjAwIElQc2VjIEZsb3cgUHJvdGVjdGlv
biAoMTUgbWluKTogUmFmYSBNYXLDrW4tTMOzcGV6PG86cD48L286cD48L3ByZT4NCjxkaXY+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+SW4gY2FzZSB5b3Ug
aGF2ZW7igJl0IGJlZW4gZm9sbG93aW5nLCB0aGUgSVBzZWMgZmxvdyBkcmFmdCB3YXMgYWRvcHRl
ZCBieSBJMk5TRi4gVGhlIGF1dGhvcnMgYXJlIG1ha2luZyBwcm9ncmVzcywgaW5jbHVkaW5nIG9w
ZW4gc291cmNlIGltcGxlbWVudGF0aW9ucy48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+
DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiZu
YnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIg
c3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPk9uZSBpc3N1ZSB0aGF0IG1heSBjb21lIHVwIGluIHRo
ZSBkaXNjdXNzaW9uIChlaXRoZXIgYXQgSTJOU0Ygb3IgaGVyZSkgaXMgdGhhdCBvdGhlciBkcmFm
dHMgYWJvdXQgY29udHJvbGxpbmcgSVBzZWMgVlBOcyB3aXRoIFNETiAoWzFdLFsyXSkgYXJlIGNv
bWluZyB1cC4gSeKAmW0gd29uZGVyaW5nIGlmIHRoZXNlIGFyZSBjb21wZXRpbmcsIGNvbXBsZW1l
bnRhcnksIG9yDQogd2hhdD88bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNz
PSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj4mbmJzcDs8bzpwPjwvbzpwPjwv
cD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVm
dDouNWluIj5XZeKAmWxsIGJlIGdsYWQgdG8gc2VlIHlvdSBhbGwgdGhlcmUuPG86cD48L286cD48
L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxl
ZnQ6LjVpbiI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+WW9hdjxvOnA+PC9vOnA+PC9wPg0K
PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41
aW4iPihjby1jaGFpciBvZiBJMk5TRik8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw
IGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj4mbmJzcDs8bzpwPjwv
bzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJn
aW4tbGVmdDouNWluIj5bMV0mbmJzcDs8YSBocmVmPSJodHRwczovL3Rvb2xzLmlldGYub3JnL2h0
bWwvZHJhZnQtY2FycmVsLWlwc2VjbWUtY29udHJvbGxlci1pa2UtMDAiPmh0dHBzOi8vdG9vbHMu
aWV0Zi5vcmcvaHRtbC9kcmFmdC1jYXJyZWwtaXBzZWNtZS1jb250cm9sbGVyLWlrZS0wMDwvYT48
bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxl
PSJtYXJnaW4tbGVmdDouNWluIj5bMl0mbmJzcDs8YSBocmVmPSJodHRwczovL3Rvb2xzLmlldGYu
b3JnL2h0bWwvZHJhZnQtZHVuYmFyLXNyLXNkd2FuLW92ZXItaHlicmlkLW5ldHdvcmtzLTAyIj5o
dHRwczovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtZHVuYmFyLXNyLXNkd2FuLW92ZXItaHli
cmlkLW5ldHdvcmtzLTAyPC9hPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xh
c3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiZuYnNwOzxvOnA+PC9vOnA+
PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg==

--_000_C653D797A4BD4338BFCAA02F5E7EBFE7ciscocom_--
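
The property both messages above turn on, Dave Carrel's "the controller conveys all messaging to the end nodes, it does NOT ever see the keys" and Linda Dunbar's E1 <-> SDN-Controller <-> E2 negotiation over the controller's TLS channels, as an added simulation. This is constructed for illustration and is not code from the thread, from draft-carrel-ipsecme-controller-ike or from the I2NSF flow-protection work. It assumes X25519 as the Diffie-Hellman group and HMAC-SHA256 as the key-derivation step (the thread specifies neither), carries a pure-Python X25519 so it runs with the standard library only, and the names Controller, EndPoint, relayed_negotiation and controller_generated_key are hypothetical:

```python
"""Constructed simulation of SA-key agreement relayed through an SDN controller.

E1 and E2 exchange Diffie-Hellman (X25519) public values through a controller
that forwards every message but holds no private value, so the controller's
complete transcript contains no key material.  "Case 2" from the thread, where
the controller computes the key and distributes it, is shown for contrast.
The names, the choice of X25519 and the HMAC-SHA256 KDF are assumptions of
this example, not anything the drafts specify.
"""
import hashlib
import hmac
import secrets

# ---- X25519 (RFC 7748) in pure Python; use a vetted library in production ----
_P = 2**255 - 19
_A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder as laid out in RFC 7748 section 5."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) * (da + cb) % _P
        z3 = x1 * ((da - cb) * (da - cb)) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def rfc7748_selfcheck() -> bool:
    """Alice's key pair from the RFC 7748 section 6.1 test vector."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    a_pub = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    return x25519(a, BASEPOINT) == a_pub


def derive_sa_key(shared: bytes, initiator_pub: bytes, responder_pub: bytes) -> bytes:
    """KDF (assumed): bind both public values so each side's key reflects the transcript it saw."""
    return hmac.new(shared, b"sa-key|" + initiator_pub + responder_pub, hashlib.sha256).digest()


class Controller:
    """Forwards opaque payloads between end points and keeps everything it forwarded."""

    def __init__(self) -> None:
        self.transcript = []  # (src, dst, payload): what a compromised controller would hold

    def relay(self, src: str, dst: str, payload: bytes) -> bytes:
        self.transcript.append((src, dst, payload))
        return payload

    def everything_seen(self) -> bytes:
        return b"".join(p for _, _, p in self.transcript)


class EndPoint:
    def __init__(self, name: str) -> None:
        self.name = name
        self._priv = secrets.token_bytes(32)  # never leaves this object
        self.pub = x25519(self._priv, BASEPOINT)

    def sa_key(self, peer_pub: bytes, initiator_pub: bytes, responder_pub: bytes) -> bytes:
        return derive_sa_key(x25519(self._priv, peer_pub), initiator_pub, responder_pub)


def relayed_negotiation():
    """The "something in between": E1 <-> controller <-> E2, private values stay at the ends."""
    ctrl, e1, e2 = Controller(), EndPoint("E1"), EndPoint("E2")
    pub1_at_e2 = ctrl.relay("E1", "E2", e1.pub)  # controller forwards E1's public value to E2
    pub2_at_e1 = ctrl.relay("E2", "E1", e2.pub)  # and E2's to E1
    k_e1 = e1.sa_key(pub2_at_e1, e1.pub, pub2_at_e1)
    k_e2 = e2.sa_key(pub1_at_e2, pub1_at_e2, e2.pub)
    return k_e1, k_e2, ctrl.everything_seen()


def controller_generated_key():
    """Case 2 from the thread: the controller makes the SA key and hands it out."""
    ctrl = Controller()
    key = secrets.token_bytes(32)
    ctrl.relay("controller", "E1", key)
    ctrl.relay("controller", "E2", key)
    return key, ctrl.everything_seen()


if __name__ == "__main__":
    k1, k2, seen = relayed_negotiation()
    print("relayed DH: ends agree:", k1 == k2, "| key in controller transcript:", k1 in seen)
    key, seen2 = controller_generated_key()
    print("case 2: key in controller transcript:", key in seen2)
```

Run stand-alone it reports that the two ends agree and that the key does not occur anywhere in the controller's transcript, while in the Case 2 variant it necessarily does. The relay is still on the path: a controller that actively replaced the public values in both directions would hold both shared secrets (the classic man-in-the-middle), so this design gives confidentiality against a controller that is honest-but-curious or compromised after the fact, and still depends on the endpoints' authenticated channels to the controller, or on the endpoints authenticating each other's DH values, for integrity. Binding both public values into the KDF turns any one-sided tampering into a key mismatch rather than a silent success, which is also the kind of failure the re-key synchronization Dave mentions has to surface cleanly.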


From nobody Tue Jul 17 11:29:31 2018
Return-Path: <linda.dunbar@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63BEB13102D; Tue, 17 Jul 2018 11:29:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8X78q5r2aYCk; Tue, 17 Jul 2018 11:29:19 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 839C1130DF3; Tue, 17 Jul 2018 11:29:18 -0700 (PDT)
Received: from lhreml702-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 2A7ABC2E30E52; Tue, 17 Jul 2018 19:29:14 +0100 (IST)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml702-cah.china.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.399.0; Tue, 17 Jul 2018 19:29:15 +0100
Received: from SJCEML521-MBX.china.huawei.com ([169.254.1.107]) by SJCEML701-CHM.china.huawei.com ([169.254.3.200]) with mapi id 14.03.0399.000;  Tue, 17 Jul 2018 11:29:13 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: "David Carrel (carrel)" <carrel@cisco.com>, Yoav Nir <ynir.ietf@gmail.com>, IPsecME WG <ipsec@ietf.org>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: [I2nsf] How about simplified IKE? RE: [IPsec] IPsec Flow Protection @I2NSF
Thread-Index: AQHUHfrIbM9Y5M2wnUyCwX7ZCv7IBaSTu+Ng
Date: Tue, 17 Jul 2018 18:29:13 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B0CC013@sjceml521-mbx.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com> <C653D797-A4BD-4338-BFCA-A02F5E7EBFE7@cisco.com>
In-Reply-To: <C653D797-A4BD-4338-BFCA-A02F5E7EBFE7@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.124.182.197]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B0CC013sjceml521mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/SgvrHVO0WyPdE1PiNmgF8PCtUCI>
Subject: Re: [IPsec] [I2nsf] How about simplified IKE? RE: IPsec Flow Protection @I2NSF
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 18:29:28 -0000

--_000_4A95BA014132FF49AE685FAB4B9F17F66B0CC013sjceml521mbxchi_
Content-Type: text/plain; charset="utf-8"

Dave,

That would be great! Any suggestions to provide stronger protections are appreciated.

Thanks, Linda

From: David Carrel (carrel) [mailto:carrel@cisco.com]
Sent: Tuesday, July 17, 2018 1:20 PM
To: Linda Dunbar <linda.dunbar@huawei.com>; Yoav Nir <ynir.ietf@gmail.com>; IPsecME WG <ipsec@ietf.org>
Cc: i2nsf@ietf.org
Subject: Re: [I2nsf] How about simplified IKE? RE: [IPsec] IPsec Flow Protection @I2NSF

Linda,

Brian and I put together a draft to address the Case #2 with stronger protections for key security.  We will be presenting this in the IPSECME meeting.  The highlights of the draft are that it uses Diffie-Hellman to ensure that all keys are only known to the end nodes and while the controller conveys all messaging to the end nodes, it does NOT ever see the keys.  The devilish details are in how synchronization is achieved when large numbers of end nodes re-key.  Our draft is written as an embeddable method suitable for inclusion in I2NSF drafts and others.

I would be happy to speak to this in I2NSF as well if you like.

Dave


From: I2nsf <i2nsf-bounces@ietf.org> on behalf of Linda Dunbar <linda.dunbar@huawei.com>
Date: Monday, July 16, 2018 at 11:17 PM
To: Yoav Nir <ynir.ietf@gmail.com>, IPsecME WG <ipsec@ietf.org>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>
Subject: [I2nsf] How about simplified IKE? RE: [IPsec] IPsec Flow Protection @I2NSF

There are two cases proposed by SDN controlled IPsec Flow Protection:
Ny4wcHQgJnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7Ij4mbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsNCjwvc3Bhbj48L3NwYW4+PCFbZW5kaWZdPkNhc2UgMSBpcyBT
RE4gY29udHJvbGxlciBvbmx5IHNlbmRpbmcgZG93biB0aGUgSVBzZWMgY29uZmlndXJhdGlvbiBh
dHRyaWJ1dGVzIHRvIEVuZCBwb2ludHMsIGFuZCBFbmQgUG9pbnRzIHN1cHBvcnRzIHRoZSBJS0Vz
IGFuZCBTQSBtYWludGVuYW5jZS4NCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb0xpc3RQ
YXJhZ3JhcGgiIHN0eWxlPSJtYXJnaW4tbGVmdDoxLjBpbjt0ZXh0LWluZGVudDotLjI1aW47bXNv
LWxpc3Q6bDEgbGV2ZWwxIGxmbzIiPg0KPCFbaWYgIXN1cHBvcnRMaXN0c10+PHNwYW4gc3R5bGU9
Im1zby1saXN0Oklnbm9yZSI+LTxzcGFuIHN0eWxlPSJmb250OjcuMHB0ICZxdW90O1RpbWVzIE5l
dyBSb21hbiZxdW90OyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
DQo8L3NwYW4+PC9zcGFuPjwhW2VuZGlmXT5DYXNlIDIgaXMgZW5kIHBvaW50cyBub3Qgc3VwcG9y
dGluZyBJS0V2Mi4gU0ROIGNvbnRyb2xsZXIgbWFuYWdlIGFsbCB0aGUgU0EgS2V5IGNvbXB1dGF0
aW9uIGFuZCBkaXN0cmlidXRlIHRvIGFsbCBlbmQgbm9kZXMuIFdlIGhhZCBhbiBpbnRlcmltIG1l
ZXRpbmcgZGlzY3Vzc2luZyB0aGlzLiAoc2VlIHRoZSBhdHRhY2hlZCBNZWV0aW5nIG1pbnV0ZXMp
Lg0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxl
ZnQ6LjVpbiI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls
ZT0ibWFyZ2luLWxlZnQ6LjVpbiI+UXVlc3Rpb24gdG8gSVBzZWNtZSBXRzogSG93IGFib3V0IHNv
bWV0aGluZyBpbiBiZXR3ZWVuPw0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTGlzdFBh
cmFncmFwaCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjEuMGluO3RleHQtaW5kZW50Oi0uMjVpbjttc28t
bGlzdDpsMCBsZXZlbDEgbGZvNCI+DQo8IVtpZiAhc3VwcG9ydExpc3RzXT48c3BhbiBzdHlsZT0i
bXNvLWxpc3Q6SWdub3JlIj4tPHNwYW4gc3R5bGU9ImZvbnQ6Ny4wcHQgJnF1b3Q7VGltZXMgTmV3
IFJvbWFuJnF1b3Q7Ij4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsN
Cjwvc3Bhbj48L3NwYW4+PCFbZW5kaWZdPkFzc3VtZSB0aGF0IFNETiBjb250cm9sbGVyIG1haW50
YWluIFRMUyAob3IgRFRMUykgdG8gYWxsIGVuZCBwb2ludHMgZm9yIGRpc3RyaWJ1dGluZyB0aGUg
SVBzZWMgY29uZmlndXJhdGlvbiBhdHRyaWJ1dGVzIChzYW1lIGFzIENhc2UgMSBhYm92ZSkuDQo8
bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29MaXN0UGFyYWdyYXBoIiBzdHlsZT0ibWFyZ2lu
LWxlZnQ6MS4waW47dGV4dC1pbmRlbnQ6LS4yNWluO21zby1saXN0OmwwIGxldmVsMSBsZm80Ij4N
CjwhW2lmICFzdXBwb3J0TGlzdHNdPjxzcGFuIHN0eWxlPSJtc28tbGlzdDpJZ25vcmUiPi08c3Bh
biBzdHlsZT0iZm9udDo3LjBwdCAmcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDsiPiZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOw0KPC9zcGFuPjwvc3Bhbj48IVtlbmRp
Zl0+SW5zdGVhZCBvZiB1c2luZyBJS0V2MiBmb3IgdHdvIGVuZCBwb2ludHMgKEUxICZhbXA7IEUy
KSB0byBlc3RhYmxpc2ggc2VjdXJlIGNoYW5uZWwgZmlyc3QgZm9yIFNBIG5lZ290aWF0aW9uIHB1
cnBvc2UsIEUxIGNhbiB1dGlsaXplIHRoZSBzZWN1cmUgY2hhbm5lbCBiZXR3ZWVuIEUxICZsdDst
Jmd0OyBTRE4tQ29udHJvbGxlciAmbHQ7LSZndDtFMiB0byBuZWdvdGlhdGUgU0Egd2l0aCBFMiBh
bmQgcmVzcG9uc2libGUgZm9yIGl0cyBvd24NCiBTQSBjb21wdXRhdGlvbi4gPG86cD48L286cD48
L3A+DQo8cCBjbGFzcz0iTXNvTGlzdFBhcmFncmFwaCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjEuMGlu
O3RleHQtaW5kZW50Oi0uMjVpbjttc28tbGlzdDpsMCBsZXZlbDEgbGZvNCI+DQo8IVtpZiAhc3Vw
cG9ydExpc3RzXT48c3BhbiBzdHlsZT0ibXNvLWxpc3Q6SWdub3JlIj4tPHNwYW4gc3R5bGU9ImZv
bnQ6Ny4wcHQgJnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7Ij4mbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsNCjwvc3Bhbj48L3NwYW4+PCFbZW5kaWZdPkUxJmFtcDtF
MiBzdGlsbCBjb21wdXRlIFNBIGFuZCBtYWludGFpbiBTQUQuIE9ubHkgdXRpbGl6ZSB0aGUgc2Vj
dXJlIGNoYW5uZWwgdGhyb3VnaCB0aGUgU0ROIGNvbnRyb2xsZXIgdG8gZXhjaGFuZ2UgU0EuDQo8
bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDou
NWluIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJt
YXJnaW4tbGVmdDouNWluIj5UaGlzIG1ldGhvZCBub3Qgb25seSBkb2VzbuKAmXQgcmVxdWlyZSB0
aGUgU0ROIGNvbnRyb2xsZXIgdG8ga2VlcCBhbGwgdGhlIFNBRCBmb3IgYWxsIG5vZGVzLCBidXQg
YWxzbyBzaW1wbGlmeSBsYXJnZSBTRC1XQU4gZGVwbG95bWVudCB3aXRoIGxhcmdlIG51bWJlciBv
ZiBJUHNlYyB0dW5uZWxzIGFtb25nIG1hbnkgZW5kIHBvaW50cy4NCjxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiZuYnNwOzxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4i
PkFueSBvcGluaW9uPyBJc3N1ZXM/IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h
bCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh
c3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPkxpbmRhIER1bmJhcjxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4i
PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm
cXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48
L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+PHNwYW4g
c3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90Oyxz
YW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxk
aXY+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlkICNFMUUxRTEgMS4w
cHQ7cGFkZGluZzozLjBwdCAwaW4gMGluIDBpbiI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls
ZT0ibWFyZ2luLWxlZnQ6LjVpbiI+PGI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9u
dC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5Gcm9tOjwvc3Bhbj48L2I+
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx
dW90OyxzYW5zLXNlcmlmIj4gSVBzZWMgWzxhIGhyZWY9Im1haWx0bzppcHNlYy1ib3VuY2VzQGll
dGYub3JnIj5tYWlsdG86aXBzZWMtYm91bmNlc0BpZXRmLm9yZzwvYT5dDQo8Yj5PbiBCZWhhbGYg
T2YgPC9iPllvYXYgTmlyPGJyPg0KPGI+U2VudDo8L2I+IE1vbmRheSwgSnVseSAxNiwgMjAxOCAz
OjExIFBNPGJyPg0KPGI+VG86PC9iPiBJUHNlY01FIFdHICZsdDs8YSBocmVmPSJtYWlsdG86aXBz
ZWNAaWV0Zi5vcmciPmlwc2VjQGlldGYub3JnPC9hPiZndDs8YnI+DQo8Yj5TdWJqZWN0OjwvYj4g
W0lQc2VjXSBJUHNlYyBGbG93IFByb3RlY3Rpb24gQEkyTlNGPC9zcGFuPjxvOnA+PC9vOnA+PC9w
Pg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVm
dDouNWluIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxl
PSJtYXJnaW4tbGVmdDouNWluIj5IaS48bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+Jm5ic3A7PG86cD48L286cD48L3A+
DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6
LjVpbiI+SeKAmWQgbGlrZSB0byBkcmF3IHlvdSBhdHRlbnRpb24gdG8gdGhlIGFnZW5kYSBvZiB0
aGUgSTJOU0Ygd29ya2luZyBncm91cDombmJzcDs8YSBocmVmPSJodHRwczovL2RhdGF0cmFja2Vy
LmlldGYub3JnL21lZXRpbmcvMTAyL21hdGVyaWFscy9hZ2VuZGEtMTAyLWkybnNmLTAwIj5odHRw
czovL2RhdGF0cmFja2VyLmlldGYub3JnL21lZXRpbmcvMTAyL21hdGVyaWFscy9hZ2VuZGEtMTAy
LWkybnNmLTAwPC9hPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z
b05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0K
PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41
aW4iPlRoZSBJMk5TRiB3b3JraW5nIGdyb3VwIHdpbGwgbWVldCBvbiBXZWRuZXNkYXkgYWZ0ZXIg
bHVuY2guIE9uIHRoZSBhZ2VuZGEsIHRoZXJlIGlzIHRoaXMgaXRlbSB3aGljaCBtYXkgYmUgb2Yg
aW50ZXJlc3QgdG8gSVBzZWMgZm9sa3M6PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+Jm5ic3A7PG86cD48
L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cHJlIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluO3dv
cmQtd3JhcDogYnJlYWstd29yZDt3aGl0ZS1zcGFjZTpwcmUtd3JhcCI+MTM6NDUtMTQ6MDAgSVBz
ZWMgRmxvdyBQcm90ZWN0aW9uICgxNSBtaW4pOiBSYWZhIE1hcsOtbi1Mw7NwZXo8bzpwPjwvbzpw
PjwvcHJlPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDou
NWluIj5JbiBjYXNlIHlvdSBoYXZlbuKAmXQgYmVlbiBmb2xsb3dpbmcsIHRoZSBJUHNlYyBmbG93
IGRyYWZ0IHdhcyBhZG9wdGVkIGJ5IEkyTlNGLiBUaGUgYXV0aG9ycyBhcmUgbWFraW5nIHByb2dy
ZXNzLCBpbmNsdWRpbmcgb3BlbiBzb3VyY2UgaW1wbGVtZW50YXRpb25zLjxvOnA+PC9vOnA+PC9w
Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFy
Z2luLWxlZnQ6LjVpbiI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBj
bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+T25lIGlzc3VlIHRoYXQg
bWF5IGNvbWUgdXAgaW4gdGhlIGRpc2N1c3Npb24gKGVpdGhlciBhdCBJMk5TRiBvciBoZXJlKSBp
cyB0aGF0IG90aGVyIGRyYWZ0cyBhYm91dCBjb250cm9sbGluZyBJUHNlYyBWUE5zIHdpdGggU0RO
IChbMV0sWzJdKSBhcmUgY29taW5nIHVwLiBJ4oCZbSB3b25kZXJpbmcgaWYgdGhlc2UgYXJlIGNv
bXBldGluZywgY29tcGxlbWVudGFyeSwgb3INCiB3aGF0PzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+
DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiZu
YnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIg
c3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPldl4oCZbGwgYmUgZ2xhZCB0byBzZWUgeW91IGFsbCB0
aGVyZS48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi
IHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0K
PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5Zb2F2
PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls
ZT0ibWFyZ2luLWxlZnQ6LjVpbiI+KGNvLWNoYWlyIG9mIEkyTlNGKTxvOnA+PC9vOnA+PC9wPg0K
PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41
aW4iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v
cm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPlsxXSZuYnNwOzxhIGhyZWY9Imh0dHBzOi8v
dG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1jYXJyZWwtaXBzZWNtZS1jb250cm9sbGVyLWlrZS0w
MCI+aHR0cHM6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWNhcnJlbC1pcHNlY21lLWNvbnRy
b2xsZXItaWtlLTAwPC9hPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9
Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPlsyXSZuYnNwOzxhIGhyZWY9Imh0
dHBzOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1kdW5iYXItc3Itc2R3YW4tb3Zlci1oeWJy
aWQtbmV0d29ya3MtMDIiPmh0dHBzOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1kdW5iYXIt
c3Itc2R3YW4tb3Zlci1oeWJyaWQtbmV0d29ya3MtMDI8L2E+PG86cD48L286cD48L3A+DQo8L2Rp
dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+
Jm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9odG1sPg0K

--_000_4A95BA014132FF49AE685FAB4B9F17F66B0CC013sjceml521mbxchi_--


From nobody Tue Jul 17 11:56:59 2018
Return-Path: <dharkins@lounge.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51C57130E08 for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 11:56:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Frm4D_1usP7P for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 11:56:54 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C729C130DF3 for <ipsec@ietf.org>; Tue, 17 Jul 2018 11:56:54 -0700 (PDT)
Received: from trixy.bergandi.net ([76.93.146.89]) by wwwlocal.goatley.com (PMDF V6.7-x02 #1001) with ESMTP id <0PC000IBKXYUJY@wwwlocal.goatley.com> for ipsec@ietf.org; Tue, 17 Jul 2018 13:56:54 -0500 (CDT)
Received: from thinny.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #1001) with ESMTPSA id <0PC000BIGXY9UU@trixy.bergandi.net> for ipsec@ietf.org; Tue, 17 Jul 2018 11:56:34 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO thinny.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Tue, 17 Jul 2018 11:56:34 -0700
Date: Tue, 17 Jul 2018 11:56:52 -0700
From: Daniel Harkins <dharkins@lounge.org>
In-reply-to: <4CA644B5-5668-48BD-A2D1-5E9EE1AAF7AD@cisco.com>
To: ipsec@ietf.org
Message-id: <f681c87d-d763-3be2-66c9-8375377d9f28@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_lXdfgzreb0r1/6SR4Bl2+g)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO thinny.local)
References: <4CA644B5-5668-48BD-A2D1-5E9EE1AAF7AD@cisco.com>
X-PMAS-Software: PreciseMail V3.3 [180712] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mGyej_G1SotEsmR3LgLD96AhYHY>
Subject: Re: [IPsec] draft-carrel-ipsecme-controller-ike-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 18:56:58 -0000

This is a multi-part message in MIME format.

--Boundary_(ID_lXdfgzreb0r1/6SR4Bl2+g)
Content-type: text/plain; charset=utf-8; format=flowed
Content-transfer-encoding: 8BIT


   Hey Dave,

   I like your draft, and I have a few comments...

1. It seems both A and B are trusting their receipt of each other's
public key because it comes from the controller. That would imply that
the message from Controller --> [A|B] needs to be protected with some
key shared between the Controller and the recipient. Might I suggest
a deterministic key-wrapping technique like RFC 5297? So if A gets
B's public key (and some identity of B) all wrapped in a message
secured with a secret known only by the Controller, then A can
assume that the trusted third party (Controller) actually sent it
and therefore its contents can be trusted.

2. there's no proof of possession of the secret before its use in a
protocol that requires trust of the key (ESP). It's a Diffie-Hellman
exchange and then direct use of a resultant key. Is this a problem?
If not, you should explain why (e.g. in Security Considerations).

3. there is a lot of text covering the various scenarios-- initial
keying, rekeying, asymmetric rekeying-- that makes this kind of
complicated. What if you made a simple peer-to-peer state machine
for each peer (A and B) a la what I did for IKEv3? So you send a
DH public value or receive a DH public value and are in an awaiting
state, you get a DH public value or send a DH public value, respectively,
and advance state. That way every keying, including rekeying, is done
the same way. It might make for a simpler description too. It would
be a simple key derivation tree based on time starting at n=0:

If An and Bn are the nth Diffie-Hellman values sent by A and B,
respectively, and NAn and NBn are the nth nonces sent by A and B,
respectively, then it becomes:

   Sn = DH(An, Bn)
   rxn | txn | kn = HKDF(min(NAn, NBn) | max(NAn, NBn),
                         Sn, "Controller IKE Key Derivation")

where rxn and txn are used in the ESP SAs and kn is used for
subsequent key management. Then for n = 0, you have NULL nonces and
A0 and B0 are the initial DH public values received from the Controller.
Each n > 0 uses n-1 for protection of the nth exchange.

Then to rekey, either side initiates. For example, assume Bob initiates
at time n where {N}m indicates RFC 5297 encryption of plaintext N using
key m:

   <-- { Bn, NBn }kn-1

then he waits for Alice (or really they could both "initiate"
simultaneously, it would work just fine):

   ---> {An, NAn }kn-1

Their ability to unwrap the new public key and nonce using the previously
authenticated secret provides the necessary authentication to the current,
nth, key exchange. Then they generate new rxn, txn, and kn and continue.

   regards,

   Dan.

On 7/2/18 1:53 PM, David Carrel (carrel) wrote:
>
> Folks,
>
> Brian and I posted the following draft this morning:
>
> URL: 
> https://www.ietf.org/internet-drafts/draft-carrel-ipsecme-controller-ike-00.txt
>
> Htmlized: 
> https://tools.ietf.org/html/draft-carrel-ipsecme-controller-ike-00
>
> Htmlized: 
> https://datatracker.ietf.org/doc/html/draft-carrel-ipsecme-controller-ike
>
> We would appreciate any discussion and feedback.  The motivation for 
> this work began in very large SD-WAN network implementations where 
> there is full-mesh, multi-path IPsec connections between 10s of 
> thousands of nodes, and where bi-directional peer-to-peer connectivity 
> is not always present.  In these networks, centralized controllers do 
> actively manage all IPsec endpoints.  With this approach, we are 
> looking to reduce session establishment time, improve scalability and 
> preserve confidentiality of IPsec keys.  Without direct peer-to-peer 
> key messages, synchronization becomes a key challenge and we have also 
> provided a solution for that.
>
> This method would be compatible with an I2NSF controller based 
> approach.  Additionally, we have had interest from other use cases for 
> a controller based key management scheme.  So we are proposing this as 
> a method that can be used within multiple controller based management 
> protocols to provide endpoint key management.
>
> David Carrel
>
> carrel@cisco.com <mailto:carrel@cisco.com>
>
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec


--Boundary_(ID_lXdfgzreb0r1/6SR4Bl2+g)--
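Worked example, added here and not code from Dan's message or from the Carrel draft: a runnable Python model of the per-peer state machine and key schedule sketched in Dan's point 3 above (Sn = DH(An, Bn); rxn | txn | kn = HKDF(min(NAn, NBn) | max(NAn, NBn), Sn, "Controller IKE Key Derivation"); rekey by sending {Xn, NXn} wrapped under kn-1). The assumptions are mine, not the message's: the RFC 3526 group 14 modulus is transcribed from memory and should be checked against the RFC; the {N}m wrapper is an HMAC-SHA256 construction in the synthetic-IV shape of RFC 5297 standing in for AES-SIV, which the Python standard library does not provide; the rx/tx/kn sizes, the 320-bit private exponent, the public-value||nonce message encoding, and the rule that the peer with the smaller public value transmits under the first derived key (the message does not say how rx and tx are assigned) are choices made for the example. It runs the n = 0 bootstrap with NULL nonces and controller-relayed A0/B0, a one-sided rekey, a simultaneous rekey, and shows that a message wrapped under k0 no longer unwraps once both sides have moved on to k1, which is the authentication property Dan describes.

```python
"""Model of the per-peer state machine and key schedule sketched above.
Illustrative code with its own assumptions; it is not the draft's protocol."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: RFC 3526 group 14 (2048-bit MODP, generator 2), transcribed here;
# verify it against the RFC before relying on it.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
INFO = b"Controller IKE Key Derivation"      # the info string from the message
KEYLEN, KM_LEN = 32, 64                       # ESP key size and kn size: assumptions


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256; an empty salt means HashLen zero bytes, per the RFC."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]


def _xor_stream(k_enc: bytes, siv: bytes, data: bytes) -> bytes:
    out = bytearray()
    for j in range(0, len(data), 32):          # keystream block = HMAC(k_enc, siv || ctr)
        blk = hmac.new(k_enc, siv + (j // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[j:j + 32], blk))
    return bytes(out)


def siv_wrap(key: bytes, pt: bytes) -> bytes:
    """Deterministic authenticated wrap in the synthetic-IV shape of RFC 5297. Stand-in
    for AES-SIV (no AES in the stdlib): HMAC over the plaintext is both IV and tag."""
    siv = hmac.new(key[:32], pt, hashlib.sha256).digest()[:16]
    return siv + _xor_stream(key[32:64], siv, pt)


def siv_unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of siv_wrap; raises unless blob was wrapped under exactly this key."""
    siv, pt = blob[:16], _xor_stream(key[32:64], blob[:16], blob[16:])
    if not hmac.compare_digest(hmac.new(key[:32], pt, hashlib.sha256).digest()[:16], siv):
        raise ValueError("unwrap failed: not wrapped under k(n-1)")
    return pt


@dataclass
class Peer:
    n: int = -1              # current epoch; kn of this epoch wraps epoch n+1
    rx: bytes = b""
    tx: bytes = b""
    k: bytes = b""
    _mine: tuple = None      # (priv, pub, nonce) we generated for epoch n+1
    _theirs: tuple = None    # (pub, nonce) received for epoch n+1

    def generate(self, nonce_len: int = 32) -> int:
        """Fresh DH pair and nonce for the next epoch; returns the public value."""
        priv = secrets.randbits(320)                # exponent size: assumption
        self._mine = (priv, pow(G, priv, P), secrets.token_bytes(nonce_len))
        return self._mine[1]

    def bootstrap(self, peer_pub_from_controller: int) -> None:
        """n = 0: NULL nonces, A0/B0 relayed by the controller. Authenticating that
        relay (Dan's point 1) is outside this model."""
        self._theirs = (peer_pub_from_controller, b"")
        self._advance()

    def start_rekey(self) -> bytes:
        """Either side sends {Xn, NXn} wrapped under kn-1 (the current self.k)."""
        if self._mine is None:
            self.generate()
        return siv_wrap(self.k, self._mine[1].to_bytes(256, "big") + self._mine[2])

    def receive(self, blob: bytes):
        """Unwrap with kn-1, answer if we have not sent ours yet, then advance.
        One-sided and simultaneous initiation take the same path."""
        body = siv_unwrap(self.k, blob)
        self._theirs = (int.from_bytes(body[:256], "big"), body[256:])
        reply = None if self._mine is not None else self.start_rekey()
        self._advance()
        return reply

    def _advance(self) -> None:
        priv, pub, nonce = self._mine
        peer_pub, peer_nonce = self._theirs
        self._mine = self._theirs = None
        self.n += 1
        shared = pow(peer_pub, priv, P).to_bytes(256, "big")        # Sn = DH(An, Bn)
        salt = min(nonce, peer_nonce) + max(nonce, peer_nonce)     # same on both sides
        okm = hkdf_sha256(salt, shared, INFO, 2 * KEYLEN + KM_LEN)
        k1, k2, self.k = okm[:KEYLEN], okm[KEYLEN:2 * KEYLEN], okm[2 * KEYLEN:]
        # Assumption: smaller public value transmits under k1. Keys go into use here
        # with no key-confirmation step, which is the gap Dan's point 2 raises.
        self.tx, self.rx = (k1, k2) if pub < peer_pub else (k2, k1)


def bootstrap_pair():
    """Epoch 0 for A and B, with the controller relaying A0 and B0 between them."""
    a, b = Peer(), Peer()
    a0, b0 = a.generate(nonce_len=0), b.generate(nonce_len=0)
    a.bootstrap(b0)
    b.bootstrap(a0)
    return a, b
```

bootstrap_pair() returns both peers at epoch 0; call start_rekey() on either one, hand the blob to the other's receive(), and pass any reply back. The controller relay is simulated by passing the public values directly, so the block runs offline with no network.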


From nobody Tue Jul 17 13:36:46 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A7C9130DE6 for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 13:36:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4xXetRcspcv3 for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 13:36:44 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A511B130DE2 for <ipsec@ietf.org>; Tue, 17 Jul 2018 13:36:43 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6HKaexh016738 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 17 Jul 2018 23:36:40 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6HKaei6022911; Tue, 17 Jul 2018 23:36:40 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23374.21336.235050.583184@fireball.acr.fi>
Date: Tue, 17 Jul 2018 23:36:40 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Valery Smyslov" <smyslov.ietf@gmail.com>
Cc: <ipsec@ietf.org>
In-Reply-To: <036001d41de2$7dbc8bf0$7935a3d0$@gmail.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <036001d41de2$7dbc8bf0$7935a3d0$@gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 8 min
X-Total-Time: 8 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/vtp0cZMdo2Vs2LmS6n212A6IxSk>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 20:36:45 -0000

Valery Smyslov writes:
> my concern is that these MODP groups will have public keys of 1.5-2
> Kb in size, so it can make using them problematic in real world due
> to fragmentation issues...

In most of those cases the uses are not really road warriors or
similar setups, but more in a line of SGW between two offices, and the
network can often be required to behave properly. I.e., if your
company's ISP drops all fragments, better switch to another ISP or
complain to the ISP and require them to fix the issue. This is very
different than normal cases where there is no point of trying to get
big UDP packets through the hotel captive portal, or NAT etc.

We were mostly able to get IKE to work with certificates and so even
before IKE fragmentation with similar packet sizes, and we do have
text in section 2 of RFC 7296 which says that implementations SHOULD
work with 3000-octet-long packets:

   All IKEv2 implementations MUST be able to send, receive, and process
   IKE messages that are up to 1280 octets long, and they SHOULD be able
   to send, receive, and process messages that are up to 3000 octets
   long.  

This of course does not mean that long packets work through your
network, but in an SGW <-> SGW setting that can quite often be taken
care of. IKEv2 implementations themselves should still work with such
packets if the network works.
-- 
kivinen@iki.fi


From nobody Tue Jul 17 14:12:04 2018
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48C7F130DEB; Tue, 17 Jul 2018 14:12:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9lVXO3g2kMa; Tue, 17 Jul 2018 14:11:58 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6883129C6B; Tue, 17 Jul 2018 14:11:57 -0700 (PDT)
Received: from lhreml708-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 66FD664BBE9E9; Tue, 17 Jul 2018 22:11:52 +0100 (IST)
Received: from DGGEML402-HUB.china.huawei.com (10.3.17.38) by lhreml708-cah.china.huawei.com (10.201.108.49) with Microsoft SMTP Server (TLS) id 14.3.399.0; Tue, 17 Jul 2018 22:11:52 +0100
Received: from DGGEML522-MBX.china.huawei.com ([169.254.7.38]) by DGGEML402-HUB.china.huawei.com ([fe80::fca6:7568:4ee3:c776%31]) with mapi id 14.03.0382.000; Wed, 18 Jul 2018 05:11:38 +0800
From: "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Linda Dunbar <linda.dunbar@huawei.com>
CC: IPsecME WG <ipsec@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: [I2nsf] How about simplified IKE? RE: [IPsec] IPsec Flow Protection @I2NSF
Thread-Index: AdQded/1kRiNEMLaSMyP+ZJwQpIh+f//l6WA//57hmA=
Date: Tue, 17 Jul 2018 21:11:37 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12BE6BFB8@DGGEML522-MBX.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com> <B4ED9CE5-EA34-4847-86FB-202A06C19515@gmail.com>
In-Reply-To: <B4ED9CE5-EA34-4847-86FB-202A06C19515@gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.124.182.231]
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F12BE6BFB8DGGEML522MBXchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/T8B82jyBZEU0KT6WbJK8f5CHMIk>
Subject: [IPsec] Reply: [I2nsf] How about simplified IKE? RE: IPsec Flow Protection @I2NSF
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 21:12:01 -0000



From nobody Tue Jul 17 14:17:19 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5403A130E46 for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 14:17:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FU1ieUwossRv for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 14:17:16 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7C54130DEB for <ipsec@ietf.org>; Tue, 17 Jul 2018 14:17:15 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6HLH7LJ027727 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 18 Jul 2018 00:17:07 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6HLH6lN018388; Wed, 18 Jul 2018 00:17:06 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23374.23762.892194.932776@fireball.acr.fi>
Date: Wed, 18 Jul 2018 00:17:06 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Scott Fluhrer \(sfluhrer\)" <sfluhrer@cisco.com>
Cc: "ipsec\@ietf.org" <ipsec@ietf.org>
In-Reply-To: <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 19 min
X-Total-Time: 39 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/DlJtDBJzKDNeNv_hdlTDF2lP9vo>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 21:17:18 -0000

Scott Fluhrer (sfluhrer) writes:
> If the requirement for AES-256 is to handle the scenario "someone
> gets a quantum computer", then in that scenario, there is no
> realistic DH group size that is secure.

That we do not know until we know what those quantum computers can
really do... I have not seen anybody saying how many qubits you need to
break MODP-2048. Most of the things I have seen talk about factoring
RSA, and even then they do not provide numbers.

draft-hoffman-c2pq also says that we might have machines breaking
AES-128 before we have machines that can break Diffie-Hellman,
i.e., it is most likely easier to make a machine running Grover's
algorithm than a machine running Shor's algorithm.

> Hence, I personally see no point in allocating IANA numbers for the
> larger than 8k MODP groups. The only scenario I can think of where
> they might be useful would be one where all of the following apply:
> 
> 	- We believe that there's an adversary that can perform
> 	  significantly more than circa 2**128 computations
> 	- We are not concerned with adversaries with a Quantum Computer
> 	- For some reason, we don't want to use ECDH.

Or cases where a customer requires your product to support a 256-bit
security level. Perhaps they read in a paper that 128 bits is too
little if someone gets a quantum computer and that's why 256-bit
security is what you need. I.e., there is no real security reason for
that, just being able to tick the check box saying "supports a
security level of 256 bits".

To provide that you need AES-256 and SHA2-512 for the symmetric parts,
and then either P-521 or MODP-15360 for Diffie-Hellman. If you do not
have ECDH in your implementation, it is much easier to just add
MODP-16384 to the configuration, especially as the main reason is to
tick that check box.
-- 
kivinen@iki.fi
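Added example, not from the thread or any participant: it puts the two sides of this discussion on one table, the on-the-wire cost of a large MODP group in IKE_SA_INIT measured against the RFC 7296 section 2 limits quoted earlier (1280 octets MUST, 3000 octets SHOULD) and the number of IPv4 fragments it forces, next to the classical security strength each group buys according to the NIST SP 800-57 Part 1 comparable-strength table, plus the weakest-link check for the "256-bit security level" suite. It assumes a 40-octet SA payload, a 32-octet nonce and the two NAT detection notifies; MODP-12288 and MODP-16384 are the sizes under discussion, not registered IANA groups.

```python
"""
Estimate IKE_SA_INIT size per Diffie-Hellman group, classify it against the
RFC 7296 section 2 limits, count the IPv4 fragments it would need, and look up
the classical security strength of the group (SP 800-57 Part 1, Table 2).

Assumptions (constructed for this example): 40-octet SA payload (one proposal,
four transforms), 32-octet nonce, two NAT_DETECTION_*_IP notifies present.
"""

# Fixed IKEv2 encoding sizes (RFC 7296 section 3).
IKE_HEADER_LEN = 28            # 2 SPIs, next/version/exchange/flags, msg id, length
GENERIC_HDR_LEN = 4            # next payload, critical bit, reserved, payload length
KE_FIXED_LEN = GENERIC_HDR_LEN + 4      # + DH group number + reserved
NOTIFY_FIXED_LEN = GENERIC_HDR_LEN + 4  # + protocol id, SPI size, notify type
NAT_DETECTION_HASH_LEN = 20    # NAT_DETECTION_*_IP data is a SHA-1 hash
NONCE_LEN = 32                 # assumption; RFC 7296 allows 16..256 octets
SA_PAYLOAD_LEN = 40            # assumption: one proposal, four transforms

MUST_LIMIT, SHOULD_LIMIT = 1280, 3000   # RFC 7296 section 2

# Key exchange data length in octets: MODP groups carry the whole field element
# (group size / 8), ECP groups carry x || y, Curve25519 carries 32 octets.
# MODP-12288 and MODP-16384 are the proposed sizes from this thread.
KE_DATA_LEN = {
    "MODP-2048": 256, "MODP-3072": 384, "MODP-4096": 512,
    "MODP-8192": 1024, "MODP-12288": 1536, "MODP-16384": 2048,
    "ECP-256": 64, "ECP-384": 96, "ECP-521": 132, "Curve25519": 32,
}

# Classical security strength in bits (SP 800-57 Part 1 rev. 5, Table 2).
# FFDH sizes not listed there are floored to the largest listed size that does
# not exceed them, which is deliberately conservative.
FFDH_STRENGTH = {2048: 112, 3072: 128, 7680: 192, 15360: 256}
ECDH_STRENGTH = {"ECP-256": 128, "ECP-384": 192, "ECP-521": 256,
                 "Curve25519": 128}


def ke_payload_len(group: str) -> int:
    """Length of the KE payload carrying this group's public value."""
    return KE_FIXED_LEN + KE_DATA_LEN[group]


def ike_sa_init_len(group: str, nat_detection: bool = True) -> int:
    """Estimated IKE_SA_INIT length: header + SA + KE + nonce (+ NAT-D notifies)."""
    nonce = GENERIC_HDR_LEN + NONCE_LEN
    natd = 2 * (NOTIFY_FIXED_LEN + NAT_DETECTION_HASH_LEN) if nat_detection else 0
    return IKE_HEADER_LEN + SA_PAYLOAD_LEN + ke_payload_len(group) + nonce + natd


def rfc7296_class(length: int) -> str:
    """Which RFC 7296 section 2 size requirement covers a message of this length."""
    if length <= MUST_LIMIT:
        return "MUST"       # every implementation must handle it
    if length <= SHOULD_LIMIT:
        return "SHOULD"     # implementations should handle it
    return "EXCEEDS"        # beyond what the RFC asks implementations to support


def ipv4_fragments(ike_len: int, mtu: int = 1500) -> int:
    """IPv4 fragments for one IKE-over-UDP datagram. IKE_SA_INIT carries no
    Encrypted payload, so RFC 7383 IKEv2 fragmentation does not apply; the IP
    layer must fragment and every fragment has to survive the path."""
    udp_len = ike_len + 8                 # UDP header
    per_fragment = (mtu - 20) // 8 * 8    # non-final fragments are multiples of 8
    return -(-udp_len // per_fragment)    # ceiling division


def dh_strength(group: str) -> int:
    """Classical security strength of the group in bits."""
    if group in ECDH_STRENGTH:
        return ECDH_STRENGTH[group]
    bits = int(group.split("-")[1])
    listed = [size for size in FFDH_STRENGTH if size <= bits]
    return FFDH_STRENGTH[max(listed)] if listed else 0


def suite_strength(encr_bits: int, prf: str, group: str) -> dict:
    """Weakest-link strength of an IKE SA: symmetric key size, PRF collision
    strength (half the hash output length), and the DH group."""
    prf_bits = {"SHA2-256": 128, "SHA2-384": 192, "SHA2-512": 256}[prf]
    parts = {"encr": encr_bits, "prf": prf_bits, "dh": dh_strength(group)}
    weakest = min(parts, key=parts.get)
    return {"strength": parts[weakest], "weakest": weakest, "parts": parts}


def report(groups=tuple(KE_DATA_LEN)) -> list:
    """One row per group: name, KE payload, IKE_SA_INIT size, class, fragments, bits."""
    rows = []
    for g in groups:
        n = ike_sa_init_len(g)
        rows.append((g, ke_payload_len(g), n, rfc7296_class(n),
                     ipv4_fragments(n), dh_strength(g)))
    return rows


if __name__ == "__main__":
    print(f"{'group':<11}{'KE':>6}{'SA_INIT':>9}{'class':>9}{'frags':>7}{'bits':>6}")
    for row in report():
        print(f"{row[0]:<11}{row[1]:>6}{row[2]:>9}{row[3]:>9}{row[4]:>7}{row[5]:>6}")
    # The "256-bit check box" suite with a common group versus a 15360+ group.
    print(suite_strength(256, "SHA2-512", "MODP-2048"))
    print(suite_strength(256, "SHA2-512", "MODP-16384"))
```

With the assumed payload mix, MODP-16384 lands at 2216 octets: inside the SHOULD limit, but two IPv4 fragments at a 1500-byte MTU, which is exactly the case where a fragment-dropping ISP breaks the exchange.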


From nobody Tue Jul 17 15:36:25 2018
Return-Path: <carrel@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F9B2130E4D for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 15:36:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rxJzMoOuPwe6 for <ipsec@ietfa.amsl.com>; Tue, 17 Jul 2018 15:36:19 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF1C5130DF2 for <ipsec@ietf.org>; Tue, 17 Jul 2018 15:36:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19346; q=dns/txt; s=iport; t=1531866979; x=1533076579; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=rbWYFKkO3Kwwe3RUqbdTIylmKPhz39GqeLimFoqY5vw=; b=fGKBQZFrNAiuhS47/xZPtPyYVxBdfK03sLLUUXHy7MZbnyc4WULUkmaR S/if9gYpeTXtrTwrz6mkdyIRHFy6Cl//c0JGqnadRbsHTx2VHXopDMZRp 5yoDAwuLJPEmPyhH6V+kBp08ECoyGEsh+SD1+YgMJ64wsvsUvC2sNYZzz 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DJAgD5bk5b/5NdJa1TCRoBAQEBAQI?= =?us-ascii?q?BAQEBCAEBAQGCU3ZjfzKDc5RBgWiQToUPgXoLhGwCF4JZITUXAQIBAQIBAQJ?= =?us-ascii?q?tKIU3BiMESxcCAQgOIwIPAgICMCUCBAGDMgGBG2SrF3szhFuFTokCghaBESc?= =?us-ascii?q?Mgl6EUYEBB4IjMYIkAplcCQKPJY1lkW0CERSBJB8BNYFScBVlAYI/giQXjhe?= =?us-ascii?q?CM4kHgSyBGgEB?=
X-IronPort-AV: E=Sophos;i="5.51,367,1526342400";  d="scan'208,217";a="425208713"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Jul 2018 22:36:00 +0000
Received: from XCH-RTP-008.cisco.com (xch-rtp-008.cisco.com [64.101.220.148]) by rcdn-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id w6HMa001009887 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 17 Jul 2018 22:36:00 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-008.cisco.com (64.101.220.148) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 17 Jul 2018 18:35:59 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Tue, 17 Jul 2018 18:35:59 -0400
From: "David Carrel (carrel)" <carrel@cisco.com>
To: Daniel Harkins <dharkins@lounge.org>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] draft-carrel-ipsecme-controller-ike-00.txt
Thread-Index: AQHUEkbFnr/KKAiTWkacsK64iiWMNaSUHlkA///6KQA=
Date: Tue, 17 Jul 2018 22:35:59 +0000
Message-ID: <7ED5CEA1-4339-40ED-8673-B89119D46CD1@cisco.com>
References: <4CA644B5-5668-48BD-A2D1-5E9EE1AAF7AD@cisco.com> <f681c87d-d763-3be2-66c9-8375377d9f28@lounge.org>
In-Reply-To: <f681c87d-d763-3be2-66c9-8375377d9f28@lounge.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.52.112]
Content-Type: multipart/alternative; boundary="_000_7ED5CEA1433940ED8673B89119D46CD1ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LLjFmKoM4j99VMtXIpijOeScW74>
Subject: Re: [IPsec] draft-carrel-ipsecme-controller-ike-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 22:36:23 -0000



From nobody Tue Jul 17 15:43:56 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33F9D130F1D; Tue, 17 Jul 2018 15:43:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d6Ux9YeVIg5w; Tue, 17 Jul 2018 15:43:46 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 023FD130E1E; Tue, 17 Jul 2018 15:43:45 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6HMhMK8022335 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 18 Jul 2018 01:43:22 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6HMhLZX018427; Wed, 18 Jul 2018 01:43:21 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23374.28937.907246.426539@fireball.acr.fi>
Date: Wed, 18 Jul 2018 01:43:21 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Xialiang \(Frank\, Network Integration Technology Research Dept\)" <frank.xialiang@huawei.com>
Cc: Yoav Nir <ynir.ietf@gmail.com>, Linda Dunbar <linda.dunbar@huawei.com>, IPsecME WG <ipsec@ietf.org>, "i2nsf\@ietf.org" <i2nsf@ietf.org>
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12BE6BFB8@DGGEML522-MBX.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com> <B4ED9CE5-EA34-4847-86FB-202A06C19515@gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12BE6BFB8@DGGEML522-MBX.china.huawei.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 11 min
X-Total-Time: 30 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/bARi4ftgQ9PTqDbKvqQGbSQdZhg>
Subject: [IPsec] Reply: [I2nsf] How about simplified IKE? RE: IPsec Flow Protection @I2NSF
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 22:43:50 -0000

Xialiang (Frank, Network Integration Technology Research Dept) writes:
> The other point we should consider is the performance improvement by
> skipping the IKEv2 negotiation and DH calculation. Take a large
> scale network as the example: it will take a long time for multiple
> peers to set up SAs with one peer by IKEv2 and DH key exchange,
> since one peer has a CPU/memory upper limit that constrains the
> maximal number of IKEv2 sessions at the same time. But, by replacing
> IKEv2 and DH with key calculation (by the peer itself, or by the
> controller) and key distribution (through the controller), the total
> time for creating SAs among a large number of peers can be decreased
> dramatically and kept under a certain time.

How about updating your machines so they use CPUs made in the last
decade or something. My home firewall can do 200 Diffie-Hellman
calculations per second (using MODP-2048, which is the current
recommended size), so doing 10000 Diffie-Hellman operations will take
less than a minute. My firewall is 3 years old, with a CPU that is 5
years old (an Intel Xeon E3-1225v3 3.2GHz that came out in Q2 of
2013), and this test was only using a single core out of the 4 it has.

Yes, if you have more connections than that, then it is even more
important to use IKEv2, as you do not want to create all of them at
startup, but instead create them dynamically when you need them, i.e.,
create the SA when you are trying to send the first packet to it.
-- 
kivinen@iki.fi


From nobody Tue Jul 17 16:42:15 2018
Return-Path: <ynir.ietf@gmail.com>
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <93C3CD29-AD69-4D36-9253-37279962A2F9@um.es>
Date: Wed, 18 Jul 2018 02:42:06 +0300
Cc: IPsecME WG <ipsec@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Linda Dunbar <linda.dunbar@huawei.com>
Message-Id: <DE6DF549-5605-4A46-895D-A417F3950473@gmail.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0CBA8D@sjceml521-mbx.china.huawei.com> <B4ED9CE5-EA34-4847-86FB-202A06C19515@gmail.com> <93C3CD29-AD69-4D36-9253-37279962A2F9@um.es>
To: Rafa Marin-Lopez <rafa@um.es>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/j9GCilp9ATzFdRoMGhTPWEVTTJc>
Subject: Re: [IPsec] [I2nsf] How about simplified IKE? RE: IPsec Flow Protection @I2NSF

> On 17 Jul 2018, at 11:38, Rafa Marin-Lopez <rafa@um.es> wrote:

<snip/>

> Regarding the question about smart objects, I do not understand why a
> constrained device cannot be a flow-based NSF.
>

I don’t think IOT devices are going to be NSFs.  There is no hard
definition for what a smart object is, but some common features are:
 - low power
 - intermittent operation
 - (relatively) weak in terms of CPU / memory / network bandwidth.
   Often this is measured in tens of kilobytes of memory and 100/250 kbps.
 - interacts with the real world - has sensors and/or actuators

So none of this says NSF to me, especially the bandwidth.

Which is why I believe that any device that is actually used as an NSF
implementing IPsec is also likely to have enough power to run IKE.

> Regarding case 2. It follows an SDN model: control plane and data
> plane. The IPsec stack is the data plane, which deals with flows; the
> control plane is implemented in the SDN controller. NSFs are simpler.
> One of the key points here is that key material is seen by the SDN
> controller (which, we should not forget, is a trusted entity). In this
> sense, for example, draft-carrel-ipsecme-controller-ike-00 proposes the
> usage of DH public/private keys trying to avoid this. Other options
> could also be considered.

It is true that the SDN controller is a trusted entity. We still prefer
to limit the attack surface by not giving it access to traffic keys.
There is no doubt that a malicious controller can make the NSFs tunnel
all traffic through a pervasive monitoring server. We have to trust it
not to do that. What we can prevent is having it leak the traffic keys
through printing them to logs, crashing and storing them in core files,
swapping them from memory to disk and all the other ways that
applications leak sensitive information.  That’s just not good key
hygiene.

That said, a simpler NSF is an NSF that needs less maintenance, fewer
software updates, less angst over random-number generators that turn out
to be not random enough. It’s possible that there is a use case for your
case #2 or draft-carrel’s modification.  It would be interesting if
someone has market data about whether people would like to deploy such
configurations.

Unfortunately, the slot this work has in I2NSF is not long enough to
hash this out.


From nobody Tue Jul 17 19:27:13 2018
Return-Path: <mglt.ietf@gmail.com>
Sender: mglt.ietf@gmail.com
In-Reply-To: <7ED5CEA1-4339-40ED-8673-B89119D46CD1@cisco.com>
References: <4CA644B5-5668-48BD-A2D1-5E9EE1AAF7AD@cisco.com> <f681c87d-d763-3be2-66c9-8375377d9f28@lounge.org> <7ED5CEA1-4339-40ED-8673-B89119D46CD1@cisco.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Tue, 17 Jul 2018 22:27:07 -0400
Message-ID: <CADZyTk=FNc-pkwK1kVrU--Hi2HECwGD7d_Q6BzVv=0o7KM7Ydw@mail.gmail.com>
To: "David Carrel (carrel)" <carrel=40cisco.com@dmarc.ietf.org>
Cc: Daniel Harkins <dharkins@lounge.org>, "ipsec@ietf.org" <ipsec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/YL83qbPE137_rtFiqoAGxFDany0>
Subject: Re: [IPsec] draft-carrel-ipsecme-controller-ike-00.txt


As discussed privately. I also like the draft.
Yours,
Daniel

On Tue, Jul 17, 2018 at 6:35 PM, David Carrel (carrel) <carrel=40cisco.com@dmarc.ietf.org> wrote:

> Thanks for the comments Dan.  My responses are inline:
>
>
>
> 1. It seems both A and B are trusting their receipt of each other's
> public key because it comes from the controller. That would imply that
> the message from Controller --> [A|B] needs to be protected with some
> key shared between the Controller and the recipient. Might I suggest
> a deterministic key-wrapping technique like RFC 5297? So if A gets
> B's public key (and some identity of B) all wrapped in a message
> secured with a secret known only by the Controller, then A can
> assume that the trusted third party (Controller) actually sent it
> and therefore its contents can be trusted.
>
> What we have documented is a method and not a protocol.  This method is
> suitable for embedding in other protocols.  We do specify that there is a
> requirement that the controller protocol provide authentication/integrity
> of suitable strength.  So if A receives B’s pub key from the controller,
> it will be over a secure connection which ensures it came from the
> controller.  The details of the connection security are out of scope for
> this method.
>
> In the “next steps” category, we do raise the question of whether A (not
> the controller) should sign A’s public key so that B can verify that it
> truly came from A.  Your key wrapping suggestion could be used there.  But
> it isn’t clear yet that we even want this.
>
>
> 2. there's no proof of possession of the secret before it's use in a
> protocol that requires trust of the key (ESP). It's a Diffie-Hellman
> exchange and then direct use of a resultant key. Is this a problem?
> If not, you should explain why (e.g. in Security Considerations).
>
> Yes, there is no proof of possession directly from A to B.  Isn’t this the
> same as DH public values exchanged in an IKEv2 child SA?  However, in this
> method, each peer does establish a trust relationship with the controller.
> In a network environment where a controller based key exchange is in use,
> this should suffice.  A controller based key exchange is not universally
> appropriate.
>
> As for using the resultant key from the DH exchange: We do not recommend
> using it directly.  In the main body of the draft we do refer to DH keys
> rather loosely.  We will clarify.  We do specify Nonces be sent with the
> public keys, and in the Appendix we give a usage example where a KDF is
> used.
>
>
>
> 3. there is a lot of text covering the various scenarios-- initial
> keying, rekeying, asymmetric rekeying-- that make this kind of
> complicated. What if you made a simple peer-to-peer state machine
> for each peer (A and B) ala what I did for IKEv3? So you send a
> DH public value or receive a DH public value and are in an awaiting
> state, you get a DH public value or send a DH public value, respectively,
> and advance state. That way every keying, including rekeying, is done
> the same way. It might make for a simpler description too. It would
> be a simple key derivation tree based on time starting at n=0:
>
> If An and Bn are the nth Diffie-Hellman values sent by A and B,
> respectively, and NAn and NBn are the nth nonces sent by A and B,
> respectively, then it becomes:
>
>   Sn = DH(An, Bn)
>   rxn | txn | kn = HKDF(min(NAn, NBn) | max(NAn, NBn),
>                         Sn, "Controller IKE Key Derivation")
>
> where rxn and txn are used in the ESP SAs and kn is used for
> subsequent key management. Then for n = 0, you have NULL nonces and
> A0 and B0 are the initial DH public values received from the Controller.
> Each n > 0 uses n-1 for protection of the nth exchange.
>
> Then to rekey, either side initiates. For example, assume Bob initiates
> at time n where {N}m indicates RFC 5297 encryption of plaintext N using
> key m:
>
>   <-- { Bn, NBn }kn-1
>
> then he waits for Alice (or really they could both "initiate"
> simultaneously, it would work just fine):
>
>   ---> {An, NAn }kn-1
>
> Their ability to unwrap the new public key and nonce using the previously
> authenticated secret provides the necessary authentication to the current,
> nth, key exchange. Then they generate new rxn, txn, and kn and continue.
>
> There is a problem with your kn usage.  Kn would be a unique key known
> only to Alice and Bob.  But when Alice and Bob rekey, they do not rekey
> just with each other.  Instead they rekey with every peer in the network.
> So you can’t wrap An in kn-1 because An is sent to the controller for
> distribution to everyone.
>
> Thanks again
>
> Dave
>
>
>



From nobody Wed Jul 18 07:55:35 2018
Return-Path: <sfluhrer@cisco.com>
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Wed, 18 Jul 2018 14:55:27 +0000
Message-ID: <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi>
In-Reply-To: <23374.23762.892194.932776@fireball.acr.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/03kmimbhhYboGSjE_L6apU5DAoY>
Subject: Re: [IPsec] Modp-12288 and Modp-16384

Answering to give some info about what we know about the likely
capabilities of Quantum Computers.

> -----Original Message-----
> From: Tero Kivinen <kivinen@iki.fi>
> Sent: Tuesday, July 17, 2018 5:17 PM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
> Cc: ipsec@ietf.org
> Subject: RE: [IPsec] Modp-12288 and Modp-16384
>
> Scott Fluhrer (sfluhrer) writes:
> > If the requirement for AES-256 is to handle the scenario "someone gets
> > a quantum computer", then in that scenario, there is no realistic DH
> > group size that is secure.
>
> That we do not know until we know what those quantum computers can
> really do... I have not seen anybody saying how many qbits you need to
> break MODP-2048.

It's about twice as many as you need to factor a 2048 bit composite; so
about 4k (logical) qubits.

> Most of the things I have seen talks about factoring RSA,
> and even then they do not provide numbers.

How about https://arxiv.org/abs/quant-ph/0205095 - to factor an n bit
number, you can do it with circa 2n qubits.

If you want other references, we have https://arxiv.org/abs/1611.07995 and
https://arxiv.org/pdf/1706.07884.pdf both with similar results.  We also
have https://arxiv.org/abs/quant-ph/0601097 which suggests a way with 1.5n
qubits; however that paper makes some assumptions about errors that might
not be true.

Of course, these papers are focusing in on minimizing the number of
qubits; it's quite possible a trade-off that increases the number of
qubits, while decreasing the number of (say) T gates, would be
advantageous; we don't know enough about the relative costs to know.

>
> draft-hoffman-c2pq also says that we might have machines breaking
> AES-128 before we have machines that can break Diffie-Hellman, i.e., it
> is most likely easier to make a machine running Grover's algorithm than a
> machine running Shor's algorithm.

That work totally ignores the amount of time we're talking about with
O(2**64) computations (and parallelization is less helpful than usual;
Grover's becomes less efficient the more we parallelize it).

Also, the interesting algorithms in Quantum Chemical modelling are
significantly different from Grover's.  It's possible that there are some
proposed protein folding problems that would use Grover's...


From nobody Wed Jul 18 08:03:30 2018
Return-Path: <Paul.Koning@dell.com>
From: <Paul.Koning@dell.com>
To: <sfluhrer=40cisco.com@dmarc.ietf.org>
CC: <kivinen@iki.fi>, <ipsec@ietf.org>
Date: Wed, 18 Jul 2018 15:03:17 +0000
Message-ID: <F24B0316-4622-41C0-9E0A-B721543D9D22@dell.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com>
In-Reply-To: <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/beSc-i-EI8C3E68P_xNKVwXmGKg>
Subject: Re: [IPsec] Modp-12288 and Modp-16384

> On Jul 18, 2018, at 10:55 AM, Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org> wrote:
>
> Answering to give some info about what we know about the likely capabilities of Quantum Computers.
>
>> -----Original Message-----
>> From: Tero Kivinen <kivinen@iki.fi>
>> Sent: Tuesday, July 17, 2018 5:17 PM
>> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
>> Cc: ipsec@ietf.org
>> Subject: RE: [IPsec] Modp-12288 and Modp-16384
>>
>> Scott Fluhrer (sfluhrer) writes:
>>> If the requirement for AES-256 is to handle the scenario "someone gets
>>> a quantum computer", then in that scenario, there is no realistic DH
>>> group size that is secure.
>>
>> That we do not know until we know what those quantum computers can
>> really do... I have not seen anybody saying how many qbits you need to
>> break MODP-2048.
>
> It's about twice as many as you need to factor a 2048 bit composite; so about 4k (logical) qubits.
>
>> Most of the things I have seen talks about factoring RSA,
>> and even then they do not provide numbers.
>
> How about https://arxiv.org/abs/quant-ph/0205095 - to factor an n bit number, you can do it with circa 2n qubits.

That, times a factor for error correction.  I've seen various opinions on how large that factor is; one estimate was 100 if not higher.  An interesting question is whether coherence across half a million qubits is achievable.

	paul


From nobody Wed Jul 18 08:22:58 2018
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Paul.Koning@dell.com" <Paul.Koning@dell.com>, "sfluhrer=40cisco.com@dmarc.ietf.org" <sfluhrer=40cisco.com@dmarc.ietf.org>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "kivinen@iki.fi" <kivinen@iki.fi>
Date: Wed, 18 Jul 2018 15:22:49 +0000
Message-ID: <91651d0fa560414b8bb6bc90287a5ab3@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <F24B0316-4622-41C0-9E0A-B721543D9D22@dell.com>
In-Reply-To: <F24B0316-4622-41C0-9E0A-B721543D9D22@dell.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/g5dfKdsa38GUmENvHzCGE-qZSsQ>
Subject: Re: [IPsec] Modp-12288 and Modp-16384

> -----Original Message-----
> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Paul.Koning@dell.com
> Sent: Wednesday, July 18, 2018 11:03 AM
> To: sfluhrer=40cisco.com@dmarc.ietf.org
> Cc: ipsec@ietf.org; kivinen@iki.fi
> Subject: Re: [IPsec] Modp-12288 and Modp-16384
>
>
>
> > On Jul 18, 2018, at 10:55 AM, Scott Fluhrer (sfluhrer)
> <sfluhrer=40cisco.com@dmarc.ietf.org> wrote:
> >
> > Answering to give some info about what we know about the likely
> capabilities of Quantum Computers.
> >
> >> -----Original Message-----
> >> From: Tero Kivinen <kivinen@iki.fi>
> >> Sent: Tuesday, July 17, 2018 5:17 PM
> >> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
> >> Cc: ipsec@ietf.org
> >> Subject: RE: [IPsec] Modp-12288 and Modp-16384
> >>
> >> Scott Fluhrer (sfluhrer) writes:
> >>> If the requirement for AES-256 is to handle the scenario "someone
> >>> gets a quantum computer", then in that scenario, there is no
> >>> realistic DH group size that is secure.
> >>
> >> That we do not know until we know what those quantum computers can
> >> really do... I have not seen anybody saying how many qbits you need
> >> to break MODP-2048.
> >
> > It's about twice as many as you need to factor a 2048 bit composite; so
> about 4k (logical) qubits.
> >
> >> Most of the things I have seen talks about factoring RSA, and even
> >> then they do not provide numbers.
> >
> > How about https://arxiv.org/abs/quant-ph/0205095 - to factor an n bit
> number, you can do it with circa 2n qubits.
>
> That, times a factor for error correction.  I've seen various opinions on how
> large that factor is; one estimate was 100 if not higher.

Well, yes, this is logical qubits.  As for how many physical qubits you need to implement a logical one, well, that depends on the error correction logic you use (and that selection depends a great deal on the error rate you get on the physical qubit operations, and various proposed implementations of quantum computing differ quite a bit on their likely error rate).

> An interesting
> question is whether coherence across half a million qubits is achievable.

Actually, that's the point of quantum error correction; you don't need to achieve consistent coherence across all those physical qubits; it suffices if you get coherence across enough of them.



From nobody Wed Jul 18 08:35:21 2018
Message-ID: <23375.24083.491329.962989@fireball.acr.fi>
Date: Wed, 18 Jul 2018 18:34:43 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Scott Fluhrer \(sfluhrer\)" <sfluhrer=40cisco.com@dmarc.ietf.org>
Cc: "ipsec\@ietf.org" <ipsec@ietf.org>, paul.hoffman@icann.org
In-Reply-To: <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/oTcTKosPGm7Q1Qr__USHIXDEuhI>
Subject: Re: [IPsec] Modp-12288 and Modp-16384

Scott Fluhrer (sfluhrer) writes:
> > That we do not know until we know what those quantum computers can
> > really do... I have not seen anybody saying how many qbits you need to
> > break MODP-2048.
> 
> It's about twice as many as you need to factor a 2048 bit composite;
> so about 4k (logical) qubits.
> 
> > Most of the things I have seen talks about factoring RSA,
> > and even then they do not provide numbers.
> 
> How about https://arxiv.org/abs/quant-ph/0205095 - to factor an n
> bit number, you can do it with circa 2n qubits.
> 
> If you want other references, we have
> https://arxiv.org/abs/1611.07995 and
> https://arxiv.org/pdf/1706.07884.pdf both with similar results. We
> also have https://arxiv.org/abs/quant-ph/0601097 which suggests a
> way with 1.5n qubits; however that paper makes some assumptions
> about errors that might not be true.

It would be a good idea to get draft-hoffman-c2pq updated with these
references.

> Of course, these papers are focusing in on minimizing the number of
> qubits; it's quite possible a trade-off that increases the number of
> qubits, while decreasing the number of (say) T gates, would be
> advantageous; we don't know enough about the relative costs to know.

Yep, and how many more bits we need because of error correcting stuff
etc.

> > draft-hoffman-c2pq also says that we might have machines breaking
> > AES-128 before than we have machines that can break Diffie-Hellman, i.e., it
> > is most likely easier to make machine running Grover's algorithm than
> > machine running Shor's algorithm.
> 
> That work totally ignores the amount of time we're talking about
> with O(2**64) computations (and parallelization is less helpful than
> usual; Grover's becomes less efficient the more we parallelize it).

Any idea how many computations need to be done for Shor's
algorithm, i.e., breaking 2048 bit Diffie-Hellman? I have just seen
text saying it is polynomial time, but I have not really seen any
guesses what the actual numbers are going to be. And I understand that
there are also quite big classical computation pre- and post-processing
steps too.

> Also, the interesting algorithms in Quantum Chemical modelling are
> significantly different from Grover's.  It's possible that there are
> some proposed protein folding problems that would use Grover's... 
-- 
kivinen@iki.fi


From nobody Wed Jul 18 09:08:16 2018
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>
Date: Wed, 18 Jul 2018 16:08:09 +0000
Message-ID: <BF664561-23B0-4445-9DE2-6738C2C40DA8@cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi>
In-Reply-To: <23374.2088.627941.395947@fireball.acr.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/DeXQBqIU70wUESkZJU3ab3HusV0>
Subject: Re: [IPsec] Modp-12288 and Modp-16384


Hi Tero

I've no issues per se with this, but as per our chat in London, most VPN consumers pick the group with the highest number (of course group24 is more secure than group21, 24 is bigger than 21 ...!)..

Maybe some words of warning around potential performance impact. I’m sure someone somewhere in the world will want this..

I feel for the poor vendors support desk "dear customer, I know you enabled group38 (RSA 16384) and now your 5000 device full mesh solution is not converging as quickly as it did before.."..

cheers

On 17/07/2018, 16:16, "IPsec on behalf of Tero Kivinen" <ipsec-bounces@ietf.org on behalf of kivinen@iki.fi> wrote:

    When we created RFC3526 [1] in 2003 we included 1536, 2048, 3072,
    4096, 6144, and 8192 bit modp groups. I did also create 12288 and
    16384 bit modp groups [2], but we did not include those as we assumed
    they would be too slow for normal use.

    Now sometimes there is a requirement to align all security parameters
    with AES-256 also (because AES-128 is not enough if someone gets
    quantum computers some day).

    SP800-57 part 1 rev 4 [3] has table 2 that says:

    Security  Symmetric     FFC               IFC           ECC
    Strength  key           (e.g. DSA,        (e.g.,        (e.g.,
              algorithms    D-H)              RSA)          ECDSA)
    <=80      2TDEA         L=1024, N=160     k=1024        f=160-233
    112       3TDEA         L=2048, N=224     k=2048        f=224-255
    128       AES-128       L=3072, N=256     k=3072        f=256-383
    192       AES-192       L=7680, N=384     k=7680        f=384-511
    256       AES-256       L=15360, N=512    k=15360       f=512+

    Meaning that we do not have any MODP groups with IANA numbers that
    would match AES-256. For a vendor to add elliptic curve support
    simply to be able to mark that tick mark saying we do support AES-256
    is a bit much. Adding a 16384 bit MODP group is much faster and easier,
    and nobody needs to use it (I think the recommended group in NIST
    documents is still the 2048 bit group).

    NIST SP 800-56A Rev 3 [4] aligns with this and says that MODP-8192 is
    for less than 200 bits of security, i.e., not enough for AES-256.

    In the SP 800-56B rev2 draft [5], there is a formula in Appendix D,
    which allows you to calculate the strength for different bit lengths,
    and if you plug in 15360 you get 264 bits. To get 256 bits of
    maximum strength the nBits needs to be between 14446-14993. 15000
    would already give you 264, i.e., the same as 15360 gives. 15360 is
    of course 1024*15 so it is a nice round number in binary.

    If you plug in 12288 to that formula you get a strength of 240 and 16384
    gives you 272.

    Checking old performance numbers I can see that in 2008 the speed of
    the 6144 group was the same as 16384 is with current machines, which most
    likely matched what 2048 or 3072 bit group speed was in 2003 (i.e.
    about half a second per full Diffie-Hellman).

    So my question is do other people think it would be useful to allocate
    IANA numbers for the 12288 and 16384 bit MODP groups?

    You can of course use private numbers, but I myself think it would be
    a good idea to have IANA numbers for those groups too, just in case
    someone wants interoperability with them at some point. Also we do not
    yet know how quantum computers are going to do for different
    algorithms, i.e., whether P-521 is harder or easier than MODP 16384.

    [1] https://datatracker.ietf.org/doc/rfc3526/
    [2] https://kivinen.iki.fi/primes/
    [3] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
    [4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
    [5] https://csrc.nist.gov/CSRC/media/Publications/sp/800-56b/rev-2/draft/documents/sp800-56Br2-draft.pdf
    -- 
    kivinen@iki.fi


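The SP 800-56B Appendix D strength estimate that Tero plugs 12288, 15360 and 16384 into, as an added Python example (not code from the thread or any of its authors). The formula is the GNFS-based expression as I recall it from SP 800-56B Rev 2 Appendix D; rounding the raw estimate E to the nearest multiple of 8 is an assumption adopted here because it reproduces the 264/240/272 figures quoted above, and the group-number-to-size mapping for groups 14 to 18 is from RFC 3526.

```python
"""Estimate the maximum security strength of finite-field (MODP) group sizes.

Added example for this thread, not code from any of its authors.  The raw
estimate E is the GNFS-based formula from NIST SP 800-56B Rev 2 Appendix D
as recalled here (constants 1.923 and 4.69).  Rounding E to the nearest
multiple of 8 is an ASSUMPTION made to reproduce the 264 / 240 / 272 values
quoted in the thread; NIST's own text may round differently.
"""
import math

LN2 = math.log(2)


def gnfs_strength(n_bits: int) -> float:
    """Unrounded estimate E (in bits) for an n_bits MODP modulus."""
    x = n_bits * LN2
    return (1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69) / LN2


def nearest_multiple_of_8(e: float) -> int:
    """Round half-up to a multiple of 8 (assumed rounding convention)."""
    return 8 * int(math.floor(e / 8 + 0.5))


def estimate_strength(n_bits: int) -> int:
    """Rounded strength, e.g. 15360 -> 264, 12288 -> 240, 16384 -> 272."""
    return nearest_multiple_of_8(gnfs_strength(n_bits))


def min_bits_for_strength(target: int, lo: int = 512, hi: int = 65536) -> int:
    """Smallest modulus size whose unrounded estimate E reaches `target` bits.

    E grows monotonically with n_bits, so a binary search is enough.  This
    is the lower end of the range Tero quotes for 256 bits (14446).
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_strength(mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


# RFC 3526 groups (IANA numbers 14-18) plus the two groups proposed in the thread.
MODP_GROUPS = {
    14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192,
    "12288 (proposed)": 12288, "16384 (proposed)": 16384,
}

SYMMETRIC_TARGETS = {"AES-128": 128, "AES-192": 192, "AES-256": 256}


def groups_matching(target: int) -> list:
    """Group labels whose rounded estimate is at least `target` bits."""
    return [g for g, bits in MODP_GROUPS.items() if estimate_strength(bits) >= target]


if __name__ == "__main__":
    for g, bits in MODP_GROUPS.items():
        e = gnfs_strength(bits)
        print(f"group {g!s:>17}: {bits:6d} bits -> E = {e:6.1f}, rounded {estimate_strength(bits)}")
    for name, t in SYMMETRIC_TARGETS.items():
        print(f"{name}: n_bits >= {min_bits_for_strength(t)} for E >= {t}; "
              f"matching groups: {groups_matching(t)}")
```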

From nobody Wed Jul 18 10:23:35 2018
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <BF664561-23B0-4445-9DE2-6738C2C40DA8@cisco.com>
Date: Wed, 18 Jul 2018 20:23:26 +0300
Cc: Tero Kivinen <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>
Message-Id: <D4B207D3-C039-4A13-A904-C931727C672B@gmail.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <BF664561-23B0-4445-9DE2-6738C2C40DA8@cisco.com>
To: "Graham Bartlett (grbartle)" <grbartle=40cisco.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ZGJfkWq90sYxFQQZuXywJg8DWu0>
Subject: Re: [IPsec] Modp-12288 and Modp-16384

> On 18 Jul 2018, at 19:08, Graham Bartlett (grbartle) <grbartle=40cisco.com@dmarc.ietf.org> wrote:
>
> Hi Tero
>
> I've no issues per se with this, but as per our chat in London, most VPN consumers pick the group with the highest number (of course group24 is more secure than group21, 24 is bigger than 21 ...!)..

Hasn’t been my experience. Most customers stay with the default. Sophisticated customers compare number of bits. So again 2048-bit group 24 is much better than 521-bit group 21, but nowhere near as good as 8192-bit group 18.

> Maybe some words of warning around potential performance impact. I’m sure someone somewhere in the world will want this..

They only need 16384-bit DH if they use 16384-bit RSA, no?

> I feel for the poor vendors support desk "dear customer, I know you enabled group38 (RSA 16384) and now your 5000 device full mesh solution is not converging as quickly as it did before..”..

Publish it and they will come. I once had to tackle a customer request to filter by the RFC 3514 security flag.  As it turns out, this was totally possible with my employer’s firewall product. It just wasn’t a good idea.

Yoav



From nobody Wed Jul 18 11:04:41 2018
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: ipsec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.82.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: ipsec@ietf.org
Message-ID: <153193707906.2997.5031914885270752823@ietfa.amsl.com>
Date: Wed, 18 Jul 2018 11:04:39 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/YQ-XdeF4gcCdmpotfhyQJv9rA34>
Subject: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-09.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 18:04:39 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.

        Title           : Split DNS Configuration for IKEv2
        Authors         : Tommy Pauly
                          Paul Wouters
	Filename        : draft-ietf-ipsecme-split-dns-09.txt
	Pages           : 13
	Date            : 2018-07-18

Abstract:
   This document defines two Configuration Payload Attribute Types for
   the IKEv2 protocol that add support for private DNS domains.  These
   domains are intended to be resolved using DNS servers reachable
   through an IPsec connection, while leaving all other DNS resolution
   unchanged.  This approach of resolving a subset of domains using non-
   public DNS servers is referred to as "Split DNS".


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-split-dns/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-09
https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-split-dns-09

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-09


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed Jul 18 11:27:40 2018
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 908C3130EC5 for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 11:27:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zaIHdzk7vrbT for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 11:27:36 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B418B130EB2 for <ipsec@ietf.org>; Wed, 18 Jul 2018 11:27:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3455; q=dns/txt; s=iport; t=1531938456; x=1533148056; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=WO0wxJolJKfYq/E1W+DEtQBcUtmvXwXp/Bu71DHLZCs=; b=mwa/HEg3iiR5K0e0zk8x4lpNtaTIBr2+K3vKARRFBDBz7uV9W+wG1uSM yOlgUJhIG1pSJSmURTMemBwLK6kg242TfyeLcXCEk0CcKQi6fXRqiNUXQ A/HuwcLaOMwDu/7bcsQ0nHBuyYvWUP67wmELzbbinNWSZ52qiDEKhUm0w g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0C+AAA+hU9b/5xdJa1cGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAYNJY38oCot4jCyCDHWURIF6Cx+ETQKCeSE0GAECAQECAQE?= =?us-ascii?q?CbRwMhTYBAQECAQE6PwUHBAIBCBEEAQEfEDIdCAIEDgUIgxmBdwgPqx+KRwW?= =?us-ascii?q?JAoFXP4ERglw1gxkDhzUCmWAJAoYIiRWNbgqKMYc1AhEUgSQdOIFScBWDJIs?= =?us-ascii?q?VhT5vAYtvgRoBAQ?=
X-IronPort-AV: E=Sophos;i="5.51,371,1526342400"; d="scan'208";a="415283476"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Jul 2018 18:27:35 +0000
Received: from XCH-RTP-007.cisco.com (xch-rtp-007.cisco.com [64.101.220.147]) by rcdn-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id w6IIRZWn020786 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 18 Jul 2018 18:27:35 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-007.cisco.com (64.101.220.147) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 18 Jul 2018 14:27:34 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Wed, 18 Jul 2018 14:27:34 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "paul.hoffman@icann.org" <paul.hoffman@icann.org>
Thread-Topic: [IPsec] Modp-12288 and Modp-16384
Thread-Index: AQHUHeEt9Kg9dsLIj0KCW8RHo8p9L6STh0TQgACnDgCAAB09wIABFW+A///q+XA=
Date: Wed, 18 Jul 2018 18:27:34 +0000
Message-ID: <194410e85ae845f690944e6b354427b4@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <23375.24083.491329.962989@fireball.acr.fi>
In-Reply-To: <23375.24083.491329.962989@fireball.acr.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/5a-_e9Dspf5jwHbzgMnR87JioHo>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 18:27:40 -0000

> -----Original Message-----
> From: Tero Kivinen <kivinen@iki.fi>
> Sent: Wednesday, July 18, 2018 11:35 AM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
> Cc: ipsec@ietf.org; paul.hoffman@icann.org
> Subject: Re: [IPsec] Modp-12288 and Modp-16384
> 
> Scott Fluhrer \(sfluhrer\) writes:
> > > That we do not know until we know what those quantum computers can
> > > really do... I have not seen anybody saying how many qubits you need
> > > to break MODP-2048.
> >
> > It's about twice as many as you need to factor a 2048 bit composite;
> > so about 4k (logical) qubits.
> >
> > > Most of the things I have seen talks about factoring RSA, and even
> > > then they do not provide numbers.
> >
> > How about https://arxiv.org/abs/quant-ph/0205095 - to factor an n bit
> > number, you can do it with circa 2n qubits.
> >
> > If you want other references, we have
> > https://arxiv.org/abs/1611.07995 and
> > https://arxiv.org/pdf/1706.07884.pdf both with similar results. We
> > also have https://arxiv.org/abs/quant-ph/0601097 which suggests a way
> > with 1.5n qubits; however that paper makes some assumptions about
> > errors that might not be true.
> 
> It would be a good idea to get draft-hoffman-c2pq updated with these
> references.
> 
> > Of course, these papers are focusing in on minimizing the number of
> > qubits; it's quite possible a trade-off that increases the number of
> > qubits, while decreasing the number of (say) T gates, would be
> > advantageous; we don't know enough about the relative costs to know.
> 
> Yep, and how many bits we need more because of error correcting stuff etc.

It multiplies it by a factor of N, whose value depends on the quantum error correction algorithm.

In the quantum computing space, they mostly talk about "logical queue bits", that is, they assume that the error correction problem is already solved (unless, of course, they are specifically working on quantum error correction algorithms).

> 
> > > draft-hoffman-c2pq also says that we might have machines breaking
> > > AES-128 before than we have machines that can break Diffie-Hellman,
> > > i.e., it is most likely easier to make machine running Grover's
> > > algorithm than machine running Shor's algorithm.
> >
> > That work totally ignores the amount of time we're talking about with
> > O(2**64) computations (and parallelization is less helpful than usual;
> > Grover's becomes less efficient the more we parallelize it).
> 
> Any idea how many computations need to be done for Shor's algorithm,
> i.e., breaking 2048 bit Diffie-Hellman. I have just seen text saying it is
> polynomial time, but I have not really seen any guesses what the actual
> numbers are going to be.

Very good question; the references I find all essentially say "cubic"; however they don't immediately talk about the constant factor.  I suspect that this constant factor won't be that large; however that most certainly merits further investigation.

> And I understand that there is also quite big
> classical computation pre- and post-processing steps too.

Not really; there is computation needed there, but it is quite straight-forward.

Shor's algorithm gives you a value k where a^x = a^(x+k) mod n; once you have that value k, factoring n is a well understood (and fairly easy) problem, solvable by, say, Miller's algorithm.



From nobody Wed Jul 18 13:26:44 2018
Return-Path: <internet-drafts@ietf.org>
X-Original-To: ipsec@ietf.org
Delivered-To: ipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BB1FF130E3A; Wed, 18 Jul 2018 13:26:42 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: ipsec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.82.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: ipsec@ietf.org
Message-ID: <153194560266.3055.9527130210039846300@ietfa.amsl.com>
Date: Wed, 18 Jul 2018 13:26:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0lhGxMks7373o_64QFadLgWuK5Q>
Subject: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-10.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 20:26:43 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.

        Title           : Split DNS Configuration for IKEv2
        Authors         : Tommy Pauly
                          Paul Wouters
	Filename        : draft-ietf-ipsecme-split-dns-10.txt
	Pages           : 13
	Date            : 2018-07-18

Abstract:
   This document defines two Configuration Payload Attribute Types for
   the IKEv2 protocol that add support for private DNS domains.  These
   domains are intended to be resolved using DNS servers reachable
   through an IPsec connection, while leaving all other DNS resolution
   unchanged.  This approach of resolving a subset of domains using non-
   public DNS servers is referred to as "Split DNS".


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-split-dns/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-10
https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-split-dns-10

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-10


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed Jul 18 13:28:38 2018
Return-Path: <tpauly@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 074EB130E3A for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 13:28:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level: 
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lziWjo-uHU4O for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 13:28:33 -0700 (PDT)
Received: from mail-in7.apple.com (mail-out7.apple.com [17.151.62.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A2CA124BE5 for <ipsec@ietf.org>; Wed, 18 Jul 2018 13:28:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple;  q=dns/txt; i=@apple.com; t=1531945713; x=2395859313; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=51Slhgf8xrzl5WMYa40VE+Gr5hSeTnNg89+iBwoWjUw=; b=nKhfcyaoVahG0JuOkFNRYMsey4MBseW143Rqg6bQaMVYzSttwC8mqce74xJK/CLO 9Q7u8Ex/GAcXpQTE+C2OcSIdjwHJ6jMIQ/g5Xy6aTty87LN2UHz6gpAAQWRhL5HA YPkWZC2kJBEgjyVIKuyfipoHRBGbiqBvoN3NPxkFQHuu5KtTFrVIYVAQJC5w+xHr vLQ2lE0hfEAwq1M90I2h0BvDuEJbuZzHyhAg6FyFYbGmk9Ua30NsoULFwttNq4NJ vG2YzS/L/hBBLbLVSfhVJk0Kf6e0S0GVzkxXMjUApONRFvXgMd3phWm8wnd0I2eT Ym8YQfEwpMBJOd9UBjznvg==;
X-AuditID: 11973e16-6f1ff7000000740c-7a-5b4fa2f12d2a
Received: from mr2-mtap-s02.rno.apple.com (mr2-mtap-s02.rno.apple.com [17.179.226.134]) (using TLS with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mail-in7.apple.com (Apple Secure Mail Relay) with SMTP id 8E.DD.29708.1F2AF4B5; Wed, 18 Jul 2018 13:28:33 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by mr2-mtap-s02.rno.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PC200KOMWVLDR40@mr2-mtap-s02.rno.apple.com>; Wed, 18 Jul 2018 13:28:33 -0700 (PDT)
Received: from process_viserion-daemon.nwk-mmpp-sz12.apple.com by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PC200800W17AU00@nwk-mmpp-sz12.apple.com>; Wed, 18 Jul 2018 13:28:32 -0700 (PDT)
X-Va-A: 
X-Va-T-CD: f8e11c451f5807124f71528764a82678
X-Va-E-CD: 017370ac642f479379adf6eadf1cf17f
X-Va-R-CD: aa6b4087cd1010142f061325c629c355
X-Va-CD: 0
X-Va-ID: 36fa9612-936a-4e26-8a20-448df2096ef2
X-V-A: 
X-V-T-CD: f8e11c451f5807124f71528764a82678
X-V-E-CD: 017370ac642f479379adf6eadf1cf17f
X-V-R-CD: aa6b4087cd1010142f061325c629c355
X-V-CD: 0
X-V-ID: a8ce8cfb-e417-4e33-bb4e-9e27fb30fb28
Received: from process_milters-daemon.nwk-mmpp-sz12.apple.com by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PC200I00WQDPO00@nwk-mmpp-sz12.apple.com>; Wed, 18 Jul 2018 13:28:32 -0700 (PDT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-07-18_06:,, signatures=0
X-Proofpoint-Scanner-Instance: nwk-grpmailp-qapp18.corp.apple.com-10000_instance1
Received: from [17.235.20.70] (unknown [17.235.20.70]) by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PC200KIDWVJY770@nwk-mmpp-sz12.apple.com>; Wed, 18 Jul 2018 13:28:32 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Date: Wed, 18 Jul 2018 16:28:30 -0400
References: <153194560266.3055.9527130210039846300@ietfa.amsl.com>
To: IPsecME WG <ipsec@ietf.org>, Eric Rescorla <ekr@rtfm.com>
In-reply-to: <153194560266.3055.9527130210039846300@ietfa.amsl.com>
Message-id: <851ECC17-9C52-4868-A3F3-4DAF0BF28911@apple.com>
X-Mailer: Apple Mail (2.3445.100.13.1)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrMIsWRmVeSWpSXmKPExsUiuPlRm+7HRf7RBnfv8FqseH2O3WL/lhds DkweS5b8ZPKY/LiNOYApissmJTUnsyy1SN8ugSvj55OrbAW/+Cv2X7/G3sC4j6eLkZNDQsBE 4sLbi6xdjFwcQgIHmCT+b3rKBJLgFRCU+DH5HksXIwcHs4C8xMHzsiBhZgEtie+PWlkg6tcz SUy4uYwZwulikpixdx8jxFR2iT+/doA1SwhoS7RMz4EIa0t0dS5lgbH3zDnPDGFzSSzYepoV wtaVWHP+BzuEzSax/sQSJghbS2Lu7tPsMHZ/Tytc/MLj31A2p8T5LxOhanQkjn8/AfVYJ5PE t51boW7Llrhy6j87xG3BEvvfKkPU9DNJnHr8E+xmYQEJic17EkHK2QRUJI5/2wB2p7CAi8SX jvdMICUsAqoSb+8ogoSFBJwkVr6fwwwSFhGwlXh7GqyTU8BZ4uXaOayQ0LSReLv3AxvEAWoS 82+/YJ3AqDALKaBnIQJ6FlJAL2BkXsUolJuYmaObmWeul1hQkJOql5yfu4kRlAqm24ntYHy4 yuoQowAHoxIPb8Zf32gh1sSy4srcQ4zSHCxK4rzik/yjhQTSE0tSs1NTC1KL4otKc1KLDzEy cXBKNTCWKsq+WDpx8+XAf1af/8ztVV63/tZO4wzHn+/idhSrOp6Z0bjaRZTTWefzl0+zdj6+ fDAkUuLs9P6POw9xnJheo7hreobrzF3LtwsvCgv56hp2wP62xZvIvD17L7PbBnE5fajRdYiz vdVa5quoc1G20veLiuqsN9yO9z4tr71zNPVx9z6NGNYtSizFGYmGWsxFxYkAXpZ3nOYCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/y-hdltqOIFQiSApSfwVIHPzWpzQ>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-10.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 20:28:36 -0000

Hello all,

This new rev of the Split DNS document includes the feedback from our WG discussion today for handling of the DNSSEC domain whitelist.

Please take a look! The document should be ready to progress at this point.

Best,
Tommy

> On Jul 18, 2018, at 4:26 PM, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.
> 
>        Title           : Split DNS Configuration for IKEv2
>        Authors         : Tommy Pauly
>                          Paul Wouters
> 	Filename        : draft-ietf-ipsecme-split-dns-10.txt
> 	Pages           : 13
> 	Date            : 2018-07-18
> 
> Abstract:
>   This document defines two Configuration Payload Attribute Types for
>   the IKEv2 protocol that add support for private DNS domains.  These
>   domains are intended to be resolved using DNS servers reachable
>   through an IPsec connection, while leaving all other DNS resolution
>   unchanged.  This approach of resolving a subset of domains using non-
>   public DNS servers is referred to as "Split DNS".
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-split-dns/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-10
> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-split-dns-10
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-10
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec


From nobody Wed Jul 18 13:35:28 2018
Return-Path: <david.waltermire@nist.gov>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99273130E44 for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 13:35:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.02
X-Spam-Level: 
X-Spam-Status: No, score=-0.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5D4doqkvQgE for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 13:35:16 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0712.outbound.protection.outlook.com [IPv6:2a01:111:f400:fd00::712]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B873E130F4C for <ipsec@ietf.org>; Wed, 18 Jul 2018 13:35:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gU4MD6wOECW/GGf9dxi594CMMBewmjFAs8KpiBLj32s=; b=bfQn4GYeOtH6Vrkq8TaPEbBZDZuDZvwVD1d9wxlVXPb/BW0Euers5Nz6Ao0VYAdvdEB98t/DKeAaDrIugjziw28utLpcgl5Je27zECL6R+wIshqQ0O2mrw2sgR7CVYa8oEFXXeftvoTOZwKiRUVTYgo0fITol+xeRuVqNZn/JI4=
Received: from BL0PR0901MB2306.namprd09.prod.outlook.com (52.132.18.148) by BL0PR0901MB2307.namprd09.prod.outlook.com (52.132.18.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.973.16; Wed, 18 Jul 2018 20:35:13 +0000
Received: from BL0PR0901MB2306.namprd09.prod.outlook.com ([fe80::d015:c4b9:a7a2:b5a5]) by BL0PR0901MB2306.namprd09.prod.outlook.com ([fe80::d015:c4b9:a7a2:b5a5%3]) with mapi id 15.20.0973.016; Wed, 18 Jul 2018 20:35:13 +0000
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: Tommy Pauly <tpauly@apple.com>, IPsecME WG <ipsec@ietf.org>, Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-10.txt
Thread-Index: AQHUHtW2ghQ+Qd+wv0WC2nhrTuw9J6SVbhwAgAABc0I=
Date: Wed, 18 Jul 2018 20:35:13 +0000
Message-ID: <BL0PR0901MB23066EFC9E4736BA590446FDF0530@BL0PR0901MB2306.namprd09.prod.outlook.com>
References: <153194560266.3055.9527130210039846300@ietfa.amsl.com>, <851ECC17-9C52-4868-A3F3-4DAF0BF28911@apple.com>
In-Reply-To: <851ECC17-9C52-4868-A3F3-4DAF0BF28911@apple.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=david.waltermire@nist.gov; 
x-originating-ip: [2001:67c:370:128:30b9:2754:5d34:1d0e]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BL0PR0901MB2307; 6:zsWElitAogUT2rXhiEepPmbDtP0mH/o4fanKQlibubN+wmlSePfM0/RbkDvuqu5HN6yzu66/CeviFliIfgC7TXT0zXwx6srzkxPiRKMnidxbN/sqeB5Ey2VD5+w5qvhPcxvzwstLucgOHjVuYIFYWKPTSuKaIhIpm3E/8ZPb1MdzsHsxK/wjHBC90+VkVMiQavnQM6eOaQlOOBVXMleUnvOp/aDKtkdhPSwOnIgOi8lwcgi/etJCKLY7tKC6aJgi2eoebj3Tu57e60UF1ioaTF1bvMXeskzJifF4sqdYI7QSMwP3VqQ08zH+184qd2Cn6gkHUeZ97afvv3tHbr+3iYtVOTxwPAOWSuly0ICtndQPO6diOeMu1c06cv6p7dx38x6xO6apBcxz2lQVXq4E8jzQKKycg8+0qlW0ATO1Qz4AuD8yt6pl1ru3ULxjaV77eC2uazSKyPh6Q8ym0Cmjcw==; 5:nLNA00CrMhgrOSUxq8sEblb2wJUdSHT2lzKAgBuMVswQrD/6n6r64Cu+wvXaoUxCS+LB3CAXaKJ0xKEwDDgqbacOtbuenZLtexdCMWvIXNec+dlhrkbopNIOZ12BKTzkfetg3Wdow9FuTTo/jrIBELej+gOvb2dE3e6HhDhat4o=; 7:/QL7iyUI2gf1K/oZihp82reDjTVB2rT1PSvDztTjIfk4rHffZ8iJTnIbMVVZC7ZbjTXJERUzzrrDbph7LyXET1m6XH3M1iFiN+gtwJRMxHlgtpQEfs1ocycTEoVimBSyyaXhiVDQohfFlQIdhdAPJ+qJNMdoAGszUglwLne199dWYKNxRqxGHRl72NTPGFZ4FT4H5o1PkTaPNqKMtfxsvsbVunFR1rLRUYZY03SUKzaJlLM6VR5PkCyyJVws9/t1
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 86ec6328-be3f-4933-8b1e-08d5ecedf6b0
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(48565401081)(2017052603328)(7153060)(7193020); SRVR:BL0PR0901MB2307; 
x-ms-traffictypediagnostic: BL0PR0901MB2307:
x-microsoft-antispam-prvs: <BL0PR0901MB230795F4433F3938A677B095F0530@BL0PR0901MB2307.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(80524489315369)(192374486261705)(189930954265078)(219752817060721)(31960201722614);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3231311)(944501410)(52105095)(3002001)(6055026)(149027)(150027)(6041310)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123560045)(20161123558120)(6072148)(201708071742011)(7699016); SRVR:BL0PR0901MB2307; BCL:0; PCL:0; RULEID:; SRVR:BL0PR0901MB2307; 
x-forefront-prvs: 0737B96801
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(396003)(346002)(136003)(376002)(39860400002)(53754006)(189003)(199004)(68736007)(2900100001)(6116002)(486006)(476003)(316002)(446003)(8936002)(11346002)(102836004)(110136005)(7696005)(256004)(46003)(33656002)(229853002)(106356001)(5250100002)(105586002)(6506007)(14444005)(53546011)(76176011)(99286004)(186003)(25786009)(5660300001)(53936002)(7736002)(19627405001)(606006)(86362001)(6606003)(575784001)(45080400002)(6246003)(55016002)(8676002)(81156014)(9686003)(2906002)(81166006)(6436002)(54896002)(6306002)(97736004)(236005)(966005)(14454004)(74316002)(478600001); DIR:OUT; SFP:1102; SCL:1; SRVR:BL0PR0901MB2307; H:BL0PR0901MB2306.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-microsoft-antispam-message-info: tNpWKTGx4e/PxfXUorpMGtZzd/hy4rUrsLWwKPXZHOYB3Q+2CTe6DvtOJRnpj6aRtb5ZipIExITLSDaAMMCN/h6p5ZedyvXNwjCto5jgeB0AQG5FSvBVK6zMmcqMAfY+IvV861YutqBNuX0bi7pnsuDO8Ryvozy1zyyJM5KZRvjvSnpgiDDjnbFdn13TrmsYPhb33rgJ0CTI9Njrbzhj0hgVIjhNYYy6m6rtQQ9dQYWhPn2AHPycu0GUn2gmaN8gBLd5b+d1FYb97/8pR9eMjNq1G1ReFOhFRg/7IuD9Ct+z7J3Bzc/2de97BZNIR5B5nDUgaTBOw2GaT72U4SjLPu4w+xdvOP9j6bGtxOhytAA=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BL0PR0901MB23066EFC9E4736BA590446FDF0530BL0PR0901MB2306_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 86ec6328-be3f-4933-8b1e-08d5ecedf6b0
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jul 2018 20:35:13.1556 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR0901MB2307
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/HMTj8zM1xAtOlL1a_yA1y5jwC9c>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-10.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 20:35:26 -0000

--_000_BL0PR0901MB23066EFC9E4736BA590446FDF0530BL0PR0901MB2306_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I think the two "may" entries and the "should" in the following sentence should be capitalized.


Regards,

Dave

________________________________
From: IPsec <ipsec-bounces@ietf.org> on behalf of Tommy Pauly <tpauly@apple.com>
Sent: Wednesday, July 18, 2018 4:28:30 PM
To: IPsecME WG; Eric Rescorla
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-10.txt

Hello all,

This new rev of the Split DNS document includes the feedback from our WG discussion today for handling of the DNSSEC domain whitelist.

Please take a look! The document should be ready to progress at this point.

Best,
Tommy

> On Jul 18, 2018, at 4:26 PM, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.
>
>        Title           : Split DNS Configuration for IKEv2
>        Authors         : Tommy Pauly
>                          Paul Wouters
>        Filename        : draft-ietf-ipsecme-split-dns-10.txt
>        Pages           : 13
>        Date            : 2018-07-18
>
> Abstract:
>   This document defines two Configuration Payload Attribute Types for
>   the IKEv2 protocol that add support for private DNS domains.  These
>   domains are intended to be resolved using DNS servers reachable
>   through an IPsec connection, while leaving all other DNS resolution
>   unchanged.  This approach of resolving a subset of domains using non-
>   public DNS servers is referred to as "Split DNS".
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-split-dns/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-10
> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-split-dns-10
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-10
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

--_000_BL0PR0901MB23066EFC9E4736BA590446FDF0530BL0PR0901MB2306_--


From nobody Wed Jul 18 13:53:32 2018
Return-Path: <tpauly@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_Iv4CAM/RbYjUHpjriWk+bw)"
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <7F342B36-4F75-40E0-B5A2-6CC057C5D312@apple.com>
Date: Wed, 18 Jul 2018 16:53:21 -0400
In-reply-to: <BL0PR0901MB23066EFC9E4736BA590446FDF0530@BL0PR0901MB2306.namprd09.prod.outlook.com>
Cc: IPsecME WG <ipsec@ietf.org>, Eric Rescorla <ekr@rtfm.com>
To: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
References: <153194560266.3055.9527130210039846300@ietfa.amsl.com> <851ECC17-9C52-4868-A3F3-4DAF0BF28911@apple.com> <BL0PR0901MB23066EFC9E4736BA590446FDF0530@BL0PR0901MB2306.namprd09.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.100.13.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/JdRoD5vrPz3AEntl2bnxDBAP_kM>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-10.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 20:53:30 -0000

--Boundary_(ID_Iv4CAM/RbYjUHpjriWk+bw)
Content-type: text/plain; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT



> On Jul 18, 2018, at 4:35 PM, Waltermire, David A. (Fed) <david.waltermire@nist.gov> wrote:
> 
> I think the two "may" entries and the "should" in the following sentence should be capitalized.

The "may" references are not intended to be capitalized MAYs; we are stating a fact (like "can"), since the normative language about the lists of domain requests comes above in the text. Specifying both a MAY and its opposite doesn't seem to add much textual value?

Similarly, the "should" that is not capitalized is not intended to be a normative command, but a description to introduce the following two normative statements.

   IKE clients MUST use a preconfigured whitelist of one or more domain
   names for which it will allow INTERNAL_DNSSEC_TA updates.  This list
   may be sent in the CFG_REQUEST payload, or may be applied after
   reception of the CFG_REPLY payload.

   IKE clients should take care to only whitelist domains that apply to
   internal or managed domains, rather than to generic Internet traffic.
   The DNS root zone (".") MUST NOT be whitelisted.  Other generic or
   public domains, such as top-level domains, similarly SHOULD NOT be
   whitelisted.

> 
> Regards,
> Dave
> From: IPsec <ipsec-bounces@ietf.org> on behalf of Tommy Pauly <tpauly@apple.com>
> Sent: Wednesday, July 18, 2018 4:28:30 PM
> To: IPsecME WG; Eric Rescorla
> Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-10.txt
>  
> Hello all,
> 
> This new rev of the Split DNS document includes the feedback from our WG discussion today for handling of the DNSSEC domain whitelist.
> 
> Please take a look! The document should be ready to progress at this point.
> 
> Best,
> Tommy
> 
> > On Jul 18, 2018, at 4:26 PM, internet-drafts@ietf.org wrote:
> > 
> > 
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.
> > 
> >        Title           : Split DNS Configuration for IKEv2
> >        Authors         : Tommy Pauly
> >                          Paul Wouters
> >        Filename        : draft-ietf-ipsecme-split-dns-10.txt
> >        Pages           : 13
> >        Date            : 2018-07-18
> > 
> > Abstract:
> >   This document defines two Configuration Payload Attribute Types for
> >   the IKEv2 protocol that add support for private DNS domains.  These
> >   domains are intended to be resolved using DNS servers reachable
> >   through an IPsec connection, while leaving all other DNS resolution
> >   unchanged.  This approach of resolving a subset of domains using non-
> >   public DNS servers is referred to as "Split DNS".
> > 
> > 
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-split-dns/
> > 
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-10
> > https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-split-dns-10
> > 
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-10
> > 
> > 
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> > 
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> > 
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
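
The whitelist rules quoted from the draft above (root MUST NOT be whitelisted, TLDs and other public domains SHOULD NOT be, and INTERNAL_DNSSEC_TA updates are only honoured for whitelisted domains), worked through as an added Python example that is not part of this thread or of any IKEv2 implementation. The public-suffix set, the CFG_REPLY attribute tuples and all domain names are constructed stand-ins; the SHOULD NOT is treated as a hard reject here.

```python
"""Client-side whitelist check for INTERNAL_DNSSEC_TA updates.

Added illustration modelled on the draft text; not code from the draft
or from any IKEv2 implementation.
"""
from typing import Iterable, List, Tuple

# Constructed sample of public suffixes. A real client would consult a
# maintained public-suffix list rather than this short illustrative set.
KNOWN_PUBLIC_SUFFIXES = {"com", "org", "net", "gov", "co.uk", "com.au"}


def normalize_domain(name: str) -> str:
    """Lower-case and strip a trailing dot; the root zone stays ".". """
    name = name.strip().lower()
    if name in ("", "."):
        return "."
    return name.rstrip(".")


def labels(name: str) -> List[str]:
    """Split a normalized name into labels; the root has none."""
    return [] if name == "." else name.split(".")


def is_generic_public(name: str) -> bool:
    """True for the root zone, any single-label (top-level) domain, and
    any entry in the constructed public-suffix sample."""
    n = normalize_domain(name)
    if n == ".":
        return True
    if len(labels(n)) == 1:  # a TLD such as "com"
        return True
    return n in KNOWN_PUBLIC_SUFFIXES


def validate_whitelist(entries: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a configured whitelist into accepted (normalized) entries and
    rejected originals. Root, TLDs, public suffixes and names with empty
    labels are rejected."""
    accepted: List[str] = []
    rejected: List[str] = []
    for entry in entries:
        n = normalize_domain(entry)
        if is_generic_public(n) or any(lbl == "" for lbl in labels(n)):
            rejected.append(entry)
        else:
            accepted.append(n)
    return accepted, rejected


def is_subdomain_or_equal(name: str, parent: str) -> bool:
    """Label-wise suffix match, so "evilexample.com" does not match
    "example.com" the way a plain string endswith() would."""
    a = labels(normalize_domain(name))
    b = labels(normalize_domain(parent))
    return len(a) >= len(b) and a[len(a) - len(b):] == b


def ta_update_allowed(ta_domain: str, whitelist: Iterable[str]) -> bool:
    """An INTERNAL_DNSSEC_TA attribute is accepted only when its domain is
    at or below an accepted whitelist entry."""
    accepted, _ = validate_whitelist(whitelist)
    return any(is_subdomain_or_equal(ta_domain, w) for w in accepted)


def filter_ta_attributes(attrs, whitelist):
    """Apply the whitelist to (domain, ds_record) tuples taken from a
    CFG_REPLY; ds_record is an opaque constructed placeholder here.
    Returns (kept, dropped)."""
    kept, dropped = [], []
    for domain, ds_record in attrs:
        target = kept if ta_update_allowed(domain, whitelist) else dropped
        target.append((domain, ds_record))
    return kept, dropped


if __name__ == "__main__":
    # Constructed configuration: two sensible entries and two that the
    # draft text forbids or discourages.
    configured = [".", "com", "Example.COM.", "corp.example.net"]
    print(validate_whitelist(configured))
    reply_attrs = [  # constructed CFG_REPLY contents
        ("corp.example.com", "ds-placeholder-1"),
        ("evilexample.com", "ds-placeholder-2"),
        ("www.example.org", "ds-placeholder-3"),
    ]
    print(filter_ta_attributes(reply_attrs, configured))
```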


--Boundary_(ID_Iv4CAM/RbYjUHpjriWk+bw)
Content-type: text/html; CHARSET=US-ASCII
Content-transfer-encoding: quoted-printable

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><br =
class=3D""><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Jul 18, 2018, at 4:35 PM, Waltermire, David A. (Fed) =
&lt;<a href=3D"mailto:david.waltermire@nist.gov" =
class=3D"">david.waltermire@nist.gov</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div =
id=3D"divtagdefaultwrapper" dir=3D"ltr" style=3D"caret-color: rgb(0, 0, =
0); font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; font-size: 12pt; =
font-family: Calibri, Helvetica, sans-serif;" class=3D""><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D"">I think the =
two "may" entries and the "should" in the following sentence should be =
capitalized.</div></div></div></blockquote><div><br class=3D""></div>The =
"may" references are not intended to be capitalized MAYs; we are stating =
a fact (like "can"), since the normative language about the lists of =
domain requests comes above in the text. Specifying both a MAY and its =
opposite doesn't seem to add much textual value?</div><div><br =
class=3D""></div><div>Similarly, the "should" that is not capitalized is =
not intended to be a normative command, but a description to introduce =
the following two normative statements.</div><div><br =
class=3D""></div><div><pre class=3D"newpage" style=3D"font-size: =
13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: =
page;">IKE clients MUST use a preconfigured whitelist of one or more =
domain
   names for which it will allow INTERNAL_DNSSEC_TA updates.  This list
   may be sent in the CFG_REQUEST payload, or may be applied after
   reception of the CFG_REPLY payload.

   IKE clients should take care to only whitelist domains that apply to
   internal or managed domains, rather than to generic Internet traffic.
   The DNS root zone (".") MUST NOT be whitelisted.  Other generic or
   public domains, such as top-level domains, similarly SHOULD NOT be
   whitelisted.</pre><div class=3D""><br class=3D""></div><blockquote =
type=3D"cite" class=3D""><div class=3D""><div id=3D"divtagdefaultwrapper" =
dir=3D"ltr" style=3D"caret-color: rgb(0, 0, 0); font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; font-size: 12pt; font-family: Calibri, Helvetica, =
sans-serif;" class=3D""><div style=3D"margin-top: 0px; margin-bottom: =
0px;" class=3D""><br class=3D""></div><div style=3D"margin-top: 0px; =
margin-bottom: 0px;" class=3D"">Regards,</div><div style=3D"margin-top: =
0px; margin-bottom: 0px;" class=3D"">Dave<br class=3D""></div></div><hr =
tabindex=3D"-1" style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none; display: inline-block; width: 887.875px;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D""></span><div id=3D"divRplyFwdMsg" =
dir=3D"ltr" style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D""><font face=3D"Calibri, sans-serif" style=3D"font-size: =
11pt;" class=3D""><b class=3D"">From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>IPsec &lt;<a =
href=3D"mailto:ipsec-bounces@ietf.org" =
</a></font></div></div></blockquote></div></body></html>=

--Boundary_(ID_Iv4CAM/RbYjUHpjriWk+bw)--


From nobody Wed Jul 18 14:00:55 2018
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 679BF12F18C for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 14:00:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KdC_CB3-lvGx for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 14:00:50 -0700 (PDT)
Received: from mail-wm0-x244.google.com (mail-wm0-x244.google.com [IPv6:2a00:1450:400c:c09::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99AD91271FF for <ipsec@ietf.org>; Wed, 18 Jul 2018 14:00:49 -0700 (PDT)
Received: by mail-wm0-x244.google.com with SMTP id h20-v6so4167907wmb.4 for <ipsec@ietf.org>; Wed, 18 Jul 2018 14:00:49 -0700 (PDT)
X-Received: by 2002:a1c:c019:: with SMTP id q25-v6mr2470617wmf.148.1531947648079;  Wed, 18 Jul 2018 14:00:48 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id g204-v6sm1635330wmd.26.2018.07.18.14.00.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Jul 2018 14:00:47 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <5A8727C5-B4B6-4742-8737-E2DC9AFE4B50@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_31CA52CB-459C-40B8-A39A-871DF4548A74"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 19 Jul 2018 00:00:45 +0300
In-Reply-To: <23374.2088.627941.395947@fireball.acr.fi>
Cc: ipsec@ietf.org
To: Tero Kivinen <kivinen@iki.fi>
References: <23374.2088.627941.395947@fireball.acr.fi>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/QMzXun52LRt6_SKQh9Q2BtF1Bps>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 21:00:54 -0000

--Apple-Mail=_31CA52CB-459C-40B8-A39A-871DF4548A74
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Hi.

Since my message got lost in the overtime, I’ll say it again here.

AFAIK there is very little usage of anything beyond 4096-bit groups. I
don't sense a need for 16K.  Engineering should be about creating what
people need (or at least want).

I haven’t heard anyone say they would like to use 16384-bit DH groups
or RSA keys. If they want more “bits” than 2048, they usually go to
ECDSA/ECDHE or the CFRG curves.

I don’t feel strongly about this as in “oh my god, this is horrible for
the Internet”, but I think this is something we should not do.

Yoav

> On 17 Jul 2018, at 18:15, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> When we created RFC3526 [1] in 2003 we included 1536, 2048, 3072,
> 4096, 6144, and 8192 bit modp groups. I did also create 12288 and
> 16384 bit modp groups [2], but we did not include those as we assumed
> they would be too slow for normal use.
> 
> Now sometimes there is a requirement to align all security parameters
> with AES-256 also (because AES-128 is not enough if someone gets
> quantum computers some day).
> 
> SP800-57 part 1 rev 4 [3] has table 2 that says:
> 
> Security  Symmetric     FFC               IFC           ECC
> Strength  key           (e.g. DSA,        (e.g.,        (e.g.,
>           algorithms    D-H)              RSA)          ECDSA)
> <=80      2TDEA         L=1024, N=160     k=1024        f=160-233
> 112       3TDEA         L=2048, N=224     k=2048        f=224-255
> 128       AES-128       L=3072, N=256     k=3072        f=256-383
> 192       AES-192       L=7680, N=384     k=7680        f=384-511
> 256       AES-256       L=15360, N=512    k=15360       f=512+
> 
> Meaning that we do not have any MODP groups with IANA numbers that
> would match AES-256. For a vendor to add elliptic curve support simply
> to be able to mark that tick mark saying we do support AES-256 is a
> bit much. Adding a 16384-bit MODP group is much faster and easier, and
> nobody needs to use it (I think the recommended group in NIST
> documents is still the 2048-bit group).
> 
> NIST SP 800-56A Rev 3 [4] aligns with this and says that MODP-8192 is
> for less than 200 bits of security, i.e., not enough for AES-256.
> 
> In the SP 800-56B rev2 draft [5], there is a formula in Appendix D
> which allows you to calculate the strength for different bit lengths,
> and if you plug in 15360 you get 264 bits. To get 256 bits of
> maximum strength the nBits needs to be between 14446-14993. 15000
> would already give you 264, i.e., the same as 15360 gives. 15360 is
> of course 1024*15 so it is a nice round number in binary.
> 
> If you plug in 12288 to that formula you get a strength of 240 and
> 16384 gives you 272.
> 
> Checking old performance numbers I can see that in 2008 the speed of
> the 6144 group was the same as 16384 is with current machines, which
> most likely matched what 2048 or 3072 bit group speed was in 2003
> (i.e. about half a second per full Diffie-Hellman).
> 
> So my question is: do other people think it would be useful to
> allocate IANA numbers for the 12288 and 16384 bit MODP groups?
> 
> You can of course use private numbers, but I myself think it would be
> a good idea to have IANA numbers for those groups too, just in case
> someone wants interoperability with them at some point. Also we do not
> yet know how quantum computers are going to do for different
> algorithms, i.e., whether P-521 is harder or easier than MODP 16384.
> 
> [1] https://datatracker.ietf.org/doc/rfc3526/
> [2] https://kivinen.iki.fi/primes/
> [3] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
> [4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
> [5] https://csrc.nist.gov/CSRC/media/Publications/sp/800-56b/rev-2/draft/documents/sp800-56Br2-draft.pdf
> -- 
> kivinen@iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
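As an added example (not code from the thread or from NIST), the strength estimate Tero refers to, implemented so the MODP sizes discussed above can be checked against a 256-bit target. The GNFS-based formula, its constants (1.923 and 4.69) and the rounding of the result to the nearest multiple of 8 are my reading of SP 800-56B Appendix D rather than text quoted from the message; with them the script reproduces the figures Tero cites (12288 -> 240, 15360 -> 264, 16384 -> 272).

```python
"""Estimate the classical security strength of a finite-field DH (MODP) or
RSA modulus from its bit length, in the style of SP 800-56B Appendix D.

Added example, not code from the thread. The formula constants (1.923, 4.69)
and the rounding to the nearest multiple of 8 are my reading of the
appendix (assumption), not quoted from the message; they reproduce the
figures cited in the thread: 12288 -> 240, 15360 -> 264, 16384 -> 272.
"""
import math

LN2 = math.log(2)

# MODP groups that have IANA numbers (RFC 3526), and the two larger primes
# from [2] that the thread proposes allocating numbers for.
RFC3526_GROUPS = [1536, 2048, 3072, 4096, 6144, 8192]
CANDIDATE_GROUPS = [12288, 16384]


def estimate_strength(n_bits: int) -> float:
    """Unrounded strength estimate (GNFS L[1/3] heuristic) for an n_bits modulus."""
    x = n_bits * LN2
    return (1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69) / LN2


def rounded_strength(n_bits: int) -> int:
    """Estimate rounded to the nearest multiple of 8 (assumed rounding rule)."""
    return int(8 * round(estimate_strength(n_bits) / 8))


def min_modulus_for(target_bits: int) -> int:
    """Smallest modulus size whose unrounded estimate reaches target_bits.

    The estimate grows monotonically with the modulus size, so a binary
    search over the size is enough.
    """
    lo, hi = 512, 65536
    while lo < hi:
        mid = (lo + hi) // 2
        if estimate_strength(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def groups_meeting(target_bits: int, sizes) -> list:
    """Return the sizes whose rounded estimate is at least target_bits."""
    return [n for n in sizes if rounded_strength(n) >= target_bits]


if __name__ == "__main__":
    for n in RFC3526_GROUPS + CANDIDATE_GROUPS + [15360]:
        print(f"MODP-{n:<6d} estimate {estimate_strength(n):6.1f}"
              f" -> {rounded_strength(n)} bits")
    print("RFC 3526 groups reaching 256:", groups_meeting(256, RFC3526_GROUPS))
    print("Candidate groups reaching 256:", groups_meeting(256, CANDIDATE_GROUPS))
    print("Smallest modulus whose estimate reaches 256:", min_modulus_for(256))
```

Run as a script it prints the per-group estimates and shows that none of the RFC 3526 groups reaches the 256-bit line, while only the 16384-bit candidate does.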


--Apple-Mail=_31CA52CB-459C-40B8-A39A-871DF4548A74--


From nobody Wed Jul 18 15:22:27 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0360D130E46 for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 15:22:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level: 
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5VsEF0hPMmxb for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 15:22:22 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1672A130E03 for <ipsec@ietf.org>; Wed, 18 Jul 2018 15:22:21 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6IMMJva006733 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Thu, 19 Jul 2018 01:22:19 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6IMMJfQ005587; Thu, 19 Jul 2018 01:22:19 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23375.48539.497803.842773@fireball.acr.fi>
Date: Thu, 19 Jul 2018 01:22:19 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 4 min
X-Total-Time: 4 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/fGdsqbLrmRiWxNjKVuIfk_H7nDQ>
Subject: [IPsec] IPsecME@IETF102 Montreal meeting minutes
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 22:22:25 -0000

Thanks to Brian Weis for taking minutes at the IPsecME WG meeting. I
did some editing and posted them on the datatracker:
https://datatracker.ietf.org/meeting/102/materials/minutes-102-ipsecme-00

If you find something that needs to be fixed, send me email. (I did add
Yoav's comments that did not get relayed to the mic from jabber, and
added a comment that I did check the one item where there was no answer
about whether you get the same keys if you run KEYMAT twice: you do get
the same keys, as there is only a nonce there, no SPI.)

----------------------------------------------------------------------
IETF 102 IPsecME WG meeting in Montreal
Wednesday, July 18, 2018
15:20-16:50 Saint-Paul/Sainte-Catherine

Agenda: 
    
- Agenda bashing, Logistics -- Chairs (5 min)                    15:20
- Rechartering (5 min)                                           15:25
- Draft status -- Chairs, Valery (10 min)                        15:30
  - draft-ietf-ipsecme-eddsa
  - draft-ietf-ipsecme-implicit-iv
  - draft-ietf-qr-ikev2
- Work items
  - Split-dns (10 min)                                           15:40
    - draft-ietf-ipsecme-split-dns
  - Auxiliary Exchange in the IKEv2 Protocol (15 min)            15:50
    Valery Smyslov
    - draft-smyslov-ipsecme-ikev2-aux
  - Postquantum Key Exchange for IKEv2 (10 min)                  16:05
    - draft-tjhai-ipsecme-hybrid-qske-ikev2
  - Labeled IPsec (10 min)                                       16:15
    - draft-sprasad-ipsecme-labeled-ipsec
  - Diet ESP (10 min)                                            16:25
    - draft-mglt-ipsecme-diet-esp
  - Controller IKE (10 min)                                      16:35
    - draft-carrel-ipsecme-controller-ike


Agenda bashing, Logistics
=========================
Slides: https://datatracker.ietf.org/meeting/102/materials/slides-102-ipsecme-chair-slides-01

No agenda bashing.

Rechartering
============

EKR has a draft charter, will re-revise it. He doesn't see any problems.

Draft Status
============
Slides: https://datatracker.ietf.org/meeting/102/materials/slides-102-ipsecme-quantum-resistant-ikev2-00

Some of the drafts in RFC editor status are out of the 48hours author
review (some of the same documents in the same cluster as EDDSA).
Split DNS had some issues, and would come back later.

draft-ietf-ipsecme-qr-ikev2 (done after IKE_AUX presentation, but
added to minutes here, where it was supposed to be presented):

Valery presenting. There are a few clarifications since -02, no
changes on the wire. At least four vendors have implemented. Believes
it is ready for LC.

Jonathan Hammell: Why send N(USE_PPK) with IKE_SA_INIT, which allows
	 	  an attacker to profile which connections might be QR
	 	  and which not?

Valery: Needed for support of legacy, and implementations that don't
	support PPK.

Jonathan: Can't you handle that as if the responder didn't know what
	  <something> is?

Valery: There are more advantages than disadvantages.

Jonathan: Suggesting to just remove the Notify from the IKE_SA_INIT.

Tommy: With the current structure, if you do support the PPK then you
       are replacing the AUTH payload with the PPK derived key. If you
       don't want to negotiate up front they will not recognize the
       NO_PPK_AUTH payload, and the AUTH payload won't match.

Stanislav Smyshlyaev: Do you have any formal security analysis of the
	  draft?

Valery: None he is aware of. But <missed it>.

Chairs: Should be ready for WGLC. They'll be starting it soon


Split Dns
=========
(draft-ietf-ipsecme-split-dns)
Slides: posted part as chair slides

Tommy presenting. Document was about done, then EKR gave some good
comments about possible mis-use by DNS server. They want to resolve
this issue. A new version was posted addressing this, and we'll
discuss this now.

IKE clients MUST use a set of whitelisted names. Updates to the list
of trusted servers must be done on the client, or done
administratively out-of-band.

Paul W: Issue is that the VPN headend might try to re-configure the
     	clients.

Tommy: Should add that they should only include domains that are
       really considered "internal".

EKR: Explain that serious thought should be given before adding it to
     the white list.

Tero: Every time you go below a dot you have problems.

Paul W: We're talking about opening redirections, not installing trust
     	anchors.


No objections to the text on the slide, plus text that would be added
to make EKR's points more clear: that a white list is not required to
be sent. The draft will then go back to the AD (EKR) and he'll progress
it.


Auxiliary Exchange in IKEv2 Protocol
====================================
(draft-smyslov-ipsecme-ikev2-aux)
Slides: https://datatracker.ietf.org/meeting/102/materials/slides-102-ipsecme-auxiliary-exchange-in-ikev2-protocol-00

Valery presenting. The auxiliary exchange takes place between
IKE_SA_INIT and IKE_AUTH, to distribute a large amount of data
(probably large keys as part of a quantum resistant algorithm). They
are so large that they are likely to be fragmented.


Current draft says that IKE_AUX messages are authenticated by
including their ICVs in the signature calculation in IKE_AUTH. Some
issues were found with this. The slides show possible solutions.

Tero: (slide 7) We are using the PRF of the data for auth payload so
      what is the difference.

Valery: In the auth payload calculation the key is not known, here it
	might be.

Paul W: We have at this point exchanged algorithms.

Valery: We haven't finished the negotiation until IKE_AUTH.

Proposed solution 3 seems like the best compromise and he'll update the
draft with that; other comments welcome though.


Postquantum Key Exchange for IKEv2
==================================
(draft-tjhai-ipsecme-hybrid-qske-ikev2)
Slides: https://datatracker.ietf.org/meeting/102/materials/slides-102-ipsecme-postquantum-ikev2-00

Scott F presenting. "Framework to Integrate Post-Quantum Key eXchanges
in IKEv2"

Skipping to Slide 3.  Slide 4: Revised ideas, which were pretty
complex. Using the IKE_AUX exchange now.

Valery: I like it. You outlined that <missed it>. Is it necessary for
	security?

Scott: No, but I put it in there because <missed it>.

Valery: I think we should not allow multiple key exchanges per IKE SA.

Scott: We didn't want to break compatibility with existing IKE
       implementations, and play games with the SA payload where they
       might get confused.

Dan H: Are only NIST protocols two message protocols?

Scott: Pretty much. Only one requires a three-pass protocol and we're
       ignoring that.


Labeled IPsec
=============
(draft-sprasad-ipsecme-labeled-ipsec)
Slides: no slides

Paul W presenting. There was some discussion, but not enough guidance
to decide which way to go. So was hoping for more guidance.


Tero: There were different ideas on what the labelling was. We need to
      understand what the labels are before we can decide how to
      transport / negotiate them.

Paul: With SE-Linux there's no hierarchy. The question is what to do
      with other systems that have hierarchy.

Paul: The problem with hierarchy is underspecifying is as bad as
      overspecifying.

Valery: If label is presented it <missed it>.

Paul: The problem with selectors is that then we have to define the
      properties of those selectors.

Valery: If you define labeled IPsec then you have to define the labels
	and how to use them.

Tero: Are the labels numbers?

Paul: No variable strings.

Tero: Then the comparisons get uglier.

Paul: I hear two voices in favor of traffic selector type; who was in
      favor of the other method?

Tero: The meanings of the labels ... negotiated? A mapping? That's
      hard.

Paul: It's not a negotiation. It's either "I need this label" or "I
      don't need a label".

Tero: What happens when the peer ignores the label and sends back
      traffic without the label?

Tero: Pick one method and go with it.

Diet ESP
========
(draft-mglt-ipsecme-diet-esp)
Slides: https://datatracker.ietf.org/meeting/102/materials/slides-102-ipsecme-esp-header-compression-00

Daniel M. presenting. ESP header compression. Compress for
transmission, and uncompress before ESP receive processing. In the
maximum case (for IoT), the ESP header bytes are greatly reduced and
when combined with Implicit IV it's even smaller. In the VPN use case,
the savings might not be so great.

Believes that the draft is ready for adoption. Have one
implementation, and should have another except that it's delayed due
to unavailability of students.

David: The one snag is that we're waiting for the charter to be
       approved.

Tommy: Going back to slide 7: I do like the solution. Has it been
       added to the IKE document how to negotiate this?

Daniel: Could have a list of Notify payloads, and one is returned.

Tommy: It would be like the Notify for Transport mode. That's good. In
       terms of deploying it, if we're in a place where we don't allow
       fragmentations and IP options, then it would make sense to only
       offer this.

Tero: You could also create it on the fly, i.e., when you first send a
      packet which does not work with compression, you trigger IKE, and
      IKE negotiates a new child SA without ESP compression and then you
      send the frame through it.

Tommy: You should mention this more in the document, about adding an
       additional Child SA.

Valery: One drawback, which is to do DH twice.

Tero: You don't have to.

Valery: You save bandwidth, but you spend on computation.

Daniel: Focus was on reducing bandwidth, the computation costs much
	less than sending one more byte.

Tero: You can't use the same key, because the sequence numbers would
      be different. You could do KEYMAT twice.

Daniel: would it use exactly the same keys for the two?

<no answer> ([Tero] checking this later: yes, KEYMAT does not include
    	    the SPI, thus the keys would be the same, so that is not an
    	    option; needs to do a new CREATE_CHILD_SA.)


Controller IKE
==============
(draft-carrel-ipsecme-controller-ike)
Slides: https://datatracker.ietf.org/meeting/102/materials/slides-102-ipsecme-controller-ike-00

Dave Carrel presenting. Building a controller-based network in a full
mesh, need to have IPsec gateways ready to do IPsec immediately. Don't
want a man in the middle for the session keys.

Paul W: On one hand you're saying you don't have enough memory to do
     	full DH, but you're doing it.

Dave: There's a lot of state going on in IKE, it's not that there
      isn't enough memory to keep all the DHs.

Q: So you have a controller to control all the communication, why
   can't it create the keys?

Dave: Don't want to do that.

Q: But controller can hold all of the DH public numbers, can be a MITM
   by replacing all of the shares.

Dave: Right, you could have nodes signing their DH public numbers
      before sending them up.

Q: So the two nodes have the communication where they can sign/verify
   signatures ... what more do they need?

Dave: But they may not have bi-directional communication between them.

Q: Seems like the controller has everything.

EKR: What makes this "IKE"?

David: It's on the Internet and it's a key exchange?

EKR: It's out of charter for this WG.

Tero: I2NSF is doing similar things, this is better. Not in our
      charter now, but might be interesting to people so that's why it's
      presented here.

Dave: It's a key exchange protocol for IPsec.

EKR: But it's not IPsec maintenance, so it needs to either be
     rechartered or start a new WG.

Tero: Or go to I2NSF.

Valery: Each peer has a private key, uses it with every peer in the
	network. The key must be changed. How often do you see that
	happening, e.g. based on volume? Then different connections to
	different peers have different bandwidths.

David: You are limited by your business connection, but standard key
       lifetimes today are so long that time-based will happen first.

Linda Dunbar: Question for the WG. In our environment we have a similar
      	      environment, don't want to do a peer authentication for
      	      every remote node. Could the name be "simplified IPsec"
      	      or something? In I2NSF we talk about constrained devices
      	      (maybe in the cloud).

David: The controllers are in the most well protected places, the
       devices less so.

Q: In that scenario, and in his application the node has to use
   signatures.

David: In our environments we don't sign, but it could be done.

Q: If you don't sign the DH shares then you don't need to do DH
   because it could just send keys.

David: No, we want to know that customers' keys can't come in subpoena
       records from the controller. We want the keys just on the end
       nodes.

Q: Then just have the controller not keep the keys that are generated.

[The chairs cut the discussion because its not part of the charter.]

EKR: This sounds like a new WG. You can ask for a mailing list.


Open Discussion
===============

Tero: (not as WG chair). Sent an email recently to the list regarding
      using larger DH groups. Does it make sense?

Paul W: I think it's OK as long as you also add "don't add this to your
     	default proposals".

Daniel van Geest: If you're just doing this to check a box, it's false
       	   	  security.

Tero: It does actually provide 256-bit security.

Daniel van Geest: Does DH provide 256-bits of quantum security?

Tero: We don't know what security will be left with current methods
      after quantum computers.

Tero: Most people aren't required to use 256-bit crypto, but that it
      must be able to do it.

Daniel van Geest: Because they are scared of quantum computers.

Tero: Yes

Valery: Looks useful, but the public key exponent for these groups are
	quite huge, exceeding the typical IP packet size, and will
	make life a little bit difficult. But lets define them, why
	not?

Yoav Nir: from jabber, not relayed on the mic because of time
     	  constraints: mic: I haven't heard anyone say they want this.
     	  I don't think anyone does. I think we should not do this.

--

Paul W: I opened a case where someone wants to do mutual NULL
     	authentication first, then upgrade them. What we used was the
     	same trick as the PPK case. We've implemented it, squatting on
     	a private use number. Should we write a draft and get a real
     	number?

David: Anyone interested in the solution?

Valery: Please bring it to the list.

Tommy: Sounds interesting enough; one concern is, does having that other
       option encourage people to use the wrong one (the NULL auth if
       they don't know what they're doing)? Is it something we want to
       encourage long term or make it easy?

David: Please take it to the list and summarize.




-- 
kivinen@iki.fi
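Tero's follow-up check above (KEYMAT takes no SPI as input, so running it twice with the same SK_d and nonces yields the same keys, and the second Child SA for the Diet ESP fallback therefore needs a CREATE_CHILD_SA exchange) is visible directly from the derivation in RFC 7296. The following is an added example, not code from the minutes or from any IKEv2 implementation: it implements prf+ (section 2.13) and the Child SA KEYMAT derivation (section 2.17) and compares four scenarios. Assumptions: PRF_HMAC_SHA2_256 as the negotiated PRF, 32-byte encryption and integrity keys, and constructed values for SK_d, the nonces and the new g^ir.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated PRF; PRF_HMAC_SHA2_256 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13.

    T1 = prf(K, S | 0x01), T2 = prf(K, T1 | S | 0x02), ... and the output
    is T1 | T2 | ... truncated to the requested length.
    """
    out, prev = b"", b""
    for counter in range(1, 256):
        if len(out) >= length:
            break
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
    if len(out) < length:
        raise ValueError("prf+ cannot produce more than 255 blocks")
    return out[:length]


def child_sa_keymat(sk_d, ni, nr, enc_len, int_len, g_ir=None):
    """KEYMAT for one Child SA per RFC 7296 section 2.17.

    Without a fresh Diffie-Hellman exchange:  KEYMAT = prf+(SK_d, Ni | Nr)
    With one (CREATE_CHILD_SA carrying KE):   KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
    Keys are cut from KEYMAT in the order SK_ei, SK_ai, SK_er, SK_ar.
    Note what is absent from the inputs: neither Child SA SPI.
    """
    seed = (g_ir or b"") + ni + nr
    keymat = prf_plus(sk_d, seed, 2 * (enc_len + int_len))
    keys, pos = {}, 0
    for name, size in (("SK_ei", enc_len), ("SK_ai", int_len),
                       ("SK_er", enc_len), ("SK_ar", int_len)):
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys


# Constructed sample values, not taken from any real IKE SA.
SK_D = hashlib.sha256(b"constructed SK_d").digest()
NI = hashlib.sha256(b"constructed Ni").digest()[:16]
NR = hashlib.sha256(b"constructed Nr").digest()[:16]
NI2 = hashlib.sha256(b"constructed Ni rekey").digest()[:16]
NR2 = hashlib.sha256(b"constructed Nr rekey").digest()[:16]
G_IR = hashlib.sha256(b"constructed new g^ir").digest()
ENC_LEN, INT_LEN = 32, 32   # e.g. ENCR_AES_CBC (256-bit) with AUTH_HMAC_SHA2_256_128


def keymat_scenarios():
    """Four Child SAs keyed from the same IKE SA:

    first         the Child SA created in IKE_AUTH
    keymat_again  KEYMAT run a second time with the same SK_d and nonces,
                  as for a second Child SA that only differs in its SPIs
    rekey_nodh    CREATE_CHILD_SA with fresh nonces but no KE payload
    rekey_dh      CREATE_CHILD_SA with fresh nonces and a new DH exchange
    """
    return {
        "first": child_sa_keymat(SK_D, NI, NR, ENC_LEN, INT_LEN),
        "keymat_again": child_sa_keymat(SK_D, NI, NR, ENC_LEN, INT_LEN),
        "rekey_nodh": child_sa_keymat(SK_D, NI2, NR2, ENC_LEN, INT_LEN),
        "rekey_dh": child_sa_keymat(SK_D, NI2, NR2, ENC_LEN, INT_LEN, g_ir=G_IR),
    }


if __name__ == "__main__":
    s = keymat_scenarios()
    print("same SK_d and nonces, different SPIs -> identical keys:",
          s["first"] == s["keymat_again"])
    print("fresh nonces from CREATE_CHILD_SA -> different keys:",
          s["first"] != s["rekey_nodh"])
```

The SPI only shows up later, in the ESP header and in the traffic selectors; it is never mixed into the keys, which is why two Child SAs that share SK_d and nonces would also share keys and IVs and why a new exchange with new nonces is the only correct way to obtain a second SA.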
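One way to implement the client-side whitelist check discussed under Split DNS above, as an added example that is not code from the draft or from any implementation (the function names, the whitelist and the offered domains are constructed for illustration). It compares whole labels, so that a gateway offering "evilexample.com" does not match a whitelisted "example.com" (the "below a dot" problem Tero raised), and it refuses the root and single-label names outright, since those would redirect whole TLDs. Accepting names below a whitelisted domain is a design assumption made here: they narrow, rather than widen, what the gateway is trusted to resolve.

```python
from typing import Iterable, List, Tuple


def _labels(name: str) -> List[str]:
    """Normalise a DNS name (lower-case, trailing dot removed) into labels.
    Raises ValueError on empty labels such as in 'bad..name'."""
    name = name.strip().lower().rstrip(".")
    if not name:
        return []
    labels = name.split(".")
    if any(not label for label in labels):
        raise ValueError(f"malformed domain name: {name!r}")
    return labels


def is_within(candidate: str, allowed: str) -> bool:
    """True if candidate equals allowed or lies below it, compared label by
    label, so 'evilexample.com' is NOT within 'example.com'."""
    cand, allow = _labels(candidate), _labels(allowed)
    return bool(allow) and len(cand) >= len(allow) and cand[-len(allow):] == allow


def accept_internal_domains(offered: Iterable[str],
                            whitelist: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Filter INTERNAL_DNS_DOMAIN values received from the VPN gateway against
    the client's administratively configured whitelist.

    Returns (accepted, rejected). A name is rejected when it is malformed,
    when it is the root or a single label (that would hand the gateway a
    whole TLD), or when no whitelist entry covers it.
    """
    whitelist = list(whitelist)
    accepted, rejected = [], []
    for name in offered:
        try:
            labels = _labels(name)
        except ValueError:
            rejected.append(name)
            continue
        if len(labels) < 2 or not any(is_within(name, w) for w in whitelist):
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample data: what an administrator configured on the client,
# and what a (possibly misbehaving) gateway sent in its CFG_REPLY.
WHITELIST = ["example.com", "corp.example.net"]
OFFERED = ["example.com", "Internal.Example.COM.", "corp.example.net",
           "evilexample.com", "com", ".", "example.net", "bad..name"]

if __name__ == "__main__":
    accepted, rejected = accept_internal_domains(OFFERED, WHITELIST)
    print("accepted:", accepted)
    print("rejected:", rejected)
```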


From nobody Wed Jul 18 15:24:42 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0D3313102D for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 15:24:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level: 
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GeYd-0hcbQu3 for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 15:24:37 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 392BF13125A for <ipsec@ietf.org>; Wed, 18 Jul 2018 15:24:37 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6IMOMi9011477 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 19 Jul 2018 01:24:22 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6IMOMJA028368; Thu, 19 Jul 2018 01:24:22 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <23375.48662.244076.606610@fireball.acr.fi>
Date: Thu, 19 Jul 2018 01:24:22 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: ipsec@ietf.org
In-Reply-To: <5A8727C5-B4B6-4742-8737-E2DC9AFE4B50@gmail.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <5A8727C5-B4B6-4742-8737-E2DC9AFE4B50@gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 1 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uuAqAN8E8fnpRh14ZnIqRnMPJ58>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 22:24:41 -0000

Yoav Nir writes:
> Since my message got lost in the overtime, I'll say it again here.

Btw, I copied your comment from jabber to the minutes, as it should
have been relayed, but as our jabber relay was on the microphone, it
got skipped...
-- 
kivinen@iki.fi


From nobody Wed Jul 18 18:28:57 2018
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7899A130E78 for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 18:28:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvASfrjVdveZ for <ipsec@ietfa.amsl.com>; Wed, 18 Jul 2018 18:28:53 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED89A130DCA for <ipsec@ietf.org>; Wed, 18 Jul 2018 18:28:52 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 860092008C; Wed, 18 Jul 2018 21:44:42 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id A7B121A76; Wed, 18 Jul 2018 21:24:18 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id A58351A54; Wed, 18 Jul 2018 21:24:18 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Valery Smyslov" <smyslov.ietf@gmail.com>
cc: "'Tero Kivinen'" <kivinen@iki.fi>, ipsec@ietf.org
In-Reply-To: <036001d41de2$7dbc8bf0$7935a3d0$@gmail.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <036001d41de2$7dbc8bf0$7935a3d0$@gmail.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Wed, 18 Jul 2018 21:24:18 -0400
Message-ID: <16977.1531963458@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/BZ9JwYu1uCKfz3_LUV_ALl4i-lw>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 01:28:56 -0000


Valery Smyslov <smyslov.ietf@gmail.com> wrote:
    > my concern is that these MODP groups will have public keys of 1.5-2 Kb
    > in size,
    > so it can make using them problematic in real world due to fragmentation
    > issues...

I think what you mean to say is that thanks to these MODP groups, we can
more effectively test interoperability of fragmentation handling :-)

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [



From nobody Thu Jul 19 06:50:19 2018
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 883CC130E50 for <ipsec@ietfa.amsl.com>; Thu, 19 Jul 2018 06:50:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id skwunmxvwd3K for <ipsec@ietfa.amsl.com>; Thu, 19 Jul 2018 06:50:13 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38C0B130EA1 for <ipsec@ietf.org>; Thu, 19 Jul 2018 06:50:13 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41Wb4L11Fkz7vr; Thu, 19 Jul 2018 15:50:10 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1532008210; bh=tpbhj+N82ErsaoJYr7O8ztgpdc5aleBr++uEzkFCi4U=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=k3M1O+YbvEoXuPTNDmWj/Ir5BXsZ49JPtih8v48i6/U/8EGMiuHXLeKO+iHrmd48G Dcv7jFK6qNdaLS2oHEMJxHuJXOVmZxVK/OoPQaWfwdTOrRtbeiOM3+7LF/akMr6jVN abuWh3lEltbfrVCga06guKhCsV5h26KG/tyL4CfU=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id Flbti-MB7EY5; Thu, 19 Jul 2018 15:50:08 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 19 Jul 2018 15:50:08 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id E6BFA288A6; Thu, 19 Jul 2018 09:50:06 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca E6BFA288A6
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id DFC3D4009E70; Thu, 19 Jul 2018 09:50:06 -0400 (EDT)
Date: Thu, 19 Jul 2018 09:50:06 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Tero Kivinen <kivinen@iki.fi>
cc: ipsec@ietf.org
In-Reply-To: <23375.48539.497803.842773@fireball.acr.fi>
Message-ID: <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca>
References: <23375.48539.497803.842773@fireball.acr.fi>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LwtO4xSBOTZGV74ccljn8CqEEMk>
Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 13:50:17 -0000

On Thu, 19 Jul 2018, Tero Kivinen wrote:

> Thanks for Brian Weis taking minutes from the IPsecME WG meeting. I
> did some editing and posted them on the datatracker:
> https://datatracker.ietf.org/meeting/102/materials/minutes-102-ipsecme-00

ossible mis-use by DNS server -> possible mis-use by VPN server

(added after meeting to clarify: It is assumed a CA/provisioning server
  is more secure than a VPN gateway)

Regarding:

 	Valery: I like it. You outlined that <missed it>. Is it neceesary for security?

 	Scott: No, but I put it in there because <missed it>.

I believe this was about sending KE payloads for each exchange? And
Scott left it in because it kept the existing code/protocol intact?

 	Dan H: Are only NIST protocols two message protocols?

That should be "Are all NIST protocols two message protocols?"


 	Paul W: One one hand you're saying you don't have enough memory to do
      		full DH, but you're doing it.

My question was actually:

 	Paul W: One one hand you're saying you don't have enough memory to do
 		thousands of DH, but on the other hand you can store 1000 DH
 		keys?


From nobody Thu Jul 19 07:15:14 2018
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 979001310C4 for <ipsec@ietfa.amsl.com>; Thu, 19 Jul 2018 07:14:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zCbPGjJ1Efgc for <ipsec@ietfa.amsl.com>; Thu, 19 Jul 2018 07:14:55 -0700 (PDT)
Received: from mail-it0-x232.google.com (mail-it0-x232.google.com [IPv6:2607:f8b0:4001:c0b::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D36013108B for <ipsec@ietf.org>; Thu, 19 Jul 2018 07:14:55 -0700 (PDT)
Received: by mail-it0-x232.google.com with SMTP id h2-v6so9737498itj.1 for <ipsec@ietf.org>; Thu, 19 Jul 2018 07:14:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:to:references:in-reply-to:subject:date:message-id:mime-version :thread-index:content-language; bh=oOvoNBJDr4BqVWkb2LGzio7RG3vLjqpxxHH5fh+Wmho=; b=gRjNaUUzMILnNjVUO3kb6af5ytVITV9ybtfGb2Zs9p2RgApZjY+yZejaI75RMvSGAC 4cfY4b3SoZGW4uRyW7jJ73RfcM0hCwoZj0RFGmCEe/Dn8JI8oGikMuQ+MTFEMFjGS0Rv cPHiTbe5ttvl9toh+5JvNU9hPqJLdwqRMQaMTSEWeyxg5P0BiuaaGis81qOlTWQia/1S Ih15C0C8K3viB28Oh8yfjtCDrDKTNzM8V2ZqIkSkMuA4Aww1Yj3+iWW+s4s9oFpLBuSM weMMczRdAABRZ7pMtch5xyHm1lgT3q568SSYyzl1Do1ZRVLStKhtX4PTRuK7t84BS5t8 r9AQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=oOvoNBJDr4BqVWkb2LGzio7RG3vLjqpxxHH5fh+Wmho=; b=WrjMU8vt/W3kSh3k62NApbEsmXyM//K8PCqquI2i4SBgoaMP1gp3YwaitX9rzdiEIn xVcZLp0HR22mob7P05Z3jqmP3mYYxwWOCagKDuTnielJ7xD0ZSkiWxtxQRWY8YqKpYpp 2vokAnqIGDtZWb34A8ohYOB19O8+74jkOlVCusNUC7Y7V3OG6b6q9oS5RzhazjCJhw1B BAN+FSOd+H7hqCTGOE9RVuyNzKdwA6TashQ5OunLpNa6f/jJ20CVUUkRRugwFbVdR77R phewj+uk18Iy5KgyJ+/aUA0ERwtjaBjIKSkTWB+cit56mFZC/qhjg77zpWBBbFOUXuG+ 9UJA==
X-Gm-Message-State: AOUpUlF088mGNI9wPKROOyp/BPWMmPq7va3tlLT/fYiIFQ5mwASRHg5A lr8lAyhrxflgoX/u8LhnfnOSsI1Um1o=
X-Google-Smtp-Source: AAOMgpcHWw0ulYjmSF7KHqW3VqRZmvhCce5UjvdrcgqCcygPcfqi61vSiVmOeHeyS43OJMon6rfKow==
X-Received: by 2002:a24:db05:: with SMTP id c5-v6mr6184746itg.44.1532009694891;  Thu, 19 Jul 2018 07:14:54 -0700 (PDT)
Received: from svannotebook ([2001:67c:370:128:b1af:7b97:768c:2d1d]) by smtp.gmail.com with ESMTPSA id h14-v6sm2414198ioj.21.2018.07.19.07.14.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 19 Jul 2018 07:14:54 -0700 (PDT)
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer@cisco.com>, <ipsec@ietf.org>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com> <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com>
In-Reply-To: <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com>
Date: Thu, 19 Jul 2018 10:14:51 -0400
Message-ID: <055c01d41f6a$dc6e7d50$954b77f0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_055D_01D41F49.5562F7D0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEciSsDD1zqgCWGCuqENOVpeeZcmAIUjD3lAYKjZjwC2ApLZAEyIKg0At8cjcylsbf1UA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/SiLgeBWktA3xfdYf8YHLLWbx4ws>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 14:15:08 -0000

Hi,

as it often happens, good thoughts come a bit late...

While I agreed before on using an all-zero key for the PRF and even
put this into my yesterday's presentation, while keeping thinking
about the issue I came across a good reason to use SK_pi/SK_pr
instead of all-zero keys.

My reasoning is as follows. We define IKE_AUX as a more generic mechanism
for transporting a large amount of data in the initial IKE exchanges.
While currently QSKE looks like the primary application for this mechanism,
I can imagine that it can be applicable for other use cases too.
Then, while we all are waiting for Quantum Computers to appear
and are trying to be prepared for this, we really don't know when
it happens and whether it happens at all (the story of TOKAMAK
https://en.wikipedia.org/wiki/Tokamak is a good example of a situation
where engineering issues remain unresolved for decades).
So we can expect that at least for some period of time there
will be applications that would not be concerned with Quantum Computers,
but they would probably use IKE_AUX. For such use cases we can assume that
the initial shared keys computed as a result of IKE_SA_INIT are not known
to the attacker, and if we use SK_pi/SK_pr as keys for the PRF, then there is no
reason to restrict the choice of PRFs by excluding XCBC and CMAC.

On the other hand, if later some new QSKE method appears that
will have small enough public keys, so that it can be used in IKE_SA_INIT,
and IKE_AUX would be used for some purposes other than QSKE,
then again the key would not be known to the attacker and there would be
no reason to restrict the choice of PRFs.

So, my suggestions:

1. use SK_pi/SK_pr as keys for the PRF that authenticates IKE_AUX messages
2. don't impose any restrictions on the choice of PRF in the IKE_AUX draft
   (but probably write some words in the Security Considerations)
3. in the QSKE document add a restriction on PRF choice, excluding those
   that a) are not secure in the PQ world and b) are not secure against
   preimage attack in case of a known key.

Any opinions? Scott, Daniel, what do you think about this?

Regards,
Valery.

> All three work (that is, they prevent any undetected modifications to
> the IKE_AUX payloads); I quite understand if (1) would be considered an
> undesirable option. As for (2) and (3), they are largely the same; (3)
> limits the PRFs to the ones which include second-preimage-resistant
> hash functions. I can see the attraction of not requiring a separate
> negotiation; I'm just worried about someone ignoring our 'don't use
> XCBC/CMAC' mandate...

=20

Also, for (3), you have to be careful to specify which SK_p[ir] to use; =
in our draft, the IKE_AUX message updates them; the obvious thing to do =
is specify that you=E2=80=99ll use the SK_p[ir] values that were in =
effect at the beginning of the IKE_AUX message in question.  Actually, =
for security, we don=E2=80=99t need a secret key, having both sides use, =
say, an all zero key, would achieve the same security goal, however that =
does feel weird=E2=80=A6

=20

Using an all zero key does feel weird, however it could help avoid =
potential incompatible implementation errors.  There are two sets of =
SK_p[ir] available to use in the case where an IKE_AUX includes a key =
exchange, the values in effect at the beginning of the IKE_AUX exchange, =
and the updated values resulting from the IKE_AUX exchange.  Depending =
on the order in which implementations recalculate the SKEYSEED and SK_* =
keys, vs when they perform the PRF on the IXE_AUX data, the =
=E2=80=9Ccurrent=E2=80=9D SK_p[ir] values could be the old or new values =
and so some implementations may have to maintain both the old and new =
keys until the IKE_AUX digest is calculated.  All this is to say, if it =
doesn=E2=80=99t affect the security it may just be simpler and easier =
for compatibility to use an all zero key.

=20

=20

Regards,

Valery.

=20

=20

=20

Thanks,

Daniel

=20

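The SK_p[ir] ordering problem raised in the quoted discussion, as an added simulation (example code, not from the IKE_AUX draft or any implementation; the simplified key-update formula, the sample key material and the message bytes are assumptions of this example):

```python
import hashlib
import hmac

ZERO_KEY = bytes(32)  # the "all-zero key" alternative discussed in the thread


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the PRFs IKEv2 can negotiate."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ike_aux_digest(sk_p: bytes, aux_message: bytes) -> bytes:
    """Authenticator over one IKE_AUX message, keyed with whichever
    SK_p[ir] value the sender chose for it (or with ZERO_KEY)."""
    return prf(sk_p, aux_message)


class Peer:
    """Key material of one IKE SA endpoint.

    update_keys() is a simplified stand-in (an assumption of this example,
    not the draft's formula) for re-running the IKEv2 key derivation after
    an IKE_AUX exchange has contributed a new shared secret.
    """

    def __init__(self, sk_d: bytes, sk_pi: bytes, sk_pr: bytes):
        self.sk_d, self.sk_pi, self.sk_pr = sk_d, sk_pi, sk_pr

    def update_keys(self, new_shared_secret: bytes) -> None:
        skeyseed = prf(self.sk_d, new_shared_secret)
        self.sk_d = prf(skeyseed, b"d")
        self.sk_pi = prf(skeyseed, b"pi")
        self.sk_pr = prf(skeyseed, b"pr")


def fresh_peer() -> Peer:
    """Constructed sample material both sides hold after IKE_SA_INIT."""
    seed = hashlib.sha256(b"constructed IKE_SA_INIT key material").digest()
    return Peer(seed, prf(seed, b"pi"), prf(seed, b"pr"))


def run_ike_aux(init_before_update: bool, resp_before_update: bool,
                zero_key: bool = False) -> bool:
    """Simulate one IKE_AUX request from the initiator that carries a key
    exchange. Each side independently decides whether it reads SK_pi before
    or after recomputing the SA keys. Returns True if the responder's
    recomputed digest matches the one the initiator sent."""
    initiator, responder = fresh_peer(), fresh_peer()
    aux_message = b"IKE_AUX request with KE payload (constructed)"
    new_secret = b"constructed shared secret from the IKE_AUX key exchange"

    # Initiator: pick the key, compute the digest, run the key update in
    # whichever order its implementation happens to use.
    if not init_before_update:
        initiator.update_keys(new_secret)
    sent = ike_aux_digest(ZERO_KEY if zero_key else initiator.sk_pi, aux_message)
    if init_before_update:
        initiator.update_keys(new_secret)

    # Responder: the same choice, made independently.
    if not resp_before_update:
        responder.update_keys(new_secret)
    expected = ike_aux_digest(ZERO_KEY if zero_key else responder.sk_pi, aux_message)
    if resp_before_update:
        responder.update_keys(new_secret)

    # Only when both sides pin the same SK_pi (or both use ZERO_KEY) do the
    # digests agree; a mismatch here would be an interoperability failure.
    return hmac.compare_digest(sent, expected)
```

Pinning "the values in effect at the beginning of the IKE_AUX message" corresponds to both sides passing True, which is why the draft text has to say so explicitly.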



From nobody Thu Jul 19 07:21:40 2018
Return-Path: <smyslov.ietf@gmail.com>
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Paul Wouters'" <paul@nohats.ca>, "'Tero Kivinen'" <kivinen@iki.fi>
Cc: <ipsec@ietf.org>
References: <23375.48539.497803.842773@fireball.acr.fi> <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca>
Date: Thu, 19 Jul 2018 10:21:19 -0400
Message-ID: <056101d41f6b$c37e67f0$4a7b37d0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQG0smRJmVOlvga81SShQKwyLneOEwHHI22ypMc4klA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/E8I8qpJWDk0xftfdssji6_dX-rk>
Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes

Hi Paul,

>  	Valery: I like it. You outlined that <missed it>. Is it necessary for
> security?
> 
>  	Scott: No, but I put it in there because <missed it>.
> 
> I believe this was about sending KE payloads for each exchange? And Scott
> left it in because it kept the existing code/protocol intact?

No, I asked why each new KE in IKE_AUX incorporates its own nonce, instead
of re-using nonces from IKE_SA_INIT. I have no problem with this if it is
needed for security; my question was driven by curiosity.

Regards,
Valery


From nobody Thu Jul 19 07:27:31 2018
Return-Path: <paul@nohats.ca>
Date: Thu, 19 Jul 2018 10:27:11 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
cc: Vukasin Karadzic <vukasin.karadzic@gmail.com>
Message-ID: <alpine.LRH.2.21.1807190952200.21273@bofh.nohats.ca>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/vBE0qq6Ly9sLEirY84kg_6dXmAs>
Subject: [IPsec] Mutual authnull to mutual authenticated upgrade

We had to support the following deployment.

A large group of nodes is deployed with mutual authnull. This
offers passive attack protection on the network. At a later
stage, nodes are given their certificate for authentication.

The goal was to go from mutual authnull to mutual RSA. If either
node does not yet support authentication, both nodes use auth null.

So we have the following possibilities:

1) authby=authnull -> authby=authnull
2) authby=authnull,cert -> authby=authnull
3) authby=authnull,cert -> authby=authnull,cert  (must yield real authentication)
4) authby=authnull -> authby=authnull,cert

When all nodes have gotten a cert, you can remove authnull, so you end up with:

5) authby=cert -> authby=cert

1 and 5 are existing known working deployments.

2-4 have a scenario where you have to pick an IKE_AUTH method. Depending
on the responder you got it right or wrong. If wrong, you have to
restart IKE_INIT to try the other method. We wanted to do this IKE_AUTH
in 1 roundtrip without a restart of IKE_INIT.

Note all these scenarios yield a symmetric authentication. It will be
either authnull or mutual "real" authentication (e.g. RSA or DigitalSignature).

So what we ended up doing is similar to the NO_PPK_AUTH trick. We added
sending a notify N(AUTHNULL) (40960 private use number) to the IKE_AUTH
exchange on the initiator which is a notify containing an AUTH payload
using authnull. So this becomes:

request             --> IDi, [CERT+,]
                            [N(INITIAL_CONTACT),]
                            [N(AUTHNULL)]                     <----- New item
                            [[N(HTTP_CERT_LOOKUP_SUPPORTED),] CERTREQ+,]
                            [IDr,]
                            AUTH,
                            [CP(CFG_REQUEST),]
                            [N(IPCOMP_SUPPORTED)+,]
                            [N(USE_TRANSPORT_MODE),]
                            [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                            [N(NON_FIRST_FRAGMENTS_ALSO),]
                            SA, TSi, TSr,
                            [V+][N+]


The IKE_AUTH response is unmodified.

If the responder supports this payload, AND local policy can do
authentication, it will ignore this payload and use the regular AUTH
payload. If it only has a configuration for authnull, it will use the
N(AUTHNULL) as the received AUTH payload instead of the actual AUTH
payload. The responder will send back only a real AUTH payload. If the
initiator had N(AUTHNULL) but the responder can do regular authentication,
it will just send back a real authentication AUTH payload. If the
responder can only do authnull, it will send an authnull based AUTH
payload. The responder never sends a N(AUTHNULL) payload as we did
not need/want to support asymmetrical authentication where one part
is authnull and the other is not, as we either have a CA+EE cert for
ourselves AND the peer, or we only have authnull for everything.

See our test cases:

http://testing.libreswan.org/results/testing/v3.25-195-gb3ef436-master/mixoe-03-authanon-anon/
http://testing.libreswan.org/results/testing/v3.25-195-gb3ef436-master/mixoe-02-anon-authanon/
http://testing.libreswan.org/results/testing/v3.25-195-gb3ef436-master/mixoe-01-authanon-authanon/


My questions are:

1) Is this useful enough to write up as an RFC?
2) Are we correct with our assumption that you either end up on mutual
    authnull or with mutual authentication, or do people believe there
    is a use case for asymmetric authentication as well, in which case
    the responder could also send AUTH plus N(AUTHNULL)?

Paul and Vukasin
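A small model of the N(AUTHNULL) negotiation described in this post, added here as an illustration (example code, not libreswan's implementation; the Policy fields, method names and scenario helpers are assumptions of this example, only the notify number comes from the post):

```python
from dataclasses import dataclass
from typing import Dict, Optional

N_AUTHNULL = 40960  # private-use notify number named in the post


@dataclass(frozen=True)
class Policy:
    """Local authby= configuration of one node."""
    authnull: bool = False
    cert: bool = False  # CA + end-entity certificate for itself and the peer


@dataclass(frozen=True)
class IkeAuthRequest:
    auth_method: str               # method used by the regular AUTH payload
    authnull_notify: bool = False  # N(AUTHNULL) carrying an authnull AUTH


@dataclass(frozen=True)
class IkeAuthResponse:
    auth_method: str               # the responder never adds N(AUTHNULL)


def build_request(initiator: Policy) -> IkeAuthRequest:
    """Initiator side: AUTH uses the strongest configured method; a node
    that can also fall back to authnull attaches N(AUTHNULL) so the
    responder can switch methods without restarting IKE_SA_INIT."""
    if initiator.cert:
        return IkeAuthRequest("cert", authnull_notify=initiator.authnull)
    if initiator.authnull:
        return IkeAuthRequest("authnull")
    raise ValueError("no authentication method configured")


def respond(responder: Policy, req: IkeAuthRequest) -> Optional[IkeAuthResponse]:
    """Responder side: choose which received AUTH payload to verify and
    answer with the matching method. None models an authentication
    failure, i.e. the case that would force a fresh IKE_SA_INIT."""
    if req.auth_method == "cert" and responder.cert:
        return IkeAuthResponse("cert")      # N(AUTHNULL), if present, is ignored
    if req.authnull_notify and responder.authnull:
        return IkeAuthResponse("authnull")  # N(AUTHNULL) stands in for AUTH
    if req.auth_method == "authnull" and responder.authnull:
        return IkeAuthResponse("authnull")
    return None


def negotiate(initiator: Policy, responder: Policy) -> Optional[str]:
    """One IKE_AUTH round trip; returns the agreed method or None."""
    rsp = respond(responder, build_request(initiator))
    return None if rsp is None else rsp.auth_method


# The three authby= configurations that appear in the post's scenarios.
ANON = Policy(authnull=True)
ANON_CERT = Policy(authnull=True, cert=True)
CERT = Policy(cert=True)


def scenarios() -> Dict[int, Optional[str]]:
    """The five deployments listed in the post, numbered as there
    (initiator -> responder)."""
    return {
        1: negotiate(ANON, ANON),
        2: negotiate(ANON_CERT, ANON),
        3: negotiate(ANON_CERT, ANON_CERT),
        4: negotiate(ANON, ANON_CERT),
        5: negotiate(CERT, CERT),
    }
```

Running scenarios() shows every case settling on one method for both ends, and negotiate(CERT, ANON) returning None is the only combination that still needs a restart.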


From nobody Thu Jul 19 07:35:30 2018
Return-Path: <sfluhrer@cisco.com>
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "'Paul Wouters'" <paul@nohats.ca>, "'Tero Kivinen'" <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] IPsecME@IETF102 Montreal meeting minutes
Date: Thu, 19 Jul 2018 14:35:02 +0000
Message-ID: <ce9358f8e1db4a48be30173cb842e71d@XCH-RTP-006.cisco.com>
References: <23375.48539.497803.842773@fireball.acr.fi> <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca> <056101d41f6b$c37e67f0$4a7b37d0$@gmail.com>
In-Reply-To: <056101d41f6b$c37e67f0$4a7b37d0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/o2cho9v23UodxuryZcPLz3IXFwk>
Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes

> -----Original Message-----
> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Valery Smyslov
> Sent: Thursday, July 19, 2018 10:21 AM
> To: 'Paul Wouters' <paul@nohats.ca>; 'Tero Kivinen' <kivinen@iki.fi>
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes
>
> Hi Paul,
>
> >  	Valery: I like it. You outlined that <missed it>. Is it necessary for
> > security?
> >
> >  	Scott: No, but I put it in there because <missed it>.

"I put it in there because we reused an existing key update mechanism, and
as that mechanism used nonces, we included them"

> >
> > I believe this was about sending KE payloads for each exchange? And
> > Scott
> left
> > it in because it kept the existing code/protocol intact?

>
> No, I asked why each new KE in IKE_AUX incorporates its own nonce, instead
> of re-using nonces from IKE_SA_INIT. I have no problem with this if it is
> needed for security, my question was driven by curiosity.

I don't know if we really thought about it; the mechanism needed nonces, so
we included them.  We didn't really consider reusing previously exchanged
nonces...

If you ask my opinion, I think it's cleaner if we use fresh nonces; however
I do not believe that there is any security difference.

>
> Regards,
> Valery


From nobody Thu Jul 19 07:47:17 2018
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: ipsec@ietf.org
Message-ID: <153201163536.5326.15945035511748956971@ietfa.amsl.com>
Date: Thu, 19 Jul 2018 07:47:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LW9AGrxUgFlaIeXCp2DAkHY3I4Y>
Subject: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-11.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.

        Title           : Split DNS Configuration for IKEv2
        Authors         : Tommy Pauly
                          Paul Wouters
        Filename        : draft-ietf-ipsecme-split-dns-11.txt
        Pages           : 13
        Date            : 2018-07-19

Abstract:
   This document defines two Configuration Payload Attribute Types for
   the IKEv2 protocol that add support for private DNS domains.  These
   domains are intended to be resolved using DNS servers reachable
   through an IPsec connection, while leaving all other DNS resolution
   unchanged.  This approach of resolving a subset of domains using non-
   public DNS servers is referred to as "Split DNS".


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-split-dns/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-11
https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-split-dns-11

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-11


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Thu Jul 19 08:13:57 2018
Message-ID: <23376.43687.887354.235008@fireball.acr.fi>
Date: Thu, 19 Jul 2018 18:13:43 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: ipsec@ietf.org
In-Reply-To: <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca>
References: <23375.48539.497803.842773@fireball.acr.fi> <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/lD5F-wNVw8wMgU3MI-39neSVmRc>
Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes

Paul Wouters writes:
> On Thu, 19 Jul 2018, Tero Kivinen wrote:
> 
> > Thanks for Brian Weis taking minutes from the IPsecME WG meeting. I
> > did some editing and posted them on the datatracker:
> > https://datatracker.ietf.org/meeting/102/materials/minutes-102-ipsecme-00
> 
> possible mis-use by DNS server -> possible mis-use by VPN server
> 
> (added after meeting to clarify: It is assumed a CA/provisioning server
>   is more secure then a VPN gateway)

Fixed and added.

> Regarding:
> 
>  	Valery: I like it. You outlined that <missed it>. Is it necessary for security?
> 
>  	Scott: No, but I put it in there because <missed it>.
> 
> I believe this was about sending KE payloads for each exchange? And
> Scott left it in because it kept the existing code/protocol intact?

Like this:

Valery: I like it. You outlined sending a KE payload for each
	exchange. Is it necessary for security?

Scott: No, but I put it in there because it kept the existing
       code/protocol intact.

>  	Dan H: Are only NIST protocols two message protocols?
> 
> That should be "Are all NIST protocols two message protocols?"

Fixed.

>  	Paul W: One one hand you're saying you don't have enough memory to do
>       		full DH, but you're doing it.
> 
> My question was actually:
> 
>  	Paul W: One one hand you're saying you don't have enough memory to do
>  		thousands of DH, but on the other hand you can store 1000 DH
>  		keys?

Or "On one hand ..."?

Paul W: On one hand you're saying you don't have enough memory to do
     	thousands of DH, but on the other hand you can store 1000 DH
     	keys?
-- 
kivinen@iki.fi


From nobody Thu Jul 19 08:23:11 2018
Message-ID: <23376.44231.582495.414941@fireball.acr.fi>
Date: Thu, 19 Jul 2018 18:22:47 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Valery Smyslov" <smyslov.ietf@gmail.com>
Cc: "'Paul Wouters'" <paul@nohats.ca>, <ipsec@ietf.org>
In-Reply-To: <056101d41f6b$c37e67f0$4a7b37d0$@gmail.com>
References: <23375.48539.497803.842773@fireball.acr.fi> <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca> <056101d41f6b$c37e67f0$4a7b37d0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/q6y8ruoIo6Pmsdbl6jYOAkHrsSM>
Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes

Valery Smyslov writes:
> No, I asked why each new KE in IKE_AUX incorporates its own nonce, instead
> of re-using
> nonces from IKE_SA_INIT. I have no problem with this if it is needed
> for security, my question was driven by curiosity.

I.e., so this would be (more?) correct:
----------------------------------------------------------------------
Valery: I like it. You outlined that you send a Nonce payload for each
	KE exchange, and do not reuse the one from IKE_SA_INIT. Is it
	necessary for security?

Scott: No, but I put it in there because it kept the existing
       code/protocol intact.
-- 
kivinen@iki.fi


From nobody Thu Jul 19 08:34:15 2018
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, Valery Smyslov <smyslov.ietf@gmail.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "'Paul Wouters'" <paul@nohats.ca>
Thread-Topic: [IPsec] IPsecME@IETF102 Montreal meeting minutes
Date: Thu, 19 Jul 2018 15:34:09 +0000
Message-ID: <80bfa6a09bd3467c947589e1ac43e8dc@XCH-RTP-006.cisco.com>
References: <23375.48539.497803.842773@fireball.acr.fi> <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca> <056101d41f6b$c37e67f0$4a7b37d0$@gmail.com> <23376.44231.582495.414941@fireball.acr.fi>
In-Reply-To: <23376.44231.582495.414941@fireball.acr.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/N0kzPKpV_4ryyTQ9y9ALFJjWtOg>
Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes

> -----Original Message-----
> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Tero Kivinen
> Sent: Thursday, July 19, 2018 11:23 AM
> To: Valery Smyslov <smyslov.ietf@gmail.com>
> Cc: ipsec@ietf.org; 'Paul Wouters' <paul@nohats.ca>
> Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes
>
> Valery Smyslov writes:
> > No, I asked why each new KE in IKE_AUX incorporates its own nonce,
> > instead of re-using nonces from IKE_SA_INIT. I have no problem with
> > this if it is needed for security, my question was driven by
> > curiosity.
>
> I.e., so this would be (more?) correct:
> ----------------------------------------------------------------------
> Valery: I like it. You outlined that you send a Nonce payload for each
> 	KE exchange, and do not reuse the one from IKE_SA_INIT. Is it
> 	necessary for security?
>
> Scott: No, but I put it in there because it kept the existing
>        code/protocol intact.

Yes; not the wording I used, but that's what I meant.



From nobody Thu Jul 19 08:55:40 2018
Message-ID: <23376.46182.215462.817479@fireball.acr.fi>
Date: Thu, 19 Jul 2018 18:55:18 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec\@ietf.org WG" <ipsec@ietf.org>, Vukasin Karadzic <vukasin.karadzic@gmail.com>
In-Reply-To: <alpine.LRH.2.21.1807190952200.21273@bofh.nohats.ca>
References: <alpine.LRH.2.21.1807190952200.21273@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/HtNUSAkDdyoOVnKaAjcKqSVeTmQ>
Subject: [IPsec] Mutual authnull to mutual authenticated upgrade

Paul Wouters writes:
> So we have the following possibilities:
> 
> 1) authby=authnull -> authby=authnull
> 2) authby=authnull,cert -> authby=authnull
> 3) authby=authnull,cert -> authby=authnull,cert  (must yield real authentication)
> 4) authby=authnull -> authby=authnull,cert

Actually all of those (including the last one) are just authnull
always. If you do not require authentication then a man-in-the-middle
attacker can just modify the exchange so that authnull is the only one
offered.

I.e., option 4 is still insecure until you go and change the
configuration to 5. So the question there is if you do not care about
authentication you should just install certs everywhere, and then
start requiring authentication like you have in your case 5 below:

> When all nodes have gotten a cert, you can remove authnull so end up with:
> 
> 5) authby=cert -> authby=cert
> 
> 1 and 5 are existing known working deployments.

And 2-4 are exactly the same as 1 from a security point of view.

> 1) Is this useful enough to write up as RFC ?

As all cases 2-4 are really just authnull, and do not offer anything
for security, I am not sure there is a point in adding them as an RFC.

Note that you can already do this in a standardized way by using
multiple authentications (RFC 4739). I.e., initially do normal authnull
and include MULTIPLE_AUTH_SUPPORTED in the IKE_SA_INIT response and 1st
IKE_AUTH request. If both included it, then you know they have
certificates, thus you can do a 2nd round of authentication by adding
ANOTHER_AUTH_FOLLOWS too to the 1st IKE_AUTH request.

Then you do a 2nd IKE_AUTH exchange which does the certificate based
authentication.

This has exactly the same (bad) security properties as what you are
doing, meaning a man in the middle can still remove the payloads and
cause us to fall back to authnull, but at least it uses an already
specified protocol.

      Initiator                   Responder
     -----------                 -----------
      1. HDR, SA, KE, Ni -->
                              <--  2. HDR, SA, KE, Nr, [CERTREQ],
                                           N(MULTIPLE_AUTH_SUPPORTED)
      3. HDR, SK { IDi, [CERT+], [CERTREQ+], [IDr], AUTH,
                   SA, TSi, TSr, N(MULTIPLE_AUTH_SUPPORTED),
                   N(ANOTHER_AUTH_FOLLOWS) }  -->
                              <-- 4. HDR, SK { IDr, [CERT+], AUTH }
      5. HDR, SK { IDi, [CERT+], AUTH }  -->
                              <-- 6. HDR, SK { SA, TSi, TSr }

> 2) Are we correct with our assumption that you either end up on mutual
>     authnull or with mutual authentication, or do people believe there
>     is a use case for asymmetric authentication as well, in which case
>     the responder could also send AUTH plus N(AUTHNULL)

Actually doesn't that automatically already happen with authnull? I
mean authentication can be asymmetric, i.e., one end can use
pre-shared keys and the other certificates, and I think authnull also
allows that, i.e., the responder can use certificates to authenticate
himself and the initiator can use authnull. At least the Introduction
section lists all those asymmetric cases as use cases for NULL auth.

So I do not think you actually need to do MULTIPLE_AUTH_SUPPORTED or
the hacks you are doing.

Are the certificates signed by known trust anchor, and is that trust
anchor already configured in all nodes initially?

If so then asymmetric authentication should just work. I.e., in case 2
the initiator will authenticate himself with certificates, and the
responder can verify that, but still use NULL auth himself. In case 4
it will be the other way around.

On the other hand, if you do not have trust anchors installed and you
need to find that out during the handshake, you can use whether you
get CERTREQs in the exchange to indicate that the other end has proper
trust anchors installed: if you do not get trust anchors matching
your certificate from the other end you use NULL auth, and if you do
get matching trust anchors and you have a certificate, then you use
signatures.

Or am I missing something now?
-- 
kivinen@iki.fi
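As an added example (not code from this thread, from libreswan or from any IKE implementation), the following Python models the five authby cases Paul listed against the policy logic Tero describes above: each peer's authby, whether it holds a certificate and a trust anchor, the CERTREQ signal, and what happens when an on-path party strips that signal. The names `Peer`, `negotiate` and `pauls_cases` are hypothetical, and the model assumes, as Tero's question does, that every node already has the trust anchor installed.

```python
"""Policy model for the authnull -> certificate upgrade cases in the thread.

Added example, not code from the thread, from libreswan or from any IKE
stack. It models only the decision logic Tero describes: each peer's authby=
(the methods it may use for itself and will accept from the other end),
whether it holds a certificate and a trust anchor, and what an on-path party
that strips the optional "I can verify certificates" signal (the CERTREQ
payload, or the RFC 4739 notifies) can force. It cannot model forging an
AUTH payload, because preventing that is what AUTH is for.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

NULL, CERT = "authnull", "cert"
Outcome = Optional[Tuple[str, str]]  # (initiator method, responder method), or None


@dataclass(frozen=True)
class Peer:  # hypothetical name, not a libreswan type
    name: str
    authby: FrozenSet[str]   # methods this peer uses itself and accepts from the other end
    has_cert: bool           # holds a certificate it could present
    trust_anchor: bool       # holds the CA needed to verify the other end's certificate

    def sends_certreq(self) -> bool:
        """A CERTREQ is only meaningful when the sender could verify the answer."""
        return self.trust_anchor

    def choose_method(self, certreq_seen: bool) -> Optional[str]:
        """How this peer authenticates itself. Tero's heuristic: use signatures
        when the other end signalled a usable trust anchor. A peer whose authby
        has no null option uses its certificate regardless, since it has no
        weaker method to fall back to."""
        if CERT in self.authby and self.has_cert and (certreq_seen or NULL not in self.authby):
            return CERT
        if NULL in self.authby:
            return NULL
        return None  # nothing it is allowed to do: the exchange fails

    def accepts(self, method: str) -> bool:
        """Verify the other end's AUTH: null is accepted only when authby allows
        it; a certificate only when a trust anchor can validate it."""
        if method == NULL:
            return NULL in self.authby
        return self.trust_anchor


def negotiate(init: Peer, resp: Peer, strip_certreq: bool = False) -> Outcome:
    """One IKE_SA_INIT + IKE_AUTH run. The responder's CERTREQ travels in
    message 2, the initiator's in message 3. An on-path party can delete
    those (strip_certreq=True) but cannot forge an AUTH payload."""
    certreq_to_init = resp.sends_certreq() and not strip_certreq
    certreq_to_resp = init.sends_certreq() and not strip_certreq
    im = init.choose_method(certreq_to_init)
    rm = resp.choose_method(certreq_to_resp)
    if im is None or rm is None:
        return None
    if not resp.accepts(im) or not init.accepts(rm):
        return None
    return im, rm


def pauls_cases() -> Dict[int, Tuple[Peer, Peer]]:
    """The five initiator -> responder configurations listed above. A node gets
    a certificate exactly when 'cert' appears in its authby (constructed input)."""
    def p(name: str, *methods: str) -> Peer:
        return Peer(name, frozenset(methods), has_cert=CERT in methods, trust_anchor=True)
    return {
        1: (p("i", NULL), p("r", NULL)),
        2: (p("i", NULL, CERT), p("r", NULL)),
        3: (p("i", NULL, CERT), p("r", NULL, CERT)),
        4: (p("i", NULL), p("r", NULL, CERT)),
        5: (p("i", CERT), p("r", CERT)),
    }


def outcomes(strip_certreq: bool = False) -> Dict[int, Outcome]:
    return {n: negotiate(i, r, strip_certreq) for n, (i, r) in pauls_cases().items()}


def downgradable_cases() -> set:
    """Cases whose result changes when the CERTREQ signal is stripped: these
    are the ones that are 'just authnull' from a security point of view."""
    honest, stripped = outcomes(False), outcomes(True)
    return {n for n in honest if honest[n] != stripped[n]}


if __name__ == "__main__":
    for n in sorted(pauls_cases()):
        print(n, "honest:", outcomes(False)[n], "certreq stripped:", outcomes(True)[n])
    print("downgradable:", sorted(downgradable_cases()))  # [2, 3, 4]
```

Only case 5 keeps its result when the signal is stripped; cases 2 to 4 collapse to case 1, which is the point Tero makes about requiring authentication rather than merely offering it.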


From nobody Thu Jul 19 09:02:24 2018
Message-ID: <23376.46576.556092.395987@fireball.acr.fi>
Date: Thu, 19 Jul 2018 19:01:52 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Scott Fluhrer \(sfluhrer\)" <sfluhrer@cisco.com>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, "'Paul Wouters'" <paul@nohats.ca>, "ipsec\@ietf.org" <ipsec@ietf.org>
In-Reply-To: <ce9358f8e1db4a48be30173cb842e71d@XCH-RTP-006.cisco.com>
References: <23375.48539.497803.842773@fireball.acr.fi> <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca> <056101d41f6b$c37e67f0$4a7b37d0$@gmail.com> <ce9358f8e1db4a48be30173cb842e71d@XCH-RTP-006.cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/XkJ6iV7lQw2eesca22S5IYc4OFo>
Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes

Scott Fluhrer (sfluhrer) writes:
> "I put it in there because we reused an existing key update
> mechanism, and as that mechanism used nonces, we included them"

Updated to:


Valery: I like it. You outlined that you send a Nonce payload for each
	KE exchange, and do not reuse the one from IKE_SA_INIT. Is it
	necessary for security?

Scott: No, but I put it in there because we reused an existing key
       update mechanism, and as that mechanism used nonces, we
       included them.

> I don't know if we really thought about it; the mechanism needed
> nonces, so we included them. We didn't really consider reusing
> previously exchanged nonces...
> 
> If you ask my opinion, I think it's cleaner if we use fresh nonces;
> however I do not believe that there is any security difference. 

I agree on that, and we might have cases where there might be security
reasons to do it, for example the nonce length required might be
different (i.e., some method requiring exactly 512 bits of nonces,
i.e., 256 bits from both ends).
-- 
kivinen@iki.fi


From nobody Thu Jul 19 09:13:53 2018
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: IKE_AUX comments
Date: Thu, 19 Jul 2018 16:11:22 +0000
Message-ID: <094A8A21-D156-460E-B011-910F1BFC756F@isara.com>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com> <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com> <055c01d41f6a$dc6e7d50$954b77f0$@gmail.com>
In-Reply-To: <055c01d41f6a$dc6e7d50$954b77f0$@gmail.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_094A8A21D156460EB011910F1BFC756Fisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nB0IIpf62yKD8XpEcYww92d-DEs>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 16:13:44 -0000



From nobody Thu Jul 19 10:48:57 2018
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Date: Thu, 19 Jul 2018 13:48:49 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <ce9358f8e1db4a48be30173cb842e71d@XCH-RTP-006.cisco.com>
Message-ID: <alpine.LRH.2.21.1807191347320.10582@bofh.nohats.ca>
References: <23375.48539.497803.842773@fireball.acr.fi> <alpine.LRH.2.21.1807190941150.21273@bofh.nohats.ca> <056101d41f6b$c37e67f0$4a7b37d0$@gmail.com> <ce9358f8e1db4a48be30173cb842e71d@XCH-RTP-006.cisco.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/EAdyTyg39yi5deizhhVDtOS8b9c>
Subject: Re: [IPsec] IPsecME@IETF102 Montreal meeting minutes
X-List-Received-Date: Thu, 19 Jul 2018 17:48:56 -0000

On Thu, 19 Jul 2018, Scott Fluhrer (sfluhrer) wrote:

> If you ask my opinion, I think it's cleaner if we use fresh nonces; however I do not believe that there is any security difference.

Yes, let us never ever re-use nonces just to make it super clear what a
nonce is, even if it would be harmless.

Paul


From nobody Thu Jul 19 11:09:31 2018
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Date: Thu, 19 Jul 2018 14:09:21 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>, Tommy Pauly <tpauly@apple.com>
In-Reply-To: <153201163536.5326.15945035511748956971@ietfa.amsl.com>
Message-ID: <alpine.LRH.2.21.1807191351180.10582@bofh.nohats.ca>
References: <153201163536.5326.15945035511748956971@ietfa.amsl.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AbaukBNH0pn2I9rcIY_jkr76U1U>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-11.txt
X-List-Received-Date: Thu, 19 Jul 2018 18:09:30 -0000

On Thu, 19 Jul 2018, internet-drafts@ietf.org wrote:

> Subject: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-11.txt

> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-11

This is probably wrong:

 	Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
 	INTERNAL_DNS_DOMAIN attribute MUST be ignored and treated as a protocol error.

Because you can have more than one INTERNAL_DNSSEC_TA for one domain.
Instead, it should read:

 	Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
 	INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying to
 	the same domain name MUST be ignored and treated as a protocol error.

From the previous diff, I'm confused about:

 	IKE clients MUST use a preconfigured whitelist of one or more domain
 	which it will allow INTERNAL_DNSSEC_TA updates.

It could have an empty white list and use direct IP without split-dns?
Or use the VPN as an "encrypted DNS" provider for everything (which is
allowed according to the spec, that is it does not violate a MUST NOT).

Also, since we allow signaling of "upgrade your IKE config out of band"
if you see a new unconfigured domain name in the reply, it could be that
you start with 0 and get a new one. Which also requires an empty list.

Paul


From nobody Thu Jul 19 11:32:37 2018
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Date: Thu, 19 Jul 2018 14:32:26 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Tero Kivinen <kivinen@iki.fi>
cc: "ipsec@ietf.org WG" <ipsec@ietf.org>,  Vukasin Karadzic <vukasin.karadzic@gmail.com>
In-Reply-To: <23376.46182.215462.817479@fireball.acr.fi>
Message-ID: <alpine.LRH.2.21.1807191422490.18666@bofh.nohats.ca>
References: <alpine.LRH.2.21.1807190952200.21273@bofh.nohats.ca> <23376.46182.215462.817479@fireball.acr.fi>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/UwGVM62P4PWWuiMMh3qt4Tex1J0>
Subject: Re: [IPsec] Mutual authnull to mutual authenticated upgrade
X-List-Received-Date: Thu, 19 Jul 2018 18:32:36 -0000

On Thu, 19 Jul 2018, Tero Kivinen wrote:

> Paul Wouters writes:
>> So we have the following possibilities:
>>
>> 1) authby=authnull -> authby=authnull
>> 2) authby=authnull,cert -> authby=authnull
>> 3) authby=authnull,cert -> authby=authnull,cert  (must yield real authentication)
>> 4) authby=authnull -> authby=authnull,cert
>
> Actually all of those (including the last one) are just authnull
> always. If you do not require authentication then a man-in-the-middle
> attacker can just modify the exchange so that authnull is the only one
> offered.

You can prefer authentication over unauthenticated. You could do
different things. But yes, this is a migration path that mostly
avoids some kind of flag day or a rollout where one non-updated
node prevents the whole network from using authenticated communication.

>> 1 and 5 are existing known working deployments.
>
> And 2-4 are exactly same as 1 from security point of view.

No, a cert-cert connection is still proving there is no MITM :P

> Note, that you can already do this in standardized ways by using
> multiple authentications RFC 4739. I.e., initially do normal authnull
> and include MULTIPLE_AUTH_SUPPORTED in IKE_SA_INIT response and 1st
> IKE_AUTH request. If both included it, then you know they have
> certificates, thus you can do 2nd round of authentication by adding
> ANOTHER_AUTH_FOLLOWS too to the 1st IKE_AUTH request.
>
> Then you do 2nd IKE_AUTH exchange which does the certificate based
> authentication.

I guess we did not support that, but it is a fair point.

>> 2) Are we correct with our assumption that you either end up on mutual
>>     authnull or with mutual authentication, or do people believe there
>>     is a use case for asymmetric authentication as well, in which case
>>     the responder could also send AUTH plus N(AUTHNULL)
>
> Actually doesn't that automatically already happen with authnull? I
> mean authentication can be asymmetric, i.e., one end can use
> pre-shared keys and another certificates, and I think authnull also
> allows that, i.e., responder can use certificates to authenticate
> himself and initiator can use authnull. At least Introduction section
> lists all those asymmetric cases as uses cases for NULL auth.

That doesn't end up favouring authenticated over authnull. See above
disagreement that this matters :)

> Are the certificates signed by known trust anchor, and is that trust
> anchor already configured in all nodes initially?

No. Some nodes still have no certificates whatsoever, and some nodes
have been updated to have certificates.

> On the other hand if you have no trust anchors installed and you need
> to find that out during the handshake, you can use the fact whether
> you get CERTREQs in the exchange to indicate that the other end has proper
> trust anchors installed, and if you do not get trust anchors matching
> your certificate from the other end you use NULL auth, and if you do get
> matching trust anchors and you have a certificate, then you use
> signatures.

Some implementations always send CERTREQs even if they only allow PSK,
in case the other end wants to use CERT based auth while this end
uses something else (e.g. PSK or NULL).

Paul


From nobody Thu Jul 19 13:22:36 2018
Return-Path: <tpauly@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <alpine.LRH.2.21.1807191351180.10582@bofh.nohats.ca>
Date: Thu, 19 Jul 2018 16:22:27 -0400
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-id: <AB7F335A-B1B9-4359-BC25-7EEE2878FBB7@apple.com>
References: <153201163536.5326.15945035511748956971@ietfa.amsl.com> <alpine.LRH.2.21.1807191351180.10582@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3445.100.13.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uNkpUWQax-Uq1xEzfc0wGew_M_w>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-11.txt
X-List-Received-Date: Thu, 19 Jul 2018 20:22:34 -0000

> On Jul 19, 2018, at 2:09 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Thu, 19 Jul 2018, internet-drafts@ietf.org wrote:
> 
>> Subject: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-11.txt
> 
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-11
> 
> This is probably wrong:
> 
> 	Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
> 	INTERNAL_DNS_DOMAIN attribute MUST be ignored and treated as a protocol error.
> 
> Because you can have more than one INTERNAL_DNSSEC_TA for one domain.
> Instead, it should read:
> 
> 	Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
> 	INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying to
> 	the same domain name MUST be ignored and treated as a protocol error.

Good point, agreed on this text.
> 
> From the previous diff, I'm confused about:
> 
> 	IKE clients MUST use a preconfigured whitelist of one or more domain
> 	which it will allow INTERNAL_DNSSEC_TA updates.
> 
> It could have an empty white list and use direct IP without split-dns ?
> Or use the VPN as an "encrypted DNS" provider for everything (which is
> allowed according to the spec, that is it does not violate a MUST NOT)
> 
> Also, since we allow signaling of "upgrade your IKE config out of band"
> if you see a new unconfigured domain name in the reply, it could be that
> you start with 0 and get a new one. Which also requires an empty list.

That's fair. Can you propose a sentence here to replace with?

Tommy
> 
> Paul
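The attribute-ordering rule Paul proposes above (and Tommy agrees to), plus the whitelist handling Paul raises, as an added Python example; this is not code from the thread, from the split-dns draft or from any IKE implementation. The attribute names are the draft's; the list representation of the CFG_REPLY, the sample domain names, the INTERNAL_IP4_DNS filler attribute and the trust-anchor values are constructed for this example, and the empty-whitelist behaviour follows Paul's reading rather than the draft's "one or more" wording.

```python
from typing import Dict, List, Tuple

# Attribute names from the split-dns draft; INTERNAL_IP4_DNS is a standard IKEv2 CP
# attribute (RFC 7296) used in the samples only as "some other attribute".
INTERNAL_DNS_DOMAIN = "INTERNAL_DNS_DOMAIN"
INTERNAL_DNSSEC_TA = "INTERNAL_DNSSEC_TA"


class ProtocolError(ValueError):
    """Raised when the attribute ordering rule is violated."""


def canonical(domain: str) -> str:
    """Case-insensitive comparison key for a domain name, without a trailing dot."""
    return domain.lower().rstrip(".")


def group_trust_anchors(attributes: List[Tuple[str, object]]) -> Dict[str, list]:
    """Paul's proposed rule: an INTERNAL_DNSSEC_TA is only valid when the attribute
    immediately before it is the INTERNAL_DNS_DOMAIN it applies to, or another
    INTERNAL_DNSSEC_TA applying to that same domain.  Returns {domain: [ta, ...]};
    a domain sent without any TA maps to an empty list."""
    grouped: Dict[str, list] = {}
    current_domain = None            # domain the previous attribute applied to, if any
    for index, (attr_type, value) in enumerate(attributes):
        if attr_type == INTERNAL_DNS_DOMAIN:
            current_domain = canonical(value)
            grouped.setdefault(current_domain, [])
        elif attr_type == INTERNAL_DNSSEC_TA:
            if current_domain is None:
                raise ProtocolError(
                    f"attribute {index}: INTERNAL_DNSSEC_TA is not preceded by an "
                    "INTERNAL_DNS_DOMAIN or a trust anchor for the same domain")
            grouped[current_domain].append(value)
        else:
            current_domain = None    # any other attribute ends the domain's TA run
    return grouped


def accepted_trust_anchors(attributes, whitelist: List[str]) -> Tuple[Dict[str, list], List[str]]:
    """Apply the client's preconfigured whitelist.  The whitelist may be empty (Paul's
    'start with 0' case): then no TA is installed, but the domains the server offered
    TAs for are still reported so the client can ask for an out-of-band config update."""
    allowed = {canonical(d) for d in whitelist}
    grouped = group_trust_anchors(attributes)
    accepted = {d: tas for d, tas in grouped.items() if tas and d in allowed}
    needs_config = sorted(d for d, tas in grouped.items() if tas and d not in allowed)
    return accepted, needs_config


# Constructed sample CFG_REPLY attribute lists; the TA values are placeholders, not
# real DNSSEC trust anchors.
SAMPLE_REPLY = [
    ("INTERNAL_IP4_DNS", "10.0.0.53"),
    (INTERNAL_DNS_DOMAIN, "corp.example"),
    (INTERNAL_DNSSEC_TA, b"ta-corp-ksk-1"),
    (INTERNAL_DNSSEC_TA, b"ta-corp-ksk-2"),    # second TA for the same domain: allowed
    (INTERNAL_DNS_DOMAIN, "Lab.Example."),     # same name in a different spelling
    (INTERNAL_DNSSEC_TA, b"ta-lab-ksk-1"),
]
ORPHAN_TA_REPLY = [
    ("INTERNAL_IP4_DNS", "10.0.0.53"),
    (INTERNAL_DNSSEC_TA, b"ta-orphan"),        # no domain before it: protocol error
]
INTERRUPTED_RUN_REPLY = [
    (INTERNAL_DNS_DOMAIN, "corp.example"),
    ("INTERNAL_IP4_DNS", "10.0.0.53"),         # breaks the run ...
    (INTERNAL_DNSSEC_TA, b"ta-corp-ksk-1"),    # ... so this TA is a protocol error too
]


if __name__ == "__main__":
    print(accepted_trust_anchors(SAMPLE_REPLY, ["corp.example"]))
    print(accepted_trust_anchors(SAMPLE_REPLY, []))
```

The grouping treats a run of INTERNAL_DNSSEC_TA attributes after an INTERNAL_DNS_DOMAIN as applying to that domain, which is what "another INTERNAL_DNSSEC_TA attribute applying to the same domain name" amounts to in a flat attribute list; any other attribute type ends the run, so a TA after it is rejected exactly as an orphan TA is.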


From nobody Thu Jul 19 14:14:34 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23376.65312.60499.594483@fireball.acr.fi>
Date: Fri, 20 Jul 2018 00:14:08 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec\@ietf.org WG" <ipsec@ietf.org>, Vukasin Karadzic <vukasin.karadzic@gmail.com>
In-Reply-To: <alpine.LRH.2.21.1807191422490.18666@bofh.nohats.ca>
References: <alpine.LRH.2.21.1807190952200.21273@bofh.nohats.ca> <23376.46182.215462.817479@fireball.acr.fi> <alpine.LRH.2.21.1807191422490.18666@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 6 min
X-Total-Time: 6 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/oKAQhnh6t3qYotldulisg2Ro2p4>
Subject: Re: [IPsec] Mutual authnull to mutual authenticated upgrade
X-List-Received-Date: Thu, 19 Jul 2018 21:14:32 -0000

Paul Wouters writes:
> >> 2) Are we correct with our assumption that you either end up on mutual
> >>     authnull or with mutual authentication, or do people believe there
> >>     is a use case for asymmetric authentication as well, in which case
> >>     the responder could also send AUTH plus N(AUTHNULL)
> >
> > Actually doesn't that automatically already happen with authnull? I
> > mean authentication can be asymmetric, i.e., one end can use
> > pre-shared keys and another certificates, and I think authnull also
> > allows that, i.e., responder can use certificates to authenticate
> > himself and initiator can use authnull. At least Introduction section
> > lists all those asymmetric cases as uses cases for NULL auth.
> 
> That doesn't end up favouring authenticated over authnull. See above
> disagreement that this matters :)

I think it does. See below.

> > Are the certificates signed by known trust anchor, and is that trust
> > anchor already configured in all nodes initially?
> 
> No. Some nodes still have no certificates whatsoever, and some nodes
> have been updated to have certificates.

Ok.

> > On the other hand if you have not trust anchors installed and you need
> > to find that out during the handshake, you can use the fact whether
> > you get CERTREQs in the exchange to indicate that other end has proper
> > trust anchors installed, and if you do not get trust anchors matching
> > your certificate from the other you use NULL auth, and if you do get
> > matching trust anchors and you have certificate, then you use
> > signatures.
> 
> Some implementations always send CERTREQs even if they only allow PSK,
> in case the other end wants to use CERT based auth while this end
> uses something else (eg psk or null)

So how do they manage to send CERTREQs with hashes in them matching
your trust anchor, if they have not been configured with that trust
anchor?

If you have manually configured them to send CERTREQs with trust
anchor hashes you do not trust, then I think that is a configuration
error and it must be fixed.

I.e., if you see a CERTREQ which has a hash matching the trust anchor that
signed your certificate, then you can quite safely assume that the
other end does support certificates and has the required trust anchor
installed, so you can always use certificate based authentication
yourself. This will cause you to favor certificate based
authentication over auth null if it is possible.

If the remote end sends an empty CERTREQ, then fix the configuration in the
other end so it will include the hashes of the trust anchors instead.
It should be easier to do that than to implement a new protocol...
-- 
kivinen@iki.fi
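
The decision rule described in the message above, as an added example
that is not code from the thread or from any IKEv2 implementation. It
builds and parses a CERTREQ payload and picks signature authentication
only when the peer's CERTREQ carries the hash of the CA that issued our
own certificate. Per RFC 7296 section 3.7, for Cert Encoding 4 (X.509
Certificate - Signature) the Certification Authority field is a
concatenation of 20-octet SHA-1 hashes, each over the DER
SubjectPublicKeyInfo of a trusted CA. The SPKI byte strings, the helper
names and the "no CERTREQ means NULL auth" fallback are assumptions of
this example.

```python
"""Added example: prefer certificate (signature) authentication over NULL
authentication based on the trust-anchor hashes in the peer's CERTREQ.
Not from the thread or any implementation; SPKIs below are placeholders."""
import hashlib
import struct

X509_SIGNATURE = 4  # Cert Encoding: X.509 Certificate - Signature
HASH_LEN = 20       # SHA-1 digest length; the CA field is N * 20 octets


def ca_hash(spki_der: bytes) -> bytes:
    """SHA-1 of a trust anchor's SubjectPublicKeyInfo, as CERTREQ carries it."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(trust_anchor_spkis, next_payload=0) -> bytes:
    """Encode a CERTREQ payload: generic payload header (Next Payload,
    Critical/Reserved, Length) + Cert Encoding + CA hashes.
    An empty list yields the 'empty CERTREQ' the message above complains
    about: the peer accepts certificates but names no trust anchor."""
    ca_field = b"".join(ca_hash(spki) for spki in trust_anchor_spkis)
    body = bytes([X509_SIGNATURE]) + ca_field
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))
    return header + body


def parse_certreq(payload: bytes):
    """Return (cert_encoding, [hash, ...]); reject malformed payloads."""
    if len(payload) < 5:
        raise ValueError("CERTREQ shorter than header + Cert Encoding")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("CERTREQ length field does not match payload size")
    encoding = payload[4]
    ca_field = payload[5:]
    if encoding == X509_SIGNATURE and len(ca_field) % HASH_LEN:
        raise ValueError("CA field is not a multiple of 20 octets")
    hashes = [ca_field[i:i + HASH_LEN] for i in range(0, len(ca_field), HASH_LEN)]
    return encoding, hashes


def choose_auth(peer_certreq, my_issuer_spki, have_certificate) -> str:
    """Return 'signature' when the peer's CERTREQ names the CA that signed
    our certificate, otherwise 'null' (NULL authentication).

    my_issuer_spki: DER SPKI of the CA that issued our own certificate.
    No CERTREQ, or an empty one, gives no evidence that the peer trusts
    our CA, so certificates cannot be preferred on that basis (assumption)."""
    if not have_certificate or peer_certreq is None:
        return "null"
    encoding, hashes = parse_certreq(peer_certreq)
    if encoding != X509_SIGNATURE or not hashes:
        return "null"
    return "signature" if ca_hash(my_issuer_spki) in hashes else "null"


# Constructed sample trust anchors (placeholders standing in for DER SPKIs).
CORP_CA_SPKI = b"constructed SubjectPublicKeyInfo of the corp root CA"
OTHER_CA_SPKI = b"constructed SubjectPublicKeyInfo of an unrelated CA"


def demo():
    """Run the situations discussed above; returns the decision per case."""
    trusts_ours = build_certreq([OTHER_CA_SPKI, CORP_CA_SPKI])
    trusts_other = build_certreq([OTHER_CA_SPKI])
    empty = build_certreq([])
    return {
        "peer lists our CA": choose_auth(trusts_ours, CORP_CA_SPKI, True),
        "peer lists another CA": choose_auth(trusts_other, CORP_CA_SPKI, True),
        "peer sends empty CERTREQ": choose_auth(empty, CORP_CA_SPKI, True),
        "peer sends no CERTREQ": choose_auth(None, CORP_CA_SPKI, True),
        "we have no certificate": choose_auth(trusts_ours, CORP_CA_SPKI, False),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The rule only works if the peer's CERTREQ reflects what it actually
trusts; a peer that advertises anchors while allowing only PSK, the case
raised earlier in the thread, is the configuration error the message
above says must be fixed rather than something this check can detect.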


From nobody Sun Jul 22 12:01:34 2018
Date: Sun, 22 Jul 2018 15:01:16 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Tommy Pauly <tpauly@apple.com>
cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <AB7F335A-B1B9-4359-BC25-7EEE2878FBB7@apple.com>
Message-ID: <alpine.LRH.2.21.1807221453310.5582@bofh.nohats.ca>
References: <153201163536.5326.15945035511748956971@ietfa.amsl.com> <alpine.LRH.2.21.1807191351180.10582@bofh.nohats.ca> <AB7F335A-B1B9-4359-BC25-7EEE2878FBB7@apple.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/GMNe-6iHou-e2ZnLKbc3YBChu5Y>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-11.txt

On Thu, 19 Jul 2018, Tommy Pauly wrote:

>> Because you can have more than one INTERNAL_DNSSEC_TA for one domain.
>> Instead, it should read:
>>
>> 	Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
>> 	INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying to
>> 	the same domain name MUST be ignored and treated as a protocol error.
>
> Good point, agreed on this text.
>>
>> From the previous diff, I'm confused about:
>>
>> 	IKE clients MUST use a preconfigured whitelist of one or more domain
>> 	which it will allow INTERNAL_DNSSEC_TA updates.
>>
>> It could have an empty white list and use direct IP without split-dns ?
>> Or use the VPN as an "encrypted DNS" provider for everything (which is
>> allowed according to the spec, that is it does not violate a MUST NOT)
>>
>> Also, since we allow signaling of "upgrade your IKE config out of band"
>> if you see a new unconfigured domain name in the reply, it could be that
>> you start with 0 and get a new one. Which also requires an empty list.
>
> That's fair. Can you propose a sentence here to replace with?

How about:

IKE clients willing to accept INTERNAL_DNSSEC_TA updates MUST use a
whitelist of one or more domains that can be updated. IKE clients with
an empty whitelist MUST NOT accept any INTERNAL_DNSSEC_TA and MUST NOT
use any INTERNAL_DNSSEC_TA received over IKE. Such clients MAY interpret
receiving an INTERNAL_DNSSEC_TA for a non-whitelisted domain as a trigger
to update their local configuration out of band.

The only issue left I see is that it is kind of weird that we would
allow domain redirection (e.g. google.com to 192.168.1.1) but not
INTERNAL_DNSSEC_TA redirection. So my question is still, should this
whitelist text apply to INTERNAL_DNSSEC_TA or to both INTERNAL_DNS_DOMAIN
and INTERNAL_DNSSEC_TA?

Paul


From nobody Sun Jul 22 12:41:30 2018
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <alpine.LRH.2.21.1807221453310.5582@bofh.nohats.ca>
Date: Sun, 22 Jul 2018 12:41:23 -0700
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-id: <5E206E3B-9871-49C1-8EF3-23355ED60437@apple.com>
References: <153201163536.5326.15945035511748956971@ietfa.amsl.com> <alpine.LRH.2.21.1807191351180.10582@bofh.nohats.ca> <AB7F335A-B1B9-4359-BC25-7EEE2878FBB7@apple.com> <alpine.LRH.2.21.1807221453310.5582@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3445.100.13.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/K37_ddYUNDZFeoBt0Xa-UyXC2v4>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-11.txt

> On Jul 22, 2018, at 12:01 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Thu, 19 Jul 2018, Tommy Pauly wrote:
> 
>>> Because you can have more than one INTERNAL_DNSSEC_TA for one domain.
>>> Instead, it should read:
>>> 
>>> 	Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
>>> 	INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying to
>>> 	the same domain name MUST be ignored and treated as a protocol error.
>> 
>> Good point, agreed on this text.
>>> 
>>> From the previous diff, I'm confused about:
>>> 
>>> 	IKE clients MUST use a preconfigured whitelist of one or more domain
>>> 	which it will allow INTERNAL_DNSSEC_TA updates.
>>> 
>>> It could have an empty white list and use direct IP without split-dns ?
>>> Or use the VPN as an "encrypted DNS" provider for everything (which is
>>> allowed according to the spec, that is it does not violate a MUST NOT)
>>> 
>>> Also, since we allow signaling of "upgrade your IKE config out of band"
>>> if you see a new unconfigured domain name in the reply, it could be that
>>> you start with 0 and get a new one. Which also requires an empty list.
>> 
>> That's fair. Can you propose a sentence here to replace with?
> 
> How about:
> 
> IKE clients willing to accept INTERNAL_DNSSEC_TA updates MUST use a
> whitelist of one or more domains that can be updated. IKE clients with
> an empty whitelist MUST NOT accept any INTERNAL_DNSSEC_TA and MUST NOT
> use any INTERNAL_DNSSEC_TA received over IKE. Such clients MAY interpret
> receiving an INTERNAL_DNSSEC_TA for a non-whitelisted domain as a trigger
> to update their local configuration out of band.

That sounds fine to me.
> 
> The only issue left I see is that it is kind of weird that we would
> allow domain redirection (e.g. google.com to 192.168.1.1) but not
> INTERNAL_DNSSEC_TA redirection. So my question is still, should this
> whitelist text apply to INTERNAL_DNSSEC_TA or to both INTERNAL_DNS_DOMAIN
> and INTERNAL_DNSSEC_TA?

I'd rather not add this restriction to the normal DNS domain redirection,
since claiming a DNS domain for resolution does not imply changing the
trust/validation properties of that domain. Moreover, since by default
all DNS queries will be sent to the VPN's DNS server, INTERNAL_DNS_DOMAIN
strictly reduces the set of domains that will be resolved using the VPN's
DNS server. INTERNAL_DNSSEC_TA does add some new properties, and thus is
not merely a reduction.

Thanks,
Tommy

> 
> Paul
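
The attribute-processing rules discussed in the two messages above (the
"immediately preceded by" rule for INTERNAL_DNSSEC_TA, the whitelist
with an empty list accepting no trust anchors, and no whitelist for
INTERNAL_DNS_DOMAIN itself), as an added example that is not code from
the split-dns draft or from any IKE implementation. Attribute names are
used as type tags instead of IANA code points, the value layouts, helper
names and the sample CFG_REPLY are constructed for this example, and
letting a subdomain match a whitelisted name is an assumption the draft
text quoted above does not settle.

```python
"""Added example: client-side handling of INTERNAL_DNS_DOMAIN and
INTERNAL_DNSSEC_TA attributes in a CFG_REPLY. Not from the draft or any
implementation; attribute tags, value layouts and sample data are constructed."""

INTERNAL_DNS_DOMAIN = "INTERNAL_DNS_DOMAIN"
INTERNAL_DNSSEC_TA = "INTERNAL_DNSSEC_TA"


def normalize(domain: str) -> str:
    """Compare names case-insensitively and without a trailing dot."""
    return domain.lower().rstrip(".")


def domain_whitelisted(domain: str, whitelist) -> bool:
    """True if domain is a whitelisted name or lies under one.
    Assumption: the draft does not say whether subdomains count."""
    d = normalize(domain)
    return any(d == w or d.endswith("." + w) for w in map(normalize, whitelist))


def process_cfg_reply(attrs, ta_whitelist):
    """attrs: list of (attribute_type, value) in wire order.
    INTERNAL_DNS_DOMAIN value: domain name string.
    INTERNAL_DNSSEC_TA value: (key_tag, algorithm, digest_type, digest_hex).
    Returns the accepted split-DNS domains, accepted trust anchors per
    domain, the protocol errors seen and the out-of-band update hints."""
    result = {"domains": [], "trust_anchors": {}, "errors": [], "update_hint": set()}
    ta_domain = None  # domain a directly following INTERNAL_DNSSEC_TA applies to
    for attr_type, value in attrs:
        if attr_type == INTERNAL_DNS_DOMAIN:
            ta_domain = normalize(value)
            result["domains"].append(ta_domain)  # claims resolution only, no whitelist
        elif attr_type == INTERNAL_DNSSEC_TA:
            if ta_domain is None:
                # not immediately preceded by a domain or a TA for that domain
                result["errors"].append(("INTERNAL_DNSSEC_TA without domain", value))
                continue  # MUST be ignored
            if not ta_whitelist or not domain_whitelisted(ta_domain, ta_whitelist):
                result["update_hint"].add(ta_domain)  # MAY trigger out-of-band update
                continue  # MUST NOT be used; an empty whitelist rejects all
            result["trust_anchors"].setdefault(ta_domain, []).append(value)
        else:
            ta_domain = None  # any other attribute breaks the domain/TA run
    return result


# Constructed CFG_REPLY: the gateway claims three domains and sends four
# trust anchors, one of them misplaced behind an INTERNAL_IP4_DNS.
SAMPLE_CFG_REPLY = [
    ("INTERNAL_IP4_DNS", "10.0.0.53"),
    (INTERNAL_DNS_DOMAIN, "corp.example"),
    (INTERNAL_DNSSEC_TA, (12345, 13, 2, "ab" * 32)),
    (INTERNAL_DNSSEC_TA, (23456, 13, 2, "cd" * 32)),  # second TA, same domain
    (INTERNAL_DNS_DOMAIN, "lab.example"),
    ("INTERNAL_IP4_DNS", "10.0.1.53"),
    (INTERNAL_DNSSEC_TA, (34567, 8, 2, "ef" * 32)),   # misplaced: protocol error
    (INTERNAL_DNS_DOMAIN, "Other.Example."),
    (INTERNAL_DNSSEC_TA, (45678, 13, 2, "01" * 32)),  # domain not whitelisted
]

if __name__ == "__main__":
    for wl in ({"corp.example"}, set()):
        r = process_cfg_reply(SAMPLE_CFG_REPLY, wl)
        print(f"whitelist={sorted(wl)}: anchors for {sorted(r['trust_anchors'])}, "
              f"{len(r['errors'])} error(s), update hint for {sorted(r['update_hint'])}")
```

With the whitelist set to corp.example only the two anchors for that
domain are installed, the misplaced anchor is logged as a protocol error,
and other.example is reported as a candidate for an out-of-band
configuration update; with an empty whitelist no anchor is installed but
every claimed domain is still accepted for split-DNS resolution.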


From nobody Wed Jul 25 06:03:20 2018
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer@cisco.com>, <ipsec@ietf.org>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com> <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com> <055c01d41f6a$dc6e7d50$954b77f0$@gmail.com> <094A8A21-D156-460E-B011-910F1BFC756F@isara.com>
In-Reply-To: <094A8A21-D156-460E-B011-910F1BFC756F@isara.com>
Date: Wed, 25 Jul 2018 16:03:13 +0300
Message-ID: <0ac101d42417$d8f83560$8ae8a020$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0AC2_01D42430.FE4A0140"
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/h6Qdv27aWX0IijjabwEd8UcdQKw>
Subject: Re: [IPsec] IKE_AUX comments

This is a multipart message in MIME format.

------=_NextPart_000_0AC2_01D42430.FE4A0140
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi Daniel,

> > On the other hand, if later some new QSKE method appears, that
> > will have small enough public keys, so that it can be used in
> > IKE_SA_INIT, and IKE_AUX would be used for some purposes other than
> > QSKE, then again the key would not be known to attacker and there
> > would be no reason to restrict the choice of PRFs.
>
> In this example, assuming that one is using a QSKE because they want
> quantum safety, the PRFs will still have to be restricted simply
> because PRF_AES128_XCBC and PRF_AES128_CMAC only provide 64 bits of
> protection against a quantum computer.

Sorry, I should have been more clear. I meant that if tomorrow a new
PRF appears that will provide 128 (or more) bits of security against
quantum computers, but will not be second preimage resistant in case of
known key, then this PRF can be used if IKE_SA_INIT key exchange uses
quantum safe methods and we change all-zero key to SK_pi/SK_pr. I
didn’t mean PRF_AES128_XCBC/CMAC, just some imaginary PRF with the same
properties, but quantum safe.

> > So, my suggestions:
> >
> > 1. use SK_pi/SK_pr as keys for PRF that authenticate IKE_AUX messages
>
> If using IKE_AUX in a non-QSKE use-case then any encrypted payload is
> already protected by the encryption algorithm + integrity algorithm
> (or AEAD encryption), but any unencrypted payloads + the IKE header
> wouldn’t be protected using a 0 key, so your proposal sounds
> reasonable.

Good.

> > 2. don't impose any restrictions on the choice of PRF in the IKE_AUX
> >    draft (but probably write some words in the Security
> >    Considerations)
> > 3. in QSKE document add a restriction on PRF choice, excluding those,
> >    that a) are not secure in PQ world and b) are not secure against
> >    preimage attack in case of known key.
>
> Sounds reasonable, since in order to establish a QS SA there will have
> to be restrictions on encryption/integrity algorithms anyways, with
> the caveat that for encryption/integrity we only have to say “use
> something with 256 bits of security”, whereas for PRF that wouldn’t be
> sufficient if for example PRF_AES256_CMAC became a thing.

OK, if nobody disagrees, I’ll update IKE_AUX draft accordingly.

Regards,
Valery.

> > Any opinions? Scott, Daniel, what do you think about this?
> >
> > Regards,
> > Valery.
> >
> > All three work (that is, they prevent any undetected modifications
> > to the IKE_AUX payloads); I quite understand if (1) would be
> > considered an undesirable option. As for (2) and (3), they are
> > largely the same; (3) limits the PRFs to the ones which include
> > second-preimage-resistant hash functions. I can see the attraction
> > of not requiring a separate negotiation; I’m just worried about
> > someone ignoring our ‘don’t use XCBC/CMAC’ mandate…
> >
> > Also, for (3), you have to be careful to specify which SK_p[ir] to
> > use; in our draft, the IKE_AUX message updates them; the obvious
> > thing to do is specify that you’ll use the SK_p[ir] values that were
> > in effect at the beginning of the IKE_AUX message in question.
> > Actually, for security, we don’t need a secret key; having both
> > sides use, say, an all zero key, would achieve the same security
> > goal, however that does feel weird…
> >
> > Using an all zero key does feel weird, however it could help avoid
> > potential incompatible implementation errors. There are two sets of
> > SK_p[ir] available to use in the case where an IKE_AUX includes a
> > key exchange, the values in effect at the beginning of the IKE_AUX
> > exchange, and the updated values resulting from the IKE_AUX
> > exchange. Depending on the order in which implementations
> > recalculate the SKEYSEED and SK_* keys, vs when they perform the PRF
> > on the IKE_AUX data, the “current” SK_p[ir] values could be the old
> > or new values and so some implementations may have to maintain both
> > the old and new keys until the IKE_AUX digest is calculated. All
> > this is to say, if it doesn’t affect the security it may just be
> > simpler and easier for compatibility to use an all zero key.
> >
> > Regards,
> > Valery.
> >
> > Thanks,
> > Daniel


------=_NextPart_000_0AC2_01D42430.FE4A0140
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 14 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:#0563C1;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0cm;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{mso-style-priority:34;
	margin-top:0cm;
	margin-right:0cm;
	margin-bottom:0cm;
	margin-left:36.0pt;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Calibri","sans-serif";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0cm;
	mso-margin-bottom-alt:auto;
	margin-left:0cm;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.EmailStyle22
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#44546A;}
span.EmailStyle23
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.EmailStyle24
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#44546A;}
span.EmailStyle25
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.EmailStyle26
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.EmailStyle27
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.EmailStyle28
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.EmailStyle29
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#44546A;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
/* List Definitions */
@list l0
	{mso-list-id:638189871;
	mso-list-template-ids:812141800;}
ol
	{margin-bottom:0cm;}
ul
	{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DRU =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Hi =
Daniel,<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><div=
 style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><p class=3DMsoNormal style=3D'margin-left:36.0pt'><span =
lang=3DEN-US>&nbsp;On the other hand, if later some new QSKE method =
appear, that</span><span lang=3DEN-CA =
style=3D'color:#44546A'><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>will have small enough =
public keys, so that it can be used in IKE_SA_INIT,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>and IKE_AUX would be =
used for some purposes other then QSKE,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>then again the key would =
not be known to attacker and there would be</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>no reason to restrict =
the choice of PRFs.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA style=3D'font-size:11.0pt'>In this =
example, assuming that one is using a QSKE because they want quantum =
safety, the PRFs will still have to be restricted simply because =
PRF_AES128_XCBC and PRF_AES128_CMAC only provide 64 bits of protection =
against a quantum computer.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>Sorry, I should have been more =
clear. I meant that if tomorrow a new PRF appears =
<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>that will provide 128 (or more) =
bits of security against quantum computers, but <o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>will not be second preimage =
resistant in case of known key, then this PRF<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>can be used if IKE_SA_INIT key =
exchange uses quantum safe methods<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>and we change all-zero key to =
SK_pi/SK_pr. I didn=E2=80=99t mean =
PRF_AES128_XCBC/CMAC,<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA style=3D'font-size:14.0pt;color:#44546A'>just some =
imaginary PRF with the same properties, but quantum =
safe.<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>So, my suggestions: =
</span><span lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 =
lfo1'><![if !supportLists]><span lang=3DEN-US><span =
style=3D'mso-list:Ignore'>1.<span style=3D'font:7.0pt "Times New =
Roman"'>&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><![endif]><span =
lang=3DEN-US>use SK_pi/SK_pr as keys for PRF that authenticate IKE_AUX =
messages<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>If using IKE_AUX in a non-QSKE use-case then =
any encrypted payload is already protected by the encryption algorithm + =
integrity algorithm (or AEAD encryption), but any unencrypted payloads + =
the IKE header wouldn=E2=80=99t be protected using a 0 key, so your =
proposal sounds reasonable.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>Good.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-US>2. =
don't impose any restrictions on the choice of PRF in the IKE_AUX draft =
</span><span lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span =
lang=3DEN-US>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(but probably write some =
words in the Security Considerations)</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>3. in QSKE document add =
a restriction on PRF choice, excluding those,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>&nbsp;&nbsp;&nbsp; that =
a) are not secure in PQ world and b) are not secure against</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>&nbsp;&nbsp;&nbsp;&nbsp; =
preimage attack in case of known key.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA style=3D'font-size:11.0pt'>Sounds =
reasonable, since in order to establish a QS SA there will have to be =
restrictions on encryption/integrity algorithms anyways, with the caveat =
that for encryption/integrity we only have to say =E2=80=9Cuse something =
with 256 bits of security=E2=80=9D, whereas for PRF that =
wouldn=E2=80=99t be sufficient if for example PRF_AES256_CMAC became a =
thing.<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US =
style=3D'color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>OK, if nobody disagrees, =
I=E2=80=99ll update IKE_AUX draft accordingly.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Regards,<o:p></o:p></span></p><p=
 class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'>Valery.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;color:#44546A'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span =
lang=3DEN-US>&nbsp;</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:36.0pt'><span lang=3DEN-US>Any =
opinions? Scott, Daniel, what do you think about this?</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>Regards,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>Valery.</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-US>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div style=3D'border:none;border-left:solid blue =
1.5pt;padding:0cm 0cm 0cm 4.0pt'><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div style=3D'border:none;border-left:solid blue =
1.5pt;padding:0cm 0cm 0cm 4.0pt'><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><p class=3DMsoNormal style=3D'margin-left:72.0pt'><span =
lang=3DEN-CA style=3D'font-size:11.0pt;color:#1F497D'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#1F497D'>All three work (that is, they =
prevent any undetected modifications to the IKE_AUX payloads); I quite =
understand if &nbsp;(1) would be considered an undesirable option.&nbsp; =
As for (2) and (3), they are largely the same; (3) limits the =
PRF=E2=80=99s to the ones which include second-preimage-resistant hash =
functions.&nbsp; I can see the attraction of not requiring a separate =
negotiation; I=E2=80=99m just worried about someone ignoring our =
=E2=80=98don=E2=80=99t use XCBC/CMAC=E2=80=99 =
mandate=E2=80=A6</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#1F497D'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#1F497D'>Also, for (3), you have to be =
careful to specify which SK_p[ir] to use; in our draft, the IKE_AUX =
message updates them; the obvious thing to do is specify that =
you=E2=80=99ll use the SK_p[ir] values that were in effect at the =
beginning of the IKE_AUX message in question.&nbsp; Actually, for =
security, we don=E2=80=99t need a secret key, having both sides use, =
say, an all zero key, would achieve the same security goal, however that =
does feel weird=E2=80=A6</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:36.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Using an all zero key does feel weird, =
however it could help avoid potential incompatible implementation =
errors.&nbsp; There are two sets of SK_p[ir] available to use in the =
case where an IKE_AUX includes a key exchange, the values in effect at =
the beginning of the IKE_AUX exchange, and the updated values resulting =
from the IKE_AUX exchange.&nbsp; Depending on the order in which =
implementations recalculate the SKEYSEED and SK_* keys, vs when they =
perform the PRF on the IKE_AUX data, the =E2=80=9Ccurrent=E2=80=9D =
SK_p[ir] values could be the old or new values and so some =
implementations may have to maintain both the old and new keys until the =
IKE_AUX digest is calculated.&nbsp; All this is to say, if it =
doesn=E2=80=99t affect the security it may just be simpler and easier =
for compatibility to use an all zero key.</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;color:#1F497D'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>Regards,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>Valery.</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:14.0pt;color:#44546A'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Thanks,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Daniel</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:72.0pt'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p></div></div></div></div></div></div></=
div></body></html>
------=_NextPart_000_0AC2_01D42430.FE4A0140--


From nobody Wed Jul 25 08:28:07 2018
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4141112DD85 for <ipsec@ietfa.amsl.com>; Wed, 25 Jul 2018 08:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KZOIKW3g_2tV for <ipsec@ietfa.amsl.com>; Wed, 25 Jul 2018 08:28:02 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C13D1271FF for <ipsec@ietf.org>; Wed, 25 Jul 2018 08:28:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=31732; q=dns/txt; s=iport; t=1532532482; x=1533742082; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=hwTLQHhqVqdlkyyB4DgnA+6Z3L3TNyxiGwU41rig0Bo=; b=f/eK5O9KcRGz14HZhqjBVqvGBSwXUf98G5e2w2CwOmru0TQmBwBZD99r Rpm5dlVwdouoQtBKYpDP1QD+BHvwXpkSBit7IUVJpm4ws2Ma6jhh0UnQX EMfqxo2mdZBRo6780AVGJq4nHmgzHMdsotDcbugI1ZEmViwWNbPOdSu8F A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0B7AgDglVhb/5BdJa1cGgEBAQEBAgE?= =?us-ascii?q?BAQEIAQEBAYJXSAQqY38oCoN0lEGCDJdDC4RsAheCTyE4FAECAQECAQECbSi?= =?us-ascii?q?FNgEBAQQjClwCAQgRBAEBIQoCAgIwHQgCBAESCIMZgRtksBSBLopZhj6CJx0?= =?us-ascii?q?XgUE/gRGDEoUEB4JzglUCh02FFIUfh3UJAoh5hjKBTow5K4dciX8CERSBJDQ?= =?us-ascii?q?hgVJwFYMkgiQYegEBjRtvjVaBGwEB?=
X-IronPort-AV: E=Sophos;i="5.51,401,1526342400";  d="scan'208,217";a="147544186"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Jul 2018 15:27:00 +0000
Received: from XCH-RTP-009.cisco.com (xch-rtp-009.cisco.com [64.101.220.149]) by rcdn-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id w6PFR0TP020286 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 25 Jul 2018 15:27:00 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-009.cisco.com (64.101.220.149) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 25 Jul 2018 11:26:59 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Wed, 25 Jul 2018 11:26:59 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] IKE_AUX comments
Thread-Index: AQHUEufJG9ukeXZd00OB/ArBblFw6qR/B9KAgADxt4CAAN9PAP//vjnggACO1oCAFc0OgP//3YAAgAl8eYD//+ImUA==
Date: Wed, 25 Jul 2018 15:26:59 +0000
Message-ID: <3cdc26c904714c7ca907cea8bca99aab@XCH-RTP-006.cisco.com>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com> <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com> <055c01d41f6a$dc6e7d50$954b77f0$@gmail.com> <094A8A21-D156-460E-B011-910F1BFC756F@isara.com> <0ac101d42417$d8f83560$8ae8a020$@gmail.com>
In-Reply-To: <0ac101d42417$d8f83560$8ae8a020$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: multipart/alternative; boundary="_000_3cdc26c904714c7ca907cea8bca99aabXCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.149, xch-rtp-009.cisco.com
X-Outbound-Node: rcdn-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/_7tJn-ZP7J5_NXGgCIeVuYYfDds>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 15:28:05 -0000

--_000_3cdc26c904714c7ca907cea8bca99aabXCHRTP006ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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==

--_000_3cdc26c904714c7ca907cea8bca99aabXCHRTP006ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_3cdc26c904714c7ca907cea8bca99aabXCHRTP006ciscocom_--


From nobody Wed Jul 25 18:39:42 2018
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B5F212F18C for <ipsec@ietfa.amsl.com>; Wed, 25 Jul 2018 18:39:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05130Hj1xRDg for <ipsec@ietfa.amsl.com>; Wed, 25 Jul 2018 18:39:38 -0700 (PDT)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 223C2127333 for <ipsec@ietf.org>; Wed, 25 Jul 2018 18:39:37 -0700 (PDT)
Received: from 172-1-110-12.lightspeed.sntcca.sbcglobal.net (HELO cas.isaracorp.com) ([172.1.110.12]) by ip1.isaracorp.com with ESMTP; 26 Jul 2018 01:39:34 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR02.isaracorp.com (10.5.9.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Wed, 25 Jul 2018 21:39:33 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.003; Wed, 25 Jul 2018 21:39:33 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, Valery Smyslov <smyslov.ietf@gmail.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] IKE_AUX comments
Thread-Index: AQHUEufJG9ukeXZd00OB/ArBblFw6qR/B9KAgADxt4CAAN9PAP//vjnggACO1oCAFc0OgP//3YAAgAl8eYD//+ImUAAVw72A
Date: Thu, 26 Jul 2018 01:39:33 +0000
Message-ID: <DAB3B043-09AF-421E-B852-120FAEA1A2E1@isara.com>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com> <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com> <055c01d41f6a$dc6e7d50$954b77f0$@gmail.com> <094A8A21-D156-460E-B011-910F1BFC756F@isara.com> <0ac101d42417$d8f83560$8ae8a020$@gmail.com> <3cdc26c904714c7ca907cea8bca99aab@XCH-RTP-006.cisco.com>
In-Reply-To: <3cdc26c904714c7ca907cea8bca99aab@XCH-RTP-006.cisco.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.5.17.50]
Content-Type: multipart/alternative; boundary="_000_DAB3B04309AF421EB852120FAEA1A2E1isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/dOjnZuITHkggazZvg6SoXTNp7y8>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 01:39:40 -0000

--_000_DAB3B04309AF421EB852120FAEA1A2E1isaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_DAB3B04309AF421EB852120FAEA1A2E1isaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <B4343288DEF4F046B674F9D00320413E@isara.com>
Content-Transfer-Encoding: base64
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--_000_DAB3B04309AF421EB852120FAEA1A2E1isaracom_--


From nobody Thu Jul 26 00:18:13 2018
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBFE1130E15 for <ipsec@ietfa.amsl.com>; Thu, 26 Jul 2018 00:18:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level: 
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yNuw9TEVADJo for <ipsec@ietfa.amsl.com>; Thu, 26 Jul 2018 00:18:09 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 907B4130DF4 for <ipsec@ietf.org>; Thu, 26 Jul 2018 00:18:08 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id p6-v6so598344ljc.5 for <ipsec@ietf.org>; Thu, 26 Jul 2018 00:18:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:to:references:in-reply-to:subject:date:message-id:mime-version :thread-index:content-language; bh=MXXgom7Oan09dW8KT2mFNyYX7HnOvE/m0jkYjQb7YKE=; b=GSq/6MnfC6896DiqlOjksYPbm0lOD+TGk8mNFFgbzhcHxydGRRVyNiPHyqFRWIaOIC wToXvP11af+99xCrvWKjgGwecAm0bFvnaj0rwbBnuruP5YKvfGwvvpq61mvhK2G2wYox 1nBKQQUZWWV52pQUKEV64ipxvwVqVzGIjsgX6JNkP9/1i4JZprzX8LjtNeCQYKxr13pV 3iI4slj07G/EUR+BS2ZVzpYcngZgLGS5NCn1zw3Ci25DRK1DW66pawoV+QHd1ycTc1Pj t+KGV5tfXu3VY7IhmGci/PSoiDIk5BWS0GIqXIydVHLPm/YuTWq7P3Sv4sgg9WNFddwP aw5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=MXXgom7Oan09dW8KT2mFNyYX7HnOvE/m0jkYjQb7YKE=; b=clrTp6TrVBW7BNyQQFh5bSuI6JqjLt1uspxUrTTdphKOXp0YX6XtaUD2u75B45KHt7 udeA89ueV+Mu7Ix9c2VMueZ7wm4EoCHouWLKPHab76C8frwbT+KD2pKBdhVyLIRWW+QB u87fDEnPSPv+fqtPhoOjjFcB/ntK65o1ANerOXhz2TEDsJyE3ilxuBE8z9B0JC4/BW7j cWIzIjitT95r637ZuheaONyjOr1Cydr+ORR0Z8Dcmgt6EbXOVCS3/+s9ZP1YDJ0WgWce uk3rqZ2yRxcrI11QsGt0Z//v6AVUzpeY+ggO9hdE7nypGdmXcTQtudIT97iOx+Hd85rw 4/oA==
X-Gm-Message-State: AOUpUlEa7zEujfbbEU7U7Tt+/OXdGkcqF00bb1MaWdY7jkyWg5HAYDa7 Omg/5icQXKbAR9KDXFbCZ98=
X-Google-Smtp-Source: AAOMgpc+5V6J+NdGqlZXykdKA+ThxHzLh+i5384a5r0WwjWXqxd63Bl+Jid/HSNtguTBOFkDnQaz3w==
X-Received: by 2002:a2e:498:: with SMTP id a24-v6mr671154ljf.27.1532589486925;  Thu, 26 Jul 2018 00:18:06 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id o13-v6sm100007lja.23.2018.07.26.00.18.05 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 26 Jul 2018 00:18:06 -0700 (PDT)
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer@cisco.com>, <ipsec@ietf.org>
References: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com> <038701d41375$4a5bab50$df1301f0$@gmail.com> <4ce0380da4d147bb98d80dbc71315a68@XCH-RTP-006.cisco.com> <002201d4145d$cdd13160$69739420$@gmail.com> <cca9b3323ad441e59643b6ff2afb7ee1@XCH-RTP-006.cisco.com> <C35D70B2-C47C-45FF-9728-19C22514C058@isara.com> <055c01d41f6a$dc6e7d50$954b77f0$@gmail.com> <094A8A21-D156-460E-B011-910F1BFC756F@isara.com> <0ac101d42417$d8f83560$8ae8a020$@gmail.com> <3cdc26c904714c7ca907cea8bca99aab@XCH-RTP-006.cisco.com> <DAB3B043-09AF-421E-B852-120FAEA1A2E1@isara.com>
In-Reply-To: <DAB3B043-09AF-421E-B852-120FAEA1A2E1@isara.com>
Date: Thu, 26 Jul 2018 10:17:58 +0300
Message-ID: <00cc01d424b0$c88a7c30$599f7490$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00CD_01D424C9.EDD93AD0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEciSsDD1zqgCWGCuqENOVpeeZcmAIUjD3lAYKjZjwC2ApLZAEyIKg0At8cjcwBlz/yKgD8/J0kAUrXxd0CDTNbHwIBxhLcpXzZ7QA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/cbu9eIMZBtLOHUwGO6DNDx4TZkU>
Subject: Re: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 07:18:11 -0000

This is a multipart message in MIME format.

------=_NextPart_000_00CD_01D424C9.EDD93AD0
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Probably IKE_INT (intermediate)? Actually I was thinking of this name
when I started writing the draft...

IKE_PRE_AUTH sounds to me like it is somehow bound to authentication,
while in fact it is multi-purpose and can be used for transferring any
additional data before IKE_AUTH...

I do have one issue I've been pondering, though; we do an IKE_AUX
exchange, and then follow it up with an IKE_AUTH exchange.  At least
with my accent, those are phonetically quite close.  It would be nice
if we could come up with an alternative name to IKE_AUX that was just
as descriptive, but wasn't such a near collision (and no, I don't have
any immediate suggestions).

I have the same issue when discussing the draft.  Off the top of my
head, IKE_PRE_AUTH could work.


------=_NextPart_000_00CD_01D424C9.EDD93AD0--


From nobody Thu Jul 26 11:29:38 2018
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 760D1124D68 for <ipsec@ietfa.amsl.com>; Thu, 26 Jul 2018 11:29:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B2mJwKVfCZIk for <ipsec@ietfa.amsl.com>; Thu, 26 Jul 2018 11:29:33 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F0A3130DCB for <ipsec@ietf.org>; Thu, 26 Jul 2018 11:29:33 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id D548CB8125E; Thu, 26 Jul 2018 11:29:23 -0700 (PDT)
To: ynir.ietf@gmail.com, kaduk@mit.edu, ekr@rtfm.com, david.waltermire@nist.gov, kivinen@iki.fi
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: andrew.cagney@gmail.com, ipsec@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20180726182923.D548CB8125E@rfc-editor.org>
Date: Thu, 26 Jul 2018 11:29:23 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zQaRejiNq_GatPOnBw9Jmp5fh9U>
Subject: [IPsec] [Technical Errata Reported] RFC7634 (5441)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 18:29:37 -0000

The following errata report has been submitted for RFC7634,
"ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5441

--------------------------------------
Type: Technical
Reported by: Andrew Cagney <andrew.cagney@gmail.com>

Section: 4

Original Text
-------------
   When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or
   IPsec, the value ENCR_CHACHA20_POLY1305 (28) should be used in the
   transform substructure of the SA payload as the ENCR (type 1)
   transform ID.  As with other AEAD algorithms, INTEG (type 3)
   transform substructures MUST NOT be specified, or just one INTEG
   transform MAY be included with value NONE (0).

Corrected Text
--------------
   When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or
   IPsec, the value ENCR_CHACHA20_POLY1305 (28) should be used in the
   transform substructure of the SA payload as the ENCR (type 1)
   transform ID.
   As with other transforms that use a fixed-length key, the Key Length
   attribute MUST NOT be specified.
   As with other AEAD algorithms, INTEG (type 3)
   transform substructures MUST NOT be specified, or just one INTEG
   transform MAY be included with value NONE (0).

Notes
-----
Reading both RFC7634 and RFC7539 there seems to be a single fixed-length key of 256-bits. 
Hence, I think https://tools.ietf.org/html/rfc7296#section-3.3.5:
   o  The Key Length attribute MUST NOT be used with transforms that use
      a fixed-length key.  For example, this includes ENCR_DES,
      ENCR_IDEA,...
applies (my intent is to clarify this).

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC7634 (draft-ietf-ipsecme-chacha20-poly1305-12)
--------------------------------------
Title               : ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec
Publication Date    : August 2015
Author(s)           : Y. Nir
Category            : PROPOSED STANDARD
Source              : IP Security Maintenance and Extensions
Area                : Security
Stream              : IETF
Verifying Party     : IESG
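
The two rules the report touches (no Key Length attribute on a fixed-key ENCR transform, per RFC 7296 section 3.3.5; no INTEG transform beside an AEAD cipher other than a single NONE, per RFC 7634 section 4) can be checked mechanically on the wire format. The following is an added example, not part of the errata report or of any IKE implementation: it encodes and parses IKEv2 Transform Substructures and flags proposals that break either rule. ENCR_CHACHA20_POLY1305 (28) and INTEG NONE (0) are taken from the report; ENCR_AES_CBC (12) and AUTH_HMAC_SHA2_256_128 (12) are IANA IKEv2 registry values used only as contrasting cases, and the sample proposals are constructed.

```python
"""Check IKEv2 Transform Substructures (RFC 7296 sections 3.3.2 and 3.3.5)
for the two rules discussed in errata 5441 on RFC 7634 section 4."""
import struct
from dataclasses import dataclass

# Transform types (RFC 7296 section 3.3.2).
ENCR, PRF, INTEG = 1, 2, 3
# Transform IDs. ENCR_CHACHA20_POLY1305 (28) and INTEG NONE (0) are quoted in
# the errata report; ENCR_AES_CBC (12) and AUTH_HMAC_SHA2_256_128 (12) are the
# IANA IKEv2 registry values, used here only as contrasting cases.
ENCR_CHACHA20_POLY1305 = 28
ENCR_AES_CBC = 12
INTEG_NONE = 0
AUTH_HMAC_SHA2_256_128 = 12
# Attribute type 14 is Key Length, always in TV form (AF=1), value in bits.
ATTR_KEY_LENGTH = 14

# Ciphers with a fixed-length key: Key Length MUST NOT be sent (RFC 7296 3.3.5).
FIXED_KEY_BITS = {ENCR_CHACHA20_POLY1305: 256}
# AEAD ciphers: no INTEG transform, or exactly one INTEG NONE (RFC 7634 sec. 4).
AEAD_ENCR = {ENCR_CHACHA20_POLY1305}


@dataclass
class Transform:
    ttype: int
    tid: int
    attrs: dict  # attribute type -> int (TV) or bytes (TLV)


def build_transform(ttype, tid, key_len_bits=None, last=True):
    """Encode one Transform Substructure, optionally with a TV Key Length."""
    body = b""
    if key_len_bits is not None:
        body = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, key_len_bits)
    # Last Substruc is 0 for the final transform, 3 if more follow.
    hdr = struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), ttype, 0, tid)
    return hdr + body


def parse_transforms(buf):
    """Walk a chain of Transform Substructures until Last Substruc == 0."""
    out, off = [], 0
    while True:
        if off + 8 > len(buf):
            raise ValueError("truncated transform header")
        last, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", buf, off)
        if tlen < 8 or off + tlen > len(buf):
            raise ValueError("bad Transform Length")
        attrs, pos, end = {}, off + 8, off + tlen
        while pos < end:
            if pos + 4 > end:
                raise ValueError("truncated attribute")
            af_type, val_or_len = struct.unpack_from("!HH", buf, pos)
            atype = af_type & 0x7FFF
            if af_type & 0x8000:          # TV: the value rides in the length field
                attrs[atype] = val_or_len
                pos += 4
            else:                         # TLV: explicit length, then value bytes
                if pos + 4 + val_or_len > end:
                    raise ValueError("truncated TLV attribute")
                attrs[atype] = buf[pos + 4:pos + 4 + val_or_len]
                pos += 4 + val_or_len
        out.append(Transform(ttype, tid, attrs))
        off += tlen
        if last == 0:
            return out
        if last != 3:
            raise ValueError(f"bad Last Substruc value {last}")


def check_proposal(transforms):
    """Return a list of rule violations for one proposal's transforms."""
    problems = []
    integ = [t for t in transforms if t.ttype == INTEG]
    for t in transforms:
        has_keylen = ATTR_KEY_LENGTH in t.attrs
        if t.ttype == ENCR and t.tid in FIXED_KEY_BITS and has_keylen:
            problems.append(f"ENCR {t.tid}: Key Length ({t.attrs[ATTR_KEY_LENGTH]} bits) "
                            f"sent for a fixed {FIXED_KEY_BITS[t.tid]}-bit key")
        if t.ttype in (PRF, INTEG) and has_keylen:
            problems.append(f"type {t.ttype} transform {t.tid}: Key Length not allowed")
        if t.ttype == ENCR and t.tid in AEAD_ENCR:
            if len(integ) > 1 or any(i.tid != INTEG_NONE for i in integ):
                problems.append(f"ENCR {t.tid} is AEAD: INTEG must be absent or a single NONE")
    return problems


# Constructed sample proposals (not captured traffic).
GOOD = build_transform(ENCR, ENCR_CHACHA20_POLY1305, last=False) + \
       build_transform(INTEG, INTEG_NONE)
BAD_KEYLEN = build_transform(ENCR, ENCR_CHACHA20_POLY1305, key_len_bits=256)
BAD_INTEG = build_transform(ENCR, ENCR_CHACHA20_POLY1305, last=False) + \
            build_transform(INTEG, AUTH_HMAC_SHA2_256_128)
AES_CBC_128 = build_transform(ENCR, ENCR_AES_CBC, key_len_bits=128)  # variable key: fine

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("BAD_KEYLEN", BAD_KEYLEN),
                       ("BAD_INTEG", BAD_INTEG), ("AES_CBC_128", AES_CBC_128)]:
        print(name, check_proposal(parse_transforms(blob)) or "ok")
```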


From nobody Thu Jul 26 12:06:44 2018
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89032130DF5 for <ipsec@ietfa.amsl.com>; Thu, 26 Jul 2018 12:06:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L94jnbRwQcZ7 for <ipsec@ietfa.amsl.com>; Thu, 26 Jul 2018 12:06:39 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DB93130E0F for <ipsec@ietf.org>; Thu, 26 Jul 2018 12:06:39 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id j5-v6so2741175wrr.8 for <ipsec@ietf.org>; Thu, 26 Jul 2018 12:06:39 -0700 (PDT)
X-Received: by 2002:adf:93a3:: with SMTP id 32-v6mr2444556wrp.140.1532631997882;  Thu, 26 Jul 2018 12:06:37 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id h14-v6sm1391767wro.15.2018.07.26.12.06.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Jul 2018 12:06:36 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <20FE97E3-768B-426D-9DF1-A228E8DEB143@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_97951598-C06E-409E-8117-7DF201AC9F06"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 26 Jul 2018 22:06:30 +0300
In-Reply-To: <20180726182923.D548CB8125E@rfc-editor.org>
Cc: kaduk@mit.edu, ekr@rtfm.com, david.waltermire@nist.gov, kivinen@iki.fi, andrew.cagney@gmail.com, ipsec@ietf.org
To: RFC Errata System <rfc-editor@rfc-editor.org>
References: <20180726182923.D548CB8125E@rfc-editor.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/K9HttQDQ_K7aJmu8eQ143T5O3XI>
Subject: Re: [IPsec] [Technical Errata Reported] RFC7634 (5441)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 19:06:43 -0000


This errata proposes to add the following sentence to section 4 of RFC 7634 <https://tools.ietf.org/html/rfc7634#section-4>:

As with other transforms that use a fixed-length key, the Key Length attribute MUST NOT be specified.

This sentence is correct. If this came up as a suggestion during WG processing or during LC, I think we would add it.

Looking back in RFC 7296, we have in section 3.3.5 <https://tools.ietf.org/html/rfc7296#section-3.3.5>:

   o  The Key Length attribute MUST NOT be used with transforms that use
      a fixed-length key.  For example, this includes ENCR_DES,
      ENCR_IDEA, and all the Type 2 (Pseudorandom Function) and Type 3
      (Integrity Algorithm) transforms specified in this document.  It
      is recommended that future Type 2 or 3 transforms do not use this
      attribute.

And RFC 7634 says:

   o  The encryption key is 256 bits.

Given that, I don’t think there is any chance for a conscientious implementer to make the mistake of including the Key Length attribute.

I don’t believe adding clarifying text is a proper use of the errata system. At best it should be marked as editorial and held for document update, if not rejected outright.

Yoav

> On 26 Jul 2018, at 21:29, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>
> The following errata report has been submitted for RFC7634,
> "ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5441
>
> --------------------------------------
> Type: Technical
> Reported by: Andrew Cagney <andrew.cagney@gmail.com>
>
> Section: 4
>
> Original Text
> -------------
>   When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or
>   IPsec, the value ENCR_CHACHA20_POLY1305 (28) should be used in the
>   transform substructure of the SA payload as the ENCR (type 1)
>   transform ID.  As with other AEAD algorithms, INTEG (type 3)
>   transform substructures MUST NOT be specified, or just one INTEG
>   transform MAY be included with value NONE (0).
>
> Corrected Text
> --------------
>   When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or
>   IPsec, the value ENCR_CHACHA20_POLY1305 (28) should be used in the
>   transform substructure of the SA payload as the ENCR (type 1)
>   transform ID.
>   As with other transforms that use a fixed-length key, the Key Length
>   attribute MUST NOT be specified.
>   As with other AEAD algorithms, INTEG (type 3)
>   transform substructures MUST NOT be specified, or just one INTEG
>   transform MAY be included with value NONE (0).
>
> Notes
> -----
> Reading both RFC7634 and RFC7539 there seems to be a single fixed-length key of 256-bits.
> Hence, I think https://tools.ietf.org/html/rfc7296#section-3.3.5:
>   o  The Key Length attribute MUST NOT be used with transforms that use
>      a fixed-length key.  For example, this includes ENCR_DES,
>      ENCR_IDEA,...
> applies (my intent is to clarify this).
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC7634 (draft-ietf-ipsecme-chacha20-poly1305-12)
> --------------------------------------
> Title               : ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec
> Publication Date    : August 2015
> Author(s)           : Y. Nir
> Category            : PROPOSED STANDARD
> Source              : IP Security Maintenance and Extensions
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG




From nobody Thu Jul 26 12:31:06 2018
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF651130E6F for <ipsec@ietfa.amsl.com>; Thu, 26 Jul 2018 12:31:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level: 
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S381cATCz4ir for <ipsec@ietfa.amsl.com>; Thu, 26 Jul 2018 12:31:00 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01527130E66 for <ipsec@ietf.org>; Thu, 26 Jul 2018 12:30:59 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41c2JL0z80z34r; Thu, 26 Jul 2018 21:30:58 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id BaumzfWnJG0S; Thu, 26 Jul 2018 21:30:55 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 26 Jul 2018 21:30:54 +0200 (CEST)
Received: from [172.20.10.3] (unknown [172.58.91.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id BC9A8381FC0; Thu, 26 Jul 2018 15:30:52 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca BC9A8381FC0
Content-Type: multipart/alternative; boundary=Apple-Mail-DC649E73-2431-42DB-B49B-DBE8B8D80AB9
Mime-Version: 1.0 (1.0)
From: Paul Wouters <paul@nohats.ca>
X-Mailer: iPhone Mail (15G77)
In-Reply-To: <20FE97E3-768B-426D-9DF1-A228E8DEB143@gmail.com>
Date: Thu, 26 Jul 2018 12:30:50 -0700
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, ekr@rtfm.com, andrew.cagney@gmail.com, kivinen@iki.fi, ipsec@ietf.org, kaduk@mit.edu, david.waltermire@nist.gov
Content-Transfer-Encoding: 7bit
Message-Id: <F27D6E34-2DDC-45FD-B5D6-DE4F4BE50D91@nohats.ca>
References: <20180726182923.D548CB8125E@rfc-editor.org> <20FE97E3-768B-426D-9DF1-A228E8DEB143@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/PevySL4MebNAGkWxfHLpnl0EY_E>
Subject: Re: [IPsec] [Technical Errata Reported] RFC7634 (5441)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 19:31:04 -0000


Some note would be good because apparently strongswan insists on the KEY_LENGTH attribute where it shouldn’t be there?

Sent from my phone

> On Jul 26, 2018, at 12:06, Yoav Nir <ynir.ietf@gmail.com> wrote:
>
> This errata proposes to add the following sentence to section 4 of RFC 7634:
>
> As with other transforms that use a fixed-length key, the Key Length attribute MUST NOT be specified.
>
> This sentence is correct. If this came up as a suggestion during WG processing or during LC, I think we would add it.
>
> Looking back in RFC 7296, we have in section 3.3.5:
>
>    o  The Key Length attribute MUST NOT be used with transforms that use
>       a fixed-length key.  For example, this includes ENCR_DES,
>       ENCR_IDEA, and all the Type 2 (Pseudorandom Function) and Type 3
>       (Integrity Algorithm) transforms specified in this document.  It
>       is recommended that future Type 2 or 3 transforms do not use this
>       attribute.
>
> And RFC 7634 says:
>
>    o  The encryption key is 256 bits.
>
> Given that, I don’t think there is any chance for a conscientious implementer to make the mistake of including the Key Length attribute.
>
> I don’t believe adding clarifying text is a proper use of the errata system. At best it should be marked as editorial and held for document update, if not rejected outright.
>
> Yoav
>
>> On 26 Jul 2018, at 21:29, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>>
>> The following errata report has been submitted for RFC7634,
>> "ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5441
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Andrew Cagney <andrew.cagney@gmail.com>
>>
>> Section: 4
>>
>> Original Text
>> -------------
>>   When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or
>>   IPsec, the value ENCR_CHACHA20_POLY1305 (28) should be used in the
>>   transform substructure of the SA payload as the ENCR (type 1)
>>   transform ID.  As with other AEAD algorithms, INTEG (type 3)
>>   transform substructures MUST NOT be specified, or just one INTEG
>>   transform MAY be included with value NONE (0).
>>
>> Corrected Text
>> --------------
>>   When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or
>>   IPsec, the value ENCR_CHACHA20_POLY1305 (28) should be used in the
>>   transform substructure of the SA payload as the ENCR (type 1)
>>   transform ID.
>>   As with other transforms that use a fixed-length key, the Key Length
>>   attribute MUST NOT be specified.
>>   As with other AEAD algorithms, INTEG (type 3)
>>   transform substructures MUST NOT be specified, or just one INTEG
>>   transform MAY be included with value NONE (0).
>>
>> Notes
>> -----
>> Reading both RFC7634 and RFC7539 there seems to be a single fixed-length key of 256-bits.
>> Hence, I think https://tools.ietf.org/html/rfc7296#section-3.3.5:
>>   o  The Key Length attribute MUST NOT be used with transforms that use
>>      a fixed-length key.  For example, this includes ENCR_DES,
>>      ENCR_IDEA,...
>> applies (my intent is to clarify this).
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC7634 (draft-ietf-ipsecme-chacha20-poly1305-12)
>> --------------------------------------
>> Title               : ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec
>> Publication Date    : August 2015
>> Author(s)           : Y. Nir
>> Category            : PROPOSED STANDARD
>> Source              : IP Security Maintenance and Extensions
>> Area                : Security
>> Stream              : IETF
>> Verifying Party     : IESG
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

</blockquote></div><br class=3D""></div></div></blockquote><blockquote type=3D=
"cite"><div><span>_______________________________________________</span><br>=
<span>IPsec mailing list</span><br><span><a href=3D"mailto:IPsec@ietf.org">I=
Psec@ietf.org</a></span><br><span><a href=3D"https://www.ietf.org/mailman/li=
stinfo/ipsec">https://www.ietf.org/mailman/listinfo/ipsec</a></span><br></di=
v></blockquote></body></html>=

--Apple-Mail-DC649E73-2431-42DB-B49B-DBE8B8D80AB9--


From nobody Fri Jul 27 00:01:19 2018
Return-Path: <tobias.brunner@hsr.ch>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F5A3130E92 for <ipsec@ietfa.amsl.com>; Fri, 27 Jul 2018 00:01:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aKpvZBnKOFqB for <ipsec@ietfa.amsl.com>; Fri, 27 Jul 2018 00:01:12 -0700 (PDT)
Received: from mx2.hsr.ch (mx2.hsr.ch [IPv6:2001:620:130:a036::32]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33E9D130E88 for <ipsec@ietf.org>; Fri, 27 Jul 2018 00:01:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx2.hsr.ch (Postfix) with ESMTP id 5B71823C65FE; Fri, 27 Jul 2018 09:01:08 +0200 (CEST)
Received: from mx2.hsr.ch ([127.0.0.1]) by localhost (mx2.hsr.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id aaW-HnJ5NwP1; Fri, 27 Jul 2018 09:01:06 +0200 (CEST)
Received: from webmail.hsr.ch (sid00233.hsr.ch [152.96.21.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx2.hsr.ch (Postfix) with ESMTPS id D739523C6606; Fri, 27 Jul 2018 09:01:04 +0200 (CEST)
Received: from [192.168.2.100] (152.96.21.199) by sid00233.hsr.ch (152.96.21.233) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3; Fri, 27 Jul 2018 09:01:03 +0200
To: Paul Wouters <paul@nohats.ca>, Yoav Nir <ynir.ietf@gmail.com>
CC: <ekr@rtfm.com>, <david.waltermire@nist.gov>, <andrew.cagney@gmail.com>, <kivinen@iki.fi>, <ipsec@ietf.org>, <kaduk@mit.edu>, RFC Errata System <rfc-editor@rfc-editor.org>
References: <20180726182923.D548CB8125E@rfc-editor.org> <20FE97E3-768B-426D-9DF1-A228E8DEB143@gmail.com> <F27D6E34-2DDC-45FD-B5D6-DE4F4BE50D91@nohats.ca>
From: Tobias Brunner <tobias.brunner@hsr.ch>
Message-ID: <ecd5b519-a382-e1a9-10b2-2ba6bd6e5961@hsr.ch>
Date: Fri, 27 Jul 2018 09:00:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <F27D6E34-2DDC-45FD-B5D6-DE4F4BE50D91@nohats.ca>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [152.96.21.199]
X-ClientProxiedBy: sid00234.hsr.ch (152.96.21.234) To sid00233.hsr.ch (152.96.21.233)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/FMug6R2hBB0Pha2TVEr6vtqaAU8>
Subject: Re: [IPsec] [Technical Errata Reported] RFC7634 (5441)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 07:01:16 -0000

Hi Paul,

> Some note would be good because apparently strongswan insists of the
> KEY_LENGTH attribute they shouldn’t be there?

Yes, we did that incorrectly before 5.6.3 [1].  Since then the key
length attribute is omitted, but it's still possible to add a transform
with it to a proposal by using the chacha20poly1305compat keyword (for
compatibility with older releases).

Regards,
Tobias

[1] https://wiki.strongswan.org/versions/69
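To make the rule behind the erratum (and the pre-5.6.3 strongSwan behaviour Tobias describes) concrete, here is an added example, not code from the RFC, the erratum or strongSwan: it encodes IKEv2 Transform substructures as RFC 7296 Sections 3.3.2 and 3.3.5 lay them out and checks a proposal's transform chain for the two rules the corrected text states, no Key Length attribute on ENCR_CHACHA20_POLY1305 (28), and INTEG either absent or a single NONE (0). The transform IDs for ENCR_DES (2) and ENCR_IDEA (5) come from the IANA IKEv2 registry; both sample proposals are constructed here rather than captured from any implementation.

```python
"""Added example: encode and check IKEv2 Transform substructures for the
Key Length mistake behind erratum 5441.  ENCR_CHACHA20_POLY1305 (28) has a
fixed 256-bit key, so per RFC 7296 Section 3.3.5 the Key Length attribute
(type 14) MUST NOT appear; RFC 7634 Section 4 also wants INTEG absent or a
single INTEG NONE.  Layouts follow RFC 7296 Sections 3.3.2 and 3.3.5.
Not code from the RFCs or from strongSwan."""
import struct

TRANSFORM_TYPE_ENCR = 1
TRANSFORM_TYPE_INTEG = 3
ENCR_CHACHA20_POLY1305 = 28      # RFC 7634 Section 4
INTEG_NONE = 0
ATTR_KEY_LENGTH = 14             # TV-format attribute, RFC 7296 3.3.5
LAST_SUBSTRUC, MORE_SUBSTRUC = 0, 3
# ENCR transforms with a fixed-length key; IDs from the IANA IKEv2 registry.
FIXED_KEY_ENCR = {2: "ENCR_DES", 5: "ENCR_IDEA", 28: "ENCR_CHACHA20_POLY1305"}


def encode_transform(ttype, tid, key_len_bits=None, last=True):
    """Serialize one Transform substructure (RFC 7296 3.3.2), optionally
    with a Key Length attribute in TV format (AF=1, 15-bit type, 16-bit value)."""
    attrs = b""
    if key_len_bits is not None:
        attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, key_len_bits)
    header = struct.pack("!BBHBBH", LAST_SUBSTRUC if last else MORE_SUBSTRUC,
                         0, 8 + len(attrs), ttype, 0, tid)
    return header + attrs


def parse_attributes(data):
    """Parse Transform Attributes; returns [(type, value_or_bytes), ...]."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute")
        af_type, val_or_len = struct.unpack_from("!HH", data, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:                 # TV: value sits in the header
            attrs.append((atype, val_or_len))
            off += 4
        else:                                # TLV: value follows the header
            end = off + 4 + val_or_len
            if end > len(data):
                raise ValueError("truncated TLV attribute")
            attrs.append((atype, data[off + 4:end]))
            off = end
    return attrs


def parse_transforms(data):
    """Walk a chain of Transform substructures until Last Substruc == 0."""
    transforms, off = [], 0
    while True:
        if len(data) - off < 8:
            raise ValueError("truncated transform header")
        last, _, length, ttype, _, tid = struct.unpack_from("!BBHBBH", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("bad transform length")
        attrs = parse_attributes(data[off + 8:off + length])
        transforms.append({"type": ttype, "id": tid, "attrs": attrs})
        off += length
        if last == LAST_SUBSTRUC:
            break
        if last != MORE_SUBSTRUC:
            raise ValueError("bad Last Substruc value %d" % last)
    if off != len(data):
        raise ValueError("trailing bytes after last transform")
    return transforms


def check_transforms(data):
    """Return a list of rule violations (an empty list means the chain is clean)."""
    problems = []
    transforms = parse_transforms(data)
    for t in transforms:
        key_lens = [v for a, v in t["attrs"] if a == ATTR_KEY_LENGTH]
        if t["type"] == TRANSFORM_TYPE_ENCR and t["id"] in FIXED_KEY_ENCR and key_lens:
            problems.append("%s carries Key Length %d; fixed-length key, attribute MUST "
                            "NOT be used (RFC 7296 3.3.5)" % (FIXED_KEY_ENCR[t["id"]], key_lens[0]))
    has_chacha = any(t["type"] == TRANSFORM_TYPE_ENCR and t["id"] == ENCR_CHACHA20_POLY1305
                     for t in transforms)
    integ = [t for t in transforms if t["type"] == TRANSFORM_TYPE_INTEG]
    if has_chacha and (len(integ) > 1 or (integ and integ[0]["id"] != INTEG_NONE)):
        problems.append("AEAD proposal must omit INTEG or carry exactly one INTEG NONE "
                        "(RFC 7634 Section 4)")
    return problems


def demo():
    """Constructed proposals: one with the forbidden Key Length attribute on
    ENCR_CHACHA20_POLY1305, one encoded as the erratum's corrected text says."""
    bad = encode_transform(TRANSFORM_TYPE_ENCR, ENCR_CHACHA20_POLY1305, key_len_bits=256)
    good = (encode_transform(TRANSFORM_TYPE_ENCR, ENCR_CHACHA20_POLY1305, last=False)
            + encode_transform(TRANSFORM_TYPE_INTEG, INTEG_NONE))
    return check_transforms(bad), check_transforms(good)
```

`demo()` returns one violation for the first proposal and an empty list for the second; feeding `check_transforms` the raw transform bytes of a captured SA payload gives the same verdict for real traffic.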


From nobody Fri Jul 27 07:17:12 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1C8B130E0F for <ipsec@ietfa.amsl.com>; Fri, 27 Jul 2018 07:17:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u06QxBH2RRw5 for <ipsec@ietfa.amsl.com>; Fri, 27 Jul 2018 07:17:08 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28786130DE7 for <ipsec@ietf.org>; Fri, 27 Jul 2018 07:17:07 -0700 (PDT)
X-AuditID: 1209190c-d11ff700000021fe-2f-5b5b29625ab5
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id A4.0C.08702.2692B5B5; Fri, 27 Jul 2018 10:17:06 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w6REH5Dk030452; Fri, 27 Jul 2018 10:17:05 -0400
Received: from mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6REGw6R017601 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 27 Jul 2018 10:17:00 -0400
Date: Fri, 27 Jul 2018 09:16:58 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, ekr@rtfm.com, david.waltermire@nist.gov, kivinen@iki.fi, andrew.cagney@gmail.com, ipsec@ietf.org
Message-ID: <20180727141658.GC12983@mit.edu>
References: <20180726182923.D548CB8125E@rfc-editor.org> <20FE97E3-768B-426D-9DF1-A228E8DEB143@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="y0ulUmNC+osPPQO6"
Content-Disposition: inline
In-Reply-To: <20FE97E3-768B-426D-9DF1-A228E8DEB143@gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/NbNqJR5ybhZYDBBTciHoMTvV4oU>
Subject: Re: [IPsec] [Technical Errata Reported] RFC7634 (5441)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 14:17:10 -0000

--y0ulUmNC+osPPQO6
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jul 26, 2018 at 10:06:30PM +0300, Yoav Nir wrote:
> This errata proposes to add the following sentence to section 4 of RFC 7634 <https://tools.ietf.org/html/rfc7634#section-4>:
>
> As with other transforms that use a fixed-length key, the Key Length attribute MUST NOT be specified.
>
> This sentence is correct. If this came up as a suggestion during WG processing or during LC, I think we would add it.
>
> Looking back in RFC 7296, we have in section 3.3.5 <https://tools.ietf.org/html/rfc7296#section-3.3.5>:
>
>    o  The Key Length attribute MUST NOT be used with transforms that use
>       a fixed-length key.  For example, this includes ENCR_DES,
>       ENCR_IDEA, and all the Type 2 (Pseudorandom Function) and Type 3
>       (Integrity Algorithm) transforms specified in this document.  It
>       is recommended that future Type 2 or 3 transforms do not use this
>       attribute.
>
> And RFC 7634 says:
>
>    o  The encryption key is 256 bits.
>
> Given that, I don’t think there is any chance for a conscientious implementer to make the mistake of including the Key Length attribute.
>
> I don’t believe adding clarifying text is a proper use of the errata system. At best it should be marked as editorial and held for document update, if not rejected outright.

I generally agree with this sentiment.  I would probably be willing to mark
as editorial/hold for document update in this case, though.  How would that
work for people?

-Ben

--y0ulUmNC+osPPQO6
Content-Type: application/pgp-signature; name="signature.asc"


--y0ulUmNC+osPPQO6--


From nobody Fri Jul 27 07:59:34 2018
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 623CB130EF9 for <ipsec@ietfa.amsl.com>; Fri, 27 Jul 2018 07:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level: 
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rSyTxN7dQkb for <ipsec@ietfa.amsl.com>; Fri, 27 Jul 2018 07:59:31 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67EE9130E25 for <ipsec@ietf.org>; Fri, 27 Jul 2018 07:59:31 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id a134-v6so3725884lfe.6 for <ipsec@ietf.org>; Fri, 27 Jul 2018 07:59:31 -0700 (PDT)
X-Received: by 2002:a19:1863:: with SMTP id o96-v6mr4511926lfi.134.1532703569660;  Fri, 27 Jul 2018 07:59:29 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id k10-v6sm714936ljh.5.2018.07.27.07.59.28 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 27 Jul 2018 07:59:28 -0700 (PDT)
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Benjamin Kaduk'" <kaduk@mit.edu>, "'Yoav Nir'" <ynir.ietf@gmail.com>
Cc: <ekr@rtfm.com>, <andrew.cagney@gmail.com>, <kivinen@iki.fi>, <ipsec@ietf.org>, <david.waltermire@nist.gov>, "'RFC Errata System'" <rfc-editor@rfc-editor.org>
References: <20180726182923.D548CB8125E@rfc-editor.org> <20FE97E3-768B-426D-9DF1-A228E8DEB143@gmail.com> <20180727141658.GC12983@mit.edu>
In-Reply-To: <20180727141658.GC12983@mit.edu>
Date: Fri, 27 Jul 2018 17:59:22 +0300
Message-ID: <01e201d425ba$677b0fd0$36712f70$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGYblzrU7jz7pTlhpgmWna88nmmAQHZoxp7AjcKXvik+g+EsA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/HXVrn_kOInUh1wWfzSV9i7Ta5aM>
Subject: Re: [IPsec] [Technical Errata Reported] RFC7634 (5441)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 14:59:34 -0000

Hi,

while this clarification wouldn't hurt if it were present in RFC 7634,
I think that generally speaking it is redundant. RFC 7634 doesn't exist
in a vacuum; it is expected that its readers are familiar with RFC 7296,
which has a clear rule that algorithms with a fixed key size MUST NOT
include the Key Length attribute. I see no reason to repeat this rule in
every RFC specifying a new algorithm. It definitely wouldn't hurt if it
were repeated, but if it isn't then that is that. Go and read RFC 7296.

Regards,
Valery.


> > This errata proposes to add the following sentence to section 4 of RFC 7634 <https://tools.ietf.org/html/rfc7634#section-4>:
> >
> > As with other transforms that use a fixed-length key, the Key Length attribute MUST NOT be specified.
> >
> > This sentence is correct. If this came up as a suggestion during WG processing or during LC, I think we would add it.
> >
> > Looking back in RFC 7296, we have in section 3.3.5 <https://tools.ietf.org/html/rfc7296#section-3.3.5>:
> >
> >    o  The Key Length attribute MUST NOT be used with transforms that use
> >       a fixed-length key.  For example, this includes ENCR_DES,
> >       ENCR_IDEA, and all the Type 2 (Pseudorandom Function) and Type 3
> >       (Integrity Algorithm) transforms specified in this document.  It
> >       is recommended that future Type 2 or 3 transforms do not use this
> >       attribute.
> >
> > And RFC 7634 says:
> >
> >    o  The encryption key is 256 bits.
> >
> > Given that, I don’t think there is any chance for a conscientious implementer to make the mistake of including the Key Length attribute.
> >
> > I don’t believe adding clarifying text is a proper use of the errata system. At best it should be marked as editorial and held for document update, if not rejected outright.
>
> I generally agree with this sentiment.  I would probably be willing to mark
> as editorial/hold for document update in this case, though.  How would that
> work for people?
>
> -Ben


From nobody Fri Jul 27 08:18:16 2018
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC2A9130EBD for <ipsec@ietfa.amsl.com>; Fri, 27 Jul 2018 08:18:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jyIk0ispNUpG for <ipsec@ietfa.amsl.com>; Fri, 27 Jul 2018 08:18:12 -0700 (PDT)
Received: from akamail.elvis.ru (akamail.elvis.ru [82.138.51.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E58581292AD for <ipsec@ietf.org>; Fri, 27 Jul 2018 08:18:11 -0700 (PDT)
Received: from kmail.elvis.ru ([93.188.44.208]) by akamail.elvis.ru with esmtp (Exim 4.88) (envelope-from <svan@elvis.ru>) id 1fj4VM-0001bt-AA for ipsec@ietf.org; Fri, 27 Jul 2018 18:18:09 +0300
Received: from robin.office.elvis.ru ([10.111.1.40]) by kmail.elvis.ru with esmtp (Exim 4.88) (envelope-from <svan@elvis.ru>) id 1fj4VK-0001gV-Q6 for ipsec@ietf.org; Fri, 27 Jul 2018 18:18:08 +0300
Received: from buildpc (10.111.10.33) by robin.office.elvis.ru (10.111.1.40) with Microsoft SMTP Server id 14.3.382.0; Fri, 27 Jul 2018 18:18:06 +0300
From: Valery Smyslov <svan@elvis.ru>
To: IPsecME WG <ipsec@ietf.org>
References: <153270390270.32575.6073181813652783620.idtracker@ietfa.amsl.com>
In-Reply-To: <153270390270.32575.6073181813652783620.idtracker@ietfa.amsl.com>
Date: Fri, 27 Jul 2018 18:18:00 +0300
Message-ID: <01e301d425bd$01b60620$05221260$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLlmB5fieQHRlfwhE2rptz2fhiK4KKARyNw
Content-Language: ru
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-AntiPhishing: Clean, 2018/07/26 18:07:33
X-KLMS-AntiVirus: Kaspersky Security 8.0 for Linux Mail Server, version 8.0.1.721, bases: 2018/07/27 09:45:00 #8681873
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Z4EPsakpyj2IGXptjzzoZpt8KGw>
Subject: [IPsec] FW: New Version Notification for draft-smyslov-ipsecme-ikev2-aux-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 15:18:15 -0000

Hi,

a new (-01) version of the IKE_AUX draft has just been posted.

Changes from the -00 version:
1. Authentication of IKE_AUX messages is completely rewritten
    based on recent discussions in the WG. More details
    are provided regarding selecting keys for authentication
    and for message protection.

2. As a result of changing the way the messages are authenticated,
    the restrictions on using IKE fragmentation are lifted and
    the corresponding section is deleted.

3. Some words are added regarding handling errors in IKE_AUX.

4. Security considerations are updated based on recent discussion
    in the WG.

5. Editorial nits.

I still stick with the IKE_AUX name for now, waiting for more suggestions from
people who find this name confusing...

Regards,
Valery.


-----Original Message-----
From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] 
Sent: Friday, July 27, 2018 6:05 PM
To: Valery Smyslov
Subject: New Version Notification for draft-smyslov-ipsecme-ikev2-aux-01.txt


A new version of I-D, draft-smyslov-ipsecme-ikev2-aux-01.txt
has been successfully submitted by Valery Smyslov and posted to the
IETF repository.

Name:		draft-smyslov-ipsecme-ikev2-aux
Revision:	01
Title:		Auxiliary Exchange in the IKEv2 Protocol
Document date:	2018-07-27
Group:		Individual Submission
Pages:		9
URL:            https://www.ietf.org/internet-drafts/draft-smyslov-ipsecme-ikev2-aux-01.txt
Status:         https://datatracker.ietf.org/doc/draft-smyslov-ipsecme-ikev2-aux/
Htmlized:       https://tools.ietf.org/html/draft-smyslov-ipsecme-ikev2-aux-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-smyslov-ipsecme-ikev2-aux
Diff:           https://www.ietf.org/rfcdiff?url2=draft-smyslov-ipsecme-ikev2-aux-01

Abstract:
   This document defines a new exchange, called Auxiliary Exchange, for
   the Internet Key Exchange protocol Version 2 (IKEv2).  This exchange
   can be used for transferring large amounts of data in the process of
   IKEv2 Security Association (SA) establishment.  Introducing Auxiliary
   Exchange allows re-use of the existing IKE Fragmentation mechanism, which
   helps to avoid IP fragmentation of large IKE messages but cannot be
   used in the initial IKEv2 exchange.


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


From nobody Fri Jul 27 10:33:18 2018
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23387.22339.790204.618031@fireball.acr.fi>
Date: Fri, 27 Jul 2018 20:32:51 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: ynir.ietf@gmail.com, kaduk@mit.edu, ekr@rtfm.com, david.waltermire@nist.gov, ipsec@ietf.org, andrew.cagney@gmail.com
In-Reply-To: <20180726182923.D548CB8125E@rfc-editor.org>
References: <20180726182923.D548CB8125E@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/EgdBeaZ-Ml74jSAqHNgr_c5h9qA>
Subject: [IPsec] [Technical Errata Reported] RFC7634 (5441)

RFC Errata System writes:
> The following errata report has been submitted for RFC7634,
> "ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5441
> 
> --------------------------------------
> Type: Technical
> Reported by: Andrew Cagney <andrew.cagney@gmail.com>
> 
> Section: 4
> 
> Original Text
> -------------
>    When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or
>    IPsec, the value ENCR_CHACHA20_POLY1305 (28) should be used in the
>    transform substructure of the SA payload as the ENCR (type 1)
>    transform ID.  As with other AEAD algorithms, INTEG (type 3)
>    transform substructures MUST NOT be specified, or just one INTEG
>    transform MAY be included with value NONE (0).
> 
> Corrected Text
> --------------
>    When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or
>    IPsec, the value ENCR_CHACHA20_POLY1305 (28) should be used in the
>    transform substructure of the SA payload as the ENCR (type 1)
>    transform ID.
>    As with other transforms that use a fixed-length key, the Key Length
>    attribute MUST NOT be specified.
>    As with other AEAD algorithms, INTEG (type 3)
>    transform substructures MUST NOT be specified, or just one INTEG
>    transform MAY be included with value NONE (0).
> 
> Notes
> -----
> Reading both RFC7634 and RFC7539 there seems to be a single fixed-length key of 256-bits. 
> Hence, I think https://tools.ietf.org/html/rfc7296#section-3.3.5:
>    o  The Key Length attribute MUST NOT be used with transforms that use
>       a fixed-length key.  For example, this includes ENCR_DES,
>       ENCR_IDEA,...
> applies (my intent is to clarify this).

I think RFC7634 is clear that there is a fixed-length key and RFC7296 is
clear how those fixed-length keys are negotiated (i.e., no Key Length
attribute), so I think the current text is clear.

Your change would be technically correct, but not needed, as the same
thing is already explained in the general processing rules for the Key
Length attribute.

We could mark this as hold for document update, but I do not really
expect that there would be an update of this document...
-- 
kivinen@iki.fi

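The point of the report and of Tero's reply is the general RFC 7296 rule rather than anything specific to ChaCha20-Poly1305: a Key Length attribute is only meaningful on an ENCR transform with a variable key length, and an AEAD ENCR transform must not be paired with an INTEG transform other than NONE. The following Python is an added example written for this page, not code from the RFCs, from the errata report or from any IKE implementation. It encodes and parses Transform Substructures (RFC 7296, Sections 3.3.2 and 3.3.5) and checks a parsed proposal against those rules. The sets FIXED_KEY_ENCR, VARIABLE_KEY_ENCR and AEAD_ENCR, the helper names and the two constructed proposals are this example's own assumptions.

```python
"""IKEv2 Transform Substructure encode/decode plus a Key Length / AEAD sanity check.

Added example for the RFC 7634 errata discussion; not code from the RFCs or from any
IPsec implementation.  Which ENCR transforms carry a Key Length attribute is an
assumption of this example, taken from the text of RFC 7296 Section 3.3.5 and
RFC 7634 Section 4.
"""
import struct

# Transform types (RFC 7296, Section 3.3.2)
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5

# Transform IDs used below (IANA IKEv2 Transform Type registries)
ENCR_3DES = 3
ENCR_AES_CBC = 12
ENCR_AES_GCM_16 = 20
ENCR_CHACHA20_POLY1305 = 28
INTEG_NONE = 0
INTEG_HMAC_SHA2_256_128 = 12

KEY_LENGTH_ATTR = 14   # Transform Attribute Type "Key Length", always TV format

# Assumption of this example (RFC 7296 Section 3.3.5 gives the rule, not a full list)
VARIABLE_KEY_ENCR = {ENCR_AES_CBC, ENCR_AES_GCM_16}
FIXED_KEY_ENCR = {ENCR_3DES, ENCR_CHACHA20_POLY1305}
AEAD_ENCR = {ENCR_AES_GCM_16, ENCR_CHACHA20_POLY1305}


def encode_transform(ttype, tid, key_length=None, last=True):
    """One Transform Substructure; key_length adds a TV-format Key Length attribute."""
    attrs = b""
    if key_length is not None:
        # AF bit set (TV format) | attribute type 14, followed by the 16-bit value
        attrs = struct.pack("!HH", 0x8000 | KEY_LENGTH_ATTR, key_length)
    # 0 = last substructure, 3 = more follow; RESERVED bytes are zero
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def decode_transforms(data):
    """Parse a chain of Transform Substructures into (type, id, {attr_type: value})."""
    out, off = [], 0
    while off < len(data):
        more, _, length, ttype, _, tid = struct.unpack_from("!BBHBBH", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("bad transform length")
        attrs, pos = {}, off + 8
        while pos < off + length:
            af_type, value = struct.unpack_from("!HH", data, pos)
            if not af_type & 0x8000:
                raise ValueError("TLV-format attribute; only TV (Key Length) handled here")
            attrs[af_type & 0x7FFF] = value
            pos += 4
        out.append((ttype, tid, attrs))
        off += length
        if more == 0:
            break
    return out


def check_proposal(transforms):
    """Return the RFC 7296 / RFC 7634 rule violations found in a parsed proposal."""
    problems = []
    encr = [(tid, attrs) for ttype, tid, attrs in transforms if ttype == ENCR]
    integ = [tid for ttype, tid, _ in transforms if ttype == INTEG]
    for tid, attrs in encr:
        has_kl = KEY_LENGTH_ATTR in attrs
        if tid in FIXED_KEY_ENCR and has_kl:
            problems.append(f"ENCR {tid}: Key Length attribute on a fixed-length-key transform")
        if tid in VARIABLE_KEY_ENCR and not has_kl:
            problems.append(f"ENCR {tid}: Key Length attribute required")
        if tid in AEAD_ENCR and any(i != INTEG_NONE for i in integ):
            problems.append(f"ENCR {tid}: AEAD transform with a non-NONE INTEG transform")
    for ttype, tid, attrs in transforms:
        # Key Length is never valid on PRF or INTEG transforms (RFC 7296, Section 3.3.5)
        if ttype in (PRF, INTEG) and KEY_LENGTH_ATTR in attrs:
            problems.append(f"type {ttype} id {tid}: Key Length attribute not allowed")
    return problems


# Constructed proposals for illustration (not captured traffic).
# WRONG is the case the errata report wants spelled out: a 256-bit Key Length on
# ENCR_CHACHA20_POLY1305, whose key is always 256 bits.
WRONG = (encode_transform(ENCR, ENCR_CHACHA20_POLY1305, key_length=256, last=False)
         + encode_transform(INTEG, INTEG_NONE))
RIGHT = encode_transform(ENCR, ENCR_CHACHA20_POLY1305)

if __name__ == "__main__":
    for name, blob in (("WRONG", WRONG), ("RIGHT", RIGHT)):
        print(name, blob.hex(), check_proposal(decode_transforms(blob)) or "ok")
```

The checker flags the Key Length attribute on transform 28 rather than tolerating it, which is the behaviour the general rule in RFC 7296 asks for; the same code also catches the inverse mistake (AES-CBC with no Key Length) and an AEAD transform offered together with an HMAC integrity transform.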

From nobody Fri Jul 27 11:51:43 2018
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "paul.hoffman@icann.org" <paul.hoffman@icann.org>
Date: Fri, 27 Jul 2018 18:51:35 +0000
Message-ID: <84371f3ca9be4a25b9cd9f0ce2e7321c@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <23375.24083.491329.962989@fireball.acr.fi> 
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/EC5KPzE4JyuNkgH2N_TmrXCRXaE>
Subject: Re: [IPsec] Modp-12288 and Modp-16384

> From: Scott Fluhrer (sfluhrer)
> > From: Tero Kivinen <kivinen@iki.fi>
> >
> > Any idea how many computations need to be done for the shor's
> > algorithm, i.e., breaking 2048 bit Diffie-Hellman. I have just seen
> > text saying it is polynomial time, but I have not really seen any
> > guesses what the actual numbers are going to be.
>
> Very good question; the references I find all essentially say "cubic"; however
> they don't immediately talk about the constant factor.  I suspect that this
> constant factor won't be that large; however that most certainly merits
> further investigation.

Ok, I went through the literature, and while the short answer is "it's complex", I do have some partial answers, including what I believe is a defensible time estimate.

I went through a number of academic papers, and came to the conclusion that factoring 2kbit numbers on a Quantum Computer with circa 4700 qubits available could reasonably be done in time circa 8 billion times the time taken by a single quantum gate (details on how I came to that conclusion are listed below); increasing the size of the numbers to 16k would increase the attack time by a factor of perhaps 60 to 100.

The other factor to address is the actual gate speed.  One result is http://www.nature.com/articles/nature25737 which gives a high fidelity (but not error corrected) gate speed of 1.6usec (using trapped ion qubits).  Adding error correction logic to that would add some overhead; if we take the guess that it slows things down by a factor of 10 (which is the approximate speed of the original Shor error correction code), then that gives us an error corrected speed of 16usec (or 60k gate operations per second).

Combining those two results would give an estimate of less than 2 days to factor a 2k integer.  As for computing a discrete log for a 16k modulus (which is what the original discussion was about), a somewhat larger quantum computer (circa 250k qubit) that ran at the same speed would take several months to compute the discrete log.

Of course, this time estimate is based on current published literature; this is quite an active field, and future work (especially in the realm of gate speed) could easily shrink these numbers significantly.

As a side note, if we look at the time it would take Grover's algorithm to break AES-128, we have https://www.researchgate.net/publication/287249961_Applying_Grover%27s_algorithm_to_AES_quantum_resource_estimates where they estimate a time of 1.16 * 2^81 = 2.8E24 circuit depth, or about 300 trillion times longer than our estimate for factoring a 2k integer.  Now, this isn't quite an apples-to-apples comparison (for one, with Grover's, you could do some parallelism with independent Quantum Computers, however that costs more in terms of parallel units than you'd naively expect); however the fact remains that Grover's algorithm appears to be vastly more expensive than Shor's.  The only thing in favor of Grover's is that attacking AES-128 would take circa 1000 qubits (same paper), while factoring a 2k integer could be done with about 4 times more.

Also, while I did go through a number of papers, I cannot pretend that I did anything close to a full literature search.  If someone spots a relevant result that I missed (or one that I misinterpreted, or two results that I combined incorrectly), please correct me.


Further details on my assumptions and the research:

For one, I assumed that what we care about is "time taken", not "number of operations performed"; that is, our quantum hardware is able to perform some level of parallelism for independent operations; the Quantum Computing literature refers to this as the "Circuit Depth" (as opposed to "Circuit Size", which is the number of gate operations performed).

In addition, the vast majority of the computation is done performing the modular exponentiation; the other quantum operation, the quantum Fourier transform, is comparatively inexpensive (ref: https://arxiv.org/abs/quant-ph/0006004 ); the other operations are the classical pre- and post-computations, which are also comparatively cheap.

The most aggressive result I found for performing the modular exponentiation is https://arxiv.org/abs/1207.0511 ; this gives us a concrete result of 2000 n^2 operations (where n is the size of the modulus in bits).  This result is quadratic (meaning that doubling the modulus size only increases the attack time by a factor of 4); however, it is a comparatively expensive alternative (requiring about 9n qubits), and for 2k moduli, it would appear we can actually do better.  It does show that going to, say, a 16k modulus might not give us as much security as we would have hoped.

In the other extreme (how few resources do we need), there are a number of papers examining that, in particular, how we can solve the problem while minimizing the number of qubits used.  The results I cited earlier were all from this stream of research.  These results use 2n+epsilon qubits, where epsilon may be as small as 1.  Unfortunately, they use algorithms such as ripple addition, which is just as slow in the quantum realm as it is in the classical.  These algorithms result in a Shor's implementation that takes time cn^3 for some c; if we hit a hard bound on the number of qubits we can afford, that appears to be the best we can do.  Unfortunately, none of the papers I've seen actually give a concrete value for 'c'; on the other hand, we can do better anyways.

As an intermediate result, I did find https://pdfs.semanticscholar.org/a1dc/59b51794cf9737a7985da38a7230db89740a.pdf , which shows how to do moderately fast addition (they claim 30 log n circuit depth) using 3n/log n additional qubits (these are referred to as "ancillary" in the literature).  My opinion is that if you need to factor a 2048 bit number, then having 4700 qubits isn't that much more difficult than having 4100, and the additional 600 qubits allows you to speed up your computation by over an order of magnitude, which is likely to make it worth it.  If we take this adder, and use it to replace the serial adder within https://arxiv.org/abs/1611.07995, this would give you an implementation of Shor's algorithm with a depth of approximately 180 n^2 log n.  If this estimate is right, for a 2048 bit modulus, this would give us a depth of about 8 billion, which is approximately the same as the more aggressive implementation, but using far fewer qubits.

In addition, I referred to a 'gate time'; actually, there are a number of different types of quantum gates, including some that have no classical analogue, and it is certainly reasonable to expect them to take different amounts of time.  On the other hand, according to https://arxiv.org/abs/1202.5872, the speed difference is not drastic, most of the papers ignore this difference (the AES paper is the only one I could find that doesn't), and so I ignored this difference as well.

Note on the discrete log problem: I previously stated that you would need approximately double the number of qubits required to factor a modulus of the same size, and the time would approximately remain the same.  Digging further into this, it appears that the time might increase somewhat (but less than a factor of 2); that's because for factoring, you select a value 'a' and compute a^b (for entangled values of b); it turns out that using a=2 will yield a factorization (various strategies to select p and q in a manner to frustrate Shor with a=2 turn out not to work), and can (depending on the algorithm) make it more efficient.  Against the discrete log, you compute both g^b and h^b, where h is the value you're taking the discrete log of; this is a large value, and so the optimization you could take advantage of during factorization isn't available.  On the other hand, this doesn't increase the amount of time drastically.

Also, again, all the qubit numbers I quoted were "logical qubits", that is, qubits that have error correction logic applied.  Each "logical qubit" is made up of a number of "physical qubits"; the exact number depends on the quantum error correction algorithm used.

>
> > And I understand that there is also quite big classical computation
> > pre- and post-processing steps too.
>
> Not really; there is computation needed there, but it is quite
> straightforward.
>
> Shor's algorithm gives you a value k where a^x = a^(x+k) mod n; once you
> have that value k, factoring n is a well understood (and fairly easy) problem,
> solvable by, say, Miller's algorithm.
>

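To make the arithmetic in Scott's message checkable, here is an added example written for this page (not code from the message's author or from the papers it cites) that carries the estimate through: depth of roughly 180 n^2 log n gate times for the qubit-lean Shor variant with the fast adder, 2n + 3n/log n logical qubits, 16 microseconds per error-corrected gate, 2000 n^2 depth at about 9n qubits for the aggressive variant, and 1.16 * 2^81 depth for Grover against AES-128. Reading "log" as log2, the day conversion and all function names are this example's assumptions; the 250k-qubit figure for the 16k discrete log is not reproduced, because the message does not say how it was derived.

```python
"""Back-of-the-envelope Shor/Grover resource estimate, following the numbers in the thread.

Added example; not code from the message's author or from the cited papers.  Every
constant below is the one quoted in the message; the choice of log2 and the
wall-clock conversion (depth x gate time) are this example's assumptions.
"""
import math

GATE_TIME_S = 16e-6            # 1.6 us trapped-ion gate x 10 for error correction (message's guess)
SHOR_DEPTH_CONST = 180         # depth ~ 180 n^2 log n: arXiv:1611.07995 with the 30 log n adder
AGGRESSIVE_DEPTH_CONST = 2000  # depth ~ 2000 n^2 from arXiv:1207.0511, at ~9n qubits
GROVER_AES128_DEPTH = 1.16 * 2 ** 81   # Grover on AES-128, as quoted from the Grassl et al. paper


def shor_depth(n):
    """Circuit depth (in gate times) for Shor on an n-bit modulus, qubit-lean variant + fast adder."""
    return SHOR_DEPTH_CONST * n ** 2 * math.log2(n)   # assumption: log means log2


def shor_logical_qubits(n):
    """2n working qubits (epsilon ignored) plus the 3n/log n ancillas the fast adder needs."""
    return math.ceil(2 * n + 3 * n / math.log2(n))


def aggressive_depth(n):
    """Depth of the quadratic-time variant, which trades qubits for speed."""
    return AGGRESSIVE_DEPTH_CONST * n ** 2


def aggressive_logical_qubits(n):
    return 9 * n


def seconds_for_depth(depth, gate_time_s=GATE_TIME_S):
    """Wall-clock time if each layer of the circuit costs one error-corrected gate time."""
    return depth * gate_time_s


def attack_days(n, gate_time_s=GATE_TIME_S):
    return seconds_for_depth(shor_depth(n), gate_time_s) / 86400


def modulus_scaling(n_small, n_big):
    """Slowdown when moving from n_small-bit to n_big-bit moduli (n^2 log n growth)."""
    return shor_depth(n_big) / shor_depth(n_small)


def grover_vs_shor(n):
    """Depth ratio: Grover on AES-128 versus Shor on an n-bit modulus, same gate time assumed."""
    return GROVER_AES128_DEPTH / shor_depth(n)


def summary(n, gate_time_s=GATE_TIME_S):
    return {
        "bits": n,
        "depth": shor_depth(n),
        "logical_qubits": shor_logical_qubits(n),
        "days": attack_days(n, gate_time_s),
    }


if __name__ == "__main__":
    for bits in (2048, 3072, 4096, 8192, 16384):
        s = summary(bits)
        print(f"{bits:6d}-bit: depth {s['depth']:.2e}, {s['logical_qubits']:6d} logical qubits, "
              f"{s['days']:8.1f} days at {GATE_TIME_S * 1e6:.0f} us/gate")
    print(f"16k vs 2k slowdown: {modulus_scaling(2048, 16384):.0f}x")
    print(f"aggressive variant at 2048: depth {aggressive_depth(2048):.2e}, "
          f"{aggressive_logical_qubits(2048)} logical qubits")
    print(f"Grover(AES-128) / Shor(2048) depth: {grover_vs_shor(2048):.1e}x")
```

With these inputs the 2048-bit case comes out at about 8.3e9 depth, roughly 4650 logical qubits and about 1.5 days, the 16k case about 80 times longer (a few months), and Grover on AES-128 some 3e14 times deeper than Shor on 2048 bits, which are the figures the message quotes. Passing a smaller gate_time_s to attack_days shows how directly the wall-clock estimate tracks gate speed, the parameter the message singles out as most likely to move.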

From nobody Mon Jul 30 01:05:01 2018
From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Scott Fluhrer \(sfluhrer\)'" <sfluhrer=40cisco.com@dmarc.ietf.org>, "'Tero Kivinen'" <kivinen@iki.fi>
Cc: <ipsec@ietf.org>, <paul.hoffman@icann.org>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <23375.24083.491329.962989@fireball.acr.fi> <84371f3ca9be4a25b9cd9f0ce2e7321c@XCH-RTP-006.cisco.com>
In-Reply-To: <84371f3ca9be4a25b9cd9f0ce2e7321c@XCH-RTP-006.cisco.com>
Date: Mon, 30 Jul 2018 11:04:47 +0300
Message-ID: <02e301d427db$fc98cb20$f5ca6160$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/gO2UBXrMm94aIvZwXWgyqHNUzZg>
Subject: Re: [IPsec] Modp-12288 and Modp-16384

Thanks Scott, it was extremely helpful.

So, as far as I understand, it is not feasible for a QC to break 2K or larger MODP groups in real time
(say in a few seconds), and this restriction seems hard to overcome (at least with our current understanding).

What about ECDH groups? Can you estimate how long it would take a QC to break Ed448 or 521-bit groups?

Regards,
Valery.


> > > Any idea how many computations need to be done for the shor's
> > > algorithm, i.e., breaking 2048 bit Diffie-Hellman. I have just seen
> > > text saying it is polynomial time, but I have not really seen any
> > > guesses what the actual numbers are going to be.
> >
> > Very good question; the references I find all essentially say "cubic"; however
> > they don't immediately talk about the constant factor.  I suspect that this
> > constant factor won't be that large; however that most certainly merits
> > further investigation.
> 
> Ok, I went through the literature, and while the short answer is "it's complex", I do have some partial answers,
> including what I believe is a defensible time estimate.
> 
> I went through a number of academic papers, and came to the conclusion that factoring 2kbit numbers on a
> Quantum Computer with circa 4700 qubits available could reasonably be done in time circa 8 billion times the
> time taken by a single quantum gate (details on how I came to that conclusion are listed below); increasing
> the size of the numbers to 16k would increase the attack time by a factor of perhaps 60 to 100.
> 
> The other factor to address is the actual gate speed.  One result is
> http://www.nature.com/articles/nature25737 which gives a high fidelity (but not error corrected) gate speed
> of 1.6usec (using trapped ion qubits).  Adding error correction logic to that would add some overhead, if we
> take the guess that it slows things down by a factor of 10 (which is the approximate speed of the original Shor
> error correction code), then that gives us an error corrected speed of 16usec (or 60k gate operations per
> second).
> 
> Combining those two results would give an estimate of less than 2 days to factor a 2k integer.  As for
> computing a discrete log for a 16k modulus (which is what the original discussion was about), a somewhat
> larger quantum computer (circa 250k qubit) that ran at the same speed would take several months to
> compute the discrete log.
> 
> Of course, this time estimate is based on current published literature; this is quite an active field, and future
> work (especially in the realm of gate speed) could easily shrink these numbers significantly.
> 
> As a side note, if we look at the time it would take Grover's algorithm to break AES-128, we have
> https://www.researchgate.net/publication/287249961_Applying_Grover%27s_algorithm_to_AES_quantum_
> resource_estimates where they estimate a time of 1.16 * 2^81 = 2.8E24 circuit depth, or about 300 trillion
> times longer than our estimate for factoring a 2k integer.  Now, this isn't quite an apples-to-apples
> comparison (for one, with Grover's, you could do some parallelism with independent Quantum Computers,
> however that costs more in terms of parallel units than you'd naively expect); however the fact remains that
> Grover's algorithm appears to be vastly more expensive than Shor's.  The only thing in favor of Grover's is that
> attacking AES-128 would take circa 1000 qubits (same paper), while factoring a 2k integer could be done with
> about 4 times more.
> 
> Also, while I did go through a number of papers, I cannot pretend that I did anything close to a full literature
> search.  If someone spots a relevant result that I missed (or one that I misinterpreted, or two results that I
> combined incorrectly), please correct me.
> 
> 
> Further details on my assumptions and the research:
> 
> For one, I assumed that what we care about is "time taken", not "number of operations performed"; that is,
> our quantum hardware is able to perform some level of parallelism for independent operations; the Quantum
> Computing literature refers to this as the "Circuit Depth" (as opposed to "Circuit Size", which is the number of
> gate operations performed).
> 
> In addition, the vast majority of the computation is done performing the modular exponentiation; the other
> quantum operation, the quantum Fourier transform, is comparatively inexpensive (ref:
> https://arxiv.org/abs/quant-ph/0006004 ); the other operations are the classical pre- and post-computations,
> which are also comparatively cheap.
> 
> The most aggressive result I found for performing the modular exponentiation is
> https://arxiv.org/abs/1207.0511 ; this gives us a concrete result of 2000 n^2 operations (where n is the size
> of the modulus in bits).  This result is quadratic (meaning that doubling the modulus size only increases the
> attack time by a factor of 4); however, it is a comparatively expensive alternative (requiring about 9n qubits),
> and for 2k moduli, it would appear we can actually do better.  It does show that going to, say, a 16k modulus
> might not give us as much security as we would have hoped.
> 
> In the other extreme (how few resources do we need), there are a number of papers examining that, in
> particular, how we can solve the problem while minimizing the number of qubits used.  The results I cited
> earlier were all from this stream of research.  These results use 2n+epsilon qubits, where epsilon may be as
> small as 1.  Unfortunately, they use algorithms such as ripple addition, which is just as slow in the quantum
> realm as it is in the classical.  These algorithms result in a Shor's implementation that takes time cn^3 for some
> c; if we hit a hard bound on the number of qubits we can afford, that appears to be the best we can do.
> Unfortunately, none of the papers I've seen actually give a concrete value for 'c'; on the other hand, we can do
> better anyways.
> 
> As an intermediate result, I did find
> https://pdfs.semanticscholar.org/a1dc/59b51794cf9737a7985da38a7230db89740a.pdf , which shows how
> to do moderately fast addition (they claim 30 log n circuit depth) using 3n/log n additional qubits (these are
> referred to as "ancillary" in the literature).  My opinion is that if you need to factor a 2048 bit number, then
> having 4700 qubits isn't that much more difficult than having 4100, and the additional 600 qubits allows you
> to speed up your computation by over an order of magnitude, which is likely to make it worth it.  If we take
> this adder, and use it to replace the serial adder within https://arxiv.org/abs/1611.07995, this would give you
> an implementation of Shor's algorithm with a depth of approximately 180 n^2 log n.  If this estimate is right,
> for a 2048 bit modulus, this would give us a depth of about 8 billion, which is approximately the same as the
> more aggressive implementation, but using far fewer qubits.
> 
> In addition, I referred to a 'gate time'; actually, there are a number of different types of quantum gates,
> including some that have no classical analogue, and it is certainly reasonable to expect them to take different
> amounts of time.  On the other hand, according to https://arxiv.org/abs/1202.5872, the speed difference is
> not drastic, most of the papers ignore this difference (the AES paper is the only one I could find that doesn't),
> and so I ignored this difference as well.
> 
> Note on the discrete log problem: I previously stated that you would need approximately double the number
> of qubits required to factor a modulus of the same size, and the time would approximately remain the same.
> Digging further into this, it appears that the time might increase somewhat (but less than a factor of 2); that's
> because for factoring, you select a value 'a' and compute a^b (for entangled values of b); it turns out that
> using a=2 will yield a factorization (various strategies to select p and q in a manner to frustrate Shor with a=2
> turn out not to work), and can (depending on the algorithm) make it more efficient.  Against the discrete log,
> you compute both g^b and h^b, where h is the value you're taking the discrete log of; this is a large value, and
> so the optimization you could take advantage of during factorization isn't available.  On the other hand, this
> doesn't increase the amount of time drastically.
> 
> Also, again, all the qubit numbers I quoted were "logical qubits", that is, qubits that have error correction logic
> applied.  Each "logical qubit" is made up of a number of "physical qubits"; the exact number depends on the
> quantum error correction algorithm used.
> 
> >
> > > And I understand that there is also quite big classical computation
> > > pre- and post-processing steps too.
> >
> > Not really; there is computation needed there, but it is quite straight-
> > forward.
> >
> > Shor's algorithm gives you a value k where a^x = a^(x+k) mod n; once you
> > have that value k, factoring n is a well understood (and fairly easy) problem,
> > solvable by, say, Miller's algorithm.
> >
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec


From nobody Mon Jul 30 07:46:38 2018
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7123C1310D9 for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 07:46:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eonnqr2hLdk4 for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 07:46:32 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06EB11277BB for <ipsec@ietf.org>; Mon, 30 Jul 2018 07:46:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12989; q=dns/txt; s=iport; t=1532961992; x=1534171592; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=71YbW0wTtfd1SFqD4tHSPIlyNxXlOhX+g+70Abfc1BA=; b=fJ/ng+Bi1FD3UkpoTv3rQUAjEVl5DoV/FNQ4NjUmLaUTxZS7hcAl8fum K/8Rr/Xro1SW6D8I2d4+Ew8JrNKKKFeNn3EEXFMUmf/AYZDJn6str2Pb9 nRjBeEklJwktfbkxlfJ1UWLbU9V6wHsFgIyavWcGESe7toZbowCU2PdhW E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CcAQDoD19b/5pdJa1bGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAYNOY38oCpg2gg12h0yPCQsYC4RJAoMTITgUAQIBAQIBAQJ?= =?us-ascii?q?tHAyFNgEBAQECAQEBODQLDAQCAQgRBAEBHxAhBgsdCAIEAQ0FCIMZgWcDDQg?= =?us-ascii?q?PrEaHEg2DKoY+gkQXgUE/gRKCFEk1glZFAQEChzUCmWUrCQKGFYJmgy6DBIF?= =?us-ascii?q?QhBqIJwqKRlOGbQIRFIEkNCGBUnAVO4JpCQmCExeDRYRZO4U+bwqOKIEbAQE?=
X-IronPort-AV: E=Sophos;i="5.51,422,1526342400"; d="scan'208";a="427820870"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Jul 2018 14:46:30 +0000
Received: from XCH-RTP-010.cisco.com (xch-rtp-010.cisco.com [64.101.220.150]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id w6UEkUGO008559 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 30 Jul 2018 14:46:30 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-010.cisco.com (64.101.220.150) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 30 Jul 2018 10:46:29 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Mon, 30 Jul 2018 10:46:29 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "'Tero Kivinen'" <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "paul.hoffman@icann.org" <paul.hoffman@icann.org>
Thread-Topic: [IPsec] Modp-12288 and Modp-16384
Thread-Index: AQHUHeEt9Kg9dsLIj0KCW8RHo8p9L6STh0TQgACnDgCAAB09wIABFW+A///q+XCADMB1cIAFstaAgAAQcyA=
Date: Mon, 30 Jul 2018 14:46:29 +0000
Message-ID: <c7b20dc69eb64d3389d96cbaba7c4b03@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <23375.24083.491329.962989@fireball.acr.fi> <84371f3ca9be4a25b9cd9f0ce2e7321c@XCH-RTP-006.cisco.com> <02e301d427db$fc98cb20$f5ca6160$@gmail.com>
In-Reply-To: <02e301d427db$fc98cb20$f5ca6160$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.150, xch-rtp-010.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/EuRIUUGYrGro6Yx7n5_big6mK-Q>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 14:46:36 -0000

> -----Original Message-----
> From: Valery Smyslov <smyslov.ietf@gmail.com>
> Sent: Monday, July 30, 2018 4:05 AM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Tero Kivinen'
> <kivinen@iki.fi>
> Cc: ipsec@ietf.org; paul.hoffman@icann.org
> Subject: RE: [IPsec] Modp-12288 and Modp-16384
>
> Thanks Scott, it was extremely helpful.
>
> So, as far as I understand, it is not feasible for QC to break 2K or larger MODP
> groups in real time (say, in a few seconds), and this restriction seems hard to
> overcome (at least with our current understanding).

Note that these estimates were based on currently published results; it is extremely likely that these will be improved on, and it would be difficult to guess by how much.

It would appear that the speed of a Quantum Gate would need to increase by perhaps a factor of 1000 (along with some algorithm improvements) in order to make breaking MODP in real time feasible; I would personally be uncomfortable making the implausibility of this a security assumption.

>
> What about ECDH groups? Can you estimate how long it would take for QC to
> break Ed448 or 521-bit groups?

Well, I didn't see any papers talking about a Quantum attack of ECDH.  However, based on what I've seen:

- The DLOG approach of performing two parallel modular exponentiations would certainly appear to be applicable to ECC; hence the time would essentially be bounded by twice the time taken to perform a point multiplication (note: we assume that the two point multiplies are done in parallel; the twice mentioned is the amount of data that Shor's algorithm needs to do its QFFT).

- From the previous results, we should be able to perform an n-bit modular multiply in 90n log n gate delays time (log is base 2).

- Constant time ECC algorithms would appear to translate directly into the Quantum realm; these take circa 10 modular multiplies (and some modular adds/subtracts, but they're cheap) per bit of the multiplier; however if we allow parallel multiplies (which uses a few more qubits), we might be able to manage with as few as 3 modular multiplies (or might not; in Quantum Computing, all operations need to be invertible, and the parallel multiplies might make this difficult; if we can't get to this level of parallelism, this estimate might be off by a factor of 2).  We also have to do a modular inversion at the end (as the QFFT algorithm at the end will need equivalent points to have the same bit pattern).

- Adding everything together (and assuming we can go with the full parallel multiply option), we get around 600 n^2 log n gate delays (where I'm using n to mean both the characteristic of the field and the curve group size; they're close enough that the difference doesn't matter for this crude estimate).

With n=448, we get circa 1 billion, a fraction of the time we estimated to break RSA-2048; with our 60,000 gate operations per second, that's about 5 hours.  If we count Qubits, it would appear that ECC also uses considerably fewer; however coming up with an exact number is nontrivial (the parallel multiplies may share sources, and so some additional ancillary qubits may be needed).

So, with this rather crude (and off-the-cuff) analysis, ECC looks to be noticeably weaker against a Quantum Computer.  Of course, this is such a crude estimate, it's not clear if it ought to be used to make any real security decisions...

>
> Regards,
> Valery.
>
>
> > > > Any idea how many computations needs to be done for the shor's
> > > > algorithm, i.e., breaking 2048 bit Diffie-Hellman. I have just
> > > > seen text saying it is polynomial time, but I have not really
> > > > seen any guesses what the actual numbers are going to be.
> > >
> > > Very good question; the references I find all essentially say
> > > "cubic"; however they don't immediately talk about the constant
> > > factor.  I suspect that this constant factor won't be that large;
> > > however that most certainly merits further investigation.
> >
> > Ok, I went through the literature, and while the short answer is "it's
> > complex", I do have some partial answers, including what I believe is a
> > defensible time estimate.
> >
> > I went through a number of academic papers, and came to the conclusion
> > that factoring 2kbit numbers on a Quantum Computer with circa 4700
> > qubits available could reasonably be done in time circa 8 billion
> > times the time taken by a single quantum gate (details on how I came to
> > that conclusion are listed below); increasing the size of the numbers to 16k
> > would increase the attack time by a factor of perhaps 60 to 100.
> >
> > The other factor to address is the actual gate speed.  One result is
> > http://www.nature.com/articles/nature25737 which gives a high fidelity
> > (but not error corrected) gate speed of 1.6usec (using trapped ion
> > qubits).  Adding error correction logic to that would add some
> > overhead, if we take the guess that it slows things down by a factor
> > of 10 (which is the approximate speed of the original Shor error correction
> > code), then that gives us an error corrected speed of 16usec (or 60k gate
> > operations per second).
> >
> > Combining those two results would give an estimate of less than 2 days
> > to factor a 2k integer.  As for computing a discrete log for a 16k
> > modulus (which is what the original discussion was about), a somewhat
> > larger quantum computer (circa 250k qubit) that ran at the same speed
> > would take several months to compute the discrete log.
> >
> > Of course, this time estimate is based on current published
> > literature; this is quite an active field, and future work (especially in the
> > realm of gate speed) could easily shrink these numbers significantly.
> >
> > As a side note, if we look at the time it would take Grover's
> > algorithm to break AES-128, we have
> > https://www.researchgate.net/publication/287249961_Applying_Grover%27s_algorithm_to_AES_quantum_resource_estimates
> > where they estimate a time of 1.16 2^81 = 2.8E24 circuit depth, or about 300 trillion times
> > longer than our estimate for factoring a 2k integer.  Now, this isn't
> > quite an apples-to-apples comparison (for one, with Grover's, you
> > could do some parallelism with independent Quantum Computers, however
> > that costs more in terms of parallel units than you'd naively expect);
> > however the fact remains that Grover's algorithm appears to be vastly
> > more expensive than Shor's.  The only thing in favor of Grover's is that
> > attacking AES-128 would take circa 1000 qubits (same paper), while factoring
> > a 2k integer could be done with about 4 times more.
> >
> > Also, while I did go through a number of papers, I cannot pretend that
> > I did anything close to a full literature search.  If someone spots a
> > relevant result that I missed (or one that I misinterpreted, or two results
> > that I combined incorrectly), please correct me.
> >
> >
> > Further details on my assumptions and the research:
> >
> > For one, I assumed that what we care about is "time taken", not
> > "number of operations performed"; that is, our quantum hardware is
> > able to perform some level of parallelism for independent operations;
> > the Quantum Computing literature refers to this as the "Circuit Depth" (as
> > opposed to "Circuit Size", which is the number of gate operations
> > performed).
> >
> > In addition, the vast majority of the computation is done performing
> > the modular exponentiation; the other quantum operation, the quantum
> > Fourier transform, is comparatively inexpensive (ref:
> > https://arxiv.org/abs/quant-ph/0006004 ); the other operations are the
> > classical pre- and post-computations, which are also comparatively cheap.
> >
> > The most aggressive result I found for performing the modular
> > exponentiation is
> > https://arxiv.org/abs/1207.0511 ; this gives us a concrete result of
> > 2000 n^2 operations (where n is the size of the modulus in bits).
> > This result is quadratic (meaning that doubling the modulus size only
> > increases the attack time by a factor of 4); however, it is a
> > comparatively expensive alternative (requiring about 9n qubits), and for 2k
> > moduli, it would appear we can actually do better.  It does show that going
> > to, say, a 16k modulus might not give us as much security as we would have
> > hoped.
> >
> > In the other extreme (how few resources do we need), there are a
> > number of papers examining that, in particular, how we can solve the
> > problem while minimizing the number of qubits used.  The results I
> > cited earlier were all from this stream of research.  These results
> > use 2n+epsilon qubits, where epsilon may be as small as 1.
> > Unfortunately, they use algorithms such as ripple addition, which is just as
> > slow in the quantum realm as it is in the classical.  These algorithms result in a
> > Shor's implementation that takes time cn^3 for some c; if we hit a hard
> > bound on the number of qubits we can afford, that appears to be the best
> > we can do.
> > Unfortunately, none of the papers I've seen actually give a concrete
> > value for 'c'; on the other hand, we can do better anyways.
> >
> > As an intermediate result, I did find
> > https://pdfs.semanticscholar.org/a1dc/59b51794cf9737a7985da38a7230db89740a.pdf
> > , which shows how to do moderately fast addition (they claim
> > 30 log n circuit depth) using 3n/log n additional qubits (these are
> > referred to as "ancillary" in the literature).  My opinion is that if
> > you need to factor a 2048 bit number, then having 4700 qubits isn't
> > that much more difficult than having 4100, and the additional 600
> > qubits allows you to speed up your computation by over an order of
> > magnitude, which is likely to make it worth it.  If we take this
> > adder, and use it to replace the serial adder within
> > https://arxiv.org/abs/1611.07995, this would give you an implementation of
> > Shor's algorithm with a depth of approximately 180 n^2 log n.  If this
> > estimate is right, for a 2048 bit modulus, this would give us a depth of about 8
> > billion, which is approximately the same as the more aggressive
> > implementation, but using far fewer qubits.
> >
> > In addition, I referred to a 'gate time'; actually, there are a number
> > of different types of quantum gates, including some that have no
> > classical analogue, and it is certainly reasonable to expect them to
> > take different amounts of time.  On the other hand, according to
> > https://arxiv.org/abs/1202.5872, the speed difference is not drastic, most
> > of the papers ignore this difference (the AES paper is the only one I could
> > find that doesn't), and so I ignored this difference as well.
> >
> > Note on the discrete log problem: I previously stated that you would
> > need approximately double the number of qubits required to factor a
> > modulus of the same size, and the time would approximately remain the
> > same.
> > Digging further into this, it appears that the time might increase
> > somewhat (but less than a factor of 2); that's because for factoring,
> > you select a value 'a' and compute a^b (for entangled values of b); it
> > turns out that using a=2 will yield a factorization (various
> > strategies to select p and q in a manner to frustrate Shor with a=2
> > turn out not to work), and can (depending on the algorithm) make it
> > more efficient.  Against the discrete log, you compute both g^b and h^b,
> > where h is the value you're taking the discrete log of; this is a large value, and
> > so the optimization you could take advantage of during factorization isn't
> > available.  On the other hand, this doesn't increase the amount of time
> > drastically.
> >
> > Also, again, all the qubit numbers I quoted were "logical qubits",
> > that is, qubits that have error correction logic applied.  Each
> > "logical qubit" is made up of a number of "physical qubits"; the exact
> > number depends on the quantum error correction algorithm used.
> >
> > >
> > > > And I understand that there is also quite big classical
> > > > computation
> > > > pre- and post-processing steps too.
> > >
> > > Not really; there is computation needed there, but it is quite
> > > straightforward.
> > >
> > > Shor's algorithm gives you a value k where a^x = a^(x+k) mod n; once
> > > you have that value k, factoring n is a well understood (and fairly
> > > easy) problem, solvable by, say, Miller's algorithm.
> > >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
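
The cost figures in the message above all follow from two quoted formulas (a depth of c * n^2 * log2 n gate delays, with c = 180 for the fast-adder Shor implementation and c = 600 for the crude ECC estimate) and one assumed gate rate (16 usec per error-corrected gate, about 60k gates per second). The Python below is an added example, not code from the mail or its authors: it carries that arithmetic through so the 2K and 16K MODP figures, the 60x to 100x scaling, and the 5-hour Ed448 figure can be checked and rerun under other assumptions. The ECC constant is included only to reproduce the number quoted; the author withdraws that ECC analysis in a later message. The helper names (`circuit_depth`, `attack_seconds`, `size_scaling`, `required_gate_speedup`, `report`) and the "finish within ten seconds" question answered by `required_gate_speedup` are this example's own, not something the mail computes.

```python
"""Shor cost model from the thread's figures (added example, not from the mail).

depth(n)  = c * n^2 * log2(n) gate delays          (formulas quoted in the mail)
seconds   = depth * gate_time, gate_time = 16 us   (1.6 us gate x 10 for error correction)
"""
import math

GATE_TIME_S = 16e-6        # error-corrected gate time assumed in the mail (~60k gates/s)
SHOR_MODEXP_C = 180.0      # fast-adder Shor implementation: 180 n^2 log n
ECC_CRUDE_C = 600.0        # crude ECC figure quoted in the mail, later withdrawn


def circuit_depth(n_bits: int, c: float) -> float:
    """Gate-delay depth c * n^2 * log2(n) for an n-bit modulus or field."""
    return c * n_bits ** 2 * math.log2(n_bits)


def attack_seconds(n_bits: int, c: float, gate_time_s: float = GATE_TIME_S,
                   gate_speedup: float = 1.0) -> float:
    """Wall-clock time for one run at the assumed gate time, optionally divided
    by a hardware speedup factor (the mail speculates about ~1000x)."""
    return circuit_depth(n_bits, c) * gate_time_s / gate_speedup


def size_scaling(n_small: int, n_large: int, c: float) -> float:
    """Slowdown when the modulus grows: (n_large/n_small)^2 times the log ratio."""
    return circuit_depth(n_large, c) / circuit_depth(n_small, c)


def required_gate_speedup(n_bits: int, c: float, target_seconds: float) -> float:
    """Added helper: gate-speed factor needed to finish within target_seconds at
    the quoted depth, assuming no algorithmic improvement at all."""
    return attack_seconds(n_bits, c) / target_seconds


def report() -> dict:
    """The thread's headline numbers, recomputed from the constants above."""
    return {
        "modp2048_depth": circuit_depth(2048, SHOR_MODEXP_C),          # ~8.3e9
        "modp2048_days": attack_seconds(2048, SHOR_MODEXP_C) / 86400,  # < 2 days
        "modp16384_vs_2048": size_scaling(2048, 16384, SHOR_MODEXP_C),  # ~81x
        "ecc448_depth": circuit_depth(448, ECC_CRUDE_C),               # ~1.06e9
        "ecc448_hours": attack_seconds(448, ECC_CRUDE_C) / 3600,       # ~4.7 h
        "speedup_for_10s_modp2048": required_gate_speedup(2048, SHOR_MODEXP_C, 10),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:>26}: {value:,.2f}")
```

The last entry is the pure gate-speed factor that would be needed to finish MODP-2048 in ten seconds at the quoted depth with no algorithmic gains; the mail's "factor of 1000" explicitly folds expected algorithm improvements into its figure. Changing `GATE_TIME_S` or the constants re-derives everything else.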


From nobody Mon Jul 30 11:20:24 2018
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2DD4130E63 for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 11:20:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIQxCKfvL9xk for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 11:20:20 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31FA1129619 for <ipsec@ietf.org>; Mon, 30 Jul 2018 11:20:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2374; q=dns/txt; s=iport; t=1532974820; x=1534184420; h=from:to:cc:subject:date:message-id:references: content-transfer-encoding:mime-version; bh=P3ua1Cn6kn+89sdwb1TNQwFJbUk3g8Z57cq7pVY6TtA=; b=e+j+w18lVLesXEy1IWe8o6fCaPNwwY8LVsLdi7WOB6CpJnIPJC/vC7gj 8UbUMySHR2+0e5gPOyfNyytmg/D8CgiqfvotFwxQj4Mg1CqBNXb2CZ9Nt xTo1q32mIrru/f/tzp1dJa6SMsUEYihYFhlEhaEA1PHG/zC8fQPT54R94 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DhAQDaVV9b/5RdJa1bGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAYNOgWIoCpg2gg2IQo0PgXoLhGwCgxMhNhYBAgEBAgEBAm0?= =?us-ascii?q?ohTYBAQEBAzo/DAQCAQgRBAEBHxAhER0IAgQBDQUIhQADFa1nhxMNgyaGPoJ?= =?us-ascii?q?EF4FBP4ESgxKCVod+AodVkhArCQKMKYMEjhEKixmGbQIRFIEkJAwlgVJwFYM?= =?us-ascii?q?kkFNvjjGBGwEB?=
X-IronPort-AV: E=Sophos;i="5.51,422,1526342400"; d="scan'208";a="150695509"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Jul 2018 18:20:19 +0000
Received: from XCH-RTP-006.cisco.com (xch-rtp-006.cisco.com [64.101.220.146]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id w6UIKJlX025365 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 30 Jul 2018 18:20:19 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-006.cisco.com (64.101.220.146) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 30 Jul 2018 14:20:18 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Mon, 30 Jul 2018 14:20:18 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "'Tero Kivinen'" <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "paul.hoffman@icann.org" <paul.hoffman@icann.org>
Thread-Topic: [IPsec] Modp-12288 and Modp-16384
Thread-Index: AQHUHeEt9Kg9dsLIj0KCW8RHo8p9L6STh0TQgACnDgCAAB09wIABFW+A///q+XCADMB1cIAFstaAgAAQcyCAAFSocA==
Date: Mon, 30 Jul 2018 18:20:18 +0000
Message-ID: <e8265091bc534ed1a68f94bd0d5c1222@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <23375.24083.491329.962989@fireball.acr.fi> <84371f3ca9be4a25b9cd9f0ce2e7321c@XCH-RTP-006.cisco.com> <02e301d427db$fc98cb20$f5ca6160$@gmail.com> 
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.146, xch-rtp-006.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8Px_Toc2F8d2LSHwuvSkxUjDyxE>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 18:20:22 -0000

Sigh, a rather major correction here...

> -----Original Message-----
> From: Scott Fluhrer (sfluhrer)
> Sent: Monday, July 30, 2018 10:46 AM
> To: 'Valery Smyslov' <smyslov.ietf@gmail.com>; 'Tero Kivinen'
> <kivinen@iki.fi>
> Cc: ipsec@ietf.org; paul.hoffman@icann.org
> Subject: RE: [IPsec] Modp-12288 and Modp-16384
>
>
>
> > -----Original Message-----
> > From: Valery Smyslov <smyslov.ietf@gmail.com>
> > Sent: Monday, July 30, 2018 4:05 AM
> > To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Tero Kivinen'
> > <kivinen@iki.fi>
> > Cc: ipsec@ietf.org; paul.hoffman@icann.org
> > Subject: RE: [IPsec] Modp-12288 and Modp-16384
> >
>
> >
> > What about ECDH groups? Can you estimate how long would it take for QC
> > to break Ed448 or 521-bit groups?
>
> Well, I didn't see any papers talking about a Quantum attack of ECDH.
> However, based on what I've seen:

Oops, my analysis of ECC is broken, and should be disregarded.

One major problem is my blithe assertion that:

> - Constant time ECC algorithms would appear to translate directly into the
> Quantum realm

Nope; they rely on operations that are easy in the classical realm, but don't directly translate into the Quantum.  For one, they do operations such as:

    u := u^2 mod p

A classical computer has no problem with this, however a Quantum Computer is forbidden from doing that exact operation.  The problem is that all computations done by a Quantum Computer (other than the measurement operation, which this is not) must be invertible.  However, with this operation, if the final u value is '1', we have no idea if the original 'u' value was either 1 or p-1; hence it's not invertible, and so we cannot do it.

The standard Quantum Computing way to express this is something like:

   (u, v) := (u, v + (u^2 mod p))

for some reasonable meaning of '+', possibly xor, possibly modular addition.  However, just cutting/pasting this into the standard ECC algorithms would chew up massive numbers of ancillary qubits, and so that's not an option.  One probably could restructure the ECC computations to avoid these problems (uncomputing the ancillary qubits so they can be used in later iterations), however I cannot guess how expensive that would be.

Sorry for the wrong answer I gave earlier.
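
The reversibility argument in the message above can be checked classically on a toy field. The Python below is an added example, not code from the mail: it enumerates u -> u^2 mod p over a small constructed prime to expose the (u, p-u) collisions that make the in-place squaring non-invertible, then verifies that the ancilla form (u, v) -> (u, v + (u^2 mod p)) is a bijection on the whole (u, v) state space for both readings of '+' named in the mail (XOR and modular addition), and that applying the XOR form a second time restores the ancilla to its starting value, which is the "uncompute" step that lets a register be reused. The prime p = 23, the 5-bit ancilla width and all function names are this example's choices; real curve fields are hundreds of bits wide, but the properties shown do not depend on the size.

```python
"""Reversibility of u := u^2 mod p vs. the ancilla form (added example, not from the mail).

Constructed toy parameters: p = 23, ancilla register of 5 bits (2**5 = 32 > p,
so it can hold any value below p).  A unitary gate must be a permutation of
the state space; the checks below test exactly that property.
"""
from collections import defaultdict

P = 23
ANCILLA_BITS = 5           # must satisfy 2**ANCILLA_BITS > P


def square_collisions(p: int) -> dict:
    """Outputs of u -> u^2 mod p that have more than one preimage.
    From such an output the in-place operation cannot be run backwards, so it
    cannot be realised as a quantum gate."""
    preimages = defaultdict(set)
    for u in range(p):
        preimages[u * u % p].add(u)
    return {out: ins for out, ins in preimages.items() if len(ins) > 1}


def square_xor(u: int, v: int, p: int) -> tuple:
    """(u, v) -> (u, v XOR (u^2 mod p)); u is carried through unchanged."""
    return u, v ^ (u * u % p)


def square_modadd(u: int, v: int, p: int) -> tuple:
    """(u, v) -> (u, (v + u^2) mod p): the modular-addition reading of '+'."""
    return u, (v + u * u) % p


def square_modadd_inverse(u: int, v: int, p: int) -> tuple:
    """Inverse of square_modadd: subtract u^2 back out of the ancilla."""
    return u, (v - u * u) % p


def is_bijection(step, p: int, v_range: int) -> bool:
    """True if `step` permutes the full (u, v) state space, u < p, v < v_range."""
    images = {step(u, v, p) for u in range(p) for v in range(v_range)}
    return len(images) == p * v_range


def xor_form_uncomputes(p: int, bits: int) -> bool:
    """Applying the XOR form twice restores (u, v): the second application is
    the uncompute that frees the ancilla for the next iteration."""
    return all(square_xor(*square_xor(u, v, p), p) == (u, v)
               for u in range(p) for v in range(1 << bits))


def modadd_form_round_trips(p: int) -> bool:
    """square_modadd followed by its inverse restores (u, v) for every state."""
    return all(square_modadd_inverse(*square_modadd(u, v, p), p) == (u, v)
               for u in range(p) for v in range(p))


if __name__ == "__main__":
    bad = square_collisions(P)
    print(f"{len(bad)} outputs of u^2 mod {P} have two preimages, e.g. 1 <- {sorted(bad[1])}")
    print("xor form is a bijection:  ", is_bijection(square_xor, P, 1 << ANCILLA_BITS))
    print("xor form self-inverse:    ", xor_form_uncomputes(P, ANCILLA_BITS))
    print("modadd form is a bijection:", is_bijection(square_modadd, P, P))
    print("modadd form round-trips:  ", modadd_form_round_trips(P))
```

For p = 23 every non-zero square has exactly the two preimages u and p-u (the 1 and p-1 case from the mail among them), so the in-place map loses one bit per squaring; the ancilla forms lose nothing because u survives. The cost the mail worries about is visible here too: each squaring needs its own v register unless it is uncomputed before the next one.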


From nobody Mon Jul 30 11:38:03 2018
Return-Path: <danibrown@blackberry.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5904E131176 for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 11:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYWrBlYRcZxV for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 11:37:50 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D96AB13114F for <ipsec@ietf.org>; Mon, 30 Jul 2018 11:37:48 -0700 (PDT)
X-Spoof: 
Received: from xct105cnc.rim.net ([10.65.161.205]) by mhs210cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Jul 2018 14:37:47 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT105CNC.rim.net ([fe80::d13d:b7a2:ae5e:db06%16]) with mapi id 14.03.0319.002; Mon, 30 Jul 2018 14:37:46 -0400
From: Dan Brown <danibrown@blackberry.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>, "Valery Smyslov" <smyslov.ietf@gmail.com>, 'Tero Kivinen' <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "paul.hoffman@icann.org" <paul.hoffman@icann.org>
Thread-Topic: [IPsec] Modp-12288 and Modp-16384
Thread-Index: AQHUHeEoIkfqR6IGxkqHvLuO3lN0AqSTh0TQgACnDgCAAB09wIABFW+A///q+XCADMB1cIAFstaAgAAQcyCAAFSocIAACLK1
Date: Mon, 30 Jul 2018 18:37:46 +0000
Message-ID: <20180730183744.8642646.62709.27042@blackberry.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <23375.24083.491329.962989@fireball.acr.fi> <84371f3ca9be4a25b9cd9f0ce2e7321c@XCH-RTP-006.cisco.com> <02e301d427db$fc98cb20$f5ca6160$@gmail.com> ,<e8265091bc534ed1a68f94bd0d5c1222@XCH-RTP-006.cisco.com>
In-Reply-To: <e8265091bc534ed1a68f94bd0d5c1222@XCH-RTP-006.cisco.com>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mNc8VAMe7eACASBJBkMa8wKbmoE>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 18:38:02 -0000

For ECC v QC, see also

https://ia.cr/2017/598

  Original Message
From: Scott Fluhrer (sfluhrer)
Sent: Monday, July 30, 2018 2:20 PM
To: Valery Smyslov; 'Tero Kivinen'
Cc: ipsec@ietf.org; paul.hoffman@icann.org
Subject: Re: [IPsec] Modp-12288 and Modp-16384


Sigh, a rather major correction here...

> -----Original Message-----
> From: Scott Fluhrer (sfluhrer)
> Sent: Monday, July 30, 2018 10:46 AM
> To: 'Valery Smyslov' <smyslov.ietf@gmail.com>; 'Tero Kivinen'
> <kivinen@iki.fi>
> Cc: ipsec@ietf.org; paul.hoffman@icann.org
> Subject: RE: [IPsec] Modp-12288 and Modp-16384
>
>
>
> > -----Original Message-----
> > From: Valery Smyslov <smyslov.ietf@gmail.com>
> > Sent: Monday, July 30, 2018 4:05 AM
> > To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Tero Kivinen'
> > <kivinen@iki.fi>
> > Cc: ipsec@ietf.org; paul.hoffman@icann.org
> > Subject: RE: [IPsec] Modp-12288 and Modp-16384
> >
>
> >
> > What about ECDH groups? Can you estimate how long would it take for QC
> > to break Ed448 or 521-bit groups?
>
> Well, I didn't see any papers talking about a Quantum attack of ECDH.
> However, based on what I've seen:

Oops, my analysis of ECC is broken, and should be disregarded.

One major problem is my blithe assertion that:

> - Constant time ECC algorithms would appear to translate directly into the
> Quantum realm

Nope; they rely on operations that are easy in the classical realm, but don't directly translate into the Quantum.  For one, they do operations such as:

    u := u^2 mod p

A classical computer has no problem with this, however a Quantum Computer is forbidden from doing that exact operation.  The problem is that all computations done by a Quantum Computer (other than the measurement operation, which this is not) must be invertible.  However, with this operation, if the final u value is '1', we have no idea if the original 'u' value was either 1 or p-1; hence it's not invertible, and so we cannot do it.

The standard Quantum Computing way to express this is something like:

   (u, v) := (u, v + (u^2 mod p))

for some reasonable meaning of '+', possibly xor, possibly modular addition.  However, just cutting/pasting this into the standard ECC algorithms would chew up massive numbers of ancillary qubits, and so that's not an option.  One probably could restructure the ECC computations to avoid these problems (uncomputing the ancillary qubits so they can be used in later iterations), however I cannot guess how expensive that would be.

Sorry for the wrong answer I gave earlier.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


From nobody Mon Jul 30 11:52:34 2018
Return-Path: <Paul.Koning@dell.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BED01130EAE for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 11:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level: 
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S-L71-e0Cjdv for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 11:52:31 -0700 (PDT)
Received: from esa8.dell-outbound.iphmx.com (esa8.dell-outbound.iphmx.com [68.232.149.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBE7C130DF3 for <ipsec@ietf.org>; Mon, 30 Jul 2018 11:52:30 -0700 (PDT)
Received: from esa6.dell-outbound2.iphmx.com ([68.232.154.99]) by esa8.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Jul 2018 13:52:30 -0500
From: <Paul.Koning@dell.com>
Received: from ausxippc106.us.dell.com ([143.166.85.156]) by esa6.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Jul 2018 00:52:29 +0600
X-LoopCount0: from 10.166.132.71
X-IronPort-AV: E=Sophos;i="5.51,424,1526360400"; d="scan'208";a="274603105"
To: <danibrown@blackberry.com>
CC: <sfluhrer=40cisco.com@dmarc.ietf.org>, <smyslov.ietf@gmail.com>, <kivinen@iki.fi>, <ipsec@ietf.org>, <paul.hoffman@icann.org>
Thread-Topic: [IPsec] Modp-12288 and Modp-16384
Date: Mon, 30 Jul 2018 18:52:28 +0000
Message-ID: <5BC3D439-1ADC-4DF1-B981-68227AAFDD3E@dell.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <23375.24083.491329.962989@fireball.acr.fi> <84371f3ca9be4a25b9cd9f0ce2e7321c@XCH-RTP-006.cisco.com> <02e301d427db$fc98cb20$f5ca6160$@gmail.com> <e8265091bc534ed1a68f94bd0d5c1222@XCH-RTP-006.cisco.com> <20180730183744.8642646.62709.27042@blackberry.com>
In-Reply-To: <20180730183744.8642646.62709.27042@blackberry.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.143.18.86]
Content-Type: text/plain; charset="utf-8"
Content-ID: <3F25DA54813E614DBB2D3EB5F04D7714@dell.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/FpMTTN0wvPyPgr9bv5ghJ-ws_n0>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 18:52:33 -0000

From nobody Mon Jul 30 13:26:08 2018
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADB90130E29 for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 13:26:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KHbcqOVIwcEn for <ipsec@ietfa.amsl.com>; Mon, 30 Jul 2018 13:26:04 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B67C130E07 for <ipsec@ietf.org>; Mon, 30 Jul 2018 13:26:04 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.51,424,1526342400"; d="scan'208";a="149898214"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Jul 2018 20:26:03 +0000
Received: from XCH-RTP-010.cisco.com (xch-rtp-010.cisco.com [64.101.220.150]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id w6UKQ2mq011501 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 30 Jul 2018 20:26:02 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-010.cisco.com (64.101.220.150) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 30 Jul 2018 16:26:01 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Mon, 30 Jul 2018 16:26:01 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Paul.Koning@dell.com" <Paul.Koning@dell.com>, "danibrown@blackberry.com" <danibrown@blackberry.com>
CC: "smyslov.ietf@gmail.com" <smyslov.ietf@gmail.com>, "kivinen@iki.fi" <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>, "paul.hoffman@icann.org" <paul.hoffman@icann.org>
Thread-Topic: [IPsec] Modp-12288 and Modp-16384
Date: Mon, 30 Jul 2018 20:26:01 +0000
Message-ID: <9f507252713c498c941aed3ecc05758c@XCH-RTP-006.cisco.com>
References: <23374.2088.627941.395947@fireball.acr.fi> <bae851bfe5544c3b88d6dfbc8a84a5e0@XCH-RTP-006.cisco.com> <23374.23762.892194.932776@fireball.acr.fi> <573c2a4d6ecf41459726db7a976b1846@XCH-RTP-006.cisco.com> <23375.24083.491329.962989@fireball.acr.fi> <84371f3ca9be4a25b9cd9f0ce2e7321c@XCH-RTP-006.cisco.com> <02e301d427db$fc98cb20$f5ca6160$@gmail.com> <e8265091bc534ed1a68f94bd0d5c1222@XCH-RTP-006.cisco.com> <20180730183744.8642646.62709.27042@blackberry.com> <5BC3D439-1ADC-4DF1-B981-68227AAFDD3E@dell.com>
In-Reply-To: <5BC3D439-1ADC-4DF1-B981-68227AAFDD3E@dell.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.150, xch-rtp-010.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/fjX1Cw73JuhBXKUnfll6eZ-g3lc>
Subject: Re: [IPsec] Modp-12288 and Modp-16384
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 20:26:07 -0000

> -----Original Message-----
> From: Paul.Koning@dell.com <Paul.Koning@dell.com>
> Sent: Monday, July 30, 2018 2:52 PM
> To: danibrown@blackberry.com
> Cc: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; smyslov.ietf@gmail.com;
> kivinen@iki.fi; ipsec@ietf.org; paul.hoffman@icann.org
> Subject: Re: [IPsec] Modp-12288 and Modp-16384
> 
> Interesting item in the abstract:  "... using a quantum circuit of at most
> 448.n^3.log2(n)+4090.n^3 Toffoli gates."  In the past I've seen mention of
> qubit counts but not gate counts.  While the gate count isn't exponential, it's
> nevertheless formidable.  For 1000 bit inputs it translates to several
> teragates.  How tight is that upper bound?

I believe that is a misleading statistic.

What that is a measure of is "if we implement the circuit as a huge combinatorial circuit, how many individual quantum gates will we need?"

It's misleading because, in practice, we'd never implement things that way.  Instead, we'd devise ways where the same physical Toffoli gate is used multiple times during the computation (analogous to how, on a classical computer, we reuse the same addition and multiplication circuit repeatedly when performing a series of operations).

Now, in the Quantum realm, this problem turns out to be a bit different than in the classical realm; however I believe that is a problem that can be solved (and, indeed, needs to be solved for Quantum Computing to be realistic)

