From nobody Mon Apr 1 23:34:00 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36575120106; Mon, 1 Apr 2019 23:33:59 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.199 X-Spam-Level: X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EzxyuV3bXZQr; Mon, 1 Apr 2019 23:33:57 -0700 (PDT) Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83B6C1200F6; Mon, 1 Apr 2019 23:33:57 -0700 (PDT) Received: from LHREML713-CAH.china.huawei.com (unknown [10.201.108.36]) by Forcepoint Email with ESMTP id 84FB3E60F4B9BEFD430A; Tue, 2 Apr 2019 07:33:55 +0100 (IST) Received: from lhreml703-chm.china.huawei.com (10.201.108.52) by LHREML713-CAH.china.huawei.com (10.201.108.36) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 2 Apr 2019 07:33:54 +0100 Received: from lhreml703-chm.china.huawei.com (10.201.108.52) by lhreml703-chm.china.huawei.com (10.201.108.52) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Tue, 2 Apr 2019 07:33:54 +0100 Received: from NKGEML411-HUB.china.huawei.com (10.98.56.70) by lhreml703-chm.china.huawei.com (10.201.108.52) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1713.5 via Frontend Transport; Tue, 2 Apr 2019 07:33:54 +0100 Received: from NKGEML513-MBX.china.huawei.com ([169.254.1.144]) by nkgeml411-hub.china.huawei.com ([10.98.56.70]) with mapi id 14.03.0415.000; Tue, 2 Apr 2019 14:33:49 +0800 From: Liyizhou To: NVO3 CC: "nvo3-chairs@ietf.org" Thread-Topic: NVO3 minutes for IETF 104 is available Thread-Index: AdTpHdXmLzwnacJbQumSrpoqTKwKgw== Date: Tue, 2 Apr 2019 06:33:49 +0000 Message-ID: Accept-Language: zh-CN, en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.134.186.90] Content-Type: multipart/alternative; boundary="_000_D408889639FC5E4FADB4E00A3E01FA8FB03C52BBnkgeml513mbxchi_" MIME-Version: 1.0 Archived-At: Subject: [nvo3] NVO3 minutes for IETF 104 is available X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 06:33:59 -0000 --_000_D408889639FC5E4FADB4E00A3E01FA8FB03C52BBnkgeml513mbxchi_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi all, Please find the link for the minutes https://datatracker.ietf.org/meeting/1= 04/materials/minutes-104-nvo3-00 Any corrections, please let me know. Thanks, Yizhou --_000_D408889639FC5E4FADB4E00A3E01FA8FB03C52BBnkgeml513mbxchi_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi all,

 

Please find the link for the minutes https://datatracker.ietf.org/meeting/104/materials/minutes-104-nvo3-00<= o:p>

 

Any corrections, please let me know.

 

Thanks,

Yizhou

--_000_D408889639FC5E4FADB4E00A3E01FA8FB03C52BBnkgeml513mbxchi_-- From nobody Tue Apr 2 13:57:00 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27BCE1202CE for ; Tue, 2 Apr 2019 13:56:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.647 X-Spam-Level: X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CT6fbAJMa7VW for ; Tue, 2 Apr 2019 13:56:49 -0700 (PDT) Received: from mail-lf1-f47.google.com (mail-lf1-f47.google.com [209.85.167.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5924B12028E for ; Tue, 2 Apr 2019 13:56:48 -0700 (PDT) Received: by mail-lf1-f47.google.com with SMTP id a6so10070796lfl.5 for ; Tue, 02 Apr 2019 13:56:48 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YQBqrtn2f5bwq3pEGTpcxLYMeYq1qSP9aYGI2gPtrz0=; b=mdKdpltUTRrkTu2eLghJ+Qe4WR73P/uVfr+/o54TkDeXeVz6oE9EfLcXHQNYvJIIWr /Ns9wFfeqVS4UMUg/JZfiez6TCEphbmNC4eBjWqT+WoqECgrBWmgsAVyCQ2dHVLN7vR9 CBheZYQtz/4Lje/kYVYsljg2HVvrg0zXz2cypo5BBxJFXMML4rdX7fxn0D2B8om9cbZD YZKZoMWBMOyrkBw5Ikbzc/jE5kBXyJsUOg3VzPBrz27gnEcqf3SA/XSapuS6NgDpeoXc 2NTg6PovcCweqM8NaW+LW6GVpwRX6xfW1q0m5E1UcF/o6gTJsj6LtL0K5clkrYDTZAP6 +N6w== X-Gm-Message-State: APjAAAXXw6NPZvjkhPzZLODZ8ICvtryDl6iblsLKSoQXyLdiy+whzEVt 1HmTzT/9/ENWwhs2++rHRKgNKyiz8aWfnEnGtNg= X-Google-Smtp-Source: APXvYqzCCrVS9gXvL6rqP5X8qGNLGf+iBVUu8y7pTaMagOXwumG287KqsHei7U0RAXQiAt0egWqaRW4Jq+2jv++Rt80= X-Received: by 2002:ac2:5b49:: with SMTP id i9mr30084898lfp.75.1554238606065; Tue, 02 Apr 2019 13:56:46 -0700 (PDT) MIME-Version: 1.0 References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> In-Reply-To: From: Daniel Migault Date: Tue, 2 Apr 2019 16:56:34 -0400 Message-ID: To: "Ganga, Ilango S" Cc: NVO3 Content-Type: multipart/alternative; boundary="00000000000002c5130585926019" Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - transit devices X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 20:56:57 -0000 --00000000000002c5130585926019 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Ilango, Thanks for the response. The use case of ECMP to justify transit devices does not seem - to my understanding aligned with RFC6438 which indicates TLV is inconvenient for ECMP or LAG, and that flow label should be used instead. In addition, the problem of ossification by transit devices is not he ability to bypass DTLS traffic, but rather the ability to detect a packet is a Geneve packet. Unless I misunderstood the use case, it does not seem sufficient (at least to me) to balance the complexity introduced by transit devices, i.e. negotiation with middle boxes, protocol ossification, incoherence in the architecture. I would be happy to hear what the WG thinks about it. Following the analogy with IPv6 to determine what options could be used by transit devices, RFC4306 lists hop-by-hop, routing, and fragmentation extension headers. RFC 2460 seems to limit that to hop-by-hops. From hop-by-hop options I do not see equivalence for transit devices with padding, jumbo or router alert options [1] Yours, Daniel [1] https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml On Wed, Mar 27, 2019 at 9:35 PM Ganga, Ilango S wrote: > Hi Daniel, > > > > Here is a specific example use case: > > A router (transit device) could use information in the Geneve header for > ECMP purposes. For example, an option could carry flow context and the > router may look at Geneve header information, such as VNI and/or flow > context (Flow ID) in an option or may skip over the options and use > information in payload for ECMP purposes. However if the NVEs decide to > secure the packet with for example DTLS, in this case, the transit device= s > will forward packets as any other UDP packets. It is not a requirement th= at > transit devices must see Geneve header information for its normal > operation; if a transit device cannot view or interpret Geneve headers th= en > it simply forwards like any other IP or UDP packets. > > > > This is very similar to how currently routers look into the IP payload > information like TCP/UDP port numbers for flow entropy purposes. If the > packets are encrypted, then routers don=E2=80=99t have visibility into th= e TCP/UDP > port numbers and simply forward based on outer header information. > > > > Thanks, > > Ilango > > > > > > *From:* Daniel Migault [mailto:daniel.migault@ericsson.com] > *Sent:* Wednesday, March 27, 2019 11:38 AM > *To:* Ganga, Ilango S > *Cc:* NVO3 > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt - transit devices > > > > Hi Illango, > > > > Unless i am missing something, I am unclear how the text you provide > answers the questions/concerns, so perhaps you could elaborate and maybe = be > a bit more specific. > > > > My first concern was the use case you envision transit devices. The > transit device are supposed to read some Geneve options and process them.= I > expected you provided some example of options as well as some processing. > > > > My second concern was how the draft version 12 addresses a concrete > deployment. As a reminder here is the scenario mentioned is below. The > question is how the draft secures such a deployment. > > > > The basic scenario could be a Geneve deployment that processes options > > O_i ( i in [1,,n]) in the NVE and that process option P_j [1, m] in the > > Transit devices. While unprotected O_i and P_j are processed. Securing > > the deployment with DTLS prevents options P_j to be processed. > > > > Yours, > > Daniel > > > > On Wed, Mar 27, 2019 at 2:11 PM Ganga, Ilango S > wrote: > > Hi Daniel, > > > > We will try to explain the transit devices and example use cases again. > Hopefully this clarifies your question. > > > > >The transit devices seems to me problematic, but maybe I am not really > > >catching what is their intent. I might be helpful if you could provide > > >some behaviour the transit devices is expected to implement. Typically > > >what are the use cases for these transit devices? > > Transit devices exist in the underlay network, these are simply forwardin= g > elements (e.g. switches, routers) that generally forward packets based on > outer header information, there is nothing that stops such devices from > reading or interpreting the contents. At present, this works with any > transport protocols (encapsulated or non-encapsulated), for example, IP, = IP > in IP, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc. For example, routers > (transit device) may look at headers and/or inner payload for ECMP purpos= es > or for statistics or logging purposes. If the packet is encrypted then su= ch > transit devices cannot look into the packets but would simply forward bas= ed > on the outer headers and use information in outer headers for entropy. > There is no interoperability issue between the endpoints. Geneve is no > different. > > Recognizing the fact that such a device will exist in the network, Geneve > draft provides guidance on how to handle Geneve headers (if a device has > the option to do so). Geneve options are part of Geneve header, a transi= t > device that is capable of interpreting Geneve headers may interpret an > option or skip over the option to view the payload, etc. If a transit > device is either unable to, or does not need to interpret the Geneve head= er > (which may or may not include options), it simply uses the outer header t= o > forward the packet (outer IP/UDP). This is what the Geneve draft clarifie= s. > > These guidelines reduce possible interoperability issues compared to if > behavior was left undefined. For example, transit devices are not allowed > to drop packets or fall back to a slow path on the basis of an unknown > option. If this were to happen, it would hamper the introduction of new > options. > > Thanks, > > Ilango > > > > > > *From:* Daniel Migault [mailto:daniel.migault@ericsson.com] > *Sent:* Wednesday, March 20, 2019 1:58 PM > *To:* Ganga, Ilango S > *Cc:* NVO3 > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt - transit devices > > > > Hi, > > > > I am looking at the version 12 and see how it address my concern, > > regarding the transit devices and the compatibility with end to end > > security. Could you please point out how the text address this concern ? > > > > The basic scenario could be a Geneve deployment that processes options > > O_i ( i in [1,,n]) in the NVE and that process option P_j [1, m] in the > > Transit devices. While unprotected O_i and P_j are processed. Securing > > the deployment with DTLS prevents options P_j to be processed. I am > > unclear how the version 12 address this concern. > > > > The transit devices seems to me problematic, but maybe I am not really > > catching what is their intent. I might be helpful if you could provide > > some behaviour the transit devices is expected to implement. Typically > > what are the use cases for these transit devices? > > > > > > Transit devices exist in the underlay network, these are simply forwardin= g > elements (e.g. switches, routers) that generally forwards packets based o= n > outer header information, there is nothing that stops such devices from > reading or interpreting the contents. At present, this works with any > transport protocols (encapsulated or non-encapsulated), for example, IP, = IP > in IP, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc. For example, routers ma= y > look at headers and/or inner payload for ECMP purposes or for statistics = or > logging purposes. If the packet is encrypted then such transit devices > cannot look into the packets but would simply forward based on the outer > headers and use information in outer headers for entropy. There is no > interoperability issue between the endpoints. Geneve is no different. > > Recognizing the fact that such a device will exist in the network, Geneve > draft provides guidance on how to handle Geneve headers (if a device has > the option to do so). Geneve options are part of Geneve header, a transi= t > device that is capable of interpreting Geneve headers may interpret an > option or skip over the option to view the payload, etc. If a transit > device is either unable to, or don=E2=80=99t have the option to interpret= the > header or option, it simply uses the outer header to forward the packet > (outer IP/UDP). This is what the Geneve draft clarifies. > > These guidelines reduce possible interoperability issues compared to if > behavior was left undefined. For example, transit devices are not allowed > to drop packets or fall back to a slow path on the basis of an unknown > option. If this were to happen, it would hamper the introduction of new > options. > > It might also be worth mentioning that anything that could be considered = a > middlebox is not a transit device but needs to be modeled as an endpoint. > For example, if a middle box has a need to see an encrypted packet, then = it > has to implement tunnel endpoint functionality. > > > > > > Yours, > > Daniel > > > > > > On Mon, Mar 11, 2019 at 7:20 PM Ganga, Ilango S > wrote: > > Hi Daniel, > > > > We posted a new version of the draft that we believe addresses your > comment on options processing. > > We have already provided clarification on the role transit devices as > noted in this thread below. > > > > Thanks, > Ilango > > > > > > *From:* Daniel Migault [mailto:daniel.migault@ericsson.com] > *Sent:* Friday, March 8, 2019 6:51 PM > *To:* Ganga, Ilango S > *Cc:* NVO3 > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt - transit devices > > > > Hi, > > > > Thanks for the comment. Let me first recap my perception of the > > discussion. My comment was that end-to-end security (IPsec, DTLS) does > > not apply to Geneve with transit device. Your previous response was that > > Geneve was an end-to-end protocol since transit device are optional. My > > response was that an architecture that defines elements even optional > > that interfere between the two end points contradicts the status of > > end-to-end protocol. At that time my understanding was that the > > specification was targeting an end-to-end protocol, with transit devices > > with very limited capabilities. Thus I proposed to removed the transit > > devices from the architecture. These would have been a great step toward = a > > end-to-end architecture. However, from the current response, it > > seems that transit device play an important part in the architecture, and > > we are moving backward from the end-to-end protocol. As > > a result, there is - in my opinion to make a coherent choice to make > > between Geneve architecture and the security associated. This is > > currently very unclear and contradicting - at least to me reading of the > > geneve specification and the responses I receive to my comments.. > > > > My understanding of your latest response - and please correct me > > if I am wrong - is that transport protocols like IP, > > IP in IP, GRE or VXLAN among others are used to an architecture with > > transit nodes. These latter examples show that end-to-end security is > > incompatible with Geneve and that security in Geneve MUST be handled > > using options. In addition, these examples seems - up to my > > understanding - to challenge the optional status of the transit device > > as well as their ability to read-only does not always seems realistic. > > > > Overall, my impression is that Genve is not an end-to-end protocol, > > end-to-end security protocols such as DTLS or IPsec do not apply > > realistically. The alternative approach of using option is also > > compromised by the current specification of Geneve as well as by > > security documents being opposed. Geneve seems mandated to be unsecured. > > > > > > IP is the first protocol you cite. IP enables end-to-end security with > > IPsec. However there are a few major difference between IPsec and secure > > Geneve communications. > > 1. - IPsec leave in clear the information that > > need to be read in transit. This is not the case with Geneve over DTLS > > or IPsec as even the Geneve Header is encrypted. If we want this > > information to be accessible to transit device security must be handled > > by geneve security option in order to leave the header in clear text. > > 2. IPsec/ESP versus IPsec/AH clearly shows that transit elements do n= ot > > restrict from reading the options. As a result, the transit device are > > likely to evolve and become more active in the future. As a result, the > > security MUST consider this in early stage and I do not see that met. > > > > > > Yours, > > Daniel > > > > On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S > wrote: > > Hi Daniel, > > > > Please see my responses inline below. > > > > Thanks, > > Ilango > > > > > > *From:* nvo3 [mailto:nvo3-bounces@ietf.org] *On Behalf Of *Daniel Migault > *Sent:* Monday, March 4, 2019 9:15 AM > *To:* Ganga, Ilango S > *Cc:* nvo3@ietf.org > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Hi Ilango, > > > > Thanks for the response. Please see a concrete example to illustrate my > concern > > for comment 1. For comment 2, it really helped you indicated that Geneve > is expected > > to be an end-to-end protocol. This will help me update the security > requirement > > document. However, the current Geneve specification with transit devices > seems - > > at least to me - to raise an architecture concern as raised in [1]. > > > > -- comment 1: > > > > Thanks for the feed back. I understand the purpose of keeping option > > independent one from each other, and favour this is strongly recommended. > > However, I am not convinced this applies always. More specifically, in a > > context of security, the purpose of a security option may be related to > > another option. Typically, a security option providing authentication or > > encryption is potentially authenticating/encryption another option or > > other information contained in the header. > > > > The typical scenario I have in mind would be an authentication option A > > authenticating option O. There will clearly some dependencies between A > > and O as O could only be used if A has been primarily been validated. > > The current statement "SHOULD NOT be dependent" enables this. However, I > > have concerns regarding the statement "MUST NOT affect the parsing or > > interpretation". In fact, the output of A, will determine if O should be > > dropped or processed normally. In case A shows O is not appropriately > > authenticated, O might be rejected based on its C value. The ambiguity I > > see is that A can be understood as affecting the parsing and > > interpretation of O or as a pre-processing operation before parsing or > > interpretation of O. > > > > I think, the text needs further clarifications to remove such ambiguity. > > Changing MUST NOT by SHOULD NOT was of course only one proposition and > > this could be also addressed otherwise. It might be better, I agree, to > > explicitly mention that some options may provide condition on the > > parsing of the options. This would leave the parsing of the options > unchanged. > > > > > > If I understand your example correctly, you want to have one option > authenticate the contents of another option and if that authentication > fails, drop the option. This would not drop the entire packet unless that > option is critical. Can you give a use case for this? This seems unusual > and not something that is supported by other security protocols such as > IPsec or TLS to the best of our knowledge. > > > > I believe a more common outcome of a failed authentication is that the > entire packet would be dropped. As previously noted, the current text doe= s > not preclude this. It seems like going beyond this would result in > significant complexity, both for processing options in this specific case > as well as the possibility of introducing ambiguity in how other options > might be defined or processed as an unintended consequence. Without a > strong use case, this does not seem desirable. > > > > > > -- comment 2: > > > > Thanks for the response that clarifies a bit my understanding of the > > transit devices.. I believe the issue I have is related to the transit > > devices which I do not see, unless I am wrong, meeting the requirements > > for being OPTIONAL and that seems - at least to me - contradicting the > > status of end-to-end protocol. As suggested in [1], transit devices seem > to raise > > architectural concerns that is not needed. > > > > You are correct that the text is clear that transit devices are > > OPTIONAL. However, my understanding of OPTIONAL from 2119 is that there > > are two sides of it. One is that a vendor may implement it or not, but > > the other side is that interoperability with other implementations are > > not affected. In this case, two Geneve endpoints using TLS or IPsec will > > not be able to interoperate with an implementation based on transit > > devices (unless the process being performed by the transit devices is > > also performed by the NVE). In that sense, I believe OPTIONAL statement > > is not appropriated here. > > > > An implementation with transit devices seems to prevent the > > interoperability of with an implementation where options are treated > > by the NVE over a secure channel. If we suppose that NVE and > > transit devices support the same options, then transit devices are not > > necessary and could be removed from the specification. If options > > supported by transit devices are different from those supported by > > the NVE, interoperability will not be achieved. Transit device will not b= e > > able to process the options, resulting in options will be ignored (while > > being supported by the implementation).. In addition, if the options > > are critical, the NVE is likely to drop the packet as it does not support > > the option. > > > > In addition, I have some hard time to understand the end-to-end model > > with a transit device even optional. I believe that end-to-end protocol > > is a good path, though. However, my understanding of end-to-end protocol > > is that they should only involve two end points. I see the NVE as end > > points but the optional transit device does not seems to be one of > > these. However, to help me understand better this, as it seems Geneve is > > similar to other end-to-end protocol, maybe you could provide similar > > end-to-end protocol that involves a transit devices or something similar. > > > > > I also have another clarification regarding transit device. I see these > > transit devices as adding a lot of complexity to the end-to-end model > > with little benefits. Typically, as far as I understand, they can only > > read an option. I am thus wondering whether we should not be better off > > removing them from the specification. This would end up with a clear > > end-to-end model. Reversely, I do not see anything preventing a vendor > > to implement them at least for unsecure deployments. Removing them > > from the specification would leave the transit devices as implementation > > specific. What are actually the benefits of the transit devices that woul= d > > justify them to be part of the specification? > > > > > > Transit devices exists in the underlay network, these are simply > forwarding elements (e.g. switches, routers) that generally forwards > packets based on outer header information, there is nothing that stops su= ch > devices from reading the contents if the data is in the clear. This work= s > with any transport protocols like IP, IP in IP, GRE, VXLAN, etc. For > example, routers may look at headers and/or inner payload for ECMP purpos= es > or for statistics or logging purposes. If the packet is encrypted then su= ch > transit devices cannot look into the packets but would simply forward bas= ed > on the outer headers and use information in outer headers for entropy. > There is no interoperability issue between the endpoints. Geneve is no > different. > > > > Recognizing the fact that such a device is anyway going to exist in the > network, Geneve draft provides guidance on how to handle Geneve headers (= if > a device has the option to do so). Geneve options are part of Geneve > header, a transit device that is capable of interpreting Geneve headers m= ay > interpret an option or skip over the option to view the payload, etc. If= a > transit device is not able interpret the header or option, it has to simp= ly > use the outer header to forward the packet (outer IP/UDP). This is what t= he > Geneve draft clarifies. > > > > These guidelines reduce possible interoperability issues compared to if > behavior was left undefined. For example, transit devices are not allowed > to drop packets or fall back to a slow path on the basis of an unknown > option. If this were to happen, it would hamper the introduction of new > options. It might also be worth mentioning that anything that could be > considered a middlebox is not a transit device but needs to be modeled as > an endpoint and so Geneve really should be viewed as a tunnel > endpoint-to-endpoint protocol. > > > > > > > > [1] https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdhc= s > > > > > > Yours, > > Daniel > > > > On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S > wrote: > > Hi Daniel, > > > > Let us be specific. I see that you have two comments on the latest > draft-ietf-nvo3-geneve-09. Please see below for responses to your commen= ts. > > > > Comment 1: > > OLD > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > > > NEW > > > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option SHOULD NOT affect the parsing or interpretation of any > > other option. > > > > > > Architecturally Geneve options can be processed independent of one > another. The second statement clearly states that parsing or interpretati= on > of one option must not affect the other. This is a reasonable constraint > to avoid nested dependencies. Options can be designed to work with the > requirements specified in Geneve. > > > > Let us take specific examples: > > We could think of a design of a Header Integrity check option (related to > your example). In this case if the header integrity check fails, as a > result the entire header is invalid and hence the most likely outcome of = a > failed check is that the packet being dropped (including any options in > that packet whether parsed/interpreted or not). The current text does not > preclude the packet being dropped as result of failure. > > > > It is possible to design options, including any security options, with > these constraints. We don=E2=80=99t see a reason to change this requirem= ent that > may have unintended consequences. > > > > Comment 2: > > > > NEW > > Security Consideration > > > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > > communication using IPsec or DTLS. However, such mechanisms cannot be > > applied for deployments that include transit devices.. > > > > Some deployment may not be able to secure the full communication using > > IPsec or DTLS between the NVEs. This could be motivated by the presence > > of transit devices or by a risk analysis that concludes that the Geneve > > packet be only partially protected - typically reduced to the Geneve > > Header information. In such cases Geneve specific mechanisms needs to be > > designed. > > > > The challenge is, you are asking to impose requirements that is > not supported by Geneve architecture. Geneve has an optional feature wher= e > transit devices may be able to interpret Geneve options. However this is > not a requirement for Geneve operation between tunnel end point to tunnel > end point. We have tried make this very clear by adding clarifying text > during the last two revisions. If the Geneve packet is in the clear then > transit devices may be able to view the Genve header, options, and the > payload. However if the packet is encrypted then transit devices cannot > view the packet contents. This is consistent with other transport protoco= ls > encrypting the packets. So we don=E2=80=99t see a reason why Geneve shoul= d be > different. > > > > Geneve is an end to end protocol between tunnel endpoints and the NVEs > decide to secure (encrypt) the packets between tunnel endpoints. If a > middle box has a need to see an encrypted packet, then it has to implemen= t > tunnel endpoint functionality. > > > > We already have text in 6.4 security consideration section that provides > clear guidance to the operators. > > > > So we don=E2=80=99t see a good reason to add the suggested text above. > > > > For a complete threat analysis, a security analysis of Geneve or some > > guide lines to secure a Geneve overlay network, please refer to > > [draft-mglt-nvo3-geneve-security-requirements] as well as > > [draft-ietf-nvo3-security-requirements]. > > > > > > The security requirements document makes certain assumptions that is > unsupported by Geneve architecture. We have tried to clarify this multipl= e > times, however you have still maintained this in the requirements documen= t. > So this needs to be addressed. Also the document is not yet adopted by th= e > working group. > > > > Moreover, Geneve security consideration section has been significantly > enhanced to provide guidance to operators and to address the comments. So > both documents can progress independently. > > > > Thanks, > > Ilango > > > > > > *From:* Daniel Migault [mailto:daniel.migault@ericsson.com] > *Sent:* Saturday, March 2, 2019 8:49 AM > *To:* Bocci, Matthew (Nokia - GB) > *Cc:* draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg 40microsoft.com@dmarc.ietf.org>; NVO3 > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Hi Matt, > > > > > > You are correct, this is at least not an regular process to have a > > standard track document being updated by an informational. I do not see > > either any requirements for having a WG status to become a reference, > > but that is something we could confirm with the RFC-editor. > > > > Back to the initial suggestion, I also believe the difficulties of > updating > > the Geneve specifications are far less complex than updating the > > implementation, and for that specific reason, it would be good we have a > > consensus on the security analyse. > > > > I agree that WG draft would be better, and RFC would be even better as > > we have seen WG document being stalled. I am confident we can make this > > happen or at least I do not see major issues. > > > > Yours, > > Daniel > > > > > > On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) < > matthew.bocci@nokia.com> wrote: > > WG, Daniel, > > > > Apologies but I mis-spoke on the suggestion for the security requirements > to act as an update to the encapsulation RFC in future. This would be > difficult to do as it is informational. > > > > Nonetheless I think we should only be referencing a WG draft (at a > minimum) here. > > > > Matthew > > > > > > > > *From: *Dacheng Zhang on behalf of "Bocci, > Matthew (Nokia - GB)" > *Date: *Friday, 1 March 2019 at 16:24 > *To: *Daniel Migault > *Cc: *"draft-ietf-nvo3-geneve@ietf.org" = , > Pankaj Garg , NVO3 > *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Daniel > > > > From a procedural perspective, referring to your draft creates a > dependency and that draft has not yet been adopted by the WG. The old > Security requirements framework expired a couple of years ago and does no= t > seem to be being progressed. > > Maybe a better approach to allow progress, as long as the WG can agree to > your text (if needed) to satisfy the concern that future security > mechanisms can be used, and that the evolving threat analysis is understo= od > by implementers and users of Geneve, would be to mark the Geneve security > requirements as an update to the geneve encapsulation RFC when it is > published. > > > > Matthew > > > > *From: *Daniel Migault > *Date: *Friday, 1 March 2019 at 16:11 > *To: *"Bocci, Matthew (Nokia - GB)" > *Cc: *Pankaj Garg , " > draft-ietf-nvo3-geneve@ietf.org" , NVO3 = < > nvo3@ietf.org> > *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Hi Matthew, > > > > I am happy to clarify and be more specific. However, despite your > > reading of [1] I think [1] clearly indicates the changes I expected as > > well as that these changes needs to be made. > > > > I believe the responsibility of not addressing an acknowledged issue is > > more on the side of people ignoring the issue then on the side of the > > one raising this issue. My impression is that this is the situation we > > are in. > > > > I agree that my initial comment saying "I am fine with the text if we do > > not find something better." might have been confusing and I apology for > > this. At the time of writing the initial comment I was not sure I was > > not missing something nor that the problem could not be solved here or > > somewhere else (in another section). My meaning behind those words were > > that I was open to the way the concerned could be addressed. However, - > > from my point of view - the text does not say the issue does not need to > > be solved which is the way it has been interpreted. In addition, I > > believe I have clarified this right away after the concern has been > > acknowledged and not addressed. As result, I do not think my comment > > could be reasonably read as the text is fine. > > > > Please fine the below the initial comment its response and the response > > to the response from [1]. > > > > """ > > In case we have a option providing authentication, such option > > may affect the interpretation of the other options. > > s/interpretation/ndependance may not be better.... I think what we want > > to say is that option MUST be able to be processed in any order or in > > parallel. I am fine with the text if we do not find something better. > > > > > > This is a good point, however we believe that this text > > captures the intent. > > > > The problem I have is that the current text prevents security > > options, so I guess some clarification should be brought to clarify the > > intent. > > """ > > > > If I had to suggest some text I would suggest the following - or > > something around the following lines. > > > > > > OLD > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > > > NEW > > > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option SHOULD NOT affect the parsing or interpretation of any > > other option. > > > > There are rare cases were the parsing of one option affects the parsing > > or the interpretation of other option. Option related to security may > > fall into this category. Typically, if an option enables the > > authentication of another option and the authentication does not > > succeed, the authenticated option MUST NOT be processed. Other options > > may be designed in the future. > > > > NEW > > Security Consideration > > > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > > communication using IPsec or DTLS. However, such mechanisms cannot be > > applied for deployments that include transit devices. > > > > Some deployment may not be able to secure the full communication using > > IPsec or DTLS between the NVEs. This could be motivated by the presence > > of transit devices or by a risk analysis that concludes that the Geneve > > packet be only partially protected - typically reduced to the Geneve > > Header information. In such cases Geneve specific mechanisms needs to be > > designed. > > > > For a complete threat analysis, a security analysis of Geneve or some > > guide lines to secure a Geneve overlay network, please refer to > > [draft-mglt-nvo3-geneve-security-requirements] as well as > > [draft-ietf-nvo3-security-requirements]. > > > > For full disclosure I am a co-author of > > draft-mglt-nvo3-geneve-security-requirement. However the reason for > > referring to these documents is motivated by the fact that I believe > > these analysis provide a better security analysis than the current (OLD) > > security consideration section. > > > > Yours, > > Daniel > > > > > > On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) < > matthew.bocci@nokia.com> wrote: > > Hi Daniel > > > > Thanks for reviewing the latest version. At this stage it would be helpfu= l > if you could be much more concrete and give specifics. > > > > I think that the main issue is whether the design of Geneve prevents > future security extensions. > > > > However, in [1], you stated that you were comfortable with the text if > nothing else could be found. > > > > What specifically do you want to change in the following, bearing in mind > that there are already claimed implementations of Geneve: > > """ > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > """ > > > > > > Matthew > > > > > > *From: *Daniel Migault > *Date: *Friday, 1 March 2019 at 03:06 > *To: *Pankaj Garg > *Cc: *"Bocci, Matthew (Nokia - GB)" , NVO3 < > nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" < > draft-ietf-nvo3-geneve@ietf.org> > *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Hi, > > > > I just briefly went through the document quickly and in my opinion, the > document still faces some security issues. > > > > The current text (in my opinion) prevents any geneve security related > > options. Currently Geneve cannot be secured and this prevents future > > work to eventually secure Geneve. In my opinion the current text > > mandates Geneve to remain unsecure. > > > > Geneve security option that are willing to authenticate/encrypt a part > > of the Geneve Header will affect the parsing of the protected option and > > will affect the order in which option needs to be process. Typically a > > protected option (authenticated, encrypted) cannot or should not be > > processed before authenticated or decrypted. > > > > This has already been mentioned in [1], and the text needs in my opinion > > further clarifications. > > > > """ > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > """ > > > > > > > > As stated in [2] it remains unclear to me why this section is not > > referencing and leveraging on the security analysis [3-4] performed by > > two different independent teams.. > > > > My reading of the security consideration is that the message is that > > IPsec or TLS could be used to protect a geneve overlay network. This is > > - in my opinion- not correct as this does not consider the transit > > device. In addition, the security consideration only considers the case > > where the cloud provider and the overlay network provider are a single > > entity, which I believe oversimplifies the problem. > > > > The threat model seems to me very vague, so the current security > > consideration is limited to solving a problem that is not stated. > > > > My reading of the text indicates the tenant can handle by itself the > > confidentiality of its information without necessarily relying on the > > overlay service provider. This is not correct. Even when the tenant uses > > IPsec/TLS, it still leaks some information. The current text contradicts > > [3] section 6.2 and [4] section 5.1. > > > > My reading is that the text indicates that IPsec/DTLS could be used to > > protect the overlay service for both confidentiality and integrity. > > While this could be used in some deployment this is not compatible with > > transit devices. As such the generic statement is not correct. Section > > 6.4 indicates that transit device must be trusted which is incorrect. > > Instead the transit device with all nodes between the transit device and > > the NVE needs to be trusted. Overall the impression provided is that > > IPsec (or TLS) can be used by the service overlay provider, which is (in > > my opinion) not true. > > > > It is unclear to me how authentication of NVE peers differs from the > > authentication communication as the latest usually rely on the first. > > Maybe the section should insist on mutual authentication. > > > > Yours, > > Daniel > > > > > > [1] https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9= o > > [2] https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSG= w > > [3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07 > > [4] > https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-= 05 > > > > > > > > > > > > On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg 40microsoft.com@dmarc.ietf.org> wrote: > > I am not aware of any IP related to draft-ietf-nvo3-geneve which has not > already been disclosed. > > > > Thanks > > Pankaj > > > > *From:* Bocci, Matthew (Nokia - GB) > *Sent:* Tuesday, October 9, 2018 2:08 AM > *To:* NVO3 > *Cc:* draft-ietf-nvo3-geneve@ietf.org > *Subject:* Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > This email begins a two-week working group last call for > draft-ietf-nvo3-geneve-08.txt. > > > > Please review the draft and post any comments to the NVO3 working group > list. If you have read the latest version of the draft but have no commen= ts > and believe it is ready for publication as a standards track RFC, please > also indicate so to the WG email list. > > > > We are also polling for knowledge of any undisclosed IPR that applies to > this document, to ensure that IPR has been disclosed in compliance with > IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). > > If you are listed as an Author or a Contributor of this document, please > respond to this email and indicate whether or not you are aware of any > relevant undisclosed IPR. The Document won't progress without answers fro= m > all the Authors and Contributors. > > > > Currently there are two IPR disclosures against this document. > > > > If you are not listed as an Author or a Contributor, then please > explicitly respond only if you are aware of any IPR that has not yet been > disclosed in conformance with IETF rules. > > > > This poll will run until Friday 26th October. > > > > Regards > > > > Matthew and Sam > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > --00000000000002c5130585926019 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Ilango,

= Thanks for the response. The use case of ECMP to justify transit devices
does not seem - to my understanding aligned with RFC6438 which indi= cates
TLV is inconvenient for ECMP or LAG, and that flow label sh= ould be used
instead.
In addition, the problem of ossif= ication by transit devices is not he
ability to bypass DTLS traff= ic, but rather the ability to detect a
packet is a Geneve packet.=

Unless I misunderstood the use case, it does not = seem sufficient (at
least to me) to balance the complexity introd= uced by transit devices,
i.e. negotiation with middle boxes, prot= ocol ossification, incoherence=C2=A0
in the architecture. I would= be happy to hear what the WG thinks about
it.

Following the analogy with IPv6 to determine what options could be u= sed
by transit devices, RFC4306 lists hop-by-hop, routing, and fr= agmentation
extension headers. RFC 2460 seems to limit that to ho= p-by-hops. From
hop-by-hop options I do not see equivalence for t= ransit devices with
padding, jumbo or router alert options [1]

Yours,
Daniel




On Wed, Mar 27, 2019 at 9= :35 PM Ganga, Ilango S <ilan= go.s.ganga@intel.com> wrote:

Hi Daniel,

=C2=A0

Here is a speci= fic example use case:

A router (trans= it device) could use information in the Geneve header for ECMP purposes. Fo= r example, an option could carry flow context and the router may look at Ge= neve header information, such as VNI and/or flow context (Flow ID) in an option or may skip over the options and use i= nformation in payload for ECMP purposes.=C2=A0 However if the NVEs decide t= o secure the packet with for example DTLS, in this case, the transit device= s will forward packets as any other UDP packets. It is not a requirement that transit devices must see Geneve head= er information for its normal operation; if a transit device cannot view or= interpret Geneve headers then it simply forwards like any other IP or UDP = packets.

=C2=A0

This is very si= milar to how currently routers look into the IP payload information like TC= P/UDP port numbers for flow entropy purposes. If the packets are encrypted,= then routers don=E2=80=99t have visibility into the TCP/UDP port numbers and simply forward based on outer header information.=

=C2=A0

Thanks,<= u>

Ilango

=C2=A0

<= span style=3D"font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73= ,125)">=C2=A0

Fro= m:= Daniel Migault [mailto:daniel.migault@ericsson.com]
Sent: Wednesday, March 27, 2019 11:38 AM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: NVO3 <nvo3= @ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt - transit devices

=C2=A0

Hi Illango,

=C2=A0

Unless i am missing something, I am unclear how the = text you provide answers the questions/concerns, so perhaps you could elabo= rate and maybe be a bit more specific.

=C2=A0

My first concern was the use case you envision trans= it devices. The transit device are supposed to read some Geneve options and= process them. I expected you provided some example of options as well as s= ome processing.

=C2=A0

My second concern was how the draft version 12 addre= sses a concrete deployment. As a reminder here is the scenario mentioned is= below. The question is how the draft secures such a deployment.=C2=A0

=C2=A0

The basic scenari= o could be a Geneve deployment that processes options<= /p>

O_i ( i in [1,,n]= ) in the NVE and that process option P_j [1, m] in the=

Transit devices. = While unprotected O_i and P_j are processed. Securing<= /p>

the deployment wi= th DTLS prevents options P_j to be processed.=C2=A0

=C2=A0<= /u>

Yours,=C2=A0

Daniel=C2=A0

=C2=A0

On Wed, Mar 27, 2019 at 2:11 PM Ganga, Ilango S <= ilango.s.gang= a@intel.com> wrote:

Hi Daniel,

=C2=A0

We will try to explain the transit devices a= nd example use cases again. Hopefully this clarifies your question.

=C2=A0

>The transit devices seems to me problematic, but= maybe I am not really

>catching what is their intent. I might be helpfu= l if you could provide

>some behaviour the transit devices is expected t= o implement. Typically

>what are the use cases for these transit devices= ?

Transit devices exist in the underlay networ= k, these are simply forwarding elements (e.g. switches, routers) that generally forward packets based on outer header information,= there is nothing that stops such devices from reading or interpreting the = contents.=C2=A0 At present, this works with any transport protocols (encaps= ulated or non-encapsulated), for example, IP, IP in IP, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc.=C2=A0 For example,= routers (transit device) may look at headers and/or inner payload for ECMP= purposes or for statistics or logging purposes. If the packet is encrypted= then such transit devices cannot look into the packets but would simply forward based on the outer headers and u= se information in outer headers for entropy. There is no interoperability i= ssue between the endpoints. Geneve is no different.=C2=A0

Recognizing the fact that such a device will= exist in the network, Geneve draft provides guidance on how to handle Geneve headers (if a device has the option to do so).=C2=A0 = Geneve options are part of Geneve header, a transit device that is capable = of interpreting Geneve headers may interpret an option or skip over the opt= ion to view the payload, etc.=C2=A0 If a transit device is either unable to, or does not need to interpret the Geneve heade= r (which may or may not include options), it simply uses the outer header t= o forward the packet (outer IP/UDP). This is what the Geneve draft clarifie= s.

These guidelines reduce possible interoperab= ility issues compared to if behavior was left undefined. For example, transit devices are not allowed to drop packets or fall back = to a slow path on the basis of an unknown option. If this were to happen, i= t would hamper the introduction of new options.

Thanks,

Ilango

=C2=A0

=C2=A0

From: Daniel Migault [mailto:daniel.migault@ericsson.com]
Sent: Wednesday, March 20, 2019 1:58 PM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: NVO3 <nvo3= @ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt - transit devices

=C2=A0

Hi,

=C2=A0

I am looking at the version 12 and see how it addres= s my concern,

regarding the transit devices and the compatibility = with end to end

security. Could you please point out how the text ad= dress this concern ?

=C2=A0

The basic scenario could be a Geneve deployment that= processes options

O_i ( i in [1,,n]) in the NVE and that process optio= n P_j [1, m] in the

Transit devices. While unprotected O_i and P_j are p= rocessed. Securing

the deployment with DTLS prevents options P_j to be = processed. I am

unclear how the version 12 address this concern.<= /u>

=C2=A0

The transit devices seems to me problematic, but may= be I am not really

catching what is their intent. I might be helpful if= you could provide

some behaviour the transit devices is expected to im= plement. Typically

what are the use cases for these transit devices?=

=C2=A0

<Response>

Transit devices exist in the underlay networ= k, these are simply forwarding elements (e.g. switches, routers) that generally forwards packets based on outer header information= , there is nothing that stops such devices from reading or interpreting the= contents.=C2=A0 At present, this works with any transport protocols (encap= sulated or non-encapsulated), for example, IP, IP in IP, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc.=C2=A0 For example,= routers may look at headers and/or inner payload for ECMP purposes or for = statistics or logging purposes. If the packet is encrypted then such transi= t devices cannot look into the packets but would simply forward based on the outer headers and use information in= outer headers for entropy. There is no interoperability issue between the = endpoints. Geneve is no different.

Recognizing the fact that such a device will= exist in the network, Geneve draft provides guidance on how to handle Geneve headers (if a device has the option to do so).=C2=A0 = Geneve options are part of Geneve header, a transit device that is capable = of interpreting Geneve headers may interpret an option or skip over the opt= ion to view the payload, etc.=C2=A0 If a transit device is either unable to, or don=E2=80=99t have the option to interpret = the header or option, it simply uses the outer header to forward the packet= (outer IP/UDP). This is what the Geneve draft clarifies.<= /u>

These guidelines reduce possible interoperab= ility issues compared to if behavior was left undefined. For example, transit devices are not allowed to drop packets or fall back = to a slow path on the basis of an unknown option. If this were to happen, i= t would hamper the introduction of new options.

It might also be worth mentioning that anyth= ing that could be considered a middlebox is not a transit device but needs to be modeled as an endpoint. For example, if a middle bo= x has a need to see an encrypted packet, then it has to implement tunnel en= dpoint functionality.

</end of response>

=C2=A0

Yours,

Daniel

=C2=A0

=C2=A0

On Mon, Mar 11, 2019 at 7:20 PM Ganga, Ilango S <= ilango.s.gang= a@intel.com> wrote:

Hi Daniel,

=C2=A0

We posted a new version of the draft that we= believe addresses your comment on options processing.=C2=A0

We have already provided clarification on th= e role transit devices as noted in this thread below.<= /p>

=C2=A0

Thanks,
Ilango

=C2=A0

=C2=A0

From: Daniel Migault [mailto:daniel.migault@ericsson.com]
Sent: Friday, March 8, 2019 6:51 PM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: NVO3 <nvo3= @ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt - transit devices

=C2=A0

Hi,

=C2=A0

Thanks for the comment. Let me first recap my percep= tion of the

discussion. My comment was that end-to-end security = (IPsec, DTLS) does

not apply to Geneve with transit device. Your previo= us response was that

Geneve was an end-to-end protocol since transit devi= ce are optional. My

response was that an architecture that defines eleme= nts even optional

that interfere between the two end points contradict= s the status of

end-to-end protocol. At that time my understanding w= as that the

specification was targeting an end-to-end protocol, = with transit devices

with very limited capabilities. Thus I proposed to r= emoved the transit

devices from the architecture. These would have been= a great step toward a=C2=A0

end-to-end architecture. However, from the current r= esponse, it

seems that transit device play an important part in = the architecture, and=C2=A0

we are moving backward from the end-to-end protocol.= As

a result, there is - in my opinion to make a coheren= t choice to make

between Geneve architecture and the security associa= ted. This is

currently very unclear and contradicting - at least = to me reading of the=C2=A0

geneve specification and the responses I receive to = my comments..

=C2=A0

My understanding of your latest response - and pleas= e correct me=C2=A0

if I am wrong - is that transport protocols like IP,=

IP in IP, GRE or VXLAN=C2=A0 among others are used t= o an architecture with

transit nodes.=C2=A0 These latter examples show that= end-to-end security is

incompatible with Geneve and that security in Geneve= MUST be handled

using options. In addition, these examples seems - u= p to my

understanding - to challenge the optional status of = the transit device

as well as their ability to read-only does not alway= s seems realistic.

=C2=A0

Overall, my impression is that Genve is not an end-t= o-end protocol,

end-to-end security protocols such as DTLS or IPsec = do not apply

realistically. The alternative approach of using opt= ion is also

compromised by the current specification of Geneve a= s well as by

security documents being opposed. Geneve seems manda= ted to be unsecured.

=C2=A0

=C2=A0

IP is the first protocol you cite. IP enables end-to= -end security with

IPsec. However there are a few major difference betw= een IPsec and secure

Geneve communications.

=C2=A0 =C2=A0 1. - IPsec leave in clear the informat= ion that

need to be read in transit. This is not the case wit= h Geneve over DTLS

or IPsec as even the Geneve Header is encrypted. If = we want this

information to be accessible to transit device secur= ity must be handled

by geneve security option in order to leave the head= er in clear text.

=C2=A0 =C2=A0 2. IPsec/ESP versus IPsec/AH clearly s= hows that transit elements do not

restrict from reading the options. As a result, the = transit device are

likely to evolve and become more active in the futur= e. As a result, the

security MUST consider this in early stage and I do = not see that met.

=C2=A0

=C2=A0

Yours,

Daniel

=C2=A0

On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S <<= a href=3D"mailto:ilango.s.ganga@intel.com" target=3D"_blank">ilango.s.ganga= @intel.com> wrote:

Hi Daniel,

=C2=A0

Please see my responses inline below.=

=C2=A0

Thanks,

Ilango

=C2=A0

=C2=A0

From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Daniel Migault
Sent: Monday, March 4, 2019 9:15 AM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: nvo3@ietf.org=
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt

=C2=A0

Hi Ilango,=C2=A0

=C2=A0

Thanks for the response.=C2=A0Please see a concrete = example to illustrate my concern=C2=A0

for comment 1. For comment 2, it really helped you i= ndicated that Geneve is expected=C2=A0

to be an end-to-end protocol. This will help me upda= te the security requirement=C2=A0

document. However, the current Geneve specification = with transit devices seems -=C2=A0

at least to me - to raise an architecture concern as= raised in [1].

=C2=A0

-- comment 1:

=C2=A0

Thanks for the feed back. I understand the purpose o= f keeping option

independent one from each other, and favour this is = strongly recommended.

However, I am not convinced this applies always. Mor= e specifically, in a

context of security, the purpose of a security optio= n may be related to

another option. Typically, a security option providi= ng authentication or

encryption is potentially authenticating/encryption = another option or

other information contained in the header.=

=C2=A0

The typical scenario I have in mind would be an auth= entication option A

authenticating option O. There will clearly some dep= endencies between A

and O as O could only be used if A has been primaril= y been validated.

The current statement "SHOULD NOT be dependent&= quot; enables this. However, I

have concerns regarding the statement "MUST NOT= affect the parsing or

interpretation". In fact, the output of A, will= determine if O should be

dropped or processed normally. In case A shows O is = not appropriately

authenticated, O might be rejected based on its C va= lue. The ambiguity I

see is that A can be understood as affecting the par= sing and

interpretation of O or as a pre-processing operation= before parsing or

interpretation of O.

=C2=A0

I think, the text needs further clarifications to re= move such ambiguity.

Changing MUST NOT by SHOULD NOT was of course only o= ne proposition and

this could be also addressed otherwise. It might be = better, I agree, to

explicitly mention that some options may provide con= dition on the

parsing of the options. This would leave the parsing= of the options unchanged.=C2=A0

=C2=A0

<Ilango>

If I understand your example correctly, you = want to have one option authenticate the contents of another option and if that authentication fails, drop the option. This would not d= rop the entire packet unless that option is critical. Can you give a use ca= se for this? This seems unusual and not something that is supported by othe= r security protocols such as IPsec or TLS to the best of our knowledge.

=C2=A0

I believe a more common outcome of a failed = authentication is that the entire packet would be dropped. As previously noted, the current text does not preclude this. It seems lik= e going beyond this would result in significant complexity, both for proces= sing options in this specific case as well as the possibility of introducin= g ambiguity in how other options might be defined or processed as an unintended consequence. Without a stro= ng use case, this does not seem desirable.

</>

=C2=A0

-- comment 2:

=C2=A0

Thanks for the response that clarifies a bit my unde= rstanding of the

transit devices.. I believe the issue I have is rela= ted to the transit

devices which I do not see, unless I am wrong, meeti= ng the requirements

for being OPTIONAL and that seems - at least to me -= contradicting the

status of end-to-end protocol. As suggested in [1], = transit devices seem to raise

architectural concerns that is not needed.=

=C2=A0

You are correct that the text is clear that transit = devices are

OPTIONAL. However, my understanding of OPTIONAL from= 2119 is that there=C2=A0

are two sides of it. One is that a vendor may implem= ent it or not, but

the other side is that interoperability with other i= mplementations are

not affected. In this case, two Geneve endpoints usi= ng TLS or IPsec will

not be able to interoperate with an implementation b= ased on transit

devices (unless the process being performed by the t= ransit devices is

also performed by the NVE). In that sense, I believe= OPTIONAL statement

is not appropriated here.=C2=A0

=C2=A0

An implementation with transit devices seems to prev= ent the=C2=A0

interoperability of with an implementation where=C2= =A0 options are treated=C2=A0

by the NVE over a secure channel. If we suppose that= NVE and=C2=A0

transit devices support the same options, then trans= it devices are not=C2=A0

necessary and could be removed from the specificatio= n. If options

supported by transit devices are different from thos= e supported by=C2=A0

the NVE, interoperability will not be achieved. Tran= sit device will not be=C2=A0

able to process the options, resulting in options wi= ll be ignored (while=C2=A0

being supported by the implementation).. In addition= ,=C2=A0if the options=C2=A0

are critical, the NVE is likely to drop the packet a= s it does not support=C2=A0

the option.=C2=A0

=C2=A0

In addition, I have some hard time to understand the= end-to-end model=C2=A0

with a transit device even optional. I believe that = end-to-end protocol

is a good path, though. However, my understanding of= end-to-end protocol

is that they should only involve two end points. I s= ee the NVE as end

points but the optional transit device does not seem= s to be one of

these. However, to help me understand better this, a= s it seems Geneve is=C2=A0

similar to other end-to-end protocol, maybe you coul= d provide similar=C2=A0

end-to-end protocol that involves a transit devices = or something similar.=C2=A0 =C2=A0

=C2=A0

I also have another clarification regarding transit = device. I see these

transit devices as adding a lot of complexity to the= end-to-end model

with little benefits. Typically, as far as I underst= and, they can only

read an option. I am thus wondering whether we shoul= d not be better off

removing them from the specification. This would end= up with a clear

end-to-end model. Reversely, I do not see anything p= reventing a vendor

to implement them at least for unsecure deployments.= Removing them=C2=A0

from the specification would leave the transit devic= es as implementation=C2=A0

specific. What are actually the benefits of the tran= sit devices that would=C2=A0

justify them to be part of the specification?=

=C2=A0

<Ilango>

Transit devices exists in the underlay netwo= rk, these are simply forwarding elements (e.g. switches, routers) that generally forwards packets based on outer header information= , there is nothing that stops such devices from reading the contents if the= data is in the clear.=C2=A0 This works with any transport protocols like I= P, IP in IP, GRE, VXLAN, etc.=C2=A0 For example, routers may look at headers and/or inner payload for ECMP purposes or for = statistics or logging purposes. If the packet is encrypted then such transi= t devices cannot look into the packets but would simply forward based on th= e outer headers and use information in outer headers for entropy. There is no interoperability issue between t= he endpoints. Geneve is no different.

=C2=A0

Recognizing the fact that such a device is a= nyway going to exist in the network, Geneve draft provides guidance on how to handle Geneve headers (if a device has the option to do= so).=C2=A0 Geneve options are part of Geneve header, a transit device that= is capable of interpreting Geneve headers may interpret an option or skip = over the option to view the payload, etc.=C2=A0 If a transit device is not able interpret the header or option,= it has to simply use the outer header to forward the packet (outer IP/UDP)= . This is what the Geneve draft clarifies.

=C2=A0

These guidelines reduce possible interoperab= ility issues compared to if behavior was left undefined. For example, transit devices are not allowed to drop packets or fall back = to a slow path on the basis of an unknown option. If this were to happen, i= t would hamper the introduction of new options. It might also be worth ment= ioning that anything that could be considered a middlebox is not a transit device but needs to be modeled = as an endpoint and so Geneve really should be viewed as a tunnel endpoint-t= o-endpoint protocol.

<end>

=C2=A0

=C2=A0

=C2=A0

=C2=A0

Yours,=C2=A0

Daniel=C2=A0

=C2=A0

On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S <<= a href=3D"mailto:ilango.s.ganga@intel.com" target=3D"_blank">ilango.s.ganga= @intel.com> wrote:

Hi Daniel,

=C2=A0

Let us be specific. I see that you have two = comments on the latest draft-ietf-nvo3-geneve-09.=C2=A0 Please see below for responses to your comments.

=C2=A0

Comment 1:

OLD

=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be depende= nt upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be pr= ocessed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affect the p= arsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other option.

=C2=A0

NEW

=C2=A0

=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be depende= nt upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be pr= ocessed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option SHOULD NOT affect the= parsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other option.

=C2=A0

<Ilango>

Architecturally Geneve options can be proces= sed independent of one another. The second statement clearly states that parsing or interpretation of one option must not affect the ot= her.=C2=A0 This is a reasonable constraint to avoid nested dependencies. Op= tions can be designed to work with the requirements specified in Geneve.

=C2=A0

Let us take specific examples:=

We could think of a design of a Header Integ= rity check option (related to your example). In this case if the header integrity check fails, as a result the entire header is inva= lid and hence the most likely outcome of a failed check is that the packet = being dropped (including any options in that packet whether parsed/interpre= ted or not). The current text does not preclude the packet being dropped as result of failure. =

=C2=A0

It is possible to design options, including = any security options, with these constraints.=C2=A0 We don=E2=80=99t see a reason to change this requirement that may have unintended consequen= ces.

=C2=A0

Comment 2:

=C2=A0

NEW

Security Consideration

=C2=A0

Geneve Overlay may be secured using by protecting th= e NVE-to-NVE

communication using IPsec or DTLS. However, such mec= hanisms cannot be

applied for deployments that include transit devices= ..=C2=A0

=C2=A0

Some deployment may not be able to secure the full c= ommunication using

IPsec or DTLS between the NVEs. This could be motiva= ted by the presence

of transit devices or by a risk analysis that conclu= des that the Geneve

packet be only partially protected - typically reduc= ed to the Geneve

Header information. In such cases Geneve specific me= chanisms needs to be

designed.=C2=A0

=C2=A0

<Ilango> The challenge is, you are ask= ing to impose requirements that is not supported by Geneve architecture. Geneve has an optional feature where transit devices may be able to interp= ret Geneve options. However this is not a requirement for Geneve operation = between tunnel end point to tunnel end point. We have tried make this very = clear by adding clarifying text during the last two revisions. If the Geneve packet is in the clear then t= ransit devices may be able to view the Genve header, options, and the paylo= ad. However if the packet is encrypted then transit devices cannot view the= packet contents. This is consistent with other transport protocols encrypting the packets. So we don=E2=80=99t= see a reason why Geneve should be different. =C2=A0=C2=A0=

=C2=A0

Geneve is an end to end protocol between tun= nel endpoints and the NVEs decide to secure (encrypt) the packets between tunnel endpoints. If a middle box has a need to see an enc= rypted packet, then it has to implement tunnel endpoint functionality.

=C2=A0

We already have text in 6.4 security conside= ration section that provides clear guidance to the operators.

=C2=A0

So we don=E2=80=99t see a good reason to add= the suggested text above.

=C2=A0

For a complete threat analysis, a security analysis = of Geneve or some

guide lines to secure a Geneve overlay network, plea= se refer to

[draft-mglt-nvo3-geneve-security-requirements] as we= ll as

[draft-ietf-nvo3-security-requirements].

=C2=A0

<Ilango>

The security requirements document =C2=A0mak= es certain assumptions that is unsupported by Geneve architecture. We have tried to clarify this multiple times, however you have still maint= ained this in the requirements document. So this needs to be addressed. Als= o the document is not yet adopted by the working group.

=C2=A0

Moreover, Geneve security consideration sect= ion has been significantly enhanced to provide guidance to operators and to address the comments. So both documents can progress i= ndependently.

=C2=A0

Thanks,

Ilango

=C2=A0

=C2=A0

From: Daniel Migault [mailto:daniel.migault@ericsson.com]
Sent: Saturday, March 2, 2019 8:49 AM
To: Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
Cc: draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg <pankajg=3D40microsoft.co= m@dmarc.ietf.org>; NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt

=C2=A0

Hi Matt,

=C2=A0=C2=A0

=C2=A0

You are correct, this is at least not an regular pro= cess to have a

standard track document being updated by an informat= ional. I do not see

either any requirements for having a WG status to be= come a reference,

but that is something we could confirm with the RFC-= editor.

=C2=A0

Back to the initial suggestion, I also believe the d= ifficulties of updating=C2=A0

the Geneve specifications are far less complex than = updating the=C2=A0

implementation, and for that specific reason, it wou= ld be good we have a=C2=A0

consensus on the security analyse.

=C2=A0

I agree that WG draft would be better, and RFC would= be even better as

we have seen WG document being stalled. I am confide= nt we can make this

happen or at least I do not see major issues.=

=C2=A0

Yours,

Daniel

=C2=A0

=C2=A0

On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Noki= a - GB) <ma= tthew.bocci@nokia.com> wrote:

WG, Daniel,

=C2=A0

Apologies but I mis-spoke on th= e suggestion for the security requirements to act as an update to the encap= sulation RFC in future. This would be difficult to do as it is informational.

=C2=A0

Nonetheless I think we should o= nly be referencing a WG draft (at a minimum) here.

=C2=A0

Matthew

=C2=A0

=C2=A0

=C2=A0

=C2=A0

Daniel

=C2=A0

From a procedural perspective, = referring to your draft creates a dependency and that draft has not yet bee= n adopted by the WG. The old Security requirements framework expired a couple of years ago and does not seem to be being progressed.

Maybe a better approach to allo= w progress, as long as the WG can agree to your text (if needed) to satisfy= the concern that future security mechanisms can be used, and that the evolving threat analysis is understood by implementers = and users of Geneve, would be to mark the Geneve security requirements as a= n update to the geneve encapsulation RFC when it is published.

=C2=A0

Matthew

=C2=A0

=C2=A0

Hi Matthew,=C2=A0=

=C2=A0

I am happy to clarify and be mo= re specific. However, despite your

reading of [1] I think [1] clea= rly indicates the changes I expected as

well as that these changes need= s to be made.=C2=A0

=C2=A0

I believe the responsibility of= not addressing an acknowledged issue is

more on the side of people igno= ring the issue=C2=A0 then on the side of the

one raising this issue. My impr= ession is that this is the situation we

are in.=C2=A0<= /u>

=C2=A0=C2=A0

I agree that my initial comment= saying "I am fine with the text if we do

not find something better."= ; might have been confusing and I apology for

this. At the time of writing th= e initial comment I was not sure I was

not missing something nor that = the problem could not be solved here or

somewhere else (in another sect= ion). My meaning behind those words were

that I was open to the way the = concerned could be addressed. However, -

from my point of view - the tex= t does not say the issue does not need to

be solved which is the way it h= as been interpreted. In addition, I

believe I have clarified this r= ight away after the concern has been

acknowledged and not addressed.= As result, I do not think my comment

could be reasonably read as the= text is fine.

=C2=A0

Please fine the below the initi= al comment its response and the response

to the response from [1].=C2=A0=

=C2=A0

"""

<mglt> In case we have a = option providing authentication, such option

may affect the interpretation o= f the other options.

s/interpretation/ndependance ma= y not be better.... I think what we want

to say is that option MUST be a= ble to be processed in any order or in

parallel.=C2=A0 I am fine with = the text if we do not find something better.

</mglt><= /u>

=C2=A0

<Ilango> This is a good p= oint, however we believe that this text

captures the intent.=C2=A0 <= />=C2=A0

=C2=A0

<mglt2>The problem I have= is that the current text prevents security

options, so I guess some clarif= ication should be brought to clarify the

intent.</mglt2>=C2=A0

"""

=C2=A0

If I had to suggest some text I= would suggest the following - or

something around the following = lines.=C2=A0

=C2=A0

=C2=A0

OLD

=C2=A0 =C2=A0o=C2=A0 An option = SHOULD NOT be dependent upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.= e., options can be processed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option = MUST NOT affect the parsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other opti= on.

=C2=A0

NEW

=C2=A0

=C2=A0 =C2=A0o=C2=A0 An option = SHOULD NOT be dependent upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.= e., options can be processed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option = SHOULD NOT affect the parsing or interpretation of any=

=C2=A0 =C2=A0 =C2=A0 other opti= on.

=C2=A0

There are rare cases were the p= arsing of one option affects the parsing

or the interpretation of other = option. Option related to security may

fall into this category. Typica= lly, if an option enables the

authentication of another optio= n and the authentication does not

succeed, the authenticated opti= on MUST NOT be processed. Other options

may be designed in the future.= =C2=A0=C2=A0

=C2=A0

NEW

Security Consideration

=C2=A0

Geneve Overlay may be secured u= sing by protecting the NVE-to-NVE

communication using IPsec or DT= LS. However, such mechanisms cannot be

applied for deployments that in= clude transit devices.=C2=A0

=C2=A0

Some deployment may not be able= to secure the full communication using

IPsec or DTLS between the NVEs.= This could be motivated by the presence

of transit devices or by a risk= analysis that concludes that the Geneve

packet be only partially protec= ted - typically reduced to the Geneve

Header information. In such cas= es Geneve specific mechanisms needs to be

designed.=C2=A0

=C2=A0

For a complete threat analysis,= a security analysis of Geneve or some

guide lines to secure a Geneve = overlay network, please refer to

[draft-mglt-nvo3-geneve-securit= y-requirements] as well as

[draft-ietf-nvo3-security-requi= rements].

=C2=A0

For full disclosure I am a co-a= uthor of

draft-mglt-nvo3-geneve-security= -requirement. However the reason for

referring to these documents is= motivated by the fact that I believe

these analysis provide a better= security analysis than the current (OLD)

security consideration section.= =C2=A0

=C2=A0

Yours,=C2=A0

Daniel

=C2=A0

=C2=A0

Hi Daniel<= /p>

=C2=A0

Thanks for reviewing the latest= version. At this stage it would be helpful if you could be much more concr= ete and give specifics.

=C2=A0

I think that the main issue is = whether the design of Geneve prevents future security extensions.=

=C2=A0

However, in [1], you stated tha= t you were comfortable with the text if nothing else could be found.

=C2=A0

What specifically do you want t= o change in the following, bearing in mind that there are already claimed i= mplementations of Geneve:

"""

=C2=A0 =C2=A0o=C2=A0 An option = SHOULD NOT be dependent upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.= e., options can be processed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option = MUST NOT affect the parsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other opti= on.

"""

=C2=A0

=C2=A0

Matthew

=C2=A0

=C2=A0

From: Daniel Migault <daniel.migau= lt@ericsson.com>
Date: Friday, 1 March 2019 at 03:06
To: Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>
Cc: "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, N= VO3 <nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" <d= raft-ietf-nvo3-geneve@ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt

=C2=A0

Hi,=C2=A0<= /p>

=C2=A0

I just briefly went through the= document quickly and in my opinion, the document still faces some security= issues.

=C2=A0

The current text (in my opinion= ) prevents any geneve security related

options. Currently Geneve canno= t be secured and this prevents future

work to eventually secure Genev= e. In my opinion the current text

mandates Geneve to remain unsec= ure.=C2=A0

=C2=A0

Geneve security option that are= willing to authenticate/encrypt a part

of the Geneve Header will affec= t the parsing of the protected option and

will affect the order in which = option needs to be process. Typically a

protected option (authenticated= , encrypted) cannot or should not be

processed before authenticated = or decrypted.=C2=A0

=C2=A0

This has already been mentioned= in [1], and the text needs in my opinion

further clarifications.=C2=A0= =C2=A0

=C2=A0

"""

=C2=A0 =C2=A0o=C2=A0 An option = SHOULD NOT be dependent upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.= e., options can be processed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option = MUST NOT affect the parsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other opti= on.

"""

=C2=A0

=C2=A0

=C2=A0

As stated in [2] it remains unc= lear to me why this section is not

referencing and leveraging on t= he security analysis [3-4] performed by

two different independent teams= ..=C2=A0

=C2=A0

My reading of the security cons= ideration is that the message is that

IPsec or TLS could be used to p= rotect a geneve overlay network. This is

- in my opinion- not correct as= this does not consider the transit

device. In addition, the securi= ty consideration only considers the case

where the cloud provider and th= e overlay network provider are a single

entity, which I believe oversim= plifies the problem.=C2=A0

=C2=A0

The threat model seems to me ve= ry vague, so the current security

consideration is limited to sol= ving a problem that is not stated.=C2=A0

=C2=A0

My reading of the text indicate= s the tenant can handle by itself the

confidentiality of its informat= ion without necessarily relying on the

overlay service provider. This = is not correct. Even when the tenant uses

IPsec/TLS, it still leaks some = information. The current text contradicts

[3] section 6.2 and [4] section= 5.1.

=C2=A0

My reading is that the text ind= icates that IPsec/DTLS could be used to

protect the overlay service for= both confidentiality and integrity.

While this could be used in som= e deployment this is not compatible with

transit devices. As such the ge= neric statement is not correct. Section

6.4 indicates that transit devi= ce must be trusted which is incorrect.

Instead the transit device with= all nodes between the transit device and

the NVE needs to be trusted.=C2= =A0 Overall the impression provided is that

IPsec (or TLS) can be used by t= he service overlay provider, which is (in

my opinion) not true.=C2=A0

=C2=A0

It is unclear to me how authent= ication of NVE peers differs from the

authentication communication as= the latest usually rely on the first.

Maybe the section should insist= on mutual authentication.=C2=A0=C2=A0

=C2=A0

Yours,=C2=A0

Daniel

=C2=A0

=C2=A0

=C2=A0

=C2=A0

=C2=A0

=C2=A0

=C2=A0

On Wed, Feb 27, 2019 at 7:30 PM= Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org> wrote:=

I am not aware of any IP related to draft-ietf-nvo3-= geneve which has not already been disclosed.

=C2=A0

Thanks

Pankaj

=C2=A0

From: Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.c= om>
Sent: Tuesday, October 9, 2018 2:08 AM
To: NVO3 <nvo3= @ietf.org>
Cc: draft-ietf-nvo3-geneve@ietf.org
Subject: Working Group Last Call and IPR Poll for draft-ietf-nvo3-ge= neve-08.txt

=C2=A0

This email begins a two-week wo= rking group last call for draft-ietf-nvo3-geneve-08.txt.

=C2=A0

Please review the draft and pos= t any comments to the NVO3 working group list. If you have read the latest = version of the draft but have no comments and believe it is ready for publication as a standards track RFC, please also indicate= so to the WG email list.

=C2=A0

We are also polling for knowled= ge of any undisclosed IPR that applies to this document, to ensure that IPR= has been disclosed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details).

If you are listed as an Author = or a Contributor of this document, please respond to this email and indicat= e whether or not you are aware of any relevant undisclosed IPR. The Document won't progress without answers from all the Authors = and Contributors.

=C2=A0

Currently there are two IPR dis= closures against this document.

=C2=A0

If you are not listed as an Aut= hor or a Contributor, then please explicitly respond only if you are aware = of any IPR that has not yet been disclosed in conformance with IETF rules.

=C2=A0

This poll will run until Friday= 26th October.

=C2=A0

Regards

=C2=A0

Matthew and Sam

_______________________________= ________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________= ________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
--00000000000002c5130585926019-- From nobody Tue Apr 2 14:00:44 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 329261202DE for ; Tue, 2 Apr 2019 14:00:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.647 X-Spam-Level: X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EIDl4M1olaPp for ; Tue, 2 Apr 2019 14:00:35 -0700 (PDT) Received: from mail-lj1-f179.google.com (mail-lj1-f179.google.com [209.85.208.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E9D41202E0 for ; Tue, 2 Apr 2019 14:00:34 -0700 (PDT) Received: by mail-lj1-f179.google.com with SMTP id v22so8205980lje.9 for ; Tue, 02 Apr 2019 14:00:34 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q0mo/Psw9WsaXuP4kmuZ9HDd8//6dXhXntASowaXX78=; b=K3AXkDogTdz/ZtTLlhIGm9GOBqa2toyHh3lSIyjcVJuWHxxV9nPwmN8+rT/rq3vkK/ GpEY3sgkaRvcyBwYKC7VPUaHzPld67EGgC0Zk0byqmwyDMZzBBmSeGOAeBiZ8azSLwtW nU0CvRJD2gtX8c21fFOLKQBswE4sEVpZSSIXlTuZUg1CHN7/vHuHf3gEwdzOhgpdVz1A pBG/35ZSgqbAALtDNpiPMioGOtTDlRHPUZm2V+hAvEciNVYd/guLZZ5vhBLYueTfXFNl X9Dw1jvaB3Dxwz9JOgxxwicESR/zzvBteii475ibKxd76Ioxskz//3+LDlTzTR5Yl71h QpRA== X-Gm-Message-State: APjAAAX4STuFsw7WDwbxzdeZsjtu9FCrU53ozm5YhmckYciC3no1HC+Q BnlJJD25NTYBjGiT4O7AV0g6PSUBJNjYLkRqhQs= X-Google-Smtp-Source: APXvYqxNa8f5CXwUidfNfRWjHIhO0FsGhFa5tI74A3vK+0cf/HKUlfDgo1pKXFCWIPru5mmAt40d1nYMJVy9L5dq2J8= X-Received: by 2002:a2e:950:: with SMTP id 77mr37106820ljj.113.1554238832446; Tue, 02 Apr 2019 14:00:32 -0700 (PDT) MIME-Version: 1.0 References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> In-Reply-To: From: Daniel Migault Date: Tue, 2 Apr 2019 17:00:20 -0400 Message-ID: To: "Ganga, Ilango S" Cc: NVO3 Content-Type: multipart/alternative; boundary="0000000000008112cf0585926d06" Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 21:00:41 -0000 --0000000000008112cf0585926d06 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Ilango, Thank you for the update. The text addresses my concerns and I also think it indicates clearly the design principle for options. Yours, Daniel On Wed, Mar 27, 2019 at 1:31 AM Ganga, Ilango S wrote: > Hi Daniel, > > > > We updated the draft to restate the requirement on options processing, th= e > revised text is much simpler, provides better clarity, and retains the > original intent. We believe, this should address your concerns. > > > > https://mailarchive.ietf.org/arch/msg/nvo3/-jwq1fjwDufvPl8Qcbk7Iheiegg > > > > Revised text: > > =E2=80=9CAn option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independently of one > > another. Architecturally, options are intended to be self- > > descriptive and independent. This enables parallelism in option > > processing and reduces implementation complexity.=E2=80=9D > > > > Thanks > > Ilango > > > > *From:* Daniel Migault [mailto:daniel.migault@ericsson.com] > *Sent:* Wednesday, March 20, 2019 1:56 PM > *To:* Ganga, Ilango S > *Cc:* NVO3 > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt - geneve options > > > > Hi, > > > > I am looking at the version 12 and see how it address my concern, > > regarding the integration of security options. > > > > The new text in version 12 mentions: > > """ > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. However, option processing by tunnel endpoints may > > result in the packet being dropped. Options may also be used in > > conjunction with each other or combined with packet data but this > > processing is done above the encapsulation layer. > > """ > > > > I am reading the text as a security option can be combined with another > > option or the data payload. More specifically, an authentication option > > that authenticates some options and/or the payload may result in the > > packet to be discarded or not. > > > > I think we are making progress. However, I am not clear about the text: > > > > """ but this processing is done above the encapsulation layer.""" > > > > I am reading the encapsulation layer as the Geneve protocol, but I am > > not clear what the layer above is. I am assuming that is a layer > > that takes the output of the Geneve decapsulation. If that is correct, > > I understand the text saying Geneve processes the options even though > > the authentication has failed. Typically, suppose option A covers > > options O. Upon verification of A fails, Geneve processes O and returns > > to some upper layers that O has been processed while its authentication > > did not succeed. I am sure that I misunderstood the text, but I suggest > > some clarification are provided to prevent such interpretation as the > > purpose of the authenticating O MUST be able to prevent the processing > > of the option O. > > > > In the current text I believe the text """but ...layer""" can be > > removed. Another way might be to clarify the layer above the > > encapsulation. > > > > > > Yours, > > Daniel > > > > > > > > On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault > wrote: > > Hi, > > > > Thanks for the response. Let me first recap the previous conversation, > > or at least my perception of them. My initial comment was that the > > current Geneve specification prevents the design of security options and > > I provided an example. My understanding is there is an agreement that > > such option is prevented by the current geneve specification and you > > challenge the usefulness of such an option (designated as A) as well as > > argue that an authentication upon failure MUST result in discarding the > > packet. > > > > The security options considered has been mentioned in two independent > > security analysis. The example has been described and commented > > extensively in the threat analysis as well. I argue further that > > mandating that dropping the packet, in our case is neither a decision > > that can be taken at the option level, nor at the geneve level. Instead, > > it belongs to a policy decision that is likely to result in incoherent > > deployments. > > > > As result, the current geneve specification prevents security options. > > Please see below for more additional information. > > > > The current option works similarly to IPsec: IPsec/ESP is IP option. AH > > is an option that authenticates the full IP packet. ESP > > authenticate/encrypt the IP payload and not the full packet. Upon > > authentication failure *the scope of the authentication* is discarded > > and in that sense the example I am providing is no more different. > > > > In our case, the option authenticate an portion of the geneve packet > > that is limited to the option. Tthe coverage of the security option is a > > portion of the geneve header. As such, the option cannot mandate > > anything outside of its coverage: the covered option O. As a result, > > dropping the full packet is outside of the scope. Mandating a packet > > drop hardly, in my opinion apply here. > > > > Options are usually non critical for interoperability. Mandating to drop > > the packet when option O cannot be authenticated would contradict the > > non critical status of that option, which is the packet can be processed > > without the option. This would be a policy that overwrite the geneve > > - as well as the geneve option - specification. > > A possible incoherence would be if option A and O are non critical would > > be that the implementation ignoring the option A and O will accept the > > packet, an implementation understanding option O but not option A will > > accept the packet while the implementation understanding option A and O > > will reject the packet. > > > > Yours, > > Daniel > > > > > > On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S > wrote: > > Hi Daniel, > > > > Please see my responses inline below. > > > > Thanks, > > Ilango > > > > > > *From:* nvo3 [mailto:nvo3-bounces@ietf.org] *On Behalf Of *Daniel Migault > *Sent:* Monday, March 4, 2019 9:15 AM > *To:* Ganga, Ilango S > *Cc:* nvo3@ietf.org > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Hi Ilango, > > > > Thanks for the response. Please see a concrete example to illustrate my > concern > > for comment 1. For comment 2, it really helped you indicated that Geneve > is expected > > to be an end-to-end protocol. This will help me update the security > requirement > > document. However, the current Geneve specification with transit devices > seems - > > at least to me - to raise an architecture concern as raised in [1]. > > > > -- comment 1: > > > > Thanks for the feed back. I understand the purpose of keeping option > > independent one from each other, and favour this is strongly recommended. > > However, I am not convinced this applies always. More specifically, in a > > context of security, the purpose of a security option may be related to > > another option. Typically, a security option providing authentication or > > encryption is potentially authenticating/encryption another option or > > other information contained in the header. > > > > The typical scenario I have in mind would be an authentication option A > > authenticating option O. There will clearly some dependencies between A > > and O as O could only be used if A has been primarily been validated. > > The current statement "SHOULD NOT be dependent" enables this. However, I > > have concerns regarding the statement "MUST NOT affect the parsing or > > interpretation". In fact, the output of A, will determine if O should be > > dropped or processed normally. In case A shows O is not appropriately > > authenticated, O might be rejected based on its C value. The ambiguity I > > see is that A can be understood as affecting the parsing and > > interpretation of O or as a pre-processing operation before parsing or > > interpretation of O. > > > > I think, the text needs further clarifications to remove such ambiguity. > > Changing MUST NOT by SHOULD NOT was of course only one proposition and > > this could be also addressed otherwise. It might be better, I agree, to > > explicitly mention that some options may provide condition on the > > parsing of the options. This would leave the parsing of the options > unchanged. > > > > > > If I understand your example correctly, you want to have one option > authenticate the contents of another option and if that authentication > fails, drop the option. This would not drop the entire packet unless that > option is critical. Can you give a use case for this? This seems unusual > and not something that is supported by other security protocols such as > IPsec or TLS to the best of our knowledge. > > > > I believe a more common outcome of a failed authentication is that the > entire packet would be dropped. As previously noted, the current text doe= s > not preclude this. It seems like going beyond this would result in > significant complexity, both for processing options in this specific case > as well as the possibility of introducing ambiguity in how other options > might be defined or processed as an unintended consequence. Without a > strong use case, this does not seem desirable. > > > > > > -- comment 2: > > > > Thanks for the response that clarifies a bit my understanding of the > > transit devices.. I believe the issue I have is related to the transit > > devices which I do not see, unless I am wrong, meeting the requirements > > for being OPTIONAL and that seems - at least to me - contradicting the > > status of end-to-end protocol. As suggested in [1], transit devices seem > to raise > > architectural concerns that is not needed. > > > > You are correct that the text is clear that transit devices are > > OPTIONAL. However, my understanding of OPTIONAL from 2119 is that there > > are two sides of it. One is that a vendor may implement it or not, but > > the other side is that interoperability with other implementations are > > not affected. In this case, two Geneve endpoints using TLS or IPsec will > > not be able to interoperate with an implementation based on transit > > devices (unless the process being performed by the transit devices is > > also performed by the NVE). In that sense, I believe OPTIONAL statement > > is not appropriated here. > > > > An implementation with transit devices seems to prevent the > > interoperability of with an implementation where options are treated > > by the NVE over a secure channel. If we suppose that NVE and > > transit devices support the same options, then transit devices are not > > necessary and could be removed from the specification. If options > > supported by transit devices are different from those supported by > > the NVE, interoperability will not be achieved. Transit device will not b= e > > able to process the options, resulting in options will be ignored (while > > being supported by the implementation).. In addition, if the options > > are critical, the NVE is likely to drop the packet as it does not support > > the option. > > > > In addition, I have some hard time to understand the end-to-end model > > with a transit device even optional. I believe that end-to-end protocol > > is a good path, though. However, my understanding of end-to-end protocol > > is that they should only involve two end points. I see the NVE as end > > points but the optional transit device does not seems to be one of > > these. However, to help me understand better this, as it seems Geneve is > > similar to other end-to-end protocol, maybe you could provide similar > > end-to-end protocol that involves a transit devices or something similar. > > > > > I also have another clarification regarding transit device. I see these > > transit devices as adding a lot of complexity to the end-to-end model > > with little benefits. Typically, as far as I understand, they can only > > read an option. I am thus wondering whether we should not be better off > > removing them from the specification. This would end up with a clear > > end-to-end model. Reversely, I do not see anything preventing a vendor > > to implement them at least for unsecure deployments. Removing them > > from the specification would leave the transit devices as implementation > > specific. What are actually the benefits of the transit devices that woul= d > > justify them to be part of the specification? > > > > > > Transit devices exists in the underlay network, these are simply > forwarding elements (e.g. switches, routers) that generally forwards > packets based on outer header information, there is nothing that stops su= ch > devices from reading the contents if the data is in the clear. This work= s > with any transport protocols like IP, IP in IP, GRE, VXLAN, etc. For > example, routers may look at headers and/or inner payload for ECMP purpos= es > or for statistics or logging purposes. If the packet is encrypted then su= ch > transit devices cannot look into the packets but would simply forward bas= ed > on the outer headers and use information in outer headers for entropy. > There is no interoperability issue between the endpoints. Geneve is no > different. > > > > Recognizing the fact that such a device is anyway going to exist in the > network, Geneve draft provides guidance on how to handle Geneve headers (= if > a device has the option to do so). Geneve options are part of Geneve > header, a transit device that is capable of interpreting Geneve headers m= ay > interpret an option or skip over the option to view the payload, etc. If= a > transit device is not able interpret the header or option, it has to simp= ly > use the outer header to forward the packet (outer IP/UDP). This is what t= he > Geneve draft clarifies. > > > > These guidelines reduce possible interoperability issues compared to if > behavior was left undefined. For example, transit devices are not allowed > to drop packets or fall back to a slow path on the basis of an unknown > option. If this were to happen, it would hamper the introduction of new > options. It might also be worth mentioning that anything that could be > considered a middlebox is not a transit device but needs to be modeled as > an endpoint and so Geneve really should be viewed as a tunnel > endpoint-to-endpoint protocol. > > > > > > > > [1] https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdhc= s > > > > > > Yours, > > Daniel > > > > On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S > wrote: > > Hi Daniel, > > > > Let us be specific. I see that you have two comments on the latest > draft-ietf-nvo3-geneve-09. Please see below for responses to your commen= ts. > > > > Comment 1: > > OLD > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > > > NEW > > > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option SHOULD NOT affect the parsing or interpretation of any > > other option. > > > > > > Architecturally Geneve options can be processed independent of one > another. The second statement clearly states that parsing or interpretati= on > of one option must not affect the other. This is a reasonable constraint > to avoid nested dependencies. Options can be designed to work with the > requirements specified in Geneve. > > > > Let us take specific examples: > > We could think of a design of a Header Integrity check option (related to > your example). In this case if the header integrity check fails, as a > result the entire header is invalid and hence the most likely outcome of = a > failed check is that the packet being dropped (including any options in > that packet whether parsed/interpreted or not). The current text does not > preclude the packet being dropped as result of failure. > > > > It is possible to design options, including any security options, with > these constraints. We don=E2=80=99t see a reason to change this requirem= ent that > may have unintended consequences. > > > > Comment 2: > > > > NEW > > Security Consideration > > > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > > communication using IPsec or DTLS. However, such mechanisms cannot be > > applied for deployments that include transit devices.. > > > > Some deployment may not be able to secure the full communication using > > IPsec or DTLS between the NVEs. This could be motivated by the presence > > of transit devices or by a risk analysis that concludes that the Geneve > > packet be only partially protected - typically reduced to the Geneve > > Header information. In such cases Geneve specific mechanisms needs to be > > designed. > > > > The challenge is, you are asking to impose requirements that is > not supported by Geneve architecture. Geneve has an optional feature wher= e > transit devices may be able to interpret Geneve options. However this is > not a requirement for Geneve operation between tunnel end point to tunnel > end point. We have tried make this very clear by adding clarifying text > during the last two revisions. If the Geneve packet is in the clear then > transit devices may be able to view the Genve header, options, and the > payload. However if the packet is encrypted then transit devices cannot > view the packet contents. This is consistent with other transport protoco= ls > encrypting the packets. So we don=E2=80=99t see a reason why Geneve shoul= d be > different. > > > > Geneve is an end to end protocol between tunnel endpoints and the NVEs > decide to secure (encrypt) the packets between tunnel endpoints. If a > middle box has a need to see an encrypted packet, then it has to implemen= t > tunnel endpoint functionality. > > > > We already have text in 6.4 security consideration section that provides > clear guidance to the operators. > > > > So we don=E2=80=99t see a good reason to add the suggested text above. > > > > For a complete threat analysis, a security analysis of Geneve or some > > guide lines to secure a Geneve overlay network, please refer to > > [draft-mglt-nvo3-geneve-security-requirements] as well as > > [draft-ietf-nvo3-security-requirements]. > > > > > > The security requirements document makes certain assumptions that is > unsupported by Geneve architecture. We have tried to clarify this multipl= e > times, however you have still maintained this in the requirements documen= t. > So this needs to be addressed. Also the document is not yet adopted by th= e > working group. > > > > Moreover, Geneve security consideration section has been significantly > enhanced to provide guidance to operators and to address the comments. So > both documents can progress independently. > > > > Thanks, > > Ilango > > > > > > *From:* Daniel Migault [mailto:daniel.migault@ericsson.com] > *Sent:* Saturday, March 2, 2019 8:49 AM > *To:* Bocci, Matthew (Nokia - GB) > *Cc:* draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg 40microsoft.com@dmarc.ietf.org>; NVO3 > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Hi Matt, > > > > > > You are correct, this is at least not an regular process to have a > > standard track document being updated by an informational. I do not see > > either any requirements for having a WG status to become a reference, > > but that is something we could confirm with the RFC-editor. > > > > Back to the initial suggestion, I also believe the difficulties of > updating > > the Geneve specifications are far less complex than updating the > > implementation, and for that specific reason, it would be good we have a > > consensus on the security analyse. > > > > I agree that WG draft would be better, and RFC would be even better as > > we have seen WG document being stalled. I am confident we can make this > > happen or at least I do not see major issues. > > > > Yours, > > Daniel > > > > > > On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) < > matthew.bocci@nokia.com> wrote: > > WG, Daniel, > > > > Apologies but I mis-spoke on the suggestion for the security requirements > to act as an update to the encapsulation RFC in future. This would be > difficult to do as it is informational. > > > > Nonetheless I think we should only be referencing a WG draft (at a > minimum) here. > > > > Matthew > > > > > > > > *From: *Dacheng Zhang on behalf of "Bocci, > Matthew (Nokia - GB)" > *Date: *Friday, 1 March 2019 at 16:24 > *To: *Daniel Migault > *Cc: *"draft-ietf-nvo3-geneve@ietf.org" = , > Pankaj Garg , NVO3 > *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Daniel > > > > From a procedural perspective, referring to your draft creates a > dependency and that draft has not yet been adopted by the WG. The old > Security requirements framework expired a couple of years ago and does no= t > seem to be being progressed. > > Maybe a better approach to allow progress, as long as the WG can agree to > your text (if needed) to satisfy the concern that future security > mechanisms can be used, and that the evolving threat analysis is understo= od > by implementers and users of Geneve, would be to mark the Geneve security > requirements as an update to the geneve encapsulation RFC when it is > published. > > > > Matthew > > > > *From: *Daniel Migault > *Date: *Friday, 1 March 2019 at 16:11 > *To: *"Bocci, Matthew (Nokia - GB)" > *Cc: *Pankaj Garg , " > draft-ietf-nvo3-geneve@ietf.org" , NVO3 = < > nvo3@ietf.org> > *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Hi Matthew, > > > > I am happy to clarify and be more specific. However, despite your > > reading of [1] I think [1] clearly indicates the changes I expected as > > well as that these changes needs to be made. > > > > I believe the responsibility of not addressing an acknowledged issue is > > more on the side of people ignoring the issue then on the side of the > > one raising this issue. My impression is that this is the situation we > > are in. > > > > I agree that my initial comment saying "I am fine with the text if we do > > not find something better." might have been confusing and I apology for > > this. At the time of writing the initial comment I was not sure I was > > not missing something nor that the problem could not be solved here or > > somewhere else (in another section). My meaning behind those words were > > that I was open to the way the concerned could be addressed. However, - > > from my point of view - the text does not say the issue does not need to > > be solved which is the way it has been interpreted. In addition, I > > believe I have clarified this right away after the concern has been > > acknowledged and not addressed. As result, I do not think my comment > > could be reasonably read as the text is fine. > > > > Please fine the below the initial comment its response and the response > > to the response from [1]. > > > > """ > > In case we have a option providing authentication, such option > > may affect the interpretation of the other options. > > s/interpretation/ndependance may not be better.... I think what we want > > to say is that option MUST be able to be processed in any order or in > > parallel. I am fine with the text if we do not find something better. > > > > > > This is a good point, however we believe that this text > > captures the intent. > > > > The problem I have is that the current text prevents security > > options, so I guess some clarification should be brought to clarify the > > intent. > > """ > > > > If I had to suggest some text I would suggest the following - or > > something around the following lines. > > > > > > OLD > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > > > NEW > > > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option SHOULD NOT affect the parsing or interpretation of any > > other option. > > > > There are rare cases were the parsing of one option affects the parsing > > or the interpretation of other option. Option related to security may > > fall into this category. Typically, if an option enables the > > authentication of another option and the authentication does not > > succeed, the authenticated option MUST NOT be processed. Other options > > may be designed in the future. > > > > NEW > > Security Consideration > > > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > > communication using IPsec or DTLS. However, such mechanisms cannot be > > applied for deployments that include transit devices. > > > > Some deployment may not be able to secure the full communication using > > IPsec or DTLS between the NVEs. This could be motivated by the presence > > of transit devices or by a risk analysis that concludes that the Geneve > > packet be only partially protected - typically reduced to the Geneve > > Header information. In such cases Geneve specific mechanisms needs to be > > designed. > > > > For a complete threat analysis, a security analysis of Geneve or some > > guide lines to secure a Geneve overlay network, please refer to > > [draft-mglt-nvo3-geneve-security-requirements] as well as > > [draft-ietf-nvo3-security-requirements]. > > > > For full disclosure I am a co-author of > > draft-mglt-nvo3-geneve-security-requirement. However the reason for > > referring to these documents is motivated by the fact that I believe > > these analysis provide a better security analysis than the current (OLD) > > security consideration section. > > > > Yours, > > Daniel > > > > > > On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) < > matthew.bocci@nokia.com> wrote: > > Hi Daniel > > > > Thanks for reviewing the latest version. At this stage it would be helpfu= l > if you could be much more concrete and give specifics. > > > > I think that the main issue is whether the design of Geneve prevents > future security extensions. > > > > However, in [1], you stated that you were comfortable with the text if > nothing else could be found. > > > > What specifically do you want to change in the following, bearing in mind > that there are already claimed implementations of Geneve: > > """ > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > """ > > > > > > Matthew > > > > > > *From: *Daniel Migault > *Date: *Friday, 1 March 2019 at 03:06 > *To: *Pankaj Garg > *Cc: *"Bocci, Matthew (Nokia - GB)" , NVO3 < > nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" < > draft-ietf-nvo3-geneve@ietf.org> > *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > Hi, > > > > I just briefly went through the document quickly and in my opinion, the > document still faces some security issues. > > > > The current text (in my opinion) prevents any geneve security related > > options. Currently Geneve cannot be secured and this prevents future > > work to eventually secure Geneve. In my opinion the current text > > mandates Geneve to remain unsecure. > > > > Geneve security option that are willing to authenticate/encrypt a part > > of the Geneve Header will affect the parsing of the protected option and > > will affect the order in which option needs to be process. Typically a > > protected option (authenticated, encrypted) cannot or should not be > > processed before authenticated or decrypted. > > > > This has already been mentioned in [1], and the text needs in my opinion > > further clarifications. > > > > """ > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > """ > > > > > > > > As stated in [2] it remains unclear to me why this section is not > > referencing and leveraging on the security analysis [3-4] performed by > > two different independent teams.. > > > > My reading of the security consideration is that the message is that > > IPsec or TLS could be used to protect a geneve overlay network. This is > > - in my opinion- not correct as this does not consider the transit > > device. In addition, the security consideration only considers the case > > where the cloud provider and the overlay network provider are a single > > entity, which I believe oversimplifies the problem. > > > > The threat model seems to me very vague, so the current security > > consideration is limited to solving a problem that is not stated. > > > > My reading of the text indicates the tenant can handle by itself the > > confidentiality of its information without necessarily relying on the > > overlay service provider. This is not correct. Even when the tenant uses > > IPsec/TLS, it still leaks some information. The current text contradicts > > [3] section 6.2 and [4] section 5.1. > > > > My reading is that the text indicates that IPsec/DTLS could be used to > > protect the overlay service for both confidentiality and integrity. > > While this could be used in some deployment this is not compatible with > > transit devices. As such the generic statement is not correct. Section > > 6.4 indicates that transit device must be trusted which is incorrect. > > Instead the transit device with all nodes between the transit device and > > the NVE needs to be trusted. Overall the impression provided is that > > IPsec (or TLS) can be used by the service overlay provider, which is (in > > my opinion) not true. > > > > It is unclear to me how authentication of NVE peers differs from the > > authentication communication as the latest usually rely on the first. > > Maybe the section should insist on mutual authentication. > > > > Yours, > > Daniel > > > > > > [1] https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9= o > > [2] https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSG= w > > [3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07 > > [4] > https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-= 05 > > > > > > > > > > > > On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg 40microsoft.com@dmarc.ietf.org> wrote: > > I am not aware of any IP related to draft-ietf-nvo3-geneve which has not > already been disclosed. > > > > Thanks > > Pankaj > > > > *From:* Bocci, Matthew (Nokia - GB) > *Sent:* Tuesday, October 9, 2018 2:08 AM > *To:* NVO3 > *Cc:* draft-ietf-nvo3-geneve@ietf.org > *Subject:* Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > > > This email begins a two-week working group last call for > draft-ietf-nvo3-geneve-08.txt. > > > > Please review the draft and post any comments to the NVO3 working group > list. If you have read the latest version of the draft but have no commen= ts > and believe it is ready for publication as a standards track RFC, please > also indicate so to the WG email list. > > > > We are also polling for knowledge of any undisclosed IPR that applies to > this document, to ensure that IPR has been disclosed in compliance with > IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). > > If you are listed as an Author or a Contributor of this document, please > respond to this email and indicate whether or not you are aware of any > relevant undisclosed IPR. The Document won't progress without answers fro= m > all the Authors and Contributors. > > > > Currently there are two IPR disclosures against this document. > > > > If you are not listed as an Author or a Contributor, then please > explicitly respond only if you are aware of any IPR that has not yet been > disclosed in conformance with IETF rules. > > > > This poll will run until Friday 26th October. > > > > Regards > > > > Matthew and Sam > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > --0000000000008112cf0585926d06 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Ilango,=C2=A0

Thank you for the upda= te. The text addresses my concerns and I also think it indicates clearly th= e design principle for options.

Yours,=C2=A0
=
Daniel=C2=A0=C2=A0

On Wed, Mar 27, 2019 at 1:31 AM Ganga, Ilango= S <ilango.s.ganga@intel.com= > wrote:

Hi Daniel,

=C2=A0

We updated the draft to restate the requirem= ent on options processing, the revised text is much simpler, provides bette= r clarity, and retains the original intent. We believe, this should address your concerns.

=C2=A0

https://mailarchive.ietf.o= rg/arch/msg/nvo3/-jwq1fjwDufvPl8Qcbk7Iheiegg

=C2=A0

Revised text:

=E2=80=9CAn option SHOULD NOT be dependent upon = any other option in the

packet, i.e., options can be processed independe= ntly of one

another.=C2=A0 Architecturally, options are inte= nded to be self-

descriptive and independent.=C2=A0 This en=
ables parallelism in option
processing and reduces implementation comp=
lexity.=E2=80=9D

=C2=A0

Thanks

Ilango

=C2=A0

From= : = Daniel Migault [mailto:daniel.migault@ericsson.com]
Sent: Wednesday, March 20, 2019 1:56 PM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: NVO3 <nvo3= @ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt - geneve options

=C2=A0

Hi,

=C2=A0

I am looking at the version 12 and see how it addres= s my concern,

regarding the integration of security options.

=C2=A0

The new text in version 12 mentions:

"""

=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be depende= nt upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be pr= ocessed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affect the p= arsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other option.=C2=A0 However, op= tion processing by tunnel endpoints may

=C2=A0 =C2=A0 =C2=A0 result in the packet being drop= ped.=C2=A0 Options may also be used in

=C2=A0 =C2=A0 =C2=A0 conjunction with each other or = combined with packet data but this

=C2=A0 =C2=A0 =C2=A0 processing is done above the en= capsulation layer.

"""

=C2=A0

I am reading the text as a security option can be co= mbined with another

option or the data payload. More specifically, an au= thentication option

that authenticates some options and/or the payload m= ay result in the

packet to be discarded or not.

=C2=A0

I think we are making progress. However, I am not cl= ear about the text:

=C2=A0

""" but this processing is done above= the encapsulation layer."""

=C2=A0

I am reading the encapsulation layer as the Geneve p= rotocol, but I am

not clear what the layer above is. I am assuming tha= t is a layer

that takes the output of the Geneve decapsulation. I= f that is correct,

I understand the text saying Geneve processes the op= tions even though

the authentication has failed. Typically, suppose op= tion A covers

options O. Upon verification of A fails, Geneve proc= esses O and returns

to some upper layers that O has been processed while= its authentication

did not succeed. I am sure that I misunderstood the = text, but I suggest

some clarification are provided to prevent such inte= rpretation as the

purpose of the authenticating O MUST be able to prev= ent the processing

of the option O.

=C2=A0

In the current text I believe the text ""&= quot;but ...layer""" can be

removed. Another way might be to clarify the layer a= bove the

encapsulation.

=C2=A0

=C2=A0

Yours,

Daniel

=C2=A0

=C2=A0

=C2=A0

On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault <daniel.migau= lt@ericsson.com> wrote:

Hi,

=C2=A0

Thanks for the response. Let me first recap the prev= ious conversation,

or at least my perception of them. My initial commen= t was that the

current Geneve specification prevents the design of = security options and

I provided an example. My understanding is there is = an agreement that

such option is prevented by the current geneve speci= fication and you

challenge the usefulness of such an option (designat= ed as A) as well as

argue that an authentication upon failure MUST resul= t in discarding the

packet.

=C2=A0

The security options considered has been mentioned i= n two independent

security analysis. The example has been described an= d commented

extensively in the threat analysis as well.=C2=A0 I = argue further that

mandating that dropping the packet, in our case is n= either a decision

that can be taken at the option level, nor at the ge= neve level. Instead,

it belongs to a policy decision that is likely to re= sult in incoherent

deployments.

=C2=A0

As result, the current geneve specification prevents= security options.

Please see below for more additional information.=

=C2=A0

The current option works similarly to IPsec: IPsec/E= SP is IP option. AH

is an option that authenticates the full IP packet. = ESP

authenticate/encrypt the IP payload and not the full= packet.=C2=A0 Upon

authentication failure *the scope of the authenticat= ion* is discarded

and in that sense the example I am providing is no m= ore different.

=C2=A0

In our case, the option authenticate an portion of t= he geneve packet

that is limited to the option. Tthe coverage of the = security option is a

portion of the geneve header.=C2=A0 As such, the opt= ion cannot mandate

anything outside of its coverage: the covered option= O. As a result,

dropping the full packet is outside of the scope. Ma= ndating a packet=C2=A0

drop hardly, in my opinion apply here.=C2=A0<= u>

=C2=A0

Options are usually non critical for interoperabilit= y. Mandating to drop

the packet when option O cannot be authenticated wou= ld contradict the

non critical status of that option, which is the pac= ket can be processed

without the option. This would be a policy that over= write the geneve

=C2=A0- as well as the geneve option - specification= .

A possible incoherence would be if option A and O ar= e non critical would

be that the implementation ignoring the option A and= O will accept the

packet, an implementation understanding option O but= not option A will

accept the packet while the implementation understan= ding option A and O

will reject the packet.

=C2=A0

Yours,

Daniel

=C2=A0

=C2=A0

On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S <<= a href=3D"mailto:ilango.s.ganga@intel.com" target=3D"_blank">ilango.s.ganga= @intel.com> wrote:

Hi Daniel,

=C2=A0

Please see my responses inline below.=

=C2=A0

Thanks,

Ilango

=C2=A0

=C2=A0

From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Daniel Migault
Sent: Monday, March 4, 2019 9:15 AM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: nvo3@ietf.org=
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt

=C2=A0

Hi Ilango,=C2=A0

=C2=A0

Thanks for the response.=C2=A0Please see a concrete = example to illustrate my concern=C2=A0

for comment 1. For comment 2, it really helped you i= ndicated that Geneve is expected=C2=A0

to be an end-to-end protocol. This will help me upda= te the security requirement=C2=A0

document. However, the current Geneve specification = with transit devices seems -=C2=A0

at least to me - to raise an architecture concern as= raised in [1].

=C2=A0

-- comment 1:

=C2=A0

Thanks for the feed back. I understand the purpose o= f keeping option

independent one from each other, and favour this is = strongly recommended.

However, I am not convinced this applies always. Mor= e specifically, in a

context of security, the purpose of a security optio= n may be related to

another option. Typically, a security option providi= ng authentication or

encryption is potentially authenticating/encryption = another option or

other information contained in the header.=

=C2=A0

The typical scenario I have in mind would be an auth= entication option A

authenticating option O. There will clearly some dep= endencies between A

and O as O could only be used if A has been primaril= y been validated.

The current statement "SHOULD NOT be dependent&= quot; enables this. However, I

have concerns regarding the statement "MUST NOT= affect the parsing or

interpretation". In fact, the output of A, will= determine if O should be

dropped or processed normally. In case A shows O is = not appropriately

authenticated, O might be rejected based on its C va= lue. The ambiguity I

see is that A can be understood as affecting the par= sing and

interpretation of O or as a pre-processing operation= before parsing or

interpretation of O.

=C2=A0

I think, the text needs further clarifications to re= move such ambiguity.

Changing MUST NOT by SHOULD NOT was of course only o= ne proposition and

this could be also addressed otherwise. It might be = better, I agree, to

explicitly mention that some options may provide con= dition on the

parsing of the options. This would leave the parsing= of the options unchanged.=C2=A0

=C2=A0

<Ilango>

If I understand your example correctly, you = want to have one option authenticate the contents of another option and if that authentication fails, drop the option. This would not d= rop the entire packet unless that option is critical. Can you give a use ca= se for this? This seems unusual and not something that is supported by othe= r security protocols such as IPsec or TLS to the best of our knowledge.

=C2=A0

I believe a more common outcome of a failed = authentication is that the entire packet would be dropped. As previously noted, the current text does not preclude this. It seems lik= e going beyond this would result in significant complexity, both for proces= sing options in this specific case as well as the possibility of introducin= g ambiguity in how other options might be defined or processed as an unintended consequence. Without a stro= ng use case, this does not seem desirable.

</>

=C2=A0

-- comment 2:

=C2=A0

Thanks for the response that clarifies a bit my unde= rstanding of the

transit devices.. I believe the issue I have is rela= ted to the transit

devices which I do not see, unless I am wrong, meeti= ng the requirements

for being OPTIONAL and that seems - at least to me -= contradicting the

status of end-to-end protocol. As suggested in [1], = transit devices seem to raise

architectural concerns that is not needed.=

=C2=A0

You are correct that the text is clear that transit = devices are

OPTIONAL. However, my understanding of OPTIONAL from= 2119 is that there=C2=A0

are two sides of it. One is that a vendor may implem= ent it or not, but

the other side is that interoperability with other i= mplementations are

not affected. In this case, two Geneve endpoints usi= ng TLS or IPsec will

not be able to interoperate with an implementation b= ased on transit

devices (unless the process being performed by the t= ransit devices is

also performed by the NVE). In that sense, I believe= OPTIONAL statement

is not appropriated here.=C2=A0

=C2=A0

An implementation with transit devices seems to prev= ent the=C2=A0

interoperability of with an implementation where=C2= =A0 options are treated=C2=A0

by the NVE over a secure channel. If we suppose that= NVE and=C2=A0

transit devices support the same options, then trans= it devices are not=C2=A0

necessary and could be removed from the specificatio= n. If options

supported by transit devices are different from thos= e supported by=C2=A0

the NVE, interoperability will not be achieved. Tran= sit device will not be=C2=A0

able to process the options, resulting in options wi= ll be ignored (while=C2=A0

being supported by the implementation).. In addition= ,=C2=A0if the options=C2=A0

are critical, the NVE is likely to drop the packet a= s it does not support=C2=A0

the option.=C2=A0

=C2=A0

In addition, I have some hard time to understand the= end-to-end model=C2=A0

with a transit device even optional. I believe that = end-to-end protocol

is a good path, though. However, my understanding of= end-to-end protocol

is that they should only involve two end points. I s= ee the NVE as end

points but the optional transit device does not seem= s to be one of

these. However, to help me understand better this, a= s it seems Geneve is=C2=A0

similar to other end-to-end protocol, maybe you coul= d provide similar=C2=A0

end-to-end protocol that involves a transit devices = or something similar.=C2=A0 =C2=A0

=C2=A0

I also have another clarification regarding transit = device. I see these

transit devices as adding a lot of complexity to the= end-to-end model

with little benefits. Typically, as far as I underst= and, they can only

read an option. I am thus wondering whether we shoul= d not be better off

removing them from the specification. This would end= up with a clear

end-to-end model. Reversely, I do not see anything p= reventing a vendor

to implement them at least for unsecure deployments.= Removing them=C2=A0

from the specification would leave the transit devic= es as implementation=C2=A0

specific. What are actually the benefits of the tran= sit devices that would=C2=A0

justify them to be part of the specification?=

=C2=A0

<Ilango>

Transit devices exists in the underlay netwo= rk, these are simply forwarding elements (e.g. switches, routers) that generally forwards packets based on outer header information= , there is nothing that stops such devices from reading the contents if the= data is in the clear.=C2=A0 This works with any transport protocols like I= P, IP in IP, GRE, VXLAN, etc.=C2=A0 For example, routers may look at headers and/or inner payload for ECMP purposes or for = statistics or logging purposes. If the packet is encrypted then such transi= t devices cannot look into the packets but would simply forward based on th= e outer headers and use information in outer headers for entropy. There is no interoperability issue between t= he endpoints. Geneve is no different.

=C2=A0

Recognizing the fact that such a device is a= nyway going to exist in the network, Geneve draft provides guidance on how to handle Geneve headers (if a device has the option to do= so).=C2=A0 Geneve options are part of Geneve header, a transit device that= is capable of interpreting Geneve headers may interpret an option or skip = over the option to view the payload, etc.=C2=A0 If a transit device is not able interpret the header or option,= it has to simply use the outer header to forward the packet (outer IP/UDP)= . This is what the Geneve draft clarifies.

=C2=A0

These guidelines reduce possible interoperab= ility issues compared to if behavior was left undefined. For example, transit devices are not allowed to drop packets or fall back = to a slow path on the basis of an unknown option. If this were to happen, i= t would hamper the introduction of new options. It might also be worth ment= ioning that anything that could be considered a middlebox is not a transit device but needs to be modeled = as an endpoint and so Geneve really should be viewed as a tunnel endpoint-t= o-endpoint protocol.

<end>

=C2=A0

=C2=A0

=C2=A0

=C2=A0

Yours,=C2=A0

Daniel=C2=A0

=C2=A0

On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S <<= a href=3D"mailto:ilango.s.ganga@intel.com" target=3D"_blank">ilango.s.ganga= @intel.com> wrote:

Hi Daniel,

=C2=A0

Let us be specific. I see that you have two = comments on the latest draft-ietf-nvo3-geneve-09.=C2=A0 Please see below for responses to your comments.

=C2=A0

Comment 1:

OLD

=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be depende= nt upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be pr= ocessed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affect the p= arsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other option.

=C2=A0

NEW

=C2=A0

=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be depende= nt upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be pr= ocessed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option SHOULD NOT affect the= parsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other option.

=C2=A0

<Ilango>

Architecturally Geneve options can be proces= sed independent of one another. The second statement clearly states that parsing or interpretation of one option must not affect the ot= her.=C2=A0 This is a reasonable constraint to avoid nested dependencies. Op= tions can be designed to work with the requirements specified in Geneve.

=C2=A0

Let us take specific examples:=

We could think of a design of a Header Integ= rity check option (related to your example). In this case if the header integrity check fails, as a result the entire header is inva= lid and hence the most likely outcome of a failed check is that the packet = being dropped (including any options in that packet whether parsed/interpre= ted or not). The current text does not preclude the packet being dropped as result of failure. =

=C2=A0

It is possible to design options, including = any security options, with these constraints.=C2=A0 We don=E2=80=99t see a reason to change this requirement that may have unintended consequen= ces.

=C2=A0

Comment 2:

=C2=A0

NEW

Security Consideration

=C2=A0

Geneve Overlay may be secured using by protecting th= e NVE-to-NVE

communication using IPsec or DTLS. However, such mec= hanisms cannot be

applied for deployments that include transit devices= ..=C2=A0

=C2=A0

Some deployment may not be able to secure the full c= ommunication using

IPsec or DTLS between the NVEs. This could be motiva= ted by the presence

of transit devices or by a risk analysis that conclu= des that the Geneve

packet be only partially protected - typically reduc= ed to the Geneve

Header information. In such cases Geneve specific me= chanisms needs to be

designed.=C2=A0

=C2=A0

<Ilango> The challenge is, you are ask= ing to impose requirements that is not supported by Geneve architecture. Geneve has an optional feature where transit devices may be able to interp= ret Geneve options. However this is not a requirement for Geneve operation = between tunnel end point to tunnel end point. We have tried make this very = clear by adding clarifying text during the last two revisions. If the Geneve packet is in the clear then t= ransit devices may be able to view the Genve header, options, and the paylo= ad. However if the packet is encrypted then transit devices cannot view the= packet contents. This is consistent with other transport protocols encrypting the packets. So we don=E2=80=99t= see a reason why Geneve should be different. =C2=A0=C2=A0=

=C2=A0

Geneve is an end to end protocol between tun= nel endpoints and the NVEs decide to secure (encrypt) the packets between tunnel endpoints. If a middle box has a need to see an enc= rypted packet, then it has to implement tunnel endpoint functionality.

=C2=A0

We already have text in 6.4 security conside= ration section that provides clear guidance to the operators.

=C2=A0

So we don=E2=80=99t see a good reason to add= the suggested text above.

=C2=A0

For a complete threat analysis, a security analysis = of Geneve or some

guide lines to secure a Geneve overlay network, plea= se refer to

[draft-mglt-nvo3-geneve-security-requirements] as we= ll as

[draft-ietf-nvo3-security-requirements].

=C2=A0

<Ilango>

The security requirements document =C2=A0mak= es certain assumptions that is unsupported by Geneve architecture. We have tried to clarify this multiple times, however you have still maint= ained this in the requirements document. So this needs to be addressed. Als= o the document is not yet adopted by the working group.

=C2=A0

Moreover, Geneve security consideration sect= ion has been significantly enhanced to provide guidance to operators and to address the comments. So both documents can progress i= ndependently.

=C2=A0

Thanks,

Ilango

=C2=A0

=C2=A0

From: Daniel Migault [mailto:daniel.migault@ericsson.com]
Sent: Saturday, March 2, 2019 8:49 AM
To: Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
Cc: draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg <pankajg=3D40microsoft.co= m@dmarc.ietf.org>; NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt

=C2=A0

Hi Matt,

=C2=A0=C2=A0

=C2=A0

You are correct, this is at least not an regular pro= cess to have a

standard track document being updated by an informat= ional. I do not see

either any requirements for having a WG status to be= come a reference,

but that is something we could confirm with the RFC-= editor.

=C2=A0

Back to the initial suggestion, I also believe the d= ifficulties of updating=C2=A0

the Geneve specifications are far less complex than = updating the=C2=A0

implementation, and for that specific reason, it wou= ld be good we have a=C2=A0

consensus on the security analyse.

=C2=A0

I agree that WG draft would be better, and RFC would= be even better as

we have seen WG document being stalled. I am confide= nt we can make this

happen or at least I do not see major issues.=

=C2=A0

Yours,

Daniel

=C2=A0

=C2=A0

On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Noki= a - GB) <ma= tthew.bocci@nokia.com> wrote:

WG, Daniel,

=C2=A0

Apologies but I mis-spoke on th= e suggestion for the security requirements to act as an update to the encap= sulation RFC in future. This would be difficult to do as it is informational.

=C2=A0

Nonetheless I think we should o= nly be referencing a WG draft (at a minimum) here.

=C2=A0

Matthew

=C2=A0

=C2=A0

=C2=A0

=C2=A0

Daniel

=C2=A0

From a procedural perspective, = referring to your draft creates a dependency and that draft has not yet bee= n adopted by the WG. The old Security requirements framework expired a couple of years ago and does not seem to be being progressed.

Maybe a better approach to allo= w progress, as long as the WG can agree to your text (if needed) to satisfy= the concern that future security mechanisms can be used, and that the evolving threat analysis is understood by implementers = and users of Geneve, would be to mark the Geneve security requirements as a= n update to the geneve encapsulation RFC when it is published.

=C2=A0

Matthew

=C2=A0

=C2=A0

Hi Matthew,=C2=A0=

=C2=A0

I am happy to clarify and be mo= re specific. However, despite your

reading of [1] I think [1] clea= rly indicates the changes I expected as

well as that these changes need= s to be made.=C2=A0

=C2=A0

I believe the responsibility of= not addressing an acknowledged issue is

more on the side of people igno= ring the issue=C2=A0 then on the side of the

one raising this issue. My impr= ession is that this is the situation we

are in.=C2=A0<= /u>

=C2=A0=C2=A0

I agree that my initial comment= saying "I am fine with the text if we do

not find something better."= ; might have been confusing and I apology for

this. At the time of writing th= e initial comment I was not sure I was

not missing something nor that = the problem could not be solved here or

somewhere else (in another sect= ion). My meaning behind those words were

that I was open to the way the = concerned could be addressed. However, -

from my point of view - the tex= t does not say the issue does not need to

be solved which is the way it h= as been interpreted. In addition, I

believe I have clarified this r= ight away after the concern has been

acknowledged and not addressed.= As result, I do not think my comment

could be reasonably read as the= text is fine.

=C2=A0

Please fine the below the initi= al comment its response and the response

to the response from [1].=C2=A0=

=C2=A0

"""

<mglt> In case we have a = option providing authentication, such option

may affect the interpretation o= f the other options.

s/interpretation/ndependance ma= y not be better.... I think what we want

to say is that option MUST be a= ble to be processed in any order or in

parallel.=C2=A0 I am fine with = the text if we do not find something better.

</mglt><= /u>

=C2=A0

<Ilango> This is a good p= oint, however we believe that this text

captures the intent.=C2=A0 <= />=C2=A0

=C2=A0

<mglt2>The problem I have= is that the current text prevents security

options, so I guess some clarif= ication should be brought to clarify the

intent.</mglt2>=C2=A0

"""

=C2=A0

If I had to suggest some text I= would suggest the following - or

something around the following = lines.=C2=A0

=C2=A0

=C2=A0

OLD

=C2=A0 =C2=A0o=C2=A0 An option = SHOULD NOT be dependent upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.= e., options can be processed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option = MUST NOT affect the parsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other opti= on.

=C2=A0

NEW

=C2=A0

=C2=A0 =C2=A0o=C2=A0 An option = SHOULD NOT be dependent upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.= e., options can be processed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option = SHOULD NOT affect the parsing or interpretation of any=

=C2=A0 =C2=A0 =C2=A0 other opti= on.

=C2=A0

There are rare cases were the p= arsing of one option affects the parsing

or the interpretation of other = option. Option related to security may

fall into this category. Typica= lly, if an option enables the

authentication of another optio= n and the authentication does not

succeed, the authenticated opti= on MUST NOT be processed. Other options

may be designed in the future.= =C2=A0=C2=A0

=C2=A0

NEW

Security Consideration

=C2=A0

Geneve Overlay may be secured u= sing by protecting the NVE-to-NVE

communication using IPsec or DT= LS. However, such mechanisms cannot be

applied for deployments that in= clude transit devices.=C2=A0

=C2=A0

Some deployment may not be able= to secure the full communication using

IPsec or DTLS between the NVEs.= This could be motivated by the presence

of transit devices or by a risk= analysis that concludes that the Geneve

packet be only partially protec= ted - typically reduced to the Geneve

Header information. In such cas= es Geneve specific mechanisms needs to be

designed.=C2=A0

=C2=A0

For a complete threat analysis,= a security analysis of Geneve or some

guide lines to secure a Geneve = overlay network, please refer to

[draft-mglt-nvo3-geneve-securit= y-requirements] as well as

[draft-ietf-nvo3-security-requi= rements].

=C2=A0

For full disclosure I am a co-a= uthor of

draft-mglt-nvo3-geneve-security= -requirement. However the reason for

referring to these documents is= motivated by the fact that I believe

these analysis provide a better= security analysis than the current (OLD)

security consideration section.= =C2=A0

=C2=A0

Yours,=C2=A0

Daniel

=C2=A0

=C2=A0

Hi Daniel<= /p>

=C2=A0

Thanks for reviewing the latest= version. At this stage it would be helpful if you could be much more concr= ete and give specifics.

=C2=A0

I think that the main issue is = whether the design of Geneve prevents future security extensions.=

=C2=A0

However, in [1], you stated tha= t you were comfortable with the text if nothing else could be found.

=C2=A0

What specifically do you want t= o change in the following, bearing in mind that there are already claimed i= mplementations of Geneve:

"""

=C2=A0 =C2=A0o=C2=A0 An option = SHOULD NOT be dependent upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.= e., options can be processed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option = MUST NOT affect the parsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other opti= on.

"""

=C2=A0

=C2=A0

Matthew

=C2=A0

=C2=A0

From: Daniel Migault <daniel.migau= lt@ericsson.com>
Date: Friday, 1 March 2019 at 03:06
To: Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>
Cc: "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, N= VO3 <nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" <d= raft-ietf-nvo3-geneve@ietf.org>
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-i= etf-nvo3-geneve-08.txt

=C2=A0

Hi,=C2=A0<= /p>

=C2=A0

I just briefly went through the= document quickly and in my opinion, the document still faces some security= issues.

=C2=A0

The current text (in my opinion= ) prevents any geneve security related

options. Currently Geneve canno= t be secured and this prevents future

work to eventually secure Genev= e. In my opinion the current text

mandates Geneve to remain unsec= ure.=C2=A0

=C2=A0

Geneve security option that are= willing to authenticate/encrypt a part

of the Geneve Header will affec= t the parsing of the protected option and

will affect the order in which = option needs to be process. Typically a

protected option (authenticated= , encrypted) cannot or should not be

processed before authenticated = or decrypted.=C2=A0

=C2=A0

This has already been mentioned= in [1], and the text needs in my opinion

further clarifications.=C2=A0= =C2=A0

=C2=A0

"""

=C2=A0 =C2=A0o=C2=A0 An option = SHOULD NOT be dependent upon any other option in the

=C2=A0 =C2=A0 =C2=A0 packet, i.= e., options can be processed independent of one another.

=C2=A0 =C2=A0 =C2=A0 An option = MUST NOT affect the parsing or interpretation of any

=C2=A0 =C2=A0 =C2=A0 other opti= on.

"""

=C2=A0

=C2=A0

=C2=A0

As stated in [2] it remains unc= lear to me why this section is not

referencing and leveraging on t= he security analysis [3-4] performed by

two different independent teams= ..=C2=A0

=C2=A0

My reading of the security cons= ideration is that the message is that

IPsec or TLS could be used to p= rotect a geneve overlay network. This is

- in my opinion- not correct as= this does not consider the transit

device. In addition, the securi= ty consideration only considers the case

where the cloud provider and th= e overlay network provider are a single

entity, which I believe oversim= plifies the problem.=C2=A0

=C2=A0

The threat model seems to me ve= ry vague, so the current security

consideration is limited to sol= ving a problem that is not stated.=C2=A0

=C2=A0

My reading of the text indicate= s the tenant can handle by itself the

confidentiality of its informat= ion without necessarily relying on the

overlay service provider. This = is not correct. Even when the tenant uses

IPsec/TLS, it still leaks some = information. The current text contradicts

[3] section 6.2 and [4] section= 5.1.

=C2=A0

My reading is that the text ind= icates that IPsec/DTLS could be used to

protect the overlay service for= both confidentiality and integrity.

While this could be used in som= e deployment this is not compatible with

transit devices. As such the ge= neric statement is not correct. Section

6.4 indicates that transit devi= ce must be trusted which is incorrect.

Instead the transit device with= all nodes between the transit device and

the NVE needs to be trusted.=C2= =A0 Overall the impression provided is that

IPsec (or TLS) can be used by t= he service overlay provider, which is (in

my opinion) not true.=C2=A0

=C2=A0

It is unclear to me how authent= ication of NVE peers differs from the

authentication communication as= the latest usually rely on the first.

Maybe the section should insist= on mutual authentication.=C2=A0=C2=A0

=C2=A0

Yours,=C2=A0

Daniel

=C2=A0

=C2=A0

=C2=A0

=C2=A0

=C2=A0

=C2=A0

=C2=A0

On Wed, Feb 27, 2019 at 7:30 PM= Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org> wrote:=

I am not aware of any IP related to draft-ietf-nvo3-= geneve which has not already been disclosed.

=C2=A0

Thanks

Pankaj

=C2=A0

From: Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.c= om>
Sent: Tuesday, October 9, 2018 2:08 AM
To: NVO3 <nvo3= @ietf.org>
Cc: draft-ietf-nvo3-geneve@ietf.org
Subject: Working Group Last Call and IPR Poll for draft-ietf-nvo3-ge= neve-08.txt

=C2=A0

This email begins a two-week wo= rking group last call for draft-ietf-nvo3-geneve-08.txt.

=C2=A0

Please review the draft and pos= t any comments to the NVO3 working group list. If you have read the latest = version of the draft but have no comments and believe it is ready for publication as a standards track RFC, please also indicate= so to the WG email list.

=C2=A0

We are also polling for knowled= ge of any undisclosed IPR that applies to this document, to ensure that IPR= has been disclosed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details).

If you are listed as an Author = or a Contributor of this document, please respond to this email and indicat= e whether or not you are aware of any relevant undisclosed IPR. The Document won't progress without answers from all the Authors = and Contributors.

=C2=A0

Currently there are two IPR dis= closures against this document.

=C2=A0

If you are not listed as an Aut= hor or a Contributor, then please explicitly respond only if you are aware = of any IPR that has not yet been disclosed in conformance with IETF rules.

=C2=A0

This poll will run until Friday= 26th October.

=C2=A0

Regards

=C2=A0

Matthew and Sam

_______________________________= ________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________= ________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
--0000000000008112cf0585926d06-- From nobody Tue Apr 2 14:07:11 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E360312003E for ; Tue, 2 Apr 2019 14:07:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.647 X-Spam-Level: X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1rJJqQN5DsB for ; Tue, 2 Apr 2019 14:07:06 -0700 (PDT) Received: from mail-lf1-f53.google.com (mail-lf1-f53.google.com [209.85.167.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EF30120077 for ; Tue, 2 Apr 2019 14:07:06 -0700 (PDT) Received: by mail-lf1-f53.google.com with SMTP id b7so10054370lfg.9 for ; Tue, 02 Apr 2019 14:07:06 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FzK07VQEVVkAb22CKCMJlk0W5gIshZ98iIbTecK+2W4=; b=l106zdooB20xPIE4J/Y4IlJtMQU72X0IUkl7HkeDtmDNRaCjaCpem0otpMwiXxoMd0 6V6szUSduRsxBRr566CzzFuc353LAltdYRM9YyXaL9nyEV/5yS/JR41g1aKXLli9jP5b dXnDPR35VgSnxSloTkJknp1wLc2BV3q2pwqkVFkvFh1bRjtEcU2ZPQUGVRN/U0VDXazw j4k75AO0sR6exd1ojk92sRtTWPAqxmBfAKIgBVrevzulW7jrfhp3KWT2N/VdsR3A/o6o uH3TlV8AQO6VwpYjFTLZeHAe7ldoC3QEhkkGrU7N4vtVqs0mLJe/EqB+DksIQe0bAcHF xgQw== X-Gm-Message-State: APjAAAVSjBGOEe4AxUhxumejzZmaWzdK8FO/2/8EG9nuck49bOZNDVor Q8aF+x/lUMM0Z1HVM99VickHJwPl/2XddAwBgoE= X-Google-Smtp-Source: APXvYqzYW4kQ51lhBWDHhNmdS0+EPicfMvk1Cts3kMGVi3Owz+8KZJoAum7kuo/9KpnDvf85qRbcNs0dZOR/35ymcgQ= X-Received: by 2002:ac2:5b49:: with SMTP id i9mr30106125lfp.75.1554239224436; Tue, 02 Apr 2019 14:07:04 -0700 (PDT) MIME-Version: 1.0 References: <155140820316.28736.16220301811782333020.idtracker@ietfa.amsl.com> In-Reply-To: From: Daniel Migault Date: Tue, 2 Apr 2019 17:06:53 -0400 Message-ID: To: "Ganga, Ilango S" Cc: "nvo3@ietf.org" Content-Type: multipart/alternative; boundary="000000000000de5d0e058592844f" Archived-At: Subject: Re: [nvo3] New Version Notification for draft-mglt-nvo3-geneve-security-requirements-06.txt X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 21:07:09 -0000 --000000000000de5d0e058592844f Content-Type: text/plain; charset="UTF-8" Hi Ilango, I would appreciate that you go through the requirements mostly the SEC-GEN of the latest version and let us know your concerns. I believe that would be also helpful to understand what it seems I am missing regarding the transit devices. If I remember correctly, the need to protect Geneve Options for transit devices has been stated to the mike. Yours, Daniel On Mon, Mar 11, 2019 at 2:42 AM Daniel Migault wrote: > Hi Illango, > > Though we would appreciate your comment on the new version. We would also > appreciate you go through the issues [1] we opened and answered based on > your previous comments. More specifically, in case the issue has not been > addressed, we would be able to keep the discussion based on the provided > responses rather than re-opening parallel issues. We believe that would be > beneficial to reach consensus. > > Yours, > Daniel > > > [1] https://github.com/mglt/draft-mglt-nvo3-geneve-security-requirements > /issues > > > On Sat, Mar 2, 2019 at 10:29 PM Ganga, Ilango S > wrote: > >> Hi Daniel, >> >> I quickly glanced through the document, the draft still makes assumptions >> and imposes requirements that is unsupported by Geneve architecture. We had >> provided this input on the previous draft version. However this is still >> maintained in this version. The new draft was posted 2 days ago, I will >> review the document in detail and provide my feedback. >> >> Regards, >> Ilango >> >> >> >> -----Original Message----- >> From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Daniel Migault >> Sent: Thursday, February 28, 2019 6:48 PM >> To: nvo3@ietf.org >> Subject: [nvo3] FW: New Version Notification for >> draft-mglt-nvo3-geneve-security-requirements-06.txt >> >> Hi, >> >> Please find an update of the draft. We considered the feed back received >> during the meeting in Bangkok as well as the comments from Magnus. >> >> So far no issue has been raised that could prevent the draft from being >> adopted, and we believe the draft can be adopted. >> >> Yours, >> Daniel >> >> -----Original Message----- >> From: internet-drafts@ietf.org >> Sent: Thursday, February 28, 2019 9:43 PM >> To: Sami Boutros ; Dan Wings ; Dan >> Wing ; Daniel Migault ; >> Suresh Krishnan >> Subject: New Version Notification for >> draft-mglt-nvo3-geneve-security-requirements-06.txt >> >> >> A new version of I-D, draft-mglt-nvo3-geneve-security-requirements-06.txt >> has been successfully submitted by Daniel Migault and posted to the IETF >> repository. >> >> Name: draft-mglt-nvo3-geneve-security-requirements >> Revision: 06 >> Title: Geneve Security Requirements >> Document date: 2019-02-28 >> Group: Individual Submission >> Pages: 26 >> URL: >> https://www.ietf.org/internet-drafts/draft-mglt-nvo3-geneve-security-requirements-06.txt >> Status: >> https://datatracker.ietf.org/doc/draft-mglt-nvo3-geneve-security-requirements/ >> Htmlized: >> https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-06 >> Htmlized: >> https://datatracker.ietf.org/doc/html/draft-mglt-nvo3-geneve-security-requirements >> Diff: >> https://www.ietf.org/rfcdiff?url2=draft-mglt-nvo3-geneve-security-requirements-06 >> >> Abstract: >> The document defines the security requirements to protect tenants >> overlay traffic against security threats from the NVO3 network >> components that are interconnected with tunnels implemented using >> Generic Network Virtualization Encapsulation (Geneve). >> >> The document provides two sets of security requirements: 1. >> requirements to evaluate the data plane security of a given >> deployment of Geneve overlay. Such requirements are intended to >> Geneve overlay provider to evaluate a given deployment. >> 2. requirement a security mechanism need to fulfill to secure any >> deployment of Geneve overlay deployment >> >> >> >> >> Please note that it may take a couple of minutes from the time of >> submission until the htmlized version and diff are available at >> tools.ietf.org. >> >> The IETF Secretariat >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> > --000000000000de5d0e058592844f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Ilango,=C2=A0

I would appreciate tha= t you go through the requirements mostly the SEC-GEN of the latest version = and let us know your concerns. I believe that would be also helpful to unde= rstand what it seems I am missing regarding the transit devices. If I remem= ber correctly, the need to protect Geneve Options for transit devices has b= een stated to the mike.=C2=A0

Yours,=C2=A0
Daniel=C2=A0=C2=A0=C2=A0

On Mon, Mar 11, 2019 at 2:42 AM Daniel Mig= ault <daniel.migault@eric= sson.com> wrote:
Hi Illango,=C2=A0

<= div>Though we would appreciate your comment on the new version. We would al= so appreciate you go through the issues [1] we opened and answered based on= your previous comments. More specifically, in case the issue has not been = addressed, we would be able to keep the discussion based on the provided re= sponses rather than re-opening parallel issues. We believe that would be be= neficial to reach consensus.

Yours,=C2=A0
Daniel=C2=A0



On Sat, Mar 2, 2019 at 10:29 P= M Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:
Hi Daniel,

I quickly glanced through the document, the draft still makes assumptions a= nd imposes requirements that is unsupported by Geneve architecture. We had = provided this input on the previous draft version. However this is still ma= intained in this version. The new draft was posted 2 days ago, I will revie= w the document in detail and provide my feedback.

Regards,
Ilango



-----Original Message-----
From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Daniel Migault
Sent: Thursday, February 28, 2019 6:48 PM
To: nvo3@ietf.org Subject: [nvo3] FW: New Version Notification for draft-mglt-nvo3-geneve-sec= urity-requirements-06.txt

Hi,

Please find an update of the draft. We considered the feed back received du= ring the meeting in Bangkok as well as the comments from Magnus.

So far no issue has been raised that could prevent the draft from being ado= pted, and we believe the draft can be adopted.

Yours,
Daniel

-----Original Message-----
From: interne= t-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Thursday, February 28, 2019 9:43 PM
To: Sami Boutros <boutros@vmware.com>; Dan Wings <dwing@vmware.com>; Dan Wing <dwing@vmware.com>; Daniel M= igault <daniel.migault@ericsson.com>; Suresh Krishnan <suresh@kaloom.com>
Subject: New Version Notification for draft-mglt-nvo3-geneve-security-requi= rements-06.txt


A new version of I-D, draft-mglt-nvo3-geneve-security-requirements-06.txt has been successfully submitted by Daniel Migault and posted to the IETF re= pository.

Name:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0draft-mglt-nvo3-geneve-securi= ty-requirements
Revision:=C2=A0 =C2=A0 =C2=A0 =C2=A006
Title:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Geneve Security Requirements
Document date:=C2=A0 2019-02-28
Group:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Individual Submission
Pages:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 26
URL:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 https://www.ietf.org/internet-drafts/draf= t-mglt-nvo3-geneve-security-requirements-06.txt
Status:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0https://datatracker.ietf.org/doc/draft-mglt-nvo3-geneve-= security-requirements/
Htmlized:=C2=A0 =C2=A0 =C2=A0 =C2=A0https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-req= uirements-06
Htmlized:=C2=A0 =C2=A0 =C2=A0 =C2=A0https://datatracker.ietf.org/doc/html/draft-mglt-nvo3-gen= eve-security-requirements
Diff:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0https://www.ietf.org/rfcdiff?url2=3Ddraft-mglt= -nvo3-geneve-security-requirements-06

Abstract:
=C2=A0 =C2=A0The document defines the security requirements to protect tena= nts
=C2=A0 =C2=A0overlay traffic against security threats from the NVO3 network=
=C2=A0 =C2=A0components that are interconnected with tunnels implemented us= ing
=C2=A0 =C2=A0Generic Network Virtualization Encapsulation (Geneve).

=C2=A0 =C2=A0The document provides two sets of security requirements: 1. =C2=A0 =C2=A0requirements to evaluate the data plane security of a given =C2=A0 =C2=A0deployment of Geneve overlay.=C2=A0 Such requirements are inte= nded to
=C2=A0 =C2=A0Geneve overlay provider to evaluate a given deployment.
=C2=A0 =C2=A02. requirement a security mechanism need to fulfill to secure = any
=C2=A0 =C2=A0deployment of Geneve overlay deployment




Please note that it may take a couple of minutes from the time of submissio= n until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
--000000000000de5d0e058592844f-- From nobody Tue Apr 2 19:45:46 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33AD6120446 for ; Tue, 2 Apr 2019 19:45:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.001 X-Spam-Level: X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kernel.org Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YVD-DUutjmAa for ; Tue, 2 Apr 2019 19:45:39 -0700 (PDT) Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9207412044D for ; Tue, 2 Apr 2019 19:45:39 -0700 (PDT) Received: from mail-qt1-f179.google.com (mail-qt1-f179.google.com [209.85.160.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9C0CE2146E for ; Wed, 3 Apr 2019 02:45:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1554259538; bh=9NBmp4PS+o7c/Ghqv99u7RadMrySZC7iayhzB/FI6fg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=LhXfLl+Jksjq/+8wcuVarwYPirDfapWzA4clom7MDX0C7AKCZLytG9AIse3++TtRS jGQ1B2rPYy1KwHEIjOFX8AccmYe0YgxYOJaBgPO2zgURq6LukXluPzK/azLr42c3ha wIft/7xwqEVvYGQS8FR0EN+USKWzo0ppMHh3S4Ag= Received: by mail-qt1-f179.google.com with SMTP id k14so17879794qtb.0 for ; Tue, 02 Apr 2019 19:45:38 -0700 (PDT) X-Gm-Message-State: APjAAAXpLPeTrZ+J+ongB5Vs1L1fZSGZSOf0rtggN5eFeeSwXTxE+4WB 2lqatlsKUArdjh0t7b8mXxHDUfaj5E6hh6bdIy7ldQ== X-Google-Smtp-Source: APXvYqzWQWplPR5IDmxGXZOocxxd0gBDem48OSfiqVsag1OmVp03DYKqlH4T8/hStpsw+NF/njm2EQqsxXMxBY0fTFk= X-Received: by 2002:ac8:4815:: with SMTP id g21mr38071095qtq.48.1554259537575; Tue, 02 Apr 2019 19:45:37 -0700 (PDT) MIME-Version: 1.0 References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> In-Reply-To: From: Jesse Gross Date: Tue, 2 Apr 2019 19:45:26 -0700 X-Gmail-Original-Message-ID: Message-ID: To: Daniel Migault Cc: "Ganga, Ilango S" , NVO3 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - transit devices X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 02:45:45 -0000 Daniel, Speaking as a member of the working group rather than as a coauthor, I think there is confusion about the NVO3 architecture that is independent of Geneve. Transit devices are not middle boxes. They are routers and switches, used to move packets between endpoints in an L3 network. This is fundamental to the NVO3 architecture and to remove them is not possible. What would be possible is to remove mention of them from the protocol document. However, transit devices would continue to exist and would still be able to read unencrypted packets. Again, there is no getting around this. The only way to prevent transit devices from interacting with packets at the encapsulation layer and above is through the use of end-to-end encryption. What the Geneve draft does do is provide guidelines for how these transit devices should behave to ensure that they are good citizens. For example, routers today look into packets beyond the IP header and it's likely that this will continue when encapsulation is in use. The Geneve draft specifies that if they do this, they must not drop or slow path packets even if they encounter unknown options. Describing this behavior is not incoherence in the architecture - it is a method of ensuring that the protocol remains flexible for end-to-end users. Jesse On Tue, Apr 2, 2019 at 1:57 PM Daniel Migault wrote: > > Hi Ilango, > > Thanks for the response. The use case of ECMP to justify transit devices > does not seem - to my understanding aligned with RFC6438 which indicates > TLV is inconvenient for ECMP or LAG, and that flow label should be used > instead. > In addition, the problem of ossification by transit devices is not he > ability to bypass DTLS traffic, but rather the ability to detect a > packet is a Geneve packet. > > Unless I misunderstood the use case, it does not seem sufficient (at > least to me) to balance the complexity introduced by transit devices, > i.e. negotiation with middle boxes, protocol ossification, incoherence > in the architecture. I would be happy to hear what the WG thinks about > it. > > Following the analogy with IPv6 to determine what options could be used > by transit devices, RFC4306 lists hop-by-hop, routing, and fragmentation > extension headers. RFC 2460 seems to limit that to hop-by-hops. From > hop-by-hop options I do not see equivalence for transit devices with > padding, jumbo or router alert options [1] > > Yours, > Daniel > > [1] https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtm= l > > > > On Wed, Mar 27, 2019 at 9:35 PM Ganga, Ilango S wrote: >> >> Hi Daniel, >> >> >> >> Here is a specific example use case: >> >> A router (transit device) could use information in the Geneve header for= ECMP purposes. For example, an option could carry flow context and the rou= ter may look at Geneve header information, such as VNI and/or flow context = (Flow ID) in an option or may skip over the options and use information in = payload for ECMP purposes. However if the NVEs decide to secure the packet= with for example DTLS, in this case, the transit devices will forward pack= ets as any other UDP packets. It is not a requirement that transit devices = must see Geneve header information for its normal operation; if a transit d= evice cannot view or interpret Geneve headers then it simply forwards like = any other IP or UDP packets. >> >> >> >> This is very similar to how currently routers look into the IP payload i= nformation like TCP/UDP port numbers for flow entropy purposes. If the pack= ets are encrypted, then routers don=E2=80=99t have visibility into the TCP/= UDP port numbers and simply forward based on outer header information. >> >> >> >> Thanks, >> >> Ilango >> >> >> >> >> >> From: Daniel Migault [mailto:daniel.migault@ericsson.com] >> Sent: Wednesday, March 27, 2019 11:38 AM >> To: Ganga, Ilango S >> Cc: NVO3 >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-= nvo3-geneve-08.txt - transit devices >> >> >> >> Hi Illango, >> >> >> >> Unless i am missing something, I am unclear how the text you provide ans= wers the questions/concerns, so perhaps you could elaborate and maybe be a = bit more specific. >> >> >> >> My first concern was the use case you envision transit devices. The tran= sit device are supposed to read some Geneve options and process them. I exp= ected you provided some example of options as well as some processing. >> >> >> >> My second concern was how the draft version 12 addresses a concrete depl= oyment. As a reminder here is the scenario mentioned is below. The question= is how the draft secures such a deployment. >> >> >> >> The basic scenario could be a Geneve deployment that processes options >> >> O_i ( i in [1,,n]) in the NVE and that process option P_j [1, m] in the >> >> Transit devices. While unprotected O_i and P_j are processed. Securing >> >> the deployment with DTLS prevents options P_j to be processed. >> >> >> >> Yours, >> >> Daniel >> >> >> >> On Wed, Mar 27, 2019 at 2:11 PM Ganga, Ilango S wrote: >> >> Hi Daniel, >> >> >> >> We will try to explain the transit devices and example use cases again. = Hopefully this clarifies your question. >> >> >> >> >The transit devices seems to me problematic, but maybe I am not really >> >> >catching what is their intent. I might be helpful if you could provide >> >> >some behaviour the transit devices is expected to implement. Typically >> >> >what are the use cases for these transit devices? >> >> Transit devices exist in the underlay network, these are simply forwardi= ng elements (e.g. switches, routers) that generally forward packets based o= n outer header information, there is nothing that stops such devices from r= eading or interpreting the contents. At present, this works with any trans= port protocols (encapsulated or non-encapsulated), for example, IP, IP in I= P, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc. For example, routers (transit= device) may look at headers and/or inner payload for ECMP purposes or for = statistics or logging purposes. If the packet is encrypted then such transi= t devices cannot look into the packets but would simply forward based on th= e outer headers and use information in outer headers for entropy. There is = no interoperability issue between the endpoints. Geneve is no different. >> >> Recognizing the fact that such a device will exist in the network, Genev= e draft provides guidance on how to handle Geneve headers (if a device has = the option to do so). Geneve options are part of Geneve header, a transit = device that is capable of interpreting Geneve headers may interpret an opti= on or skip over the option to view the payload, etc. If a transit device i= s either unable to, or does not need to interpret the Geneve header (which = may or may not include options), it simply uses the outer header to forward= the packet (outer IP/UDP). This is what the Geneve draft clarifies. >> >> These guidelines reduce possible interoperability issues compared to if = behavior was left undefined. For example, transit devices are not allowed t= o drop packets or fall back to a slow path on the basis of an unknown optio= n. If this were to happen, it would hamper the introduction of new options. >> >> Thanks, >> >> Ilango >> >> >> >> >> >> From: Daniel Migault [mailto:daniel.migault@ericsson.com] >> Sent: Wednesday, March 20, 2019 1:58 PM >> To: Ganga, Ilango S >> Cc: NVO3 >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-= nvo3-geneve-08.txt - transit devices >> >> >> >> Hi, >> >> >> >> I am looking at the version 12 and see how it address my concern, >> >> regarding the transit devices and the compatibility with end to end >> >> security. Could you please point out how the text address this concern ? >> >> >> >> The basic scenario could be a Geneve deployment that processes options >> >> O_i ( i in [1,,n]) in the NVE and that process option P_j [1, m] in the >> >> Transit devices. While unprotected O_i and P_j are processed. Securing >> >> the deployment with DTLS prevents options P_j to be processed. I am >> >> unclear how the version 12 address this concern. >> >> >> >> The transit devices seems to me problematic, but maybe I am not really >> >> catching what is their intent. I might be helpful if you could provide >> >> some behaviour the transit devices is expected to implement. Typically >> >> what are the use cases for these transit devices? >> >> >> >> >> >> Transit devices exist in the underlay network, these are simply forwardi= ng elements (e.g. switches, routers) that generally forwards packets based = on outer header information, there is nothing that stops such devices from = reading or interpreting the contents. At present, this works with any tran= sport protocols (encapsulated or non-encapsulated), for example, IP, IP in = IP, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc. For example, routers may loo= k at headers and/or inner payload for ECMP purposes or for statistics or lo= gging purposes. If the packet is encrypted then such transit devices cannot= look into the packets but would simply forward based on the outer headers = and use information in outer headers for entropy. There is no interoperabil= ity issue between the endpoints. Geneve is no different. >> >> Recognizing the fact that such a device will exist in the network, Genev= e draft provides guidance on how to handle Geneve headers (if a device has = the option to do so). Geneve options are part of Geneve header, a transit = device that is capable of interpreting Geneve headers may interpret an opti= on or skip over the option to view the payload, etc. If a transit device i= s either unable to, or don=E2=80=99t have the option to interpret the heade= r or option, it simply uses the outer header to forward the packet (outer I= P/UDP). This is what the Geneve draft clarifies. >> >> These guidelines reduce possible interoperability issues compared to if = behavior was left undefined. For example, transit devices are not allowed t= o drop packets or fall back to a slow path on the basis of an unknown optio= n. If this were to happen, it would hamper the introduction of new options. >> >> It might also be worth mentioning that anything that could be considered= a middlebox is not a transit device but needs to be modeled as an endpoint= . For example, if a middle box has a need to see an encrypted packet, then = it has to implement tunnel endpoint functionality. >> >> >> >> >> >> Yours, >> >> Daniel >> >> >> >> >> >> On Mon, Mar 11, 2019 at 7:20 PM Ganga, Ilango S wrote: >> >> Hi Daniel, >> >> >> >> We posted a new version of the draft that we believe addresses your comm= ent on options processing. >> >> We have already provided clarification on the role transit devices as no= ted in this thread below. >> >> >> >> Thanks, >> Ilango >> >> >> >> >> >> From: Daniel Migault [mailto:daniel.migault@ericsson.com] >> Sent: Friday, March 8, 2019 6:51 PM >> To: Ganga, Ilango S >> Cc: NVO3 >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-= nvo3-geneve-08.txt - transit devices >> >> >> >> Hi, >> >> >> >> Thanks for the comment. Let me first recap my perception of the >> >> discussion. My comment was that end-to-end security (IPsec, DTLS) does >> >> not apply to Geneve with transit device. Your previous response was that >> >> Geneve was an end-to-end protocol since transit device are optional. My >> >> response was that an architecture that defines elements even optional >> >> that interfere between the two end points contradicts the status of >> >> end-to-end protocol. At that time my understanding was that the >> >> specification was targeting an end-to-end protocol, with transit devices >> >> with very limited capabilities. Thus I proposed to removed the transit >> >> devices from the architecture. These would have been a great step toward= a >> >> end-to-end architecture. However, from the current response, it >> >> seems that transit device play an important part in the architecture, an= d >> >> we are moving backward from the end-to-end protocol. As >> >> a result, there is - in my opinion to make a coherent choice to make >> >> between Geneve architecture and the security associated. This is >> >> currently very unclear and contradicting - at least to me reading of the >> >> geneve specification and the responses I receive to my comments.. >> >> >> >> My understanding of your latest response - and please correct me >> >> if I am wrong - is that transport protocols like IP, >> >> IP in IP, GRE or VXLAN among others are used to an architecture with >> >> transit nodes. These latter examples show that end-to-end security is >> >> incompatible with Geneve and that security in Geneve MUST be handled >> >> using options. In addition, these examples seems - up to my >> >> understanding - to challenge the optional status of the transit device >> >> as well as their ability to read-only does not always seems realistic. >> >> >> >> Overall, my impression is that Genve is not an end-to-end protocol, >> >> end-to-end security protocols such as DTLS or IPsec do not apply >> >> realistically. The alternative approach of using option is also >> >> compromised by the current specification of Geneve as well as by >> >> security documents being opposed. Geneve seems mandated to be unsecured. >> >> >> >> >> >> IP is the first protocol you cite. IP enables end-to-end security with >> >> IPsec. However there are a few major difference between IPsec and secure >> >> Geneve communications. >> >> 1. - IPsec leave in clear the information that >> >> need to be read in transit. This is not the case with Geneve over DTLS >> >> or IPsec as even the Geneve Header is encrypted. If we want this >> >> information to be accessible to transit device security must be handled >> >> by geneve security option in order to leave the header in clear text. >> >> 2. IPsec/ESP versus IPsec/AH clearly shows that transit elements do = not >> >> restrict from reading the options. As a result, the transit device are >> >> likely to evolve and become more active in the future. As a result, the >> >> security MUST consider this in early stage and I do not see that met. >> >> >> >> >> >> Yours, >> >> Daniel >> >> >> >> On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S wrote: >> >> Hi Daniel, >> >> >> >> Please see my responses inline below. >> >> >> >> Thanks, >> >> Ilango >> >> >> >> >> >> From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Daniel Migault >> Sent: Monday, March 4, 2019 9:15 AM >> To: Ganga, Ilango S >> Cc: nvo3@ietf.org >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-= nvo3-geneve-08.txt >> >> >> >> Hi Ilango, >> >> >> >> Thanks for the response. Please see a concrete example to illustrate my = concern >> >> for comment 1. For comment 2, it really helped you indicated that Geneve= is expected >> >> to be an end-to-end protocol. This will help me update the security requ= irement >> >> document. However, the current Geneve specification with transit devices= seems - >> >> at least to me - to raise an architecture concern as raised in [1]. >> >> >> >> -- comment 1: >> >> >> >> Thanks for the feed back. I understand the purpose of keeping option >> >> independent one from each other, and favour this is strongly recommended= . >> >> However, I am not convinced this applies always. More specifically, in a >> >> context of security, the purpose of a security option may be related to >> >> another option. Typically, a security option providing authentication or >> >> encryption is potentially authenticating/encryption another option or >> >> other information contained in the header. >> >> >> >> The typical scenario I have in mind would be an authentication option A >> >> authenticating option O. There will clearly some dependencies between A >> >> and O as O could only be used if A has been primarily been validated. >> >> The current statement "SHOULD NOT be dependent" enables this. However, I >> >> have concerns regarding the statement "MUST NOT affect the parsing or >> >> interpretation". In fact, the output of A, will determine if O should be >> >> dropped or processed normally. In case A shows O is not appropriately >> >> authenticated, O might be rejected based on its C value. The ambiguity I >> >> see is that A can be understood as affecting the parsing and >> >> interpretation of O or as a pre-processing operation before parsing or >> >> interpretation of O. >> >> >> >> I think, the text needs further clarifications to remove such ambiguity. >> >> Changing MUST NOT by SHOULD NOT was of course only one proposition and >> >> this could be also addressed otherwise. It might be better, I agree, to >> >> explicitly mention that some options may provide condition on the >> >> parsing of the options. This would leave the parsing of the options unch= anged. >> >> >> >> >> >> If I understand your example correctly, you want to have one option auth= enticate the contents of another option and if that authentication fails, d= rop the option. This would not drop the entire packet unless that option is= critical. Can you give a use case for this? This seems unusual and not som= ething that is supported by other security protocols such as IPsec or TLS t= o the best of our knowledge. >> >> >> >> I believe a more common outcome of a failed authentication is that the e= ntire packet would be dropped. As previously noted, the current text does n= ot preclude this. It seems like going beyond this would result in significa= nt complexity, both for processing options in this specific case as well as= the possibility of introducing ambiguity in how other options might be def= ined or processed as an unintended consequence. Without a strong use case, = this does not seem desirable. >> >> >> >> >> >> -- comment 2: >> >> >> >> Thanks for the response that clarifies a bit my understanding of the >> >> transit devices.. I believe the issue I have is related to the transit >> >> devices which I do not see, unless I am wrong, meeting the requirements >> >> for being OPTIONAL and that seems - at least to me - contradicting the >> >> status of end-to-end protocol. As suggested in [1], transit devices seem= to raise >> >> architectural concerns that is not needed. >> >> >> >> You are correct that the text is clear that transit devices are >> >> OPTIONAL. However, my understanding of OPTIONAL from 2119 is that there >> >> are two sides of it. One is that a vendor may implement it or not, but >> >> the other side is that interoperability with other implementations are >> >> not affected. In this case, two Geneve endpoints using TLS or IPsec will >> >> not be able to interoperate with an implementation based on transit >> >> devices (unless the process being performed by the transit devices is >> >> also performed by the NVE). In that sense, I believe OPTIONAL statement >> >> is not appropriated here. >> >> >> >> An implementation with transit devices seems to prevent the >> >> interoperability of with an implementation where options are treated >> >> by the NVE over a secure channel. If we suppose that NVE and >> >> transit devices support the same options, then transit devices are not >> >> necessary and could be removed from the specification. If options >> >> supported by transit devices are different from those supported by >> >> the NVE, interoperability will not be achieved. Transit device will not = be >> >> able to process the options, resulting in options will be ignored (while >> >> being supported by the implementation).. In addition, if the options >> >> are critical, the NVE is likely to drop the packet as it does not suppor= t >> >> the option. >> >> >> >> In addition, I have some hard time to understand the end-to-end model >> >> with a transit device even optional. I believe that end-to-end protocol >> >> is a good path, though. However, my understanding of end-to-end protocol >> >> is that they should only involve two end points. I see the NVE as end >> >> points but the optional transit device does not seems to be one of >> >> these. However, to help me understand better this, as it seems Geneve is >> >> similar to other end-to-end protocol, maybe you could provide similar >> >> end-to-end protocol that involves a transit devices or something similar= . >> >> >> >> I also have another clarification regarding transit device. I see these >> >> transit devices as adding a lot of complexity to the end-to-end model >> >> with little benefits. Typically, as far as I understand, they can only >> >> read an option. I am thus wondering whether we should not be better off >> >> removing them from the specification. This would end up with a clear >> >> end-to-end model. Reversely, I do not see anything preventing a vendor >> >> to implement them at least for unsecure deployments. Removing them >> >> from the specification would leave the transit devices as implementation >> >> specific. What are actually the benefits of the transit devices that wou= ld >> >> justify them to be part of the specification? >> >> >> >> >> >> Transit devices exists in the underlay network, these are simply forward= ing elements (e.g. switches, routers) that generally forwards packets based= on outer header information, there is nothing that stops such devices from= reading the contents if the data is in the clear. This works with any tra= nsport protocols like IP, IP in IP, GRE, VXLAN, etc. For example, routers = may look at headers and/or inner payload for ECMP purposes or for statistic= s or logging purposes. If the packet is encrypted then such transit devices= cannot look into the packets but would simply forward based on the outer h= eaders and use information in outer headers for entropy. There is no intero= perability issue between the endpoints. Geneve is no different. >> >> >> >> Recognizing the fact that such a device is anyway going to exist in the = network, Geneve draft provides guidance on how to handle Geneve headers (if= a device has the option to do so). Geneve options are part of Geneve head= er, a transit device that is capable of interpreting Geneve headers may int= erpret an option or skip over the option to view the payload, etc. If a tr= ansit device is not able interpret the header or option, it has to simply u= se the outer header to forward the packet (outer IP/UDP).. This is what the= Geneve draft clarifies. >> >> >> >> These guidelines reduce possible interoperability issues compared to if = behavior was left undefined. For example, transit devices are not allowed t= o drop packets or fall back to a slow path on the basis of an unknown optio= n. If this were to happen, it would hamper the introduction of new options.= It might also be worth mentioning that anything that could be considered a= middlebox is not a transit device but needs to be modeled as an endpoint a= nd so Geneve really should be viewed as a tunnel endpoint-to-endpoint proto= col. >> >> >> >> >> >> >> >> [1] https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdh= cs >> >> >> >> >> >> Yours, >> >> Daniel >> >> >> >> On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S wrote: >> >> Hi Daniel, >> >> >> >> Let us be specific. I see that you have two comments on the latest draft= -ietf-nvo3-geneve-09. Please see below for responses to your comments. >> >> >> >> Comment 1: >> >> OLD >> >> o An option SHOULD NOT be dependent upon any other option in the >> >> packet, i.e., options can be processed independent of one another. >> >> An option MUST NOT affect the parsing or interpretation of any >> >> other option. >> >> >> >> NEW >> >> >> >> o An option SHOULD NOT be dependent upon any other option in the >> >> packet, i.e., options can be processed independent of one another. >> >> An option SHOULD NOT affect the parsing or interpretation of any >> >> other option. >> >> >> >> >> >> Architecturally Geneve options can be processed independent of one anoth= er. The second statement clearly states that parsing or interpretation of o= ne option must not affect the other. This is a reasonable constraint to av= oid nested dependencies. Options can be designed to work with the requireme= nts specified in Geneve. >> >> >> >> Let us take specific examples: >> >> We could think of a design of a Header Integrity check option (related t= o your example). In this case if the header integrity check fails, as a res= ult the entire header is invalid and hence the most likely outcome of a fai= led check is that the packet being dropped (including any options in that p= acket whether parsed/interpreted or not). The current text does not preclud= e the packet being dropped as result of failure. >> >> >> >> It is possible to design options, including any security options, with t= hese constraints. We don=E2=80=99t see a reason to change this requirement= that may have unintended consequences. >> >> >> >> Comment 2: >> >> >> >> NEW >> >> Security Consideration >> >> >> >> Geneve Overlay may be secured using by protecting the NVE-to-NVE >> >> communication using IPsec or DTLS. However, such mechanisms cannot be >> >> applied for deployments that include transit devices... >> >> >> >> Some deployment may not be able to secure the full communication using >> >> IPsec or DTLS between the NVEs. This could be motivated by the presence >> >> of transit devices or by a risk analysis that concludes that the Geneve >> >> packet be only partially protected - typically reduced to the Geneve >> >> Header information. In such cases Geneve specific mechanisms needs to be >> >> designed. >> >> >> >> The challenge is, you are asking to impose requirements that is= not supported by Geneve architecture. Geneve has an optional feature where= transit devices may be able to interpret Geneve options. However this is n= ot a requirement for Geneve operation between tunnel end point to tunnel en= d point. We have tried make this very clear by adding clarifying text durin= g the last two revisions. If the Geneve packet is in the clear then transit= devices may be able to view the Genve header, options, and the payload. Ho= wever if the packet is encrypted then transit devices cannot view the packe= t contents. This is consistent with other transport protocols encrypting th= e packets. So we don=E2=80=99t see a reason why Geneve should be different. >> >> >> >> Geneve is an end to end protocol between tunnel endpoints and the NVEs d= ecide to secure (encrypt) the packets between tunnel endpoints. If a middle= box has a need to see an encrypted packet, then it has to implement tunnel= endpoint functionality. >> >> >> >> We already have text in 6.4 security consideration section that provides= clear guidance to the operators. >> >> >> >> So we don=E2=80=99t see a good reason to add the suggested text above. >> >> >> >> For a complete threat analysis, a security analysis of Geneve or some >> >> guide lines to secure a Geneve overlay network, please refer to >> >> [draft-mglt-nvo3-geneve-security-requirements] as well as >> >> [draft-ietf-nvo3-security-requirements]. >> >> >> >> >> >> The security requirements document makes certain assumptions that is un= supported by Geneve architecture. We have tried to clarify this multiple ti= mes, however you have still maintained this in the requirements document. S= o this needs to be addressed. Also the document is not yet adopted by the w= orking group. >> >> >> >> Moreover, Geneve security consideration section has been significantly e= nhanced to provide guidance to operators and to address the comments. So bo= th documents can progress independently. >> >> >> >> Thanks, >> >> Ilango >> >> >> >> >> >> From: Daniel Migault [mailto:daniel.migault@ericsson.com] >> Sent: Saturday, March 2, 2019 8:49 AM >> To: Bocci, Matthew (Nokia - GB) >> Cc: draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg ; NVO3 >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-= nvo3-geneve-08.txt >> >> >> >> Hi Matt, >> >> >> >> >> >> You are correct, this is at least not an regular process to have a >> >> standard track document being updated by an informational. I do not see >> >> either any requirements for having a WG status to become a reference, >> >> but that is something we could confirm with the RFC-editor. >> >> >> >> Back to the initial suggestion, I also believe the difficulties of updat= ing >> >> the Geneve specifications are far less complex than updating the >> >> implementation, and for that specific reason, it would be good we have a >> >> consensus on the security analyse. >> >> >> >> I agree that WG draft would be better, and RFC would be even better as >> >> we have seen WG document being stalled. I am confident we can make this >> >> happen or at least I do not see major issues. >> >> >> >> Yours, >> >> Daniel >> >> >> >> >> >> On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) wrote: >> >> WG, Daniel, >> >> >> >> Apologies but I mis-spoke on the suggestion for the security requirement= s to act as an update to the encapsulation RFC in future. This would be dif= ficult to do as it is informational. >> >> >> >> Nonetheless I think we should only be referencing a WG draft (at a minim= um) here. >> >> >> >> Matthew >> >> >> >> >> >> >> >> From: Dacheng Zhang on behalf of "Bocci, Matthew= (Nokia - GB)" >> Date: Friday, 1 March 2019 at 16:24 >> To: Daniel Migault >> Cc: "draft-ietf-nvo3-geneve@ietf.org" ,= Pankaj Garg , NVO3 >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-= nvo3-geneve-08.txt >> >> >> >> Daniel >> >> >> >> From a procedural perspective, referring to your draft creates a depende= ncy and that draft has not yet been adopted by the WG. The old Security req= uirements framework expired a couple of years ago and does not seem to be b= eing progressed. >> >> Maybe a better approach to allow progress, as long as the WG can agree t= o your text (if needed) to satisfy the concern that future security mechani= sms can be used, and that the evolving threat analysis is understood by imp= lementers and users of Geneve, would be to mark the Geneve security require= ments as an update to the geneve encapsulation RFC when it is published. >> >> >> >> Matthew >> >> >> >> From: Daniel Migault >> Date: Friday, 1 March 2019 at 16:11 >> To: "Bocci, Matthew (Nokia - GB)" >> Cc: Pankaj Garg , "draft-ietf-= nvo3-geneve@ietf.org" , NVO3 >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-= nvo3-geneve-08.txt >> >> >> >> Hi Matthew, >> >> >> >> I am happy to clarify and be more specific. However, despite your >> >> reading of [1] I think [1] clearly indicates the changes I expected as >> >> well as that these changes needs to be made. >> >> >> >> I believe the responsibility of not addressing an acknowledged issue is >> >> more on the side of people ignoring the issue then on the side of the >> >> one raising this issue. My impression is that this is the situation we >> >> are in. >> >> >> >> I agree that my initial comment saying "I am fine with the text if we do >> >> not find something better." might have been confusing and I apology for >> >> this. At the time of writing the initial comment I was not sure I was >> >> not missing something nor that the problem could not be solved here or >> >> somewhere else (in another section). My meaning behind those words were >> >> that I was open to the way the concerned could be addressed. However, - >> >> from my point of view - the text does not say the issue does not need to >> >> be solved which is the way it has been interpreted. In addition, I >> >> believe I have clarified this right away after the concern has been >> >> acknowledged and not addressed. As result, I do not think my comment >> >> could be reasonably read as the text is fine. >> >> >> >> Please fine the below the initial comment its response and the response >> >> to the response from [1]. >> >> >> >> """ >> >> In case we have a option providing authentication, such option >> >> may affect the interpretation of the other options. >> >> s/interpretation/ndependance may not be better.... I think what we want >> >> to say is that option MUST be able to be processed in any order or in >> >> parallel. I am fine with the text if we do not find something better. >> >> >> >> >> >> This is a good point, however we believe that this text >> >> captures the intent. >> >> >> >> The problem I have is that the current text prevents security >> >> options, so I guess some clarification should be brought to clarify the >> >> intent. >> >> """ >> >> >> >> If I had to suggest some text I would suggest the following - or >> >> something around the following lines. >> >> >> >> >> >> OLD >> >> o An option SHOULD NOT be dependent upon any other option in the >> >> packet, i.e., options can be processed independent of one another. >> >> An option MUST NOT affect the parsing or interpretation of any >> >> other option. >> >> >> >> NEW >> >> >> >> o An option SHOULD NOT be dependent upon any other option in the >> >> packet, i.e., options can be processed independent of one another. >> >> An option SHOULD NOT affect the parsing or interpretation of any >> >> other option. >> >> >> >> There are rare cases were the parsing of one option affects the parsing >> >> or the interpretation of other option. Option related to security may >> >> fall into this category. Typically, if an option enables the >> >> authentication of another option and the authentication does not >> >> succeed, the authenticated option MUST NOT be processed. Other options >> >> may be designed in the future. >> >> >> >> NEW >> >> Security Consideration >> >> >> >> Geneve Overlay may be secured using by protecting the NVE-to-NVE >> >> communication using IPsec or DTLS. However, such mechanisms cannot be >> >> applied for deployments that include transit devices. >> >> >> >> Some deployment may not be able to secure the full communication using >> >> IPsec or DTLS between the NVEs. This could be motivated by the presence >> >> of transit devices or by a risk analysis that concludes that the Geneve >> >> packet be only partially protected - typically reduced to the Geneve >> >> Header information. In such cases Geneve specific mechanisms needs to be >> >> designed. >> >> >> >> For a complete threat analysis, a security analysis of Geneve or some >> >> guide lines to secure a Geneve overlay network, please refer to >> >> [draft-mglt-nvo3-geneve-security-requirements] as well as >> >> [draft-ietf-nvo3-security-requirements]. >> >> >> >> For full disclosure I am a co-author of >> >> draft-mglt-nvo3-geneve-security-requirement. However the reason for >> >> referring to these documents is motivated by the fact that I believe >> >> these analysis provide a better security analysis than the current (OLD) >> >> security consideration section. >> >> >> >> Yours, >> >> Daniel >> >> >> >> >> >> On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) wrote: >> >> Hi Daniel >> >> >> >> Thanks for reviewing the latest version. At this stage it would be helpf= ul if you could be much more concrete and give specifics. >> >> >> >> I think that the main issue is whether the design of Geneve prevents fut= ure security extensions. >> >> >> >> However, in [1], you stated that you were comfortable with the text if n= othing else could be found. >> >> >> >> What specifically do you want to change in the following, bearing in min= d that there are already claimed implementations of Geneve: >> >> """ >> >> o An option SHOULD NOT be dependent upon any other option in the >> >> packet, i.e., options can be processed independent of one another. >> >> An option MUST NOT affect the parsing or interpretation of any >> >> other option. >> >> """ >> >> >> >> >> >> Matthew >> >> >> >> >> >> From: Daniel Migault >> Date: Friday, 1 March 2019 at 03:06 >> To: Pankaj Garg >> Cc: "Bocci, Matthew (Nokia - GB)" , NVO3 , "draft-ietf-nvo3-geneve@ietf.org" >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-= nvo3-geneve-08.txt >> >> >> >> Hi, >> >> >> >> I just briefly went through the document quickly and in my opinion, the = document still faces some security issues. >> >> >> >> The current text (in my opinion) prevents any geneve security related >> >> options. Currently Geneve cannot be secured and this prevents future >> >> work to eventually secure Geneve. In my opinion the current text >> >> mandates Geneve to remain unsecure. >> >> >> >> Geneve security option that are willing to authenticate/encrypt a part >> >> of the Geneve Header will affect the parsing of the protected option and >> >> will affect the order in which option needs to be process. Typically a >> >> protected option (authenticated, encrypted) cannot or should not be >> >> processed before authenticated or decrypted. >> >> >> >> This has already been mentioned in [1], and the text needs in my opinion >> >> further clarifications. >> >> >> >> """ >> >> o An option SHOULD NOT be dependent upon any other option in the >> >> packet, i.e., options can be processed independent of one another. >> >> An option MUST NOT affect the parsing or interpretation of any >> >> other option. >> >> """ >> >> >> >> >> >> >> >> As stated in [2] it remains unclear to me why this section is not >> >> referencing and leveraging on the security analysis [3-4] performed by >> >> two different independent teams... >> >> >> >> My reading of the security consideration is that the message is that >> >> IPsec or TLS could be used to protect a geneve overlay network. This is >> >> - in my opinion- not correct as this does not consider the transit >> >> device. In addition, the security consideration only considers the case >> >> where the cloud provider and the overlay network provider are a single >> >> entity, which I believe oversimplifies the problem. >> >> >> >> The threat model seems to me very vague, so the current security >> >> consideration is limited to solving a problem that is not stated. >> >> >> >> My reading of the text indicates the tenant can handle by itself the >> >> confidentiality of its information without necessarily relying on the >> >> overlay service provider. This is not correct. Even when the tenant uses >> >> IPsec/TLS, it still leaks some information. The current text contradicts >> >> [3] section 6.2 and [4] section 5.1. >> >> >> >> My reading is that the text indicates that IPsec/DTLS could be used to >> >> protect the overlay service for both confidentiality and integrity. >> >> While this could be used in some deployment this is not compatible with >> >> transit devices. As such the generic statement is not correct. Section >> >> 6.4 indicates that transit device must be trusted which is incorrect. >> >> Instead the transit device with all nodes between the transit device and >> >> the NVE needs to be trusted. Overall the impression provided is that >> >> IPsec (or TLS) can be used by the service overlay provider, which is (in >> >> my opinion) not true. >> >> >> >> It is unclear to me how authentication of NVE peers differs from the >> >> authentication communication as the latest usually rely on the first. >> >> Maybe the section should insist on mutual authentication. >> >> >> >> Yours, >> >> Daniel >> >> >> >> >> >> [1] https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk= 9o >> >> [2] https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrS= Gw >> >> [3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07 >> >> [4] https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirem= ents-05 >> >> >> >> >> >> >> >> >> >> >> >> On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg wrote: >> >> I am not aware of any IP related to draft-ietf-nvo3-geneve which has not= already been disclosed. >> >> >> >> Thanks >> >> Pankaj >> >> >> >> From: Bocci, Matthew (Nokia - GB) >> Sent: Tuesday, October 9, 2018 2:08 AM >> To: NVO3 >> Cc: draft-ietf-nvo3-geneve@ietf.org >> Subject: Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve= -08.txt >> >> >> >> This email begins a two-week working group last call for draft-ietf-nvo3= -geneve-08.txt. >> >> >> >> Please review the draft and post any comments to the NVO3 working group = list. If you have read the latest version of the draft but have no comments= and believe it is ready for publication as a standards track RFC, please a= lso indicate so to the WG email list. >> >> >> >> We are also polling for knowledge of any undisclosed IPR that applies to= this document, to ensure that IPR has been disclosed in compliance with IE= TF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). >> >> If you are listed as an Author or a Contributor of this document, please= respond to this email and indicate whether or not you are aware of any rel= evant undisclosed IPR. The Document won't progress without answers from all= the Authors and Contributors. >> >> >> >> Currently there are two IPR disclosures against this document. >> >> >> >> If you are not listed as an Author or a Contributor, then please explici= tly respond only if you are aware of any IPR that has not yet been disclose= d in conformance with IETF rules. >> >> >> >> This poll will run until Friday 26th October. >> >> >> >> Regards >> >> >> >> Matthew and Sam >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 From nobody Tue Apr 2 20:36:28 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF441201B3 for ; Tue, 2 Apr 2019 20:36:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.219 X-Spam-Level: X-Spam-Status: No, score=-1.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7q03ZY1X3G9V for ; Tue, 2 Apr 2019 20:36:21 -0700 (PDT) Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA47A12035A for ; Tue, 2 Apr 2019 20:36:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=iA3kdOj8rI6Ay9c+x/Ox482Ib4+V1BC6a/6vQ2HnypM=; b=OlXdUDVJuBKeILNDV4hYDN5Mz nhOQxmdwVLjePRw78iYsKC0UIYaflcWtGnDQNrG8fLlsXHPWOANFeO6/HiyaR+l18nLnFMCi9RHDC cfl9dXcq3b9CcM1P9PddddRwj+0hE3nJ64pIEYYdbBMZ1BqxhBY9GGsFaOCk0SNCEA+VfJmO35pFt Mz79P3pwFrOIqVI6cwbS8gGRmkut3Ch7XznCaglXxq/YQFXKrWzcc/SQXPP5iSreOufCL6ATotlw5 z35496t/CLGIVjWJofviZHpk74Pxejf2xxii1MmJRHgHxZBo0pIoe+H/IzET5tyhMkV5yawO2DdUo 2IhG/QtOA==; Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:62915 helo=[192.168.1.77]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from ) id 1hBWh7-002Y74-D4; Tue, 02 Apr 2019 23:36:16 -0400 Content-Type: multipart/alternative; boundary="Apple-Mail=_9FD84FCB-97AD-40FB-A60B-25005C6C1AC0" Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) From: Joe Touch In-Reply-To: Date: Tue, 2 Apr 2019 20:36:08 -0700 Cc: Daniel Migault , NVO3 Message-Id: <124B2B65-48C6-45B8-94FB-ED4368E65660@strayalpha.com> References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> To: "Ganga, Ilango S" X-Mailer: Apple Mail (2.3445.9.1) X-OutGoing-Spam-Status: No, score=-1.0 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server217.web-hosting.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - strayalpha.com X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com X-Source: X-Source-Args: X-Source-Dir: X-From-Rewrite: unmodified, already matched Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 03:36:27 -0000 --Apple-Mail=_9FD84FCB-97AD-40FB-A60B-25005C6C1AC0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Hi, all, FWIW - I don=E2=80=99t understand this requirement. Clearly, an option MUST NOT depend on options that come before it in the = order they occur, otherwise you could have options defined in a circular = manner that cannot be resolved. However, if you prevent options that depend on other, later options you = would undermine the ability to have an option that provides = authentication (which is useful only when it includes both the payload = and subsequent options) or encryption (which should at least = authenticate the option area, even if it isn=E2=80=99t encrypted). It = also undermines the ability to have options that create new checksum = algorithms. Are you really seeking to prevent these future possibilities? Joe > On Mar 26, 2019, at 10:30 PM, Ganga, Ilango S = wrote: >=20 > Hi Daniel, > =20 > We updated the draft to restate the requirement on options processing, = the revised text is much simpler, provides better clarity, and retains = the original intent. We believe, this should address your concerns. > =20 > https://mailarchive.ietf.org/arch/msg/nvo3/-jwq1fjwDufvPl8Qcbk7Iheiegg = > =20 > Revised text: > =E2=80=9CAn option SHOULD NOT be dependent upon any other option in = the > packet, i.e., options can be processed independently of one > another. Architecturally, options are intended to be self- > descriptive and independent. This enables parallelism in option > processing and reduces implementation complexity.=E2=80=9D > =20 > Thanks > Ilango > =C2=A0 <> > <>From: Daniel Migault [mailto:daniel.migault@ericsson.com = ]=20 > Sent: Wednesday, March 20, 2019 1:56 PM > To: Ganga, Ilango S > > Cc: NVO3 > > Subject: Re: [nvo3] Working Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt - geneve options > =20 > Hi, > =20 > I am looking at the version 12 and see how it address my concern, > regarding the integration of security options. > =20 > The new text in version 12 mentions: > """ > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one = another. > An option MUST NOT affect the parsing or interpretation of any > other option. However, option processing by tunnel endpoints = may > result in the packet being dropped. Options may also be used in > conjunction with each other or combined with packet data but = this > processing is done above the encapsulation layer. > """ > =20 > I am reading the text as a security option can be combined with = another > option or the data payload. More specifically, an authentication = option > that authenticates some options and/or the payload may result in the > packet to be discarded or not. > =20 > I think we are making progress. However, I am not clear about the = text: > =20 > """ but this processing is done above the encapsulation layer.""" > =20 > I am reading the encapsulation layer as the Geneve protocol, but I am > not clear what the layer above is. I am assuming that is a layer > that takes the output of the Geneve decapsulation. If that is correct, > I understand the text saying Geneve processes the options even though > the authentication has failed. Typically, suppose option A covers > options O. Upon verification of A fails, Geneve processes O and = returns > to some upper layers that O has been processed while its = authentication > did not succeed. I am sure that I misunderstood the text, but I = suggest > some clarification are provided to prevent such interpretation as the > purpose of the authenticating O MUST be able to prevent the processing > of the option O. > =20 > In the current text I believe the text """but ...layer""" can be > removed. Another way might be to clarify the layer above the > encapsulation. > =20 > =20 > Yours, > Daniel > =20 > =20 > =20 > On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault = > = wrote: > Hi, > =20 > Thanks for the response. Let me first recap the previous conversation, > or at least my perception of them. My initial comment was that the > current Geneve specification prevents the design of security options = and > I provided an example. My understanding is there is an agreement that > such option is prevented by the current geneve specification and you > challenge the usefulness of such an option (designated as A) as well = as > argue that an authentication upon failure MUST result in discarding = the > packet. > =20 > The security options considered has been mentioned in two independent > security analysis. The example has been described and commented > extensively in the threat analysis as well. I argue further that > mandating that dropping the packet, in our case is neither a decision > that can be taken at the option level, nor at the geneve level. = Instead, > it belongs to a policy decision that is likely to result in incoherent > deployments. > =20 > As result, the current geneve specification prevents security options. > Please see below for more additional information. > =20 > The current option works similarly to IPsec: IPsec/ESP is IP option. = AH > is an option that authenticates the full IP packet. ESP > authenticate/encrypt the IP payload and not the full packet. Upon > authentication failure *the scope of the authentication* is discarded > and in that sense the example I am providing is no more different. > =20 > In our case, the option authenticate an portion of the geneve packet > that is limited to the option. Tthe coverage of the security option is = a > portion of the geneve header. As such, the option cannot mandate > anything outside of its coverage: the covered option O. As a result, > dropping the full packet is outside of the scope. Mandating a packet=20= > drop hardly, in my opinion apply here.=20 > =20 > Options are usually non critical for interoperability. Mandating to = drop > the packet when option O cannot be authenticated would contradict the > non critical status of that option, which is the packet can be = processed > without the option. This would be a policy that overwrite the geneve > - as well as the geneve option - specification. > A possible incoherence would be if option A and O are non critical = would > be that the implementation ignoring the option A and O will accept the > packet, an implementation understanding option O but not option A will > accept the packet while the implementation understanding option A and = O > will reject the packet. > =20 > Yours, > Daniel > =20 > =20 > On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S = > wrote: > Hi Daniel, > =20 > Please see my responses inline below. > =20 > Thanks, > Ilango > =20 > =20 > From: nvo3 [mailto:nvo3-bounces@ietf.org = ] On Behalf Of Daniel Migault > Sent: Monday, March 4, 2019 9:15 AM > To: Ganga, Ilango S > > Cc: nvo3@ietf.org > Subject: Re: [nvo3] Working Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt > =20 > Hi Ilango,=20 > =20 > Thanks for the response. Please see a concrete example to illustrate = my concern=20 > for comment 1. For comment 2, it really helped you indicated that = Geneve is expected=20 > to be an end-to-end protocol. This will help me update the security = requirement=20 > document. However, the current Geneve specification with transit = devices seems -=20 > at least to me - to raise an architecture concern as raised in [1]. > =20 > -- comment 1: > =20 > Thanks for the feed back. I understand the purpose of keeping option > independent one from each other, and favour this is strongly = recommended. > However, I am not convinced this applies always. More specifically, in = a > context of security, the purpose of a security option may be related = to > another option. Typically, a security option providing authentication = or > encryption is potentially authenticating/encryption another option or > other information contained in the header. > =20 > The typical scenario I have in mind would be an authentication option = A > authenticating option O. There will clearly some dependencies between = A > and O as O could only be used if A has been primarily been validated. > The current statement "SHOULD NOT be dependent" enables this. However, = I > have concerns regarding the statement "MUST NOT affect the parsing or > interpretation". In fact, the output of A, will determine if O should = be > dropped or processed normally. In case A shows O is not appropriately > authenticated, O might be rejected based on its C value. The ambiguity = I > see is that A can be understood as affecting the parsing and > interpretation of O or as a pre-processing operation before parsing or > interpretation of O. > =20 > I think, the text needs further clarifications to remove such = ambiguity. > Changing MUST NOT by SHOULD NOT was of course only one proposition and > this could be also addressed otherwise. It might be better, I agree, = to > explicitly mention that some options may provide condition on the > parsing of the options. This would leave the parsing of the options = unchanged.=20 > =20 > > If I understand your example correctly, you want to have one option = authenticate the contents of another option and if that authentication = fails, drop the option. This would not drop the entire packet unless = that option is critical. Can you give a use case for this? This seems = unusual and not something that is supported by other security protocols = such as IPsec or TLS to the best of our knowledge. > =20 > I believe a more common outcome of a failed authentication is that the = entire packet would be dropped. As previously noted, the current text = does not preclude this. It seems like going beyond this would result in = significant complexity, both for processing options in this specific = case as well as the possibility of introducing ambiguity in how other = options might be defined or processed as an unintended consequence. = Without a strong use case, this does not seem desirable. > > =20 > -- comment 2: > =20 > Thanks for the response that clarifies a bit my understanding of the > transit devices.. I believe the issue I have is related to the transit > devices which I do not see, unless I am wrong, meeting the = requirements > for being OPTIONAL and that seems - at least to me - contradicting the > status of end-to-end protocol. As suggested in [1], transit devices = seem to raise > architectural concerns that is not needed. > =20 > You are correct that the text is clear that transit devices are > OPTIONAL. However, my understanding of OPTIONAL from 2119 is that = there=20 > are two sides of it. One is that a vendor may implement it or not, but > the other side is that interoperability with other implementations are > not affected. In this case, two Geneve endpoints using TLS or IPsec = will > not be able to interoperate with an implementation based on transit > devices (unless the process being performed by the transit devices is > also performed by the NVE). In that sense, I believe OPTIONAL = statement > is not appropriated here.=20 > =20 > An implementation with transit devices seems to prevent the=20 > interoperability of with an implementation where options are treated=20= > by the NVE over a secure channel. If we suppose that NVE and=20 > transit devices support the same options, then transit devices are not=20= > necessary and could be removed from the specification. If options > supported by transit devices are different from those supported by=20 > the NVE, interoperability will not be achieved. Transit device will = not be=20 > able to process the options, resulting in options will be ignored = (while=20 > being supported by the implementation).. In addition, if the options=20= > are critical, the NVE is likely to drop the packet as it does not = support=20 > the option.=20 > =20 > In addition, I have some hard time to understand the end-to-end model=20= > with a transit device even optional. I believe that end-to-end = protocol > is a good path, though. However, my understanding of end-to-end = protocol > is that they should only involve two end points. I see the NVE as end > points but the optional transit device does not seems to be one of > these. However, to help me understand better this, as it seems Geneve = is=20 > similar to other end-to-end protocol, maybe you could provide similar=20= > end-to-end protocol that involves a transit devices or something = similar. =20 > =20 > I also have another clarification regarding transit device. I see = these > transit devices as adding a lot of complexity to the end-to-end model > with little benefits. Typically, as far as I understand, they can only > read an option. I am thus wondering whether we should not be better = off > removing them from the specification. This would end up with a clear > end-to-end model. Reversely, I do not see anything preventing a vendor > to implement them at least for unsecure deployments. Removing them=20 > from the specification would leave the transit devices as = implementation=20 > specific. What are actually the benefits of the transit devices that = would=20 > justify them to be part of the specification? > =20 > > Transit devices exists in the underlay network, these are simply = forwarding elements (e.g. switches, routers) that generally forwards = packets based on outer header information, there is nothing that stops = such devices from reading the contents if the data is in the clear. = This works with any transport protocols like IP, IP in IP, GRE, VXLAN, = etc. For example, routers may look at headers and/or inner payload for = ECMP purposes or for statistics or logging purposes. If the packet is = encrypted then such transit devices cannot look into the packets but = would simply forward based on the outer headers and use information in = outer headers for entropy. There is no interoperability issue between = the endpoints. Geneve is no different. > =20 > Recognizing the fact that such a device is anyway going to exist in = the network, Geneve draft provides guidance on how to handle Geneve = headers (if a device has the option to do so). Geneve options are part = of Geneve header, a transit device that is capable of interpreting = Geneve headers may interpret an option or skip over the option to view = the payload, etc. If a transit device is not able interpret the header = or option, it has to simply use the outer header to forward the packet = (outer IP/UDP). This is what the Geneve draft clarifies. > =20 > These guidelines reduce possible interoperability issues compared to = if behavior was left undefined. For example, transit devices are not = allowed to drop packets or fall back to a slow path on the basis of an = unknown option. If this were to happen, it would hamper the introduction = of new options. It might also be worth mentioning that anything that = could be considered a middlebox is not a transit device but needs to be = modeled as an endpoint and so Geneve really should be viewed as a tunnel = endpoint-to-endpoint protocol. > > =20 > =20 > [1] = https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdhcs = > =20 > =20 > Yours,=20 > Daniel=20 > =20 > On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S = > wrote: > Hi Daniel, > =20 > Let us be specific. I see that you have two comments on the latest = draft-ietf-nvo3-geneve-09. Please see below for responses to your = comments. > =20 > Comment 1: > OLD > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one = another. > An option MUST NOT affect the parsing or interpretation of any > other option. > =20 > NEW > =20 > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one = another. > An option SHOULD NOT affect the parsing or interpretation of any > other option. > =20 > > Architecturally Geneve options can be processed independent of one = another. The second statement clearly states that parsing or = interpretation of one option must not affect the other. This is a = reasonable constraint to avoid nested dependencies. Options can be = designed to work with the requirements specified in Geneve. > =20 > Let us take specific examples: > We could think of a design of a Header Integrity check option (related = to your example). In this case if the header integrity check fails, as a = result the entire header is invalid and hence the most likely outcome of = a failed check is that the packet being dropped (including any options = in that packet whether parsed/interpreted or not). The current text does = not preclude the packet being dropped as result of failure.=20 > =20 > It is possible to design options, including any security options, with = these constraints. We don=E2=80=99t see a reason to change this = requirement that may have unintended consequences. > =20 > Comment 2: > =20 > NEW > Security Consideration > =20 > Geneve Overlay may be secured using by protecting the NVE-to-NVE > communication using IPsec or DTLS. However, such mechanisms cannot be > applied for deployments that include transit devices..=20 > =20 > Some deployment may not be able to secure the full communication using > IPsec or DTLS between the NVEs. This could be motivated by the = presence > of transit devices or by a risk analysis that concludes that the = Geneve > packet be only partially protected - typically reduced to the Geneve > Header information. In such cases Geneve specific mechanisms needs to = be > designed.=20 > =20 > The challenge is, you are asking to impose requirements that = is not supported by Geneve architecture. Geneve has an optional feature = where transit devices may be able to interpret Geneve options. However = this is not a requirement for Geneve operation between tunnel end point = to tunnel end point. We have tried make this very clear by adding = clarifying text during the last two revisions. If the Geneve packet is = in the clear then transit devices may be able to view the Genve header, = options, and the payload. However if the packet is encrypted then = transit devices cannot view the packet contents. This is consistent with = other transport protocols encrypting the packets. So we don=E2=80=99t = see a reason why Geneve should be different. =20 > =20 > Geneve is an end to end protocol between tunnel endpoints and the NVEs = decide to secure (encrypt) the packets between tunnel endpoints. If a = middle box has a need to see an encrypted packet, then it has to = implement tunnel endpoint functionality. > =20 > We already have text in 6.4 security consideration section that = provides clear guidance to the operators. > =20 > So we don=E2=80=99t see a good reason to add the suggested text above. > =20 > For a complete threat analysis, a security analysis of Geneve or some > guide lines to secure a Geneve overlay network, please refer to > [draft-mglt-nvo3-geneve-security-requirements] as well as > [draft-ietf-nvo3-security-requirements]. > =20 > > The security requirements document makes certain assumptions that is = unsupported by Geneve architecture. We have tried to clarify this = multiple times, however you have still maintained this in the = requirements document. So this needs to be addressed. Also the document = is not yet adopted by the working group. > =20 > Moreover, Geneve security consideration section has been significantly = enhanced to provide guidance to operators and to address the comments. = So both documents can progress independently. > =20 > Thanks, > Ilango > =20 > =20 > <>From: Daniel Migault [mailto:daniel.migault@ericsson.com = ]=20 > Sent: Saturday, March 2, 2019 8:49 AM > To: Bocci, Matthew (Nokia - GB) > > Cc: draft-ietf-nvo3-geneve@ietf.org = ; Pankaj Garg = >; NVO3 > > Subject: Re: [nvo3] Working Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt > =20 > Hi Matt, > =20 > =20 > You are correct, this is at least not an regular process to have a > standard track document being updated by an informational. I do not = see > either any requirements for having a WG status to become a reference, > but that is something we could confirm with the RFC-editor. > =20 > Back to the initial suggestion, I also believe the difficulties of = updating=20 > the Geneve specifications are far less complex than updating the=20 > implementation, and for that specific reason, it would be good we have = a=20 > consensus on the security analyse. > =20 > I agree that WG draft would be better, and RFC would be even better as > we have seen WG document being stalled. I am confident we can make = this > happen or at least I do not see major issues. > =20 > Yours, > Daniel > =20 > =20 > On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) = > wrote: > WG, Daniel, > =20 > Apologies but I mis-spoke on the suggestion for the security = requirements to act as an update to the encapsulation RFC in future. = This would be difficult to do as it is informational. > =20 > Nonetheless I think we should only be referencing a WG draft (at a = minimum) here. > =20 > Matthew > =20 > =20 > =20 > From: Dacheng Zhang > on behalf of "Bocci, Matthew (Nokia - = GB)" > > Date: Friday, 1 March 2019 at 16:24 > To: Daniel Migault > > Cc: "draft-ietf-nvo3-geneve@ietf.org = " = >, Pankaj Garg = >, NVO3 > > Subject: Re: [nvo3] Working Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt > =20 > Daniel > =20 > =46rom a procedural perspective, referring to your draft creates a = dependency and that draft has not yet been adopted by the WG. The old = Security requirements framework expired a couple of years ago and does = not seem to be being progressed.=20 > Maybe a better approach to allow progress, as long as the WG can agree = to your text (if needed) to satisfy the concern that future security = mechanisms can be used, and that the evolving threat analysis is = understood by implementers and users of Geneve, would be to mark the = Geneve security requirements as an update to the geneve encapsulation = RFC when it is published. > =20 > Matthew > =20 > From: Daniel Migault > > Date: Friday, 1 March 2019 at 16:11 > To: "Bocci, Matthew (Nokia - GB)" > > Cc: Pankaj Garg >, = "draft-ietf-nvo3-geneve@ietf.org = " = >, NVO3 > > Subject: Re: [nvo3] Working Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt > =20 > Hi Matthew,=20 > =20 > I am happy to clarify and be more specific. However, despite your > reading of [1] I think [1] clearly indicates the changes I expected as > well as that these changes needs to be made.=20 > =20 > I believe the responsibility of not addressing an acknowledged issue = is > more on the side of people ignoring the issue then on the side of the > one raising this issue. My impression is that this is the situation we > are in.=20 > =20 > I agree that my initial comment saying "I am fine with the text if we = do > not find something better." might have been confusing and I apology = for > this. At the time of writing the initial comment I was not sure I was > not missing something nor that the problem could not be solved here or > somewhere else (in another section). My meaning behind those words = were > that I was open to the way the concerned could be addressed. However, = - > from my point of view - the text does not say the issue does not need = to > be solved which is the way it has been interpreted. In addition, I > believe I have clarified this right away after the concern has been > acknowledged and not addressed. As result, I do not think my comment > could be reasonably read as the text is fine. > =20 > Please fine the below the initial comment its response and the = response > to the response from [1].=20 > =20 > """ > In case we have a option providing authentication, such option > may affect the interpretation of the other options. > s/interpretation/ndependance may not be better.... I think what we = want > to say is that option MUST be able to be processed in any order or in > parallel. I am fine with the text if we do not find something better. > > =20 > This is a good point, however we believe that this text > captures the intent. =20 > =20 > The problem I have is that the current text prevents security > options, so I guess some clarification should be brought to clarify = the > intent.=20 > """ > =20 > If I had to suggest some text I would suggest the following - or > something around the following lines.=20 > =20 > =20 > OLD > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one = another. > An option MUST NOT affect the parsing or interpretation of any > other option. > =20 > NEW > =20 > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one = another. > An option SHOULD NOT affect the parsing or interpretation of any > other option. > =20 > There are rare cases were the parsing of one option affects the = parsing > or the interpretation of other option. Option related to security may > fall into this category. Typically, if an option enables the > authentication of another option and the authentication does not > succeed, the authenticated option MUST NOT be processed. Other options > may be designed in the future. =20 > =20 > NEW > Security Consideration > =20 > Geneve Overlay may be secured using by protecting the NVE-to-NVE > communication using IPsec or DTLS. However, such mechanisms cannot be > applied for deployments that include transit devices.=20 > =20 > Some deployment may not be able to secure the full communication using > IPsec or DTLS between the NVEs. This could be motivated by the = presence > of transit devices or by a risk analysis that concludes that the = Geneve > packet be only partially protected - typically reduced to the Geneve > Header information. In such cases Geneve specific mechanisms needs to = be > designed.=20 > =20 > For a complete threat analysis, a security analysis of Geneve or some > guide lines to secure a Geneve overlay network, please refer to > [draft-mglt-nvo3-geneve-security-requirements] as well as > [draft-ietf-nvo3-security-requirements]. > =20 > For full disclosure I am a co-author of > draft-mglt-nvo3-geneve-security-requirement. However the reason for > referring to these documents is motivated by the fact that I believe > these analysis provide a better security analysis than the current = (OLD) > security consideration section.=20 > =20 > Yours,=20 > Daniel > =20 > =20 > On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) = > wrote: > Hi Daniel > =20 > Thanks for reviewing the latest version. At this stage it would be = helpful if you could be much more concrete and give specifics. > =20 > I think that the main issue is whether the design of Geneve prevents = future security extensions. > =20 > However, in [1], you stated that you were comfortable with the text if = nothing else could be found. > =20 > What specifically do you want to change in the following, bearing in = mind that there are already claimed implementations of Geneve: > """ > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one = another. > An option MUST NOT affect the parsing or interpretation of any > other option. > """ > =20 > =20 > Matthew > =20 > =20 > From: Daniel Migault > > Date: Friday, 1 March 2019 at 03:06 > To: Pankaj Garg > > Cc: "Bocci, Matthew (Nokia - GB)" >, NVO3 >, "draft-ietf-nvo3-geneve@ietf.org = " = > > Subject: Re: [nvo3] Working Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt > =20 > Hi,=20 > =20 > I just briefly went through the document quickly and in my opinion, = the document still faces some security issues. > =20 > The current text (in my opinion) prevents any geneve security related > options. Currently Geneve cannot be secured and this prevents future > work to eventually secure Geneve. In my opinion the current text > mandates Geneve to remain unsecure.=20 > =20 > Geneve security option that are willing to authenticate/encrypt a part > of the Geneve Header will affect the parsing of the protected option = and > will affect the order in which option needs to be process. Typically a > protected option (authenticated, encrypted) cannot or should not be > processed before authenticated or decrypted.=20 > =20 > This has already been mentioned in [1], and the text needs in my = opinion > further clarifications. =20 > =20 > """ > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one = another. > An option MUST NOT affect the parsing or interpretation of any > other option. > """ > =20 > =20 > =20 > As stated in [2] it remains unclear to me why this section is not > referencing and leveraging on the security analysis [3-4] performed by > two different independent teams..=20 > =20 > My reading of the security consideration is that the message is that > IPsec or TLS could be used to protect a geneve overlay network. This = is > - in my opinion- not correct as this does not consider the transit > device. In addition, the security consideration only considers the = case > where the cloud provider and the overlay network provider are a single > entity, which I believe oversimplifies the problem.=20 > =20 > The threat model seems to me very vague, so the current security > consideration is limited to solving a problem that is not stated.=20 > =20 > My reading of the text indicates the tenant can handle by itself the > confidentiality of its information without necessarily relying on the > overlay service provider. This is not correct. Even when the tenant = uses > IPsec/TLS, it still leaks some information. The current text = contradicts > [3] section 6.2 and [4] section 5.1. > =20 > My reading is that the text indicates that IPsec/DTLS could be used to > protect the overlay service for both confidentiality and integrity. > While this could be used in some deployment this is not compatible = with > transit devices. As such the generic statement is not correct. Section > 6.4 indicates that transit device must be trusted which is incorrect. > Instead the transit device with all nodes between the transit device = and > the NVE needs to be trusted. Overall the impression provided is that > IPsec (or TLS) can be used by the service overlay provider, which is = (in > my opinion) not true.=20 > =20 > It is unclear to me how authentication of NVE peers differs from the > authentication communication as the latest usually rely on the first. > Maybe the section should insist on mutual authentication. =20 > =20 > Yours,=20 > Daniel > =20 > =20 > [1] = https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9o = > [2] = https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSGw = > [3] = https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07 = > [4] = https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-0= 5 = > =20 > =20 > =20 > =20 > =20 > On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg = > wrote: > I am not aware of any IP related to draft-ietf-nvo3-geneve which has = not already been disclosed. > =20 > Thanks > Pankaj > =20 > From: Bocci, Matthew (Nokia - GB) >=20 > Sent: Tuesday, October 9, 2018 2:08 AM > To: NVO3 > > Cc: draft-ietf-nvo3-geneve@ietf.org = > Subject: Working Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt > =20 > This email begins a two-week working group last call for = draft-ietf-nvo3-geneve-08.txt. > =20 > Please review the draft and post any comments to the NVO3 working = group list. If you have read the latest version of the draft but have no = comments and believe it is ready for publication as a standards track = RFC, please also indicate so to the WG email list. > =20 > We are also polling for knowledge of any undisclosed IPR that applies = to this document, to ensure that IPR has been disclosed in compliance = with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more = details). > If you are listed as an Author or a Contributor of this document, = please respond to this email and indicate whether or not you are aware = of any relevant undisclosed IPR. The Document won't progress without = answers from all the Authors and Contributors. > =20 > Currently there are two IPR disclosures against this document. > =20 > If you are not listed as an Author or a Contributor, then please = explicitly respond only if you are aware of any IPR that has not yet = been disclosed in conformance with IETF rules. > =20 > This poll will run until Friday 26th October. > =20 > Regards > =20 > Matthew and Sam > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 = > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 = > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 = > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 = > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 = ______________________________= _________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 = --Apple-Mail=_9FD84FCB-97AD-40FB-A60B-25005C6C1AC0 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 Hi, = all,

FWIW - I = don=E2=80=99t understand this requirement.

Clearly, an option MUST NOT depend on = options that come before it in the order they occur, otherwise you could = have options defined in a circular manner that cannot be = resolved.

However, if you prevent options that depend on other, later = options you would undermine the ability to have an option that provides = authentication (which is useful only when it includes both the payload = and subsequent options) or encryption (which should at least = authenticate the option area, even if it isn=E2=80=99t encrypted). It = also undermines the ability to have options that create new checksum = algorithms.

Are = you really seeking to prevent these future possibilities?

Joe
On Mar = 26, 2019, at 10:30 PM, Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:

Hi Daniel,
 
We updated the draft to = restate the requirement on options processing, the revised text is much = simpler, provides better clarity, and retains the original intent. We = believe, this should address your concerns.
 
https://mailarchive.ietf.org/arch/msg/nvo3/-jwq1fjwDufvPl8Qcbk7= Iheiegg
 
Revised text:
=E2=80=9CAn option SHOULD NOT be dependent upon = any other option in the
packet, i.e., = options can be processed independently of one
another.  Architecturally, options are = intended to be self-
descriptive and independent.  This enables parallelism =
in option
processing and reduces =
implementation complexity.=E2=80=9D
 
Thanks
Ilango
 
From: Daniel Migault [mailto:daniel.migault@ericsson.com] 
Sent: Wednesday, March 20, 2019 = 1:56 PM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: NVO3 = <nvo3@ietf.org>
Subject: Re: [nvo3] Working Group = Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve = options
 
Hi,
 
I am looking at the version 12 and see = how it address my concern,
regarding = the integration of security options.
 
The new text in version 12 mentions:
"""
  =  o  An option SHOULD NOT be dependent upon any other option in = the
      packet, i.e., = options can be processed independent of one another.
      An option MUST NOT affect the = parsing or interpretation of any
  =     other option.  However, option processing by tunnel = endpoints may
      = result in the packet being dropped.  Options may also be used = in
      conjunction with = each other or combined with packet data but this
      processing is done above the = encapsulation layer.
"""
 
I am = reading the text as a security option can be combined with another
option or the data payload. More specifically, an = authentication option
that = authenticates some options and/or the payload may result in the
packet to be discarded or not.
 
I think we = are making progress. However, I am not clear about the text:
 
""" but = this processing is done above the encapsulation layer."""
 
I am = reading the encapsulation layer as the Geneve protocol, but I am
not clear what the layer above is. I am assuming that = is a layer
that takes the output of = the Geneve decapsulation. If that is correct,
I understand the text saying Geneve processes the = options even though
the authentication has = failed. Typically, suppose option A covers
options O. Upon verification of A fails, Geneve = processes O and returns
to some = upper layers that O has been processed while its authentication
did not succeed. I am sure that I misunderstood the = text, but I suggest
some clarification are = provided to prevent such interpretation as the
purpose of the authenticating O MUST be able to = prevent the processing
of the = option O.
 
In the current text I believe the text = """but ...layer""" can be
removed. = Another way might be to clarify the layer above the
encapsulation.
 
 
Yours,
Daniel
 
 
 
On Fri, Mar = 8, 2019 at 9:44 PM Daniel Migault <daniel.migault@ericsson.com> wrote:
Hi,
 
Thanks for the response. Let me first = recap the previous conversation,
or at least = my perception of them. My initial comment was that the
current Geneve specification prevents the design of = security options and
I provided an example. = My understanding is there is an agreement that
such option is prevented by the current geneve = specification and you
challenge = the usefulness of such an option (designated as A) as well as
argue that an authentication upon failure MUST result = in discarding the
packet.
 
The = security options considered has been mentioned in two independent
security analysis. The example has been described and = commented
extensively in the = threat analysis as well.  I argue further that
mandating that dropping the packet, in our case is = neither a decision
that can be taken at the = option level, nor at the geneve level. Instead,
it belongs to a policy decision that is likely to = result in incoherent
deployments.
 
As result, = the current geneve specification prevents security options.
Please see below for more additional information.
 
The current = option works similarly to IPsec: IPsec/ESP is IP option. AH
is an option that authenticates the full IP packet. = ESP
authenticate/encrypt the IP payload and = not the full packet.  Upon
authentication failure *the scope of the authentication* is = discarded
and in that sense the = example I am providing is no more different.
 
In our = case, the option authenticate an portion of the geneve packet
that is limited to the option. Tthe coverage of the = security option is a
portion of the geneve = header.  As such, the option cannot mandate
anything outside of its coverage: the covered option = O. As a result,
dropping the full packet = is outside of the scope. Mandating a packet 
drop hardly, in my opinion apply here. 
 
Options are = usually non critical for interoperability. Mandating to drop
the packet when option O cannot be authenticated = would contradict the
non critical status of = that option, which is the packet can be processed
without the option. This would be a policy that = overwrite the geneve
 - as well as the = geneve option - specification.
A possible = incoherence would be if option A and O are non critical would
be that the implementation ignoring the option A and = O will accept the
packet, an = implementation understanding option O but not option A will
accept the packet while the implementation = understanding option A and O
will reject = the packet.
 
Yours,
Daniel
 
 
On Wed, Mar = 6, 2019 at 9:33 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:
Hi = Daniel,
 
Please see my responses = inline below.
 
Thanks,
Ilango
 
 
From: nvo3 = [mailto:nvo3-bounces@ietf.org] On Behalf = Of Daniel = Migault
Sent: Monday, March 4, 2019 9:15 = AM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: nvo3@ietf.org
Subject: Re: [nvo3] Working Group = Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt
 
Hi Ilango, 
 
Thanks for the response. Please see a concrete = example to illustrate my concern 
for comment 1. For comment 2, it really helped you = indicated that Geneve is expected 
to be an end-to-end protocol. This will help me = update the security requirement 
document. However, the current Geneve specification = with transit devices seems - 
at least to = me - to raise an architecture concern as raised in [1].
 
-- comment 1:
 
Thanks for the feed back. I understand the purpose of = keeping option
independent one from = each other, and favour this is strongly recommended.
However, I am not convinced this applies always. More = specifically, in a
context of security, the = purpose of a security option may be related to
another option. Typically, a security option = providing authentication or
encryption = is potentially authenticating/encryption another option or
other information contained in the header.
 
The typical = scenario I have in mind would be an authentication option A
authenticating option O. There will clearly some = dependencies between A
and O as O = could only be used if A has been primarily been validated.
The current statement "SHOULD NOT be dependent" = enables this. However, I
have = concerns regarding the statement "MUST NOT affect the parsing or
interpretation". In fact, the output of A, will = determine if O should be
dropped or = processed normally. In case A shows O is not appropriately
authenticated, O might be rejected based on its C = value. The ambiguity I
see is that = A can be understood as affecting the parsing and
interpretation of O or as a pre-processing operation = before parsing or
interpretation of O.
 
I think, = the text needs further clarifications to remove such ambiguity.
Changing MUST NOT by SHOULD NOT was of course only = one proposition and
this could be also = addressed otherwise. It might be better, I agree, to
explicitly mention that some options may provide = condition on the
parsing of the options. = This would leave the parsing of the options unchanged. 
 
<Ilango>
If I understand your = example correctly, you want to have one option authenticate the contents = of another option and if that authentication fails, drop the option. = This would not drop the entire packet unless that option is critical. = Can you give a use case for this? This seems unusual and not something = that is supported by other security protocols such as IPsec or TLS to = the best of our knowledge.
 
I = believe a more common outcome of a failed authentication is that the = entire packet would be dropped. As previously noted, the current text = does not preclude this. It seems like going beyond this would result in = significant complexity, both for processing options in this specific = case as well as the possibility of introducing ambiguity in how other = options might be defined or processed as an unintended consequence. = Without a strong use case, this does not seem desirable.
</>
 
-- comment = 2:
 
Thanks for the response that clarifies a bit my = understanding of the
transit devices.. I = believe the issue I have is related to the transit
devices which I do not see, unless I am wrong, = meeting the requirements
for being = OPTIONAL and that seems - at least to me - contradicting the
status of end-to-end protocol. As suggested in [1], = transit devices seem to raise
architectural= concerns that is not needed.
 
You are correct that the text is clear that transit = devices are
OPTIONAL. However, my = understanding of OPTIONAL from 2119 is that there 
are two sides of it. One is that a vendor may = implement it or not, but
the other = side is that interoperability with other implementations are
not affected. In this case, two Geneve endpoints = using TLS or IPsec will
not be able = to interoperate with an implementation based on transit
devices (unless the process being performed by the = transit devices is
also performed by the = NVE). In that sense, I believe OPTIONAL statement
is not appropriated here. 
 
An = implementation with transit devices seems to prevent the 
interoperability of with an implementation = where  options are treated 
by the NVE over a secure channel. If we suppose that = NVE and 
transit devices support = the same options, then transit devices are not 
necessary and could be removed from the = specification. If options
supported = by transit devices are different from those supported by 
the NVE, interoperability will not be achieved. = Transit device will not be 
able to = process the options, resulting in options will be ignored = (while 
being supported by the = implementation).. In addition, if the options 
are critical, the NVE is likely to drop the packet as = it does not support 
the = option. 
 
In addition, I have some hard time to understand the = end-to-end model 
with a = transit device even optional. I believe that end-to-end protocol
is a good path, though. However, my understanding of = end-to-end protocol
is that they should only = involve two end points. I see the NVE as end
points but the optional transit device does not seems = to be one of
these. However, to help = me understand better this, as it seems Geneve is 
similar to other end-to-end protocol, maybe you could = provide similar 
end-to-end = protocol that involves a transit devices or something similar.  =  
 
I also have another = clarification regarding transit device. I see these
transit devices as adding a lot of complexity to the = end-to-end model
with little benefits. = Typically, as far as I understand, they can only
read an option. I am thus wondering whether we should = not be better off
removing them from the = specification. This would end up with a clear
end-to-end model. Reversely, I do not see anything = preventing a vendor
to implement them at = least for unsecure deployments. Removing them 
from the specification would leave the transit = devices as implementation 
specific. = What are actually the benefits of the transit devices that = would 
justify them to be part = of the specification?
 
<Ilango>
Transit devices exists in the underlay network, these are = simply forwarding elements (e.g. switches, routers) that generally = forwards packets based on outer header information, there is nothing = that stops such devices from reading the contents if the data is in the = clear.  This works with any transport protocols like IP, IP in IP, = GRE, VXLAN, etc.  For example, routers may look at headers and/or = inner payload for ECMP purposes or for statistics or logging purposes. = If the packet is encrypted then such transit devices cannot look into = the packets but would simply forward based on the outer headers and use = information in outer headers for entropy. There is no interoperability = issue between the endpoints. Geneve is no different.
 
Recognizing the fact = that such a device is anyway going to exist in the network, Geneve draft = provides guidance on how to handle Geneve headers (if a device has the = option to do so).  Geneve options are part of Geneve header, a = transit device that is capable of interpreting Geneve headers may = interpret an option or skip over the option to view the payload, = etc.  If a transit device is not able interpret the header or = option, it has to simply use the outer header to forward the packet = (outer IP/UDP). This is what the Geneve draft clarifies.
 
These guidelines reduce = possible interoperability issues compared to if behavior was left = undefined. For example, transit devices are not allowed to drop packets = or fall back to a slow path on the basis of an unknown option. If this = were to happen, it would hamper the introduction of new options. It = might also be worth mentioning that anything that could be considered a = middlebox is not a transit device but needs to be modeled as an endpoint = and so Geneve really should be viewed as a tunnel endpoint-to-endpoint = protocol.
<end>
 
 
[1] https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N= _SCdhcs
 
 
Yours, 
Daniel 
 
On Sat, Mar 2, 2019 at = 8:18 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:
Hi Daniel,
 
Let us be specific. I = see that you have two comments on the latest = draft-ietf-nvo3-geneve-09.  Please see below for responses to your = comments.
 
Comment 1:
OLD
   o  An option SHOULD NOT be = dependent upon any other option in the
      = packet, i.e., options can be processed independent of one another.
      An option MUST NOT affect the parsing or = interpretation of any
      other option.
 
NEW
 
   o  An = option SHOULD NOT be dependent upon any other option in the
      packet, i.e., options can be processed = independent of one another.
      An = option SHOULD NOT affect the parsing or interpretation of any
      other option.
 
<Ilango>
Architecturally Geneve = options can be processed independent of one another. The second = statement clearly states that parsing or interpretation of one option = must not affect the other.  This is a reasonable constraint to = avoid nested dependencies. Options can be designed to work with the = requirements specified in Geneve.
 
Let= us take specific examples:
We could think of a design of a Header Integrity check option = (related to your example). In this case if the header integrity check = fails, as a result the entire header is invalid and hence the most = likely outcome of a failed check is that the packet being dropped = (including any options in that packet whether parsed/interpreted or = not). The current text does not preclude the packet being dropped as = result of failure. 
 
It is possible to = design options, including any security options, with these = constraints.  We don=E2=80=99t see a reason to change this = requirement that may have unintended consequences.
 
Comment 2:
 
NEW
Security Consideration
 
Geneve Overlay may be secured using by protecting the = NVE-to-NVE
communication using IPsec or DTLS. However, such = mechanisms cannot be
applied for deployments that include = transit devices.. 
 
Some deployment may not = be able to secure the full communication using
IPsec or DTLS between the NVEs. This could be motivated by = the presence
of transit devices or by a risk analysis that = concludes that the Geneve
packet be only partially protected - = typically reduced to the Geneve
Header information. In = such cases Geneve specific mechanisms needs to be
designed. 
 
<Ilango> The challenge is, you are asking to impose = requirements that is not supported by Geneve architecture. Geneve has an = optional feature where transit devices may be able to interpret Geneve = options. However this is not a requirement for Geneve operation between = tunnel end point to tunnel end point. We have tried make this very clear = by adding clarifying text during the last two revisions. If the Geneve = packet is in the clear then transit devices may be able to view the = Genve header, options, and the payload. However if the packet is = encrypted then transit devices cannot view the packet contents. This is = consistent with other transport protocols encrypting the packets. So we = don=E2=80=99t see a reason why Geneve should be different. =   
 
Geneve is an end to end = protocol between tunnel endpoints and the NVEs decide to secure = (encrypt) the packets between tunnel endpoints. If a middle box has a = need to see an encrypted packet, then it has to implement tunnel = endpoint functionality.
 
We = already have text in 6.4 security consideration section that provides = clear guidance to the operators.
 
So = we don=E2=80=99t see a good reason to add the suggested text = above.
 
For a complete threat analysis, a security analysis of Geneve = or some
guide lines to secure a Geneve overlay network, = please refer to
[draft-mglt-nvo3-geneve-security-requirements] as = well as
[draft-ietf-nvo3-security-requirements].
 
<Ilango>
The security = requirements document  makes certain assumptions that is = unsupported by Geneve architecture. We have tried to clarify this = multiple times, however you have still maintained this in the = requirements document. So this needs to be addressed. Also the document = is not yet adopted by the working group.
 
Moreover, Geneve = security consideration section has been significantly enhanced to = provide guidance to operators and to address the comments. So both = documents can progress independently.
 
Thanks,
Ilango
 
 
From: Daniel = Migault [mailto:daniel.migault@ericsson.com] 
Sent: Saturday, March 2, 2019 = 8:49 AM
To: Bocci, Matthew (Nokia - GB) = <matthew.bocci@nokia.com>
Cc: draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg = <pankajg=3D40microsoft.com@dmarc.ietf.org>; NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] Working Group = Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt
 
Hi Matt,
  
 
You are = correct, this is at least not an regular process to have a
standard track document being updated by an = informational. I do not see
either any = requirements for having a WG status to become a reference,
but that is something we could confirm with the = RFC-editor.
 
Back to the initial suggestion, I also believe the = difficulties of updating 
the Geneve = specifications are far less complex than updating the 
implementation, and for that specific reason, it = would be good we have a 
consensus = on the security analyse.
 
I agree that WG draft would be better, and RFC would = be even better as
we have seen WG document = being stalled. I am confident we can make this
happen or at least I do not see major issues.
 
Yours,
Daniel
 
 
On Fri, Mar = 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com> wrote:
WG, Daniel,
 
Apologies = but I mis-spoke on the suggestion for the security requirements to act = as an update to the encapsulation RFC in future. This would be difficult = to do as it is informational.
 
Nonetheless I think we should only be referencing a WG draft = (at a minimum) here.
 
Matthew
 
 
 
From: Dacheng Zhang <nvo3-bounces@ietf.org> on behalf of "Bocci, Matthew = (Nokia - GB)" <matthew.bocci@nokia.com>
Date: Friday, 1 March 2019 at = 16:24
To: Daniel Migault <daniel.migault@ericsson.com>
Cc: "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>, Pankaj Garg = <pankajg=3D40microsoft.com@dmarc.ietf.org>, NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] Working = Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt
 
Daniel
 
=46rom a procedural = perspective, referring to your draft creates a dependency and that draft = has not yet been adopted by the WG. The old Security requirements = framework expired a couple of years ago and does not seem to be being = progressed. 
Maybe a better approach to = allow progress, as long as the WG can agree to your text (if needed) to = satisfy the concern that future security mechanisms can be used, and = that the evolving threat analysis is understood by implementers and = users of Geneve, would be to mark the Geneve security requirements as an = update to the geneve encapsulation RFC when it is published.
 
Matthew
 
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Friday, 1 March 2019 at = 16:11
To: "Bocci, Matthew (Nokia = - GB)" <matthew.bocci@nokia.com>
Cc: Pankaj Garg = <pankajg=3D40microsoft.com@dmarc.ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>, NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] Working = Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt
 
Hi Matthew, 
 
I am happy to clarify = and be more specific. However, despite your
reading of [1] I = think [1] clearly indicates the changes I expected as
well as that these = changes needs to be made. 
 
I believe the = responsibility of not addressing an acknowledged issue is
more on the side of = people ignoring the issue  then on the side of the
one raising this = issue. My impression is that this is the situation we
are = in. 
  
I agree that my initial comment saying "I am = fine with the text if we do
not find something better." might have been = confusing and I apology for
this. At the time of writing the initial = comment I was not sure I was
not missing something nor that the problem = could not be solved here or
somewhere else (in another section). My = meaning behind those words were
that I was open to = the way the concerned could be addressed. However, -
from my point of view = - the text does not say the issue does not need to
be solved which is = the way it has been interpreted. In addition, I
believe I have = clarified this right away after the concern has been
acknowledged and not = addressed. As result, I do not think my comment
could be reasonably = read as the text is fine.
 
Please fine the below = the initial comment its response and the response
to the response from = [1]. 
 
"""
<mglt> In case we have a option = providing authentication, such option
may affect the = interpretation of the other options.
s/interpretation/ndependance may not be better.... I think = what we want
to say is that option MUST be able to be processed in any = order or in
parallel.  I am fine with the text if we do not find = something better.
</mglt>
 
<Ilango> This = is a good point, however we believe that this text
captures the = intent.  </> 
 
<mglt2>The = problem I have is that the current text prevents security
options, so I guess = some clarification should be brought to clarify the
intent.</mglt2> 
"""
 
If I had to suggest = some text I would suggest the following - or
something around the = following lines. 
 
 
OLD
   o  = An option SHOULD NOT be dependent upon any other option in = the
      packet, i.e., options can be processed = independent of one another.
      An option MUST NOT affect = the parsing or interpretation of any
      = other option.
 
NEW
 
   o  = An option SHOULD NOT be dependent upon any other option in = the
      packet, i.e., options can be processed = independent of one another.
      An option SHOULD NOT = affect the parsing or interpretation of any
      = other option.
 
There are rare cases were the parsing of one = option affects the parsing
or the interpretation of other option. Option = related to security may
fall into this category. Typically, if an = option enables the
authentication of another option and the = authentication does not
succeed, the authenticated option MUST NOT be = processed. Other options
may be designed in the = future.  
 
NEW
Security = Consideration
 
Geneve Overlay may be secured using by = protecting the NVE-to-NVE
communication using IPsec or DTLS. However, = such mechanisms cannot be
applied for deployments that include transit = devices. 
 
Some deployment may = not be able to secure the full communication using
IPsec or DTLS between = the NVEs. This could be motivated by the presence
of transit devices or = by a risk analysis that concludes that the Geneve
packet be only = partially protected - typically reduced to the Geneve
Header information. = In such cases Geneve specific mechanisms needs to be
designed. 
 
For a complete threat = analysis, a security analysis of Geneve or some
guide lines to secure = a Geneve overlay network, please refer to
[draft-mglt-nvo3-geneve-security-requirements] as well = as
[draft-ietf-nvo3-security-requirements].
 
For full disclosure I = am a co-author of
draft-mglt-nvo3-geneve-security-requirement. = However the reason for
referring to these documents is motivated by = the fact that I believe
these analysis provide a better security = analysis than the current (OLD)
security = consideration section. 
 
Yours, 
Daniel
 
 
On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) = <matthew.bocci@nokia.com> wrote:
Hi Daniel
 
Thanks for reviewing the = latest version. At this stage it would be helpful if you could be much = more concrete and give specifics.
 
I think = that the main issue is whether the design of Geneve prevents future = security extensions.
 
However, = in [1], you stated that you were comfortable with the text if nothing = else could be found.
 
What = specifically do you want to change in the following, bearing in mind = that there are already claimed implementations of Geneve:
"""
   o  An = option SHOULD NOT be dependent upon any other option in the
      packet, = i.e., options can be processed independent of one another.
      An = option MUST NOT affect the parsing or interpretation of any
      other = option.
"""
 
 
Matthew
 
 
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Friday, 1 March 2019 at = 03:06
To: Pankaj Garg = <pankajg=3D40microsoft.com@dmarc.ietf.org>
Cc: "Bocci, Matthew (Nokia = - GB)" <matthew.bocci@nokia.com>, NVO3 <nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>
Subject: Re: [nvo3] Working = Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt
 
Hi, 
 
I just briefly went = through the document quickly and in my opinion, the document still faces = some security issues.
 
The current text (in = my opinion) prevents any geneve security related
options. Currently = Geneve cannot be secured and this prevents future
work to eventually = secure Geneve. In my opinion the current text
mandates Geneve to = remain unsecure. 
 
Geneve security = option that are willing to authenticate/encrypt a part
of the Geneve Header = will affect the parsing of the protected option and
will affect the order = in which option needs to be process. Typically a
protected option = (authenticated, encrypted) cannot or should not be
processed before = authenticated or decrypted. 
 
This has already been = mentioned in [1], and the text needs in my opinion
further = clarifications.  
 
"""
   o  = An option SHOULD NOT be dependent upon any other option in = the
      packet, i.e., options can be processed = independent of one another.
      An option MUST NOT affect = the parsing or interpretation of any
      = other option.
"""
 
 
 
As stated in [2] it = remains unclear to me why this section is not
referencing and = leveraging on the security analysis [3-4] performed by
two different = independent teams.. 
 
My reading of the = security consideration is that the message is that
IPsec or TLS could be = used to protect a geneve overlay network. This is
- in my opinion- not = correct as this does not consider the transit
device. In addition, = the security consideration only considers the case
where the cloud = provider and the overlay network provider are a single
entity, which I = believe oversimplifies the problem. 
 
The threat model = seems to me very vague, so the current security
consideration is = limited to solving a problem that is not stated. 
 
My reading of the = text indicates the tenant can handle by itself the
confidentiality of = its information without necessarily relying on the
overlay service = provider. This is not correct. Even when the tenant uses
IPsec/TLS, it still = leaks some information. The current text contradicts
[3] section 6.2 and = [4] section 5.1.
 
My reading is that = the text indicates that IPsec/DTLS could be used to
protect the overlay = service for both confidentiality and integrity.
While this could be = used in some deployment this is not compatible with
transit devices. As = such the generic statement is not correct. Section
6.4 indicates that = transit device must be trusted which is incorrect.
Instead the transit = device with all nodes between the transit device and
the NVE needs to be = trusted.  Overall the impression provided is that
IPsec (or TLS) can be = used by the service overlay provider, which is (in
my opinion) not = true. 
 
It is unclear to me how authentication of NVE = peers differs from the
authentication communication as the latest = usually rely on the first.
Maybe the section should insist on mutual = authentication.  
 
Yours, 
Daniel
 
 
[1] https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtd= OJOIk9o
[2] https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7j= yHIrSGw
[3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requiremen= ts-07
[4] https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-req= uirements-05
 
 
 
 
 
On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org> wrote:
I am not aware of any IP related to = draft-ietf-nvo3-geneve which has not already been disclosed.
 
Thanks
Pankaj
 
From: Bocci, Matthew (Nokia - GB) = <matthew.bocci@nokia.com> 
Sent: Tuesday, October 9, 2018 = 2:08 AM
To: NVO3 <nvo3@ietf.org>
Cc: draft-ietf-nvo3-geneve@ietf.org
Subject: Working Group Last Call and = IPR Poll for draft-ietf-nvo3-geneve-08.txt
 
This = email begins a two-week working group last call for = draft-ietf-nvo3-geneve-08.txt.
 
Please = review the draft and post any comments to the NVO3 working group list. = If you have read the latest version of the draft but have no comments = and believe it is ready for publication as a standards track RFC, please = also indicate so to the WG email list.
 
We are also polling for = knowledge of any undisclosed IPR that applies to this document, to = ensure that IPR has been disclosed in compliance with IETF IPR rules = (see RFCs 3979, 4879, 3669 and 5378 for more details).
If you are listed as an = Author or a Contributor of this document, please respond to this email = and indicate whether or not you are aware of any relevant undisclosed = IPR. The Document won't progress without answers from all the Authors = and Contributors.
 
Currently = there are two IPR disclosures against this document.
 
If you are not listed as an = Author or a Contributor, then please explicitly respond only if you are = aware of any IPR that has not yet been disclosed in conformance with = IETF rules.
 
This poll will run until = Friday 26th October.
 
Regards
 
Matthew and Sam
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3<= /div>_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
= --Apple-Mail=_9FD84FCB-97AD-40FB-A60B-25005C6C1AC0-- From nobody Wed Apr 3 08:30:38 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6897712010F for ; Wed, 3 Apr 2019 08:30:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.253 X-Spam-Level: X-Spam-Status: No, score=0.253 tagged_above=-999 required=5 tests=[FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0-avEXfKF-G8 for ; Wed, 3 Apr 2019 08:30:30 -0700 (PDT) Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com [209.85.208.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E3EC12008B for ; Wed, 3 Apr 2019 08:30:29 -0700 (PDT) Received: by mail-lj1-f174.google.com with SMTP id v13so15288269ljk.4 for ; Wed, 03 Apr 2019 08:30:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Hj9ZJtyZptPn0u8OeR2mQQ8g3Vnhl2+swtqLYvWmPZw=; b=A5IEGi+1inGoFWIJM0xKB0fdVzsnxxCSmpHbszOqu1tjrQw7NNTi6fZH5dh2WyPP4C H2gG3q/JTRFHpPBA6GFufE7uiShv+qXWjbPwvN/NcuTCTdGDGB4ffkzLjSRga8mONV9b MdwUEGG46mvZNjtfOFHp2ai7wblwkM8nZvzMMAKTEml6LGXPYcYTI4FBh9/ya641B/UA J8Y2GAOuBvYcIdVigdoS+duB+wkfzsVgm4Ha7J5MfNnVFANGq8oKpt9X4WKSxSQNCtSa c871Aj+S5kIy24ZfVJqVRQ7YMRZjLbKlp5nEOyhEK6j8iiKYxxhBL+NkrQ+WuLL7Pr14 6W2Q== X-Gm-Message-State: APjAAAXj8GGLNTHpXuFVlZPatbrxzni5MHXXllm2fe1kF1PEuRgpAUUW JDMh74CWAjcPUMHVaoPAUbJCdZkdgc29ThE3OLw= X-Google-Smtp-Source: APXvYqwDJNZJdruB8iBO7FKNUYtOj5YMQw9BDrID48SMpKGIgo3hcNVcWGSkhcKFSTJV9MI6PJ2Qj64MVEGBlxzyzeU= X-Received: by 2002:a2e:1245:: with SMTP id t66mr258835lje.18.1554305427120; Wed, 03 Apr 2019 08:30:27 -0700 (PDT) MIME-Version: 1.0 References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> In-Reply-To: From: Daniel Migault Date: Wed, 3 Apr 2019 11:30:15 -0400 Message-ID: To: Jesse Gross Cc: "Ganga, Ilango S" , NVO3 Content-Type: multipart/alternative; boundary="000000000000db246f0585a1eebe" Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - transit devices X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 15:30:36 -0000 --000000000000db246f0585a1eebe Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Jesse, Thanks for the response. I am definitively willing to understand these transit devices to move forward the geneve specification as well as associated security documents. I do not see them mentioned in in RFC 8014 but maybe a different terminology is used or I am reading the wrong document. >From your response, I understand that transit devices will be part of the deployments and inspect the Geneve Header. What would be clarifying to me is: 1) what is a typical behavior for such transit devices, what Geneve information will they look at, what would be the outcome. Currently I have not seen a use case for it. 2) I am not so familiar with routing, be my understanding is that router forwards based on unprotected information. One reason is that end points may not share some specific context with these intermediary nodes. In the case of Geneve, the main issue I have, is to understand the relation between NVE and transit devices. It is fairly easy to have a key exchange between two NVEs, but this is very difficult to have a key exchange between NVEs and transit devices. In my view - and I might be completely wrong - NVEs should not be aware of transit devices that are on-path. This would mean that that Geneve option accessed by the NVE could be left unprotected or NVE will be configured by an admin to protect these options in a certain way. This will avoid a key negotiation between the NVEs to consider the transit devices. If we do not have any valid use case, removing transit devices from the Geneve specification would work for me, or add a section in the security consideration to avoid ossification. If we assume there is a valid use case, I am wondering if the following assumptions seem reasonable to you. If that does not seem reasonable, feel free to let me know what is not acceptable: * Geneve is an end-to-end protocol between two NVE. * transit device are intermediary nodes NVE may not know their existence. * transit devices may access certain Geneve Options. * The specification of Geneve Options MUST specify whether the option is made visible to the transit device or only to the NVE. * Geneve Options made visible to transit devices are configured in the NVE. * The protection of the Geneve information accessed to the transit device is left to the underlay infrastructure, or configuration by an admin. It may remain un-protected by Geneve, but could also be protected by an option. However, it remains outside the scope of the NVE. * NVEs may agree on cryptographic material via a Key Exchange Protocol but the protection of information accessed by transit devices is outside the scope of that cryptographic material. * Because we have two classes of options, those read (processed) by the transit devices and those processed by the NVE. The security of Geneve needs to involve a mechanisms based on security options ( similar to IPsec) in the general case. On the other hand, when transit devices are not deployed DTLS could be used as an alternative. As this document does not describes any Geneve Options DTLS can be used here. * In order to prevent transit devices to interfere and ossify Geneve, traffic that is not understood MUST be bypassed. Yours, Daniel On Tue, Apr 2, 2019 at 10:46 PM Jesse Gross wrote: > Daniel, > > Speaking as a member of the working group rather than as a coauthor, I > think there is confusion about the NVO3 architecture that is > independent of Geneve. > > Transit devices are not middle boxes. They are routers and switches, > used to move packets between endpoints in an L3 network. This is > fundamental to the NVO3 architecture and to remove them is not > possible. > > What would be possible is to remove mention of them from the protocol > document. However, transit devices would continue to exist and would > still be able to read unencrypted packets. Again, there is no getting > around this. The only way to prevent transit devices from interacting > with packets at the encapsulation layer and above is through the use > of end-to-end encryption. > > What the Geneve draft does do is provide guidelines for how these > transit devices should behave to ensure that they are good citizens. > For example, routers today look into packets beyond the IP header and > it's likely that this will continue when encapsulation is in use. The > Geneve draft specifies that if they do this, they must not drop or > slow path packets even if they encounter unknown options. Describing > this behavior is not incoherence in the architecture - it is a method > of ensuring that the protocol remains flexible for end-to-end users. > > Jesse > > On Tue, Apr 2, 2019 at 1:57 PM Daniel Migault > wrote: > > > > Hi Ilango, > > > > Thanks for the response. The use case of ECMP to justify transit device= s > > does not seem - to my understanding aligned with RFC6438 which indicate= s > > TLV is inconvenient for ECMP or LAG, and that flow label should be used > > instead. > > In addition, the problem of ossification by transit devices is not he > > ability to bypass DTLS traffic, but rather the ability to detect a > > packet is a Geneve packet. > > > > Unless I misunderstood the use case, it does not seem sufficient (at > > least to me) to balance the complexity introduced by transit devices, > > i.e. negotiation with middle boxes, protocol ossification, incoherence > > in the architecture. I would be happy to hear what the WG thinks about > > it. > > > > Following the analogy with IPv6 to determine what options could be used > > by transit devices, RFC4306 lists hop-by-hop, routing, and fragmentatio= n > > extension headers. RFC 2460 seems to limit that to hop-by-hops. From > > hop-by-hop options I do not see equivalence for transit devices with > > padding, jumbo or router alert options [1] > > > > Yours, > > Daniel > > > > [1] > https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml > > > > > > > > On Wed, Mar 27, 2019 at 9:35 PM Ganga, Ilango S < > ilango.s.ganga@intel.com> wrote: > >> > >> Hi Daniel, > >> > >> > >> > >> Here is a specific example use case: > >> > >> A router (transit device) could use information in the Geneve header > for ECMP purposes. For example, an option could carry flow context and th= e > router may look at Geneve header information, such as VNI and/or flow > context (Flow ID) in an option or may skip over the options and use > information in payload for ECMP purposes. However if the NVEs decide to > secure the packet with for example DTLS, in this case, the transit device= s > will forward packets as any other UDP packets. It is not a requirement th= at > transit devices must see Geneve header information for its normal > operation; if a transit device cannot view or interpret Geneve headers th= en > it simply forwards like any other IP or UDP packets. > >> > >> > >> > >> This is very similar to how currently routers look into the IP payload > information like TCP/UDP port numbers for flow entropy purposes. If the > packets are encrypted, then routers don=E2=80=99t have visibility into th= e TCP/UDP > port numbers and simply forward based on outer header information. > >> > >> > >> > >> Thanks, > >> > >> Ilango > >> > >> > >> > >> > >> > >> From: Daniel Migault [mailto:daniel.migault@ericsson.com] > >> Sent: Wednesday, March 27, 2019 11:38 AM > >> To: Ganga, Ilango S > >> Cc: NVO3 > >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt - transit devices > >> > >> > >> > >> Hi Illango, > >> > >> > >> > >> Unless i am missing something, I am unclear how the text you provide > answers the questions/concerns, so perhaps you could elaborate and maybe = be > a bit more specific. > >> > >> > >> > >> My first concern was the use case you envision transit devices. The > transit device are supposed to read some Geneve options and process them.= I > expected you provided some example of options as well as some processing. > >> > >> > >> > >> My second concern was how the draft version 12 addresses a concrete > deployment. As a reminder here is the scenario mentioned is below. The > question is how the draft secures such a deployment. > >> > >> > >> > >> The basic scenario could be a Geneve deployment that processes options > >> > >> O_i ( i in [1,,n]) in the NVE and that process option P_j [1, m] in th= e > >> > >> Transit devices. While unprotected O_i and P_j are processed. Securing > >> > >> the deployment with DTLS prevents options P_j to be processed. > >> > >> > >> > >> Yours, > >> > >> Daniel > >> > >> > >> > >> On Wed, Mar 27, 2019 at 2:11 PM Ganga, Ilango S < > ilango.s.ganga@intel.com> wrote: > >> > >> Hi Daniel, > >> > >> > >> > >> We will try to explain the transit devices and example use cases again= . > Hopefully this clarifies your question. > >> > >> > >> > >> >The transit devices seems to me problematic, but maybe I am not reall= y > >> > >> >catching what is their intent. I might be helpful if you could provid= e > >> > >> >some behaviour the transit devices is expected to implement. Typicall= y > >> > >> >what are the use cases for these transit devices? > >> > >> Transit devices exist in the underlay network, these are simply > forwarding elements (e.g. switches, routers) that generally forward packe= ts > based on outer header information, there is nothing that stops such devic= es > from reading or interpreting the contents. At present, this works with a= ny > transport protocols (encapsulated or non-encapsulated), for example, IP, = IP > in IP, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc. For example, routers > (transit device) may look at headers and/or inner payload for ECMP purpos= es > or for statistics or logging purposes. If the packet is encrypted then su= ch > transit devices cannot look into the packets but would simply forward bas= ed > on the outer headers and use information in outer headers for entropy. > There is no interoperability issue between the endpoints. Geneve is no > different. > >> > >> Recognizing the fact that such a device will exist in the network, > Geneve draft provides guidance on how to handle Geneve headers (if a devi= ce > has the option to do so). Geneve options are part of Geneve header, a > transit device that is capable of interpreting Geneve headers may interpr= et > an option or skip over the option to view the payload, etc. If a transit > device is either unable to, or does not need to interpret the Geneve head= er > (which may or may not include options), it simply uses the outer header t= o > forward the packet (outer IP/UDP). This is what the Geneve draft clarifie= s. > >> > >> These guidelines reduce possible interoperability issues compared to i= f > behavior was left undefined. For example, transit devices are not allowed > to drop packets or fall back to a slow path on the basis of an unknown > option. If this were to happen, it would hamper the introduction of new > options. > >> > >> Thanks, > >> > >> Ilango > >> > >> > >> > >> > >> > >> From: Daniel Migault [mailto:daniel.migault@ericsson.com] > >> Sent: Wednesday, March 20, 2019 1:58 PM > >> To: Ganga, Ilango S > >> Cc: NVO3 > >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt - transit devices > >> > >> > >> > >> Hi, > >> > >> > >> > >> I am looking at the version 12 and see how it address my concern, > >> > >> regarding the transit devices and the compatibility with end to end > >> > >> security. Could you please point out how the text address this concern= ? > >> > >> > >> > >> The basic scenario could be a Geneve deployment that processes options > >> > >> O_i ( i in [1,,n]) in the NVE and that process option P_j [1, m] in th= e > >> > >> Transit devices. While unprotected O_i and P_j are processed. Securing > >> > >> the deployment with DTLS prevents options P_j to be processed. I am > >> > >> unclear how the version 12 address this concern. > >> > >> > >> > >> The transit devices seems to me problematic, but maybe I am not really > >> > >> catching what is their intent. I might be helpful if you could provide > >> > >> some behaviour the transit devices is expected to implement. Typically > >> > >> what are the use cases for these transit devices? > >> > >> > >> > >> > >> > >> Transit devices exist in the underlay network, these are simply > forwarding elements (e.g. switches, routers) that generally forwards > packets based on outer header information, there is nothing that stops su= ch > devices from reading or interpreting the contents. At present, this work= s > with any transport protocols (encapsulated or non-encapsulated), for > example, IP, IP in IP, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc. For > example, routers may look at headers and/or inner payload for ECMP purpos= es > or for statistics or logging purposes. If the packet is encrypted then su= ch > transit devices cannot look into the packets but would simply forward bas= ed > on the outer headers and use information in outer headers for entropy. > There is no interoperability issue between the endpoints. Geneve is no > different. > >> > >> Recognizing the fact that such a device will exist in the network, > Geneve draft provides guidance on how to handle Geneve headers (if a devi= ce > has the option to do so). Geneve options are part of Geneve header, a > transit device that is capable of interpreting Geneve headers may interpr= et > an option or skip over the option to view the payload, etc. If a transit > device is either unable to, or don=E2=80=99t have the option to interpret= the > header or option, it simply uses the outer header to forward the packet > (outer IP/UDP). This is what the Geneve draft clarifies. > >> > >> These guidelines reduce possible interoperability issues compared to i= f > behavior was left undefined. For example, transit devices are not allowed > to drop packets or fall back to a slow path on the basis of an unknown > option. If this were to happen, it would hamper the introduction of new > options. > >> > >> It might also be worth mentioning that anything that could be > considered a middlebox is not a transit device but needs to be modeled as > an endpoint. For example, if a middle box has a need to see an encrypted > packet, then it has to implement tunnel endpoint functionality. > >> > >> > >> > >> > >> > >> Yours, > >> > >> Daniel > >> > >> > >> > >> > >> > >> On Mon, Mar 11, 2019 at 7:20 PM Ganga, Ilango S < > ilango.s.ganga@intel.com> wrote: > >> > >> Hi Daniel, > >> > >> > >> > >> We posted a new version of the draft that we believe addresses your > comment on options processing. > >> > >> We have already provided clarification on the role transit devices as > noted in this thread below. > >> > >> > >> > >> Thanks, > >> Ilango > >> > >> > >> > >> > >> > >> From: Daniel Migault [mailto:daniel.migault@ericsson.com] > >> Sent: Friday, March 8, 2019 6:51 PM > >> To: Ganga, Ilango S > >> Cc: NVO3 > >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt - transit devices > >> > >> > >> > >> Hi, > >> > >> > >> > >> Thanks for the comment. Let me first recap my perception of the > >> > >> discussion. My comment was that end-to-end security (IPsec, DTLS) does > >> > >> not apply to Geneve with transit device. Your previous response was th= at > >> > >> Geneve was an end-to-end protocol since transit device are optional. M= y > >> > >> response was that an architecture that defines elements even optional > >> > >> that interfere between the two end points contradicts the status of > >> > >> end-to-end protocol. At that time my understanding was that the > >> > >> specification was targeting an end-to-end protocol, with transit devic= es > >> > >> with very limited capabilities. Thus I proposed to removed the transit > >> > >> devices from the architecture. These would have been a great step > toward a > >> > >> end-to-end architecture. However, from the current response, it > >> > >> seems that transit device play an important part in the architecture, > and > >> > >> we are moving backward from the end-to-end protocol. As > >> > >> a result, there is - in my opinion to make a coherent choice to make > >> > >> between Geneve architecture and the security associated. This is > >> > >> currently very unclear and contradicting - at least to me reading of t= he > >> > >> geneve specification and the responses I receive to my comments.. > >> > >> > >> > >> My understanding of your latest response - and please correct me > >> > >> if I am wrong - is that transport protocols like IP, > >> > >> IP in IP, GRE or VXLAN among others are used to an architecture with > >> > >> transit nodes. These latter examples show that end-to-end security is > >> > >> incompatible with Geneve and that security in Geneve MUST be handled > >> > >> using options. In addition, these examples seems - up to my > >> > >> understanding - to challenge the optional status of the transit device > >> > >> as well as their ability to read-only does not always seems realistic. > >> > >> > >> > >> Overall, my impression is that Genve is not an end-to-end protocol, > >> > >> end-to-end security protocols such as DTLS or IPsec do not apply > >> > >> realistically. The alternative approach of using option is also > >> > >> compromised by the current specification of Geneve as well as by > >> > >> security documents being opposed. Geneve seems mandated to be unsecure= d. > >> > >> > >> > >> > >> > >> IP is the first protocol you cite. IP enables end-to-end security with > >> > >> IPsec. However there are a few major difference between IPsec and secu= re > >> > >> Geneve communications. > >> > >> 1. - IPsec leave in clear the information that > >> > >> need to be read in transit. This is not the case with Geneve over DTLS > >> > >> or IPsec as even the Geneve Header is encrypted. If we want this > >> > >> information to be accessible to transit device security must be handle= d > >> > >> by geneve security option in order to leave the header in clear text. > >> > >> 2. IPsec/ESP versus IPsec/AH clearly shows that transit elements d= o > not > >> > >> restrict from reading the options. As a result, the transit device are > >> > >> likely to evolve and become more active in the future. As a result, th= e > >> > >> security MUST consider this in early stage and I do not see that met. > >> > >> > >> > >> > >> > >> Yours, > >> > >> Daniel > >> > >> > >> > >> On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S < > ilango.s.ganga@intel.com> wrote: > >> > >> Hi Daniel, > >> > >> > >> > >> Please see my responses inline below. > >> > >> > >> > >> Thanks, > >> > >> Ilango > >> > >> > >> > >> > >> > >> From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Daniel Migault > >> Sent: Monday, March 4, 2019 9:15 AM > >> To: Ganga, Ilango S > >> Cc: nvo3@ietf.org > >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > >> > >> > >> > >> Hi Ilango, > >> > >> > >> > >> Thanks for the response. Please see a concrete example to illustrate m= y > concern > >> > >> for comment 1. For comment 2, it really helped you indicated that > Geneve is expected > >> > >> to be an end-to-end protocol. This will help me update the security > requirement > >> > >> document. However, the current Geneve specification with transit > devices seems - > >> > >> at least to me - to raise an architecture concern as raised in [1]. > >> > >> > >> > >> -- comment 1: > >> > >> > >> > >> Thanks for the feed back. I understand the purpose of keeping option > >> > >> independent one from each other, and favour this is strongly > recommended. > >> > >> However, I am not convinced this applies always. More specifically, in= a > >> > >> context of security, the purpose of a security option may be related t= o > >> > >> another option. Typically, a security option providing authentication = or > >> > >> encryption is potentially authenticating/encryption another option or > >> > >> other information contained in the header. > >> > >> > >> > >> The typical scenario I have in mind would be an authentication option = A > >> > >> authenticating option O. There will clearly some dependencies between = A > >> > >> and O as O could only be used if A has been primarily been validated. > >> > >> The current statement "SHOULD NOT be dependent" enables this. However,= I > >> > >> have concerns regarding the statement "MUST NOT affect the parsing or > >> > >> interpretation". In fact, the output of A, will determine if O should = be > >> > >> dropped or processed normally. In case A shows O is not appropriately > >> > >> authenticated, O might be rejected based on its C value. The ambiguity= I > >> > >> see is that A can be understood as affecting the parsing and > >> > >> interpretation of O or as a pre-processing operation before parsing or > >> > >> interpretation of O. > >> > >> > >> > >> I think, the text needs further clarifications to remove such ambiguit= y. > >> > >> Changing MUST NOT by SHOULD NOT was of course only one proposition and > >> > >> this could be also addressed otherwise. It might be better, I agree, t= o > >> > >> explicitly mention that some options may provide condition on the > >> > >> parsing of the options. This would leave the parsing of the options > unchanged. > >> > >> > >> > >> > >> > >> If I understand your example correctly, you want to have one option > authenticate the contents of another option and if that authentication > fails, drop the option. This would not drop the entire packet unless that > option is critical. Can you give a use case for this? This seems unusual > and not something that is supported by other security protocols such as > IPsec or TLS to the best of our knowledge. > >> > >> > >> > >> I believe a more common outcome of a failed authentication is that the > entire packet would be dropped. As previously noted, the current text doe= s > not preclude this. It seems like going beyond this would result in > significant complexity, both for processing options in this specific case > as well as the possibility of introducing ambiguity in how other options > might be defined or processed as an unintended consequence. Without a > strong use case, this does not seem desirable. > >> > >> > >> > >> > >> > >> -- comment 2: > >> > >> > >> > >> Thanks for the response that clarifies a bit my understanding of the > >> > >> transit devices.. I believe the issue I have is related to the transit > >> > >> devices which I do not see, unless I am wrong, meeting the requirement= s > >> > >> for being OPTIONAL and that seems - at least to me - contradicting the > >> > >> status of end-to-end protocol. As suggested in [1], transit devices > seem to raise > >> > >> architectural concerns that is not needed. > >> > >> > >> > >> You are correct that the text is clear that transit devices are > >> > >> OPTIONAL. However, my understanding of OPTIONAL from 2119 is that ther= e > >> > >> are two sides of it. One is that a vendor may implement it or not, but > >> > >> the other side is that interoperability with other implementations are > >> > >> not affected. In this case, two Geneve endpoints using TLS or IPsec wi= ll > >> > >> not be able to interoperate with an implementation based on transit > >> > >> devices (unless the process being performed by the transit devices is > >> > >> also performed by the NVE). In that sense, I believe OPTIONAL statemen= t > >> > >> is not appropriated here. > >> > >> > >> > >> An implementation with transit devices seems to prevent the > >> > >> interoperability of with an implementation where options are treated > >> > >> by the NVE over a secure channel. If we suppose that NVE and > >> > >> transit devices support the same options, then transit devices are not > >> > >> necessary and could be removed from the specification. If options > >> > >> supported by transit devices are different from those supported by > >> > >> the NVE, interoperability will not be achieved. Transit device will no= t > be > >> > >> able to process the options, resulting in options will be ignored (whi= le > >> > >> being supported by the implementation).. In addition, if the options > >> > >> are critical, the NVE is likely to drop the packet as it does not > support > >> > >> the option. > >> > >> > >> > >> In addition, I have some hard time to understand the end-to-end model > >> > >> with a transit device even optional. I believe that end-to-end protoco= l > >> > >> is a good path, though. However, my understanding of end-to-end protoc= ol > >> > >> is that they should only involve two end points. I see the NVE as end > >> > >> points but the optional transit device does not seems to be one of > >> > >> these. However, to help me understand better this, as it seems Geneve = is > >> > >> similar to other end-to-end protocol, maybe you could provide similar > >> > >> end-to-end protocol that involves a transit devices or something > similar. > >> > >> > >> > >> I also have another clarification regarding transit device. I see thes= e > >> > >> transit devices as adding a lot of complexity to the end-to-end model > >> > >> with little benefits. Typically, as far as I understand, they can only > >> > >> read an option. I am thus wondering whether we should not be better of= f > >> > >> removing them from the specification. This would end up with a clear > >> > >> end-to-end model. Reversely, I do not see anything preventing a vendor > >> > >> to implement them at least for unsecure deployments. Removing them > >> > >> from the specification would leave the transit devices as implementati= on > >> > >> specific. What are actually the benefits of the transit devices that > would > >> > >> justify them to be part of the specification? > >> > >> > >> > >> > >> > >> Transit devices exists in the underlay network, these are simply > forwarding elements (e.g. switches, routers) that generally forwards > packets based on outer header information, there is nothing that stops su= ch > devices from reading the contents if the data is in the clear. This work= s > with any transport protocols like IP, IP in IP, GRE, VXLAN, etc. For > example, routers may look at headers and/or inner payload for ECMP purpos= es > or for statistics or logging purposes. If the packet is encrypted then su= ch > transit devices cannot look into the packets but would simply forward bas= ed > on the outer headers and use information in outer headers for entropy. > There is no interoperability issue between the endpoints. Geneve is no > different. > >> > >> > >> > >> Recognizing the fact that such a device is anyway going to exist in th= e > network, Geneve draft provides guidance on how to handle Geneve headers (= if > a device has the option to do so). Geneve options are part of Geneve > header, a transit device that is capable of interpreting Geneve headers m= ay > interpret an option or skip over the option to view the payload, etc. If= a > transit device is not able interpret the header or option, it has to simp= ly > use the outer header to forward the packet (outer IP/UDP).. This is what > the Geneve draft clarifies. > >> > >> > >> > >> These guidelines reduce possible interoperability issues compared to i= f > behavior was left undefined. For example, transit devices are not allowed > to drop packets or fall back to a slow path on the basis of an unknown > option. If this were to happen, it would hamper the introduction of new > options. It might also be worth mentioning that anything that could be > considered a middlebox is not a transit device but needs to be modeled as > an endpoint and so Geneve really should be viewed as a tunnel > endpoint-to-endpoint protocol. > >> > >> > >> > >> > >> > >> > >> > >> [1] > https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdhcs > >> > >> > >> > >> > >> > >> Yours, > >> > >> Daniel > >> > >> > >> > >> On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S < > ilango.s.ganga@intel.com> wrote: > >> > >> Hi Daniel, > >> > >> > >> > >> Let us be specific. I see that you have two comments on the latest > draft-ietf-nvo3-geneve-09. Please see below for responses to your commen= ts. > >> > >> > >> > >> Comment 1: > >> > >> OLD > >> > >> o An option SHOULD NOT be dependent upon any other option in the > >> > >> packet, i.e., options can be processed independent of one anothe= r. > >> > >> An option MUST NOT affect the parsing or interpretation of any > >> > >> other option. > >> > >> > >> > >> NEW > >> > >> > >> > >> o An option SHOULD NOT be dependent upon any other option in the > >> > >> packet, i.e., options can be processed independent of one anothe= r. > >> > >> An option SHOULD NOT affect the parsing or interpretation of any > >> > >> other option. > >> > >> > >> > >> > >> > >> Architecturally Geneve options can be processed independent of one > another. The second statement clearly states that parsing or interpretati= on > of one option must not affect the other. This is a reasonable constraint > to avoid nested dependencies. Options can be designed to work with the > requirements specified in Geneve. > >> > >> > >> > >> Let us take specific examples: > >> > >> We could think of a design of a Header Integrity check option (related > to your example). In this case if the header integrity check fails, as a > result the entire header is invalid and hence the most likely outcome of = a > failed check is that the packet being dropped (including any options in > that packet whether parsed/interpreted or not). The current text does not > preclude the packet being dropped as result of failure. > >> > >> > >> > >> It is possible to design options, including any security options, with > these constraints. We don=E2=80=99t see a reason to change this requirem= ent that > may have unintended consequences. > >> > >> > >> > >> Comment 2: > >> > >> > >> > >> NEW > >> > >> Security Consideration > >> > >> > >> > >> Geneve Overlay may be secured using by protecting the NVE-to-NVE > >> > >> communication using IPsec or DTLS. However, such mechanisms cannot be > >> > >> applied for deployments that include transit devices... > >> > >> > >> > >> Some deployment may not be able to secure the full communication using > >> > >> IPsec or DTLS between the NVEs. This could be motivated by the presenc= e > >> > >> of transit devices or by a risk analysis that concludes that the Genev= e > >> > >> packet be only partially protected - typically reduced to the Geneve > >> > >> Header information. In such cases Geneve specific mechanisms needs to = be > >> > >> designed. > >> > >> > >> > >> The challenge is, you are asking to impose requirements that > is not supported by Geneve architecture. Geneve has an optional feature > where transit devices may be able to interpret Geneve options. However th= is > is not a requirement for Geneve operation between tunnel end point to > tunnel end point. We have tried make this very clear by adding clarifying > text during the last two revisions. If the Geneve packet is in the clear > then transit devices may be able to view the Genve header, options, and t= he > payload. However if the packet is encrypted then transit devices cannot > view the packet contents. This is consistent with other transport protoco= ls > encrypting the packets. So we don=E2=80=99t see a reason why Geneve shoul= d be > different. > >> > >> > >> > >> Geneve is an end to end protocol between tunnel endpoints and the NVEs > decide to secure (encrypt) the packets between tunnel endpoints. If a > middle box has a need to see an encrypted packet, then it has to implemen= t > tunnel endpoint functionality. > >> > >> > >> > >> We already have text in 6.4 security consideration section that > provides clear guidance to the operators. > >> > >> > >> > >> So we don=E2=80=99t see a good reason to add the suggested text above. > >> > >> > >> > >> For a complete threat analysis, a security analysis of Geneve or some > >> > >> guide lines to secure a Geneve overlay network, please refer to > >> > >> [draft-mglt-nvo3-geneve-security-requirements] as well as > >> > >> [draft-ietf-nvo3-security-requirements]. > >> > >> > >> > >> > >> > >> The security requirements document makes certain assumptions that is > unsupported by Geneve architecture. We have tried to clarify this multipl= e > times, however you have still maintained this in the requirements documen= t. > So this needs to be addressed. Also the document is not yet adopted by th= e > working group. > >> > >> > >> > >> Moreover, Geneve security consideration section has been significantly > enhanced to provide guidance to operators and to address the comments. So > both documents can progress independently. > >> > >> > >> > >> Thanks, > >> > >> Ilango > >> > >> > >> > >> > >> > >> From: Daniel Migault [mailto:daniel.migault@ericsson.com] > >> Sent: Saturday, March 2, 2019 8:49 AM > >> To: Bocci, Matthew (Nokia - GB) > >> Cc: draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg 40microsoft.com@dmarc.ietf.org>; NVO3 > >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > >> > >> > >> > >> Hi Matt, > >> > >> > >> > >> > >> > >> You are correct, this is at least not an regular process to have a > >> > >> standard track document being updated by an informational. I do not se= e > >> > >> either any requirements for having a WG status to become a reference, > >> > >> but that is something we could confirm with the RFC-editor. > >> > >> > >> > >> Back to the initial suggestion, I also believe the difficulties of > updating > >> > >> the Geneve specifications are far less complex than updating the > >> > >> implementation, and for that specific reason, it would be good we have= a > >> > >> consensus on the security analyse. > >> > >> > >> > >> I agree that WG draft would be better, and RFC would be even better as > >> > >> we have seen WG document being stalled. I am confident we can make thi= s > >> > >> happen or at least I do not see major issues. > >> > >> > >> > >> Yours, > >> > >> Daniel > >> > >> > >> > >> > >> > >> On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) < > matthew.bocci@nokia.com> wrote: > >> > >> WG, Daniel, > >> > >> > >> > >> Apologies but I mis-spoke on the suggestion for the security > requirements to act as an update to the encapsulation RFC in future. This > would be difficult to do as it is informational. > >> > >> > >> > >> Nonetheless I think we should only be referencing a WG draft (at a > minimum) here. > >> > >> > >> > >> Matthew > >> > >> > >> > >> > >> > >> > >> > >> From: Dacheng Zhang on behalf of "Bocci, > Matthew (Nokia - GB)" > >> Date: Friday, 1 March 2019 at 16:24 > >> To: Daniel Migault > >> Cc: "draft-ietf-nvo3-geneve@ietf.org" , > Pankaj Garg , NVO3 > >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > >> > >> > >> > >> Daniel > >> > >> > >> > >> From a procedural perspective, referring to your draft creates a > dependency and that draft has not yet been adopted by the WG. The old > Security requirements framework expired a couple of years ago and does no= t > seem to be being progressed. > >> > >> Maybe a better approach to allow progress, as long as the WG can agree > to your text (if needed) to satisfy the concern that future security > mechanisms can be used, and that the evolving threat analysis is understo= od > by implementers and users of Geneve, would be to mark the Geneve security > requirements as an update to the geneve encapsulation RFC when it is > published. > >> > >> > >> > >> Matthew > >> > >> > >> > >> From: Daniel Migault > >> Date: Friday, 1 March 2019 at 16:11 > >> To: "Bocci, Matthew (Nokia - GB)" > >> Cc: Pankaj Garg , " > draft-ietf-nvo3-geneve@ietf.org" , NVO3 = < > nvo3@ietf.org> > >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > >> > >> > >> > >> Hi Matthew, > >> > >> > >> > >> I am happy to clarify and be more specific. However, despite your > >> > >> reading of [1] I think [1] clearly indicates the changes I expected as > >> > >> well as that these changes needs to be made. > >> > >> > >> > >> I believe the responsibility of not addressing an acknowledged issue i= s > >> > >> more on the side of people ignoring the issue then on the side of the > >> > >> one raising this issue. My impression is that this is the situation we > >> > >> are in. > >> > >> > >> > >> I agree that my initial comment saying "I am fine with the text if we = do > >> > >> not find something better." might have been confusing and I apology fo= r > >> > >> this. At the time of writing the initial comment I was not sure I was > >> > >> not missing something nor that the problem could not be solved here or > >> > >> somewhere else (in another section). My meaning behind those words wer= e > >> > >> that I was open to the way the concerned could be addressed. However, = - > >> > >> from my point of view - the text does not say the issue does not need = to > >> > >> be solved which is the way it has been interpreted. In addition, I > >> > >> believe I have clarified this right away after the concern has been > >> > >> acknowledged and not addressed. As result, I do not think my comment > >> > >> could be reasonably read as the text is fine. > >> > >> > >> > >> Please fine the below the initial comment its response and the respons= e > >> > >> to the response from [1]. > >> > >> > >> > >> """ > >> > >> In case we have a option providing authentication, such option > >> > >> may affect the interpretation of the other options. > >> > >> s/interpretation/ndependance may not be better.... I think what we wan= t > >> > >> to say is that option MUST be able to be processed in any order or in > >> > >> parallel. I am fine with the text if we do not find something better. > >> > >> > >> > >> > >> > >> This is a good point, however we believe that this text > >> > >> captures the intent. > >> > >> > >> > >> The problem I have is that the current text prevents security > >> > >> options, so I guess some clarification should be brought to clarify th= e > >> > >> intent. > >> > >> """ > >> > >> > >> > >> If I had to suggest some text I would suggest the following - or > >> > >> something around the following lines. > >> > >> > >> > >> > >> > >> OLD > >> > >> o An option SHOULD NOT be dependent upon any other option in the > >> > >> packet, i.e., options can be processed independent of one anothe= r. > >> > >> An option MUST NOT affect the parsing or interpretation of any > >> > >> other option. > >> > >> > >> > >> NEW > >> > >> > >> > >> o An option SHOULD NOT be dependent upon any other option in the > >> > >> packet, i.e., options can be processed independent of one anothe= r. > >> > >> An option SHOULD NOT affect the parsing or interpretation of any > >> > >> other option. > >> > >> > >> > >> There are rare cases were the parsing of one option affects the parsin= g > >> > >> or the interpretation of other option. Option related to security may > >> > >> fall into this category. Typically, if an option enables the > >> > >> authentication of another option and the authentication does not > >> > >> succeed, the authenticated option MUST NOT be processed. Other options > >> > >> may be designed in the future. > >> > >> > >> > >> NEW > >> > >> Security Consideration > >> > >> > >> > >> Geneve Overlay may be secured using by protecting the NVE-to-NVE > >> > >> communication using IPsec or DTLS. However, such mechanisms cannot be > >> > >> applied for deployments that include transit devices. > >> > >> > >> > >> Some deployment may not be able to secure the full communication using > >> > >> IPsec or DTLS between the NVEs. This could be motivated by the presenc= e > >> > >> of transit devices or by a risk analysis that concludes that the Genev= e > >> > >> packet be only partially protected - typically reduced to the Geneve > >> > >> Header information. In such cases Geneve specific mechanisms needs to = be > >> > >> designed. > >> > >> > >> > >> For a complete threat analysis, a security analysis of Geneve or some > >> > >> guide lines to secure a Geneve overlay network, please refer to > >> > >> [draft-mglt-nvo3-geneve-security-requirements] as well as > >> > >> [draft-ietf-nvo3-security-requirements]. > >> > >> > >> > >> For full disclosure I am a co-author of > >> > >> draft-mglt-nvo3-geneve-security-requirement. However the reason for > >> > >> referring to these documents is motivated by the fact that I believe > >> > >> these analysis provide a better security analysis than the current (OL= D) > >> > >> security consideration section. > >> > >> > >> > >> Yours, > >> > >> Daniel > >> > >> > >> > >> > >> > >> On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) < > matthew.bocci@nokia.com> wrote: > >> > >> Hi Daniel > >> > >> > >> > >> Thanks for reviewing the latest version. At this stage it would be > helpful if you could be much more concrete and give specifics. > >> > >> > >> > >> I think that the main issue is whether the design of Geneve prevents > future security extensions. > >> > >> > >> > >> However, in [1], you stated that you were comfortable with the text if > nothing else could be found. > >> > >> > >> > >> What specifically do you want to change in the following, bearing in > mind that there are already claimed implementations of Geneve: > >> > >> """ > >> > >> o An option SHOULD NOT be dependent upon any other option in the > >> > >> packet, i.e., options can be processed independent of one anothe= r. > >> > >> An option MUST NOT affect the parsing or interpretation of any > >> > >> other option. > >> > >> """ > >> > >> > >> > >> > >> > >> Matthew > >> > >> > >> > >> > >> > >> From: Daniel Migault > >> Date: Friday, 1 March 2019 at 03:06 > >> To: Pankaj Garg > >> Cc: "Bocci, Matthew (Nokia - GB)" , NVO3 < > nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" < > draft-ietf-nvo3-geneve@ietf.org> > >> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > >> > >> > >> > >> Hi, > >> > >> > >> > >> I just briefly went through the document quickly and in my opinion, th= e > document still faces some security issues. > >> > >> > >> > >> The current text (in my opinion) prevents any geneve security related > >> > >> options. Currently Geneve cannot be secured and this prevents future > >> > >> work to eventually secure Geneve. In my opinion the current text > >> > >> mandates Geneve to remain unsecure. > >> > >> > >> > >> Geneve security option that are willing to authenticate/encrypt a part > >> > >> of the Geneve Header will affect the parsing of the protected option a= nd > >> > >> will affect the order in which option needs to be process. Typically a > >> > >> protected option (authenticated, encrypted) cannot or should not be > >> > >> processed before authenticated or decrypted. > >> > >> > >> > >> This has already been mentioned in [1], and the text needs in my opini= on > >> > >> further clarifications. > >> > >> > >> > >> """ > >> > >> o An option SHOULD NOT be dependent upon any other option in the > >> > >> packet, i.e., options can be processed independent of one anothe= r. > >> > >> An option MUST NOT affect the parsing or interpretation of any > >> > >> other option. > >> > >> """ > >> > >> > >> > >> > >> > >> > >> > >> As stated in [2] it remains unclear to me why this section is not > >> > >> referencing and leveraging on the security analysis [3-4] performed by > >> > >> two different independent teams... > >> > >> > >> > >> My reading of the security consideration is that the message is that > >> > >> IPsec or TLS could be used to protect a geneve overlay network. This i= s > >> > >> - in my opinion- not correct as this does not consider the transit > >> > >> device. In addition, the security consideration only considers the cas= e > >> > >> where the cloud provider and the overlay network provider are a single > >> > >> entity, which I believe oversimplifies the problem. > >> > >> > >> > >> The threat model seems to me very vague, so the current security > >> > >> consideration is limited to solving a problem that is not stated. > >> > >> > >> > >> My reading of the text indicates the tenant can handle by itself the > >> > >> confidentiality of its information without necessarily relying on the > >> > >> overlay service provider. This is not correct. Even when the tenant us= es > >> > >> IPsec/TLS, it still leaks some information. The current text contradic= ts > >> > >> [3] section 6.2 and [4] section 5.1. > >> > >> > >> > >> My reading is that the text indicates that IPsec/DTLS could be used to > >> > >> protect the overlay service for both confidentiality and integrity. > >> > >> While this could be used in some deployment this is not compatible wit= h > >> > >> transit devices. As such the generic statement is not correct. Section > >> > >> 6.4 indicates that transit device must be trusted which is incorrect. > >> > >> Instead the transit device with all nodes between the transit device a= nd > >> > >> the NVE needs to be trusted. Overall the impression provided is that > >> > >> IPsec (or TLS) can be used by the service overlay provider, which is (= in > >> > >> my opinion) not true. > >> > >> > >> > >> It is unclear to me how authentication of NVE peers differs from the > >> > >> authentication communication as the latest usually rely on the first. > >> > >> Maybe the section should insist on mutual authentication. > >> > >> > >> > >> Yours, > >> > >> Daniel > >> > >> > >> > >> > >> > >> [1] > https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9o > >> > >> [2] > https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSGw > >> > >> [3] > https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07 > >> > >> [4] > https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-= 05 > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg 40microsoft.com@dmarc.ietf.org> wrote: > >> > >> I am not aware of any IP related to draft-ietf-nvo3-geneve which has > not already been disclosed. > >> > >> > >> > >> Thanks > >> > >> Pankaj > >> > >> > >> > >> From: Bocci, Matthew (Nokia - GB) > >> Sent: Tuesday, October 9, 2018 2:08 AM > >> To: NVO3 > >> Cc: draft-ietf-nvo3-geneve@ietf.org > >> Subject: Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > >> > >> > >> > >> This email begins a two-week working group last call for > draft-ietf-nvo3-geneve-08.txt. > >> > >> > >> > >> Please review the draft and post any comments to the NVO3 working grou= p > list. If you have read the latest version of the draft but have no commen= ts > and believe it is ready for publication as a standards track RFC, please > also indicate so to the WG email list. > >> > >> > >> > >> We are also polling for knowledge of any undisclosed IPR that applies > to this document, to ensure that IPR has been disclosed in compliance wit= h > IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). > >> > >> If you are listed as an Author or a Contributor of this document, > please respond to this email and indicate whether or not you are aware of > any relevant undisclosed IPR. The Document won't progress without answers > from all the Authors and Contributors. > >> > >> > >> > >> Currently there are two IPR disclosures against this document. > >> > >> > >> > >> If you are not listed as an Author or a Contributor, then please > explicitly respond only if you are aware of any IPR that has not yet been > disclosed in conformance with IETF rules. > >> > >> > >> > >> This poll will run until Friday 26th October. > >> > >> > >> > >> Regards > >> > >> > >> > >> Matthew and Sam > >> > >> _______________________________________________ > >> nvo3 mailing list > >> nvo3@ietf.org > >> https://www.ietf.org/mailman/listinfo/nvo3 > >> > >> _______________________________________________ > >> nvo3 mailing list > >> nvo3@ietf.org > >> https://www.ietf.org/mailman/listinfo/nvo3 > >> > >> _______________________________________________ > >> nvo3 mailing list > >> nvo3@ietf.org > >> https://www.ietf.org/mailman/listinfo/nvo3 > >> > >> _______________________________________________ > >> nvo3 mailing list > >> nvo3@ietf.org > >> https://www.ietf.org/mailman/listinfo/nvo3 > >> > >> _______________________________________________ > >> nvo3 mailing list > >> nvo3@ietf.org > >> https://www.ietf.org/mailman/listinfo/nvo3 > >> > >> _______________________________________________ > >> nvo3 mailing list > >> nvo3@ietf.org > >> https://www.ietf.org/mailman/listinfo/nvo3 > >> > >> _______________________________________________ > >> nvo3 mailing list > >> nvo3@ietf.org > >> https://www.ietf.org/mailman/listinfo/nvo3 > >> > >> _______________________________________________ > >> nvo3 mailing list > >> nvo3@ietf.org > >> https://www.ietf.org/mailman/listinfo/nvo3 > > > > _______________________________________________ > > nvo3 mailing list > > nvo3@ietf.org > > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > --000000000000db246f0585a1eebe Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Jesse,

Thanks for the response. I am definitively willing to under= stand these
transit devices to move forward the geneve specificat= ion as well as
associated security documents. I do not see them m= entioned in in=C2=A0
RFC 8014 but maybe a different terminology i= s used or I am reading=C2=A0
the wrong document.=C2=A0
=
From your response, I understand that transit devices will b= e part of
the deployments and inspect the Geneve Header. What wou= ld be clarifying
to me is:

1) what is a = typical behavior for such transit devices, what
Geneve informatio= n will they look at, what would be the outcome.
Currently I have = not seen a use case for it.

2) I am not so familia= r with routing, be my understanding is that router
forwards based= on unprotected information. One reason is that end points
may no= t share some specific context with these intermediary nodes. In
t= he case of Geneve, the main issue I have, is to understand the relation
between NVE and transit devices. It is fairly easy to have a key
exchange between two NVEs, but this is very difficult to have a key<= /div>
exchange between NVEs and transit devices. In my view - and I mig= ht be
completely wrong - NVEs should not be aware of transit devi= ces that are
on-path. This would mean that that Geneve option acc= essed by the NVE
could be left unprotected or NVE will be configu= red by an admin to
protect these options in a certain way. This w= ill avoid a key
negotiation between the NVEs to consider the tran= sit devices.

If we do not have any valid use case,= removing transit devices from the
Geneve specification would wor= k for me, or add a section in the security
consideration to avoid= ossification.

If we assume there is a valid use c= ase, I am wondering if the following
assumptions seem reasonable = to you. If that does not seem reasonable,
feel free to let me kno= w what is not acceptable:

* Geneve is an end-to-en= d protocol between two NVE.
* transit device are intermediary nod= es NVE may not know their existence.
* transit devices may access= certain Geneve Options.
* The specification of Geneve Options MU= ST specify whether the option is
made visible to the transit devi= ce or only to the NVE.
* Geneve Options made visible to transit d= evices are configured in the
NVE.

* The = protection of the Geneve information accessed to the transit
devi= ce is left to the underlay infrastructure, or configuration by an
admin. It may remain un-protected by Geneve, but could also be protected
by an option. However, it remains outside the scope of the NVE.

* NVEs may agree on cryptographic material via a Key= Exchange Protocol
but the protection of information accessed by = transit devices is
outside the scope of that cryptographic materi= al.

* Because we have two classes of options, thos= e read (processed) by the transit
=C2=A0devices and those process= ed by the NVE. The security of Geneve needs to
involve a mechanis= ms based on security options ( similar to IPsec) in
the general c= ase. On the other hand, when transit devices are not
deployed DTL= S could be used as an alternative. As this document does not
desc= ribes any Geneve Options DTLS can be used here.

* = In order to prevent transit devices to interfere and ossify Geneve,
traffic that is not understood MUST be bypassed.

Yours,
Daniel


=C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0

On Tue, Apr 2, 2019 at 10:= 46 PM Jesse Gross <jesse@kernel.org<= /a>> wrote:
D= aniel,

Speaking as a member of the working group rather than as a coauthor, I
think there is confusion about the NVO3 architecture that is
independent of Geneve.

Transit devices are not middle boxes. They are routers and switches,
used to move packets between endpoints in an L3 network. This is
fundamental to the NVO3 architecture and to remove them is not
possible.

What would be possible is to remove mention of them from the protocol
document. However, transit devices would continue to exist and would
still be able to read unencrypted packets. Again, there is no getting
around this. The only way to prevent transit devices from interacting
with packets at the encapsulation layer and above is through the use
of end-to-end encryption.

What the Geneve draft does do is provide guidelines for how these
transit devices should behave to ensure that they are good citizens.
For example, routers today look into packets beyond the IP header and
it's likely that this will continue when encapsulation is in use. The Geneve draft specifies that if they do this, they must not drop or
slow path packets even if they encounter unknown options. Describing
this behavior is not incoherence in the architecture - it is a method
of ensuring that the protocol remains flexible for end-to-end users.

Jesse

On Tue, Apr 2, 2019 at 1:57 PM Daniel Migault
<daniel= .migault@ericsson.com> wrote:
>
> Hi Ilango,
>
> Thanks for the response. The use case of ECMP to justify transit devic= es
> does not seem - to my understanding aligned with RFC6438 which indicat= es
> TLV is inconvenient for ECMP or LAG, and that flow label should be use= d
> instead.
> In addition, the problem of ossification by transit devices is not he<= br> > ability to bypass DTLS traffic, but rather the ability to detect a
> packet is a Geneve packet.
>
> Unless I misunderstood the use case, it does not seem sufficient (at > least to me) to balance the complexity introduced by transit devices,<= br> > i.e. negotiation with middle boxes, protocol ossification, incoherence=
> in the architecture. I would be happy to hear what the WG thinks about=
> it.
>
> Following the analogy with IPv6 to determine what options could be use= d
> by transit devices, RFC4306 lists hop-by-hop, routing, and fragmentati= on
> extension headers. RFC 2460 seems to limit that to hop-by-hops. From > hop-by-hop options I do not see equivalence for transit devices with > padding, jumbo or router alert options [1]
>
> Yours,
> Daniel
>
> [1] https://www.iana.org/= assignments/ipv6-parameters/ipv6-parameters.xhtml
>
>
>
> On Wed, Mar 27, 2019 at 9:35 PM Ganga, Ilango S <ilango.s.ganga@intel.com>= ; wrote:
>>
>> Hi Daniel,
>>
>>
>>
>> Here is a specific example use case:
>>
>> A router (transit device) could use information in the Geneve head= er for ECMP purposes. For example, an option could carry flow context and t= he router may look at Geneve header information, such as VNI and/or flow co= ntext (Flow ID) in an option or may skip over the options and use informati= on in payload for ECMP purposes.=C2=A0 However if the NVEs decide to secure= the packet with for example DTLS, in this case, the transit devices will f= orward packets as any other UDP packets. It is not a requirement that trans= it devices must see Geneve header information for its normal operation; if = a transit device cannot view or interpret Geneve headers then it simply for= wards like any other IP or UDP packets.
>>
>>
>>
>> This is very similar to how currently routers look into the IP pay= load information like TCP/UDP port numbers for flow entropy purposes. If th= e packets are encrypted, then routers don=E2=80=99t have visibility into th= e TCP/UDP port numbers and simply forward based on outer header information= .
>>
>>
>>
>> Thanks,
>>
>> Ilango
>>
>>
>>
>>
>>
>> From: Daniel Migault [mailto:daniel.migault@ericsson.com]
>> Sent: Wednesday, March 27, 2019 11:38 AM
>> To: Ganga, Ilango S <ilango.s.ganga@intel.com>
>> Cc: NVO3 <nv= o3@ietf.org>
>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft= -ietf-nvo3-geneve-08.txt - transit devices
>>
>>
>>
>> Hi Illango,
>>
>>
>>
>> Unless i am missing something, I am unclear how the text you provi= de answers the questions/concerns, so perhaps you could elaborate and maybe= be a bit more specific.
>>
>>
>>
>> My first concern was the use case you envision transit devices. Th= e transit device are supposed to read some Geneve options and process them.= I expected you provided some example of options as well as some processing= .
>>
>>
>>
>> My second concern was how the draft version 12 addresses a concret= e deployment. As a reminder here is the scenario mentioned is below. The qu= estion is how the draft secures such a deployment.
>>
>>
>>
>> The basic scenario could be a Geneve deployment that processes opt= ions
>>
>> O_i ( i in [1,,n]) in the NVE and that process option P_j [1, m] i= n the
>>
>> Transit devices. While unprotected O_i and P_j are processed. Secu= ring
>>
>> the deployment with DTLS prevents options P_j to be processed.
>>
>>
>>
>> Yours,
>>
>> Daniel
>>
>>
>>
>> On Wed, Mar 27, 2019 at 2:11 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:
>>
>> Hi Daniel,
>>
>>
>>
>> We will try to explain the transit devices and example use cases a= gain. Hopefully this clarifies your question.
>>
>>
>>
>> >The transit devices seems to me problematic, but maybe I am no= t really
>>
>> >catching what is their intent. I might be helpful if you could= provide
>>
>> >some behaviour the transit devices is expected to implement. T= ypically
>>
>> >what are the use cases for these transit devices?
>>
>> Transit devices exist in the underlay network, these are simply fo= rwarding elements (e.g. switches, routers) that generally forward packets b= ased on outer header information, there is nothing that stops such devices = from reading or interpreting the contents.=C2=A0 At present, this works wit= h any transport protocols (encapsulated or non-encapsulated), for example, = IP, IP in IP, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc.=C2=A0 For example, = routers (transit device) may look at headers and/or inner payload for ECMP = purposes or for statistics or logging purposes. If the packet is encrypted = then such transit devices cannot look into the packets but would simply for= ward based on the outer headers and use information in outer headers for en= tropy. There is no interoperability issue between the endpoints. Geneve is = no different.
>>
>> Recognizing the fact that such a device will exist in the network,= Geneve draft provides guidance on how to handle Geneve headers (if a devic= e has the option to do so).=C2=A0 Geneve options are part of Geneve header,= a transit device that is capable of interpreting Geneve headers may interp= ret an option or skip over the option to view the payload, etc.=C2=A0 If a = transit device is either unable to, or does not need to interpret the Genev= e header (which may or may not include options), it simply uses the outer h= eader to forward the packet (outer IP/UDP). This is what the Geneve draft c= larifies.
>>
>> These guidelines reduce possible interoperability issues compared = to if behavior was left undefined. For example, transit devices are not all= owed to drop packets or fall back to a slow path on the basis of an unknown= option. If this were to happen, it would hamper the introduction of new op= tions.
>>
>> Thanks,
>>
>> Ilango
>>
>>
>>
>>
>>
>> From: Daniel Migault [mailto:daniel.migault@ericsson.com]
>> Sent: Wednesday, March 20, 2019 1:58 PM
>> To: Ganga, Ilango S <ilango.s.ganga@intel.com>
>> Cc: NVO3 <nv= o3@ietf.org>
>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft= -ietf-nvo3-geneve-08.txt - transit devices
>>
>>
>>
>> Hi,
>>
>>
>>
>> I am looking at the version 12 and see how it address my concern,<= br> >>
>> regarding the transit devices and the compatibility with end to en= d
>>
>> security. Could you please point out how the text address this con= cern ?
>>
>>
>>
>> The basic scenario could be a Geneve deployment that processes opt= ions
>>
>> O_i ( i in [1,,n]) in the NVE and that process option P_j [1, m] i= n the
>>
>> Transit devices. While unprotected O_i and P_j are processed. Secu= ring
>>
>> the deployment with DTLS prevents options P_j to be processed. I a= m
>>
>> unclear how the version 12 address this concern.
>>
>>
>>
>> The transit devices seems to me problematic, but maybe I am not re= ally
>>
>> catching what is their intent. I might be helpful if you could pro= vide
>>
>> some behaviour the transit devices is expected to implement. Typic= ally
>>
>> what are the use cases for these transit devices?
>>
>>
>>
>> <Response>
>>
>> Transit devices exist in the underlay network, these are simply fo= rwarding elements (e.g. switches, routers) that generally forwards packets = based on outer header information, there is nothing that stops such devices= from reading or interpreting the contents.=C2=A0 At present, this works wi= th any transport protocols (encapsulated or non-encapsulated), for example,= IP, IP in IP, GRE, VXLAN, MPLS in UDP, GRE-in-UDP, etc.=C2=A0 For example,= routers may look at headers and/or inner payload for ECMP purposes or for = statistics or logging purposes. If the packet is encrypted then such transi= t devices cannot look into the packets but would simply forward based on th= e outer headers and use information in outer headers for entropy. There is = no interoperability issue between the endpoints. Geneve is no different. >>
>> Recognizing the fact that such a device will exist in the network,= Geneve draft provides guidance on how to handle Geneve headers (if a devic= e has the option to do so).=C2=A0 Geneve options are part of Geneve header,= a transit device that is capable of interpreting Geneve headers may interp= ret an option or skip over the option to view the payload, etc.=C2=A0 If a = transit device is either unable to, or don=E2=80=99t have the option to int= erpret the header or option, it simply uses the outer header to forward the= packet (outer IP/UDP). This is what the Geneve draft clarifies.
>>
>> These guidelines reduce possible interoperability issues compared = to if behavior was left undefined. For example, transit devices are not all= owed to drop packets or fall back to a slow path on the basis of an unknown= option. If this were to happen, it would hamper the introduction of new op= tions.
>>
>> It might also be worth mentioning that anything that could be cons= idered a middlebox is not a transit device but needs to be modeled as an en= dpoint. For example, if a middle box has a need to see an encrypted packet,= then it has to implement tunnel endpoint functionality.
>>
>> </end of response>
>>
>>
>>
>> Yours,
>>
>> Daniel
>>
>>
>>
>>
>>
>> On Mon, Mar 11, 2019 at 7:20 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:
>>
>> Hi Daniel,
>>
>>
>>
>> We posted a new version of the draft that we believe addresses you= r comment on options processing.
>>
>> We have already provided clarification on the role transit devices= as noted in this thread below.
>>
>>
>>
>> Thanks,
>> Ilango
>>
>>
>>
>>
>>
>> From: Daniel Migault [mailto:daniel.migault@ericsson.com]
>> Sent: Friday, March 8, 2019 6:51 PM
>> To: Ganga, Ilango S <ilango.s.ganga@intel.com>
>> Cc: NVO3 <nv= o3@ietf.org>
>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft= -ietf-nvo3-geneve-08.txt - transit devices
>>
>>
>>
>> Hi,
>>
>>
>>
>> Thanks for the comment. Let me first recap my perception of the >>
>> discussion. My comment was that end-to-end security (IPsec, DTLS) = does
>>
>> not apply to Geneve with transit device. Your previous response wa= s that
>>
>> Geneve was an end-to-end protocol since transit device are optiona= l. My
>>
>> response was that an architecture that defines elements even optio= nal
>>
>> that interfere between the two end points contradicts the status o= f
>>
>> end-to-end protocol. At that time my understanding was that the >>
>> specification was targeting an end-to-end protocol, with transit d= evices
>>
>> with very limited capabilities. Thus I proposed to removed the tra= nsit
>>
>> devices from the architecture. These would have been a great step = toward a
>>
>> end-to-end architecture. However, from the current response, it >>
>> seems that transit device play an important part in the architectu= re, and
>>
>> we are moving backward from the end-to-end protocol. As
>>
>> a result, there is - in my opinion to make a coherent choice to ma= ke
>>
>> between Geneve architecture and the security associated. This is >>
>> currently very unclear and contradicting - at least to me reading = of the
>>
>> geneve specification and the responses I receive to my comments..<= br> >>
>>
>>
>> My understanding of your latest response - and please correct me >>
>> if I am wrong - is that transport protocols like IP,
>>
>> IP in IP, GRE or VXLAN=C2=A0 among others are used to an architect= ure with
>>
>> transit nodes.=C2=A0 These latter examples show that end-to-end se= curity is
>>
>> incompatible with Geneve and that security in Geneve MUST be handl= ed
>>
>> using options. In addition, these examples seems - up to my
>>
>> understanding - to challenge the optional status of the transit de= vice
>>
>> as well as their ability to read-only does not always seems realis= tic.
>>
>>
>>
>> Overall, my impression is that Genve is not an end-to-end protocol= ,
>>
>> end-to-end security protocols such as DTLS or IPsec do not apply >>
>> realistically. The alternative approach of using option is also >>
>> compromised by the current specification of Geneve as well as by >>
>> security documents being opposed. Geneve seems mandated to be unse= cured.
>>
>>
>>
>>
>>
>> IP is the first protocol you cite. IP enables end-to-end security = with
>>
>> IPsec. However there are a few major difference between IPsec and = secure
>>
>> Geneve communications.
>>
>>=C2=A0 =C2=A0 =C2=A01. - IPsec leave in clear the information that<= br> >>
>> need to be read in transit. This is not the case with Geneve over = DTLS
>>
>> or IPsec as even the Geneve Header is encrypted. If we want this >>
>> information to be accessible to transit device security must be ha= ndled
>>
>> by geneve security option in order to leave the header in clear te= xt.
>>
>>=C2=A0 =C2=A0 =C2=A02. IPsec/ESP versus IPsec/AH clearly shows that= transit elements do not
>>
>> restrict from reading the options. As a result, the transit device= are
>>
>> likely to evolve and become more active in the future. As a result= , the
>>
>> security MUST consider this in early stage and I do not see that m= et.
>>
>>
>>
>>
>>
>> Yours,
>>
>> Daniel
>>
>>
>>
>> On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S <ilango.s.ganga@intel.com= > wrote:
>>
>> Hi Daniel,
>>
>>
>>
>> Please see my responses inline below.
>>
>>
>>
>> Thanks,
>>
>> Ilango
>>
>>
>>
>>
>>
>> From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Daniel Migault
>> Sent: Monday, March 4, 2019 9:15 AM
>> To: Ganga, Ilango S <ilango.s.ganga@intel.com>
>> Cc: nvo3@ietf.o= rg
>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft= -ietf-nvo3-geneve-08.txt
>>
>>
>>
>> Hi Ilango,
>>
>>
>>
>> Thanks for the response. Please see a concrete example to illustra= te my concern
>>
>> for comment 1. For comment 2, it really helped you indicated that = Geneve is expected
>>
>> to be an end-to-end protocol. This will help me update the securit= y requirement
>>
>> document. However, the current Geneve specification with transit d= evices seems -
>>
>> at least to me - to raise an architecture concern as raised in [1]= .
>>
>>
>>
>> -- comment 1:
>>
>>
>>
>> Thanks for the feed back. I understand the purpose of keeping opti= on
>>
>> independent one from each other, and favour this is strongly recom= mended.
>>
>> However, I am not convinced this applies always. More specifically= , in a
>>
>> context of security, the purpose of a security option may be relat= ed to
>>
>> another option. Typically, a security option providing authenticat= ion or
>>
>> encryption is potentially authenticating/encryption another option= or
>>
>> other information contained in the header.
>>
>>
>>
>> The typical scenario I have in mind would be an authentication opt= ion A
>>
>> authenticating option O. There will clearly some dependencies betw= een A
>>
>> and O as O could only be used if A has been primarily been validat= ed.
>>
>> The current statement "SHOULD NOT be dependent" enables = this. However, I
>>
>> have concerns regarding the statement "MUST NOT affect the pa= rsing or
>>
>> interpretation". In fact, the output of A, will determine if = O should be
>>
>> dropped or processed normally. In case A shows O is not appropriat= ely
>>
>> authenticated, O might be rejected based on its C value. The ambig= uity I
>>
>> see is that A can be understood as affecting the parsing and
>>
>> interpretation of O or as a pre-processing operation before parsin= g or
>>
>> interpretation of O.
>>
>>
>>
>> I think, the text needs further clarifications to remove such ambi= guity.
>>
>> Changing MUST NOT by SHOULD NOT was of course only one proposition= and
>>
>> this could be also addressed otherwise. It might be better, I agre= e, to
>>
>> explicitly mention that some options may provide condition on the<= br> >>
>> parsing of the options. This would leave the parsing of the option= s unchanged.
>>
>>
>>
>> <Ilango>
>>
>> If I understand your example correctly, you want to have one optio= n authenticate the contents of another option and if that authentication fa= ils, drop the option. This would not drop the entire packet unless that opt= ion is critical. Can you give a use case for this? This seems unusual and n= ot something that is supported by other security protocols such as IPsec or= TLS to the best of our knowledge.
>>
>>
>>
>> I believe a more common outcome of a failed authentication is that= the entire packet would be dropped. As previously noted, the current text = does not preclude this. It seems like going beyond this would result in sig= nificant complexity, both for processing options in this specific case as w= ell as the possibility of introducing ambiguity in how other options might = be defined or processed as an unintended consequence. Without a strong use = case, this does not seem desirable.
>>
>> </>
>>
>>
>>
>> -- comment 2:
>>
>>
>>
>> Thanks for the response that clarifies a bit my understanding of t= he
>>
>> transit devices.. I believe the issue I have is related to the tra= nsit
>>
>> devices which I do not see, unless I am wrong, meeting the require= ments
>>
>> for being OPTIONAL and that seems - at least to me - contradicting= the
>>
>> status of end-to-end protocol. As suggested in [1], transit device= s seem to raise
>>
>> architectural concerns that is not needed.
>>
>>
>>
>> You are correct that the text is clear that transit devices are >>
>> OPTIONAL. However, my understanding of OPTIONAL from 2119 is that = there
>>
>> are two sides of it. One is that a vendor may implement it or not,= but
>>
>> the other side is that interoperability with other implementations= are
>>
>> not affected. In this case, two Geneve endpoints using TLS or IPse= c will
>>
>> not be able to interoperate with an implementation based on transi= t
>>
>> devices (unless the process being performed by the transit devices= is
>>
>> also performed by the NVE). In that sense, I believe OPTIONAL stat= ement
>>
>> is not appropriated here.
>>
>>
>>
>> An implementation with transit devices seems to prevent the
>>
>> interoperability of with an implementation where=C2=A0 options are= treated
>>
>> by the NVE over a secure channel. If we suppose that NVE and
>>
>> transit devices support the same options, then transit devices are= not
>>
>> necessary and could be removed from the specification. If options<= br> >>
>> supported by transit devices are different from those supported by=
>>
>> the NVE, interoperability will not be achieved. Transit device wil= l not be
>>
>> able to process the options, resulting in options will be ignored = (while
>>
>> being supported by the implementation).. In addition, if the optio= ns
>>
>> are critical, the NVE is likely to drop the packet as it does not = support
>>
>> the option.
>>
>>
>>
>> In addition, I have some hard time to understand the end-to-end mo= del
>>
>> with a transit device even optional. I believe that end-to-end pro= tocol
>>
>> is a good path, though. However, my understanding of end-to-end pr= otocol
>>
>> is that they should only involve two end points. I see the NVE as = end
>>
>> points but the optional transit device does not seems to be one of=
>>
>> these. However, to help me understand better this, as it seems Gen= eve is
>>
>> similar to other end-to-end protocol, maybe you could provide simi= lar
>>
>> end-to-end protocol that involves a transit devices or something s= imilar.
>>
>>
>>
>> I also have another clarification regarding transit device. I see = these
>>
>> transit devices as adding a lot of complexity to the end-to-end mo= del
>>
>> with little benefits. Typically, as far as I understand, they can = only
>>
>> read an option. I am thus wondering whether we should not be bette= r off
>>
>> removing them from the specification. This would end up with a cle= ar
>>
>> end-to-end model. Reversely, I do not see anything preventing a ve= ndor
>>
>> to implement them at least for unsecure deployments. Removing them=
>>
>> from the specification would leave the transit devices as implemen= tation
>>
>> specific. What are actually the benefits of the transit devices th= at would
>>
>> justify them to be part of the specification?
>>
>>
>>
>> <Ilango>
>>
>> Transit devices exists in the underlay network, these are simply f= orwarding elements (e.g. switches, routers) that generally forwards packets= based on outer header information, there is nothing that stops such device= s from reading the contents if the data is in the clear.=C2=A0 This works w= ith any transport protocols like IP, IP in IP, GRE, VXLAN, etc.=C2=A0 For e= xample, routers may look at headers and/or inner payload for ECMP purposes = or for statistics or logging purposes. If the packet is encrypted then such= transit devices cannot look into the packets but would simply forward base= d on the outer headers and use information in outer headers for entropy. Th= ere is no interoperability issue between the endpoints. Geneve is no differ= ent.
>>
>>
>>
>> Recognizing the fact that such a device is anyway going to exist i= n the network, Geneve draft provides guidance on how to handle Geneve heade= rs (if a device has the option to do so).=C2=A0 Geneve options are part of = Geneve header, a transit device that is capable of interpreting Geneve head= ers may interpret an option or skip over the option to view the payload, et= c.=C2=A0 If a transit device is not able interpret the header or option, it= has to simply use the outer header to forward the packet (outer IP/UDP).. = This is what the Geneve draft clarifies.
>>
>>
>>
>> These guidelines reduce possible interoperability issues compared = to if behavior was left undefined. For example, transit devices are not all= owed to drop packets or fall back to a slow path on the basis of an unknown= option. If this were to happen, it would hamper the introduction of new op= tions. It might also be worth mentioning that anything that could be consid= ered a middlebox is not a transit device but needs to be modeled as an endp= oint and so Geneve really should be viewed as a tunnel endpoint-to-endpoint= protocol.
>>
>> <end>
>>
>>
>>
>>
>>
>> [1] https://mailarchi= ve.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdhcs
>>
>>
>>
>>
>>
>> Yours,
>>
>> Daniel
>>
>>
>>
>> On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S <ilango.s.ganga@intel.com= > wrote:
>>
>> Hi Daniel,
>>
>>
>>
>> Let us be specific. I see that you have two comments on the latest= draft-ietf-nvo3-geneve-09.=C2=A0 Please see below for responses to your co= mments.
>>
>>
>>
>> Comment 1:
>>
>> OLD
>>
>>=C2=A0 =C2=A0 o=C2=A0 An option SHOULD NOT be dependent upon any ot= her option in the
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0packet, i.e., options can be processed i= ndependent of one another.
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0An option MUST NOT affect the parsing or= interpretation of any
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0other option.
>>
>>
>>
>> NEW
>>
>>
>>
>>=C2=A0 =C2=A0 o=C2=A0 An option SHOULD NOT be dependent upon any ot= her option in the
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0packet, i.e., options can be processed i= ndependent of one another.
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0An option SHOULD NOT affect the parsing = or interpretation of any
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0other option.
>>
>>
>>
>> <Ilango>
>>
>> Architecturally Geneve options can be processed independent of one= another. The second statement clearly states that parsing or interpretatio= n of one option must not affect the other.=C2=A0 This is a reasonable const= raint to avoid nested dependencies. Options can be designed to work with th= e requirements specified in Geneve.
>>
>>
>>
>> Let us take specific examples:
>>
>> We could think of a design of a Header Integrity check option (rel= ated to your example). In this case if the header integrity check fails, as= a result the entire header is invalid and hence the most likely outcome of= a failed check is that the packet being dropped (including any options in = that packet whether parsed/interpreted or not). The current text does not p= reclude the packet being dropped as result of failure.
>>
>>
>>
>> It is possible to design options, including any security options, = with these constraints.=C2=A0 We don=E2=80=99t see a reason to change this = requirement that may have unintended consequences.
>>
>>
>>
>> Comment 2:
>>
>>
>>
>> NEW
>>
>> Security Consideration
>>
>>
>>
>> Geneve Overlay may be secured using by protecting the NVE-to-NVE >>
>> communication using IPsec or DTLS. However, such mechanisms cannot= be
>>
>> applied for deployments that include transit devices...
>>
>>
>>
>> Some deployment may not be able to secure the full communication u= sing
>>
>> IPsec or DTLS between the NVEs. This could be motivated by the pre= sence
>>
>> of transit devices or by a risk analysis that concludes that the G= eneve
>>
>> packet be only partially protected - typically reduced to the Gene= ve
>>
>> Header information. In such cases Geneve specific mechanisms needs= to be
>>
>> designed.
>>
>>
>>
>> <Ilango> The challenge is, you are asking to impose requirem= ents that is not supported by Geneve architecture. Geneve has an optional f= eature where transit devices may be able to interpret Geneve options. Howev= er this is not a requirement for Geneve operation between tunnel end point = to tunnel end point. We have tried make this very clear by adding clarifyin= g text during the last two revisions. If the Geneve packet is in the clear = then transit devices may be able to view the Genve header, options, and the= payload. However if the packet is encrypted then transit devices cannot vi= ew the packet contents. This is consistent with other transport protocols e= ncrypting the packets. So we don=E2=80=99t see a reason why Geneve should b= e different.
>>
>>
>>
>> Geneve is an end to end protocol between tunnel endpoints and the = NVEs decide to secure (encrypt) the packets between tunnel endpoints. If a = middle box has a need to see an encrypted packet, then it has to implement = tunnel endpoint functionality.
>>
>>
>>
>> We already have text in 6.4 security consideration section that pr= ovides clear guidance to the operators.
>>
>>
>>
>> So we don=E2=80=99t see a good reason to add the suggested text ab= ove.
>>
>>
>>
>> For a complete threat analysis, a security analysis of Geneve or s= ome
>>
>> guide lines to secure a Geneve overlay network, please refer to >>
>> [draft-mglt-nvo3-geneve-security-requirements] as well as
>>
>> [draft-ietf-nvo3-security-requirements].
>>
>>
>>
>> <Ilango>
>>
>> The security requirements document=C2=A0 makes certain assumptions= that is unsupported by Geneve architecture. We have tried to clarify this = multiple times, however you have still maintained this in the requirements = document. So this needs to be addressed. Also the document is not yet adopt= ed by the working group.
>>
>>
>>
>> Moreover, Geneve security consideration section has been significa= ntly enhanced to provide guidance to operators and to address the comments.= So both documents can progress independently.
>>
>>
>>
>> Thanks,
>>
>> Ilango
>>
>>
>>
>>
>>
>> From: Daniel Migault [mailto:daniel.migault@ericsson.com]
>> Sent: Saturday, March 2, 2019 8:49 AM
>> To: Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
>> Cc: draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg <pankajg=3D40microsoft.= com@dmarc.ietf.org>; NVO3 <nvo3@ietf.org>
>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft= -ietf-nvo3-geneve-08.txt
>>
>>
>>
>> Hi Matt,
>>
>>
>>
>>
>>
>> You are correct, this is at least not an regular process to have a=
>>
>> standard track document being updated by an informational. I do no= t see
>>
>> either any requirements for having a WG status to become a referen= ce,
>>
>> but that is something we could confirm with the RFC-editor.
>>
>>
>>
>> Back to the initial suggestion, I also believe the difficulties of= updating
>>
>> the Geneve specifications are far less complex than updating the >>
>> implementation, and for that specific reason, it would be good we = have a
>>
>> consensus on the security analyse.
>>
>>
>>
>> I agree that WG draft would be better, and RFC would be even bette= r as
>>
>> we have seen WG document being stalled. I am confident we can make= this
>>
>> happen or at least I do not see major issues.
>>
>>
>>
>> Yours,
>>
>> Daniel
>>
>>
>>
>>
>>
>> On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) <matthew.bocci@no= kia.com> wrote:
>>
>> WG, Daniel,
>>
>>
>>
>> Apologies but I mis-spoke on the suggestion for the security requi= rements to act as an update to the encapsulation RFC in future. This would = be difficult to do as it is informational.
>>
>>
>>
>> Nonetheless I think we should only be referencing a WG draft (at a= minimum) here.
>>
>>
>>
>> Matthew
>>
>>
>>
>>
>>
>>
>>
>> From: Dacheng Zhang <nvo3-bounces@ietf.org> on behalf of "Bocci, Ma= tthew (Nokia - GB)" <matthew.bocci@nokia.com>
>> Date: Friday, 1 March 2019 at 16:24
>> To: Daniel Migault <daniel.migault@ericsson.com>
>> Cc: "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve= @ietf.org>, Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>= ;, NVO3 <nvo3@ietf.or= g>
>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft= -ietf-nvo3-geneve-08.txt
>>
>>
>>
>> Daniel
>>
>>
>>
>> From a procedural perspective, referring to your draft creates a d= ependency and that draft has not yet been adopted by the WG. The old Securi= ty requirements framework expired a couple of years ago and does not seem t= o be being progressed.
>>
>> Maybe a better approach to allow progress, as long as the WG can a= gree to your text (if needed) to satisfy the concern that future security m= echanisms can be used, and that the evolving threat analysis is understood = by implementers and users of Geneve, would be to mark the Geneve security r= equirements as an update to the geneve encapsulation RFC when it is publish= ed.
>>
>>
>>
>> Matthew
>>
>>
>>
>> From: Daniel Migault <daniel.migault@ericsson.com>
>> Date: Friday, 1 March 2019 at 16:11
>> To: "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com><= br> >> Cc: Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>, &qu= ot;dra= ft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>= ;, NVO3 <nvo3@ietf.or= g>
>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft= -ietf-nvo3-geneve-08.txt
>>
>>
>>
>> Hi Matthew,
>>
>>
>>
>> I am happy to clarify and be more specific. However, despite your<= br> >>
>> reading of [1] I think [1] clearly indicates the changes I expecte= d as
>>
>> well as that these changes needs to be made.
>>
>>
>>
>> I believe the responsibility of not addressing an acknowledged iss= ue is
>>
>> more on the side of people ignoring the issue=C2=A0 then on the si= de of the
>>
>> one raising this issue. My impression is that this is the situatio= n we
>>
>> are in.
>>
>>
>>
>> I agree that my initial comment saying "I am fine with the te= xt if we do
>>
>> not find something better." might have been confusing and I a= pology for
>>
>> this. At the time of writing the initial comment I was not sure I = was
>>
>> not missing something nor that the problem could not be solved her= e or
>>
>> somewhere else (in another section). My meaning behind those words= were
>>
>> that I was open to the way the concerned could be addressed. Howev= er, -
>>
>> from my point of view - the text does not say the issue does not n= eed to
>>
>> be solved which is the way it has been interpreted. In addition, I=
>>
>> believe I have clarified this right away after the concern has bee= n
>>
>> acknowledged and not addressed. As result, I do not think my comme= nt
>>
>> could be reasonably read as the text is fine.
>>
>>
>>
>> Please fine the below the initial comment its response and the res= ponse
>>
>> to the response from [1].
>>
>>
>>
>> """
>>
>> <mglt> In case we have a option providing authentication, su= ch option
>>
>> may affect the interpretation of the other options.
>>
>> s/interpretation/ndependance may not be better.... I think what we= want
>>
>> to say is that option MUST be able to be processed in any order or= in
>>
>> parallel.=C2=A0 I am fine with the text if we do not find somethin= g better.
>>
>> </mglt>
>>
>>
>>
>> <Ilango> This is a good point, however we believe that this = text
>>
>> captures the intent.=C2=A0 </>
>>
>>
>>
>> <mglt2>The problem I have is that the current text prevents = security
>>
>> options, so I guess some clarification should be brought to clarif= y the
>>
>> intent.</mglt2>
>>
>> """
>>
>>
>>
>> If I had to suggest some text I would suggest the following - or >>
>> something around the following lines.
>>
>>
>>
>>
>>
>> OLD
>>
>>=C2=A0 =C2=A0 o=C2=A0 An option SHOULD NOT be dependent upon any ot= her option in the
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0packet, i.e., options can be processed i= ndependent of one another.
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0An option MUST NOT affect the parsing or= interpretation of any
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0other option.
>>
>>
>>
>> NEW
>>
>>
>>
>>=C2=A0 =C2=A0 o=C2=A0 An option SHOULD NOT be dependent upon any ot= her option in the
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0packet, i.e., options can be processed i= ndependent of one another.
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0An option SHOULD NOT affect the parsing = or interpretation of any
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0other option.
>>
>>
>>
>> There are rare cases were the parsing of one option affects the pa= rsing
>>
>> or the interpretation of other option. Option related to security = may
>>
>> fall into this category. Typically, if an option enables the
>>
>> authentication of another option and the authentication does not >>
>> succeed, the authenticated option MUST NOT be processed. Other opt= ions
>>
>> may be designed in the future.
>>
>>
>>
>> NEW
>>
>> Security Consideration
>>
>>
>>
>> Geneve Overlay may be secured using by protecting the NVE-to-NVE >>
>> communication using IPsec or DTLS. However, such mechanisms cannot= be
>>
>> applied for deployments that include transit devices.
>>
>>
>>
>> Some deployment may not be able to secure the full communication u= sing
>>
>> IPsec or DTLS between the NVEs. This could be motivated by the pre= sence
>>
>> of transit devices or by a risk analysis that concludes that the G= eneve
>>
>> packet be only partially protected - typically reduced to the Gene= ve
>>
>> Header information. In such cases Geneve specific mechanisms needs= to be
>>
>> designed.
>>
>>
>>
>> For a complete threat analysis, a security analysis of Geneve or s= ome
>>
>> guide lines to secure a Geneve overlay network, please refer to >>
>> [draft-mglt-nvo3-geneve-security-requirements] as well as
>>
>> [draft-ietf-nvo3-security-requirements].
>>
>>
>>
>> For full disclosure I am a co-author of
>>
>> draft-mglt-nvo3-geneve-security-requirement. However the reason fo= r
>>
>> referring to these documents is motivated by the fact that I belie= ve
>>
>> these analysis provide a better security analysis than the current= (OLD)
>>
>> security consideration section.
>>
>>
>>
>> Yours,
>>
>> Daniel
>>
>>
>>
>>
>>
>> On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) <matthew.bocci@nok= ia.com> wrote:
>>
>> Hi Daniel
>>
>>
>>
>> Thanks for reviewing the latest version. At this stage it would be= helpful if you could be much more concrete and give specifics.
>>
>>
>>
>> I think that the main issue is whether the design of Geneve preven= ts future security extensions.
>>
>>
>>
>> However, in [1], you stated that you were comfortable with the tex= t if nothing else could be found.
>>
>>
>>
>> What specifically do you want to change in the following, bearing = in mind that there are already claimed implementations of Geneve:
>>
>> """
>>
>>=C2=A0 =C2=A0 o=C2=A0 An option SHOULD NOT be dependent upon any ot= her option in the
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0packet, i.e., options can be processed i= ndependent of one another.
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0An option MUST NOT affect the parsing or= interpretation of any
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0other option.
>>
>> """
>>
>>
>>
>>
>>
>> Matthew
>>
>>
>>
>>
>>
>> From: Daniel Migault <daniel.migault@ericsson.com>
>> Date: Friday, 1 March 2019 at 03:06
>> To: Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>
>> Cc: "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>,= NVO3 <nvo3@ietf.org<= /a>>, "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@iet= f.org>
>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft= -ietf-nvo3-geneve-08.txt
>>
>>
>>
>> Hi,
>>
>>
>>
>> I just briefly went through the document quickly and in my opinion= , the document still faces some security issues.
>>
>>
>>
>> The current text (in my opinion) prevents any geneve security rela= ted
>>
>> options. Currently Geneve cannot be secured and this prevents futu= re
>>
>> work to eventually secure Geneve. In my opinion the current text >>
>> mandates Geneve to remain unsecure.
>>
>>
>>
>> Geneve security option that are willing to authenticate/encrypt a = part
>>
>> of the Geneve Header will affect the parsing of the protected opti= on and
>>
>> will affect the order in which option needs to be process. Typical= ly a
>>
>> protected option (authenticated, encrypted) cannot or should not b= e
>>
>> processed before authenticated or decrypted.
>>
>>
>>
>> This has already been mentioned in [1], and the text needs in my o= pinion
>>
>> further clarifications.
>>
>>
>>
>> """
>>
>>=C2=A0 =C2=A0 o=C2=A0 An option SHOULD NOT be dependent upon any ot= her option in the
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0packet, i.e., options can be processed i= ndependent of one another.
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0An option MUST NOT affect the parsing or= interpretation of any
>>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0other option.
>>
>> """
>>
>>
>>
>>
>>
>>
>>
>> As stated in [2] it remains unclear to me why this section is not<= br> >>
>> referencing and leveraging on the security analysis [3-4] performe= d by
>>
>> two different independent teams...
>>
>>
>>
>> My reading of the security consideration is that the message is th= at
>>
>> IPsec or TLS could be used to protect a geneve overlay network. Th= is is
>>
>> - in my opinion- not correct as this does not consider the transit=
>>
>> device. In addition, the security consideration only considers the= case
>>
>> where the cloud provider and the overlay network provider are a si= ngle
>>
>> entity, which I believe oversimplifies the problem.
>>
>>
>>
>> The threat model seems to me very vague, so the current security >>
>> consideration is limited to solving a problem that is not stated.<= br> >>
>>
>>
>> My reading of the text indicates the tenant can handle by itself t= he
>>
>> confidentiality of its information without necessarily relying on = the
>>
>> overlay service provider. This is not correct. Even when the tenan= t uses
>>
>> IPsec/TLS, it still leaks some information. The current text contr= adicts
>>
>> [3] section 6.2 and [4] section 5.1.
>>
>>
>>
>> My reading is that the text indicates that IPsec/DTLS could be use= d to
>>
>> protect the overlay service for both confidentiality and integrity= .
>>
>> While this could be used in some deployment this is not compatible= with
>>
>> transit devices. As such the generic statement is not correct. Sec= tion
>>
>> 6.4 indicates that transit device must be trusted which is incorre= ct.
>>
>> Instead the transit device with all nodes between the transit devi= ce and
>>
>> the NVE needs to be trusted.=C2=A0 Overall the impression provided= is that
>>
>> IPsec (or TLS) can be used by the service overlay provider, which = is (in
>>
>> my opinion) not true.
>>
>>
>>
>> It is unclear to me how authentication of NVE peers differs from t= he
>>
>> authentication communication as the latest usually rely on the fir= st.
>>
>> Maybe the section should insist on mutual authentication.
>>
>>
>>
>> Yours,
>>
>> Daniel
>>
>>
>>
>>
>>
>> [1] https://mailarchi= ve.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9o
>>
>> [2] https://mailarchi= ve.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSGw
>>
>> [3] https://tools.ietf.= org/html/draft-ietf-nvo3-security-requirements-07
>>
>> [4] https://tool= s.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-05
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg <pankajg=3D40microsoft.co= m@dmarc.ietf.org> wrote:
>>
>> I am not aware of any IP related to draft-ietf-nvo3-geneve which h= as not already been disclosed.
>>
>>
>>
>> Thanks
>>
>> Pankaj
>>
>>
>>
>> From: Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
>> Sent: Tuesday, October 9, 2018 2:08 AM
>> To: NVO3 <nv= o3@ietf.org>
>> Cc: draft-ietf-nvo3-geneve@ietf.org
>> Subject: Working Group Last Call and IPR Poll for draft-ietf-nvo3-= geneve-08.txt
>>
>>
>>
>> This email begins a two-week working group last call for draft-iet= f-nvo3-geneve-08.txt.
>>
>>
>>
>> Please review the draft and post any comments to the NVO3 working = group list. If you have read the latest version of the draft but have no co= mments and believe it is ready for publication as a standards track RFC, pl= ease also indicate so to the WG email list.
>>
>>
>>
>> We are also polling for knowledge of any undisclosed IPR that appl= ies to this document, to ensure that IPR has been disclosed in compliance w= ith IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). >>
>> If you are listed as an Author or a Contributor of this document, = please respond to this email and indicate whether or not you are aware of a= ny relevant undisclosed IPR. The Document won't progress without answer= s from all the Authors and Contributors.
>>
>>
>>
>> Currently there are two IPR disclosures against this document.
>>
>>
>>
>> If you are not listed as an Author or a Contributor, then please e= xplicitly respond only if you are aware of any IPR that has not yet been di= sclosed in conformance with IETF rules.
>>
>>
>>
>> This poll will run until Friday 26th October.
>>
>>
>>
>> Regards
>>
>>
>>
>> Matthew and Sam
>>
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3 >>
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3 >>
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3 >>
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3 >>
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3 >>
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3 >>
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3 >>
>> _______________________________________________
>> nvo3 mailing list
>> nvo3@ietf.org
>> https://www.ietf.org/mailman/listinfo/nvo3 >
> _______________________________________________
> nvo3 mailing list
> nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
--000000000000db246f0585a1eebe-- From nobody Wed Apr 3 08:34:06 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BDE412008B for ; Wed, 3 Apr 2019 08:34:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.253 X-Spam-Level: X-Spam-Status: No, score=0.253 tagged_above=-999 required=5 tests=[FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WAVOtBwY2W4a for ; Wed, 3 Apr 2019 08:33:58 -0700 (PDT) Received: from mail-lj1-f182.google.com (mail-lj1-f182.google.com [209.85.208.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 114C212010F for ; Wed, 3 Apr 2019 08:33:57 -0700 (PDT) Received: by mail-lj1-f182.google.com with SMTP id f23so15297846ljc.0 for ; Wed, 03 Apr 2019 08:33:56 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FyCNE+Nj7yfop5xEcSjCGCwbLRuerE6xKqKj9gL64pA=; b=VGhFMe/fb0HETG6eC72KacTXCOYfQ/gPDvc14JZyM3ryJrwKdt8zrp28g4ZuAPZaqG OuYJ+jQs4xb+kltOcV09yJQ7zgbai9vpkmjui8gXj2OJ1zK58N8OMgyk6uuIqjnBYNAA 4IR9KX099vCBcpnr7M6YaKoYCuyMkvH2otQX4ZaK5uiOpr5Hg38dpt6WNKQKa3kywnLP PJzGyydIbqfgJ1U0Kju5doqBh4voaie63DVsgjhZteLldpP7utuInvRrImPx5JH5wNie jZOY57vCFlC4I54L86dBc0Va49iuUssH6cWyfObTkhWQbUAIAPi12sxG09v8agg4EFik 1lYA== X-Gm-Message-State: APjAAAWRZLmmtYj/tNDCP4m1vvujmlB3Vjg+FucORZmrzuc7H7Rd5F1K zabKG6TLyhLiY5Cicx8PM7vN2yu/hpPdvLQAbAwDsQ== X-Google-Smtp-Source: APXvYqzJkRjBZVK1qa/TO8R/1NBLEf8HcsBKAU7FDtf6lGuwaGiTigjdBcyopj55W38TiHfF9oY6Vu24cZ9hVmdwgag= X-Received: by 2002:a2e:1245:: with SMTP id t66mr270020lje.18.1554305634854; Wed, 03 Apr 2019 08:33:54 -0700 (PDT) MIME-Version: 1.0 References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> <124B2B65-48C6-45B8-94FB-ED4368E65660@strayalpha.com> In-Reply-To: <124B2B65-48C6-45B8-94FB-ED4368E65660@strayalpha.com> From: Daniel Migault Date: Wed, 3 Apr 2019 11:33:41 -0400 Message-ID: To: Joe Touch Cc: "Ganga, Ilango S" , NVO3 Content-Type: multipart/alternative; boundary="0000000000003cec800585a1fb2a" Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 15:34:05 -0000 --0000000000003cec800585a1fb2a Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, My reading is that SHOULD NOT means MUST NOT unless we have a good reason for it and security or checksum options fall in that category. AM I missing something ? Yours, Daniel On Tue, Apr 2, 2019 at 11:36 PM Joe Touch wrote: > Hi, all, > > FWIW - I don=E2=80=99t understand this requirement. > > Clearly, an option MUST NOT depend on options that come before it in the > order they occur, otherwise you could have options defined in a circular > manner that cannot be resolved. > > However, if you prevent options that depend on other, later options you > would undermine the ability to have an option that provides authenticatio= n > (which is useful only when it includes both the payload and subsequent > options) or encryption (which should at least authenticate the option are= a, > even if it isn=E2=80=99t encrypted). It also undermines the ability to ha= ve options > that create new checksum algorithms. > > Are you really seeking to prevent these future possibilities? > > Joe > > On Mar 26, 2019, at 10:30 PM, Ganga, Ilango S > wrote: > > Hi Daniel, > > We updated the draft to restate the requirement on options processing, th= e > revised text is much simpler, provides better clarity, and retains the > original intent. We believe, this should address your concerns. > > https://mailarchive.ietf.org/arch/msg/nvo3/-jwq1fjwDufvPl8Qcbk7Iheiegg > > Revised text: > =E2=80=9CAn option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independently of one > another. Architecturally, options are intended to be self- > > descriptive and independent. This enables parallelism in option > > processing and reduces implementation complexity.=E2=80=9D > > > Thanks > Ilango > > *From:* Daniel Migault [mailto:daniel.migault@ericsson.com > ] > *Sent:* Wednesday, March 20, 2019 1:56 PM > *To:* Ganga, Ilango S > *Cc:* NVO3 > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt - geneve options > > Hi, > > I am looking at the version 12 and see how it address my concern, > regarding the integration of security options. > > The new text in version 12 mentions: > """ > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option MUST NOT affect the parsing or interpretation of any > other option. However, option processing by tunnel endpoints may > result in the packet being dropped. Options may also be used in > conjunction with each other or combined with packet data but this > processing is done above the encapsulation layer. > """ > > I am reading the text as a security option can be combined with another > option or the data payload. More specifically, an authentication option > that authenticates some options and/or the payload may result in the > packet to be discarded or not. > > I think we are making progress. However, I am not clear about the text: > > """ but this processing is done above the encapsulation layer.""" > > I am reading the encapsulation layer as the Geneve protocol, but I am > not clear what the layer above is. I am assuming that is a layer > that takes the output of the Geneve decapsulation. If that is correct, > I understand the text saying Geneve processes the options even though > the authentication has failed. Typically, suppose option A covers > options O. Upon verification of A fails, Geneve processes O and returns > to some upper layers that O has been processed while its authentication > did not succeed. I am sure that I misunderstood the text, but I suggest > some clarification are provided to prevent such interpretation as the > purpose of the authenticating O MUST be able to prevent the processing > of the option O. > > In the current text I believe the text """but ...layer""" can be > removed. Another way might be to clarify the layer above the > encapsulation. > > > Yours, > Daniel > > > > On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault > wrote: > > Hi, > > Thanks for the response. Let me first recap the previous conversation, > or at least my perception of them. My initial comment was that the > current Geneve specification prevents the design of security options and > I provided an example. My understanding is there is an agreement that > such option is prevented by the current geneve specification and you > challenge the usefulness of such an option (designated as A) as well as > argue that an authentication upon failure MUST result in discarding the > packet. > > The security options considered has been mentioned in two independent > security analysis. The example has been described and commented > extensively in the threat analysis as well. I argue further that > mandating that dropping the packet, in our case is neither a decision > that can be taken at the option level, nor at the geneve level. Instead, > it belongs to a policy decision that is likely to result in incoherent > deployments. > > As result, the current geneve specification prevents security options. > Please see below for more additional information. > > The current option works similarly to IPsec: IPsec/ESP is IP option. AH > is an option that authenticates the full IP packet. ESP > authenticate/encrypt the IP payload and not the full packet. Upon > authentication failure *the scope of the authentication* is discarded > and in that sense the example I am providing is no more different. > > In our case, the option authenticate an portion of the geneve packet > that is limited to the option. Tthe coverage of the security option is a > portion of the geneve header. As such, the option cannot mandate > anything outside of its coverage: the covered option O. As a result, > dropping the full packet is outside of the scope. Mandating a packet > drop hardly, in my opinion apply here. > > Options are usually non critical for interoperability. Mandating to drop > the packet when option O cannot be authenticated would contradict the > non critical status of that option, which is the packet can be processed > without the option. This would be a policy that overwrite the geneve > - as well as the geneve option - specification. > A possible incoherence would be if option A and O are non critical would > be that the implementation ignoring the option A and O will accept the > packet, an implementation understanding option O but not option A will > accept the packet while the implementation understanding option A and O > will reject the packet. > > Yours, > Daniel > > > On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S > wrote: > > Hi Daniel, > > Please see my responses inline below. > > Thanks, > Ilango > > > *From:* nvo3 [mailto:nvo3-bounces@ietf.org] *On Behalf Of *Daniel Migault > *Sent:* Monday, March 4, 2019 9:15 AM > *To:* Ganga, Ilango S > *Cc:* nvo3@ietf.org > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > Hi Ilango, > > Thanks for the response. Please see a concrete example to illustrate my > concern > for comment 1. For comment 2, it really helped you indicated that Geneve > is expected > to be an end-to-end protocol. This will help me update the security > requirement > document. However, the current Geneve specification with transit devices > seems - > at least to me - to raise an architecture concern as raised in [1]. > > -- comment 1: > > Thanks for the feed back. I understand the purpose of keeping option > independent one from each other, and favour this is strongly recommended. > However, I am not convinced this applies always. More specifically, in a > context of security, the purpose of a security option may be related to > another option. Typically, a security option providing authentication or > encryption is potentially authenticating/encryption another option or > other information contained in the header. > > The typical scenario I have in mind would be an authentication option A > authenticating option O. There will clearly some dependencies between A > and O as O could only be used if A has been primarily been validated. > The current statement "SHOULD NOT be dependent" enables this. However, I > have concerns regarding the statement "MUST NOT affect the parsing or > interpretation". In fact, the output of A, will determine if O should be > dropped or processed normally. In case A shows O is not appropriately > authenticated, O might be rejected based on its C value. The ambiguity I > see is that A can be understood as affecting the parsing and > interpretation of O or as a pre-processing operation before parsing or > interpretation of O. > > I think, the text needs further clarifications to remove such ambiguity. > Changing MUST NOT by SHOULD NOT was of course only one proposition and > this could be also addressed otherwise. It might be better, I agree, to > explicitly mention that some options may provide condition on the > parsing of the options. This would leave the parsing of the options > unchanged. > > > If I understand your example correctly, you want to have one option > authenticate the contents of another option and if that authentication > fails, drop the option. This would not drop the entire packet unless that > option is critical. Can you give a use case for this? This seems unusual > and not something that is supported by other security protocols such as > IPsec or TLS to the best of our knowledge. > > I believe a more common outcome of a failed authentication is that the > entire packet would be dropped. As previously noted, the current text doe= s > not preclude this. It seems like going beyond this would result in > significant complexity, both for processing options in this specific case > as well as the possibility of introducing ambiguity in how other options > might be defined or processed as an unintended consequence. Without a > strong use case, this does not seem desirable. > > > -- comment 2: > > Thanks for the response that clarifies a bit my understanding of the > transit devices.. I believe the issue I have is related to the transit > devices which I do not see, unless I am wrong, meeting the requirements > for being OPTIONAL and that seems - at least to me - contradicting the > status of end-to-end protocol. As suggested in [1], transit devices seem > to raise > architectural concerns that is not needed. > > You are correct that the text is clear that transit devices are > OPTIONAL. However, my understanding of OPTIONAL from 2119 is that there > are two sides of it. One is that a vendor may implement it or not, but > the other side is that interoperability with other implementations are > not affected. In this case, two Geneve endpoints using TLS or IPsec will > not be able to interoperate with an implementation based on transit > devices (unless the process being performed by the transit devices is > also performed by the NVE). In that sense, I believe OPTIONAL statement > is not appropriated here. > > An implementation with transit devices seems to prevent the > interoperability of with an implementation where options are treated > by the NVE over a secure channel. If we suppose that NVE and > transit devices support the same options, then transit devices are not > necessary and could be removed from the specification. If options > supported by transit devices are different from those supported by > the NVE, interoperability will not be achieved. Transit device will not b= e > able to process the options, resulting in options will be ignored (while > being supported by the implementation).. In addition, if the options > are critical, the NVE is likely to drop the packet as it does not support > the option. > > In addition, I have some hard time to understand the end-to-end model > with a transit device even optional. I believe that end-to-end protocol > is a good path, though. However, my understanding of end-to-end protocol > is that they should only involve two end points. I see the NVE as end > points but the optional transit device does not seems to be one of > these. However, to help me understand better this, as it seems Geneve is > similar to other end-to-end protocol, maybe you could provide similar > end-to-end protocol that involves a transit devices or something similar. > > > I also have another clarification regarding transit device. I see these > transit devices as adding a lot of complexity to the end-to-end model > with little benefits. Typically, as far as I understand, they can only > read an option. I am thus wondering whether we should not be better off > removing them from the specification. This would end up with a clear > end-to-end model. Reversely, I do not see anything preventing a vendor > to implement them at least for unsecure deployments. Removing them > from the specification would leave the transit devices as implementation > specific. What are actually the benefits of the transit devices that woul= d > justify them to be part of the specification? > > > Transit devices exists in the underlay network, these are simply > forwarding elements (e.g. switches, routers) that generally forwards > packets based on outer header information, there is nothing that stops su= ch > devices from reading the contents if the data is in the clear. This work= s > with any transport protocols like IP, IP in IP, GRE, VXLAN, etc. For > example, routers may look at headers and/or inner payload for ECMP purpos= es > or for statistics or logging purposes. If the packet is encrypted then su= ch > transit devices cannot look into the packets but would simply forward bas= ed > on the outer headers and use information in outer headers for entropy. > There is no interoperability issue between the endpoints. Geneve is no > different. > > Recognizing the fact that such a device is anyway going to exist in the > network, Geneve draft provides guidance on how to handle Geneve headers (= if > a device has the option to do so). Geneve options are part of Geneve > header, a transit device that is capable of interpreting Geneve headers m= ay > interpret an option or skip over the option to view the payload, etc. If= a > transit device is not able interpret the header or option, it has to simp= ly > use the outer header to forward the packet (outer IP/UDP). This is what t= he > Geneve draft clarifies. > > These guidelines reduce possible interoperability issues compared to if > behavior was left undefined. For example, transit devices are not allowed > to drop packets or fall back to a slow path on the basis of an unknown > option. If this were to happen, it would hamper the introduction of new > options. It might also be worth mentioning that anything that could be > considered a middlebox is not a transit device but needs to be modeled as > an endpoint and so Geneve really should be viewed as a tunnel > endpoint-to-endpoint protocol. > > > > [1] https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdhc= s > > > Yours, > Daniel > > On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S > wrote: > > Hi Daniel, > > Let us be specific. I see that you have two comments on the latest > draft-ietf-nvo3-geneve-09. Please see below for responses to your commen= ts. > > Comment 1: > OLD > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option MUST NOT affect the parsing or interpretation of any > other option. > > NEW > > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option SHOULD NOT affect the parsing or interpretation of any > other option. > > > Architecturally Geneve options can be processed independent of one > another. The second statement clearly states that parsing or interpretati= on > of one option must not affect the other. This is a reasonable constraint > to avoid nested dependencies. Options can be designed to work with the > requirements specified in Geneve. > > Let us take specific examples: > We could think of a design of a Header Integrity check option (related to > your example). In this case if the header integrity check fails, as a > result the entire header is invalid and hence the most likely outcome of = a > failed check is that the packet being dropped (including any options in > that packet whether parsed/interpreted or not). The current text does not > preclude the packet being dropped as result of failure. > > It is possible to design options, including any security options, with > these constraints. We don=E2=80=99t see a reason to change this requirem= ent that > may have unintended consequences. > > Comment 2: > > > > NEW > Security Consideration > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > communication using IPsec or DTLS. However, such mechanisms cannot be > applied for deployments that include transit devices.. > > Some deployment may not be able to secure the full communication using > IPsec or DTLS between the NVEs. This could be motivated by the presence > of transit devices or by a risk analysis that concludes that the Geneve > packet be only partially protected - typically reduced to the Geneve > Header information. In such cases Geneve specific mechanisms needs to be > designed. > > The challenge is, you are asking to impose requirements that is > not supported by Geneve architecture. Geneve has an optional feature wher= e > transit devices may be able to interpret Geneve options. However this is > not a requirement for Geneve operation between tunnel end point to tunnel > end point. We have tried make this very clear by adding clarifying text > during the last two revisions. If the Geneve packet is in the clear then > transit devices may be able to view the Genve header, options, and the > payload. However if the packet is encrypted then transit devices cannot > view the packet contents. This is consistent with other transport protoco= ls > encrypting the packets. So we don=E2=80=99t see a reason why Geneve shoul= d be > different. > > Geneve is an end to end protocol between tunnel endpoints and the NVEs > decide to secure (encrypt) the packets between tunnel endpoints. If a > middle box has a need to see an encrypted packet, then it has to implemen= t > tunnel endpoint functionality. > > We already have text in 6.4 security consideration section that provides > clear guidance to the operators. > > So we don=E2=80=99t see a good reason to add the suggested text above. > > For a complete threat analysis, a security analysis of Geneve or some > guide lines to secure a Geneve overlay network, please refer to > [draft-mglt-nvo3-geneve-security-requirements] as well as > [draft-ietf-nvo3-security-requirements]. > > > The security requirements document makes certain assumptions that is > unsupported by Geneve architecture. We have tried to clarify this multipl= e > times, however you have still maintained this in the requirements documen= t. > So this needs to be addressed. Also the document is not yet adopted by th= e > working group. > > Moreover, Geneve security consideration section has been significantly > enhanced to provide guidance to operators and to address the comments. So > both documents can progress independently. > > Thanks, > Ilango > > > *From:* Daniel Migault [mailto:daniel.migault@ericsson.com] > *Sent:* Saturday, March 2, 2019 8:49 AM > *To:* Bocci, Matthew (Nokia - GB) > *Cc:* draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg 40microsoft.com@dmarc.ietf.org>; NVO3 > *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > Hi Matt, > > > You are correct, this is at least not an regular process to have a > standard track document being updated by an informational. I do not see > either any requirements for having a WG status to become a reference, > but that is something we could confirm with the RFC-editor. > > Back to the initial suggestion, I also believe the difficulties of > updating > the Geneve specifications are far less complex than updating the > implementation, and for that specific reason, it would be good we have a > consensus on the security analyse. > > I agree that WG draft would be better, and RFC would be even better as > we have seen WG document being stalled. I am confident we can make this > happen or at least I do not see major issues. > > Yours, > Daniel > > > On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) < > matthew.bocci@nokia.com> wrote: > > WG, Daniel, > > Apologies but I mis-spoke on the suggestion for the security requirements > to act as an update to the encapsulation RFC in future. This would be > difficult to do as it is informational. > > Nonetheless I think we should only be referencing a WG draft (at a > minimum) here. > > Matthew > > > > *From: *Dacheng Zhang on behalf of "Bocci, > Matthew (Nokia - GB)" > *Date: *Friday, 1 March 2019 at 16:24 > *To: *Daniel Migault > *Cc: *"draft-ietf-nvo3-geneve@ietf.org" = , > Pankaj Garg , NVO3 > *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > Daniel > > From a procedural perspective, referring to your draft creates a > dependency and that draft has not yet been adopted by the WG. The old > Security requirements framework expired a couple of years ago and does no= t > seem to be being progressed. > Maybe a better approach to allow progress, as long as the WG can agree to > your text (if needed) to satisfy the concern that future security > mechanisms can be used, and that the evolving threat analysis is understo= od > by implementers and users of Geneve, would be to mark the Geneve security > requirements as an update to the geneve encapsulation RFC when it is > published. > > Matthew > > *From: *Daniel Migault > *Date: *Friday, 1 March 2019 at 16:11 > *To: *"Bocci, Matthew (Nokia - GB)" > *Cc: *Pankaj Garg , " > draft-ietf-nvo3-geneve@ietf.org" , NVO3 = < > nvo3@ietf.org> > *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > Hi Matthew, > > I am happy to clarify and be more specific. However, despite your > reading of [1] I think [1] clearly indicates the changes I expected as > well as that these changes needs to be made. > > I believe the responsibility of not addressing an acknowledged issue is > more on the side of people ignoring the issue then on the side of the > one raising this issue. My impression is that this is the situation we > are in. > > I agree that my initial comment saying "I am fine with the text if we do > not find something better." might have been confusing and I apology for > this. At the time of writing the initial comment I was not sure I was > not missing something nor that the problem could not be solved here or > somewhere else (in another section). My meaning behind those words were > that I was open to the way the concerned could be addressed. However, - > from my point of view - the text does not say the issue does not need to > be solved which is the way it has been interpreted. In addition, I > believe I have clarified this right away after the concern has been > acknowledged and not addressed. As result, I do not think my comment > could be reasonably read as the text is fine. > > Please fine the below the initial comment its response and the response > to the response from [1]. > > """ > In case we have a option providing authentication, such option > may affect the interpretation of the other options. > s/interpretation/ndependance may not be better.... I think what we want > to say is that option MUST be able to be processed in any order or in > parallel. I am fine with the text if we do not find something better. > > > This is a good point, however we believe that this text > captures the intent. > > The problem I have is that the current text prevents security > options, so I guess some clarification should be brought to clarify the > intent. > """ > > If I had to suggest some text I would suggest the following - or > something around the following lines. > > > OLD > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option MUST NOT affect the parsing or interpretation of any > other option. > > NEW > > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option SHOULD NOT affect the parsing or interpretation of any > other option. > > There are rare cases were the parsing of one option affects the parsing > or the interpretation of other option. Option related to security may > fall into this category. Typically, if an option enables the > authentication of another option and the authentication does not > succeed, the authenticated option MUST NOT be processed. Other options > may be designed in the future. > > NEW > Security Consideration > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > communication using IPsec or DTLS. However, such mechanisms cannot be > applied for deployments that include transit devices. > > Some deployment may not be able to secure the full communication using > IPsec or DTLS between the NVEs. This could be motivated by the presence > of transit devices or by a risk analysis that concludes that the Geneve > packet be only partially protected - typically reduced to the Geneve > Header information. In such cases Geneve specific mechanisms needs to be > designed. > > For a complete threat analysis, a security analysis of Geneve or some > guide lines to secure a Geneve overlay network, please refer to > [draft-mglt-nvo3-geneve-security-requirements] as well as > [draft-ietf-nvo3-security-requirements]. > > For full disclosure I am a co-author of > draft-mglt-nvo3-geneve-security-requirement. However the reason for > referring to these documents is motivated by the fact that I believe > these analysis provide a better security analysis than the current (OLD) > security consideration section. > > Yours, > Daniel > > > On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) < > matthew.bocci@nokia.com> wrote: > > Hi Daniel > > Thanks for reviewing the latest version. At this stage it would be helpfu= l > if you could be much more concrete and give specifics. > > I think that the main issue is whether the design of Geneve prevents > future security extensions. > > However, in [1], you stated that you were comfortable with the text if > nothing else could be found. > > What specifically do you want to change in the following, bearing in mind > that there are already claimed implementations of Geneve: > """ > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option MUST NOT affect the parsing or interpretation of any > other option. > """ > > > Matthew > > > *From: *Daniel Migault > *Date: *Friday, 1 March 2019 at 03:06 > *To: *Pankaj Garg > *Cc: *"Bocci, Matthew (Nokia - GB)" , NVO3 < > nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" < > draft-ietf-nvo3-geneve@ietf.org> > *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > Hi, > > I just briefly went through the document quickly and in my opinion, the > document still faces some security issues. > > The current text (in my opinion) prevents any geneve security related > options. Currently Geneve cannot be secured and this prevents future > work to eventually secure Geneve. In my opinion the current text > mandates Geneve to remain unsecure. > > Geneve security option that are willing to authenticate/encrypt a part > of the Geneve Header will affect the parsing of the protected option and > will affect the order in which option needs to be process. Typically a > protected option (authenticated, encrypted) cannot or should not be > processed before authenticated or decrypted. > > This has already been mentioned in [1], and the text needs in my opinion > further clarifications. > > """ > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option MUST NOT affect the parsing or interpretation of any > other option. > """ > > > > As stated in [2] it remains unclear to me why this section is not > referencing and leveraging on the security analysis [3-4] performed by > two different independent teams.. > > My reading of the security consideration is that the message is that > IPsec or TLS could be used to protect a geneve overlay network. This is > - in my opinion- not correct as this does not consider the transit > device. In addition, the security consideration only considers the case > where the cloud provider and the overlay network provider are a single > entity, which I believe oversimplifies the problem. > > The threat model seems to me very vague, so the current security > consideration is limited to solving a problem that is not stated. > > My reading of the text indicates the tenant can handle by itself the > confidentiality of its information without necessarily relying on the > overlay service provider. This is not correct. Even when the tenant uses > IPsec/TLS, it still leaks some information. The current text contradicts > [3] section 6.2 and [4] section 5.1. > > My reading is that the text indicates that IPsec/DTLS could be used to > protect the overlay service for both confidentiality and integrity. > While this could be used in some deployment this is not compatible with > transit devices. As such the generic statement is not correct. Section > 6.4 indicates that transit device must be trusted which is incorrect. > Instead the transit device with all nodes between the transit device and > the NVE needs to be trusted. Overall the impression provided is that > IPsec (or TLS) can be used by the service overlay provider, which is (in > my opinion) not true. > > It is unclear to me how authentication of NVE peers differs from the > authentication communication as the latest usually rely on the first. > Maybe the section should insist on mutual authentication. > > Yours, > Daniel > > > [1] https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9= o > [2] https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSG= w > [3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07 > [4] > https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-= 05 > > > > > > On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg 40microsoft.com@dmarc.ietf.org> wrote: > > I am not aware of any IP related to draft-ietf-nvo3-geneve which has not > already been disclosed. > > Thanks > Pankaj > > *From:* Bocci, Matthew (Nokia - GB) > *Sent:* Tuesday, October 9, 2018 2:08 AM > *To:* NVO3 > *Cc:* draft-ietf-nvo3-geneve@ietf.org > *Subject:* Working Group Last Call and IPR Poll for > draft-ietf-nvo3-geneve-08.txt > > This email begins a two-week working group last call for > draft-ietf-nvo3-geneve-08.txt. > > Please review the draft and post any comments to the NVO3 working group > list. If you have read the latest version of the draft but have no commen= ts > and believe it is ready for publication as a standards track RFC, please > also indicate so to the WG email list. > > We are also polling for knowledge of any undisclosed IPR that applies to > this document, to ensure that IPR has been disclosed in compliance with > IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). > If you are listed as an Author or a Contributor of this document, please > respond to this email and indicate whether or not you are aware of any > relevant undisclosed IPR. The Document won't progress without answers fro= m > all the Authors and Contributors. > > Currently there are two IPR disclosures against this document. > > If you are not listed as an Author or a Contributor, then please > explicitly respond only if you are aware of any IPR that has not yet been > disclosed in conformance with IETF rules. > > This poll will run until Friday 26th October. > > Regards > > Matthew and Sam > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > --0000000000003cec800585a1fb2a Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,=C2=A0

My reading is that SHOU= LD NOT means MUST NOT unless we have a good reason for it and security or c= hecksum options fall in that category. AM I missing something ?

Yours,=C2=A0
Daniel

On Tue, Apr 2, 2019 at 11:36 PM = Joe Touch <touch@strayalpha.com<= /a>> wrote:
<= div style=3D"overflow-wrap: break-word;">Hi, all,

FWIW -= I don=E2=80=99t understand this requirement.

Clea= rly, an option MUST NOT depend on options that come before it in the order = they occur, otherwise you could have options defined in a circular manner t= hat cannot be resolved.

However, if you prevent op= tions that depend on other, later options you would undermine the ability t= o have an option that provides authentication (which is useful only when it= includes both the payload and subsequent options) or encryption (which sho= uld at least authenticate the option area, even if it isn=E2=80=99t encrypt= ed). It also undermines the ability to have options that create new checksu= m algorithms.

Are you really seeking to prevent th= ese future possibilities?

Joe


Hi Daniel,
=C2=A0
We updated the draft to restate t= he requirement on options processing, the revised text is much simpler, pro= vides better clarity, and retains the original intent. We believe, this sho= uld address your concerns.
=C2=A0
=C2=A0
Revised text:
=E2=80=9CAn option SHOULD NOT be dependent upon any othe= r option in the
packet, i.e., op= tions can be processed independently of one
another.=C2=A0 Architecturally, options are intended to be self= -
descriptive and independen=
t.=C2=A0 This enables parallelism in option
processing and reduces implementation complexity.=E2=80=9D<=
u>
=C2=A0=
Thanks
Ilango
<= div style=3D"margin:0in 0in 0.0001pt;font-size:12pt;font-family:"Times= New Roman",serif">
From:=C2=A0Daniel Migault [mailto:daniel.migault@ericsson.com]=C2=A0
Sent:=C2=A0= Wednesday, March 20, 2019 1:56 PM
To:=C2=A0Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc:=C2=A0NVO3 <nvo3@ietf.org>
Subject:= =C2=A0= Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-= geneve-08.txt - geneve options
=C2=A0
Hi= ,
=C2=A0
I am looking at the version 12 = and see how it address my concern,
regarding the integration of security options.=
=C2=A0
<= div>
The new text in version 12 mentions:=
"""<= /u>
=C2=A0 =C2=A0o=C2=A0 An option= SHOULD NOT be dependent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., option= s can be processed independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affect t= he parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.=C2=A0 However, option pr= ocessing by tunnel endpoints may
=C2=A0 =C2=A0 =C2=A0 result in the packet being dropped.=C2= =A0 Options may also be used in
=C2=A0 =C2=A0 =C2=A0 conjunction with each other or combined wi= th packet data but this
=C2=A0 =C2=A0 =C2=A0 processing is done above the encapsulation layer.<= u>
"""
=C2=A0<= /div>
I am reading the text as a securit= y option can be combined with another
option or the data payload. More specifically, an authent= ication option
that = authenticates some options and/or the payload may result in the
packet to be discarded or not.<= u>
=C2=A0=
I think we are making progress. H= owever, I am not clear about the text:
=C2=A0
""" but this processing is done above the encapsulatio= n layer."""
=C2=A0
I am r= eading the encapsulation layer as the Geneve protocol, but I am
not clear what the layer above = is. I am assuming that is a layer
that takes the output of the Geneve decapsulation. If that i= s correct,
I underst= and the text saying Geneve processes the options even though<= /div>
the authentication has failed. Typ= ically, suppose option A covers
options O. Upon verification of A fails, Geneve processes O and= returns
to some upp= er layers that O has been processed while its authentication<= /div>
did not succeed. I am sure that I = misunderstood the text, but I suggest
some clarification are provided to prevent such interpret= ation as the
purpose= of the authenticating O MUST be able to prevent the processing
of the option O.<= /div>
=C2=A0
In the current text I believe the text "&q= uot;"but ...layer""" can be
removed. Another way might be to clarify the la= yer above the
encaps= ulation.
=C2= =A0
=C2=A0
Yours,
Daniel
=C2=A0
<= /u>=C2=A0
On Fri, Mar 8, 201= 9 at 9:44 PM Daniel Migault <dani= el.migault@ericsson.com> wrote:
Hi,
<= /div>
=C2=A0
Thanks for the response. Let me first recap the = previous conversation,
or at least my perception of them. My initial comment was that the
current Geneve specificat= ion prevents the design of security options and
I provided an example. My understanding is ther= e is an agreement that
such option is prevented by the current geneve specification and you<= /u>
challenge the usefulnes= s of such an option (designated as A) as well as
<= div>
argue that an authentication upon failure MUST= result in discarding the
packet.
=C2=A0
The security option= s considered has been mentioned in two independent
security analysis. The example has been desc= ribed and commented
= extensively in the threat analysis as well.=C2=A0 I argue further that
mandating that dropping = the packet, in our case is neither a decision
that can be taken at the option level, nor at the= geneve level. Instead,
it belongs to a policy decision that is likely to result in incoherent<= u>
deployments.<= u>
=C2=A0
<= /div>
As result, the current geneve specificat= ion prevents security options.
Please see below for more additional information.<= /div>
=C2=A0
The current option works similarly to IPsec: IP= sec/ESP is IP option. AH
is an option that authenticates the full IP packet. ESP<= /div>
authenticate/encrypt the IP payloa= d and not the full packet.=C2=A0 Upon
authentication failure *the scope of the authentication* = is discarded
and in = that sense the example I am providing is no more different.
=C2=A0
In our case, the option authenticate an portion = of the geneve packet
that is limited to the option. Tthe coverage of the security option is a
portion of the geneve= header.=C2=A0 As such, the option cannot mandate
=
anything outside of its coverage: the covered= option O. As a result,
dropping the full packet is outside of the scope. Mandating a packet=C2= =A0
drop hardly, in = my opinion apply here.=C2=A0
=C2=A0
Opti= ons are usually non critical for interoperability. Mandating to drop=
the packet when option O c= annot be authenticated would contradict the
<= div style=3D"margin:0in 0in 0.0001pt;font-size:12pt;font-family:"Times= New Roman",serif">non critical status of that option, which is the pa= cket can be processed
=C2=A0- as well as the g= eneve option - specification.
A possible incoherence would be if option A and O are non critica= l would
be that the = implementation ignoring the option A and O will accept the
packet, an implementation understand= ing option O but not option A will
accept the packet while the implementation understanding opt= ion A and O
will rej= ect the packet.
<= /u>=C2=A0
Yours,<= /u>
Daniel
=C2=A0
=C2=A0
On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:
Hi= Daniel,
=C2=A0<= /span>
Please see my re= sponses inline below.
=C2=A0
Tha= nks,
Ilango
=C2=A0=
=C2=A0
From:=C2=A0nvo3 [mailto:nvo3= -bounces@ietf.org]=C2=A0On Behalf Of=C2=A0Daniel Migault
Sent:=C2=A0Monday, March 4, 2019 9:15 AM
To:=C2=A0Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc:<= /b>=C2=A0<= /span>nvo3@ietf.org
Subject:=C2=A0Re: [= nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.tx= t
=C2=A0
Hi Ilango,=C2=A0=
=C2=A0
Thanks for the response.=C2=A0Please see a= concrete example to illustrate my concern=C2=A0
<= div>
for comment 1. For comment 2, it really helped= you indicated that Geneve is expected=C2=A0
=
to be an end-to-end protocol. This will help me up= date the security requirement=C2=A0
document. However, the current Geneve specification with tr= ansit devices seems -=C2=A0
at least to me - to raise an architecture concern as raised in [1].=
=C2=A0
-- comment 1:=
=C2=A0
<= div>
Thanks for the feed back. I understand the pur= pose of keeping option
independent one from each other, and favour this is strongly recommended= .
However, I am not = convinced this applies always. More specifically, in a
<= /div>
context of security, the purpose of a se= curity option may be related to
another option. Typically, a security option providing authenti= cation or
encryption= is potentially authenticating/encryption another option or
other information contained in the = header.
=C2=A0
The typical scenario I ha= ve in mind would be an authentication option A
authenticating option O. There will clearly some= dependencies between A
and O as O could only be used if A has been primarily been validated.
The current statement= "SHOULD NOT be dependent" enables this. However, I=
have concerns regarding the state= ment "MUST NOT affect the parsing or
interpretation". In fact, the output of A, will = determine if O should be
dropped or processed normally. In case A shows O is not appropriately<= u>
authenticated, O mig= ht be rejected based on its C value. The ambiguity I
see is that A can be understood as affecti= ng the parsing and
i= nterpretation of O or as a pre-processing operation before parsing or
interpretation of O.
=C2=A0
I think, the text needs further clari= fications to remove such ambiguity.
Changing MUST NOT by SHOULD NOT was of course only one prop= osition and
this cou= ld be also addressed otherwise. It might be better, I agree, to
explicitly mention that some op= tions may provide condition on the
parsing of the options. This would leave the parsing of the = options unchanged.=C2=A0
=C2=A0
<Ila= ngo>
If I und= erstand your example correctly, you want to have one option authenticate th= e contents of another option and if that authentication fails, drop the opt= ion. This would not drop the entire packet unless that option is critical. = Can you give a use case for this? This seems unusual and not something that= is supported by other security protocols such as IPsec or TLS to the best = of our knowledge.
=C2=A0
I belie= ve a more common outcome of a failed authentication is that the entire pack= et would be dropped. As previously noted, the current text does not preclud= e this. It seems like going beyond this would result in significant complex= ity, both for processing options in this specific case as well as the possi= bility of introducing ambiguity in how other options might be defined or pr= ocessed as an unintended consequence. Without a strong use case, this does = not seem desirable.
</>
=C2=A0
-- comment 2= :
=C2=A0
Thanks for the response that cl= arifies a bit my understanding of the
transit devices.. I believe the issue I have is related t= o the transit
device= s which I do not see, unless I am wrong, meeting the requirements=
for being OPTIONAL and that s= eems - at least to me - contradicting the
status of end-to-end protocol. As suggested in [1], t= ransit devices seem to raise
architectural concerns that is not needed.
=C2=A0
You are correct that the text is clear that transit devi= ces are
OPTIONAL. Ho= wever, my understanding of OPTIONAL from 2119 is that there=C2=A0=
are two sides of it. One is t= hat a vendor may implement it or not, but
the other side is that interoperability with other im= plementations are
no= t affected. In this case, two Geneve endpoints using TLS or IPsec will
not be able to interoper= ate with an implementation based on transit
<= div style=3D"margin:0in 0in 0.0001pt;font-size:12pt;font-family:"Times= New Roman",serif">devices (unless the process being performed by the = transit devices is
a= lso performed by the NVE). In that sense, I believe OPTIONAL statement
is not appropriated here= .=C2=A0
=C2=A0
An implementation with tr= ansit devices seems to prevent the=C2=A0
interoperability of with an implementation where=C2=A0= options are treated=C2=A0
by the NVE over a secure channel. If we suppose that NVE and=C2=A0
transit devices suppo= rt the same options, then transit devices are not=C2=A0
=
necessary and could be removed from the= specification. If options
supported by transit devices are different from those supported by= =C2=A0
the NVE, inte= roperability will not be achieved. Transit device will not be=C2=A0<= u>
able to process the options= , resulting in options will be ignored (while=C2=A0
being supported by the implementation).. In= addition,=C2=A0if the options=C2=A0
are critical, the NVE is likely to drop the packet as it d= oes not support=C2=A0
= =C2=A0
In addition, = I have some hard time to understand the end-to-end model=C2=A0
with a transit device even optio= nal. I believe that end-to-end protocol
is a good path, though. However, my understanding of en= d-to-end protocol
is= that they should only involve two end points. I see the NVE as end<= u>
points but the optional tra= nsit device does not seems to be one of
these. However, to help me understand better this, as i= t seems Geneve is=C2=A0
similar to other end-to-end protocol, maybe you could provide similar= =C2=A0
end-to-end pr= otocol that involves a transit devices or something similar.=C2=A0 =C2=A0
=C2=A0<= /div>
I also have another cla= rification regarding transit device. I see these
<= div>
transit devices as adding a lot of complexity = to the end-to-end model
with little benefits. Typically, as far as I understand, they can only<= u>
read an option. I am= thus wondering whether we should not be better off
removing them from the specification. This = would end up with a clear
end-to-end model. Reversely, I do not see anything preventing a vendo= r
to implement them = at least for unsecure deployments. Removing them=C2=A0
<= /div>
from the specification would leave the t= ransit devices as implementation=C2=A0
specific. What are actually the benefits of the transit = devices that would=C2=A0
justify them to be part of the specification?
=C2=A0
<Ilango>
Transit devices exists in the underlay network, these are= simply forwarding elements (e.g. switches, routers) that generally forward= s packets based on outer header information, there is nothing that stops su= ch devices from reading the contents if the data is in the clear.=C2=A0 Thi= s works with any transport protocols like IP, IP in IP, GRE, VXLAN, etc.=C2= =A0 For example, routers may look at headers and/or inner payload for ECMP = purposes or for statistics or logging purposes. If the packet is encrypted = then such transit devices cannot look into the packets but would simply for= ward based on the outer headers and use information in outer headers for en= tropy. There is no interoperability issue between the endpoints. Geneve is = no different.
= =C2=A0
Recognizi= ng the fact that such a device is anyway going to exist in the network, Gen= eve draft provides guidance on how to handle Geneve headers (if a device ha= s the option to do so).=C2=A0 Geneve options are part of Geneve header, a t= ransit device that is capable of interpreting Geneve headers may interpret = an option or skip over the option to view the payload, etc.=C2=A0 If a tran= sit device is not able interpret the header or option, it has to simply use= the outer header to forward the packet (outer IP/UDP). This is what the Ge= neve draft clarifies.
=C2=A0
The= se guidelines reduce possible interoperability issues compared to if behavi= or was left undefined. For example, transit devices are not allowed to drop= packets or fall back to a slow path on the basis of an unknown option. If = this were to happen, it would hamper the introduction of new options. It mi= ght also be worth mentioning that anything that could be considered a middl= ebox is not a transit device but needs to be modeled as an endpoint and so = Geneve really should be viewed as a tunnel endpoint-to-endpoint protocol.
<end>
=C2=A0
You= rs,=C2=A0
Daniel=C2= =A0
=C2=A0<= /div>
On Sat, Mar 2, 2019 at 8:18 PM Gang= a, Ilango S <ilango.s.ganga@intel.co= m> wrote:
Hi Daniel,
=C2=A0
Let us be specific. I see that you have two comments on the latest= draft-ietf-nvo3-geneve-09.=C2=A0 Please see below for responses to your co= mments.
=C2=A0
Comment 1:=
OLD
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be dependent up= on any other option in the
=C2= =A0 =C2=A0 =C2=A0 packet, i.e., options can be processed independent of one= another.
=C2=A0 =C2=A0 =C2=A0 = An option MUST NOT affect the parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.
=C2=A0
NEW
=C2=A0
=C2=A0 =C2=A0o=C2=A0 An option SHOULD N= OT be dependent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be processed = independent of one another.
=C2= =A0 =C2=A0 =C2=A0 An option SHOULD NOT affect the parsing or interpretation= of any
=C2=A0 =C2=A0 =C2=A0 ot= her option.
=C2=A0
<Ilango>
Architecturally Genev= e options can be processed independent of one another. The second statement= clearly states that parsing or interpretation of one option must not affec= t the other.=C2=A0 This is a reasonable constraint to avoid nested dependen= cies. Options can be designed to work with the requirements specified in Ge= neve.
=C2=A0
Let us take specifi= c examples:
We = could think of a design of a Header Integrity check option (related to your= example). In this case if the header integrity check fails, as a result th= e entire header is invalid and hence the most likely outcome of a failed ch= eck is that the packet being dropped (including any options in that packet = whether parsed/interpreted or not). The current text does not preclude the = packet being dropped as result of failure.=C2=A0
=C2=A0
It is possible to design options, including any secu= rity options, with these constraints.=C2=A0 We don=E2=80=99t see a reason t= o change this requirement that may have unintended consequences.<= /u>
=C2=A0
Comment 2:
=C2=A0
NEW<= /u>
Security Consideration
=C2=A0
communication using IPsec or DTLS. Howe= ver, such mechanisms cannot be
= applied for deployments that include transit devices..=C2=A0<= /div>
=C2=A0
Some deployment may not be able to secure the full communication usin= g
IPsec or DTLS between the NVE= s. This could be motivated by the presence
of transit devices or by a risk analysis that concludes that th= e Geneve
packet be only partial= ly protected - typically reduced to the Geneve
Header information. In such cases Geneve specific mechanism= s needs to be
designed.=C2=A0
=C2=A0<= /u>
<Ilango> The challenge is, = you are asking to impose requirements that is not supported by Geneve archi= tecture. Geneve has an optional feature where transit devices may be able t= o interpret Geneve options. However this is not a requirement for Geneve op= eration between tunnel end point to tunnel end point. We have tried make th= is very clear by adding clarifying text during the last two revisions. If t= he Geneve packet is in the clear then transit devices may be able to view t= he Genve header, options, and the payload. However if the packet is encrypt= ed then transit devices cannot view the packet contents. This is consistent= with other transport protocols encrypting the packets. So we don=E2=80=99t= see a reason why Geneve should be different. =C2=A0=C2=A0=
=C2=A0
Geneve is an end to end protocol between = tunnel endpoints and the NVEs decide to secure (encrypt) the packets betwee= n tunnel endpoints. If a middle box has a need to see an encrypted packet, = then it has to implement tunnel endpoint functionality.
=C2=A0
We already have text in 6.4 security conside= ration section that provides clear guidance to the operators.=
=C2=A0
So we don=E2=80=99t see a good reason = to add the suggested text above.
=C2=A0
= For a complete threat analysis, a security analysis of Geneve or some
guide lines to secure a Geneve overl= ay network, please refer to
[dr= aft-mglt-nvo3-geneve-security-requirements] as well as
<= div style=3D"margin:0in 0in 0.0001pt;font-size:12pt;font-family:"Times= New Roman",serif">[draft-ietf-nvo3-security-requirements].<= /u>
=C2=A0
=
<Ilango>
<= div style=3D"margin:0in 0in 0.0001pt;font-size:12pt;font-family:"Times= New Roman",serif">The security requirements document =C2=A0ma= kes certain assumptions that is unsupported by Geneve architecture. We have= tried to clarify this multiple times, however you have still maintained th= is in the requirements document. So this needs to be addressed. Also the do= cument is not yet adopted by the working group.
<= div style=3D"margin:0in 0in 0.0001pt;font-size:12pt;font-family:"Times= New Roman",serif">=C2=A0
Moreover, Geneve security consideration section has = been significantly enhanced to provide guidance to operators and to address= the comments. So both documents can progress independently.<= u>
=C2=A0
Thanks,
Ilango
=C2=A0
=C2=A0
= From:<= /b>=C2=A0Daniel = Migault [mailto:daniel.migault@erics= son.com]=C2=A0
Sent:=C2=A0Saturday, March 2, 2019 8:49 AM
To:= =C2=A0= Bocci, Matthew (Nokia - GB) <m= atthew.bocci@nokia.com>
Cc:=C2=A0draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg <pankajg= =3D40microsoft.com@dmarc.ietf.org= >; NVO3 <nvo3@ietf.org>
Sub= ject:= =C2=A0Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf= -nvo3-geneve-08.txt
=C2= =A0
Hi Matt,<= /u>
=C2=A0=C2=A0<= /u>
=C2=A0
You are correct, this is at least not an re= gular process to have a
standard track document being updated by an informational. I do not see=
either any requirem= ents for having a WG status to become a reference,
but that is something we could confirm with = the RFC-editor.
=C2= =A0
Back to the init= ial suggestion, I also believe the difficulties of updating=C2=A0=
the Geneve specifications are= far less complex than updating the=C2=A0
implementation, and for that specific reason, it woul= d be good we have a=C2=A0
consensus on the security analyse.
=C2=A0
I agree that WG draft would be better, and RFC would be even better= as
we have seen WG = document being stalled. I am confident we can make this
=
happen or at least I do not see major i= ssues.
=C2=A0=
Yours,
=
Daniel
=C2=A0
=C2=A0
On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com> wrote:
WG, Daniel,<= /u>
=C2=A0=
Apologies= but I mis-spoke on the suggestion for the security requirements to act as = an update to the encapsulation RFC in future. This would be difficult to do= as it is informational.
=C2=A0
Nonetheless I think we should only be referencing= a WG draft (at a minimum) here.
=C2=A0
Matthew
=C2=A0
<= div style=3D"margin:0in 0in 0.0001pt;font-size:12pt;font-family:"Times= New Roman",serif">=C2=A0
=C2=A0
From:=C2=A0Dacheng Zh= ang <nvo3-bounces@ietf.org> on b= ehalf of "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Date:=C2=A0Friday, 1 Ma= rch 2019 at 16:24
To:=C2=A0Daniel Migault <daniel.migault@ericsson.com>
Cc:=C2=A0&quo= t;draft-ietf-nvo3-geneve@ietf.or= g" <draft-ietf-nvo3-= geneve@ietf.org>, Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>, NVO3 <nvo3@ietf.org>
Subject:=C2=A0Re: [nvo3] Wor= king Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt<= u>
=C2=A0
Daniel
=C2=A0
From a procedural perspective, referring to your draft c= reates a dependency and that draft has not yet been adopted by the WG. The = old Security requirements framework expired a couple of years ago and does = not seem to be being progressed.=C2=A0
Maybe a better approach to allow progress,= as long as the WG can agree to your text (if needed) to satisfy the concer= n that future security mechanisms can be used, and that the evolving threat= analysis is understood by implementers and users of Geneve, would be to ma= rk the Geneve security requirements as an update to the geneve encapsulatio= n RFC when it is published.
=C2=A0
Matthew
=C2=A0
From:=C2=A0Daniel Migault <daniel.migault@ericsson.com>
<= b>Date:=C2= =A0Friday, 1 March 2019 at 16:11
To:=C2=A0"Bocci, Ma= tthew (Nokia - GB)" <matthew.boc= ci@nokia.com>
Cc:=C2=A0Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>, "= ;draft-ietf-nvo3-geneve@ietf.org= " <draft-ietf-nvo3-g= eneve@ietf.org>, NVO3 <nvo3@ietf.org= >
Subject:=C2=A0Re: [nvo3] Working Group Last Call and IPR Poll f= or draft-ietf-nvo3-geneve-08.txt
=C2=A0
<= /div>
Hi Matthe= w,=C2=A0
=C2=A0
I am happy to clarify and be more specific.= However, despite your
reading of [1] I think [1] clearly indicates= the changes I expected as
well as that these changes needs to be = made.=C2=A0
<= span lang=3D"EN-GB">=C2=A0
I believe the responsibility of not add= ressing an acknowledged issue is
more on the side of people ignorin= g the issue=C2=A0 then on the side of the
<= div>
one raising this issue. M= y impression is that this is the situation we
are in.=C2=A0<= u>
=C2=A0=C2=A0
I agree that my initial comment saying "I am fin= e with the text if we do
not find something better." might hav= e been confusing and I apology for
this. At the time of writing the= initial comment I was not sure I was
=
not missing something nor tha= t the problem could not be solved here or
<= div>
somewhere else (in anothe= r section). My meaning behind those words were
that I was open to t= he way the concerned could be addressed. However, -
from my point o= f view - the text does not say the issue does not need to<= /u>
be solved= which is the way it has been interpreted. In addition, I<= /u>
believe I= have clarified this right away after the concern has been=
acknowle= dged and not addressed. As result, I do not think my comment<= u>
could = be reasonably read as the text is fine.
=C2=A0=
Please fine = the below the initial comment its response and the response
to the = response from [1].=C2=A0
=C2=A0
"""
= <mglt> In case we have a option providing authentication, such option=
may affect the interpretation of the other options.
s/in= terpretation/ndependance may not be better.... I think what we want<= u>
to say is that option MUST be able to be processed in any order or in
parallel.=C2=A0 I am fine with the text if we do not find something bet= ter.
</mglt>
=C2=A0
=
<Ilango> This is a= good point, however we believe that this text
captures the intent.= =C2=A0 </>=C2=A0
=C2=A0
=
<mglt2>The problem I ha= ve is that the current text prevents security
options, so I guess s= ome clarification should be brought to clarify the
intent.</mglt= 2>=C2=A0
<= span lang=3D"EN-GB">"""
=C2=A0<= /div>
If I had to s= uggest some text I would suggest the following - or
something aroun= d the following lines.=C2=A0
=C2=A0
=C2=A0=
OLD
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be dependent upon any other o= ption in the
= =C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be proc= essed independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option MU= ST NOT affect the parsing or interpretation of any
=C2=A0 =C2=A0 = =C2=A0 other option.
=C2=A0
NEW
<= /div>
=C2=A0
=C2= =A0 =C2=A0o=C2=A0 An option SHOULD NOT be dependent upon any other option i= n the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be processed i= ndependent of one another.
=C2=A0 =C2=A0 =C2=A0 An option SHOULD N= OT affect the parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0= other option.
=C2=A0
There are rare cases were the parsing= of one option affects the parsing
or the interpretation of other o= ption. Option related to security may
=
fall into this category. Typi= cally, if an option enables the
authentication of another option an= d the authentication does not
succeed, the authenticated option MUS= T NOT be processed. Other options
may be designed in the future.=C2= =A0=C2=A0
=C2=A0
NEW
<= div style=3D"margin:0in 0in 0.0001pt;font-size:12pt;font-family:"Times= New Roman",serif">Security Consideration<= u>
=C2=A0
Geneve Overlay may be secured using by protecting the NVE-t= o-NVE
communication using IPsec or DTLS. However, such mechanisms c= annot be
applied for deployments that include transit devices.=C2= =A0
=C2=A0
Some deployment may not be able to secure the fu= ll communication using
IPsec or DTLS between the NVEs. This could b= e motivated by the presence
of transit devices or by a risk analysi= s that concludes that the Geneve
packet be only partially protected= - typically reduced to the Geneve
Header information. In such case= s Geneve specific mechanisms needs to be
designed.=C2=A0<= /u>
= =C2=A0
For a complete threat analysis, a security analysis of Genev= e or some
guide lines to secure a Geneve overlay network, please re= fer to
[draft-mglt-nvo3-geneve-security-requirements] as well as
[draft-ietf-nvo3-security-requirements].
=C2=A0=
For f= ull disclosure I am a co-author of
draft-mglt-nvo3-geneve-security-= requirement. However the reason for
referring to these documents is= motivated by the fact that I believe
=
these analysis provide a bett= er security analysis than the current (OLD)
security consideration = section.=C2=A0
=C2=A0
Yours,=C2=A0
Daniel=
= =C2=A0
=C2=A0
On Fri, Mar 1, 2019 at 6:03 AM Bocci, M= atthew (Nokia - GB) <matthew.bocci@no= kia.com> wrote:
Hi Daniel<= /u>
=C2=A0=
Thanks for revie= wing the latest version. At this stage it would be helpful if you could be = much more concrete and give specifics.
=C2=A0
I think that the main issue is whet= her the design of Geneve prevents future security extensions.=
=C2=A0=
However, in = [1], you stated that you were comfortable with the text if nothing else cou= ld be found.
=C2=A0
What specifically do you want to change in the following, be= aring in mind that there are already claimed implementations of Geneve:
"= ""
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be dependent upon any = other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be processe= d independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affect t= he parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.<= u>
"&quo= t;"
=C2=A0
=C2=A0
Matthew
<= span lang=3D"EN-GB">=C2=A0
=C2=A0
= From:=C2= =A0Daniel Migault <daniel.migault@ericsson.com>
Date:=C2=A0= Friday, 1 March 2019 at 03:06
To:=C2=A0Pankaj Garg <pankajg= =3D40microsoft.com@dmarc.ietf.org= >
Cc:=C2=A0"Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, NVO3 <nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>
= Subject:=C2=A0Re: [nvo3] Working Group Last Call and IPR Poll for draft= -ietf-nvo3-geneve-08.txt
=C2=A0
Hi,=C2=A0<= u>
=C2=A0
I just briefly went through the document quickly and in my = opinion, the document still faces some security issues.
=C2=A0
The current text (in my opinion) prevents any geneve security related
options. Currently Geneve cannot be secured and this prevents future=
work to eventually secure Geneve. In my opinion the current text=
mandates Geneve to remain unsecure.=C2=A0
=C2=A0<= u>
Geneve security option that are willing to authenticate/encrypt a part
of the Geneve Header will affect the parsing of the protected option a= nd
will affect the order in which option needs to be process. Typic= ally a
protected option (authenticated, encrypted) cannot or should= not be
processed before authenticated or decrypted.=C2=A0
= =C2=A0
This has already been mentioned in [1], and the text needs i= n my opinion
= further clarifications.=C2=A0=C2=A0
=C2=A0
"""
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT b= e dependent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packe= t, i.e., options can be processed independent of one another.=
=C2= =A0 =C2=A0 =C2=A0 An option MUST NOT affect the parsing or interpretation o= f any
=C2=A0 =C2=A0 =C2=A0 other option.
=
"""=
=C2=A0
=C2=A0
=C2=A0
<= /div>
As stated in [2] it= remains unclear to me why this section is not
referencing and leve= raging on the security analysis [3-4] performed by
two different in= dependent teams..=C2=A0
=C2=A0
My reading of the security c= onsideration is that the message is that
IPsec or TLS could be used= to protect a geneve overlay network. This is
- in my opinion- not = correct as this does not consider the transit
device. In addition, = the security consideration only considers the case
where the cloud = provider and the overlay network provider are a single=
entity, whic= h I believe oversimplifies the problem.=C2=A0
=C2=A0<= u>
The th= reat model seems to me very vague, so the current security=
consider= ation is limited to solving a problem that is not stated.=C2=A0
=C2= =A0
My reading of the text indicates the tenant can handle by itsel= f the
confidentiality of its information without necessarily relyin= g on the
overlay service provider. This is not correct. Even when t= he tenant uses
IPsec/TLS, it still leaks some information. The curr= ent text contradicts
[3] section 6.2 and [4] section 5.1.=
= =C2=A0
My reading is that the text indicates that IPsec/DTLS could = be used to
protect the overlay service for both confidentiality and= integrity.
<= span lang=3D"EN-GB">While this could be used in some deployment this is not= compatible with
transit devices. As such the generic statement is = not correct. Section
6.4 indicates that transit device must be trus= ted which is incorrect.
Instead the transit device with all nodes b= etween the transit device and
the NVE needs to be trusted.=C2=A0 Ov= erall the impression provided is that
=
IPsec (or TLS) can be used by= the service overlay provider, which is (in
my opinion) not true.= =C2=A0
=C2=A0
It is unclear to me how authentication of NVE= peers differs from the
authentication communication as the latest = usually rely on the first.
Maybe the section should insist on mutu= al authentication.=C2=A0=C2=A0
=C2=A0
On Wed, Feb 27, 2019 at 7:30 PM P= ankaj Garg <pankajg=3D40micros= oft.com@dmarc.ietf.org> wrote:
I am not aware of any IP related = to draft-ietf-nvo3-geneve which has not already been disclosed.
=C2=A0
Thanks
Pankaj
=C2=A0
From:=C2=A0Bocci, Matthew (Nokia - GB) <matthew= .bocci@nokia.com>=C2=A0
Sent:=C2=A0Tuesday, October 9, 2018 2:08= AM
To:=C2=A0NVO3 <nvo3@ietf.org>=
Cc:=C2=A0draft-ietf-nv= o3-geneve@ietf.org
Subject:=C2=A0Working Group Last Call and IPR= Poll for draft-ietf-nvo3-geneve-08.txt
=C2=A0
This email begins a two-week working group last call for = draft-ietf-nvo3-geneve-08.txt.
=C2=A0
Please review the draft and post any commen= ts to the NVO3 working group list. If you have read the latest version of t= he draft but have no comments and believe it is ready for publication as a = standards track RFC, please also indicate so to the WG email list.
=C2=A0
We are = also polling for knowledge of any undisclosed IPR that applies to this docu= ment, to ensure that IPR has been disclosed in compliance with IETF IPR rul= es (see RFCs 3979, 4879, 3669 and 5378 for more details).<= /u>
If you are listed as= an Author or a Contributor of this document, please respond to this email = and indicate whether or not you are aware of any relevant undisclosed IPR. = The Document won't progress without answers from all the Authors and Co= ntributors.
=C2=A0
Currently there are two IPR disclosures against this documen= t.
= =C2=A0
If you are not listed as an Author or a Contributor, then please explic= itly respond only if you are aware of any IPR that has not yet been disclos= ed in conformance with IETF rules.
=C2=A0
This poll will run until Friday 26= th= =C2=A0October.
=C2=A0
Regards
=C2=A0
Matthew and Sam
<= /div>
__________________= _____________________________
nvo3 mailing list
nvo3@ietf.org
htt= ps://www.ietf.org/mailman/listinfo/nvo3
___= ____________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3=
_________= ______________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
______________________= _________________________
nvo3 mailing list
= nvo3@ietf.org
https:/= /www.ietf.org/mailman/listinfo/nvo3
_________________= ______________________________
nvo3 mailing list
nvo3@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________nvo3 maili= ng list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo= /nvo3

_________________________= ______________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
--0000000000003cec800585a1fb2a-- From nobody Wed Apr 3 08:43:57 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F791200F7 for ; Wed, 3 Apr 2019 08:43:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.219 X-Spam-Level: X-Spam-Status: No, score=-1.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aka6FER6AucT for ; Wed, 3 Apr 2019 08:43:46 -0700 (PDT) Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CB0212008B for ; Wed, 3 Apr 2019 08:43:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=Message-ID:References:In-Reply-To:Subject:Cc: To:From:Date:Content-Type:MIME-Version:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=mPQa87puMut85XI1Xu4Oc/e8YhQT+ZPyRrqQHee1LMw=; b=Sp4FbP5TuHUj0a6tUfqwxFTCy RT39aM05o2p9bp3QWRtln18k7alERrdYDX1UPOY1E6j7tLr/6Y36+Rdpy1V933AX/IuQxdMC52cv6 1CZpCYHm6TFpi1w6sJimaH9peWaEjCFaI6WXdLqYPsbxqu2YpC/9MJMKlxc1FZGsJr42ekGIFjb00 O/EicXJFncVyqE81yg5p4Q/eI4Zqhfo4nBxrhqHWvyiKHTmdCzdteiGF7ZvgDo5q/4i4EWHIiMvWn CbznPebI8lwvHqU2xOKhk/VzgGrFGV9NgEFymE+8/aeDHqWiK+ABc2YxPsJnqSJOTlfxzzusZkI/5 E/lGJfSwQ==; Received: from [::1] (port=44730 helo=server217.web-hosting.com) by server217.web-hosting.com with esmtpa (Exim 4.91) (envelope-from ) id 1hBi35-000VTJ-Nx; Wed, 03 Apr 2019 11:43:42 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_726e7fe1c9fb89365ed9eb853987bd44" Date: Wed, 03 Apr 2019 08:43:35 -0700 From: Joe Touch To: Daniel Migault Cc: "Ganga, Ilango S" , NVO3 In-Reply-To: References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> <124B2B65-48C6-45B8-94FB-ED4368E65660@strayalpha.com> Message-ID: X-Sender: touch@strayalpha.com User-Agent: Roundcube Webmail/1.3.7 X-OutGoing-Spam-Status: No, score=-1.0 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server217.web-hosting.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - strayalpha.com X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com X-Source: X-Source-Args: X-Source-Dir: X-From-Rewrite: unmodified, already matched Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 15:43:55 -0000 --=_726e7fe1c9fb89365ed9eb853987bd44 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII FWIW, IMO SHOULD NOT needs to come with a description of what would qualify as an exception. However, you can't allow two such exceptions UNLESS they're deconflicted, i.e., who goes first. That never works well in practice because every new option says "I come first". I.e., the point isn't whether you have exceptions - you will. The point is to specify how those cases work, in which case you don't need the SHOULD NOT. Joe On 2019-04-03 08:33, Daniel Migault wrote: > Hi, > My reading is that SHOULD NOT means MUST NOT unless we have a good reason for it and security or checksum options fall in that category. AM I missing something ? > > Yours, > Daniel > > On Tue, Apr 2, 2019 at 11:36 PM Joe Touch wrote: > Hi, all, > > FWIW - I don't understand this requirement. > > Clearly, an option MUST NOT depend on options that come before it in the order they occur, otherwise you could have options defined in a circular manner that cannot be resolved. > > However, if you prevent options that depend on other, later options you would undermine the ability to have an option that provides authentication (which is useful only when it includes both the payload and subsequent options) or encryption (which should at least authenticate the option area, even if it isn't encrypted). It also undermines the ability to have options that create new checksum algorithms. > > Are you really seeking to prevent these future possibilities? > > Joe > > On Mar 26, 2019, at 10:30 PM, Ganga, Ilango S wrote: > > Hi Daniel, > > We updated the draft to restate the requirement on options processing, the revised text is much simpler, provides better clarity, and retains the original intent. We believe, this should address your concerns. > > https://mailarchive.ietf.org/arch/msg/nvo3/-jwq1fjwDufvPl8Qcbk7Iheiegg > > Revised text: > "An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independently of one > another. Architecturally, options are intended to be self- > > descriptive and independent. This enables parallelism in option > > processing and reduces implementation complexity." > > Thanks > Ilango > > FROM: Daniel Migault [mailto:daniel.migault@ericsson.com] > SENT: Wednesday, March 20, 2019 1:56 PM > TO: Ganga, Ilango S > CC: NVO3 > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options > > Hi, > > I am looking at the version 12 and see how it address my concern, > > regarding the integration of security options. > > The new text in version 12 mentions: > > """ > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. However, option processing by tunnel endpoints may > > result in the packet being dropped. Options may also be used in > > conjunction with each other or combined with packet data but this > > processing is done above the encapsulation layer. > > """ > > I am reading the text as a security option can be combined with another > > option or the data payload. More specifically, an authentication option > > that authenticates some options and/or the payload may result in the > > packet to be discarded or not. > > I think we are making progress. However, I am not clear about the text: > > """ but this processing is done above the encapsulation layer.""" > > I am reading the encapsulation layer as the Geneve protocol, but I am > > not clear what the layer above is. I am assuming that is a layer > > that takes the output of the Geneve decapsulation. If that is correct, > > I understand the text saying Geneve processes the options even though > > the authentication has failed. Typically, suppose option A covers > > options O. Upon verification of A fails, Geneve processes O and returns > > to some upper layers that O has been processed while its authentication > > did not succeed. I am sure that I misunderstood the text, but I suggest > > some clarification are provided to prevent such interpretation as the > > purpose of the authenticating O MUST be able to prevent the processing > > of the option O. > > In the current text I believe the text """but ...layer""" can be > > removed. Another way might be to clarify the layer above the > > encapsulation. > > Yours, > > Daniel > > On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault wrote: > > Hi, > > Thanks for the response. Let me first recap the previous conversation, > > or at least my perception of them. My initial comment was that the > > current Geneve specification prevents the design of security options and > > I provided an example. My understanding is there is an agreement that > > such option is prevented by the current geneve specification and you > > challenge the usefulness of such an option (designated as A) as well as > > argue that an authentication upon failure MUST result in discarding the > > packet. > > The security options considered has been mentioned in two independent > > security analysis. The example has been described and commented > > extensively in the threat analysis as well. I argue further that > > mandating that dropping the packet, in our case is neither a decision > > that can be taken at the option level, nor at the geneve level. Instead, > > it belongs to a policy decision that is likely to result in incoherent > > deployments. > > As result, the current geneve specification prevents security options. > > Please see below for more additional information. > > The current option works similarly to IPsec: IPsec/ESP is IP option. AH > > is an option that authenticates the full IP packet. ESP > > authenticate/encrypt the IP payload and not the full packet. Upon > > authentication failure *the scope of the authentication* is discarded > > and in that sense the example I am providing is no more different. > > In our case, the option authenticate an portion of the geneve packet > > that is limited to the option. Tthe coverage of the security option is a > > portion of the geneve header. As such, the option cannot mandate > > anything outside of its coverage: the covered option O. As a result, > > dropping the full packet is outside of the scope. Mandating a packet > > drop hardly, in my opinion apply here. > > Options are usually non critical for interoperability. Mandating to drop > > the packet when option O cannot be authenticated would contradict the > > non critical status of that option, which is the packet can be processed > > without the option. This would be a policy that overwrite the geneve > > - as well as the geneve option - specification. > > A possible incoherence would be if option A and O are non critical would > > be that the implementation ignoring the option A and O will accept the > > packet, an implementation understanding option O but not option A will > > accept the packet while the implementation understanding option A and O > > will reject the packet. > > Yours, > > Daniel > > On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S wrote: > > Hi Daniel, > > Please see my responses inline below. > > Thanks, > Ilango > > FROM: nvo3 [mailto:nvo3-bounces@ietf.org] ON BEHALF OF Daniel Migault > SENT: Monday, March 4, 2019 9:15 AM > TO: Ganga, Ilango S > CC: nvo3@ietf.org > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > Hi Ilango, > > Thanks for the response. Please see a concrete example to illustrate my concern > > for comment 1. For comment 2, it really helped you indicated that Geneve is expected > > to be an end-to-end protocol. This will help me update the security requirement > > document. However, the current Geneve specification with transit devices seems - > > at least to me - to raise an architecture concern as raised in [1]. > > -- comment 1: > > Thanks for the feed back. I understand the purpose of keeping option > > independent one from each other, and favour this is strongly recommended.. > > However, I am not convinced this applies always. More specifically, in a > > context of security, the purpose of a security option may be related to > > another option. Typically, a security option providing authentication or > > encryption is potentially authenticating/encryption another option or > > other information contained in the header. > > The typical scenario I have in mind would be an authentication option A > > authenticating option O. There will clearly some dependencies between A > > and O as O could only be used if A has been primarily been validated. > > The current statement "SHOULD NOT be dependent" enables this. However, I > > have concerns regarding the statement "MUST NOT affect the parsing or > > interpretation". In fact, the output of A, will determine if O should be > > dropped or processed normally. In case A shows O is not appropriately > > authenticated, O might be rejected based on its C value. The ambiguity I > > see is that A can be understood as affecting the parsing and > > interpretation of O or as a pre-processing operation before parsing or > > interpretation of O. > > I think, the text needs further clarifications to remove such ambiguity. > > Changing MUST NOT by SHOULD NOT was of course only one proposition and > > this could be also addressed otherwise. It might be better, I agree, to > > explicitly mention that some options may provide condition on the > > parsing of the options. This would leave the parsing of the options unchanged. > > > If I understand your example correctly, you want to have one option authenticate the contents of another option and if that authentication fails, drop the option. This would not drop the entire packet unless that option is critical. Can you give a use case for this? This seems unusual and not something that is supported by other security protocols such as IPsec or TLS to the best of our knowledge. > > I believe a more common outcome of a failed authentication is that the entire packet would be dropped. As previously noted, the current text does not preclude this. It seems like going beyond this would result in significant complexity, both for processing options in this specific case as well as the possibility of introducing ambiguity in how other options might be defined or processed as an unintended consequence. Without a strong use case, this does not seem desirable. > > > -- comment 2: > > Thanks for the response that clarifies a bit my understanding of the > > transit devices.. I believe the issue I have is related to the transit > > devices which I do not see, unless I am wrong, meeting the requirements > > for being OPTIONAL and that seems - at least to me - contradicting the > > status of end-to-end protocol. As suggested in [1], transit devices seem to raise > > architectural concerns that is not needed. > > You are correct that the text is clear that transit devices are > > OPTIONAL. However, my understanding of OPTIONAL from 2119 is that there > > are two sides of it. One is that a vendor may implement it or not, but > > the other side is that interoperability with other implementations are > > not affected. In this case, two Geneve endpoints using TLS or IPsec will > > not be able to interoperate with an implementation based on transit > > devices (unless the process being performed by the transit devices is > > also performed by the NVE). In that sense, I believe OPTIONAL statement > > is not appropriated here.. > > An implementation with transit devices seems to prevent the > > interoperability of with an implementation where options are treated > > by the NVE over a secure channel. If we suppose that NVE and > > transit devices support the same options, then transit devices are not > > necessary and could be removed from the specification. If options > > supported by transit devices are different from those supported by > > the NVE, interoperability will not be achieved. Transit device will not be > > able to process the options, resulting in options will be ignored (while > > being supported by the implementation).. In addition, if the options > > are critical, the NVE is likely to drop the packet as it does not support > > the option. > > In addition, I have some hard time to understand the end-to-end model > > with a transit device even optional. I believe that end-to-end protocol > > is a good path, though. However, my understanding of end-to-end protocol > > is that they should only involve two end points. I see the NVE as end > > points but the optional transit device does not seems to be one of > > these. However, to help me understand better this, as it seems Geneve is > > similar to other end-to-end protocol, maybe you could provide similar > > end-to-end protocol that involves a transit devices or something similar. > > I also have another clarification regarding transit device. I see these > > transit devices as adding a lot of complexity to the end-to-end model > > with little benefits. Typically, as far as I understand, they can only > > read an option. I am thus wondering whether we should not be better off > > removing them from the specification. This would end up with a clear > > end-to-end model. Reversely, I do not see anything preventing a vendor > > to implement them at least for unsecure deployments. Removing them > > from the specification would leave the transit devices as implementation > > specific. What are actually the benefits of the transit devices that would > > justify them to be part of the specification? > > > Transit devices exists in the underlay network, these are simply forwarding elements (e.g. switches, routers) that generally forwards packets based on outer header information, there is nothing that stops such devices from reading the contents if the data is in the clear. This works with any transport protocols like IP, IP in IP, GRE, VXLAN, etc. For example, routers may look at headers and/or inner payload for ECMP purposes or for statistics or logging purposes. If the packet is encrypted then such transit devices cannot look into the packets but would simply forward based on the outer headers and use information in outer headers for entropy. There is no interoperability issue between the endpoints. Geneve is no different. > > Recognizing the fact that such a device is anyway going to exist in the network, Geneve draft provides guidance on how to handle Geneve headers (if a device has the option to do so). Geneve options are part of Geneve header, a transit device that is capable of interpreting Geneve headers may interpret an option or skip over the option to view the payload, etc. If a transit device is not able interpret the header or option, it has to simply use the outer header to forward the packet (outer IP/UDP). This is what the Geneve draft clarifies. > > These guidelines reduce possible interoperability issues compared to if behavior was left undefined. For example, transit devices are not allowed to drop packets or fall back to a slow path on the basis of an unknown option. If this were to happen, it would hamper the introduction of new options. It might also be worth mentioning that anything that could be considered a middlebox is not a transit device but needs to be modeled as an endpoint and so Geneve really should be viewed as a tunnel endpoint-to-endpoint protocol. > > > [1] https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdhcs > > Yours, > > Daniel > > On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S wrote: > > Hi Daniel, > > Let us be specific. I see that you have two comments on the latest draft-ietf-nvo3-geneve-09. Please see below for responses to your comments. > > Comment 1: > OLD > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option MUST NOT affect the parsing or interpretation of any > other option. > > NEW > > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option SHOULD NOT affect the parsing or interpretation of any > other option. > > > Architecturally Geneve options can be processed independent of one another. The second statement clearly states that parsing or interpretation of one option must not affect the other. This is a reasonable constraint to avoid nested dependencies. Options can be designed to work with the requirements specified in Geneve. > > Let us take specific examples: > We could think of a design of a Header Integrity check option (related to your example). In this case if the header integrity check fails, as a result the entire header is invalid and hence the most likely outcome of a failed check is that the packet being dropped (including any options in that packet whether parsed/interpreted or not). The current text does not preclude the packet being dropped as result of failure. > > It is possible to design options, including any security options, with these constraints. We don't see a reason to change this requirement that may have unintended consequences. > > Comment 2: > > NEW > Security Consideration > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > communication using IPsec or DTLS. However, such mechanisms cannot be > applied for deployments that include transit devices.. > > Some deployment may not be able to secure the full communication using > IPsec or DTLS between the NVEs. This could be motivated by the presence > of transit devices or by a risk analysis that concludes that the Geneve > packet be only partially protected - typically reduced to the Geneve > Header information. In such cases Geneve specific mechanisms needs to be > designed. > > The challenge is, you are asking to impose requirements that is not supported by Geneve architecture. Geneve has an optional feature where transit devices may be able to interpret Geneve options. However this is not a requirement for Geneve operation between tunnel end point to tunnel end point. We have tried make this very clear by adding clarifying text during the last two revisions. If the Geneve packet is in the clear then transit devices may be able to view the Genve header, options, and the payload. However if the packet is encrypted then transit devices cannot view the packet contents. This is consistent with other transport protocols encrypting the packets. So we don't see a reason why Geneve should be different. > > Geneve is an end to end protocol between tunnel endpoints and the NVEs decide to secure (encrypt) the packets between tunnel endpoints. If a middle box has a need to see an encrypted packet, then it has to implement tunnel endpoint functionality. > > We already have text in 6.4 security consideration section that provides clear guidance to the operators. > > So we don't see a good reason to add the suggested text above. > > For a complete threat analysis, a security analysis of Geneve or some > guide lines to secure a Geneve overlay network, please refer to > [draft-mglt-nvo3-geneve-security-requirements] as well as > [draft-ietf-nvo3-security-requirements]. > > > The security requirements document makes certain assumptions that is unsupported by Geneve architecture. We have tried to clarify this multiple times, however you have still maintained this in the requirements document. So this needs to be addressed. Also the document is not yet adopted by the working group. > > Moreover, Geneve security consideration section has been significantly enhanced to provide guidance to operators and to address the comments. So both documents can progress independently. > > Thanks, > Ilango > > FROM: Daniel Migault [mailto:daniel.migault@ericsson.com] > SENT: Saturday, March 2, 2019 8:49 AM > TO: Bocci, Matthew (Nokia - GB) > CC: draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg ; NVO3 > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > Hi Matt, > > You are correct, this is at least not an regular process to have a > > standard track document being updated by an informational. I do not see > > either any requirements for having a WG status to become a reference, > > but that is something we could confirm with the RFC-editor. > > Back to the initial suggestion, I also believe the difficulties of updating > > the Geneve specifications are far less complex than updating the > > implementation, and for that specific reason, it would be good we have a > > consensus on the security analyse. > > I agree that WG draft would be better, and RFC would be even better as > > we have seen WG document being stalled. I am confident we can make this > > happen or at least I do not see major issues. > > Yours, > > Daniel > > On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) wrote: > > WG, Daniel, > > Apologies but I mis-spoke on the suggestion for the security requirements to act as an update to the encapsulation RFC in future. This would be difficult to do as it is informational. > > Nonetheless I think we should only be referencing a WG draft (at a minimum) here. > > Matthew > > FROM: Dacheng Zhang on behalf of "Bocci, Matthew (Nokia - GB)" > DATE: Friday, 1 March 2019 at 16:24 > TO: Daniel Migault > CC: "draft-ietf-nvo3-geneve@ietf.org" , Pankaj Garg , NVO3 > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > Daniel > > From a procedural perspective, referring to your draft creates a dependency and that draft has not yet been adopted by the WG. The old Security requirements framework expired a couple of years ago and does not seem to be being progressed. > Maybe a better approach to allow progress, as long as the WG can agree to your text (if needed) to satisfy the concern that future security mechanisms can be used, and that the evolving threat analysis is understood by implementers and users of Geneve, would be to mark the Geneve security requirements as an update to the geneve encapsulation RFC when it is published. > > Matthew > > FROM: Daniel Migault > DATE: Friday, 1 March 2019 at 16:11 > TO: "Bocci, Matthew (Nokia - GB)" > CC: Pankaj Garg , "draft-ietf-nvo3-geneve@ietf.org" , NVO3 > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > Hi Matthew, > > I am happy to clarify and be more specific. However, despite your > > reading of [1] I think [1] clearly indicates the changes I expected as > > well as that these changes needs to be made. > > I believe the responsibility of not addressing an acknowledged issue is > > more on the side of people ignoring the issue then on the side of the > > one raising this issue. My impression is that this is the situation we > > are in. > > I agree that my initial comment saying "I am fine with the text if we do > > not find something better." might have been confusing and I apology for > > this. At the time of writing the initial comment I was not sure I was > > not missing something nor that the problem could not be solved here or > > somewhere else (in another section). My meaning behind those words were > > that I was open to the way the concerned could be addressed. However, - > > from my point of view - the text does not say the issue does not need to > > be solved which is the way it has been interpreted. In addition, I > > believe I have clarified this right away after the concern has been > > acknowledged and not addressed. As result, I do not think my comment > > could be reasonably read as the text is fine. > > Please fine the below the initial comment its response and the response > > to the response from [1]. > > """ > > In case we have a option providing authentication, such option > > may affect the interpretation of the other options. > > s/interpretation/ndependance may not be better.... I think what we want > > to say is that option MUST be able to be processed in any order or in > > parallel. I am fine with the text if we do not find something better. > > > > This is a good point, however we believe that this text > > captures the intent. > > The problem I have is that the current text prevents security > > options, so I guess some clarification should be brought to clarify the > > intent. > > """ > > If I had to suggest some text I would suggest the following - or > > something around the following lines. > > OLD > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > NEW > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option SHOULD NOT affect the parsing or interpretation of any > > other option. > > There are rare cases were the parsing of one option affects the parsing > > or the interpretation of other option. Option related to security may > > fall into this category. Typically, if an option enables the > > authentication of another option and the authentication does not > > succeed, the authenticated option MUST NOT be processed. Other options > > may be designed in the future. > > NEW > > Security Consideration > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > > communication using IPsec or DTLS. However, such mechanisms cannot be > > applied for deployments that include transit devices. > > Some deployment may not be able to secure the full communication using > > IPsec or DTLS between the NVEs. This could be motivated by the presence > > of transit devices or by a risk analysis that concludes that the Geneve > > packet be only partially protected - typically reduced to the Geneve > > Header information. In such cases Geneve specific mechanisms needs to be > > designed. > > For a complete threat analysis, a security analysis of Geneve or some > > guide lines to secure a Geneve overlay network, please refer to > > [draft-mglt-nvo3-geneve-security-requirements] as well as > > [draft-ietf-nvo3-security-requirements]. > > For full disclosure I am a co-author of > > draft-mglt-nvo3-geneve-security-requirement. However the reason for > > referring to these documents is motivated by the fact that I believe > > these analysis provide a better security analysis than the current (OLD) > > security consideration section. > > Yours, > > Daniel > > On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) wrote: > > Hi Daniel > > Thanks for reviewing the latest version. At this stage it would be helpful if you could be much more concrete and give specifics. > > I think that the main issue is whether the design of Geneve prevents future security extensions. > > However, in [1], you stated that you were comfortable with the text if nothing else could be found. > > What specifically do you want to change in the following, bearing in mind that there are already claimed implementations of Geneve: > """ > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option MUST NOT affect the parsing or interpretation of any > other option. > """ > > Matthew > > FROM: Daniel Migault > DATE: Friday, 1 March 2019 at 03:06 > TO: Pankaj Garg > CC: "Bocci, Matthew (Nokia - GB)" , NVO3 , "draft-ietf-nvo3-geneve@ietf.org" > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > Hi, > > I just briefly went through the document quickly and in my opinion, the document still faces some security issues. > > The current text (in my opinion) prevents any geneve security related > > options. Currently Geneve cannot be secured and this prevents future > > work to eventually secure Geneve. In my opinion the current text > > mandates Geneve to remain unsecure. > > Geneve security option that are willing to authenticate/encrypt a part > > of the Geneve Header will affect the parsing of the protected option and > > will affect the order in which option needs to be process. Typically a > > protected option (authenticated, encrypted) cannot or should not be > > processed before authenticated or decrypted. > > This has already been mentioned in [1], and the text needs in my opinion > > further clarifications. > > """ > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > """ > > As stated in [2] it remains unclear to me why this section is not > > referencing and leveraging on the security analysis [3-4] performed by > > two different independent teams.. > > My reading of the security consideration is that the message is that > > IPsec or TLS could be used to protect a geneve overlay network. This is > > - in my opinion- not correct as this does not consider the transit > > device. In addition, the security consideration only considers the case > > where the cloud provider and the overlay network provider are a single > > entity, which I believe oversimplifies the problem. > > The threat model seems to me very vague, so the current security > > consideration is limited to solving a problem that is not stated. > > My reading of the text indicates the tenant can handle by itself the > > confidentiality of its information without necessarily relying on the > > overlay service provider. This is not correct. Even when the tenant uses > > IPsec/TLS, it still leaks some information. The current text contradicts > > [3] section 6.2 and [4] section 5.1. > > My reading is that the text indicates that IPsec/DTLS could be used to > > protect the overlay service for both confidentiality and integrity. > > While this could be used in some deployment this is not compatible with > > transit devices. As such the generic statement is not correct. Section > > 6.4 indicates that transit device must be trusted which is incorrect. > > Instead the transit device with all nodes between the transit device and > > the NVE needs to be trusted. Overall the impression provided is that > > IPsec (or TLS) can be used by the service overlay provider, which is (in > > my opinion) not true. > > It is unclear to me how authentication of NVE peers differs from the > > authentication communication as the latest usually rely on the first. > > Maybe the section should insist on mutual authentication. > > Yours, > > Daniel > > [1] https://mailarchive.ietf..org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9o [1] > > [2] https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSGw > > [3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07 > > [4] https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-05 > > On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg wrote: > > I am not aware of any IP related to draft-ietf-nvo3-geneve which has not already been disclosed. > > Thanks > Pankaj > > FROM: Bocci, Matthew (Nokia - GB) > SENT: Tuesday, October 9, 2018 2:08 AM > TO: NVO3 > CC: draft-ietf-nvo3-geneve@ietf.org > SUBJECT: Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > This email begins a two-week working group last call for draft-ietf-nvo3-geneve-08.txt. > > Please review the draft and post any comments to the NVO3 working group list. If you have read the latest version of the draft but have no comments and believe it is ready for publication as a standards track RFC, please also indicate so to the WG email list. > > We are also polling for knowledge of any undisclosed IPR that applies to this document, to ensure that IPR has been disclosed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). > If you are listed as an Author or a Contributor of this document, please respond to this email and indicate whether or not you are aware of any relevant undisclosed IPR. The Document won't progress without answers from all the Authors and Contributors. > > Currently there are two IPR disclosures against this document. > > If you are not listed as an Author or a Contributor, then please explicitly respond only if you are aware of any IPR that has not yet been disclosed in conformance with IETF rules. > > This poll will run until Friday 26th October. > > Regards > > Matthew and Sam > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 Links: ------ [1] https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9o --=_726e7fe1c9fb89365ed9eb853987bd44 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8

FWIW, IMO SHOULD NOT needs to come with a description of what would qual= ify as an exception.

However, you can't allow two such exceptions UNLESS they're deconflicted= , i.e., who goes first. That never works well in practice because ever= y new option says "I come first".

I.e., the point isn't whether you have exceptions - you will. The point = is to specify how those cases work, in which case you don't need the SHOULD= NOT.

Joe

 


On 2019-04-03 08:33, Daniel Migault wrote:

Hi, 
 
My reading is that SHOULD NOT means MUST NOT unless we have a good reason f= or it and security or checksum options fall in that category. AM I missing = something ?
 
Yours, 
Daniel

On Tue, Apr 2, 2019 at 11:36 PM Joe T= ouch <touch@strayalpha.com&g= t; wrote:
Hi, all,
 
FWIW - I don't understand this requirement.
 
Clearly, an option MUST NOT depend on options that come before it in t= he order they occur, otherwise you could have options defined in a circular= manner that cannot be resolved.
 
However, if you prevent options that depend on other, later options yo= u would undermine the ability to have an option that provides authenticatio= n (which is useful only when it includes both the payload and subsequent op= tions) or encryption (which should at least authenticate the option area, e= ven if it isn't encrypted). It also undermines the ability to have options = that create new checksum algorithms.
 
Are you really seeking to prevent these future possibilities?
 
Joe

On Mar 26, 2019, at 10:30 PM, Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:

Hi Daniel,
 
We updated the draft to restate the requirement= on options processing, the revised text is much simpler, provides better c= larity, and retains the original intent. We believe, this should address yo= ur concerns.
 
 
Revised text:
"An option SHOULD NOT be dependent upon any other option in the
packet, i.e., options can be processed independently of one
another.  Architecturally, options are intended to be self-<= /u>
descriptive and independent.  This enables parallelis=
m in option
processing and reduces implementation complexity."<=
u>
 
Thanks
Ilango
 
=  
= From: Daniel Migault [mailto:daniel.mi= gault@ericsson.com] 
Sent: Wednesday, March 2= 0, 2019 1:56 PM
To: Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: NVO= 3 <nvo3@ietf.org>
Subject: Re:= [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08= =2Etxt - geneve options
 
Hi,
 
I am looking at the version 12 and see how it address = my concern,
regarding the integration of security options.<= u>
 
The new text in version 12 mentions:
"""
   o  An option SHOULD NOT be dependent= upon any other option in the
      packet, i.e., options can be proc= essed independent of one another.
      An option MUST NOT affect the par= sing or interpretation of any
      other option.  However, opti= on processing by tunnel endpoints may
      result in the packet being droppe= d.  Options may also be used in
      conjunction with each other or co= mbined with packet data but this
      processing is done above the enca= psulation layer.
"""
 
I am reading the text as a security option can be comb= ined with another
option or the data payload. More specifically, an auth= entication option
that authenticates some options and/or the payload ma= y result in the
packet to be discarded or not.
 
I think we are making progress. However, I am not clea= r about the text:
 
""" but this processing is done above the encapsulatio= n layer."""
 
I am reading the encapsulation layer as the Geneve pro= tocol, but I am
not clear what the layer above is. I am assuming that = is a layer
that takes the output of the Geneve decapsulation. If = that is correct,
I understand the text saying Geneve processes the opti= ons even though
the authentication has failed. Typically, suppose opti= on A covers
options O. Upon verification of A fails, Geneve proces= ses O and returns
to some upper layers that O has been processed while i= ts authentication
did not succeed. I am sure that I misunderstood the te= xt, but I suggest
some clarification are provided to prevent such interp= retation as the
purpose of the authenticating O MUST be able to preven= t the processing
of the option O.
 
In the current text I believe the text """but ...layer= """ can be
removed. Another way might be to clarify the layer abo= ve the
encapsulation.
 
 
Yours,
Daniel
 
 
 
On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault <daniel.migault@ericsson.com> wrote:<= u>
Hi,
 
Thanks for the response. Let me first recap the previo= us conversation,
or at least my perception of them. My initial comment = was that the
current Geneve specification prevents the design of se= curity options and
I provided an example. My understanding is there is an= agreement that
such option is prevented by the current geneve specifi= cation and you
challenge the usefulness of such an option (designated= as A) as well as
argue that an authentication upon failure MUST result = in discarding the
packet.
 
The security options considered has been mentioned in = two independent
security analysis. The example has been described and = commented
extensively in the threat analysis as well.  I ar= gue further that
mandating that dropping the packet, in our case is nei= ther a decision
that can be taken at the option level, nor at the gene= ve level. Instead,
it belongs to a policy decision that is likely to resu= lt in incoherent
deployments.
 
As result, the current geneve specification prevents s= ecurity options.
Please see below for more additional information.
 
The current option works similarly to IPsec: IPsec/ESP= is IP option. AH
is an option that authenticates the full IP packet. ES= P
authenticate/encrypt the IP payload and not the full p= acket.  Upon
authentication failure *the scope of the authenticatio= n* is discarded
and in that sense the example I am providing is no mor= e different.
 
In our case, the option authenticate an portion of the= geneve packet
that is limited to the option. Tthe coverage of the se= curity option is a
portion of the geneve header.  As such, the optio= n cannot mandate
anything outside of its coverage: the covered option O= =2E As a result,
dropping the full packet is outside of the scope. Mand= ating a packet 
drop hardly, in my opinion apply here. =
 
Options are usually non critical for interoperability= =2E Mandating to drop
the packet when option O cannot be authenticated would= contradict the
non critical status of that option, which is the packe= t can be processed
without the option. This would be a policy that overwr= ite the geneve
 - as well as the geneve option - specification= =2E
A possible incoherence would be if option A and O are = non critical would
be that the implementation ignoring the option A and O= will accept the
packet, an implementation understanding option O but n= ot option A will
accept the packet while the implementation understandi= ng option A and O
will reject the packet.
 
Yours,
Daniel
 
 
On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:=
Hi Daniel,
 
Please see my responses inline below.=
 
Thanks,
Ilango
 
 
From: nvo3 [mailto:nvo3-bou= nces@ietf.org] On Behalf Of Daniel Migault
Sent: Monday, March 4, 2019 9:15 AM
To: <= /span>Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc: nvo3@ietf.org
Subject: Re: [nvo3] Working Group Last Call and IPR Poll for dr= aft-ietf-nvo3-geneve-08.txt
 
Hi Ilango, 
 
Thanks for the response. Please see a concrete ex= ample to illustrate my concern 
for comment 1. For comment 2, it really helped you ind= icated that Geneve is expected 
to be an end-to-end protocol. This will help me update= the security requirement 
document. However, the current Geneve specification wi= th transit devices seems - 
at least to me - to raise an architecture concern as r= aised in [1].
 
-- comment 1:
 
Thanks for the feed back. I understand the purpose of = keeping option
independent one from each other, and favour this is st= rongly recommended..
However, I am not convinced this applies always. More = specifically, in a
context of security, the purpose of a security option = may be related to
another option. Typically, a security option providing= authentication or
encryption is potentially authenticating/encryption an= other option or
other information contained in the header.
 
The typical scenario I have in mind would be an authen= tication option A
authenticating option O. There will clearly some depen= dencies between A
and O as O could only be used if A has been primarily = been validated.
The current statement "SHOULD NOT be dependent" enable= s this. However, I
have concerns regarding the statement "MUST NOT affect= the parsing or
interpretation". In fact, the output of A, will determ= ine if O should be
dropped or processed normally. In case A shows O is no= t appropriately
authenticated, O might be rejected based on its C valu= e. The ambiguity I
see is that A can be understood as affecting the parsi= ng and
interpretation of O or as a pre-processing operation b= efore parsing or
interpretation of O.
 
I think, the text needs further clarifications to remo= ve such ambiguity.
Changing MUST NOT by SHOULD NOT was of course only one= proposition and
this could be also addressed otherwise. It might be be= tter, I agree, to
explicitly mention that some options may provide condi= tion on the
parsing of the options. This would leave the parsing o= f the options unchanged. 
 
<Ilango>
If I understand your example correctly, you wan= t to have one option authenticate the contents of another option and if tha= t authentication fails, drop the option. This would not drop the entire pac= ket unless that option is critical. Can you give a use case for this? This = seems unusual and not something that is supported by other security protoco= ls such as IPsec or TLS to the best of our knowledge.<= /div>
 
I believe a more common outcome of a failed aut= hentication is that the entire packet would be dropped. As previously noted= , the current text does not preclude this. It seems like going beyond this = would result in significant complexity, both for processing options in this= specific case as well as the possibility of introducing ambiguity in how o= ther options might be defined or processed as an unintended consequence. Wi= thout a strong use case, this does not seem desirable.=
</>
 
-- comment 2:
 
Thanks for the response that clarifies a bit my unders= tanding of the
transit devices.. I believe the issue I have is relate= d to the transit
devices which I do not see, unless I am wrong, meeting= the requirements
for being OPTIONAL and that seems - at least to me - c= ontradicting the
status of end-to-end protocol. As suggested in [1], tr= ansit devices seem to raise
architectural concerns that is not needed.
 
You are correct that the text is clear that transit de= vices are
OPTIONAL. However, my understanding of OPTIONAL from 2= 119 is that there 
are two sides of it. One is that a vendor may implemen= t it or not, but
the other side is that interoperability with other imp= lementations are
not affected. In this case, two Geneve endpoints using= TLS or IPsec will
not be able to interoperate with an implementation bas= ed on transit
devices (unless the process being performed by the tra= nsit devices is
also performed by the NVE). In that sense, I believe O= PTIONAL statement
is not appropriated here.. 
 
An implementation with transit devices seems to preven= t the 
interoperability of with an implementation where = options are treated 
by the NVE over a secure channel. If we suppose that N= VE and 
transit devices support the same options, then transit= devices are not 
necessary and could be removed from the specification= =2E If options
supported by transit devices are different from those = supported by 
the NVE, interoperability will not be achieved. Transi= t device will not be 
able to process the options, resulting in options will= be ignored (while 
being supported by the implementation).. In addition,&= nbsp;if the options 
are critical, the NVE is likely to drop the packet as = it does not support 
the option. 
 
In addition, I have some hard time to understand the e= nd-to-end model 
with a transit device even optional. I believe that en= d-to-end protocol
is a good path, though. However, my understanding of e= nd-to-end protocol
is that they should only involve two end points. I see= the NVE as end
points but the optional transit device does not seems = to be one of
these. However, to help me understand better this, as = it seems Geneve is 
similar to other end-to-end protocol, maybe you could = provide similar 
end-to-end protocol that involves a transit devices or= something similar.   
 
I also have another clarification regarding transit de= vice. I see these
transit devices as adding a lot of complexity to the e= nd-to-end model
with little benefits. Typically, as far as I understan= d, they can only
read an option. I am thus wondering whether we should = not be better off
removing them from the specification. This would end u= p with a clear
end-to-end model. Reversely, I do not see anything pre= venting a vendor
to implement them at least for unsecure deployments. R= emoving them 
from the specification would leave the transit devices= as implementation 
specific. What are actually the benefits of the transi= t devices that would 
justify them to be part of the specification?
 
<Ilango>
Transit devices exists in the underlay network,= these are simply forwarding elements (e.g. switches, routers) that general= ly forwards packets based on outer header information, there is nothing tha= t stops such devices from reading the contents if the data is in the clear= =2E  This works with any transport protocols like IP, IP in IP, GRE, V= XLAN, etc.  For example, routers may look at headers and/or inner payl= oad for ECMP purposes or for statistics or logging purposes. If the packet = is encrypted then such transit devices cannot look into the packets but wou= ld simply forward based on the outer headers and use information in outer h= eaders for entropy. There is no interoperability issue between the endpoint= s. Geneve is no different.
 
Recognizing the fact that such a device is anyw= ay going to exist in the network, Geneve draft provides guidance on how to = handle Geneve headers (if a device has the option to do so).  Geneve o= ptions are part of Geneve header, a transit device that is capable of inter= preting Geneve headers may interpret an option or skip over the option to v= iew the payload, etc.  If a transit device is not able interpret the h= eader or option, it has to simply use the outer header to forward the packe= t (outer IP/UDP). This is what the Geneve draft clarifies.=
 
These guidelines reduce possible interoperabili= ty issues compared to if behavior was left undefined. For example, transit = devices are not allowed to drop packets or fall back to a slow path on the = basis of an unknown option. If this were to happen, it would hamper the int= roduction of new options. It might also be worth mentioning that anything t= hat could be considered a middlebox is not a transit device but needs to be= modeled as an endpoint and so Geneve really should be viewed as a tunnel e= ndpoint-to-endpoint protocol.
<end>
 
 
Yours, 
Daniel 
 
On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:=
Hi Daniel,
 
Let us be specific. I see that you have two com= ments on the latest draft-ietf-nvo3-geneve-09.  Please see below for r= esponses to your comments.
 
Comment 1:
OLD
   o  An option SHOULD NOT be dependent= upon any other option in the
      packet, i.e., options can be proc= essed independent of one another.
      An option MUST NOT affect the par= sing or interpretation of any
      other option.
 
NEW
 
   o  An option SHOULD NOT be dependent= upon any other option in the
      packet, i.e., options can be proc= essed independent of one another.
      An option SHOULD NOT affect the p= arsing or interpretation of any
      other option.
 
<Ilango>
Architecturally Geneve options can be processed= independent of one another. The second statement clearly states that parsi= ng or interpretation of one option must not affect the other.  This is= a reasonable constraint to avoid nested dependencies. Options can be desig= ned to work with the requirements specified in Geneve.=
 
Let us take specific examples:=
We could think of a design of a Header Integrit= y check option (related to your example). In this case if the header integr= ity check fails, as a result the entire header is invalid and hence the mos= t likely outcome of a failed check is that the packet being dropped (includ= ing any options in that packet whether parsed/interpreted or not). The curr= ent text does not preclude the packet being dropped as result of failure. 
 
It is possible to design options, including any= security options, with these constraints.  We don't see a reason to c= hange this requirement that may have unintended consequences.=
 
Comment 2:
 
NEW
Security Consideration
 
Geneve Overlay may be secured using by protecting the = NVE-to-NVE
communication using IPsec or DTLS. However, such mecha= nisms cannot be
applied for deployments that include transit devices= =2E. 
 
Some deployment may not be able to secure the full com= munication using
IPsec or DTLS between the NVEs. This could be motivate= d by the presence
of transit devices or by a risk analysis that conclude= s that the Geneve
packet be only partially protected - typically reduced= to the Geneve
Header information. In such cases Geneve specific mech= anisms needs to be
designed. 
 
<Ilango> The challenge is, you are asking= to impose requirements that is not supported by Geneve architecture. Genev= e has an optional feature where transit devices may be able to interpret Ge= neve options. However this is not a requirement for Geneve operation betwee= n tunnel end point to tunnel end point. We have tried make this very clear = by adding clarifying text during the last two revisions. If the Geneve pack= et is in the clear then transit devices may be able to view the Genve heade= r, options, and the payload. However if the packet is encrypted then transi= t devices cannot view the packet contents. This is consistent with other tr= ansport protocols encrypting the packets. So we don't see a reason why Gene= ve should be different.   
 
Geneve is an end to end protocol between tunnel= endpoints and the NVEs decide to secure (encrypt) the packets between tunn= el endpoints. If a middle box has a need to see an encrypted packet, then i= t has to implement tunnel endpoint functionality.
 
We already have text in 6.4 security considerat= ion section that provides clear guidance to the operators.=
 
So we don't see a good reason to add the sugges= ted text above.
 
For a complete threat analysis, a security analysis of= Geneve or some
guide lines to secure a Geneve overlay network, please= refer to
[draft-mglt-nvo3-geneve-security-requirements] as well= as
[draft-ietf-nvo3-security-requirements].=
 
<Ilango>
The security requirements document  makes = certain assumptions that is unsupported by Geneve architecture. We have tri= ed to clarify this multiple times, however you have still maintained this i= n the requirements document. So this needs to be addressed. Also the docume= nt is not yet adopted by the working group.
 
Moreover, Geneve security consideration section= has been significantly enhanced to provide guidance to operators and to ad= dress the comments. So both documents can progress independently.=
 
Thanks,
Ilango
 
 
From: Daniel Migault [mailto:daniel.migault@ericsson.com] 
Sent:=  Saturday, March 2, 2019 8:49 AM
To: Bocci, Matth= ew (Nokia - GB) <matthew.bocci@nokia.com>Cc: draft-ietf-nvo3-gene= ve@ietf.org; Pankaj Garg <pankajg=3D40mi= crosoft.com@dmarc.ietf.org>; NVO3 <nvo3@ietf.org&g= t;
Subject: Re: [nvo3] Working Group Last Call and = IPR Poll for draft-ietf-nvo3-geneve-08.txt
 
Hi Matt,
  
 
You are correct, this is at least not an regular proce= ss to have a
standard track document being updated by an informatio= nal. I do not see
either any requirements for having a WG status to beco= me a reference,
but that is something we could confirm with the RFC-ed= itor.
 
Back to the initial suggestion, I also believe the dif= ficulties of updating 
the Geneve specifications are far less complex than up= dating the 
implementation, and for that specific reason, it would= be good we have a 
consensus on the security analyse.
 
I agree that WG draft would be better, and RFC would b= e even better as
we have seen WG document being stalled. I am confident= we can make this
happen or at least I do not see major issues.
 
Yours,
Daniel
 
 
On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia = - GB) <matthew.bocci@nokia.com> wrote:
WG, Daniel,
 
Apologies but I mis-spoke on the suggestion for = the security requirements to act as an update to the encapsulation RFC in f= uture. This would be difficult to do as it is informational.<= u>
 
Nonetheless I think we should only be referencin= g a WG draft (at a minimum) here.
 
Matthew
 
 
 
From: Dacheng Zh= ang <nvo3-bounces@ietf.org> on behalf of "Bocc= i, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Date: Friday, 1 March 2019 at 16:24
To:&n= bsp;Daniel Migault <daniel.miga= ult@ericsson.com>
Cc: "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>, Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>, NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] W= orking Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt
 
Daniel
 
From a procedural perspective, referring to your= draft creates a dependency and that draft has not yet been adopted by the = WG. The old Security requirements framework expired a couple of years ago a= nd does not seem to be being progressed. 
Maybe a better approach to allow progress, as lo= ng as the WG can agree to your text (if needed) to satisfy the concern that= future security mechanisms can be used, and that the evolving threat analy= sis is understood by implementers and users of Geneve, would be to mark the= Geneve security requirements as an update to the geneve encapsulation RFC = when it is published.
 
Matthew
 
From: Daniel Mig= ault <daniel.migault@ericsson.com>
= Date: Friday, 1 March 2019 at 16:11
To: <= /strong>"Bocci, Matthew (Nokia - GB)" <matthew.bocc= i@nokia.com>
Cc: Pankaj Garg <pankajg=3D<= a style=3D"color: purple; text-decoration: underline;" href=3D"mailto:40mic= rosoft.com@dmarc.ietf.org">40microsoft.com@dmarc.ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>, NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] Workin= g Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt<= /u>
 
Hi Matthew, 
 
I am happy to clarify and be more specific. Howe= ver, despite your
reading of [1] I think [1] clearly indicates the= changes I expected as
well as that these changes needs to be made.&nbs= p;
 
I believe the responsibility of not addressing a= n acknowledged issue is
more on the side of people ignoring the issue&nb= sp; then on the side of the
one raising this issue. My impression is that th= is is the situation we
are in. 
  
I agree that my initial comment saying "I am fin= e with the text if we do
not find something better." might have been conf= using and I apology for
this. At the time of writing the initial comment= I was not sure I was
not missing something nor that the problem could= not be solved here or
somewhere else (in another section). My meaning = behind those words were
that I was open to the way the concerned could b= e addressed. However, -
from my point of view - the text does not say th= e issue does not need to
be solved which is the way it has been interpret= ed. In addition, I
believe I have clarified this right away after t= he concern has been
acknowledged and not addressed. As result, I do = not think my comment
could be reasonably read as the text is fine.
 
Please fine the below the initial comment its re= sponse and the response
to the response from [1]. =
 
"""
<mglt> In case we have a option providing = authentication, such option
may affect the interpretation of the other optio= ns.
s/interpretation/ndependance may not be better= =2E... I think what we want
to say is that option MUST be able to be process= ed in any order or in
parallel.  I am fine with the text if we do= not find something better.
</mglt>
 
<Ilango> This is a good point, however we = believe that this text
captures the intent.  </> 
 
<mglt2>The problem I have is that the curr= ent text prevents security
options, so I guess some clarification should be= brought to clarify the
intent.</mglt2> =
"""
 
If I had to suggest some text I would suggest th= e following - or
something around the following lines. 
 
 
OLD
   o  An option SHOULD NOT be dep= endent upon any other option in the
      packet, i.e., options can b= e processed independent of one another.
      An option MUST NOT affect t= he parsing or interpretation of any
      other option.=
 
NEW
 
   o  An option SHOULD NOT be dep= endent upon any other option in the
      packet, i.e., options can b= e processed independent of one another.
      An option SHOULD NOT affect= the parsing or interpretation of any
      other option.=
 
There are rare cases were the parsing of one opt= ion affects the parsing
or the interpretation of other option. Option re= lated to security may
fall into this category. Typically, if an option= enables the
authentication of another option and the authent= ication does not
succeed, the authenticated option MUST NOT be pr= ocessed. Other options
may be designed in the future.  
 
NEW
Security Consideration
 
Geneve Overlay may be secured using by protecti= ng the NVE-to-NVE
communication using IPsec or DTLS. However, such= mechanisms cannot be
applied for deployments that include transit dev= ices. 
 
Some deployment may not be able to secure the fu= ll communication using
IPsec or DTLS between the NVEs. This could be mo= tivated by the presence
of transit devices or by a risk analysis that co= ncludes that the Geneve
packet be only partially protected - typically r= educed to the Geneve
Header information. In such cases Geneve specifi= c mechanisms needs to be
designed. 
 
For a complete threat analysis, a security analy= sis of Geneve or some
guide lines to secure a Geneve overlay network, = please refer to
[draft-mglt-nvo3-geneve-security-requirements] a= s well as
[draft-ietf-nvo3-security-requirements].<= u>
 
For full disclosure I am a co-author of
draft-mglt-nvo3-geneve-security-requirement. How= ever the reason for
referring to these documents is motivated by the= fact that I believe
these analysis provide a better security analysi= s than the current (OLD)
security consideration section. <= /u>
 
Yours, 
Daniel
 
 
On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (N= okia - GB) <matthew.bocci@nokia.com> wrote:<= /span>
Hi Daniel
 
Thanks for reviewing the latest version. At this= stage it would be helpful if you could be much more concrete and give spec= ifics.
 
I think that the main issue is whether the desig= n of Geneve prevents future security extensions.
 
However, in [1], you stated that you were comfor= table with the text if nothing else could be found.
 
What specifically do you want to change in the f= ollowing, bearing in mind that there are already claimed implementations of= Geneve:
"""
   o  An option SHOULD NOT be dep= endent upon any other option in the
      packet, i.e., options can b= e processed independent of one another.
      An option MUST NOT affect t= he parsing or interpretation of any
      other option.=
"""
 
 
Matthew
 
 
From: Daniel Mig= ault <daniel.migault@ericsson.com>
= Date: Friday, 1 March 2019 at 03:06
To: <= /strong>Pankaj Garg <pankajg=3D40microsoft= =2Ecom@dmarc.ietf.org>
Cc: "Bocci, Matthew (= Nokia - GB)" <matthew.bocci@nokia.com>, NVO3= <nvo3@ietf.org>, "draft-= ietf-nvo3-geneve@ietf.org" <draft-ietf-= nvo3-geneve@ietf.org>
Subject: Re: [nvo3] Wo= rking Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt=
 
Hi, 
 
I just briefly went through the document quickl= y and in my opinion, the document still faces some security issues.<= u>
 
The current text (in my opinion) prevents any ge= neve security related
options. Currently Geneve cannot be secured and = this prevents future
work to eventually secure Geneve. In my opinion = the current text
mandates Geneve to remain unsecure. =
 
Geneve security option that are willing to authe= nticate/encrypt a part
of the Geneve Header will affect the parsing of = the protected option and
will affect the order in which option needs to b= e process. Typically a
protected option (authenticated, encrypted) cann= ot or should not be
processed before authenticated or decrypted.&nb= sp;
 
This has already been mentioned in [1], and the = text needs in my opinion
further clarifications.  
 
"""
   o  An option SHOULD NOT be dep= endent upon any other option in the
      packet, i.e., options can b= e processed independent of one another.
      An option MUST NOT affect t= he parsing or interpretation of any
      other option.=
"""
 
 
 
As stated in [2] it remains unclear to me why th= is section is not
referencing and leveraging on the security analy= sis [3-4] performed by
two different independent teams.. 
 
My reading of the security consideration is that= the message is that
IPsec or TLS could be used to protect a geneve o= verlay network. This is
- in my opinion- not correct as this does not co= nsider the transit
device. In addition, the security consideration = only considers the case
where the cloud provider and the overlay network= provider are a single
entity, which I believe oversimplifies the probl= em. 
 
The threat model seems to me very vague, so the = current security
consideration is limited to solving a problem th= at is not stated. 
 
My reading of the text indicates the tenant can = handle by itself the
confidentiality of its information without neces= sarily relying on the
overlay service provider. This is not correct. E= ven when the tenant uses
IPsec/TLS, it still leaks some information. The = current text contradicts
[3] section 6.2 and [4] section 5.1.
 
My reading is that the text indicates that IPsec= /DTLS could be used to
protect the overlay service for both confidentia= lity and integrity.
While this could be used in some deployment this= is not compatible with
transit devices. As such the generic statement i= s not correct. Section
6.4 indicates that transit device must be truste= d which is incorrect.
Instead the transit device with all nodes betwee= n the transit device and
the NVE needs to be trusted.  Overall the i= mpression provided is that
IPsec (or TLS) can be used by the service overla= y provider, which is (in
my opinion) not true. =
 
It is unclear to me how authentication of NVE pe= ers differs from the
authentication communication as the latest usual= ly rely on the first.
Maybe the section should insist on mutual authen= tication.  
 
Yours, 
Daniel
 
 
 
 
 
 
 
On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg <= pankajg=3D40microsoft.com@dmarc.ietf.org>= ; wrote:
I am not aware of any IP related to draft-ietf-nvo3-ge= neve which has not already been disclosed.
 
Thanks
Pankaj
 
From: Bocci, Matthew (Nokia - GB) &= lt;matthew..bocci@nokia.com> 
Se= nt: Tuesday, October 9, 2018 2:08 AM
To: NVO3 <nvo3@ietf.org>
Cc: draft-ietf-nvo3-geneve@ietf.org
S= ubject: Working Group Last Call and IPR Poll for draft-ietf-nvo3= -geneve-08.txt
 
This email begins a two-week working group last = call for draft-ietf-nvo3-geneve-08.txt.
 
Please review the draft and post any comments to= the NVO3 working group list. If you have read the latest version of the dr= aft but have no comments and believe it is ready for publication as a stand= ards track RFC, please also indicate so to the WG email list.=
 
We are also polling for knowledge of any undiscl= osed IPR that applies to this document, to ensure that IPR has been disclos= ed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 fo= r more details).
If you are listed as an Author or a Contributor = of this document, please respond to this email and indicate whether or not = you are aware of any relevant undisclosed IPR. The Document won't progress = without answers from all the Authors and Contributors.=
 
Currently there are two IPR disclosures against = this document.
 
If you are not listed as an Author or a Contribu= tor, then please explicitly respond only if you are aware of any IPR that h= as not yet been disclosed in conformance with IETF rules.<= /u>
 
This poll will run until Friday 26th<= span class=3D"gmail-m_2557827608072206691Apple-converted-space"> October.
 
Regards
 
Matthew and Sam
_______________________________________________<= br />nvo3 mailing list
nvo3@ietf.org
https://w= ww.ietf.org/mailman/listinfo/nvo3
_______________________________________________<= br />nvo3 mailing list
nvo3@ietf.org
https://w= ww.ietf.org/mailman/listinfo/nvo3
_______________________________________________
n= vo3 mailing list
nvo3@ietf.org
https://www.iet= f.org/mailman/listinfo/nvo3
_______________________________________________
n= vo3 mailing list
nvo3@ietf.org
https://www.iet= f.org/mailman/listinfo/nvo3
_______________________________________________
n= vo3 mailing list
nvo3@ietf.org
https://www.iet= f.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listin= fo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3

= _______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
--=_726e7fe1c9fb89365ed9eb853987bd44-- From nobody Wed Apr 3 09:18:48 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11B21120133 for ; Wed, 3 Apr 2019 09:18:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.647 X-Spam-Level: X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fsituQ0CZwXv for ; Wed, 3 Apr 2019 09:18:42 -0700 (PDT) Received: from mail-lj1-f180.google.com (mail-lj1-f180.google.com [209.85.208.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 064D8120126 for ; Wed, 3 Apr 2019 09:18:41 -0700 (PDT) Received: by mail-lj1-f180.google.com with SMTP id f18so15396209lja.10 for ; Wed, 03 Apr 2019 09:18:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0+OcovO6qK/mltyFXPyjxO2CtXAe2X51PMLYlgQNf6g=; b=MnlwVtVdcXIk9Pd7KrAXJVQKQkEwDELEcTCc7Ah0UyC48NE4wq2UtD6o8R9HxOiHvy 1MNNCHPpIhF5XO1ch63RaXEsmrpL/hlRrPLC3qN5OMdYYZXXsHUCf/zulHWF003Rtcnr 2a+oquuNc24wIRmvMgTFh4s8qDCxUNt/VmCsag0kN2qUI/SLRv4cMkB+yMMT7CXJwnHU c0UOjZ/PR2vpW8DMpMN1jH5CiZrqsgMYvXY1zXiYYYDo6S1oOSwTdC0Q1mS+wVhNoUcS bBFoJwn7SxcPmDtO6BIU4tf9iiC8AXFLwPrOS6Lm2+gBtuqljRiqC5TKLA4/QuJH01+0 GqJw== X-Gm-Message-State: APjAAAVlla4q7E0+NEzcL68nLpg9efNSIrOACdNCreufs/JKSjF9hxdv DnIVDQw83ouROvCvntScN4Ttow3wh2+38sL6TFg= X-Google-Smtp-Source: APXvYqwqVHveuKBwZymWdxYTmNU/OwMZlCfiIqbmR+avkVyLlKFGbGBc4tahjN3SmcRv6TYDrXVqqLFKSa405RXLFc8= X-Received: by 2002:a2e:4a1a:: with SMTP id x26mr354766lja.49.1554308318927; Wed, 03 Apr 2019 09:18:38 -0700 (PDT) MIME-Version: 1.0 References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> <124B2B65-48C6-45B8-94FB-ED4368E65660@strayalpha.com> In-Reply-To: From: Daniel Migault Date: Wed, 3 Apr 2019 12:18:26 -0400 Message-ID: To: Joe Touch Cc: "Ganga, Ilango S" , NVO3 Content-Type: multipart/alternative; boundary="00000000000038a0f50585a29b94" Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 16:18:47 -0000 --00000000000038a0f50585a29b94 Content-Type: text/plain; charset="UTF-8" I agree that would be better, however I do not have a clear idea on what could qualify as an exception. I see security as such an exception, but I cannot say for sure that is the only exception. My concern was that the previous text prevent such security extensions. The current text address that concern. I am happy to hear how we could do better. Yours, Daniel On Wed, Apr 3, 2019 at 11:44 AM Joe Touch wrote: > FWIW, IMO SHOULD NOT needs to come with a description of what would > qualify as an exception. > > However, you can't allow two such exceptions UNLESS they're > deconflicted, i.e., who goes first. That never works well in practice > because every new option says "I come first". > > I.e., the point isn't whether you have exceptions - you will. The point is > to specify how those cases work, in which case you don't need the SHOULD > NOT. > > Joe > > > > On 2019-04-03 08:33, Daniel Migault wrote: > > Hi, > > My reading is that SHOULD NOT means MUST NOT unless we have a good reason > for it and security or checksum options fall in that category. AM I missing > something ? > > Yours, > Daniel > > On Tue, Apr 2, 2019 at 11:36 PM Joe Touch wrote: > >> Hi, all, >> >> FWIW - I don't understand this requirement. >> >> Clearly, an option MUST NOT depend on options that come before it in the >> order they occur, otherwise you could have options defined in a circular >> manner that cannot be resolved. >> >> However, if you prevent options that depend on other, later options you >> would undermine the ability to have an option that provides authentication >> (which is useful only when it includes both the payload and subsequent >> options) or encryption (which should at least authenticate the option area, >> even if it isn't encrypted). It also undermines the ability to have options >> that create new checksum algorithms. >> >> Are you really seeking to prevent these future possibilities? >> >> Joe >> >> On Mar 26, 2019, at 10:30 PM, Ganga, Ilango S >> wrote: >> >> Hi Daniel, >> >> We updated the draft to restate the requirement on options processing, >> the revised text is much simpler, provides better clarity, and retains the >> original intent. We believe, this should address your concerns. >> >> https://mailarchive.ietf.org/arch/msg/nvo3/-jwq1fjwDufvPl8Qcbk7Iheiegg >> >> Revised text: >> "An option SHOULD NOT be dependent upon any other option in the >> packet, i.e., options can be processed independently of one >> another. Architecturally, options are intended to be self- >> >> descriptive and independent. This enables parallelism in option >> >> processing and reduces implementation complexity." >> >> >> Thanks >> Ilango >> >> >> *From:* Daniel Migault [mailto:daniel.migault@ericsson.com >> ] >> *Sent:* Wednesday, March 20, 2019 1:56 PM >> *To:* Ganga, Ilango S >> *Cc:* NVO3 >> *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for >> draft-ietf-nvo3-geneve-08.txt - geneve options >> >> Hi, >> >> I am looking at the version 12 and see how it address my concern, >> regarding the integration of security options. >> >> The new text in version 12 mentions: >> """ >> o An option SHOULD NOT be dependent upon any other option in the >> packet, i.e., options can be processed independent of one another. >> An option MUST NOT affect the parsing or interpretation of any >> other option. However, option processing by tunnel endpoints may >> result in the packet being dropped. Options may also be used in >> conjunction with each other or combined with packet data but this >> processing is done above the encapsulation layer. >> """ >> >> I am reading the text as a security option can be combined with another >> option or the data payload. More specifically, an authentication option >> that authenticates some options and/or the payload may result in the >> packet to be discarded or not. >> >> I think we are making progress. However, I am not clear about the text: >> >> """ but this processing is done above the encapsulation layer.""" >> >> I am reading the encapsulation layer as the Geneve protocol, but I am >> not clear what the layer above is. I am assuming that is a layer >> that takes the output of the Geneve decapsulation. If that is correct, >> I understand the text saying Geneve processes the options even though >> the authentication has failed. Typically, suppose option A covers >> options O. Upon verification of A fails, Geneve processes O and returns >> to some upper layers that O has been processed while its authentication >> did not succeed. I am sure that I misunderstood the text, but I suggest >> some clarification are provided to prevent such interpretation as the >> purpose of the authenticating O MUST be able to prevent the processing >> of the option O. >> >> In the current text I believe the text """but ...layer""" can be >> removed. Another way might be to clarify the layer above the >> encapsulation. >> >> >> Yours, >> Daniel >> >> >> >> On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault < >> daniel.migault@ericsson.com> wrote: >> >> Hi, >> >> Thanks for the response. Let me first recap the previous conversation, >> or at least my perception of them. My initial comment was that the >> current Geneve specification prevents the design of security options and >> I provided an example. My understanding is there is an agreement that >> such option is prevented by the current geneve specification and you >> challenge the usefulness of such an option (designated as A) as well as >> argue that an authentication upon failure MUST result in discarding the >> packet. >> >> The security options considered has been mentioned in two independent >> security analysis. The example has been described and commented >> extensively in the threat analysis as well. I argue further that >> mandating that dropping the packet, in our case is neither a decision >> that can be taken at the option level, nor at the geneve level. Instead, >> it belongs to a policy decision that is likely to result in incoherent >> deployments. >> >> As result, the current geneve specification prevents security options. >> Please see below for more additional information. >> >> The current option works similarly to IPsec: IPsec/ESP is IP option. AH >> is an option that authenticates the full IP packet. ESP >> authenticate/encrypt the IP payload and not the full packet. Upon >> authentication failure *the scope of the authentication* is discarded >> and in that sense the example I am providing is no more different. >> >> In our case, the option authenticate an portion of the geneve packet >> that is limited to the option. Tthe coverage of the security option is a >> portion of the geneve header. As such, the option cannot mandate >> anything outside of its coverage: the covered option O. As a result, >> dropping the full packet is outside of the scope. Mandating a packet >> drop hardly, in my opinion apply here. >> >> Options are usually non critical for interoperability. Mandating to drop >> the packet when option O cannot be authenticated would contradict the >> non critical status of that option, which is the packet can be processed >> without the option. This would be a policy that overwrite the geneve >> - as well as the geneve option - specification. >> A possible incoherence would be if option A and O are non critical would >> be that the implementation ignoring the option A and O will accept the >> packet, an implementation understanding option O but not option A will >> accept the packet while the implementation understanding option A and O >> will reject the packet. >> >> Yours, >> Daniel >> >> >> On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S >> wrote: >> >> Hi Daniel, >> >> Please see my responses inline below. >> >> Thanks, >> Ilango >> >> >> *From:* nvo3 [mailto:nvo3-bounces@ietf.org] *On Behalf Of *Daniel Migault >> *Sent:* Monday, March 4, 2019 9:15 AM >> *To:* Ganga, Ilango S >> *Cc:* nvo3@ietf.org >> *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for >> draft-ietf-nvo3-geneve-08.txt >> >> Hi Ilango, >> >> Thanks for the response. Please see a concrete example to illustrate my >> concern >> for comment 1. For comment 2, it really helped you indicated that Geneve >> is expected >> to be an end-to-end protocol. This will help me update the security >> requirement >> document. However, the current Geneve specification with transit devices >> seems - >> at least to me - to raise an architecture concern as raised in [1]. >> >> -- comment 1: >> >> Thanks for the feed back. I understand the purpose of keeping option >> independent one from each other, and favour this is strongly recommended.. >> However, I am not convinced this applies always. More specifically, in a >> context of security, the purpose of a security option may be related to >> another option. Typically, a security option providing authentication or >> encryption is potentially authenticating/encryption another option or >> other information contained in the header. >> >> The typical scenario I have in mind would be an authentication option A >> authenticating option O. There will clearly some dependencies between A >> and O as O could only be used if A has been primarily been validated. >> The current statement "SHOULD NOT be dependent" enables this. However, I >> have concerns regarding the statement "MUST NOT affect the parsing or >> interpretation". In fact, the output of A, will determine if O should be >> dropped or processed normally. In case A shows O is not appropriately >> authenticated, O might be rejected based on its C value. The ambiguity I >> see is that A can be understood as affecting the parsing and >> interpretation of O or as a pre-processing operation before parsing or >> interpretation of O. >> >> I think, the text needs further clarifications to remove such ambiguity. >> Changing MUST NOT by SHOULD NOT was of course only one proposition and >> this could be also addressed otherwise. It might be better, I agree, to >> explicitly mention that some options may provide condition on the >> parsing of the options. This would leave the parsing of the options >> unchanged. >> >> >> If I understand your example correctly, you want to have one option >> authenticate the contents of another option and if that authentication >> fails, drop the option. This would not drop the entire packet unless that >> option is critical. Can you give a use case for this? This seems unusual >> and not something that is supported by other security protocols such as >> IPsec or TLS to the best of our knowledge. >> >> I believe a more common outcome of a failed authentication is that the >> entire packet would be dropped. As previously noted, the current text does >> not preclude this. It seems like going beyond this would result in >> significant complexity, both for processing options in this specific case >> as well as the possibility of introducing ambiguity in how other options >> might be defined or processed as an unintended consequence. Without a >> strong use case, this does not seem desirable. >> >> >> -- comment 2: >> >> Thanks for the response that clarifies a bit my understanding of the >> transit devices.. I believe the issue I have is related to the transit >> devices which I do not see, unless I am wrong, meeting the requirements >> for being OPTIONAL and that seems - at least to me - contradicting the >> status of end-to-end protocol. As suggested in [1], transit devices seem >> to raise >> architectural concerns that is not needed. >> >> You are correct that the text is clear that transit devices are >> OPTIONAL. However, my understanding of OPTIONAL from 2119 is that there >> are two sides of it. One is that a vendor may implement it or not, but >> the other side is that interoperability with other implementations are >> not affected. In this case, two Geneve endpoints using TLS or IPsec will >> not be able to interoperate with an implementation based on transit >> devices (unless the process being performed by the transit devices is >> also performed by the NVE). In that sense, I believe OPTIONAL statement >> is not appropriated here.. >> >> An implementation with transit devices seems to prevent the >> interoperability of with an implementation where options are treated >> by the NVE over a secure channel. If we suppose that NVE and >> transit devices support the same options, then transit devices are not >> necessary and could be removed from the specification. If options >> supported by transit devices are different from those supported by >> the NVE, interoperability will not be achieved. Transit device will not >> be >> able to process the options, resulting in options will be ignored (while >> being supported by the implementation).. In addition, if the options >> are critical, the NVE is likely to drop the packet as it does not support >> the option. >> >> In addition, I have some hard time to understand the end-to-end model >> with a transit device even optional. I believe that end-to-end protocol >> is a good path, though. However, my understanding of end-to-end protocol >> is that they should only involve two end points. I see the NVE as end >> points but the optional transit device does not seems to be one of >> these. However, to help me understand better this, as it seems Geneve is >> similar to other end-to-end protocol, maybe you could provide similar >> end-to-end protocol that involves a transit devices or something >> similar. >> >> I also have another clarification regarding transit device. I see these >> transit devices as adding a lot of complexity to the end-to-end model >> with little benefits. Typically, as far as I understand, they can only >> read an option. I am thus wondering whether we should not be better off >> removing them from the specification. This would end up with a clear >> end-to-end model. Reversely, I do not see anything preventing a vendor >> to implement them at least for unsecure deployments. Removing them >> from the specification would leave the transit devices as implementation >> specific. What are actually the benefits of the transit devices that >> would >> justify them to be part of the specification? >> >> >> Transit devices exists in the underlay network, these are simply >> forwarding elements (e.g. switches, routers) that generally forwards >> packets based on outer header information, there is nothing that stops such >> devices from reading the contents if the data is in the clear. This works >> with any transport protocols like IP, IP in IP, GRE, VXLAN, etc. For >> example, routers may look at headers and/or inner payload for ECMP purposes >> or for statistics or logging purposes. If the packet is encrypted then such >> transit devices cannot look into the packets but would simply forward based >> on the outer headers and use information in outer headers for entropy. >> There is no interoperability issue between the endpoints. Geneve is no >> different. >> >> Recognizing the fact that such a device is anyway going to exist in the >> network, Geneve draft provides guidance on how to handle Geneve headers (if >> a device has the option to do so). Geneve options are part of Geneve >> header, a transit device that is capable of interpreting Geneve headers may >> interpret an option or skip over the option to view the payload, etc. If a >> transit device is not able interpret the header or option, it has to simply >> use the outer header to forward the packet (outer IP/UDP). This is what the >> Geneve draft clarifies. >> >> These guidelines reduce possible interoperability issues compared to if >> behavior was left undefined. For example, transit devices are not allowed >> to drop packets or fall back to a slow path on the basis of an unknown >> option. If this were to happen, it would hamper the introduction of new >> options. It might also be worth mentioning that anything that could be >> considered a middlebox is not a transit device but needs to be modeled as >> an endpoint and so Geneve really should be viewed as a tunnel >> endpoint-to-endpoint protocol. >> >> >> >> [1] >> https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdhcs >> >> >> Yours, >> Daniel >> >> On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S >> wrote: >> >> Hi Daniel, >> >> Let us be specific. I see that you have two comments on the latest >> draft-ietf-nvo3-geneve-09. Please see below for responses to your comments. >> >> Comment 1: >> OLD >> o An option SHOULD NOT be dependent upon any other option in the >> packet, i.e., options can be processed independent of one another. >> An option MUST NOT affect the parsing or interpretation of any >> other option. >> >> NEW >> >> o An option SHOULD NOT be dependent upon any other option in the >> packet, i.e., options can be processed independent of one another. >> An option SHOULD NOT affect the parsing or interpretation of any >> other option. >> >> >> Architecturally Geneve options can be processed independent of one >> another. The second statement clearly states that parsing or interpretation >> of one option must not affect the other. This is a reasonable constraint >> to avoid nested dependencies. Options can be designed to work with the >> requirements specified in Geneve. >> >> Let us take specific examples: >> We could think of a design of a Header Integrity check option (related to >> your example). In this case if the header integrity check fails, as a >> result the entire header is invalid and hence the most likely outcome of a >> failed check is that the packet being dropped (including any options in >> that packet whether parsed/interpreted or not). The current text does not >> preclude the packet being dropped as result of failure. >> >> It is possible to design options, including any security options, with >> these constraints. We don't see a reason to change this requirement that >> may have unintended consequences. >> >> Comment 2: >> >> >> >> NEW >> Security Consideration >> >> Geneve Overlay may be secured using by protecting the NVE-to-NVE >> communication using IPsec or DTLS. However, such mechanisms cannot be >> applied for deployments that include transit devices.. >> >> Some deployment may not be able to secure the full communication using >> IPsec or DTLS between the NVEs. This could be motivated by the presence >> of transit devices or by a risk analysis that concludes that the Geneve >> packet be only partially protected - typically reduced to the Geneve >> Header information. In such cases Geneve specific mechanisms needs to be >> designed. >> >> The challenge is, you are asking to impose requirements that is >> not supported by Geneve architecture. Geneve has an optional feature where >> transit devices may be able to interpret Geneve options. However this is >> not a requirement for Geneve operation between tunnel end point to tunnel >> end point. We have tried make this very clear by adding clarifying text >> during the last two revisions. If the Geneve packet is in the clear then >> transit devices may be able to view the Genve header, options, and the >> payload. However if the packet is encrypted then transit devices cannot >> view the packet contents. This is consistent with other transport protocols >> encrypting the packets. So we don't see a reason why Geneve should be >> different. >> >> Geneve is an end to end protocol between tunnel endpoints and the NVEs >> decide to secure (encrypt) the packets between tunnel endpoints. If a >> middle box has a need to see an encrypted packet, then it has to implement >> tunnel endpoint functionality. >> >> We already have text in 6.4 security consideration section that provides >> clear guidance to the operators. >> >> So we don't see a good reason to add the suggested text above. >> >> For a complete threat analysis, a security analysis of Geneve or some >> guide lines to secure a Geneve overlay network, please refer to >> [draft-mglt-nvo3-geneve-security-requirements] as well as >> [draft-ietf-nvo3-security-requirements]. >> >> >> The security requirements document makes certain assumptions that is >> unsupported by Geneve architecture. We have tried to clarify this multiple >> times, however you have still maintained this in the requirements document. >> So this needs to be addressed. Also the document is not yet adopted by the >> working group. >> >> Moreover, Geneve security consideration section has been significantly >> enhanced to provide guidance to operators and to address the comments. So >> both documents can progress independently. >> >> Thanks, >> Ilango >> >> >> *From:* Daniel Migault [mailto:daniel.migault@ericsson.com] >> *Sent:* Saturday, March 2, 2019 8:49 AM >> *To:* Bocci, Matthew (Nokia - GB) >> *Cc:* draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg > 40microsoft.com@dmarc.ietf.org>; NVO3 >> *Subject:* Re: [nvo3] Working Group Last Call and IPR Poll for >> draft-ietf-nvo3-geneve-08.txt >> >> Hi Matt, >> >> >> You are correct, this is at least not an regular process to have a >> standard track document being updated by an informational. I do not see >> either any requirements for having a WG status to become a reference, >> but that is something we could confirm with the RFC-editor. >> >> Back to the initial suggestion, I also believe the difficulties of >> updating >> the Geneve specifications are far less complex than updating the >> implementation, and for that specific reason, it would be good we have a >> consensus on the security analyse. >> >> I agree that WG draft would be better, and RFC would be even better as >> we have seen WG document being stalled. I am confident we can make this >> happen or at least I do not see major issues. >> >> Yours, >> Daniel >> >> >> On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) < >> matthew.bocci@nokia.com> wrote: >> >> WG, Daniel, >> >> Apologies but I mis-spoke on the suggestion for the security requirements >> to act as an update to the encapsulation RFC in future. This would be >> difficult to do as it is informational. >> >> Nonetheless I think we should only be referencing a WG draft (at a >> minimum) here. >> >> Matthew >> >> >> >> *From: *Dacheng Zhang on behalf of "Bocci, >> Matthew (Nokia - GB)" >> *Date: *Friday, 1 March 2019 at 16:24 >> *To: *Daniel Migault >> *Cc: *"draft-ietf-nvo3-geneve@ietf.org" , >> Pankaj Garg , NVO3 > > >> *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for >> draft-ietf-nvo3-geneve-08.txt >> >> Daniel >> >> From a procedural perspective, referring to your draft creates a >> dependency and that draft has not yet been adopted by the WG. The old >> Security requirements framework expired a couple of years ago and does not >> seem to be being progressed. >> Maybe a better approach to allow progress, as long as the WG can agree to >> your text (if needed) to satisfy the concern that future security >> mechanisms can be used, and that the evolving threat analysis is understood >> by implementers and users of Geneve, would be to mark the Geneve security >> requirements as an update to the geneve encapsulation RFC when it is >> published. >> >> Matthew >> >> *From: *Daniel Migault >> *Date: *Friday, 1 March 2019 at 16:11 >> *To: *"Bocci, Matthew (Nokia - GB)" >> *Cc: *Pankaj Garg , " >> draft-ietf-nvo3-geneve@ietf.org" , NVO3 >> >> *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for >> draft-ietf-nvo3-geneve-08.txt >> >> Hi Matthew, >> >> I am happy to clarify and be more specific. However, despite your >> reading of [1] I think [1] clearly indicates the changes I expected as >> well as that these changes needs to be made. >> >> I believe the responsibility of not addressing an acknowledged issue is >> more on the side of people ignoring the issue then on the side of the >> one raising this issue. My impression is that this is the situation we >> are in. >> >> I agree that my initial comment saying "I am fine with the text if we do >> not find something better." might have been confusing and I apology for >> this. At the time of writing the initial comment I was not sure I was >> not missing something nor that the problem could not be solved here or >> somewhere else (in another section). My meaning behind those words were >> that I was open to the way the concerned could be addressed. However, - >> from my point of view - the text does not say the issue does not need to >> be solved which is the way it has been interpreted. In addition, I >> believe I have clarified this right away after the concern has been >> acknowledged and not addressed. As result, I do not think my comment >> could be reasonably read as the text is fine. >> >> Please fine the below the initial comment its response and the response >> to the response from [1]. >> >> """ >> In case we have a option providing authentication, such option >> may affect the interpretation of the other options. >> s/interpretation/ndependance may not be better.... I think what we want >> to say is that option MUST be able to be processed in any order or in >> parallel. I am fine with the text if we do not find something better. >> >> >> This is a good point, however we believe that this text >> captures the intent. >> >> The problem I have is that the current text prevents security >> options, so I guess some clarification should be brought to clarify the >> intent. >> """ >> >> If I had to suggest some text I would suggest the following - or >> something around the following lines. >> >> >> OLD >> o An option SHOULD NOT be dependent upon any other option in the >> packet, i.e., options can be processed independent of one another. >> An option MUST NOT affect the parsing or interpretation of any >> other option. >> >> NEW >> >> o An option SHOULD NOT be dependent upon any other option in the >> packet, i.e., options can be processed independent of one another. >> An option SHOULD NOT affect the parsing or interpretation of any >> other option. >> >> There are rare cases were the parsing of one option affects the parsing >> or the interpretation of other option. Option related to security may >> fall into this category. Typically, if an option enables the >> authentication of another option and the authentication does not >> succeed, the authenticated option MUST NOT be processed. Other options >> may be designed in the future. >> >> NEW >> Security Consideration >> >> Geneve Overlay may be secured using by protecting the NVE-to-NVE >> communication using IPsec or DTLS. However, such mechanisms cannot be >> applied for deployments that include transit devices. >> >> Some deployment may not be able to secure the full communication using >> IPsec or DTLS between the NVEs. This could be motivated by the presence >> of transit devices or by a risk analysis that concludes that the Geneve >> packet be only partially protected - typically reduced to the Geneve >> Header information. In such cases Geneve specific mechanisms needs to be >> designed. >> >> For a complete threat analysis, a security analysis of Geneve or some >> guide lines to secure a Geneve overlay network, please refer to >> [draft-mglt-nvo3-geneve-security-requirements] as well as >> [draft-ietf-nvo3-security-requirements]. >> >> For full disclosure I am a co-author of >> draft-mglt-nvo3-geneve-security-requirement. However the reason for >> referring to these documents is motivated by the fact that I believe >> these analysis provide a better security analysis than the current (OLD) >> security consideration section. >> >> Yours, >> Daniel >> >> >> On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) < >> matthew.bocci@nokia.com> wrote: >> >> Hi Daniel >> >> Thanks for reviewing the latest version. At this stage it would be >> helpful if you could be much more concrete and give specifics. >> >> I think that the main issue is whether the design of Geneve prevents >> future security extensions. >> >> However, in [1], you stated that you were comfortable with the text if >> nothing else could be found. >> >> What specifically do you want to change in the following, bearing in mind >> that there are already claimed implementations of Geneve: >> """ >> o An option SHOULD NOT be dependent upon any other option in the >> packet, i.e., options can be processed independent of one another. >> An option MUST NOT affect the parsing or interpretation of any >> other option. >> """ >> >> >> Matthew >> >> >> *From: *Daniel Migault >> *Date: *Friday, 1 March 2019 at 03:06 >> *To: *Pankaj Garg >> *Cc: *"Bocci, Matthew (Nokia - GB)" , NVO3 < >> nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" < >> draft-ietf-nvo3-geneve@ietf.org> >> *Subject: *Re: [nvo3] Working Group Last Call and IPR Poll for >> draft-ietf-nvo3-geneve-08.txt >> >> Hi, >> >> I just briefly went through the document quickly and in my opinion, the >> document still faces some security issues. >> >> The current text (in my opinion) prevents any geneve security related >> options. Currently Geneve cannot be secured and this prevents future >> work to eventually secure Geneve. In my opinion the current text >> mandates Geneve to remain unsecure. >> >> Geneve security option that are willing to authenticate/encrypt a part >> of the Geneve Header will affect the parsing of the protected option and >> will affect the order in which option needs to be process. Typically a >> protected option (authenticated, encrypted) cannot or should not be >> processed before authenticated or decrypted. >> >> This has already been mentioned in [1], and the text needs in my opinion >> further clarifications. >> >> """ >> o An option SHOULD NOT be dependent upon any other option in the >> packet, i.e., options can be processed independent of one another. >> An option MUST NOT affect the parsing or interpretation of any >> other option. >> """ >> >> >> >> As stated in [2] it remains unclear to me why this section is not >> referencing and leveraging on the security analysis [3-4] performed by >> two different independent teams.. >> >> My reading of the security consideration is that the message is that >> IPsec or TLS could be used to protect a geneve overlay network. This is >> - in my opinion- not correct as this does not consider the transit >> device. In addition, the security consideration only considers the case >> where the cloud provider and the overlay network provider are a single >> entity, which I believe oversimplifies the problem. >> >> The threat model seems to me very vague, so the current security >> consideration is limited to solving a problem that is not stated. >> >> My reading of the text indicates the tenant can handle by itself the >> confidentiality of its information without necessarily relying on the >> overlay service provider. This is not correct. Even when the tenant uses >> IPsec/TLS, it still leaks some information. The current text contradicts >> [3] section 6.2 and [4] section 5.1. >> >> My reading is that the text indicates that IPsec/DTLS could be used to >> protect the overlay service for both confidentiality and integrity. >> While this could be used in some deployment this is not compatible with >> transit devices. As such the generic statement is not correct. Section >> 6.4 indicates that transit device must be trusted which is incorrect. >> Instead the transit device with all nodes between the transit device and >> the NVE needs to be trusted. Overall the impression provided is that >> IPsec (or TLS) can be used by the service overlay provider, which is (in >> my opinion) not true. >> >> It is unclear to me how authentication of NVE peers differs from the >> authentication communication as the latest usually rely on the first. >> Maybe the section should insist on mutual authentication. >> >> Yours, >> Daniel >> >> >> [1] >> https://mailarchive.ietf..org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9o >> >> [2] >> https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSGw >> [3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07 >> [4] >> https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-05 >> >> >> >> >> >> On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg > 40microsoft.com@dmarc.ietf.org> wrote: >> >> I am not aware of any IP related to draft-ietf-nvo3-geneve which has not >> already been disclosed. >> >> Thanks >> Pankaj >> >> *From:* Bocci, Matthew (Nokia - GB) > > >> *Sent:* Tuesday, October 9, 2018 2:08 AM >> *To:* NVO3 >> *Cc:* draft-ietf-nvo3-geneve@ietf.org >> *Subject:* Working Group Last Call and IPR Poll for >> draft-ietf-nvo3-geneve-08.txt >> >> This email begins a two-week working group last call for >> draft-ietf-nvo3-geneve-08.txt. >> >> Please review the draft and post any comments to the NVO3 working group >> list. If you have read the latest version of the draft but have no comments >> and believe it is ready for publication as a standards track RFC, please >> also indicate so to the WG email list. >> >> We are also polling for knowledge of any undisclosed IPR that applies to >> this document, to ensure that IPR has been disclosed in compliance with >> IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). >> If you are listed as an Author or a Contributor of this document, please >> respond to this email and indicate whether or not you are aware of any >> relevant undisclosed IPR. The Document won't progress without answers from >> all the Authors and Contributors. >> >> Currently there are two IPR disclosures against this document. >> >> If you are not listed as an Author or a Contributor, then please >> explicitly respond only if you are aware of any IPR that has not yet been >> disclosed in conformance with IETF rules. >> >> This poll will run until Friday 26th October. >> >> Regards >> >> Matthew and Sam >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 > > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > --00000000000038a0f50585a29b94 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I agree that would be better, however I do not have a clea= r idea on what could qualify as an exception. I see security as such an exc= eption, but I cannot say for sure that is the only exception. My concern wa= s that the previous text prevent such security extensions. The current text= address that concern. I am happy to hear how we could do better.=C2=A0Yours,=C2=A0
Daniel

On Wed, Apr 3, 2019 at 11:44 AM Joe Touch <= ;touch@strayalpha.com> wrote= :

FWIW, IMO SHOULD NOT needs to come with a description of what would qual= ify as an exception.

However, you can't allow two such exceptions UNLESS they're deco= nflicted,=C2=A0i.e., who goes first. That never works well in practice beca= use every new option says "I come first".

I.e., the point isn't whether you have exceptions - you will. The po= int is to specify how those cases work, in which case you don't need th= e SHOULD NOT.

Joe

=C2=A0


On 2019-04-03 08:33, Daniel Migault wrote:

Hi,=C2=A0
=C2=A0
My reading is that SHOULD NOT means MUST NOT unless we have a good reason f= or it and security or checksum options fall in that category. AM I missing = something ?
=C2=A0
Yours,=C2=A0
Daniel

On Tue, Apr 2, 2019 at 11:36 PM Joe T= ouch <touch@st= rayalpha.com> wrote:
Hi, all,
=C2=A0
FWIW - I don't understand this requirement.
=C2=A0
Clearly, an option MUST NOT depend on options that come before it in t= he order they occur, otherwise you could have options defined in a circular= manner that cannot be resolved.
=C2=A0
However, if you prevent options that depend on other, later options yo= u would undermine the ability to have an option that provides authenticatio= n (which is useful only when it includes both the payload and subsequent op= tions) or encryption (which should at least authenticate the option area, e= ven if it isn't encrypted). It also undermines the ability to have opti= ons that create new checksum algorithms.
=C2=A0
Are you really seeking to prevent these future possibilities?
=C2=A0
Joe

On Mar 26, 2019, at 10:30 PM, Ganga, Ilango S <ilango.s.ganga@intel.com> = wrote:

Hi Daniel,
=C2=A0
We updated the draft to restate the requir= ement on options processing, the revised text is much simpler, provides bet= ter clarity, and retains the original intent. We believe, this should addre= ss your concerns.
=C2=A0
=C2=A0
Revised text:
"An option SHOULD NOT be dependent upon any other opt= ion in the
packet, i.e., options can be processed independently of on= e
another.=C2=A0 Architecturally, options are intended to be= self-
descriptive and independent.=C2=A0 This enables parall=
elism in option
processing and reduces implementation complexity."=
;
=C2=A0
Thanks
Ilango
=C2=A0
=C2=A0
From:=C2=A0Daniel Mig= ault [mailto:daniel.migault@ericsson= .com]=C2=A0
Sent:=C2=A0Wednesday, March 20, 2019 1:56 PM
To:=C2=A0Ganga, Ilango S <ilango.s.ganga@intel.com>
Cc:=C2=A0NVO3 <nvo3@ietf.org= >
Subject:=C2=A0Re: [nv= o3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt = - geneve options
=C2=A0
Hi,
=C2=A0
I am looking at the version 12 and see how it addr= ess my concern,
regarding the integration of security options.<= /u>
=C2=A0
The new text in version 12 mentions:=
"""
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be depen= dent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be = processed independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affect the= parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.=C2=A0 However, = option processing by tunnel endpoints may
=C2=A0 =C2=A0 =C2=A0 result in the packet being dr= opped.=C2=A0 Options may also be used in
=C2=A0 =C2=A0 =C2=A0 conjunction with each other o= r combined with packet data but this
=C2=A0 =C2=A0 =C2=A0 processing is done above the = encapsulation layer.
"""
=C2=A0
I am reading the text as a security option can be = combined with another
option or the data payload. More specifically, an = authentication option
that authenticates some options and/or the payload may result in the
packet to be discarded or not.
=C2=A0
I think we are making progress. However, I am not = clear about the text:
=C2=A0
""" but this processing is done abo= ve the encapsulation layer."""
=C2=A0
I am reading the encapsulation layer as the Geneve= protocol, but I am
not clear what the layer above is. I am assuming t= hat is a layer
that takes the output of the Geneve decapsulation.= If that is correct,
I understand the text saying Geneve processes the = options even though
the authentication has failed. Typically, suppose = option A covers
options O. Upon verification of A fails, Geneve pr= ocesses O and returns
to some upper layers that O has been processed whi= le its authentication
did not succeed. I am sure that I misunderstood th= e text, but I suggest
some clarification are provided to prevent such in= terpretation as the
purpose of the authenticating O MUST be able to pr= event the processing
of the option O.
=C2=A0
In the current text I believe the text ""= ;"but ...layer""" can be
removed. Another way might be to clarify the layer= above the
encapsulation.
=C2=A0
=C2=A0
Yours,
Daniel
=C2=A0
=C2=A0
=C2=A0
On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault <= daniel.migault@ericsson.com> = wrote:
Hi,
=C2=A0
Thanks for the response. Let me first recap the pr= evious conversation,
or at least my perception of them. My initial comm= ent was that the
current Geneve specification prevents the design o= f security options and
I provided an example. My understanding is there i= s an agreement that
such option is prevented by the current geneve spe= cification and you
challenge the usefulness of such an option (design= ated as A) as well as
argue that an authentication upon failure MUST res= ult in discarding the
packet.
=C2=A0
The security options considered has been mentioned= in two independent
security analysis. The example has been described = and commented
extensively in the threat analysis as well.=C2=A0 = I argue further that
mandating that dropping the packet, in our case is= neither a decision
that can be taken at the option level, nor at the = geneve level. Instead,
it belongs to a policy decision that is likely to = result in incoherent
deployments.
=C2=A0
As result, the current geneve specification preven= ts security options.
Please see below for more additional information.<= u>
=C2=A0
The current option works similarly to IPsec: IPsec= /ESP is IP option. AH
is an option that authenticates the full IP packet= . ESP
authenticate/encrypt the IP payload and not the fu= ll packet.=C2=A0 Upon
authentication failure *the scope of the authentic= ation* is discarded
and in that sense the example I am providing is no= more different.
=C2=A0
In our case, the option authenticate an portion of= the geneve packet
that is limited to the option. Tthe coverage of th= e security option is a
portion of the geneve header.=C2=A0 As such, the o= ption cannot mandate
anything outside of its coverage: the covered opti= on O. As a result,
dropping the full packet is outside of the scope. = Mandating a packet=C2=A0
drop hardly, in my opinion apply here.=C2=A0
=C2=A0
Options are usually non critical for interoperabil= ity. Mandating to drop
the packet when option O cannot be authenticated w= ould contradict the
non critical status of that option, which is the p= acket can be processed
without the option. This would be a policy that ov= erwrite the geneve
=C2=A0- as well as the geneve option - specificati= on.
A possible incoherence would be if option A and O = are non critical would
be that the implementation ignoring the option A a= nd O will accept the
packet, an implementation understanding option O b= ut not option A will
accept the packet while the implementation underst= anding option A and O
will reject the packet.
=C2=A0
Yours,
Daniel
=C2=A0
=C2=A0
On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S <= ;ilango.s.ganga@intel.com> wrote= :
Hi Daniel,
=C2=A0
Please see my responses inline below.
=C2=A0
Thanks,
Ilango
=C2=A0
=C2=A0
From:=C2=A0nvo3 [mailto:nvo3-bounces@ietf.org]= =C2=A0On Behalf Of=C2=A0Da= niel Migault
Sent:=C2=A0Monday= , March 4, 2019 9:15 AM
To:=C2=A0Ganga, Ilango S <ilango.s.ganga@i= ntel.com>
Cc:=C2=A0nvo3@ietf.org
Subject:=C2=A0Re: [nvo3] Working Group Last Call and IPR Poll for = draft-ietf-nvo3-geneve-08.txt
=C2=A0
Hi Ilango,=C2=A0
=C2=A0
Thanks for the response.=C2=A0Please see a concret= e example to illustrate my concern=C2=A0
for comment 1. For comment 2, it really helped you= indicated that Geneve is expected=C2=A0
to be an end-to-end protocol. This will help me up= date the security requirement=C2=A0
document. However, the current Geneve specificatio= n with transit devices seems -=C2=A0
at least to me - to raise an architecture concern = as raised in [1].
=C2=A0
-- comment 1:
=C2=A0
Thanks for the feed back. I understand the purpose= of keeping option
independent one from each other, and favour this i= s strongly recommended..
However, I am not convinced this applies always. M= ore specifically, in a
context of security, the purpose of a security opt= ion may be related to
another option. Typically, a security option provi= ding authentication or
encryption is potentially authenticating/encryptio= n another option or
other information contained in the header.<= u>
=C2=A0
The typical scenario I have in mind would be an au= thentication option A
authenticating option O. There will clearly some d= ependencies between A
and O as O could only be used if A has been primar= ily been validated.
The current statement "SHOULD NOT be dependen= t" enables this. However, I
have concerns regarding the statement "MUST N= OT affect the parsing or
interpretation". In fact, the output of A, wi= ll determine if O should be
dropped or processed normally. In case A shows O i= s not appropriately
authenticated, O might be rejected based on its C = value. The ambiguity I
see is that A can be understood as affecting the p= arsing and
interpretation of O or as a pre-processing operati= on before parsing or
interpretation of O.
=C2=A0
I think, the text needs further clarifications to = remove such ambiguity.
Changing MUST NOT by SHOULD NOT was of course only= one proposition and
this could be also addressed otherwise. It might b= e better, I agree, to
explicitly mention that some options may provide c= ondition on the
parsing of the options. This would leave the parsi= ng of the options unchanged.=C2=A0
=C2=A0
<Ilango>
If I understand your example correctly, yo= u want to have one option authenticate the contents of another option and i= f that authentication fails, drop the option. This would not drop the entir= e packet unless that option is critical. Can you give a use case for this? = This seems unusual and not something that is supported by other security pr= otocols such as IPsec or TLS to the best of our knowledge.=
=C2=A0
I believe a more common outcome of a faile= d authentication is that the entire packet would be dropped. As previously = noted, the current text does not preclude this. It seems like going beyond = this would result in significant complexity, both for processing options in= this specific case as well as the possibility of introducing ambiguity in = how other options might be defined or processed as an unintended consequenc= e. Without a strong use case, this does not seem desirable.
</>
=C2=A0
-- comment 2:
=C2=A0
Thanks for the response that clarifies a bit my un= derstanding of the
transit devices.. I believe the issue I have is re= lated to the transit
devices which I do not see, unless I am wrong, mee= ting the requirements
for being OPTIONAL and that seems - at least to me= - contradicting the
status of end-to-end protocol. As suggested in [1]= , transit devices seem to raise
architectural concerns that is not needed.<= u>
=C2=A0
You are correct that the text is clear that transi= t devices are
OPTIONAL. However, my understanding of OPTIONAL fr= om 2119 is that there=C2=A0
are two sides of it. One is that a vendor may impl= ement it or not, but
the other side is that interoperability with other= implementations are
not affected. In this case, two Geneve endpoints u= sing TLS or IPsec will
not be able to interoperate with an implementation= based on transit
devices (unless the process being performed by the= transit devices is
also performed by the NVE). In that sense, I belie= ve OPTIONAL statement
is not appropriated here..=C2=A0
=C2=A0
An implementation with transit devices seems to pr= event the=C2=A0
interoperability of with an implementation where= =C2=A0 options are treated=C2=A0
by the NVE over a secure channel. If we suppose th= at NVE and=C2=A0
transit devices support the same options, then tra= nsit devices are not=C2=A0
necessary and could be removed from the specificat= ion. If options
supported by transit devices are different from th= ose supported by=C2=A0
the NVE, interoperability will not be achieved. Tr= ansit device will not be=C2=A0
able to process the options, resulting in options = will be ignored (while=C2=A0
being supported by the implementation).. In additi= on,=C2=A0if the options=C2=A0
are critical, the NVE is likely to drop the packet= as it does not support=C2=A0
the option.=C2=A0
=C2=A0
In addition, I have some hard time to understand t= he end-to-end model=C2=A0
with a transit device even optional. I believe tha= t end-to-end protocol
is a good path, though. However, my understanding = of end-to-end protocol
is that they should only involve two end points. I= see the NVE as end
points but the optional transit device does not se= ems to be one of
these. However, to help me understand better this,= as it seems Geneve is=C2=A0
similar to other end-to-end protocol, maybe you co= uld provide similar=C2=A0
end-to-end protocol that involves a transit device= s or something similar.=C2=A0 =C2=A0
=C2=A0
I also have another clarification regarding transi= t device. I see these
transit devices as adding a lot of complexity to t= he end-to-end model
with little benefits. Typically, as far as I under= stand, they can only
read an option. I am thus wondering whether we sho= uld not be better off
removing them from the specification. This would e= nd up with a clear
end-to-end model. Reversely, I do not see anything= preventing a vendor
to implement them at least for unsecure deployment= s. Removing them=C2=A0
from the specification would leave the transit dev= ices as implementation=C2=A0
specific. What are actually the benefits of the tr= ansit devices that would=C2=A0
justify them to be part of the specification?
=C2=A0
<Ilango>
Transit devices exists in the underlay net= work, these are simply forwarding elements (e.g. switches, routers) that ge= nerally forwards packets based on outer header information, there is nothin= g that stops such devices from reading the contents if the data is in the c= lear.=C2=A0 This works with any transport protocols like IP, IP in IP, GRE,= VXLAN, etc.=C2=A0 For example, routers may look at headers and/or inner pa= yload for ECMP purposes or for statistics or logging purposes. If the packe= t is encrypted then such transit devices cannot look into the packets but w= ould simply forward based on the outer headers and use information in outer= headers for entropy. There is no interoperability issue between the endpoi= nts. Geneve is no different.
=C2=A0
Recognizing the fact that such a device is= anyway going to exist in the network, Geneve draft provides guidance on ho= w to handle Geneve headers (if a device has the option to do so).=C2=A0 Gen= eve options are part of Geneve header, a transit device that is capable of = interpreting Geneve headers may interpret an option or skip over the option= to view the payload, etc.=C2=A0 If a transit device is not able interpret = the header or option, it has to simply use the outer header to forward the = packet (outer IP/UDP). This is what the Geneve draft clarifies.
=C2=A0
These guidelines reduce possible interoper= ability issues compared to if behavior was left undefined. For example, tra= nsit devices are not allowed to drop packets or fall back to a slow path on= the basis of an unknown option. If this were to happen, it would hamper th= e introduction of new options. It might also be worth mentioning that anyth= ing that could be considered a middlebox is not a transit device but needs = to be modeled as an endpoint and so Geneve really should be viewed as a tun= nel endpoint-to-endpoint protocol.
<end>
=C2=A0
=C2=A0
=C2=A0
=C2=A0
Yours,=C2=A0
Daniel=C2=A0
=C2=A0
On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S <= ;ilango.s.ganga@intel.com> wrote= :
Hi Daniel,
=C2=A0
Let us be specific. I see that you have tw= o comments on the latest draft-ietf-nvo3-geneve-09.=C2=A0 Please see below = for responses to your comments.
=C2=A0
Comment 1:
OLD
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be depen= dent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be = processed independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affect the= parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.
=C2=A0
NEW
=C2=A0
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be depen= dent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options can be = processed independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option SHOULD NOT affect t= he parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.
=C2=A0
<Ilango>
Architecturally Geneve options can be proc= essed independent of one another. The second statement clearly states that = parsing or interpretation of one option must not affect the other.=C2=A0 Th= is is a reasonable constraint to avoid nested dependencies. Options can be = designed to work with the requirements specified in Geneve.
=C2=A0
Let us take specific examples:
We could think of a design of a Header Int= egrity check option (related to your example). In this case if the header i= ntegrity check fails, as a result the entire header is invalid and hence th= e most likely outcome of a failed check is that the packet being dropped (i= ncluding any options in that packet whether parsed/interpreted or not). The= current text does not preclude the packet being dropped as result of failu= re.=C2=A0
=C2=A0
It is possible to design options, includin= g any security options, with these constraints.=C2=A0 We don't see a re= ason to change this requirement that may have unintended consequences.
=C2=A0
Comment 2:
=C2=A0
NEW
Security Consideration
=C2=A0
Geneve Overlay may be secured using by protecting = the NVE-to-NVE
communication using IPsec or DTLS. However, such m= echanisms cannot be
applied for deployments that include transit devic= es..=C2=A0
=C2=A0
Some deployment may not be able to secure the full= communication using
IPsec or DTLS between the NVEs. This could be moti= vated by the presence
of transit devices or by a risk analysis that conc= ludes that the Geneve
packet be only partially protected - typically red= uced to the Geneve
Header information. In such cases Geneve specific = mechanisms needs to be
designed.=C2=A0
=C2=A0
<Ilango> The challenge is, you are a= sking to impose requirements that is not supported by Geneve architecture. = Geneve has an optional feature where transit devices may be able to interpr= et Geneve options. However this is not a requirement for Geneve operation b= etween tunnel end point to tunnel end point. We have tried make this very c= lear by adding clarifying text during the last two revisions. If the Geneve= packet is in the clear then transit devices may be able to view the Genve = header, options, and the payload. However if the packet is encrypted then t= ransit devices cannot view the packet contents. This is consistent with oth= er transport protocols encrypting the packets. So we don't see a reason= why Geneve should be different. =C2=A0=C2=A0
=C2=A0
Geneve is an end to end protocol between t= unnel endpoints and the NVEs decide to secure (encrypt) the packets between= tunnel endpoints. If a middle box has a need to see an encrypted packet, t= hen it has to implement tunnel endpoint functionality.=
=C2=A0
We already have text in 6.4 security consi= deration section that provides clear guidance to the operators.
=C2=A0
So we don't see a good reason to add t= he suggested text above.
=C2=A0
For a complete threat analysis, a security analysi= s of Geneve or some
guide lines to secure a Geneve overlay network, pl= ease refer to
[draft-mglt-nvo3-geneve-security-requirements] as = well as
[draft-ietf-nvo3-security-requirements].=
=C2=A0
<Ilango>
The security requirements document =C2=A0m= akes certain assumptions that is unsupported by Geneve architecture. We hav= e tried to clarify this multiple times, however you have still maintained t= his in the requirements document. So this needs to be addressed. Also the d= ocument is not yet adopted by the working group.
=C2=A0
Moreover, Geneve security consideration se= ction has been significantly enhanced to provide guidance to operators and = to address the comments. So both documents can progress independently.
=C2=A0
Thanks,
Ilango
=C2=A0
=C2=A0
From:= =C2=A0Daniel Migault [mailto:= daniel.migault@ericsson.com]=C2=A0
= Sent:=C2=A0Saturday, March 2, 2019 8:49 A= M
To:=C2=A0Bocci, Matthew (Nok= ia - GB) <matthew.bocci@nokia.com= >
Cc:=C2=A0draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg= <pankajg=3D40microsoft.com@dm= arc.ietf.org>; NVO3 <nvo3@ietf.org&g= t;
Subject:=C2=A0Re: [nvo3] Wo= rking Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt=
=C2=A0
Hi Matt,
=C2=A0=C2=A0
=C2=A0
You are correct, this is at least not an regular p= rocess to have a
standard track document being updated by an inform= ational. I do not see
either any requirements for having a WG status to = become a reference,
but that is something we could confirm with the RF= C-editor.
=C2=A0
Back to the initial suggestion, I also believe the= difficulties of updating=C2=A0
the Geneve specifications are far less complex tha= n updating the=C2=A0
implementation, and for that specific reason, it w= ould be good we have a=C2=A0
consensus on the security analyse.
=C2=A0
I agree that WG draft would be better, and RFC wou= ld be even better as
we have seen WG document being stalled. I am confi= dent we can make this
happen or at least I do not see major issues.
=C2=A0
Yours,
Daniel
=C2=A0
=C2=A0
On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (No= kia - GB) <matthew.bocci@nokia.com> wrote:
WG, Daniel,
=C2=A0
Apologies but I mis-spoke on the suggestion = for the security requirements to act as an update to the encapsulation RFC = in future. This would be difficult to do as it is informational.<= /u>
=C2=A0
Nonetheless I think we should only be refere= ncing a WG draft (at a minimum) here.
=C2=A0
Matthew
=C2=A0
=C2=A0
=C2=A0
From:=C2=A0= Dacheng Zhang <nv= o3-bounces@ietf.org> on behalf of "Bocci, Matthew (Nokia - GB)&= quot; <matthew.bocci@nokia.com>= ;
Date:=C2=A0Friday, 1 March 2= 019 at 16:24
To:=C2=A0Daniel M= igault <daniel.migault@ericsson.c= om>
Cc:=C2=A0"draft-ietf-nvo3-geneve@ietf.org&= quot; <draft-ietf-nvo3-geneve= @ietf.org>, Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>, NVO3 <nvo3@ietf.org>
Subject:=C2= =A0Re: [nvo3] Working Group Last Call and IPR Poll for draf= t-ietf-nvo3-geneve-08.txt
=C2=A0
Daniel
=C2=A0
From a procedural perspective, referring to = your draft creates a dependency and that draft has not yet been adopted by = the WG. The old Security requirements framework expired a couple of years a= go and does not seem to be being progressed.=C2=A0=
Maybe a better approach to allow progress, a= s long as the WG can agree to your text (if needed) to satisfy the concern = that future security mechanisms can be used, and that the evolving threat a= nalysis is understood by implementers and users of Geneve, would be to mark= the Geneve security requirements as an update to the geneve encapsulation = RFC when it is published.
=C2=A0
Matthew
=C2=A0
From:=C2=A0= Daniel Migault <daniel.migault@ericsson.com>
Date:= =C2=A0Friday, 1 March 2019 at 16:11
To:=C2=A0"Bocci, Matthew (Nokia - GB)" <= matthew.bocci@nokia.com>
Cc:=C2=A0Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org&g= t;, "draft-ietf-nvo3-geneve= @ietf.org" <draft-ie= tf-nvo3-geneve@ietf.org>, NVO3 <nvo3@iet= f.org>
Subject:=C2=A0Re= : [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08= .txt
=C2=A0
Hi Matthew,=C2=A0
=C2=A0
I am happy to clarify and be more specific. = However, despite your
reading of [1] I think [1] clearly indicates= the changes I expected as
well as that these changes needs to be made.= =C2=A0
=C2=A0
I believe the responsibility of not addressi= ng an acknowledged issue is
more on the side of people ignoring the issu= e=C2=A0 then on the side of the
one raising this issue. My impression is tha= t this is the situation we
are in.=C2=A0
=C2=A0=C2=A0
I agree that my initial comment saying "= ;I am fine with the text if we do
not find something better." might have = been confusing and I apology for
this. At the time of writing the initial com= ment I was not sure I was
not missing something nor that the problem c= ould not be solved here or
somewhere else (in another section). My mean= ing behind those words were
that I was open to the way the concerned cou= ld be addressed. However, -
from my point of view - the text does not sa= y the issue does not need to
be solved which is the way it has been inter= preted. In addition, I
believe I have clarified this right away aft= er the concern has been
acknowledged and not addressed. As result, I= do not think my comment
could be reasonably read as the text is fine= .
=C2=A0
Please fine the below the initial comment it= s response and the response
to the response from [1].=C2=A0
=C2=A0
"""
<mglt> In case we have a option provid= ing authentication, such option
may affect the interpretation of the other o= ptions.
s/interpretation/ndependance may not be bett= er.... I think what we want
to say is that option MUST be able to be pro= cessed in any order or in
parallel.=C2=A0 I am fine with the text if w= e do not find something better.
</mglt>
=C2=A0
<Ilango> This is a good point, however= we believe that this text
captures the intent.=C2=A0 </>=C2=A0
=C2=A0
<mglt2>The problem I have is that the = current text prevents security
options, so I guess some clarification shoul= d be brought to clarify the
intent.</mglt2>=C2=A0=
"""
=C2=A0
If I had to suggest some text I would sugges= t the following - or
something around the following lines.=C2=A0<= /span>
=C2=A0
=C2=A0
OLD
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be= dependent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options c= an be processed independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affe= ct the parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.=
=C2=A0
NEW
=C2=A0
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be= dependent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options c= an be processed independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option SHOULD NOT af= fect the parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.=
=C2=A0
There are rare cases were the parsing of one= option affects the parsing
or the interpretation of other option. Optio= n related to security may
fall into this category. Typically, if an op= tion enables the
authentication of another option and the aut= hentication does not
succeed, the authenticated option MUST NOT b= e processed. Other options
may be designed in the future.=C2=A0=C2=A0
=C2=A0
NEW
Security Consideration<= /div>
=C2=A0
Geneve Overlay may be secured using by protecting the NVE-to-NVE=
communication using IPsec or DTLS. However, = such mechanisms cannot be
applied for deployments that include transit= devices.=C2=A0
=C2=A0
Some deployment may not be able to secure th= e full communication using
IPsec or DTLS between the NVEs. This could b= e motivated by the presence
of transit devices or by a risk analysis tha= t concludes that the Geneve
packet be only partially protected - typical= ly reduced to the Geneve
Header information. In such cases Geneve spe= cific mechanisms needs to be
designed.=C2=A0
=C2=A0
For a complete threat analysis, a security a= nalysis of Geneve or some
guide lines to secure a Geneve overlay netwo= rk, please refer to
[draft-mglt-nvo3-geneve-security-requirement= s] as well as
[draft-ietf-nvo3-security-requirements].
=C2=A0
For full disclosure I am a co-author of
draft-mglt-nvo3-geneve-security-requirement.= However the reason for
referring to these documents is motivated by= the fact that I believe
these analysis provide a better security ana= lysis than the current (OLD)
security consideration section.=C2=A0=
=C2=A0
Yours,=C2=A0
Daniel
=C2=A0
=C2=A0
On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthe= w (Nokia - GB) <matthew.bocci@nokia.c= om> wrote:
Hi Daniel
=C2=A0
Thanks for reviewing the latest version. At = this stage it would be helpful if you could be much more concrete and give = specifics.
=C2=A0
I think that the main issue is whether the d= esign of Geneve prevents future security extensions.
=C2=A0
However, in [1], you stated that you were co= mfortable with the text if nothing else could be found.
=C2=A0
What specifically do you want to change in t= he following, bearing in mind that there are already claimed implementation= s of Geneve:
"""
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be= dependent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options c= an be processed independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affe= ct the parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.=
"""
=C2=A0
=C2=A0
Matthew
=C2=A0
=C2=A0
From:=C2=A0= Daniel Migault <daniel.migault@ericsson.com>
Date:= =C2=A0Friday, 1 March 2019 at 03:06
To:=C2=A0Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>
C= c:=C2=A0"Bocci, Matthew (Nokia - GB)= " <matthew.bocci@nokia.com&g= t;, NVO3 <nvo3@ietf.org>, "draft-ietf-nvo3-geneve@ietf.org"= ; <draft-ietf-nvo3-geneve@iet= f.org>
Subject:=C2=A0Re= : [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08= .txt
=C2=A0
Hi,=C2=A0
=C2=A0
I just briefly went through the document quickly and in my opini= on, the document still faces some security issues.
=C2=A0
The current text (in my opinion) prevents an= y geneve security related
options. Currently Geneve cannot be secured = and this prevents future
work to eventually secure Geneve. In my opin= ion the current text
mandates Geneve to remain unsecure.=C2=A0
=C2=A0
Geneve security option that are willing to a= uthenticate/encrypt a part
of the Geneve Header will affect the parsing= of the protected option and
will affect the order in which option needs = to be process. Typically a
protected option (authenticated, encrypted) = cannot or should not be
processed before authenticated or decrypted.=C2=A0=
=C2=A0
This has already been mentioned in [1], and = the text needs in my opinion
further clarifications.=C2=A0=C2=A0
=C2=A0
"""
=C2=A0 =C2=A0o=C2=A0 An option SHOULD NOT be= dependent upon any other option in the
=C2=A0 =C2=A0 =C2=A0 packet, i.e., options c= an be processed independent of one another.
=C2=A0 =C2=A0 =C2=A0 An option MUST NOT affe= ct the parsing or interpretation of any
=C2=A0 =C2=A0 =C2=A0 other option.=
"""
=C2=A0
=C2=A0
=C2=A0
As stated in [2] it remains unclear to me wh= y this section is not
referencing and leveraging on the security a= nalysis [3-4] performed by
two different independent teams..=C2=A0
=C2=A0
My reading of the security consideration is = that the message is that
IPsec or TLS could be used to protect a gene= ve overlay network. This is
- in my opinion- not correct as this does no= t consider the transit
device. In addition, the security considerat= ion only considers the case
where the cloud provider and the overlay net= work provider are a single
entity, which I believe oversimplifies the p= roblem.=C2=A0
=C2=A0
The threat model seems to me very vague, so = the current security
consideration is limited to solving a proble= m that is not stated.=C2=A0
=C2=A0
My reading of the text indicates the tenant = can handle by itself the
confidentiality of its information without n= ecessarily relying on the
overlay service provider. This is not correc= t. Even when the tenant uses
IPsec/TLS, it still leaks some information. = The current text contradicts
[3] section 6.2 and [4] section 5.1.<= u>
=C2=A0
My reading is that the text indicates that I= Psec/DTLS could be used to
protect the overlay service for both confide= ntiality and integrity.
While this could be used in some deployment = this is not compatible with
transit devices. As such the generic stateme= nt is not correct. Section
6.4 indicates that transit device must be tr= usted which is incorrect.
Instead the transit device with all nodes be= tween the transit device and
the NVE needs to be trusted.=C2=A0 Overall t= he impression provided is that
IPsec (or TLS) can be used by the service ov= erlay provider, which is (in
my opinion) not true.=C2=A0=
=C2=A0
It is unclear to me how authentication of NV= E peers differs from the
authentication communication as the latest u= sually rely on the first.
Maybe the section should insist on mutual au= thentication.=C2=A0=C2=A0
=C2=A0
Yours,=C2=A0
Daniel
=C2=A0
=C2=A0
=C2=A0
=C2=A0
=C2=A0
=C2=A0
=C2=A0
On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg = <pankajg=3D40microsoft.com@dma= rc.ietf.org> wrote:
I am not aware of any IP related to draft-ietf-nvo= 3-geneve which has not already been disclosed.
=C2=A0
Thanks
Pankaj
=C2=A0
From:=C2=A0Bocci, Matthew (Nokia - GB) <matth= ew..bocci@nokia.com>=C2=A0
Sent:= =C2=A0Tuesday, October 9, 2018 2:08 AMTo:=C2=A0NVO3 <nvo3@ietf.org>
Cc:= =C2=A0draft-ietf-nvo3-gen= eve@ietf.org
Subject:=C2=A0Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt<= /u>
=C2=A0
This email begins a two-week working group l= ast call for draft-ietf-nvo3-geneve-08.txt.
=C2=A0
Please review the draft and post any comment= s to the NVO3 working group list. If you have read the latest version of th= e draft but have no comments and believe it is ready for publication as a s= tandards track RFC, please also indicate so to the WG email list.=
=C2=A0
We are also polling for knowledge of any und= isclosed IPR that applies to this document, to ensure that IPR has been dis= closed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 537= 8 for more details).
If you are listed as an Author or a Contribu= tor of this document, please respond to this email and indicate whether or = not you are aware of any relevant undisclosed IPR. The Document won't p= rogress without answers from all the Authors and Contributors.
=C2=A0
Currently there are two IPR disclosures agai= nst this document.
=C2=A0
If you are not listed as an Author or a Cont= ributor, then please explicitly respond only if you are aware of any IPR th= at has not yet been disclosed in conformance with IETF rules.=
=C2=A0
This poll will run until Friday 26th=C2=A0October.
=C2=A0
Regards
=C2=A0
Matthew and Sam
____________________________________________= ___
nvo3 mailing list
nvo3@ietf.org
<= a style=3D"color:purple;text-decoration:underline" href=3D"https://www.ietf= .org/mailman/listinfo/nvo3" rel=3D"noopener noreferrer" target=3D"_blank">h= ttps://www.ietf.org/mailman/listinfo/nvo3
____________________________________________= ___
nvo3 mailing list
nvo3@ietf.org
<= a style=3D"color:purple;text-decoration:underline" href=3D"https://www.ietf= .org/mailman/listinfo/nvo3" rel=3D"noopener noreferrer" target=3D"_blank">h= ttps://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________nvo3 mailing list
nvo3@ietf.org
https:/= /www.ietf.org/mailman/listinfo/nvo3
_______________________________________________nvo3 mailing list
nvo3@ietf.org
https:/= /www.ietf.org/mailman/listinfo/nvo3
_______________________________________________nvo3 mailing list
nvo3@ietf.org
https:/= /www.ietf.org/mailman/listinfo/nvo3
___________________________= ____________________
nvo3 mailing list
n= vo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3

_______________________________________________<= br> nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailma= n/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
--00000000000038a0f50585a29b94-- From nobody Wed Apr 3 09:47:41 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0011120094 for ; Wed, 3 Apr 2019 09:47:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.219 X-Spam-Level: X-Spam-Status: No, score=-1.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B4kPtJsPiPRG for ; Wed, 3 Apr 2019 09:47:31 -0700 (PDT) Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FA921200C5 for ; Wed, 3 Apr 2019 09:47:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=Message-ID:References:In-Reply-To:Subject:Cc: To:From:Date:Content-Type:MIME-Version:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=aXnuNJn3AdjLTK73NZA5qUht9/PRTqnN0WYj8D/xpfU=; b=Lmgb29p6ud5Nku7jf2qI+Qy44 xYhJ3RCIgwqzROW35K6BH2PhuxQgjk8k9dSAhdPlJnKWBy5h8wFC9uSekJA44t6oOfA77Ofnvq5Ps qzljtov475ijMuoH1vwjV/ZFxXsT7oCXFOsXx/lythhPOUJfPlyUJ1YTaNJWkoomN9ZsZMdCYPz96 dPVTOetLinoBD6hbVNN5ovyAjUUOojdkc5NfErZxcImq/fBKcHXeF+nhJ4B6rX0OV+Lcg+Ya+lnbG jivjb40MHUM9ZV2kB2/xg5/OLcuwRAnJa4GRWhjlb8D7wiSjKgBGc7uBZDlXUWusrEmao+pSCwfL/ 35WTaXB1A==; Received: from [::1] (port=45322 helo=server217.web-hosting.com) by server217.web-hosting.com with esmtpa (Exim 4.91) (envelope-from ) id 1hBj2p-001NqZ-RQ; Wed, 03 Apr 2019 12:47:30 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_5546cf928b226aa29570c4bbf70037ab" Date: Wed, 03 Apr 2019 09:47:23 -0700 From: Joe Touch To: Daniel Migault Cc: "FY\"Ganga, Ilango S\"" , NVO3 In-Reply-To: References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> <124B2B65-48C6-45B8-94FB-ED4368E65660@strayalpha.com> Message-ID: <9e18391a85bb2077cc3be318f1aed316@strayalpha.com> X-Sender: touch@strayalpha.com User-Agent: Roundcube Webmail/1.3.7 X-OutGoing-Spam-Status: No, score=-1.0 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server217.web-hosting.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - strayalpha.com X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com X-Source: X-Source-Args: X-Source-Dir: X-From-Rewrite: unmodified, already matched Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 16:47:40 -0000 --=_5546cf928b226aa29570c4bbf70037ab Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII FYI, I provided suggestions in my initial post: - MUST process in-order - MUST not depend on information in earlier options, in the order they are proceessed If you have some other reason for SHOULD NOT depend on option contents or payload contents, they that's a separate issue. I.e., if you retain that SHOULD NOT, it would be useful to indicate authentication, encryption, and integrity checks as possible exceptions. Joe On 2019-04-03 09:18, Daniel Migault wrote: > I agree that would be better, however I do not have a clear idea on what could qualify as an exception. I see security as such an exception, but I cannot say for sure that is the only exception. My concern was that the previous text prevent such security extensions. The current text address that concern. I am happy to hear how we could do better. > Yours, > Daniel > > On Wed, Apr 3, 2019 at 11:44 AM Joe Touch wrote: > > FWIW, IMO SHOULD NOT needs to come with a description of what would qualify as an exception. > > However, you can't allow two such exceptions UNLESS they're deconflicted, i.e., who goes first. That never works well in practice because every new option says "I come first". > > I.e., the point isn't whether you have exceptions - you will. The point is to specify how those cases work, in which case you don't need the SHOULD NOT. > > Joe > > On 2019-04-03 08:33, Daniel Migault wrote: > > Hi, > My reading is that SHOULD NOT means MUST NOT unless we have a good reason for it and security or checksum options fall in that category. AM I missing something ? > > Yours, > Daniel > > On Tue, Apr 2, 2019 at 11:36 PM Joe Touch wrote: > Hi, all, > > FWIW - I don't understand this requirement. > > Clearly, an option MUST NOT depend on options that come before it in the order they occur, otherwise you could have options defined in a circular manner that cannot be resolved. > > However, if you prevent options that depend on other, later options you would undermine the ability to have an option that provides authentication (which is useful only when it includes both the payload and subsequent options) or encryption (which should at least authenticate the option area, even if it isn't encrypted). It also undermines the ability to have options that create new checksum algorithms. > > Are you really seeking to prevent these future possibilities? > > Joe > > On Mar 26, 2019, at 10:30 PM, Ganga, Ilango S wrote: > > Hi Daniel, > > We updated the draft to restate the requirement on options processing, the revised text is much simpler, provides better clarity, and retains the original intent. We believe, this should address your concerns. > > https://mailarchive.ietf.org/arch/msg/nvo3/-jwq1fjwDufvPl8Qcbk7Iheiegg > > Revised text: > "An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independently of one > another. Architecturally, options are intended to be self- > > descriptive and independent. This enables parallelism in option > > processing and reduces implementation complexity." > > Thanks > Ilango > > FROM: Daniel Migault [mailto:daniel.migault@ericsson..com] > SENT: Wednesday, March 20, 2019 1:56 PM > TO: Ganga, Ilango S > CC: NVO3 > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options > > Hi, > > I am looking at the version 12 and see how it address my concern, > > regarding the integration of security options. > > The new text in version 12 mentions: > > """ > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. However, option processing by tunnel endpoints may > > result in the packet being dropped. Options may also be used in > > conjunction with each other or combined with packet data but this > > processing is done above the encapsulation layer. > > """ > > I am reading the text as a security option can be combined with another > > option or the data payload. More specifically, an authentication option > > that authenticates some options and/or the payload may result in the > > packet to be discarded or not. > > I think we are making progress. However, I am not clear about the text: > > """ but this processing is done above the encapsulation layer.""" > > I am reading the encapsulation layer as the Geneve protocol, but I am > > not clear what the layer above is. I am assuming that is a layer > > that takes the output of the Geneve decapsulation. If that is correct, > > I understand the text saying Geneve processes the options even though > > the authentication has failed. Typically, suppose option A covers > > options O. Upon verification of A fails, Geneve processes O and returns > > to some upper layers that O has been processed while its authentication > > did not succeed. I am sure that I misunderstood the text, but I suggest > > some clarification are provided to prevent such interpretation as the > > purpose of the authenticating O MUST be able to prevent the processing > > of the option O. > > In the current text I believe the text """but ...layer""" can be > > removed. Another way might be to clarify the layer above the > > encapsulation. > > Yours, > > Daniel > > On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault wrote: > > Hi, > > Thanks for the response. Let me first recap the previous conversation, > > or at least my perception of them. My initial comment was that the > > current Geneve specification prevents the design of security options and > > I provided an example. My understanding is there is an agreement that > > such option is prevented by the current geneve specification and you > > challenge the usefulness of such an option (designated as A) as well as > > argue that an authentication upon failure MUST result in discarding the > > packet. > > The security options considered has been mentioned in two independent > > security analysis. The example has been described and commented > > extensively in the threat analysis as well. I argue further that > > mandating that dropping the packet, in our case is neither a decision > > that can be taken at the option level, nor at the geneve level. Instead, > > it belongs to a policy decision that is likely to result in incoherent > > deployments. > > As result, the current geneve specification prevents security options. > > Please see below for more additional information. > > The current option works similarly to IPsec: IPsec/ESP is IP option. AH > > is an option that authenticates the full IP packet.. ESP > > authenticate/encrypt the IP payload and not the full packet. Upon > > authentication failure *the scope of the authentication* is discarded > > and in that sense the example I am providing is no more different. > > In our case, the option authenticate an portion of the geneve packet > > that is limited to the option. Tthe coverage of the security option is a > > portion of the geneve header. As such, the option cannot mandate > > anything outside of its coverage: the covered option O. As a result, > > dropping the full packet is outside of the scope. Mandating a packet > > drop hardly, in my opinion apply here. > > Options are usually non critical for interoperability. Mandating to drop > > the packet when option O cannot be authenticated would contradict the > > non critical status of that option, which is the packet can be processed > > without the option. This would be a policy that overwrite the geneve > > - as well as the geneve option - specification. > > A possible incoherence would be if option A and O are non critical would > > be that the implementation ignoring the option A and O will accept the > > packet, an implementation understanding option O but not option A will > > accept the packet while the implementation understanding option A and O > > will reject the packet. > > Yours, > > Daniel > > On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S wrote: > > Hi Daniel, > > Please see my responses inline below. > > Thanks, > Ilango > > FROM: nvo3 [mailto:nvo3-bounces@ietf.org] ON BEHALF OF Daniel Migault > SENT: Monday, March 4, 2019 9:15 AM > TO: Ganga, Ilango S > CC: nvo3@ietf.org > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > Hi Ilango, > > Thanks for the response. Please see a concrete example to illustrate my concern > > for comment 1. For comment 2, it really helped you indicated that Geneve is expected > > to be an end-to-end protocol. This will help me update the security requirement > > document. However, the current Geneve specification with transit devices seems - > > at least to me - to raise an architecture concern as raised in [1]. > > -- comment 1: > > Thanks for the feed back. I understand the purpose of keeping option > > independent one from each other, and favour this is strongly recommended.. > > However, I am not convinced this applies always. More specifically, in a > > context of security, the purpose of a security option may be related to > > another option. Typically, a security option providing authentication or > > encryption is potentially authenticating/encryption another option or > > other information contained in the header. > > The typical scenario I have in mind would be an authentication option A > > authenticating option O. There will clearly some dependencies between A > > and O as O could only be used if A has been primarily been validated. > > The current statement "SHOULD NOT be dependent" enables this. However, I > > have concerns regarding the statement "MUST NOT affect the parsing or > > interpretation". In fact, the output of A, will determine if O should be > > dropped or processed normally. In case A shows O is not appropriately > > authenticated, O might be rejected based on its C value. The ambiguity I > > see is that A can be understood as affecting the parsing and > > interpretation of O or as a pre-processing operation before parsing or > > interpretation of O. > > I think, the text needs further clarifications to remove such ambiguity. > > Changing MUST NOT by SHOULD NOT was of course only one proposition and > > this could be also addressed otherwise. It might be better, I agree, to > > explicitly mention that some options may provide condition on the > > parsing of the options. This would leave the parsing of the options unchanged. > > > If I understand your example correctly, you want to have one option authenticate the contents of another option and if that authentication fails, drop the option. This would not drop the entire packet unless that option is critical. Can you give a use case for this? This seems unusual and not something that is supported by other security protocols such as IPsec or TLS to the best of our knowledge. > > I believe a more common outcome of a failed authentication is that the entire packet would be dropped. As previously noted, the current text does not preclude this. It seems like going beyond this would result in significant complexity, both for processing options in this specific case as well as the possibility of introducing ambiguity in how other options might be defined or processed as an unintended consequence. Without a strong use case, this does not seem desirable. > > > -- comment 2: > > Thanks for the response that clarifies a bit my understanding of the > > transit devices.. I believe the issue I have is related to the transit > > devices which I do not see, unless I am wrong, meeting the requirements > > for being OPTIONAL and that seems - at least to me - contradicting the > > status of end-to-end protocol. As suggested in [1], transit devices seem to raise > > architectural concerns that is not needed. > > You are correct that the text is clear that transit devices are > > OPTIONAL. However, my understanding of OPTIONAL from 2119 is that there > > are two sides of it. One is that a vendor may implement it or not, but > > the other side is that interoperability with other implementations are > > not affected. In this case, two Geneve endpoints using TLS or IPsec will > > not be able to interoperate with an implementation based on transit > > devices (unless the process being performed by the transit devices is > > also performed by the NVE). In that sense, I believe OPTIONAL statement > > is not appropriated here.. > > An implementation with transit devices seems to prevent the > > interoperability of with an implementation where options are treated > > by the NVE over a secure channel. If we suppose that NVE and > > transit devices support the same options, then transit devices are not > > necessary and could be removed from the specification. If options > > supported by transit devices are different from those supported by > > the NVE, interoperability will not be achieved. Transit device will not be > > able to process the options, resulting in options will be ignored (while > > being supported by the implementation).. In addition, if the options > > are critical, the NVE is likely to drop the packet as it does not support > > the option. > > In addition, I have some hard time to understand the end-to-end model > > with a transit device even optional. I believe that end-to-end protocol > > is a good path, though. However, my understanding of end-to-end protocol > > is that they should only involve two end points. I see the NVE as end > > points but the optional transit device does not seems to be one of > > these. However, to help me understand better this, as it seems Geneve is > > similar to other end-to-end protocol, maybe you could provide similar > > end-to-end protocol that involves a transit devices or something similar. > > I also have another clarification regarding transit device. I see these > > transit devices as adding a lot of complexity to the end-to-end model > > with little benefits. Typically, as far as I understand, they can only > > read an option. I am thus wondering whether we should not be better off > > removing them from the specification. This would end up with a clear > > end-to-end model. Reversely, I do not see anything preventing a vendor > > to implement them at least for unsecure deployments. Removing them > > from the specification would leave the transit devices as implementation > > specific. What are actually the benefits of the transit devices that would > > justify them to be part of the specification? > > > Transit devices exists in the underlay network, these are simply forwarding elements (e.g. switches, routers) that generally forwards packets based on outer header information, there is nothing that stops such devices from reading the contents if the data is in the clear. This works with any transport protocols like IP, IP in IP, GRE, VXLAN, etc. For example, routers may look at headers and/or inner payload for ECMP purposes or for statistics or logging purposes. If the packet is encrypted then such transit devices cannot look into the packets but would simply forward based on the outer headers and use information in outer headers for entropy. There is no interoperability issue between the endpoints. Geneve is no different. > > Recognizing the fact that such a device is anyway going to exist in the network, Geneve draft provides guidance on how to handle Geneve headers (if a device has the option to do so). Geneve options are part of Geneve header, a transit device that is capable of interpreting Geneve headers may interpret an option or skip over the option to view the payload, etc. If a transit device is not able interpret the header or option, it has to simply use the outer header to forward the packet (outer IP/UDP). This is what the Geneve draft clarifies. > > These guidelines reduce possible interoperability issues compared to if behavior was left undefined. For example, transit devices are not allowed to drop packets or fall back to a slow path on the basis of an unknown option. If this were to happen, it would hamper the introduction of new options. It might also be worth mentioning that anything that could be considered a middlebox is not a transit device but needs to be modeled as an endpoint and so Geneve really should be viewed as a tunnel endpoint-to-endpoint protocol. > > > [1] https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCdhcs > > Yours, > > Daniel > > On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S wrote: > > Hi Daniel, > > Let us be specific. I see that you have two comments on the latest draft-ietf-nvo3-geneve-09. Please see below for responses to your comments. > > Comment 1: > OLD > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option MUST NOT affect the parsing or interpretation of any > other option. > > NEW > > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option SHOULD NOT affect the parsing or interpretation of any > other option. > > > Architecturally Geneve options can be processed independent of one another. The second statement clearly states that parsing or interpretation of one option must not affect the other. This is a reasonable constraint to avoid nested dependencies. Options can be designed to work with the requirements specified in Geneve. > > Let us take specific examples: > We could think of a design of a Header Integrity check option (related to your example). In this case if the header integrity check fails, as a result the entire header is invalid and hence the most likely outcome of a failed check is that the packet being dropped (including any options in that packet whether parsed/interpreted or not). The current text does not preclude the packet being dropped as result of failure. > > It is possible to design options, including any security options, with these constraints. We don't see a reason to change this requirement that may have unintended consequences. > > Comment 2: > > NEW > Security Consideration > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > communication using IPsec or DTLS. However, such mechanisms cannot be > applied for deployments that include transit devices.. > > Some deployment may not be able to secure the full communication using > IPsec or DTLS between the NVEs. This could be motivated by the presence > of transit devices or by a risk analysis that concludes that the Geneve > packet be only partially protected - typically reduced to the Geneve > Header information. In such cases Geneve specific mechanisms needs to be > designed. > > The challenge is, you are asking to impose requirements that is not supported by Geneve architecture. Geneve has an optional feature where transit devices may be able to interpret Geneve options. However this is not a requirement for Geneve operation between tunnel end point to tunnel end point. We have tried make this very clear by adding clarifying text during the last two revisions. If the Geneve packet is in the clear then transit devices may be able to view the Genve header, options, and the payload. However if the packet is encrypted then transit devices cannot view the packet contents. This is consistent with other transport protocols encrypting the packets. So we don't see a reason why Geneve should be different. > > Geneve is an end to end protocol between tunnel endpoints and the NVEs decide to secure (encrypt) the packets between tunnel endpoints. If a middle box has a need to see an encrypted packet, then it has to implement tunnel endpoint functionality. > > We already have text in 6.4 security consideration section that provides clear guidance to the operators. > > So we don't see a good reason to add the suggested text above. > > For a complete threat analysis, a security analysis of Geneve or some > guide lines to secure a Geneve overlay network, please refer to > [draft-mglt-nvo3-geneve-security-requirements] as well as > [draft-ietf-nvo3-security-requirements]. > > > The security requirements document makes certain assumptions that is unsupported by Geneve architecture. We have tried to clarify this multiple times, however you have still maintained this in the requirements document. So this needs to be addressed. Also the document is not yet adopted by the working group. > > Moreover, Geneve security consideration section has been significantly enhanced to provide guidance to operators and to address the comments. So both documents can progress independently. > > Thanks, > Ilango > > FROM: Daniel Migault [mailto:daniel.migault@ericsson.com] > SENT: Saturday, March 2, 2019 8:49 AM > TO: Bocci, Matthew (Nokia - GB) > CC: draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg ; NVO3 > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > Hi Matt, > > You are correct, this is at least not an regular process to have a > > standard track document being updated by an informational. I do not see > > either any requirements for having a WG status to become a reference, > > but that is something we could confirm with the RFC-editor. > > Back to the initial suggestion, I also believe the difficulties of updating > > the Geneve specifications are far less complex than updating the > > implementation, and for that specific reason, it would be good we have a > > consensus on the security analyse. > > I agree that WG draft would be better, and RFC would be even better as > > we have seen WG document being stalled. I am confident we can make this > > happen or at least I do not see major issues. > > Yours, > > Daniel > > On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) wrote: > > WG, Daniel, > > Apologies but I mis-spoke on the suggestion for the security requirements to act as an update to the encapsulation RFC in future. This would be difficult to do as it is informational. > > Nonetheless I think we should only be referencing a WG draft (at a minimum) here. > > Matthew > > FROM: Dacheng Zhang on behalf of "Bocci, Matthew (Nokia - GB)" > DATE: Friday, 1 March 2019 at 16:24 > TO: Daniel Migault > CC: "draft-ietf-nvo3-geneve@ietf.org" , Pankaj Garg , NVO3 > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > Daniel > > From a procedural perspective, referring to your draft creates a dependency and that draft has not yet been adopted by the WG. The old Security requirements framework expired a couple of years ago and does not seem to be being progressed. > Maybe a better approach to allow progress, as long as the WG can agree to your text (if needed) to satisfy the concern that future security mechanisms can be used, and that the evolving threat analysis is understood by implementers and users of Geneve, would be to mark the Geneve security requirements as an update to the geneve encapsulation RFC when it is published. > > Matthew > > FROM: Daniel Migault > DATE: Friday, 1 March 2019 at 16:11 > TO: "Bocci, Matthew (Nokia - GB)" > CC: Pankaj Garg , "draft-ietf-nvo3-geneve@ietf.org" , NVO3 > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08..txt > > Hi Matthew, > > I am happy to clarify and be more specific. However, despite your > > reading of [1] I think [1] clearly indicates the changes I expected as > > well as that these changes needs to be made. > > I believe the responsibility of not addressing an acknowledged issue is > > more on the side of people ignoring the issue then on the side of the > > one raising this issue. My impression is that this is the situation we > > are in. > > I agree that my initial comment saying "I am fine with the text if we do > > not find something better." might have been confusing and I apology for > > this. At the time of writing the initial comment I was not sure I was > > not missing something nor that the problem could not be solved here or > > somewhere else (in another section). My meaning behind those words were > > that I was open to the way the concerned could be addressed. However, - > > from my point of view - the text does not say the issue does not need to > > be solved which is the way it has been interpreted. In addition, I > > believe I have clarified this right away after the concern has been > > acknowledged and not addressed. As result, I do not think my comment > > could be reasonably read as the text is fine.. > > Please fine the below the initial comment its response and the response > > to the response from [1]. > > """ > > In case we have a option providing authentication, such option > > may affect the interpretation of the other options. > > s/interpretation/ndependance may not be better.... I think what we want > > to say is that option MUST be able to be processed in any order or in > > parallel. I am fine with the text if we do not find something better. > > > > This is a good point, however we believe that this text > > captures the intent. > > The problem I have is that the current text prevents security > > options, so I guess some clarification should be brought to clarify the > > intent. > > """ > > If I had to suggest some text I would suggest the following - or > > something around the following lines. > > OLD > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > NEW > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option SHOULD NOT affect the parsing or interpretation of any > > other option. > > There are rare cases were the parsing of one option affects the parsing > > or the interpretation of other option. Option related to security may > > fall into this category. Typically, if an option enables the > > authentication of another option and the authentication does not > > succeed, the authenticated option MUST NOT be processed. Other options > > may be designed in the future. > > NEW > > Security Consideration > > Geneve Overlay may be secured using by protecting the NVE-to-NVE > > communication using IPsec or DTLS. However, such mechanisms cannot be > > applied for deployments that include transit devices. > > Some deployment may not be able to secure the full communication using > > IPsec or DTLS between the NVEs. This could be motivated by the presence > > of transit devices or by a risk analysis that concludes that the Geneve > > packet be only partially protected - typically reduced to the Geneve > > Header information. In such cases Geneve specific mechanisms needs to be > > designed. > > For a complete threat analysis, a security analysis of Geneve or some > > guide lines to secure a Geneve overlay network, please refer to > > [draft-mglt-nvo3-geneve-security-requirements] as well as > > [draft-ietf-nvo3-security-requirements]. > > For full disclosure I am a co-author of > > draft-mglt-nvo3-geneve-security-requirement. However the reason for > > referring to these documents is motivated by the fact that I believe > > these analysis provide a better security analysis than the current (OLD) > > security consideration section. > > Yours, > > Daniel > > On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) wrote: > > Hi Daniel > > Thanks for reviewing the latest version. At this stage it would be helpful if you could be much more concrete and give specifics. > > I think that the main issue is whether the design of Geneve prevents future security extensions. > > However, in [1], you stated that you were comfortable with the text if nothing else could be found. > > What specifically do you want to change in the following, bearing in mind that there are already claimed implementations of Geneve: > """ > o An option SHOULD NOT be dependent upon any other option in the > packet, i.e., options can be processed independent of one another. > An option MUST NOT affect the parsing or interpretation of any > other option. > """ > > Matthew > > FROM: Daniel Migault > DATE: Friday, 1 March 2019 at 03:06 > TO: Pankaj Garg > CC: "Bocci, Matthew (Nokia - GB)" , NVO3 , "draft-ietf-nvo3-geneve@ietf.org" > SUBJECT: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08..txt > > Hi, > > I just briefly went through the document quickly and in my opinion, the document still faces some security issues. > > The current text (in my opinion) prevents any geneve security related > > options. Currently Geneve cannot be secured and this prevents future > > work to eventually secure Geneve. In my opinion the current text > > mandates Geneve to remain unsecure. > > Geneve security option that are willing to authenticate/encrypt a part > > of the Geneve Header will affect the parsing of the protected option and > > will affect the order in which option needs to be process. Typically a > > protected option (authenticated, encrypted) cannot or should not be > > processed before authenticated or decrypted. > > This has already been mentioned in [1], and the text needs in my opinion > > further clarifications. > > """ > > o An option SHOULD NOT be dependent upon any other option in the > > packet, i.e., options can be processed independent of one another. > > An option MUST NOT affect the parsing or interpretation of any > > other option. > > """ > > As stated in [2] it remains unclear to me why this section is not > > referencing and leveraging on the security analysis [3-4] performed by > > two different independent teams.. > > My reading of the security consideration is that the message is that > > IPsec or TLS could be used to protect a geneve overlay network. This is > > - in my opinion- not correct as this does not consider the transit > > device. In addition, the security consideration only considers the case > > where the cloud provider and the overlay network provider are a single > > entity, which I believe oversimplifies the problem. > > The threat model seems to me very vague, so the current security > > consideration is limited to solving a problem that is not stated. > > My reading of the text indicates the tenant can handle by itself the > > confidentiality of its information without necessarily relying on the > > overlay service provider. This is not correct. Even when the tenant uses > > IPsec/TLS, it still leaks some information. The current text contradicts > > [3] section 6.2 and [4] section 5.1. > > My reading is that the text indicates that IPsec/DTLS could be used to > > protect the overlay service for both confidentiality and integrity. > > While this could be used in some deployment this is not compatible with > > transit devices. As such the generic statement is not correct. Section > > 6.4 indicates that transit device must be trusted which is incorrect. > > Instead the transit device with all nodes between the transit device and > > the NVE needs to be trusted. Overall the impression provided is that > > IPsec (or TLS) can be used by the service overlay provider, which is (in > > my opinion) not true. > > It is unclear to me how authentication of NVE peers differs from the > > authentication communication as the latest usually rely on the first. > > Maybe the section should insist on mutual authentication. > > Yours, > > Daniel > > [1] https://mailarchive.ietf..org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9o [1] > > [2] https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIrSGw > > [3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07 > > [4] https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-requirements-05 > > On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg wrote: > > I am not aware of any IP related to draft-ietf-nvo3-geneve which has not already been disclosed. > > Thanks > Pankaj > > FROM: Bocci, Matthew (Nokia - GB) > SENT: Tuesday, October 9, 2018 2:08 AM > TO: NVO3 > CC: draft-ietf-nvo3-geneve@ietf.org > SUBJECT: Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt > > This email begins a two-week working group last call for draft-ietf-nvo3-geneve-08.txt. > > Please review the draft and post any comments to the NVO3 working group list. If you have read the latest version of the draft but have no comments and believe it is ready for publication as a standards track RFC, please also indicate so to the WG email list. > > We are also polling for knowledge of any undisclosed IPR that applies to this document, to ensure that IPR has been disclosed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). > If you are listed as an Author or a Contributor of this document, please respond to this email and indicate whether or not you are aware of any relevant undisclosed IPR. The Document won't progress without answers from all the Authors and Contributors. > > Currently there are two IPR disclosures against this document. > > If you are not listed as an Author or a Contributor, then please explicitly respond only if you are aware of any IPR that has not yet been disclosed in conformance with IETF rules. > > This poll will run until Friday 26th October. > > Regards > > Matthew and Sam > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 [2] > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 [2] _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3 Links: ------ [1] https://mailarchive.ietf.org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJOIk9o [2] https://www.ietf..org/mailman/listinfo/nvo3 --=_5546cf928b226aa29570c4bbf70037ab Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8

FYI, I provided suggestions in my initial post:

- MUST process in-order

- MUST not depend on information in earlier options, in the order they a= re proceessed

If you have some other reason for SHOULD NOT depend on option contents o= r payload contents, they that's a separate issue. I.e., if you retain that = SHOULD NOT, it would be useful to indicate authentication, encryption, and = integrity checks as possible exceptions.

Joe

 


On 2019-04-03 09:18, Daniel Migault wrote:

I agree that would be better, however I do not have a clea= r idea on what could qualify as an exception. I see security as such an exc= eption, but I cannot say for sure that is the only exception. My concern wa= s that the previous text prevent such security extensions. The current text= address that concern. I am happy to hear how we could do better. 
Yours, 
Daniel

On Wed, Apr 3, 2019 at 11:44 AM Joe T= ouch <touch@strayalpha.com&g= t; wrote:

FWIW, IMO SHOULD NOT needs to come with a description of what would qual= ify as an exception.

However, you can't allow two such exceptions UNLESS they're deconflicted= , i.e., who goes first. That never works well in practice because ever= y new option says "I come first".

I.e., the point isn't whether you have exceptions - you will. The point = is to specify how those cases work, in which case you don't need the SHOULD= NOT.

Joe

 


On 2019-04-03 08:33, Daniel Migault wrote:

Hi, 
 
My reading is that SHOULD NOT means MUST NOT unless we have a good reason f= or it and security or checksum options fall in that category. AM I missing = something ?
 
Yours, 
Daniel

On Tue, Apr 2, 2019 at 11:36 PM Joe T= ouch <touch@strayalpha.com&g= t; wrote:
Hi, all,
 
FWIW - I don't understand this requirement.
 
Clearly, an option MUST NOT depend on options that come before it in t= he order they occur, otherwise you could have options defined in a circular= manner that cannot be resolved.
 
However, if you prevent options that depend on other, later options yo= u would undermine the ability to have an option that provides authenticatio= n (which is useful only when it includes both the payload and subsequent op= tions) or encryption (which should at least authenticate the option area, e= ven if it isn't encrypted). It also undermines the ability to have options = that create new checksum algorithms.
 
Are you really seeking to prevent these future possibilities?
 
Joe

On Mar 26, 2019, at 10:30 PM, Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:

Hi Daniel,
 
We updated the draft to restate the requirement= on options processing, the revised text is much simpler, provides better c= larity, and retains the original intent. We believe, this should address yo= ur concerns.
 
 
Revised text:
"An option SHOULD NOT be dependent upon any other option in the
packet, i.e., options can be processed independently of one
another.  Architecturally, options are intended to be self-<= /u>
descriptive and independent.  This enables parallelis=
m in option
processing and reduces implementation complexity."<=
u>
 
Thanks
Ilango
 
 
From: Daniel= Migault [mailto:daniel.migault@ericsson..com]=  
Sent: Ganga, Ilango S <ila= ngo.s.ganga@intel.com>
Cc:&n= bsp;NVO3 <nvo3@ietf.org>
Subject:<= /strong> Re: [nvo3] Working Group Last Call a= nd IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options
 
Hi,
 
I am looking at the version 12 and see how it address = my concern,
regarding the integration of security options.<= u>
 
The new text in version 12 mentions:
"""
   o  An option SHOULD NOT be dependent= upon any other option in the
      packet, i.e., options can be proc= essed independent of one another.
      An option MUST NOT affect the par= sing or interpretation of any
      other option.  However, opti= on processing by tunnel endpoints may
      result in the packet being droppe= d.  Options may also be used in
      conjunction with each other or co= mbined with packet data but this
      processing is done above the enca= psulation layer.
"""
 
I am reading the text as a security option can be comb= ined with another
option or the data payload. More specifically, an auth= entication option
that authenticates some options and/or the payload may result in the
packet to be discarded or not.
 
I think we are making progress. However, I am not clea= r about the text:
 
""" but this processing is done above the encapsulatio= n layer."""
 
I am reading the encapsulation layer as the Geneve pro= tocol, but I am
not clear what the layer above is. I am assuming that = is a layer
that takes the output of the Geneve decapsulation. If = that is correct,
I understand the text saying Geneve processes the opti= ons even though
the authentication has failed. Typically, suppose opti= on A covers
options O. Upon verification of A fails, Geneve proces= ses O and returns
to some upper layers that O has been processed while i= ts authentication
did not succeed. I am sure that I misunderstood the te= xt, but I suggest
some clarification are provided to prevent such interp= retation as the
purpose of the authenticating O MUST be able to preven= t the processing
of the option O.
 
In the current text I believe the text """but ...layer= """ can be
removed. Another way might be to clarify the layer abo= ve the
encapsulation.
 
 
Yours,
Daniel
 
 
 
On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault <daniel.migault@ericsson.com> wrote:<= u>
Hi,
 
Thanks for the response. Let me first recap the previo= us conversation,
or at least my perception of them. My initial comment = was that the
current Geneve specification prevents the design of se= curity options and
I provided an example. My understanding is there is an= agreement that
such option is prevented by the current geneve specifi= cation and you
challenge the usefulness of such an option (designated= as A) as well as
argue that an authentication upon failure MUST result = in discarding the
packet.
 
The security options considered has been mentioned in = two independent
security analysis. The example has been described and = commented
extensively in the threat analysis as well.  I ar= gue further that
mandating that dropping the packet, in our case is nei= ther a decision
that can be taken at the option level, nor at the gene= ve level. Instead,
it belongs to a policy decision that is likely to resu= lt in incoherent
deployments.
 
As result, the current geneve specification prevents s= ecurity options.
Please see below for more additional information.
 
The current option works similarly to IPsec: IPsec/ESP= is IP option. AH
is an option that authenticates the full IP packet.. E= SP
authenticate/encrypt the IP payload and not the full p= acket.  Upon
authentication failure *the scope of the authenticatio= n* is discarded
and in that sense the example I am providing is no mor= e different.
 
In our case, the option authenticate an portion of the= geneve packet
that is limited to the option. Tthe coverage of the se= curity option is a
portion of the geneve header.  As such, the optio= n cannot mandate
anything outside of its coverage: the covered option O= =2E As a result,
dropping the full packet is outside of the scope. Mand= ating a packet 
drop hardly, in my opinion apply here. =
 
Options are usually non critical for interoperability= =2E Mandating to drop
the packet when option O cannot be authenticated would= contradict the
non critical status of that option, which is the packe= t can be processed
without the option. This would be a policy that overwr= ite the geneve
 - as well as the geneve option - specification= =2E
A possible incoherence would be if option A and O are = non critical would
be that the implementation ignoring the option A and O= will accept the
packet, an implementation understanding option O but n= ot option A will
accept the packet while the implementation understandi= ng option A and O
will reject the packet.
 
Yours,
Daniel
 
 
On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:=
Hi Daniel,
 
Please see my responses inline below.=
 
Thanks,
Ilango
 
 
From: nvo3 [mailto= :nvo3-bounces@ietf.org] On Behalf Of Daniel Migaul= t
Sent: Monday, March 4= , 2019 9:15 AM
To: Gang= a, Ilango S <ilango.s.ganga@intel.com>
Cc: nvo3@ietf.or= g
Subject: Re: [nvo= 3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt
 
Hi Ilango, 
 
Thanks for the response. Please see a concrete ex= ample to illustrate my concern 
for comment 1. For comment 2, it really helped you ind= icated that Geneve is expected 
to be an end-to-end protocol. This will help me update= the security requirement 
document. However, the current Geneve specification wi= th transit devices seems - 
at least to me - to raise an architecture concern as r= aised in [1].
 
-- comment 1:
 
Thanks for the feed back. I understand the purpose of = keeping option
independent one from each other, and favour this is st= rongly recommended..
However, I am not convinced this applies always. More = specifically, in a
context of security, the purpose of a security option = may be related to
another option. Typically, a security option providing= authentication or
encryption is potentially authenticating/encryption an= other option or
other information contained in the header.
 
The typical scenario I have in mind would be an authen= tication option A
authenticating option O. There will clearly some depen= dencies between A
and O as O could only be used if A has been primarily = been validated.
The current statement "SHOULD NOT be dependent" enable= s this. However, I
have concerns regarding the statement "MUST NOT affect= the parsing or
interpretation". In fact, the output of A, will determ= ine if O should be
dropped or processed normally. In case A shows O is no= t appropriately
authenticated, O might be rejected based on its C valu= e. The ambiguity I
see is that A can be understood as affecting the parsi= ng and
interpretation of O or as a pre-processing operation b= efore parsing or
interpretation of O.
 
I think, the text needs further clarifications to remo= ve such ambiguity.
Changing MUST NOT by SHOULD NOT was of course only one= proposition and
this could be also addressed otherwise. It might be be= tter, I agree, to
explicitly mention that some options may provide condi= tion on the
parsing of the options. This would leave the parsing o= f the options unchanged. 
 
<Ilango>
If I understand your example correctly, you wan= t to have one option authenticate the contents of another option and if tha= t authentication fails, drop the option. This would not drop the entire pac= ket unless that option is critical. Can you give a use case for this? This = seems unusual and not something that is supported by other security protoco= ls such as IPsec or TLS to the best of our knowledge.<= /div>
 
I believe a more common outcome of a failed aut= hentication is that the entire packet would be dropped. As previously noted= , the current text does not preclude this. It seems like going beyond this = would result in significant complexity, both for processing options in this= specific case as well as the possibility of introducing ambiguity in how o= ther options might be defined or processed as an unintended consequence. Wi= thout a strong use case, this does not seem desirable.=
</>
 
-- comment 2:
 
Thanks for the response that clarifies a bit my unders= tanding of the
transit devices.. I believe the issue I have is relate= d to the transit
devices which I do not see, unless I am wrong, meeting= the requirements
for being OPTIONAL and that seems - at least to me - c= ontradicting the
status of end-to-end protocol. As suggested in [1], tr= ansit devices seem to raise
architectural concerns that is not needed.
 
You are correct that the text is clear that transit de= vices are
OPTIONAL. However, my understanding of OPTIONAL from 2= 119 is that there 
are two sides of it. One is that a vendor may implemen= t it or not, but
the other side is that interoperability with other imp= lementations are
not affected. In this case, two Geneve endpoints using= TLS or IPsec will
not be able to interoperate with an implementation bas= ed on transit
devices (unless the process being performed by the tra= nsit devices is
also performed by the NVE). In that sense, I believe O= PTIONAL statement
is not appropriated here.. 
 
An implementation with transit devices seems to preven= t the 
interoperability of with an implementation where = options are treated 
by the NVE over a secure channel. If we suppose that N= VE and 
transit devices support the same options, then transit= devices are not 
necessary and could be removed from the specification= =2E If options
supported by transit devices are different from those = supported by 
the NVE, interoperability will not be achieved. Transi= t device will not be 
able to process the options, resulting in options will= be ignored (while 
being supported by the implementation).. In addition,&= nbsp;if the options 
are critical, the NVE is likely to drop the packet as = it does not support 
the option. 
 
In addition, I have some hard time to understand the e= nd-to-end model 
with a transit device even optional. I believe that en= d-to-end protocol
is a good path, though. However, my understanding of e= nd-to-end protocol
is that they should only involve two end points. I see= the NVE as end
points but the optional transit device does not seems = to be one of
these. However, to help me understand better this, as = it seems Geneve is 
similar to other end-to-end protocol, maybe you could = provide similar 
end-to-end protocol that involves a transit devices or= something similar.   
 
I also have another clarification regarding transit de= vice. I see these
transit devices as adding a lot of complexity to the e= nd-to-end model
with little benefits. Typically, as far as I understan= d, they can only
read an option. I am thus wondering whether we should = not be better off
removing them from the specification. This would end u= p with a clear
end-to-end model. Reversely, I do not see anything pre= venting a vendor
to implement them at least for unsecure deployments. R= emoving them 
from the specification would leave the transit devices= as implementation 
specific. What are actually the benefits of the transi= t devices that would 
justify them to be part of the specification?
 
<Ilango>
Transit devices exists in the underlay network,= these are simply forwarding elements (e.g. switches, routers) that general= ly forwards packets based on outer header information, there is nothing tha= t stops such devices from reading the contents if the data is in the clear= =2E  This works with any transport protocols like IP, IP in IP, GRE, V= XLAN, etc.  For example, routers may look at headers and/or inner payl= oad for ECMP purposes or for statistics or logging purposes. If the packet = is encrypted then such transit devices cannot look into the packets but wou= ld simply forward based on the outer headers and use information in outer h= eaders for entropy. There is no interoperability issue between the endpoint= s. Geneve is no different.
 
Recognizing the fact that such a device is anyw= ay going to exist in the network, Geneve draft provides guidance on how to = handle Geneve headers (if a device has the option to do so).  Geneve o= ptions are part of Geneve header, a transit device that is capable of inter= preting Geneve headers may interpret an option or skip over the option to v= iew the payload, etc.  If a transit device is not able interpret the h= eader or option, it has to simply use the outer header to forward the packe= t (outer IP/UDP). This is what the Geneve draft clarifies.=
 
These guidelines reduce possible interoperabili= ty issues compared to if behavior was left undefined. For example, transit = devices are not allowed to drop packets or fall back to a slow path on the = basis of an unknown option. If this were to happen, it would hamper the int= roduction of new options. It might also be worth mentioning that anything t= hat could be considered a middlebox is not a transit device but needs to be= modeled as an endpoint and so Geneve really should be viewed as a tunnel e= ndpoint-to-endpoint protocol.
<end>
 
 
 
 
Yours, 
Daniel 
 
On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S <ilango.s.ganga@intel.com> wrote:=
Hi Daniel,
 
Let us be specific. I see that you have two com= ments on the latest draft-ietf-nvo3-geneve-09.  Please see below for r= esponses to your comments.
 
Comment 1:
OLD
   o  An option SHOULD NOT be dependent= upon any other option in the
      packet, i.e., options can be proc= essed independent of one another.
      An option MUST NOT affect the par= sing or interpretation of any
      other option.
 
NEW
 
   o  An option SHOULD NOT be dependent= upon any other option in the
      packet, i.e., options can be proc= essed independent of one another.
      An option SHOULD NOT affect the p= arsing or interpretation of any
      other option.
 
<Ilango>
Architecturally Geneve options can be processed= independent of one another. The second statement clearly states that parsi= ng or interpretation of one option must not affect the other.  This is= a reasonable constraint to avoid nested dependencies. Options can be desig= ned to work with the requirements specified in Geneve.=
 
Let us take specific examples:=
We could think of a design of a Header Integrit= y check option (related to your example). In this case if the header integr= ity check fails, as a result the entire header is invalid and hence the mos= t likely outcome of a failed check is that the packet being dropped (includ= ing any options in that packet whether parsed/interpreted or not). The curr= ent text does not preclude the packet being dropped as result of failure. 
 
It is possible to design options, including any= security options, with these constraints.  We don't see a reason to c= hange this requirement that may have unintended consequences.=
 
Comment 2:
 
NEW
Security Consideration
 
Geneve Overlay may be secured using by protecting the = NVE-to-NVE
communication using IPsec or DTLS. However, such mecha= nisms cannot be
applied for deployments that include transit devices= =2E. 
 
Some deployment may not be able to secure the full com= munication using
IPsec or DTLS between the NVEs. This could be motivate= d by the presence
of transit devices or by a risk analysis that conclude= s that the Geneve
packet be only partially protected - typically reduced= to the Geneve
Header information. In such cases Geneve specific mech= anisms needs to be
designed. 
 
<Ilango> The challenge is, you are asking= to impose requirements that is not supported by Geneve architecture. Genev= e has an optional feature where transit devices may be able to interpret Ge= neve options. However this is not a requirement for Geneve operation betwee= n tunnel end point to tunnel end point. We have tried make this very clear = by adding clarifying text during the last two revisions. If the Geneve pack= et is in the clear then transit devices may be able to view the Genve heade= r, options, and the payload. However if the packet is encrypted then transi= t devices cannot view the packet contents. This is consistent with other tr= ansport protocols encrypting the packets. So we don't see a reason why Gene= ve should be different.   
 
Geneve is an end to end protocol between tunnel= endpoints and the NVEs decide to secure (encrypt) the packets between tunn= el endpoints. If a middle box has a need to see an encrypted packet, then i= t has to implement tunnel endpoint functionality.
 
We already have text in 6.4 security considerat= ion section that provides clear guidance to the operators.=
 
So we don't see a good reason to add the sugges= ted text above.
 
For a complete threat analysis, a security analysis of= Geneve or some
guide lines to secure a Geneve overlay network, please= refer to
[draft-mglt-nvo3-geneve-security-requirements] as well= as
[draft-ietf-nvo3-security-requirements].=
 
<Ilango>
The security requirements document  makes = certain assumptions that is unsupported by Geneve architecture. We have tri= ed to clarify this multiple times, however you have still maintained this i= n the requirements document. So this needs to be addressed. Also the docume= nt is not yet adopted by the working group.
 
Moreover, Geneve security consideration section= has been significantly enhanced to provide guidance to operators and to ad= dress the comments. So both documents can progress independently.=
 
Thanks,
Ilango
 
 
From:daniel.migau= lt@ericsson.com] 
Sent: Saturday, March 2, 2019 8:49 AM
To: Bocci, Matthew (Nokia - GB)= <matthew.bocci@nokia.com>
Cc:<= /strong> draft-i= etf-nvo3-geneve@ietf.org; Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>; NVO3 <nv= o3@ietf.org>
Subject: <= /span>Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-g= eneve-08.txt
 
Hi Matt,
  
 
You are correct, this is at least not an regular proce= ss to have a
standard track document being updated by an informatio= nal. I do not see
either any requirements for having a WG status to beco= me a reference,
but that is something we could confirm with the RFC-ed= itor.
 
Back to the initial suggestion, I also believe the dif= ficulties of updating 
the Geneve specifications are far less complex than up= dating the 
implementation, and for that specific reason, it would= be good we have a 
consensus on the security analyse.
 
I agree that WG draft would be better, and RFC would b= e even better as
we have seen WG document being stalled. I am confident= we can make this
happen or at least I do not see major issues.
 
Yours,
Daniel
 
 
On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia = - GB) <matthew.bocci@nokia.com> wrote:
WG, Daniel,
 
Apologies but I mis-spoke on the suggestion for = the security requirements to act as an update to the encapsulation RFC in f= uture. This would be difficult to do as it is informational.<= u>
 
Nonetheless I think we should only be referencin= g a WG draft (at a minimum) here.
 
Matthew
 
 
 
From: Dacheng Zhang <nvo3-bounces@ietf.or= g> on behalf of "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Date:&nbs= p;Friday, 1 March 2019 at 16:24
To: Daniel Migault <da= niel.migault@ericsson.com>
Cc: <= /span>"draft-ietf-nvo3-geneve@ietf.or= g" <draft-ietf-nvo3-geneve@ietf.org= >, Pankaj Garg <pankajg=3D40microsoft.com= @dmarc.ietf.org>, NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] Working Gro= up Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt
 
Daniel
 
From a procedural perspective, referring to your= draft creates a dependency and that draft has not yet been adopted by the = WG. The old Security requirements framework expired a couple of years ago a= nd does not seem to be being progressed. 
Maybe a better approach to allow progress, as lo= ng as the WG can agree to your text (if needed) to satisfy the concern that= future security mechanisms can be used, and that the evolving threat analy= sis is understood by implementers and users of Geneve, would be to mark the= Geneve security requirements as an update to the geneve encapsulation RFC = when it is published.
 
Matthew
 
From: Daniel Migault <daniel.migaul= t@ericsson.com>
Date: Friday, 1 March 2019 at 16:11
To: = ;"Bocci, Matthew (Nokia - GB)" <mat= thew.bocci@nokia.com>
Cc: Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>, "draft-ietf-nvo3-geneve@ietf.org" <draft-ietf-nvo3-geneve@ietf.org>, NVO3 <nvo3@ietf.org>
Subject: <= /span>Re: [nvo3] Working Group Last Call and IPR Poll for draft-ie= tf-nvo3-geneve-08..txt
 
Hi Matthew, 
 
I am happy to clarify and be more specific. Howe= ver, despite your
reading of [1] I think [1] clearly indicates the= changes I expected as
well as that these changes needs to be made.&nbs= p;
 
I believe the responsibility of not addressing a= n acknowledged issue is
more on the side of people ignoring the issue&nb= sp; then on the side of the
one raising this issue. My impression is that th= is is the situation we
are in. 
  
I agree that my initial comment saying "I am fin= e with the text if we do
not find something better." might have been conf= using and I apology for
this. At the time of writing the initial comment= I was not sure I was
not missing something nor that the problem could= not be solved here or
somewhere else (in another section). My meaning = behind those words were
that I was open to the way the concerned could b= e addressed. However, -
from my point of view - the text does not say th= e issue does not need to
be solved which is the way it has been interpret= ed. In addition, I
believe I have clarified this right away after t= he concern has been
acknowledged and not addressed. As result, I do = not think my comment
could be reasonably read as the text is fine..
 
Please fine the below the initial comment its re= sponse and the response
to the response from [1]. =
 
"""
<mglt> In case we have a option providing = authentication, such option
may affect the interpretation of the other optio= ns.
s/interpretation/ndependance may not be better= =2E... I think what we want
to say is that option MUST be able to be process= ed in any order or in
parallel.  I am fine with the text if we do= not find something better.
</mglt>
 
<Ilango> This is a good point, however we = believe that this text
captures the intent.  </> 
 
<mglt2>The problem I have is that the curr= ent text prevents security
options, so I guess some clarification should be= brought to clarify the
intent.</mglt2> =
"""
 
If I had to suggest some text I would suggest th= e following - or
something around the following lines. 
 
 
OLD
   o  An option SHOULD NOT be dep= endent upon any other option in the
      packet, i.e., options can b= e processed independent of one another.
      An option MUST NOT affect t= he parsing or interpretation of any
      other option.=
 
NEW
 
   o  An option SHOULD NOT be dep= endent upon any other option in the
      packet, i.e., options can b= e processed independent of one another.
      An option SHOULD NOT affect= the parsing or interpretation of any
      other option.=
 
There are rare cases were the parsing of one opt= ion affects the parsing
or the interpretation of other option. Option re= lated to security may
fall into this category. Typically, if an option= enables the
authentication of another option and the authent= ication does not
succeed, the authenticated option MUST NOT be pr= ocessed. Other options
may be designed in the future.  
 
NEW
Security Consideration
 
Geneve Overlay may be secured using by protecting the NVE-to-NVE=
communication using IPsec or DTLS. However, such= mechanisms cannot be
applied for deployments that include transit dev= ices. 
 
Some deployment may not be able to secure the fu= ll communication using
IPsec or DTLS between the NVEs. This could be mo= tivated by the presence
of transit devices or by a risk analysis that co= ncludes that the Geneve
packet be only partially protected - typically r= educed to the Geneve
Header information. In such cases Geneve specifi= c mechanisms needs to be
designed. 
 
For a complete threat analysis, a security analy= sis of Geneve or some
guide lines to secure a Geneve overlay network, = please refer to
[draft-mglt-nvo3-geneve-security-requirements] a= s well as
[draft-ietf-nvo3-security-requirements].<= u>
 
For full disclosure I am a co-author of
draft-mglt-nvo3-geneve-security-requirement. How= ever the reason for
referring to these documents is motivated by the= fact that I believe
these analysis provide a better security analysi= s than the current (OLD)
security consideration section. <= /u>
 
Yours, 
Daniel
 
 
On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (N= okia - GB) <matthew.bocci@nokia.com> wrote:<= /span>
Hi Daniel
 
Thanks for reviewing the latest version. At this= stage it would be helpful if you could be much more concrete and give spec= ifics.
 
I think that the main issue is whether the desig= n of Geneve prevents future security extensions.
 
However, in [1], you stated that you were comfor= table with the text if nothing else could be found.
 
What specifically do you want to change in the f= ollowing, bearing in mind that there are already claimed implementations of= Geneve:
"""
   o  An option SHOULD NOT be dep= endent upon any other option in the
      packet, i.e., options can b= e processed independent of one another.
      An option MUST NOT affect t= he parsing or interpretation of any
      other option.=
"""
 
 
Matthew
 
 
From: Daniel Migault <daniel.migaul= t@ericsson.com>
Date: Friday, 1 March 2019 at 03:06
To: = ;Pankaj Garg <pankajg=3D40microsoft.com@dmarc.ietf.org>= ;
Cc: "Bocci, Matthew (= Nokia - GB)" <matthew.bocci@nokia.com>, NVO3= <nvo3@ietf.org>, "draft-= ietf-nvo3-geneve@ietf.org" <draft-ietf-= nvo3-geneve@ietf.org>
Subject: <= /span>Re: [nvo3] Working Group Last Call and IPR Poll for draft-ie= tf-nvo3-geneve-08..txt
 
Hi, 
 
I just briefly went through the document quickly and in my opini= on, the document still faces some security issues.
 
The current text (in my opinion) prevents any ge= neve security related
options. Currently Geneve cannot be secured and = this prevents future
work to eventually secure Geneve. In my opinion = the current text
mandates Geneve to remain unsecure. =
 
Geneve security option that are willing to authe= nticate/encrypt a part
of the Geneve Header will affect the parsing of = the protected option and
will affect the order in which option needs to b= e process. Typically a
protected option (authenticated, encrypted) cann= ot or should not be
processed before authenticated or decrypted. =
 
This has already been mentioned in [1], and the = text needs in my opinion
further clarifications.  
 
"""
   o  An option SHOULD NOT be dep= endent upon any other option in the
      packet, i.e., options can b= e processed independent of one another.
      An option MUST NOT affect t= he parsing or interpretation of any
      other option.=
"""
 
 
 
As stated in [2] it remains unclear to me why th= is section is not
referencing and leveraging on the security analy= sis [3-4] performed by
two different independent teams.. 
 
My reading of the security consideration is that= the message is that
IPsec or TLS could be used to protect a geneve o= verlay network. This is
- in my opinion- not correct as this does not co= nsider the transit
device. In addition, the security consideration = only considers the case
where the cloud provider and the overlay network= provider are a single
entity, which I believe oversimplifies the probl= em. 
 
The threat model seems to me very vague, so the = current security
consideration is limited to solving a problem th= at is not stated. 
 
My reading of the text indicates the tenant can = handle by itself the
confidentiality of its information without neces= sarily relying on the
overlay service provider. This is not correct. E= ven when the tenant uses
IPsec/TLS, it still leaks some information. The = current text contradicts
[3] section 6.2 and [4] section 5.1.
 
My reading is that the text indicates that IPsec= /DTLS could be used to
protect the overlay service for both confidentia= lity and integrity.
While this could be used in some deployment this= is not compatible with
transit devices. As such the generic statement i= s not correct. Section
6.4 indicates that transit device must be truste= d which is incorrect.
Instead the transit device with all nodes betwee= n the transit device and
the NVE needs to be trusted.  Overall the i= mpression provided is that
IPsec (or TLS) can be used by the service overla= y provider, which is (in
my opinion) not true. =
 
It is unclear to me how authentication of NVE pe= ers differs from the
authentication communication as the latest usual= ly rely on the first.
Maybe the section should insist on mutual authen= tication.  
 
Yours, 
Daniel
 
 
 
 
 
 
 
On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg <= pankajg=3D40microsoft.com@dmarc.ietf.org>= ; wrote:
I am not aware of any IP related to draft-ietf-nvo3-ge= neve which has not already been disclosed.
 
Thanks
Pankaj
 
From: B= occi, Matthew (Nokia - GB) <matthew..bocci@nokia.co= m> 
Sent: Tuesday, October 9, 2018 2:08 AM
To: NVO3 <nvo3@ietf.org= >
Cc: draft-ietf-nvo3-geneve@ietf.org
Subject: Working Group Last Call and IPR Poll f= or draft-ietf-nvo3-geneve-08.txt
 
This email begins a two-week working group last = call for draft-ietf-nvo3-geneve-08.txt.
 
Please review the draft and post any comments to= the NVO3 working group list. If you have read the latest version of the dr= aft but have no comments and believe it is ready for publication as a stand= ards track RFC, please also indicate so to the WG email list.=
 
We are also polling for knowledge of any undiscl= osed IPR that applies to this document, to ensure that IPR has been disclos= ed in compliance with IETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 fo= r more details).
If you are listed as an Author or a Contributor = of this document, please respond to this email and indicate whether or not = you are aware of any relevant undisclosed IPR. The Document won't progress = without answers from all the Authors and Contributors.=
 
Currently there are two IPR disclosures against = this document.
 
If you are not listed as an Author or a Contribu= tor, then please explicitly respond only if you are aware of any IPR that h= as not yet been disclosed in conformance with IETF rules.<= /u>
 
This poll will run until Friday 26th<= span class=3D"gmail-m_-3437265814411256455gmail-m_2557827608072206691Apple-= converted-space"> October.
 
Regards
 
Matthew and Sam
_______________________________________________<= br />nvo3 mailing list
nvo3@ietf.org
https://= www.ietf.org/mailman/listinfo/nvo3
_______________________________________________<= br />nvo3 mailing list
nvo3@ietf.org
https://= www.ietf.org/mailman/listinfo/nvo3
_______________________________________________
n= vo3 mailing list
nvo3@ietf.org
https://www.iet= f.org/mailman/listinfo/nvo3
_______________________________________________
n= vo3 mailing list
nvo3@ietf.org
https://www.iet= f.org/mailman/listinfo/nvo3
_______________________________________________
n= vo3 mailing list
nvo3@ietf.org
https://www.iet= f.org/mailman/listinfo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listin= fo/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3

__________________________________________= _____
nvo3 mailing list
nvo3@ie= tf.org
https://www.ietf.org/mailman/list= info/nvo3
_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3

= _______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3
--=_5546cf928b226aa29570c4bbf70037ab-- From nobody Wed Apr 3 09:53:37 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 910021200F7 for ; Wed, 3 Apr 2019 09:53:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CzgzMeRUsNN1 for ; Wed, 3 Apr 2019 09:53:26 -0700 (PDT) Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-eopbgr810080.outbound.protection.outlook.com [40.107.81.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEF18120046 for ; Wed, 3 Apr 2019 09:53:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=df4704Fowbvwvo6FnrwkF3S0WobSUwxXbOu3ezn+IIg=; b=l5+fmWx5P6Xj+4ZorOcD28zc1e5Y5zFVOxSte9Wd4Z/J34yIdnk9vSKk71ckXv40UnLuf3XR9PLX0Co2POit/Sxm3XCYFtyVBZ1kApx5aN+RX9nuKsKtLBl8GXo8d9fGv+BPEw9G/vPB1iqkwdqt1rynHG9SZPdkHpVKhxI6Gk0= Received: from MN2PR15MB3310.namprd15.prod.outlook.com (20.179.21.142) by MN2PR15MB3072.namprd15.prod.outlook.com (20.178.253.211) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.16; Wed, 3 Apr 2019 16:53:20 +0000 Received: from MN2PR15MB3310.namprd15.prod.outlook.com ([fe80::7da8:cba6:329d:1206]) by MN2PR15MB3310.namprd15.prod.outlook.com ([fe80::7da8:cba6:329d:1206%4]) with mapi id 15.20.1750.014; Wed, 3 Apr 2019 16:53:20 +0000 From: Daniel Migault To: Joe Touch CC: "FY\"Ganga, Ilango S\"" , NVO3 Thread-Topic: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options Thread-Index: AQHU5F5JIMXuwGYN8ESEYLAFjU2hnKYp1AIAgADLcjCAABHP6IAAAK7w Date: Wed, 3 Apr 2019 16:53:19 +0000 Message-ID: References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> <124B2B65-48C6-45B8-94FB-ED4368E65660@strayalpha.com> <9e18391a85bb2077cc3be318f1aed316@strayalpha.com> In-Reply-To: <9e18391a85bb2077cc3be318f1aed316@strayalpha.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=daniel.migault@ericsson.com; x-originating-ip: [70.80.131.240] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: cf4e4c6f-e59a-41b9-d00c-08d6b854e0e5 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020); SRVR:MN2PR15MB3072; x-ms-traffictypediagnostic: MN2PR15MB3072: x-ms-exchange-purlcount: 9 x-microsoft-antispam-prvs: x-forefront-prvs: 0996D1900D x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(39860400002)(346002)(396003)(136003)(199004)(189003)(51444003)(51914003)(68736007)(4326008)(71200400001)(53936002)(5070765005)(9686003)(14444005)(71190400001)(8936002)(105586002)(2906002)(25786009)(44832011)(53546011)(76176011)(53946003)(6306002)(236005)(106356001)(54896002)(55016002)(86362001)(3846002)(6116002)(790700001)(6916009)(6506007)(102836004)(6436002)(81156014)(81166006)(7696005)(6246003)(446003)(11346002)(97736004)(8676002)(30864003)(33656002)(74316002)(476003)(93886005)(486006)(966005)(5660300002)(52536014)(606006)(14454004)(478600001)(66066001)(54906003)(7736002)(186003)(256004)(229853002)(99286004)(316002)(26005)(569006); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR15MB3072; H:MN2PR15MB3310.namprd15.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: rQazpE7gAQxxtfX+8WhNWkqGQ4qDEVMwRSnFau2yRsbdFzgtHEnv4HI1bJR7DTH5R2lVCCcU0Paz8eMcOErkg3SeKTUbv4RVHI03EnrBp7NdIJVSp1vhBJz5iaYz1Orhsb1FZF9Kh+9NCsNdMd/naUefeLXlyQsznrLlTghHRYJbY5GsV6Uq7S9nlQN8A8NgF2LLplRdDGcA9doMe+rrGlpk1KKFUxoNCbImMsZhR5IHVrtbSaCnGMWEi3FPjoFHTa/qvIcKjxvh4xB5pHqlaP5/HoegUEXGDcsCj/L7JRutN1Pl2JbYUF5oMn+ygCNBJVPh3Z9L5FSmO0StT6I6LWJiS+YCBc/YmnzeGNW5/c1gNEcOJqrrbadYbBuD65oUpu0fGa45KFyTqpbDGoLT58BctTtRgrJBAMVUwozOADs= Content-Type: multipart/alternative; boundary="_000_MN2PR15MB3310AE0958697EB6412E96CBE3570MN2PR15MB3310namp_" MIME-Version: 1.0 X-OriginatorOrg: ericsson.com X-MS-Exchange-CrossTenant-Network-Message-Id: cf4e4c6f-e59a-41b9-d00c-08d6b854e0e5 X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Apr 2019 16:53:19.3293 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR15MB3072 Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 16:53:35 -0000 --_000_MN2PR15MB3310AE0958697EB6412E96CBE3570MN2PR15MB3310namp_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SWYgdGhlIHRleHQgbWVudGlvbnMgdGhhdCBvcHRpb25zICBmb3IgYXV0aGVudGljYXRpb24sIGVu Y3J5cHRpb24sIGFuZCBpbnRlZ3JpdHkgY2hlY2tzIGFyZSBleGNlcHRpb25zIHRvIHRoZXNlIHJ1 bGVzLiBJIGFtIGZpbmUgYXMgd2VsbC4NCllvdXJzLA0KRGFuaWVsDQoNCkZyb206IEpvZSBUb3Vj aCA8dG91Y2hAc3RyYXlhbHBoYS5jb20+DQpTZW50OiBXZWRuZXNkYXksIEFwcmlsIDAzLCAyMDE5 IDY6NDcgUE0NClRvOiBEYW5pZWwgTWlnYXVsdCA8ZGFuaWVsLm1pZ2F1bHRAZXJpY3Nzb24uY29t Pg0KQ2M6IEZZIkdhbmdhLCBJbGFuZ28gUyIgPGlsYW5nby5zLmdhbmdhQGludGVsLmNvbT47IE5W TzMgPG52bzNAaWV0Zi5vcmc+DQpTdWJqZWN0OiBSZTogW252bzNdIFdvcmtpbmcgR3JvdXAgTGFz dCBDYWxsIGFuZCBJUFIgUG9sbCBmb3IgZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZS0wOC50eHQgLSBn ZW5ldmUgb3B0aW9ucw0KDQoNCkZZSSwgSSBwcm92aWRlZCBzdWdnZXN0aW9ucyBpbiBteSBpbml0 aWFsIHBvc3Q6DQoNCi0gTVVTVCBwcm9jZXNzIGluLW9yZGVyDQoNCi0gTVVTVCBub3QgZGVwZW5k IG9uIGluZm9ybWF0aW9uIGluIGVhcmxpZXIgb3B0aW9ucywgaW4gdGhlIG9yZGVyIHRoZXkgYXJl IHByb2NlZXNzZWQNCg0KSWYgeW91IGhhdmUgc29tZSBvdGhlciByZWFzb24gZm9yIFNIT1VMRCBO T1QgZGVwZW5kIG9uIG9wdGlvbiBjb250ZW50cyBvciBwYXlsb2FkIGNvbnRlbnRzLCB0aGV5IHRo YXQncyBhIHNlcGFyYXRlIGlzc3VlLiBJLmUuLCBpZiB5b3UgcmV0YWluIHRoYXQgU0hPVUxEIE5P VCwgaXQgd291bGQgYmUgdXNlZnVsIHRvIGluZGljYXRlIGF1dGhlbnRpY2F0aW9uLCBlbmNyeXB0 aW9uLCBhbmQgaW50ZWdyaXR5IGNoZWNrcyBhcyBwb3NzaWJsZSBleGNlcHRpb25zLg0KDQpKb2UN Cg0KDQoNCg0KT24gMjAxOS0wNC0wMyAwOToxOCwgRGFuaWVsIE1pZ2F1bHQgd3JvdGU6DQpJIGFn cmVlIHRoYXQgd291bGQgYmUgYmV0dGVyLCBob3dldmVyIEkgZG8gbm90IGhhdmUgYSBjbGVhciBp ZGVhIG9uIHdoYXQgY291bGQgcXVhbGlmeSBhcyBhbiBleGNlcHRpb24uIEkgc2VlIHNlY3VyaXR5 IGFzIHN1Y2ggYW4gZXhjZXB0aW9uLCBidXQgSSBjYW5ub3Qgc2F5IGZvciBzdXJlIHRoYXQgaXMg dGhlIG9ubHkgZXhjZXB0aW9uLiBNeSBjb25jZXJuIHdhcyB0aGF0IHRoZSBwcmV2aW91cyB0ZXh0 IHByZXZlbnQgc3VjaCBzZWN1cml0eSBleHRlbnNpb25zLiBUaGUgY3VycmVudCB0ZXh0IGFkZHJl c3MgdGhhdCBjb25jZXJuLiBJIGFtIGhhcHB5IHRvIGhlYXIgaG93IHdlIGNvdWxkIGRvIGJldHRl ci4NCllvdXJzLA0KRGFuaWVsDQoNCk9uIFdlZCwgQXByIDMsIDIwMTkgYXQgMTE6NDQgQU0gSm9l IFRvdWNoIDx0b3VjaEBzdHJheWFscGhhLmNvbTxtYWlsdG86dG91Y2hAc3RyYXlhbHBoYS5jb20+ PiB3cm90ZToNCg0KRldJVywgSU1PIFNIT1VMRCBOT1QgbmVlZHMgdG8gY29tZSB3aXRoIGEgZGVz Y3JpcHRpb24gb2Ygd2hhdCB3b3VsZCBxdWFsaWZ5IGFzIGFuIGV4Y2VwdGlvbi4NCg0KSG93ZXZl ciwgeW91IGNhbid0IGFsbG93IHR3byBzdWNoIGV4Y2VwdGlvbnMgVU5MRVNTIHRoZXkncmUgZGVj b25mbGljdGVkLCBpLmUuLCB3aG8gZ29lcyBmaXJzdC4gVGhhdCBuZXZlciB3b3JrcyB3ZWxsIGlu IHByYWN0aWNlIGJlY2F1c2UgZXZlcnkgbmV3IG9wdGlvbiBzYXlzICJJIGNvbWUgZmlyc3QiLg0K DQpJLmUuLCB0aGUgcG9pbnQgaXNuJ3Qgd2hldGhlciB5b3UgaGF2ZSBleGNlcHRpb25zIC0geW91 IHdpbGwuIFRoZSBwb2ludCBpcyB0byBzcGVjaWZ5IGhvdyB0aG9zZSBjYXNlcyB3b3JrLCBpbiB3 aGljaCBjYXNlIHlvdSBkb24ndCBuZWVkIHRoZSBTSE9VTEQgTk9ULg0KDQpKb2UNCg0KDQoNCg0K T24gMjAxOS0wNC0wMyAwODozMywgRGFuaWVsIE1pZ2F1bHQgd3JvdGU6DQpIaSwNCg0KTXkgcmVh ZGluZyBpcyB0aGF0IFNIT1VMRCBOT1QgbWVhbnMgTVVTVCBOT1QgdW5sZXNzIHdlIGhhdmUgYSBn b29kIHJlYXNvbiBmb3IgaXQgYW5kIHNlY3VyaXR5IG9yIGNoZWNrc3VtIG9wdGlvbnMgZmFsbCBp biB0aGF0IGNhdGVnb3J5LiBBTSBJIG1pc3Npbmcgc29tZXRoaW5nID8NCg0KWW91cnMsDQpEYW5p ZWwNCg0KT24gVHVlLCBBcHIgMiwgMjAxOSBhdCAxMTozNiBQTSBKb2UgVG91Y2ggPHRvdWNoQHN0 cmF5YWxwaGEuY29tPG1haWx0bzp0b3VjaEBzdHJheWFscGhhLmNvbT4+IHdyb3RlOg0KSGksIGFs bCwNCg0KRldJVyAtIEkgZG9uJ3QgdW5kZXJzdGFuZCB0aGlzIHJlcXVpcmVtZW50Lg0KDQpDbGVh cmx5LCBhbiBvcHRpb24gTVVTVCBOT1QgZGVwZW5kIG9uIG9wdGlvbnMgdGhhdCBjb21lIGJlZm9y ZSBpdCBpbiB0aGUgb3JkZXIgdGhleSBvY2N1ciwgb3RoZXJ3aXNlIHlvdSBjb3VsZCBoYXZlIG9w dGlvbnMgZGVmaW5lZCBpbiBhIGNpcmN1bGFyIG1hbm5lciB0aGF0IGNhbm5vdCBiZSByZXNvbHZl ZC4NCg0KSG93ZXZlciwgaWYgeW91IHByZXZlbnQgb3B0aW9ucyB0aGF0IGRlcGVuZCBvbiBvdGhl ciwgbGF0ZXIgb3B0aW9ucyB5b3Ugd291bGQgdW5kZXJtaW5lIHRoZSBhYmlsaXR5IHRvIGhhdmUg YW4gb3B0aW9uIHRoYXQgcHJvdmlkZXMgYXV0aGVudGljYXRpb24gKHdoaWNoIGlzIHVzZWZ1bCBv bmx5IHdoZW4gaXQgaW5jbHVkZXMgYm90aCB0aGUgcGF5bG9hZCBhbmQgc3Vic2VxdWVudCBvcHRp b25zKSBvciBlbmNyeXB0aW9uICh3aGljaCBzaG91bGQgYXQgbGVhc3QgYXV0aGVudGljYXRlIHRo ZSBvcHRpb24gYXJlYSwgZXZlbiBpZiBpdCBpc24ndCBlbmNyeXB0ZWQpLiBJdCBhbHNvIHVuZGVy bWluZXMgdGhlIGFiaWxpdHkgdG8gaGF2ZSBvcHRpb25zIHRoYXQgY3JlYXRlIG5ldyBjaGVja3N1 bSBhbGdvcml0aG1zLg0KDQpBcmUgeW91IHJlYWxseSBzZWVraW5nIHRvIHByZXZlbnQgdGhlc2Ug ZnV0dXJlIHBvc3NpYmlsaXRpZXM/DQoNCkpvZQ0KDQpPbiBNYXIgMjYsIDIwMTksIGF0IDEwOjMw IFBNLCBHYW5nYSwgSWxhbmdvIFMgPGlsYW5nby5zLmdhbmdhQGludGVsLmNvbTxtYWlsdG86aWxh bmdvLnMuZ2FuZ2FAaW50ZWwuY29tPj4gd3JvdGU6DQoNCkhpIERhbmllbCwNCg0KV2UgdXBkYXRl ZCB0aGUgZHJhZnQgdG8gcmVzdGF0ZSB0aGUgcmVxdWlyZW1lbnQgb24gb3B0aW9ucyBwcm9jZXNz aW5nLCB0aGUgcmV2aXNlZCB0ZXh0IGlzIG11Y2ggc2ltcGxlciwgcHJvdmlkZXMgYmV0dGVyIGNs YXJpdHksIGFuZCByZXRhaW5zIHRoZSBvcmlnaW5hbCBpbnRlbnQuIFdlIGJlbGlldmUsIHRoaXMg c2hvdWxkIGFkZHJlc3MgeW91ciBjb25jZXJucy4NCg0KaHR0cHM6Ly9tYWlsYXJjaGl2ZS5pZXRm Lm9yZy9hcmNoL21zZy9udm8zLy1qd3ExZmp3RHVmdlBsOFFjYms3SWhlaWVnZw0KDQpSZXZpc2Vk IHRleHQ6DQoiQW4gb3B0aW9uIFNIT1VMRCBOT1QgYmUgZGVwZW5kZW50IHVwb24gYW55IG90aGVy IG9wdGlvbiBpbiB0aGUNCnBhY2tldCwgaS5lLiwgb3B0aW9ucyBjYW4gYmUgcHJvY2Vzc2VkIGlu ZGVwZW5kZW50bHkgb2Ygb25lDQphbm90aGVyLiAgQXJjaGl0ZWN0dXJhbGx5LCBvcHRpb25zIGFy ZSBpbnRlbmRlZCB0byBiZSBzZWxmLQ0KDQpkZXNjcmlwdGl2ZSBhbmQgaW5kZXBlbmRlbnQuICBU aGlzIGVuYWJsZXMgcGFyYWxsZWxpc20gaW4gb3B0aW9uDQoNCnByb2Nlc3NpbmcgYW5kIHJlZHVj ZXMgaW1wbGVtZW50YXRpb24gY29tcGxleGl0eS4iDQoNClRoYW5rcw0KSWxhbmdvDQoNCg0KRnJv bTogRGFuaWVsIE1pZ2F1bHQgW21haWx0bzpkYW5pZWwubWlnYXVsdEBlcmljc3Nvbi4uY29tPG1h aWx0bzpkYW5pZWwubWlnYXVsdEBlcmljc3Nvbi5jb20+XQ0KU2VudDogV2VkbmVzZGF5LCBNYXJj aCAyMCwgMjAxOSAxOjU2IFBNDQpUbzogR2FuZ2EsIElsYW5nbyBTIDxpbGFuZ28ucy5nYW5nYUBp bnRlbC5jb208bWFpbHRvOmlsYW5nby5zLmdhbmdhQGludGVsLmNvbT4+DQpDYzogTlZPMyA8bnZv M0BpZXRmLm9yZzxtYWlsdG86bnZvM0BpZXRmLm9yZz4+DQpTdWJqZWN0OiBSZTogW252bzNdIFdv cmtpbmcgR3JvdXAgTGFzdCBDYWxsIGFuZCBJUFIgUG9sbCBmb3IgZHJhZnQtaWV0Zi1udm8zLWdl bmV2ZS0wOC50eHQgLSBnZW5ldmUgb3B0aW9ucw0KDQpIaSwNCg0KSSBhbSBsb29raW5nIGF0IHRo ZSB2ZXJzaW9uIDEyIGFuZCBzZWUgaG93IGl0IGFkZHJlc3MgbXkgY29uY2VybiwNCnJlZ2FyZGlu ZyB0aGUgaW50ZWdyYXRpb24gb2Ygc2VjdXJpdHkgb3B0aW9ucy4NCg0KVGhlIG5ldyB0ZXh0IGlu IHZlcnNpb24gMTIgbWVudGlvbnM6DQoiIiINCiAgIG8gIEFuIG9wdGlvbiBTSE9VTEQgTk9UIGJl IGRlcGVuZGVudCB1cG9uIGFueSBvdGhlciBvcHRpb24gaW4gdGhlDQogICAgICBwYWNrZXQsIGku ZS4sIG9wdGlvbnMgY2FuIGJlIHByb2Nlc3NlZCBpbmRlcGVuZGVudCBvZiBvbmUgYW5vdGhlci4N CiAgICAgIEFuIG9wdGlvbiBNVVNUIE5PVCBhZmZlY3QgdGhlIHBhcnNpbmcgb3IgaW50ZXJwcmV0 YXRpb24gb2YgYW55DQogICAgICBvdGhlciBvcHRpb24uICBIb3dldmVyLCBvcHRpb24gcHJvY2Vz c2luZyBieSB0dW5uZWwgZW5kcG9pbnRzIG1heQ0KICAgICAgcmVzdWx0IGluIHRoZSBwYWNrZXQg YmVpbmcgZHJvcHBlZC4gIE9wdGlvbnMgbWF5IGFsc28gYmUgdXNlZCBpbg0KICAgICAgY29uanVu Y3Rpb24gd2l0aCBlYWNoIG90aGVyIG9yIGNvbWJpbmVkIHdpdGggcGFja2V0IGRhdGEgYnV0IHRo aXMNCiAgICAgIHByb2Nlc3NpbmcgaXMgZG9uZSBhYm92ZSB0aGUgZW5jYXBzdWxhdGlvbiBsYXll ci4NCiIiIg0KDQpJIGFtIHJlYWRpbmcgdGhlIHRleHQgYXMgYSBzZWN1cml0eSBvcHRpb24gY2Fu IGJlIGNvbWJpbmVkIHdpdGggYW5vdGhlcg0Kb3B0aW9uIG9yIHRoZSBkYXRhIHBheWxvYWQuIE1v cmUgc3BlY2lmaWNhbGx5LCBhbiBhdXRoZW50aWNhdGlvbiBvcHRpb24NCnRoYXQgYXV0aGVudGlj YXRlcyBzb21lIG9wdGlvbnMgYW5kL29yIHRoZSBwYXlsb2FkIG1heSByZXN1bHQgaW4gdGhlDQpw YWNrZXQgdG8gYmUgZGlzY2FyZGVkIG9yIG5vdC4NCg0KSSB0aGluayB3ZSBhcmUgbWFraW5nIHBy b2dyZXNzLiBIb3dldmVyLCBJIGFtIG5vdCBjbGVhciBhYm91dCB0aGUgdGV4dDoNCg0KIiIiIGJ1 dCB0aGlzIHByb2Nlc3NpbmcgaXMgZG9uZSBhYm92ZSB0aGUgZW5jYXBzdWxhdGlvbiBsYXllci4i IiINCg0KSSBhbSByZWFkaW5nIHRoZSBlbmNhcHN1bGF0aW9uIGxheWVyIGFzIHRoZSBHZW5ldmUg cHJvdG9jb2wsIGJ1dCBJIGFtDQpub3QgY2xlYXIgd2hhdCB0aGUgbGF5ZXIgYWJvdmUgaXMuIEkg YW0gYXNzdW1pbmcgdGhhdCBpcyBhIGxheWVyDQp0aGF0IHRha2VzIHRoZSBvdXRwdXQgb2YgdGhl IEdlbmV2ZSBkZWNhcHN1bGF0aW9uLiBJZiB0aGF0IGlzIGNvcnJlY3QsDQpJIHVuZGVyc3RhbmQg dGhlIHRleHQgc2F5aW5nIEdlbmV2ZSBwcm9jZXNzZXMgdGhlIG9wdGlvbnMgZXZlbiB0aG91Z2gN CnRoZSBhdXRoZW50aWNhdGlvbiBoYXMgZmFpbGVkLiBUeXBpY2FsbHksIHN1cHBvc2Ugb3B0aW9u IEEgY292ZXJzDQpvcHRpb25zIE8uIFVwb24gdmVyaWZpY2F0aW9uIG9mIEEgZmFpbHMsIEdlbmV2 ZSBwcm9jZXNzZXMgTyBhbmQgcmV0dXJucw0KdG8gc29tZSB1cHBlciBsYXllcnMgdGhhdCBPIGhh cyBiZWVuIHByb2Nlc3NlZCB3aGlsZSBpdHMgYXV0aGVudGljYXRpb24NCmRpZCBub3Qgc3VjY2Vl ZC4gSSBhbSBzdXJlIHRoYXQgSSBtaXN1bmRlcnN0b29kIHRoZSB0ZXh0LCBidXQgSSBzdWdnZXN0 DQpzb21lIGNsYXJpZmljYXRpb24gYXJlIHByb3ZpZGVkIHRvIHByZXZlbnQgc3VjaCBpbnRlcnBy ZXRhdGlvbiBhcyB0aGUNCnB1cnBvc2Ugb2YgdGhlIGF1dGhlbnRpY2F0aW5nIE8gTVVTVCBiZSBh YmxlIHRvIHByZXZlbnQgdGhlIHByb2Nlc3NpbmcNCm9mIHRoZSBvcHRpb24gTy4NCg0KSW4gdGhl IGN1cnJlbnQgdGV4dCBJIGJlbGlldmUgdGhlIHRleHQgIiIiYnV0IC4uLmxheWVyIiIiIGNhbiBi ZQ0KcmVtb3ZlZC4gQW5vdGhlciB3YXkgbWlnaHQgYmUgdG8gY2xhcmlmeSB0aGUgbGF5ZXIgYWJv dmUgdGhlDQplbmNhcHN1bGF0aW9uLg0KDQoNCllvdXJzLA0KRGFuaWVsDQoNCg0KDQpPbiBGcmks IE1hciA4LCAyMDE5IGF0IDk6NDQgUE0gRGFuaWVsIE1pZ2F1bHQgPGRhbmllbC5taWdhdWx0QGVy aWNzc29uLmNvbTxtYWlsdG86ZGFuaWVsLm1pZ2F1bHRAZXJpY3Nzb24uY29tPj4gd3JvdGU6DQpI aSwNCg0KVGhhbmtzIGZvciB0aGUgcmVzcG9uc2UuIExldCBtZSBmaXJzdCByZWNhcCB0aGUgcHJl dmlvdXMgY29udmVyc2F0aW9uLA0Kb3IgYXQgbGVhc3QgbXkgcGVyY2VwdGlvbiBvZiB0aGVtLiBN eSBpbml0aWFsIGNvbW1lbnQgd2FzIHRoYXQgdGhlDQpjdXJyZW50IEdlbmV2ZSBzcGVjaWZpY2F0 aW9uIHByZXZlbnRzIHRoZSBkZXNpZ24gb2Ygc2VjdXJpdHkgb3B0aW9ucyBhbmQNCkkgcHJvdmlk ZWQgYW4gZXhhbXBsZS4gTXkgdW5kZXJzdGFuZGluZyBpcyB0aGVyZSBpcyBhbiBhZ3JlZW1lbnQg dGhhdA0Kc3VjaCBvcHRpb24gaXMgcHJldmVudGVkIGJ5IHRoZSBjdXJyZW50IGdlbmV2ZSBzcGVj aWZpY2F0aW9uIGFuZCB5b3UNCmNoYWxsZW5nZSB0aGUgdXNlZnVsbmVzcyBvZiBzdWNoIGFuIG9w dGlvbiAoZGVzaWduYXRlZCBhcyBBKSBhcyB3ZWxsIGFzDQphcmd1ZSB0aGF0IGFuIGF1dGhlbnRp Y2F0aW9uIHVwb24gZmFpbHVyZSBNVVNUIHJlc3VsdCBpbiBkaXNjYXJkaW5nIHRoZQ0KcGFja2V0 Lg0KDQpUaGUgc2VjdXJpdHkgb3B0aW9ucyBjb25zaWRlcmVkIGhhcyBiZWVuIG1lbnRpb25lZCBp biB0d28gaW5kZXBlbmRlbnQNCnNlY3VyaXR5IGFuYWx5c2lzLiBUaGUgZXhhbXBsZSBoYXMgYmVl biBkZXNjcmliZWQgYW5kIGNvbW1lbnRlZA0KZXh0ZW5zaXZlbHkgaW4gdGhlIHRocmVhdCBhbmFs eXNpcyBhcyB3ZWxsLiAgSSBhcmd1ZSBmdXJ0aGVyIHRoYXQNCm1hbmRhdGluZyB0aGF0IGRyb3Bw aW5nIHRoZSBwYWNrZXQsIGluIG91ciBjYXNlIGlzIG5laXRoZXIgYSBkZWNpc2lvbg0KdGhhdCBj YW4gYmUgdGFrZW4gYXQgdGhlIG9wdGlvbiBsZXZlbCwgbm9yIGF0IHRoZSBnZW5ldmUgbGV2ZWwu IEluc3RlYWQsDQppdCBiZWxvbmdzIHRvIGEgcG9saWN5IGRlY2lzaW9uIHRoYXQgaXMgbGlrZWx5 IHRvIHJlc3VsdCBpbiBpbmNvaGVyZW50DQpkZXBsb3ltZW50cy4NCg0KQXMgcmVzdWx0LCB0aGUg Y3VycmVudCBnZW5ldmUgc3BlY2lmaWNhdGlvbiBwcmV2ZW50cyBzZWN1cml0eSBvcHRpb25zLg0K UGxlYXNlIHNlZSBiZWxvdyBmb3IgbW9yZSBhZGRpdGlvbmFsIGluZm9ybWF0aW9uLg0KDQpUaGUg Y3VycmVudCBvcHRpb24gd29ya3Mgc2ltaWxhcmx5IHRvIElQc2VjOiBJUHNlYy9FU1AgaXMgSVAg b3B0aW9uLiBBSA0KaXMgYW4gb3B0aW9uIHRoYXQgYXV0aGVudGljYXRlcyB0aGUgZnVsbCBJUCBw YWNrZXQuLiBFU1ANCmF1dGhlbnRpY2F0ZS9lbmNyeXB0IHRoZSBJUCBwYXlsb2FkIGFuZCBub3Qg dGhlIGZ1bGwgcGFja2V0LiAgVXBvbg0KYXV0aGVudGljYXRpb24gZmFpbHVyZSAqdGhlIHNjb3Bl IG9mIHRoZSBhdXRoZW50aWNhdGlvbiogaXMgZGlzY2FyZGVkDQphbmQgaW4gdGhhdCBzZW5zZSB0 aGUgZXhhbXBsZSBJIGFtIHByb3ZpZGluZyBpcyBubyBtb3JlIGRpZmZlcmVudC4NCg0KSW4gb3Vy IGNhc2UsIHRoZSBvcHRpb24gYXV0aGVudGljYXRlIGFuIHBvcnRpb24gb2YgdGhlIGdlbmV2ZSBw YWNrZXQNCnRoYXQgaXMgbGltaXRlZCB0byB0aGUgb3B0aW9uLiBUdGhlIGNvdmVyYWdlIG9mIHRo ZSBzZWN1cml0eSBvcHRpb24gaXMgYQ0KcG9ydGlvbiBvZiB0aGUgZ2VuZXZlIGhlYWRlci4gIEFz IHN1Y2gsIHRoZSBvcHRpb24gY2Fubm90IG1hbmRhdGUNCmFueXRoaW5nIG91dHNpZGUgb2YgaXRz IGNvdmVyYWdlOiB0aGUgY292ZXJlZCBvcHRpb24gTy4gQXMgYSByZXN1bHQsDQpkcm9wcGluZyB0 aGUgZnVsbCBwYWNrZXQgaXMgb3V0c2lkZSBvZiB0aGUgc2NvcGUuIE1hbmRhdGluZyBhIHBhY2tl dA0KZHJvcCBoYXJkbHksIGluIG15IG9waW5pb24gYXBwbHkgaGVyZS4NCg0KT3B0aW9ucyBhcmUg dXN1YWxseSBub24gY3JpdGljYWwgZm9yIGludGVyb3BlcmFiaWxpdHkuIE1hbmRhdGluZyB0byBk cm9wDQp0aGUgcGFja2V0IHdoZW4gb3B0aW9uIE8gY2Fubm90IGJlIGF1dGhlbnRpY2F0ZWQgd291 bGQgY29udHJhZGljdCB0aGUNCm5vbiBjcml0aWNhbCBzdGF0dXMgb2YgdGhhdCBvcHRpb24sIHdo aWNoIGlzIHRoZSBwYWNrZXQgY2FuIGJlIHByb2Nlc3NlZA0Kd2l0aG91dCB0aGUgb3B0aW9uLiBU aGlzIHdvdWxkIGJlIGEgcG9saWN5IHRoYXQgb3ZlcndyaXRlIHRoZSBnZW5ldmUNCiAtIGFzIHdl bGwgYXMgdGhlIGdlbmV2ZSBvcHRpb24gLSBzcGVjaWZpY2F0aW9uLg0KQSBwb3NzaWJsZSBpbmNv aGVyZW5jZSB3b3VsZCBiZSBpZiBvcHRpb24gQSBhbmQgTyBhcmUgbm9uIGNyaXRpY2FsIHdvdWxk DQpiZSB0aGF0IHRoZSBpbXBsZW1lbnRhdGlvbiBpZ25vcmluZyB0aGUgb3B0aW9uIEEgYW5kIE8g d2lsbCBhY2NlcHQgdGhlDQpwYWNrZXQsIGFuIGltcGxlbWVudGF0aW9uIHVuZGVyc3RhbmRpbmcg b3B0aW9uIE8gYnV0IG5vdCBvcHRpb24gQSB3aWxsDQphY2NlcHQgdGhlIHBhY2tldCB3aGlsZSB0 aGUgaW1wbGVtZW50YXRpb24gdW5kZXJzdGFuZGluZyBvcHRpb24gQSBhbmQgTw0Kd2lsbCByZWpl Y3QgdGhlIHBhY2tldC4NCg0KWW91cnMsDQpEYW5pZWwNCg0KDQpPbiBXZWQsIE1hciA2LCAyMDE5 IGF0IDk6MzMgUE0gR2FuZ2EsIElsYW5nbyBTIDxpbGFuZ28ucy5nYW5nYUBpbnRlbC5jb208bWFp bHRvOmlsYW5nby5zLmdhbmdhQGludGVsLmNvbT4+IHdyb3RlOg0KSGkgRGFuaWVsLA0KDQpQbGVh c2Ugc2VlIG15IHJlc3BvbnNlcyBpbmxpbmUgYmVsb3cuDQoNClRoYW5rcywNCklsYW5nbw0KDQoN CkZyb206IG52bzMgW21haWx0bzpudm8zLWJvdW5jZXNAaWV0Zi5vcmc8bWFpbHRvOm52bzMtYm91 bmNlc0BpZXRmLm9yZz5dIE9uIEJlaGFsZiBPZiBEYW5pZWwgTWlnYXVsdA0KU2VudDogTW9uZGF5 LCBNYXJjaCA0LCAyMDE5IDk6MTUgQU0NClRvOiBHYW5nYSwgSWxhbmdvIFMgPGlsYW5nby5zLmdh bmdhQGludGVsLmNvbTxtYWlsdG86aWxhbmdvLnMuZ2FuZ2FAaW50ZWwuY29tPj4NCkNjOiBudm8z QGlldGYub3JnPG1haWx0bzpudm8zQGlldGYub3JnPg0KU3ViamVjdDogUmU6IFtudm8zXSBXb3Jr aW5nIEdyb3VwIExhc3QgQ2FsbCBhbmQgSVBSIFBvbGwgZm9yIGRyYWZ0LWlldGYtbnZvMy1nZW5l dmUtMDgudHh0DQoNCkhpIElsYW5nbywNCg0KVGhhbmtzIGZvciB0aGUgcmVzcG9uc2UuIFBsZWFz ZSBzZWUgYSBjb25jcmV0ZSBleGFtcGxlIHRvIGlsbHVzdHJhdGUgbXkgY29uY2Vybg0KZm9yIGNv bW1lbnQgMS4gRm9yIGNvbW1lbnQgMiwgaXQgcmVhbGx5IGhlbHBlZCB5b3UgaW5kaWNhdGVkIHRo YXQgR2VuZXZlIGlzIGV4cGVjdGVkDQp0byBiZSBhbiBlbmQtdG8tZW5kIHByb3RvY29sLiBUaGlz IHdpbGwgaGVscCBtZSB1cGRhdGUgdGhlIHNlY3VyaXR5IHJlcXVpcmVtZW50DQpkb2N1bWVudC4g SG93ZXZlciwgdGhlIGN1cnJlbnQgR2VuZXZlIHNwZWNpZmljYXRpb24gd2l0aCB0cmFuc2l0IGRl dmljZXMgc2VlbXMgLQ0KYXQgbGVhc3QgdG8gbWUgLSB0byByYWlzZSBhbiBhcmNoaXRlY3R1cmUg Y29uY2VybiBhcyByYWlzZWQgaW4gWzFdLg0KDQotLSBjb21tZW50IDE6DQoNClRoYW5rcyBmb3Ig dGhlIGZlZWQgYmFjay4gSSB1bmRlcnN0YW5kIHRoZSBwdXJwb3NlIG9mIGtlZXBpbmcgb3B0aW9u DQppbmRlcGVuZGVudCBvbmUgZnJvbSBlYWNoIG90aGVyLCBhbmQgZmF2b3VyIHRoaXMgaXMgc3Ry b25nbHkgcmVjb21tZW5kZWQuLg0KSG93ZXZlciwgSSBhbSBub3QgY29udmluY2VkIHRoaXMgYXBw bGllcyBhbHdheXMuIE1vcmUgc3BlY2lmaWNhbGx5LCBpbiBhDQpjb250ZXh0IG9mIHNlY3VyaXR5 LCB0aGUgcHVycG9zZSBvZiBhIHNlY3VyaXR5IG9wdGlvbiBtYXkgYmUgcmVsYXRlZCB0bw0KYW5v dGhlciBvcHRpb24uIFR5cGljYWxseSwgYSBzZWN1cml0eSBvcHRpb24gcHJvdmlkaW5nIGF1dGhl bnRpY2F0aW9uIG9yDQplbmNyeXB0aW9uIGlzIHBvdGVudGlhbGx5IGF1dGhlbnRpY2F0aW5nL2Vu Y3J5cHRpb24gYW5vdGhlciBvcHRpb24gb3INCm90aGVyIGluZm9ybWF0aW9uIGNvbnRhaW5lZCBp biB0aGUgaGVhZGVyLg0KDQpUaGUgdHlwaWNhbCBzY2VuYXJpbyBJIGhhdmUgaW4gbWluZCB3b3Vs ZCBiZSBhbiBhdXRoZW50aWNhdGlvbiBvcHRpb24gQQ0KYXV0aGVudGljYXRpbmcgb3B0aW9uIE8u IFRoZXJlIHdpbGwgY2xlYXJseSBzb21lIGRlcGVuZGVuY2llcyBiZXR3ZWVuIEENCmFuZCBPIGFz IE8gY291bGQgb25seSBiZSB1c2VkIGlmIEEgaGFzIGJlZW4gcHJpbWFyaWx5IGJlZW4gdmFsaWRh dGVkLg0KVGhlIGN1cnJlbnQgc3RhdGVtZW50ICJTSE9VTEQgTk9UIGJlIGRlcGVuZGVudCIgZW5h YmxlcyB0aGlzLiBIb3dldmVyLCBJDQpoYXZlIGNvbmNlcm5zIHJlZ2FyZGluZyB0aGUgc3RhdGVt ZW50ICJNVVNUIE5PVCBhZmZlY3QgdGhlIHBhcnNpbmcgb3INCmludGVycHJldGF0aW9uIi4gSW4g ZmFjdCwgdGhlIG91dHB1dCBvZiBBLCB3aWxsIGRldGVybWluZSBpZiBPIHNob3VsZCBiZQ0KZHJv cHBlZCBvciBwcm9jZXNzZWQgbm9ybWFsbHkuIEluIGNhc2UgQSBzaG93cyBPIGlzIG5vdCBhcHBy b3ByaWF0ZWx5DQphdXRoZW50aWNhdGVkLCBPIG1pZ2h0IGJlIHJlamVjdGVkIGJhc2VkIG9uIGl0 cyBDIHZhbHVlLiBUaGUgYW1iaWd1aXR5IEkNCnNlZSBpcyB0aGF0IEEgY2FuIGJlIHVuZGVyc3Rv b2QgYXMgYWZmZWN0aW5nIHRoZSBwYXJzaW5nIGFuZA0KaW50ZXJwcmV0YXRpb24gb2YgTyBvciBh cyBhIHByZS1wcm9jZXNzaW5nIG9wZXJhdGlvbiBiZWZvcmUgcGFyc2luZyBvcg0KaW50ZXJwcmV0 YXRpb24gb2YgTy4NCg0KSSB0aGluaywgdGhlIHRleHQgbmVlZHMgZnVydGhlciBjbGFyaWZpY2F0 aW9ucyB0byByZW1vdmUgc3VjaCBhbWJpZ3VpdHkuDQpDaGFuZ2luZyBNVVNUIE5PVCBieSBTSE9V TEQgTk9UIHdhcyBvZiBjb3Vyc2Ugb25seSBvbmUgcHJvcG9zaXRpb24gYW5kDQp0aGlzIGNvdWxk IGJlIGFsc28gYWRkcmVzc2VkIG90aGVyd2lzZS4gSXQgbWlnaHQgYmUgYmV0dGVyLCBJIGFncmVl LCB0bw0KZXhwbGljaXRseSBtZW50aW9uIHRoYXQgc29tZSBvcHRpb25zIG1heSBwcm92aWRlIGNv bmRpdGlvbiBvbiB0aGUNCnBhcnNpbmcgb2YgdGhlIG9wdGlvbnMuIFRoaXMgd291bGQgbGVhdmUg dGhlIHBhcnNpbmcgb2YgdGhlIG9wdGlvbnMgdW5jaGFuZ2VkLg0KDQo8SWxhbmdvPg0KSWYgSSB1 bmRlcnN0YW5kIHlvdXIgZXhhbXBsZSBjb3JyZWN0bHksIHlvdSB3YW50IHRvIGhhdmUgb25lIG9w dGlvbiBhdXRoZW50aWNhdGUgdGhlIGNvbnRlbnRzIG9mIGFub3RoZXIgb3B0aW9uIGFuZCBpZiB0 aGF0IGF1dGhlbnRpY2F0aW9uIGZhaWxzLCBkcm9wIHRoZSBvcHRpb24uIFRoaXMgd291bGQgbm90 IGRyb3AgdGhlIGVudGlyZSBwYWNrZXQgdW5sZXNzIHRoYXQgb3B0aW9uIGlzIGNyaXRpY2FsLiBD YW4geW91IGdpdmUgYSB1c2UgY2FzZSBmb3IgdGhpcz8gVGhpcyBzZWVtcyB1bnVzdWFsIGFuZCBu b3Qgc29tZXRoaW5nIHRoYXQgaXMgc3VwcG9ydGVkIGJ5IG90aGVyIHNlY3VyaXR5IHByb3RvY29s cyBzdWNoIGFzIElQc2VjIG9yIFRMUyB0byB0aGUgYmVzdCBvZiBvdXIga25vd2xlZGdlLg0KDQpJ IGJlbGlldmUgYSBtb3JlIGNvbW1vbiBvdXRjb21lIG9mIGEgZmFpbGVkIGF1dGhlbnRpY2F0aW9u IGlzIHRoYXQgdGhlIGVudGlyZSBwYWNrZXQgd291bGQgYmUgZHJvcHBlZC4gQXMgcHJldmlvdXNs eSBub3RlZCwgdGhlIGN1cnJlbnQgdGV4dCBkb2VzIG5vdCBwcmVjbHVkZSB0aGlzLiBJdCBzZWVt cyBsaWtlIGdvaW5nIGJleW9uZCB0aGlzIHdvdWxkIHJlc3VsdCBpbiBzaWduaWZpY2FudCBjb21w bGV4aXR5LCBib3RoIGZvciBwcm9jZXNzaW5nIG9wdGlvbnMgaW4gdGhpcyBzcGVjaWZpYyBjYXNl IGFzIHdlbGwgYXMgdGhlIHBvc3NpYmlsaXR5IG9mIGludHJvZHVjaW5nIGFtYmlndWl0eSBpbiBo b3cgb3RoZXIgb3B0aW9ucyBtaWdodCBiZSBkZWZpbmVkIG9yIHByb2Nlc3NlZCBhcyBhbiB1bmlu dGVuZGVkIGNvbnNlcXVlbmNlLiBXaXRob3V0IGEgc3Ryb25nIHVzZSBjYXNlLCB0aGlzIGRvZXMg bm90IHNlZW0gZGVzaXJhYmxlLg0KPC8+DQoNCi0tIGNvbW1lbnQgMjoNCg0KVGhhbmtzIGZvciB0 aGUgcmVzcG9uc2UgdGhhdCBjbGFyaWZpZXMgYSBiaXQgbXkgdW5kZXJzdGFuZGluZyBvZiB0aGUN CnRyYW5zaXQgZGV2aWNlcy4uIEkgYmVsaWV2ZSB0aGUgaXNzdWUgSSBoYXZlIGlzIHJlbGF0ZWQg dG8gdGhlIHRyYW5zaXQNCmRldmljZXMgd2hpY2ggSSBkbyBub3Qgc2VlLCB1bmxlc3MgSSBhbSB3 cm9uZywgbWVldGluZyB0aGUgcmVxdWlyZW1lbnRzDQpmb3IgYmVpbmcgT1BUSU9OQUwgYW5kIHRo YXQgc2VlbXMgLSBhdCBsZWFzdCB0byBtZSAtIGNvbnRyYWRpY3RpbmcgdGhlDQpzdGF0dXMgb2Yg ZW5kLXRvLWVuZCBwcm90b2NvbC4gQXMgc3VnZ2VzdGVkIGluIFsxXSwgdHJhbnNpdCBkZXZpY2Vz IHNlZW0gdG8gcmFpc2UNCmFyY2hpdGVjdHVyYWwgY29uY2VybnMgdGhhdCBpcyBub3QgbmVlZGVk Lg0KDQpZb3UgYXJlIGNvcnJlY3QgdGhhdCB0aGUgdGV4dCBpcyBjbGVhciB0aGF0IHRyYW5zaXQg ZGV2aWNlcyBhcmUNCk9QVElPTkFMLiBIb3dldmVyLCBteSB1bmRlcnN0YW5kaW5nIG9mIE9QVElP TkFMIGZyb20gMjExOSBpcyB0aGF0IHRoZXJlDQphcmUgdHdvIHNpZGVzIG9mIGl0LiBPbmUgaXMg dGhhdCBhIHZlbmRvciBtYXkgaW1wbGVtZW50IGl0IG9yIG5vdCwgYnV0DQp0aGUgb3RoZXIgc2lk ZSBpcyB0aGF0IGludGVyb3BlcmFiaWxpdHkgd2l0aCBvdGhlciBpbXBsZW1lbnRhdGlvbnMgYXJl DQpub3QgYWZmZWN0ZWQuIEluIHRoaXMgY2FzZSwgdHdvIEdlbmV2ZSBlbmRwb2ludHMgdXNpbmcg VExTIG9yIElQc2VjIHdpbGwNCm5vdCBiZSBhYmxlIHRvIGludGVyb3BlcmF0ZSB3aXRoIGFuIGlt cGxlbWVudGF0aW9uIGJhc2VkIG9uIHRyYW5zaXQNCmRldmljZXMgKHVubGVzcyB0aGUgcHJvY2Vz cyBiZWluZyBwZXJmb3JtZWQgYnkgdGhlIHRyYW5zaXQgZGV2aWNlcyBpcw0KYWxzbyBwZXJmb3Jt ZWQgYnkgdGhlIE5WRSkuIEluIHRoYXQgc2Vuc2UsIEkgYmVsaWV2ZSBPUFRJT05BTCBzdGF0ZW1l bnQNCmlzIG5vdCBhcHByb3ByaWF0ZWQgaGVyZS4uDQoNCkFuIGltcGxlbWVudGF0aW9uIHdpdGgg dHJhbnNpdCBkZXZpY2VzIHNlZW1zIHRvIHByZXZlbnQgdGhlDQppbnRlcm9wZXJhYmlsaXR5IG9m IHdpdGggYW4gaW1wbGVtZW50YXRpb24gd2hlcmUgIG9wdGlvbnMgYXJlIHRyZWF0ZWQNCmJ5IHRo ZSBOVkUgb3ZlciBhIHNlY3VyZSBjaGFubmVsLiBJZiB3ZSBzdXBwb3NlIHRoYXQgTlZFIGFuZA0K dHJhbnNpdCBkZXZpY2VzIHN1cHBvcnQgdGhlIHNhbWUgb3B0aW9ucywgdGhlbiB0cmFuc2l0IGRl dmljZXMgYXJlIG5vdA0KbmVjZXNzYXJ5IGFuZCBjb3VsZCBiZSByZW1vdmVkIGZyb20gdGhlIHNw ZWNpZmljYXRpb24uIElmIG9wdGlvbnMNCnN1cHBvcnRlZCBieSB0cmFuc2l0IGRldmljZXMgYXJl IGRpZmZlcmVudCBmcm9tIHRob3NlIHN1cHBvcnRlZCBieQ0KdGhlIE5WRSwgaW50ZXJvcGVyYWJp bGl0eSB3aWxsIG5vdCBiZSBhY2hpZXZlZC4gVHJhbnNpdCBkZXZpY2Ugd2lsbCBub3QgYmUNCmFi bGUgdG8gcHJvY2VzcyB0aGUgb3B0aW9ucywgcmVzdWx0aW5nIGluIG9wdGlvbnMgd2lsbCBiZSBp Z25vcmVkICh3aGlsZQ0KYmVpbmcgc3VwcG9ydGVkIGJ5IHRoZSBpbXBsZW1lbnRhdGlvbikuLiBJ biBhZGRpdGlvbiwgaWYgdGhlIG9wdGlvbnMNCmFyZSBjcml0aWNhbCwgdGhlIE5WRSBpcyBsaWtl bHkgdG8gZHJvcCB0aGUgcGFja2V0IGFzIGl0IGRvZXMgbm90IHN1cHBvcnQNCnRoZSBvcHRpb24u DQoNCkluIGFkZGl0aW9uLCBJIGhhdmUgc29tZSBoYXJkIHRpbWUgdG8gdW5kZXJzdGFuZCB0aGUg ZW5kLXRvLWVuZCBtb2RlbA0Kd2l0aCBhIHRyYW5zaXQgZGV2aWNlIGV2ZW4gb3B0aW9uYWwuIEkg YmVsaWV2ZSB0aGF0IGVuZC10by1lbmQgcHJvdG9jb2wNCmlzIGEgZ29vZCBwYXRoLCB0aG91Z2gu IEhvd2V2ZXIsIG15IHVuZGVyc3RhbmRpbmcgb2YgZW5kLXRvLWVuZCBwcm90b2NvbA0KaXMgdGhh dCB0aGV5IHNob3VsZCBvbmx5IGludm9sdmUgdHdvIGVuZCBwb2ludHMuIEkgc2VlIHRoZSBOVkUg YXMgZW5kDQpwb2ludHMgYnV0IHRoZSBvcHRpb25hbCB0cmFuc2l0IGRldmljZSBkb2VzIG5vdCBz ZWVtcyB0byBiZSBvbmUgb2YNCnRoZXNlLiBIb3dldmVyLCB0byBoZWxwIG1lIHVuZGVyc3RhbmQg YmV0dGVyIHRoaXMsIGFzIGl0IHNlZW1zIEdlbmV2ZSBpcw0Kc2ltaWxhciB0byBvdGhlciBlbmQt dG8tZW5kIHByb3RvY29sLCBtYXliZSB5b3UgY291bGQgcHJvdmlkZSBzaW1pbGFyDQplbmQtdG8t ZW5kIHByb3RvY29sIHRoYXQgaW52b2x2ZXMgYSB0cmFuc2l0IGRldmljZXMgb3Igc29tZXRoaW5n IHNpbWlsYXIuDQoNCkkgYWxzbyBoYXZlIGFub3RoZXIgY2xhcmlmaWNhdGlvbiByZWdhcmRpbmcg dHJhbnNpdCBkZXZpY2UuIEkgc2VlIHRoZXNlDQp0cmFuc2l0IGRldmljZXMgYXMgYWRkaW5nIGEg bG90IG9mIGNvbXBsZXhpdHkgdG8gdGhlIGVuZC10by1lbmQgbW9kZWwNCndpdGggbGl0dGxlIGJl bmVmaXRzLiBUeXBpY2FsbHksIGFzIGZhciBhcyBJIHVuZGVyc3RhbmQsIHRoZXkgY2FuIG9ubHkN CnJlYWQgYW4gb3B0aW9uLiBJIGFtIHRodXMgd29uZGVyaW5nIHdoZXRoZXIgd2Ugc2hvdWxkIG5v dCBiZSBiZXR0ZXIgb2ZmDQpyZW1vdmluZyB0aGVtIGZyb20gdGhlIHNwZWNpZmljYXRpb24uIFRo aXMgd291bGQgZW5kIHVwIHdpdGggYSBjbGVhcg0KZW5kLXRvLWVuZCBtb2RlbC4gUmV2ZXJzZWx5 LCBJIGRvIG5vdCBzZWUgYW55dGhpbmcgcHJldmVudGluZyBhIHZlbmRvcg0KdG8gaW1wbGVtZW50 IHRoZW0gYXQgbGVhc3QgZm9yIHVuc2VjdXJlIGRlcGxveW1lbnRzLiBSZW1vdmluZyB0aGVtDQpm cm9tIHRoZSBzcGVjaWZpY2F0aW9uIHdvdWxkIGxlYXZlIHRoZSB0cmFuc2l0IGRldmljZXMgYXMg aW1wbGVtZW50YXRpb24NCnNwZWNpZmljLiBXaGF0IGFyZSBhY3R1YWxseSB0aGUgYmVuZWZpdHMg b2YgdGhlIHRyYW5zaXQgZGV2aWNlcyB0aGF0IHdvdWxkDQpqdXN0aWZ5IHRoZW0gdG8gYmUgcGFy dCBvZiB0aGUgc3BlY2lmaWNhdGlvbj8NCg0KPElsYW5nbz4NClRyYW5zaXQgZGV2aWNlcyBleGlz dHMgaW4gdGhlIHVuZGVybGF5IG5ldHdvcmssIHRoZXNlIGFyZSBzaW1wbHkgZm9yd2FyZGluZyBl bGVtZW50cyAoZS5nLiBzd2l0Y2hlcywgcm91dGVycykgdGhhdCBnZW5lcmFsbHkgZm9yd2FyZHMg cGFja2V0cyBiYXNlZCBvbiBvdXRlciBoZWFkZXIgaW5mb3JtYXRpb24sIHRoZXJlIGlzIG5vdGhp bmcgdGhhdCBzdG9wcyBzdWNoIGRldmljZXMgZnJvbSByZWFkaW5nIHRoZSBjb250ZW50cyBpZiB0 aGUgZGF0YSBpcyBpbiB0aGUgY2xlYXIuICBUaGlzIHdvcmtzIHdpdGggYW55IHRyYW5zcG9ydCBw cm90b2NvbHMgbGlrZSBJUCwgSVAgaW4gSVAsIEdSRSwgVlhMQU4sIGV0Yy4gIEZvciBleGFtcGxl LCByb3V0ZXJzIG1heSBsb29rIGF0IGhlYWRlcnMgYW5kL29yIGlubmVyIHBheWxvYWQgZm9yIEVD TVAgcHVycG9zZXMgb3IgZm9yIHN0YXRpc3RpY3Mgb3IgbG9nZ2luZyBwdXJwb3Nlcy4gSWYgdGhl IHBhY2tldCBpcyBlbmNyeXB0ZWQgdGhlbiBzdWNoIHRyYW5zaXQgZGV2aWNlcyBjYW5ub3QgbG9v ayBpbnRvIHRoZSBwYWNrZXRzIGJ1dCB3b3VsZCBzaW1wbHkgZm9yd2FyZCBiYXNlZCBvbiB0aGUg b3V0ZXIgaGVhZGVycyBhbmQgdXNlIGluZm9ybWF0aW9uIGluIG91dGVyIGhlYWRlcnMgZm9yIGVu dHJvcHkuIFRoZXJlIGlzIG5vIGludGVyb3BlcmFiaWxpdHkgaXNzdWUgYmV0d2VlbiB0aGUgZW5k cG9pbnRzLiBHZW5ldmUgaXMgbm8gZGlmZmVyZW50Lg0KDQpSZWNvZ25pemluZyB0aGUgZmFjdCB0 aGF0IHN1Y2ggYSBkZXZpY2UgaXMgYW55d2F5IGdvaW5nIHRvIGV4aXN0IGluIHRoZSBuZXR3b3Jr LCBHZW5ldmUgZHJhZnQgcHJvdmlkZXMgZ3VpZGFuY2Ugb24gaG93IHRvIGhhbmRsZSBHZW5ldmUg aGVhZGVycyAoaWYgYSBkZXZpY2UgaGFzIHRoZSBvcHRpb24gdG8gZG8gc28pLiAgR2VuZXZlIG9w dGlvbnMgYXJlIHBhcnQgb2YgR2VuZXZlIGhlYWRlciwgYSB0cmFuc2l0IGRldmljZSB0aGF0IGlz IGNhcGFibGUgb2YgaW50ZXJwcmV0aW5nIEdlbmV2ZSBoZWFkZXJzIG1heSBpbnRlcnByZXQgYW4g b3B0aW9uIG9yIHNraXAgb3ZlciB0aGUgb3B0aW9uIHRvIHZpZXcgdGhlIHBheWxvYWQsIGV0Yy4g IElmIGEgdHJhbnNpdCBkZXZpY2UgaXMgbm90IGFibGUgaW50ZXJwcmV0IHRoZSBoZWFkZXIgb3Ig b3B0aW9uLCBpdCBoYXMgdG8gc2ltcGx5IHVzZSB0aGUgb3V0ZXIgaGVhZGVyIHRvIGZvcndhcmQg dGhlIHBhY2tldCAob3V0ZXIgSVAvVURQKS4gVGhpcyBpcyB3aGF0IHRoZSBHZW5ldmUgZHJhZnQg Y2xhcmlmaWVzLg0KDQpUaGVzZSBndWlkZWxpbmVzIHJlZHVjZSBwb3NzaWJsZSBpbnRlcm9wZXJh YmlsaXR5IGlzc3VlcyBjb21wYXJlZCB0byBpZiBiZWhhdmlvciB3YXMgbGVmdCB1bmRlZmluZWQu IEZvciBleGFtcGxlLCB0cmFuc2l0IGRldmljZXMgYXJlIG5vdCBhbGxvd2VkIHRvIGRyb3AgcGFj a2V0cyBvciBmYWxsIGJhY2sgdG8gYSBzbG93IHBhdGggb24gdGhlIGJhc2lzIG9mIGFuIHVua25v d24gb3B0aW9uLiBJZiB0aGlzIHdlcmUgdG8gaGFwcGVuLCBpdCB3b3VsZCBoYW1wZXIgdGhlIGlu dHJvZHVjdGlvbiBvZiBuZXcgb3B0aW9ucy4gSXQgbWlnaHQgYWxzbyBiZSB3b3J0aCBtZW50aW9u aW5nIHRoYXQgYW55dGhpbmcgdGhhdCBjb3VsZCBiZSBjb25zaWRlcmVkIGEgbWlkZGxlYm94IGlz IG5vdCBhIHRyYW5zaXQgZGV2aWNlIGJ1dCBuZWVkcyB0byBiZSBtb2RlbGVkIGFzIGFuIGVuZHBv aW50IGFuZCBzbyBHZW5ldmUgcmVhbGx5IHNob3VsZCBiZSB2aWV3ZWQgYXMgYSB0dW5uZWwgZW5k cG9pbnQtdG8tZW5kcG9pbnQgcHJvdG9jb2wuDQo8ZW5kPg0KDQoNClsxXSBodHRwczovL21haWxh cmNoaXZlLmlldGYub3JnL2FyY2gvbXNnL252bzMvZWtMb2ZocThlclJMRV9Nc3VrOE5fU0NkaGNz DQoNCg0KWW91cnMsDQpEYW5pZWwNCg0KT24gU2F0LCBNYXIgMiwgMjAxOSBhdCA4OjE4IFBNIEdh bmdhLCBJbGFuZ28gUyA8aWxhbmdvLnMuZ2FuZ2FAaW50ZWwuY29tPG1haWx0bzppbGFuZ28ucy5n YW5nYUBpbnRlbC5jb20+PiB3cm90ZToNCkhpIERhbmllbCwNCg0KTGV0IHVzIGJlIHNwZWNpZmlj LiBJIHNlZSB0aGF0IHlvdSBoYXZlIHR3byBjb21tZW50cyBvbiB0aGUgbGF0ZXN0IGRyYWZ0LWll dGYtbnZvMy1nZW5ldmUtMDkuICBQbGVhc2Ugc2VlIGJlbG93IGZvciByZXNwb25zZXMgdG8geW91 ciBjb21tZW50cy4NCg0KQ29tbWVudCAxOg0KT0xEDQogICBvICBBbiBvcHRpb24gU0hPVUxEIE5P VCBiZSBkZXBlbmRlbnQgdXBvbiBhbnkgb3RoZXIgb3B0aW9uIGluIHRoZQ0KICAgICAgcGFja2V0 LCBpLmUuLCBvcHRpb25zIGNhbiBiZSBwcm9jZXNzZWQgaW5kZXBlbmRlbnQgb2Ygb25lIGFub3Ro ZXIuDQogICAgICBBbiBvcHRpb24gTVVTVCBOT1QgYWZmZWN0IHRoZSBwYXJzaW5nIG9yIGludGVy cHJldGF0aW9uIG9mIGFueQ0KICAgICAgb3RoZXIgb3B0aW9uLg0KDQpORVcNCg0KICAgbyAgQW4g b3B0aW9uIFNIT1VMRCBOT1QgYmUgZGVwZW5kZW50IHVwb24gYW55IG90aGVyIG9wdGlvbiBpbiB0 aGUNCiAgICAgIHBhY2tldCwgaS5lLiwgb3B0aW9ucyBjYW4gYmUgcHJvY2Vzc2VkIGluZGVwZW5k ZW50IG9mIG9uZSBhbm90aGVyLg0KICAgICAgQW4gb3B0aW9uIFNIT1VMRCBOT1QgYWZmZWN0IHRo ZSBwYXJzaW5nIG9yIGludGVycHJldGF0aW9uIG9mIGFueQ0KICAgICAgb3RoZXIgb3B0aW9uLg0K DQo8SWxhbmdvPg0KQXJjaGl0ZWN0dXJhbGx5IEdlbmV2ZSBvcHRpb25zIGNhbiBiZSBwcm9jZXNz ZWQgaW5kZXBlbmRlbnQgb2Ygb25lIGFub3RoZXIuIFRoZSBzZWNvbmQgc3RhdGVtZW50IGNsZWFy bHkgc3RhdGVzIHRoYXQgcGFyc2luZyBvciBpbnRlcnByZXRhdGlvbiBvZiBvbmUgb3B0aW9uIG11 c3Qgbm90IGFmZmVjdCB0aGUgb3RoZXIuICBUaGlzIGlzIGEgcmVhc29uYWJsZSBjb25zdHJhaW50 IHRvIGF2b2lkIG5lc3RlZCBkZXBlbmRlbmNpZXMuIE9wdGlvbnMgY2FuIGJlIGRlc2lnbmVkIHRv IHdvcmsgd2l0aCB0aGUgcmVxdWlyZW1lbnRzIHNwZWNpZmllZCBpbiBHZW5ldmUuDQoNCkxldCB1 cyB0YWtlIHNwZWNpZmljIGV4YW1wbGVzOg0KV2UgY291bGQgdGhpbmsgb2YgYSBkZXNpZ24gb2Yg YSBIZWFkZXIgSW50ZWdyaXR5IGNoZWNrIG9wdGlvbiAocmVsYXRlZCB0byB5b3VyIGV4YW1wbGUp LiBJbiB0aGlzIGNhc2UgaWYgdGhlIGhlYWRlciBpbnRlZ3JpdHkgY2hlY2sgZmFpbHMsIGFzIGEg cmVzdWx0IHRoZSBlbnRpcmUgaGVhZGVyIGlzIGludmFsaWQgYW5kIGhlbmNlIHRoZSBtb3N0IGxp a2VseSBvdXRjb21lIG9mIGEgZmFpbGVkIGNoZWNrIGlzIHRoYXQgdGhlIHBhY2tldCBiZWluZyBk cm9wcGVkIChpbmNsdWRpbmcgYW55IG9wdGlvbnMgaW4gdGhhdCBwYWNrZXQgd2hldGhlciBwYXJz ZWQvaW50ZXJwcmV0ZWQgb3Igbm90KS4gVGhlIGN1cnJlbnQgdGV4dCBkb2VzIG5vdCBwcmVjbHVk ZSB0aGUgcGFja2V0IGJlaW5nIGRyb3BwZWQgYXMgcmVzdWx0IG9mIGZhaWx1cmUuDQoNCkl0IGlz IHBvc3NpYmxlIHRvIGRlc2lnbiBvcHRpb25zLCBpbmNsdWRpbmcgYW55IHNlY3VyaXR5IG9wdGlv bnMsIHdpdGggdGhlc2UgY29uc3RyYWludHMuICBXZSBkb24ndCBzZWUgYSByZWFzb24gdG8gY2hh bmdlIHRoaXMgcmVxdWlyZW1lbnQgdGhhdCBtYXkgaGF2ZSB1bmludGVuZGVkIGNvbnNlcXVlbmNl cy4NCg0KQ29tbWVudCAyOg0KDQpORVcNClNlY3VyaXR5IENvbnNpZGVyYXRpb24NCg0KR2VuZXZl IE92ZXJsYXkgbWF5IGJlIHNlY3VyZWQgdXNpbmcgYnkgcHJvdGVjdGluZyB0aGUgTlZFLXRvLU5W RQ0KY29tbXVuaWNhdGlvbiB1c2luZyBJUHNlYyBvciBEVExTLiBIb3dldmVyLCBzdWNoIG1lY2hh bmlzbXMgY2Fubm90IGJlDQphcHBsaWVkIGZvciBkZXBsb3ltZW50cyB0aGF0IGluY2x1ZGUgdHJh bnNpdCBkZXZpY2VzLi4NCg0KU29tZSBkZXBsb3ltZW50IG1heSBub3QgYmUgYWJsZSB0byBzZWN1 cmUgdGhlIGZ1bGwgY29tbXVuaWNhdGlvbiB1c2luZw0KSVBzZWMgb3IgRFRMUyBiZXR3ZWVuIHRo ZSBOVkVzLiBUaGlzIGNvdWxkIGJlIG1vdGl2YXRlZCBieSB0aGUgcHJlc2VuY2UNCm9mIHRyYW5z aXQgZGV2aWNlcyBvciBieSBhIHJpc2sgYW5hbHlzaXMgdGhhdCBjb25jbHVkZXMgdGhhdCB0aGUg R2VuZXZlDQpwYWNrZXQgYmUgb25seSBwYXJ0aWFsbHkgcHJvdGVjdGVkIC0gdHlwaWNhbGx5IHJl ZHVjZWQgdG8gdGhlIEdlbmV2ZQ0KSGVhZGVyIGluZm9ybWF0aW9uLiBJbiBzdWNoIGNhc2VzIEdl bmV2ZSBzcGVjaWZpYyBtZWNoYW5pc21zIG5lZWRzIHRvIGJlDQpkZXNpZ25lZC4NCg0KPElsYW5n bz4gVGhlIGNoYWxsZW5nZSBpcywgeW91IGFyZSBhc2tpbmcgdG8gaW1wb3NlIHJlcXVpcmVtZW50 cyB0aGF0IGlzIG5vdCBzdXBwb3J0ZWQgYnkgR2VuZXZlIGFyY2hpdGVjdHVyZS4gR2VuZXZlIGhh cyBhbiBvcHRpb25hbCBmZWF0dXJlIHdoZXJlIHRyYW5zaXQgZGV2aWNlcyBtYXkgYmUgYWJsZSB0 byBpbnRlcnByZXQgR2VuZXZlIG9wdGlvbnMuIEhvd2V2ZXIgdGhpcyBpcyBub3QgYSByZXF1aXJl bWVudCBmb3IgR2VuZXZlIG9wZXJhdGlvbiBiZXR3ZWVuIHR1bm5lbCBlbmQgcG9pbnQgdG8gdHVu bmVsIGVuZCBwb2ludC4gV2UgaGF2ZSB0cmllZCBtYWtlIHRoaXMgdmVyeSBjbGVhciBieSBhZGRp bmcgY2xhcmlmeWluZyB0ZXh0IGR1cmluZyB0aGUgbGFzdCB0d28gcmV2aXNpb25zLiBJZiB0aGUg R2VuZXZlIHBhY2tldCBpcyBpbiB0aGUgY2xlYXIgdGhlbiB0cmFuc2l0IGRldmljZXMgbWF5IGJl IGFibGUgdG8gdmlldyB0aGUgR2VudmUgaGVhZGVyLCBvcHRpb25zLCBhbmQgdGhlIHBheWxvYWQu IEhvd2V2ZXIgaWYgdGhlIHBhY2tldCBpcyBlbmNyeXB0ZWQgdGhlbiB0cmFuc2l0IGRldmljZXMg Y2Fubm90IHZpZXcgdGhlIHBhY2tldCBjb250ZW50cy4gVGhpcyBpcyBjb25zaXN0ZW50IHdpdGgg b3RoZXIgdHJhbnNwb3J0IHByb3RvY29scyBlbmNyeXB0aW5nIHRoZSBwYWNrZXRzLiBTbyB3ZSBk b24ndCBzZWUgYSByZWFzb24gd2h5IEdlbmV2ZSBzaG91bGQgYmUgZGlmZmVyZW50Lg0KDQpHZW5l dmUgaXMgYW4gZW5kIHRvIGVuZCBwcm90b2NvbCBiZXR3ZWVuIHR1bm5lbCBlbmRwb2ludHMgYW5k IHRoZSBOVkVzIGRlY2lkZSB0byBzZWN1cmUgKGVuY3J5cHQpIHRoZSBwYWNrZXRzIGJldHdlZW4g dHVubmVsIGVuZHBvaW50cy4gSWYgYSBtaWRkbGUgYm94IGhhcyBhIG5lZWQgdG8gc2VlIGFuIGVu Y3J5cHRlZCBwYWNrZXQsIHRoZW4gaXQgaGFzIHRvIGltcGxlbWVudCB0dW5uZWwgZW5kcG9pbnQg ZnVuY3Rpb25hbGl0eS4NCg0KV2UgYWxyZWFkeSBoYXZlIHRleHQgaW4gNi40IHNlY3VyaXR5IGNv bnNpZGVyYXRpb24gc2VjdGlvbiB0aGF0IHByb3ZpZGVzIGNsZWFyIGd1aWRhbmNlIHRvIHRoZSBv cGVyYXRvcnMuDQoNClNvIHdlIGRvbid0IHNlZSBhIGdvb2QgcmVhc29uIHRvIGFkZCB0aGUgc3Vn Z2VzdGVkIHRleHQgYWJvdmUuDQoNCkZvciBhIGNvbXBsZXRlIHRocmVhdCBhbmFseXNpcywgYSBz ZWN1cml0eSBhbmFseXNpcyBvZiBHZW5ldmUgb3Igc29tZQ0KZ3VpZGUgbGluZXMgdG8gc2VjdXJl IGEgR2VuZXZlIG92ZXJsYXkgbmV0d29yaywgcGxlYXNlIHJlZmVyIHRvDQpbZHJhZnQtbWdsdC1u dm8zLWdlbmV2ZS1zZWN1cml0eS1yZXF1aXJlbWVudHNdIGFzIHdlbGwgYXMNCltkcmFmdC1pZXRm LW52bzMtc2VjdXJpdHktcmVxdWlyZW1lbnRzXS4NCg0KPElsYW5nbz4NClRoZSBzZWN1cml0eSBy ZXF1aXJlbWVudHMgZG9jdW1lbnQgIG1ha2VzIGNlcnRhaW4gYXNzdW1wdGlvbnMgdGhhdCBpcyB1 bnN1cHBvcnRlZCBieSBHZW5ldmUgYXJjaGl0ZWN0dXJlLiBXZSBoYXZlIHRyaWVkIHRvIGNsYXJp ZnkgdGhpcyBtdWx0aXBsZSB0aW1lcywgaG93ZXZlciB5b3UgaGF2ZSBzdGlsbCBtYWludGFpbmVk IHRoaXMgaW4gdGhlIHJlcXVpcmVtZW50cyBkb2N1bWVudC4gU28gdGhpcyBuZWVkcyB0byBiZSBh ZGRyZXNzZWQuIEFsc28gdGhlIGRvY3VtZW50IGlzIG5vdCB5ZXQgYWRvcHRlZCBieSB0aGUgd29y a2luZyBncm91cC4NCg0KTW9yZW92ZXIsIEdlbmV2ZSBzZWN1cml0eSBjb25zaWRlcmF0aW9uIHNl Y3Rpb24gaGFzIGJlZW4gc2lnbmlmaWNhbnRseSBlbmhhbmNlZCB0byBwcm92aWRlIGd1aWRhbmNl IHRvIG9wZXJhdG9ycyBhbmQgdG8gYWRkcmVzcyB0aGUgY29tbWVudHMuIFNvIGJvdGggZG9jdW1l bnRzIGNhbiBwcm9ncmVzcyBpbmRlcGVuZGVudGx5Lg0KDQpUaGFua3MsDQpJbGFuZ28NCg0KDQpG cm9tOiBEYW5pZWwgTWlnYXVsdCBbbWFpbHRvOmRhbmllbC5taWdhdWx0QGVyaWNzc29uLmNvbTxt YWlsdG86ZGFuaWVsLm1pZ2F1bHRAZXJpY3Nzb24uY29tPl0NClNlbnQ6IFNhdHVyZGF5LCBNYXJj aCAyLCAyMDE5IDg6NDkgQU0NClRvOiBCb2NjaSwgTWF0dGhldyAoTm9raWEgLSBHQikgPG1hdHRo ZXcuYm9jY2lAbm9raWEuY29tPG1haWx0bzptYXR0aGV3LmJvY2NpQG5va2lhLmNvbT4+DQpDYzog ZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZUBpZXRmLm9yZzxtYWlsdG86ZHJhZnQtaWV0Zi1udm8zLWdl bmV2ZUBpZXRmLm9yZz47IFBhbmthaiBHYXJnIDxwYW5rYWpnPTQwbWljcm9zb2Z0LmNvbUBkbWFy Yy5pZXRmLm9yZzxtYWlsdG86NDBtaWNyb3NvZnQuY29tQGRtYXJjLmlldGYub3JnPj47IE5WTzMg PG52bzNAaWV0Zi5vcmc8bWFpbHRvOm52bzNAaWV0Zi5vcmc+Pg0KU3ViamVjdDogUmU6IFtudm8z XSBXb3JraW5nIEdyb3VwIExhc3QgQ2FsbCBhbmQgSVBSIFBvbGwgZm9yIGRyYWZ0LWlldGYtbnZv My1nZW5ldmUtMDgudHh0DQoNCkhpIE1hdHQsDQoNCg0KWW91IGFyZSBjb3JyZWN0LCB0aGlzIGlz IGF0IGxlYXN0IG5vdCBhbiByZWd1bGFyIHByb2Nlc3MgdG8gaGF2ZSBhDQpzdGFuZGFyZCB0cmFj ayBkb2N1bWVudCBiZWluZyB1cGRhdGVkIGJ5IGFuIGluZm9ybWF0aW9uYWwuIEkgZG8gbm90IHNl ZQ0KZWl0aGVyIGFueSByZXF1aXJlbWVudHMgZm9yIGhhdmluZyBhIFdHIHN0YXR1cyB0byBiZWNv bWUgYSByZWZlcmVuY2UsDQpidXQgdGhhdCBpcyBzb21ldGhpbmcgd2UgY291bGQgY29uZmlybSB3 aXRoIHRoZSBSRkMtZWRpdG9yLg0KDQpCYWNrIHRvIHRoZSBpbml0aWFsIHN1Z2dlc3Rpb24sIEkg YWxzbyBiZWxpZXZlIHRoZSBkaWZmaWN1bHRpZXMgb2YgdXBkYXRpbmcNCnRoZSBHZW5ldmUgc3Bl Y2lmaWNhdGlvbnMgYXJlIGZhciBsZXNzIGNvbXBsZXggdGhhbiB1cGRhdGluZyB0aGUNCmltcGxl bWVudGF0aW9uLCBhbmQgZm9yIHRoYXQgc3BlY2lmaWMgcmVhc29uLCBpdCB3b3VsZCBiZSBnb29k IHdlIGhhdmUgYQ0KY29uc2Vuc3VzIG9uIHRoZSBzZWN1cml0eSBhbmFseXNlLg0KDQpJIGFncmVl IHRoYXQgV0cgZHJhZnQgd291bGQgYmUgYmV0dGVyLCBhbmQgUkZDIHdvdWxkIGJlIGV2ZW4gYmV0 dGVyIGFzDQp3ZSBoYXZlIHNlZW4gV0cgZG9jdW1lbnQgYmVpbmcgc3RhbGxlZC4gSSBhbSBjb25m aWRlbnQgd2UgY2FuIG1ha2UgdGhpcw0KaGFwcGVuIG9yIGF0IGxlYXN0IEkgZG8gbm90IHNlZSBt YWpvciBpc3N1ZXMuDQoNCllvdXJzLA0KRGFuaWVsDQoNCg0KT24gRnJpLCBNYXIgMSwgMjAxOSBh dCAxMTo1MSBBTSBCb2NjaSwgTWF0dGhldyAoTm9raWEgLSBHQikgPG1hdHRoZXcuYm9jY2lAbm9r aWEuY29tPG1haWx0bzptYXR0aGV3LmJvY2NpQG5va2lhLmNvbT4+IHdyb3RlOg0KV0csIERhbmll bCwNCg0KQXBvbG9naWVzIGJ1dCBJIG1pcy1zcG9rZSBvbiB0aGUgc3VnZ2VzdGlvbiBmb3IgdGhl IHNlY3VyaXR5IHJlcXVpcmVtZW50cyB0byBhY3QgYXMgYW4gdXBkYXRlIHRvIHRoZSBlbmNhcHN1 bGF0aW9uIFJGQyBpbiBmdXR1cmUuIFRoaXMgd291bGQgYmUgZGlmZmljdWx0IHRvIGRvIGFzIGl0 IGlzIGluZm9ybWF0aW9uYWwuDQoNCk5vbmV0aGVsZXNzIEkgdGhpbmsgd2Ugc2hvdWxkIG9ubHkg YmUgcmVmZXJlbmNpbmcgYSBXRyBkcmFmdCAoYXQgYSBtaW5pbXVtKSBoZXJlLg0KDQpNYXR0aGV3 DQoNCg0KDQpGcm9tOiBEYWNoZW5nIFpoYW5nIDxudm8zLWJvdW5jZXNAaWV0Zi5vcmc8bWFpbHRv Om52bzMtYm91bmNlc0BpZXRmLm9yZz4+IG9uIGJlaGFsZiBvZiAiQm9jY2ksIE1hdHRoZXcgKE5v a2lhIC0gR0IpIiA8bWF0dGhldy5ib2NjaUBub2tpYS5jb208bWFpbHRvOm1hdHRoZXcuYm9jY2lA bm9raWEuY29tPj4NCkRhdGU6IEZyaWRheSwgMSBNYXJjaCAyMDE5IGF0IDE2OjI0DQpUbzogRGFu aWVsIE1pZ2F1bHQgPGRhbmllbC5taWdhdWx0QGVyaWNzc29uLmNvbTxtYWlsdG86ZGFuaWVsLm1p Z2F1bHRAZXJpY3Nzb24uY29tPj4NCkNjOiAiZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZUBpZXRmLm9y ZzxtYWlsdG86ZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZUBpZXRmLm9yZz4iIDxkcmFmdC1pZXRmLW52 bzMtZ2VuZXZlQGlldGYub3JnPG1haWx0bzpkcmFmdC1pZXRmLW52bzMtZ2VuZXZlQGlldGYub3Jn Pj4sIFBhbmthaiBHYXJnIDxwYW5rYWpnPTQwbWljcm9zb2Z0LmNvbUBkbWFyYy5pZXRmLm9yZzxt YWlsdG86NDBtaWNyb3NvZnQuY29tQGRtYXJjLmlldGYub3JnPj4sIE5WTzMgPG52bzNAaWV0Zi5v cmc8bWFpbHRvOm52bzNAaWV0Zi5vcmc+Pg0KU3ViamVjdDogUmU6IFtudm8zXSBXb3JraW5nIEdy b3VwIExhc3QgQ2FsbCBhbmQgSVBSIFBvbGwgZm9yIGRyYWZ0LWlldGYtbnZvMy1nZW5ldmUtMDgu dHh0DQoNCkRhbmllbA0KDQpGcm9tIGEgcHJvY2VkdXJhbCBwZXJzcGVjdGl2ZSwgcmVmZXJyaW5n IHRvIHlvdXIgZHJhZnQgY3JlYXRlcyBhIGRlcGVuZGVuY3kgYW5kIHRoYXQgZHJhZnQgaGFzIG5v dCB5ZXQgYmVlbiBhZG9wdGVkIGJ5IHRoZSBXRy4gVGhlIG9sZCBTZWN1cml0eSByZXF1aXJlbWVu dHMgZnJhbWV3b3JrIGV4cGlyZWQgYSBjb3VwbGUgb2YgeWVhcnMgYWdvIGFuZCBkb2VzIG5vdCBz ZWVtIHRvIGJlIGJlaW5nIHByb2dyZXNzZWQuDQpNYXliZSBhIGJldHRlciBhcHByb2FjaCB0byBh bGxvdyBwcm9ncmVzcywgYXMgbG9uZyBhcyB0aGUgV0cgY2FuIGFncmVlIHRvIHlvdXIgdGV4dCAo aWYgbmVlZGVkKSB0byBzYXRpc2Z5IHRoZSBjb25jZXJuIHRoYXQgZnV0dXJlIHNlY3VyaXR5IG1l Y2hhbmlzbXMgY2FuIGJlIHVzZWQsIGFuZCB0aGF0IHRoZSBldm9sdmluZyB0aHJlYXQgYW5hbHlz aXMgaXMgdW5kZXJzdG9vZCBieSBpbXBsZW1lbnRlcnMgYW5kIHVzZXJzIG9mIEdlbmV2ZSwgd291 bGQgYmUgdG8gbWFyayB0aGUgR2VuZXZlIHNlY3VyaXR5IHJlcXVpcmVtZW50cyBhcyBhbiB1cGRh dGUgdG8gdGhlIGdlbmV2ZSBlbmNhcHN1bGF0aW9uIFJGQyB3aGVuIGl0IGlzIHB1Ymxpc2hlZC4N Cg0KTWF0dGhldw0KDQpGcm9tOiBEYW5pZWwgTWlnYXVsdCA8ZGFuaWVsLm1pZ2F1bHRAZXJpY3Nz b24uY29tPG1haWx0bzpkYW5pZWwubWlnYXVsdEBlcmljc3Nvbi5jb20+Pg0KRGF0ZTogRnJpZGF5 LCAxIE1hcmNoIDIwMTkgYXQgMTY6MTENClRvOiAiQm9jY2ksIE1hdHRoZXcgKE5va2lhIC0gR0Ip IiA8bWF0dGhldy5ib2NjaUBub2tpYS5jb208bWFpbHRvOm1hdHRoZXcuYm9jY2lAbm9raWEuY29t Pj4NCkNjOiBQYW5rYWogR2FyZyA8cGFua2FqZz00MG1pY3Jvc29mdC5jb21AZG1hcmMuaWV0Zi5v cmc+LCAiZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZUBpZXRmLm9yZzxtYWlsdG86ZHJhZnQtaWV0Zi1u dm8zLWdlbmV2ZUBpZXRmLm9yZz4iIDxkcmFmdC1pZXRmLW52bzMtZ2VuZXZlQGlldGYub3JnPG1h aWx0bzpkcmFmdC1pZXRmLW52bzMtZ2VuZXZlQGlldGYub3JnPj4sIE5WTzMgPG52bzNAaWV0Zi5v cmc8bWFpbHRvOm52bzNAaWV0Zi5vcmc+Pg0KU3ViamVjdDogUmU6IFtudm8zXSBXb3JraW5nIEdy b3VwIExhc3QgQ2FsbCBhbmQgSVBSIFBvbGwgZm9yIGRyYWZ0LWlldGYtbnZvMy1nZW5ldmUtMDgu LnR4dA0KDQpIaSBNYXR0aGV3LA0KDQpJIGFtIGhhcHB5IHRvIGNsYXJpZnkgYW5kIGJlIG1vcmUg c3BlY2lmaWMuIEhvd2V2ZXIsIGRlc3BpdGUgeW91cg0KcmVhZGluZyBvZiBbMV0gSSB0aGluayBb MV0gY2xlYXJseSBpbmRpY2F0ZXMgdGhlIGNoYW5nZXMgSSBleHBlY3RlZCBhcw0Kd2VsbCBhcyB0 aGF0IHRoZXNlIGNoYW5nZXMgbmVlZHMgdG8gYmUgbWFkZS4NCg0KSSBiZWxpZXZlIHRoZSByZXNw b25zaWJpbGl0eSBvZiBub3QgYWRkcmVzc2luZyBhbiBhY2tub3dsZWRnZWQgaXNzdWUgaXMNCm1v cmUgb24gdGhlIHNpZGUgb2YgcGVvcGxlIGlnbm9yaW5nIHRoZSBpc3N1ZSAgdGhlbiBvbiB0aGUg c2lkZSBvZiB0aGUNCm9uZSByYWlzaW5nIHRoaXMgaXNzdWUuIE15IGltcHJlc3Npb24gaXMgdGhh dCB0aGlzIGlzIHRoZSBzaXR1YXRpb24gd2UNCmFyZSBpbi4NCg0KSSBhZ3JlZSB0aGF0IG15IGlu aXRpYWwgY29tbWVudCBzYXlpbmcgIkkgYW0gZmluZSB3aXRoIHRoZSB0ZXh0IGlmIHdlIGRvDQpu b3QgZmluZCBzb21ldGhpbmcgYmV0dGVyLiIgbWlnaHQgaGF2ZSBiZWVuIGNvbmZ1c2luZyBhbmQg SSBhcG9sb2d5IGZvcg0KdGhpcy4gQXQgdGhlIHRpbWUgb2Ygd3JpdGluZyB0aGUgaW5pdGlhbCBj b21tZW50IEkgd2FzIG5vdCBzdXJlIEkgd2FzDQpub3QgbWlzc2luZyBzb21ldGhpbmcgbm9yIHRo YXQgdGhlIHByb2JsZW0gY291bGQgbm90IGJlIHNvbHZlZCBoZXJlIG9yDQpzb21ld2hlcmUgZWxz ZSAoaW4gYW5vdGhlciBzZWN0aW9uKS4gTXkgbWVhbmluZyBiZWhpbmQgdGhvc2Ugd29yZHMgd2Vy ZQ0KdGhhdCBJIHdhcyBvcGVuIHRvIHRoZSB3YXkgdGhlIGNvbmNlcm5lZCBjb3VsZCBiZSBhZGRy ZXNzZWQuIEhvd2V2ZXIsIC0NCmZyb20gbXkgcG9pbnQgb2YgdmlldyAtIHRoZSB0ZXh0IGRvZXMg bm90IHNheSB0aGUgaXNzdWUgZG9lcyBub3QgbmVlZCB0bw0KYmUgc29sdmVkIHdoaWNoIGlzIHRo ZSB3YXkgaXQgaGFzIGJlZW4gaW50ZXJwcmV0ZWQuIEluIGFkZGl0aW9uLCBJDQpiZWxpZXZlIEkg aGF2ZSBjbGFyaWZpZWQgdGhpcyByaWdodCBhd2F5IGFmdGVyIHRoZSBjb25jZXJuIGhhcyBiZWVu DQphY2tub3dsZWRnZWQgYW5kIG5vdCBhZGRyZXNzZWQuIEFzIHJlc3VsdCwgSSBkbyBub3QgdGhp bmsgbXkgY29tbWVudA0KY291bGQgYmUgcmVhc29uYWJseSByZWFkIGFzIHRoZSB0ZXh0IGlzIGZp bmUuLg0KDQpQbGVhc2UgZmluZSB0aGUgYmVsb3cgdGhlIGluaXRpYWwgY29tbWVudCBpdHMgcmVz cG9uc2UgYW5kIHRoZSByZXNwb25zZQ0KdG8gdGhlIHJlc3BvbnNlIGZyb20gWzFdLg0KDQoiIiIN CjxtZ2x0PiBJbiBjYXNlIHdlIGhhdmUgYSBvcHRpb24gcHJvdmlkaW5nIGF1dGhlbnRpY2F0aW9u LCBzdWNoIG9wdGlvbg0KbWF5IGFmZmVjdCB0aGUgaW50ZXJwcmV0YXRpb24gb2YgdGhlIG90aGVy IG9wdGlvbnMuDQpzL2ludGVycHJldGF0aW9uL25kZXBlbmRhbmNlIG1heSBub3QgYmUgYmV0dGVy Li4uLiBJIHRoaW5rIHdoYXQgd2Ugd2FudA0KdG8gc2F5IGlzIHRoYXQgb3B0aW9uIE1VU1QgYmUg YWJsZSB0byBiZSBwcm9jZXNzZWQgaW4gYW55IG9yZGVyIG9yIGluDQpwYXJhbGxlbC4gIEkgYW0g ZmluZSB3aXRoIHRoZSB0ZXh0IGlmIHdlIGRvIG5vdCBmaW5kIHNvbWV0aGluZyBiZXR0ZXIuDQo8 L21nbHQ+DQoNCjxJbGFuZ28+IFRoaXMgaXMgYSBnb29kIHBvaW50LCBob3dldmVyIHdlIGJlbGll dmUgdGhhdCB0aGlzIHRleHQNCmNhcHR1cmVzIHRoZSBpbnRlbnQuICA8Lz4NCg0KPG1nbHQyPlRo ZSBwcm9ibGVtIEkgaGF2ZSBpcyB0aGF0IHRoZSBjdXJyZW50IHRleHQgcHJldmVudHMgc2VjdXJp dHkNCm9wdGlvbnMsIHNvIEkgZ3Vlc3Mgc29tZSBjbGFyaWZpY2F0aW9uIHNob3VsZCBiZSBicm91 Z2h0IHRvIGNsYXJpZnkgdGhlDQppbnRlbnQuPC9tZ2x0Mj4NCiIiIg0KDQpJZiBJIGhhZCB0byBz dWdnZXN0IHNvbWUgdGV4dCBJIHdvdWxkIHN1Z2dlc3QgdGhlIGZvbGxvd2luZyAtIG9yDQpzb21l dGhpbmcgYXJvdW5kIHRoZSBmb2xsb3dpbmcgbGluZXMuDQoNCg0KT0xEDQogICBvICBBbiBvcHRp b24gU0hPVUxEIE5PVCBiZSBkZXBlbmRlbnQgdXBvbiBhbnkgb3RoZXIgb3B0aW9uIGluIHRoZQ0K ICAgICAgcGFja2V0LCBpLmUuLCBvcHRpb25zIGNhbiBiZSBwcm9jZXNzZWQgaW5kZXBlbmRlbnQg b2Ygb25lIGFub3RoZXIuDQogICAgICBBbiBvcHRpb24gTVVTVCBOT1QgYWZmZWN0IHRoZSBwYXJz aW5nIG9yIGludGVycHJldGF0aW9uIG9mIGFueQ0KICAgICAgb3RoZXIgb3B0aW9uLg0KDQpORVcN Cg0KICAgbyAgQW4gb3B0aW9uIFNIT1VMRCBOT1QgYmUgZGVwZW5kZW50IHVwb24gYW55IG90aGVy IG9wdGlvbiBpbiB0aGUNCiAgICAgIHBhY2tldCwgaS5lLiwgb3B0aW9ucyBjYW4gYmUgcHJvY2Vz c2VkIGluZGVwZW5kZW50IG9mIG9uZSBhbm90aGVyLg0KICAgICAgQW4gb3B0aW9uIFNIT1VMRCBO T1QgYWZmZWN0IHRoZSBwYXJzaW5nIG9yIGludGVycHJldGF0aW9uIG9mIGFueQ0KICAgICAgb3Ro ZXIgb3B0aW9uLg0KDQpUaGVyZSBhcmUgcmFyZSBjYXNlcyB3ZXJlIHRoZSBwYXJzaW5nIG9mIG9u ZSBvcHRpb24gYWZmZWN0cyB0aGUgcGFyc2luZw0Kb3IgdGhlIGludGVycHJldGF0aW9uIG9mIG90 aGVyIG9wdGlvbi4gT3B0aW9uIHJlbGF0ZWQgdG8gc2VjdXJpdHkgbWF5DQpmYWxsIGludG8gdGhp cyBjYXRlZ29yeS4gVHlwaWNhbGx5LCBpZiBhbiBvcHRpb24gZW5hYmxlcyB0aGUNCmF1dGhlbnRp Y2F0aW9uIG9mIGFub3RoZXIgb3B0aW9uIGFuZCB0aGUgYXV0aGVudGljYXRpb24gZG9lcyBub3QN CnN1Y2NlZWQsIHRoZSBhdXRoZW50aWNhdGVkIG9wdGlvbiBNVVNUIE5PVCBiZSBwcm9jZXNzZWQu IE90aGVyIG9wdGlvbnMNCm1heSBiZSBkZXNpZ25lZCBpbiB0aGUgZnV0dXJlLg0KDQpORVcNClNl Y3VyaXR5IENvbnNpZGVyYXRpb24NCg0KR2VuZXZlIE92ZXJsYXkgbWF5IGJlIHNlY3VyZWQgdXNp bmcgYnkgcHJvdGVjdGluZyB0aGUgTlZFLXRvLU5WRQ0KY29tbXVuaWNhdGlvbiB1c2luZyBJUHNl YyBvciBEVExTLiBIb3dldmVyLCBzdWNoIG1lY2hhbmlzbXMgY2Fubm90IGJlDQphcHBsaWVkIGZv ciBkZXBsb3ltZW50cyB0aGF0IGluY2x1ZGUgdHJhbnNpdCBkZXZpY2VzLg0KDQpTb21lIGRlcGxv eW1lbnQgbWF5IG5vdCBiZSBhYmxlIHRvIHNlY3VyZSB0aGUgZnVsbCBjb21tdW5pY2F0aW9uIHVz aW5nDQpJUHNlYyBvciBEVExTIGJldHdlZW4gdGhlIE5WRXMuIFRoaXMgY291bGQgYmUgbW90aXZh dGVkIGJ5IHRoZSBwcmVzZW5jZQ0Kb2YgdHJhbnNpdCBkZXZpY2VzIG9yIGJ5IGEgcmlzayBhbmFs eXNpcyB0aGF0IGNvbmNsdWRlcyB0aGF0IHRoZSBHZW5ldmUNCnBhY2tldCBiZSBvbmx5IHBhcnRp YWxseSBwcm90ZWN0ZWQgLSB0eXBpY2FsbHkgcmVkdWNlZCB0byB0aGUgR2VuZXZlDQpIZWFkZXIg aW5mb3JtYXRpb24uIEluIHN1Y2ggY2FzZXMgR2VuZXZlIHNwZWNpZmljIG1lY2hhbmlzbXMgbmVl ZHMgdG8gYmUNCmRlc2lnbmVkLg0KDQpGb3IgYSBjb21wbGV0ZSB0aHJlYXQgYW5hbHlzaXMsIGEg c2VjdXJpdHkgYW5hbHlzaXMgb2YgR2VuZXZlIG9yIHNvbWUNCmd1aWRlIGxpbmVzIHRvIHNlY3Vy ZSBhIEdlbmV2ZSBvdmVybGF5IG5ldHdvcmssIHBsZWFzZSByZWZlciB0bw0KW2RyYWZ0LW1nbHQt bnZvMy1nZW5ldmUtc2VjdXJpdHktcmVxdWlyZW1lbnRzXSBhcyB3ZWxsIGFzDQpbZHJhZnQtaWV0 Zi1udm8zLXNlY3VyaXR5LXJlcXVpcmVtZW50c10uDQoNCkZvciBmdWxsIGRpc2Nsb3N1cmUgSSBh bSBhIGNvLWF1dGhvciBvZg0KZHJhZnQtbWdsdC1udm8zLWdlbmV2ZS1zZWN1cml0eS1yZXF1aXJl bWVudC4gSG93ZXZlciB0aGUgcmVhc29uIGZvcg0KcmVmZXJyaW5nIHRvIHRoZXNlIGRvY3VtZW50 cyBpcyBtb3RpdmF0ZWQgYnkgdGhlIGZhY3QgdGhhdCBJIGJlbGlldmUNCnRoZXNlIGFuYWx5c2lz IHByb3ZpZGUgYSBiZXR0ZXIgc2VjdXJpdHkgYW5hbHlzaXMgdGhhbiB0aGUgY3VycmVudCAoT0xE KQ0Kc2VjdXJpdHkgY29uc2lkZXJhdGlvbiBzZWN0aW9uLg0KDQpZb3VycywNCkRhbmllbA0KDQoN Ck9uIEZyaSwgTWFyIDEsIDIwMTkgYXQgNjowMyBBTSBCb2NjaSwgTWF0dGhldyAoTm9raWEgLSBH QikgPG1hdHRoZXcuYm9jY2lAbm9raWEuY29tPG1haWx0bzptYXR0aGV3LmJvY2NpQG5va2lhLmNv bT4+IHdyb3RlOg0KSGkgRGFuaWVsDQoNClRoYW5rcyBmb3IgcmV2aWV3aW5nIHRoZSBsYXRlc3Qg dmVyc2lvbi4gQXQgdGhpcyBzdGFnZSBpdCB3b3VsZCBiZSBoZWxwZnVsIGlmIHlvdSBjb3VsZCBi ZSBtdWNoIG1vcmUgY29uY3JldGUgYW5kIGdpdmUgc3BlY2lmaWNzLg0KDQpJIHRoaW5rIHRoYXQg dGhlIG1haW4gaXNzdWUgaXMgd2hldGhlciB0aGUgZGVzaWduIG9mIEdlbmV2ZSBwcmV2ZW50cyBm dXR1cmUgc2VjdXJpdHkgZXh0ZW5zaW9ucy4NCg0KSG93ZXZlciwgaW4gWzFdLCB5b3Ugc3RhdGVk IHRoYXQgeW91IHdlcmUgY29tZm9ydGFibGUgd2l0aCB0aGUgdGV4dCBpZiBub3RoaW5nIGVsc2Ug Y291bGQgYmUgZm91bmQuDQoNCldoYXQgc3BlY2lmaWNhbGx5IGRvIHlvdSB3YW50IHRvIGNoYW5n ZSBpbiB0aGUgZm9sbG93aW5nLCBiZWFyaW5nIGluIG1pbmQgdGhhdCB0aGVyZSBhcmUgYWxyZWFk eSBjbGFpbWVkIGltcGxlbWVudGF0aW9ucyBvZiBHZW5ldmU6DQoiIiINCiAgIG8gIEFuIG9wdGlv biBTSE9VTEQgTk9UIGJlIGRlcGVuZGVudCB1cG9uIGFueSBvdGhlciBvcHRpb24gaW4gdGhlDQog ICAgICBwYWNrZXQsIGkuZS4sIG9wdGlvbnMgY2FuIGJlIHByb2Nlc3NlZCBpbmRlcGVuZGVudCBv ZiBvbmUgYW5vdGhlci4NCiAgICAgIEFuIG9wdGlvbiBNVVNUIE5PVCBhZmZlY3QgdGhlIHBhcnNp bmcgb3IgaW50ZXJwcmV0YXRpb24gb2YgYW55DQogICAgICBvdGhlciBvcHRpb24uDQoiIiINCg0K DQpNYXR0aGV3DQoNCg0KRnJvbTogRGFuaWVsIE1pZ2F1bHQgPGRhbmllbC5taWdhdWx0QGVyaWNz c29uLmNvbTxtYWlsdG86ZGFuaWVsLm1pZ2F1bHRAZXJpY3Nzb24uY29tPj4NCkRhdGU6IEZyaWRh eSwgMSBNYXJjaCAyMDE5IGF0IDAzOjA2DQpUbzogUGFua2FqIEdhcmcgPHBhbmthamc9NDBtaWNy b3NvZnQuY29tQGRtYXJjLmlldGYub3JnPg0KQ2M6ICJCb2NjaSwgTWF0dGhldyAoTm9raWEgLSBH QikiIDxtYXR0aGV3LmJvY2NpQG5va2lhLmNvbTxtYWlsdG86bWF0dGhldy5ib2NjaUBub2tpYS5j b20+PiwgTlZPMyA8bnZvM0BpZXRmLm9yZzxtYWlsdG86bnZvM0BpZXRmLm9yZz4+LCAiZHJhZnQt aWV0Zi1udm8zLWdlbmV2ZUBpZXRmLm9yZzxtYWlsdG86ZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZUBp ZXRmLm9yZz4iIDxkcmFmdC1pZXRmLW52bzMtZ2VuZXZlQGlldGYub3JnPG1haWx0bzpkcmFmdC1p ZXRmLW52bzMtZ2VuZXZlQGlldGYub3JnPj4NClN1YmplY3Q6IFJlOiBbbnZvM10gV29ya2luZyBH cm91cCBMYXN0IENhbGwgYW5kIElQUiBQb2xsIGZvciBkcmFmdC1pZXRmLW52bzMtZ2VuZXZlLTA4 Li50eHQNCg0KSGksDQoNCkkganVzdCBicmllZmx5IHdlbnQgdGhyb3VnaCB0aGUgZG9jdW1lbnQg cXVpY2tseSBhbmQgaW4gbXkgb3BpbmlvbiwgdGhlIGRvY3VtZW50IHN0aWxsIGZhY2VzIHNvbWUg c2VjdXJpdHkgaXNzdWVzLg0KDQpUaGUgY3VycmVudCB0ZXh0IChpbiBteSBvcGluaW9uKSBwcmV2 ZW50cyBhbnkgZ2VuZXZlIHNlY3VyaXR5IHJlbGF0ZWQNCm9wdGlvbnMuIEN1cnJlbnRseSBHZW5l dmUgY2Fubm90IGJlIHNlY3VyZWQgYW5kIHRoaXMgcHJldmVudHMgZnV0dXJlDQp3b3JrIHRvIGV2 ZW50dWFsbHkgc2VjdXJlIEdlbmV2ZS4gSW4gbXkgb3BpbmlvbiB0aGUgY3VycmVudCB0ZXh0DQpt YW5kYXRlcyBHZW5ldmUgdG8gcmVtYWluIHVuc2VjdXJlLg0KDQpHZW5ldmUgc2VjdXJpdHkgb3B0 aW9uIHRoYXQgYXJlIHdpbGxpbmcgdG8gYXV0aGVudGljYXRlL2VuY3J5cHQgYSBwYXJ0DQpvZiB0 aGUgR2VuZXZlIEhlYWRlciB3aWxsIGFmZmVjdCB0aGUgcGFyc2luZyBvZiB0aGUgcHJvdGVjdGVk IG9wdGlvbiBhbmQNCndpbGwgYWZmZWN0IHRoZSBvcmRlciBpbiB3aGljaCBvcHRpb24gbmVlZHMg dG8gYmUgcHJvY2Vzcy4gVHlwaWNhbGx5IGENCnByb3RlY3RlZCBvcHRpb24gKGF1dGhlbnRpY2F0 ZWQsIGVuY3J5cHRlZCkgY2Fubm90IG9yIHNob3VsZCBub3QgYmUNCnByb2Nlc3NlZCBiZWZvcmUg YXV0aGVudGljYXRlZCBvciBkZWNyeXB0ZWQuDQoNClRoaXMgaGFzIGFscmVhZHkgYmVlbiBtZW50 aW9uZWQgaW4gWzFdLCBhbmQgdGhlIHRleHQgbmVlZHMgaW4gbXkgb3Bpbmlvbg0KZnVydGhlciBj bGFyaWZpY2F0aW9ucy4NCg0KIiIiDQogICBvICBBbiBvcHRpb24gU0hPVUxEIE5PVCBiZSBkZXBl bmRlbnQgdXBvbiBhbnkgb3RoZXIgb3B0aW9uIGluIHRoZQ0KICAgICAgcGFja2V0LCBpLmUuLCBv cHRpb25zIGNhbiBiZSBwcm9jZXNzZWQgaW5kZXBlbmRlbnQgb2Ygb25lIGFub3RoZXIuDQogICAg ICBBbiBvcHRpb24gTVVTVCBOT1QgYWZmZWN0IHRoZSBwYXJzaW5nIG9yIGludGVycHJldGF0aW9u IG9mIGFueQ0KICAgICAgb3RoZXIgb3B0aW9uLg0KIiIiDQoNCg0KDQpBcyBzdGF0ZWQgaW4gWzJd IGl0IHJlbWFpbnMgdW5jbGVhciB0byBtZSB3aHkgdGhpcyBzZWN0aW9uIGlzIG5vdA0KcmVmZXJl bmNpbmcgYW5kIGxldmVyYWdpbmcgb24gdGhlIHNlY3VyaXR5IGFuYWx5c2lzIFszLTRdIHBlcmZv cm1lZCBieQ0KdHdvIGRpZmZlcmVudCBpbmRlcGVuZGVudCB0ZWFtcy4uDQoNCk15IHJlYWRpbmcg b2YgdGhlIHNlY3VyaXR5IGNvbnNpZGVyYXRpb24gaXMgdGhhdCB0aGUgbWVzc2FnZSBpcyB0aGF0 DQpJUHNlYyBvciBUTFMgY291bGQgYmUgdXNlZCB0byBwcm90ZWN0IGEgZ2VuZXZlIG92ZXJsYXkg bmV0d29yay4gVGhpcyBpcw0KLSBpbiBteSBvcGluaW9uLSBub3QgY29ycmVjdCBhcyB0aGlzIGRv ZXMgbm90IGNvbnNpZGVyIHRoZSB0cmFuc2l0DQpkZXZpY2UuIEluIGFkZGl0aW9uLCB0aGUgc2Vj dXJpdHkgY29uc2lkZXJhdGlvbiBvbmx5IGNvbnNpZGVycyB0aGUgY2FzZQ0Kd2hlcmUgdGhlIGNs b3VkIHByb3ZpZGVyIGFuZCB0aGUgb3ZlcmxheSBuZXR3b3JrIHByb3ZpZGVyIGFyZSBhIHNpbmds ZQ0KZW50aXR5LCB3aGljaCBJIGJlbGlldmUgb3ZlcnNpbXBsaWZpZXMgdGhlIHByb2JsZW0uDQoN ClRoZSB0aHJlYXQgbW9kZWwgc2VlbXMgdG8gbWUgdmVyeSB2YWd1ZSwgc28gdGhlIGN1cnJlbnQg c2VjdXJpdHkNCmNvbnNpZGVyYXRpb24gaXMgbGltaXRlZCB0byBzb2x2aW5nIGEgcHJvYmxlbSB0 aGF0IGlzIG5vdCBzdGF0ZWQuDQoNCk15IHJlYWRpbmcgb2YgdGhlIHRleHQgaW5kaWNhdGVzIHRo ZSB0ZW5hbnQgY2FuIGhhbmRsZSBieSBpdHNlbGYgdGhlDQpjb25maWRlbnRpYWxpdHkgb2YgaXRz IGluZm9ybWF0aW9uIHdpdGhvdXQgbmVjZXNzYXJpbHkgcmVseWluZyBvbiB0aGUNCm92ZXJsYXkg c2VydmljZSBwcm92aWRlci4gVGhpcyBpcyBub3QgY29ycmVjdC4gRXZlbiB3aGVuIHRoZSB0ZW5h bnQgdXNlcw0KSVBzZWMvVExTLCBpdCBzdGlsbCBsZWFrcyBzb21lIGluZm9ybWF0aW9uLiBUaGUg Y3VycmVudCB0ZXh0IGNvbnRyYWRpY3RzDQpbM10gc2VjdGlvbiA2LjIgYW5kIFs0XSBzZWN0aW9u IDUuMS4NCg0KTXkgcmVhZGluZyBpcyB0aGF0IHRoZSB0ZXh0IGluZGljYXRlcyB0aGF0IElQc2Vj L0RUTFMgY291bGQgYmUgdXNlZCB0bw0KcHJvdGVjdCB0aGUgb3ZlcmxheSBzZXJ2aWNlIGZvciBi b3RoIGNvbmZpZGVudGlhbGl0eSBhbmQgaW50ZWdyaXR5Lg0KV2hpbGUgdGhpcyBjb3VsZCBiZSB1 c2VkIGluIHNvbWUgZGVwbG95bWVudCB0aGlzIGlzIG5vdCBjb21wYXRpYmxlIHdpdGgNCnRyYW5z aXQgZGV2aWNlcy4gQXMgc3VjaCB0aGUgZ2VuZXJpYyBzdGF0ZW1lbnQgaXMgbm90IGNvcnJlY3Qu IFNlY3Rpb24NCjYuNCBpbmRpY2F0ZXMgdGhhdCB0cmFuc2l0IGRldmljZSBtdXN0IGJlIHRydXN0 ZWQgd2hpY2ggaXMgaW5jb3JyZWN0Lg0KSW5zdGVhZCB0aGUgdHJhbnNpdCBkZXZpY2Ugd2l0aCBh bGwgbm9kZXMgYmV0d2VlbiB0aGUgdHJhbnNpdCBkZXZpY2UgYW5kDQp0aGUgTlZFIG5lZWRzIHRv IGJlIHRydXN0ZWQuICBPdmVyYWxsIHRoZSBpbXByZXNzaW9uIHByb3ZpZGVkIGlzIHRoYXQNCklQ c2VjIChvciBUTFMpIGNhbiBiZSB1c2VkIGJ5IHRoZSBzZXJ2aWNlIG92ZXJsYXkgcHJvdmlkZXIs IHdoaWNoIGlzIChpbg0KbXkgb3Bpbmlvbikgbm90IHRydWUuDQoNCkl0IGlzIHVuY2xlYXIgdG8g bWUgaG93IGF1dGhlbnRpY2F0aW9uIG9mIE5WRSBwZWVycyBkaWZmZXJzIGZyb20gdGhlDQphdXRo ZW50aWNhdGlvbiBjb21tdW5pY2F0aW9uIGFzIHRoZSBsYXRlc3QgdXN1YWxseSByZWx5IG9uIHRo ZSBmaXJzdC4NCk1heWJlIHRoZSBzZWN0aW9uIHNob3VsZCBpbnNpc3Qgb24gbXV0dWFsIGF1dGhl bnRpY2F0aW9uLg0KDQpZb3VycywNCkRhbmllbA0KDQoNClsxXSBodHRwczovL21haWxhcmNoaXZl LmlldGYuLm9yZy9hcmNoL21zZy9udm8zL1JGRmpZSEFVVWxNdk9zWXdSTnRkT0pPSWs5bzxodHRw czovL21haWxhcmNoaXZlLmlldGYub3JnL2FyY2gvbXNnL252bzMvUkZGallIQVVVbE12T3NZd1JO dGRPSk9JazlvPg0KWzJdIGh0dHBzOi8vbWFpbGFyY2hpdmUuaWV0Zi5vcmcvYXJjaC9tc2cvbnZv My9lN1lIRmxxSXVPd0lKb0wyZXA3anlISXJTR3cNClszXSBodHRwczovL3Rvb2xzLmlldGYub3Jn L2h0bWwvZHJhZnQtaWV0Zi1udm8zLXNlY3VyaXR5LXJlcXVpcmVtZW50cy0wNw0KWzRdIGh0dHBz Oi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1tZ2x0LW52bzMtZ2VuZXZlLXNlY3VyaXR5LXJl cXVpcmVtZW50cy0wNQ0KDQoNCg0KDQoNCk9uIFdlZCwgRmViIDI3LCAyMDE5IGF0IDc6MzAgUE0g UGFua2FqIEdhcmcgPHBhbmthamc9NDBtaWNyb3NvZnQuY29tQGRtYXJjLmlldGYub3JnPG1haWx0 bzo0MG1pY3Jvc29mdC5jb21AZG1hcmMuaWV0Zi5vcmc+PiB3cm90ZToNCkkgYW0gbm90IGF3YXJl IG9mIGFueSBJUCByZWxhdGVkIHRvIGRyYWZ0LWlldGYtbnZvMy1nZW5ldmUgd2hpY2ggaGFzIG5v dCBhbHJlYWR5IGJlZW4gZGlzY2xvc2VkLg0KDQpUaGFua3MNClBhbmthag0KDQpGcm9tOiBCb2Nj aSwgTWF0dGhldyAoTm9raWEgLSBHQikgPG1hdHRoZXcuLmJvY2NpQG5va2lhLmNvbTxtYWlsdG86 bWF0dGhldy5ib2NjaUBub2tpYS5jb20+Pg0KU2VudDogVHVlc2RheSwgT2N0b2JlciA5LCAyMDE4 IDI6MDggQU0NClRvOiBOVk8zIDxudm8zQGlldGYub3JnPG1haWx0bzpudm8zQGlldGYub3JnPj4N CkNjOiBkcmFmdC1pZXRmLW52bzMtZ2VuZXZlQGlldGYub3JnPG1haWx0bzpkcmFmdC1pZXRmLW52 bzMtZ2VuZXZlQGlldGYub3JnPg0KU3ViamVjdDogV29ya2luZyBHcm91cCBMYXN0IENhbGwgYW5k IElQUiBQb2xsIGZvciBkcmFmdC1pZXRmLW52bzMtZ2VuZXZlLTA4LnR4dA0KDQpUaGlzIGVtYWls IGJlZ2lucyBhIHR3by13ZWVrIHdvcmtpbmcgZ3JvdXAgbGFzdCBjYWxsIGZvciBkcmFmdC1pZXRm LW52bzMtZ2VuZXZlLTA4LnR4dC4NCg0KUGxlYXNlIHJldmlldyB0aGUgZHJhZnQgYW5kIHBvc3Qg YW55IGNvbW1lbnRzIHRvIHRoZSBOVk8zIHdvcmtpbmcgZ3JvdXAgbGlzdC4gSWYgeW91IGhhdmUg cmVhZCB0aGUgbGF0ZXN0IHZlcnNpb24gb2YgdGhlIGRyYWZ0IGJ1dCBoYXZlIG5vIGNvbW1lbnRz IGFuZCBiZWxpZXZlIGl0IGlzIHJlYWR5IGZvciBwdWJsaWNhdGlvbiBhcyBhIHN0YW5kYXJkcyB0 cmFjayBSRkMsIHBsZWFzZSBhbHNvIGluZGljYXRlIHNvIHRvIHRoZSBXRyBlbWFpbCBsaXN0Lg0K DQpXZSBhcmUgYWxzbyBwb2xsaW5nIGZvciBrbm93bGVkZ2Ugb2YgYW55IHVuZGlzY2xvc2VkIElQ UiB0aGF0IGFwcGxpZXMgdG8gdGhpcyBkb2N1bWVudCwgdG8gZW5zdXJlIHRoYXQgSVBSIGhhcyBi ZWVuIGRpc2Nsb3NlZCBpbiBjb21wbGlhbmNlIHdpdGggSUVURiBJUFIgcnVsZXMgKHNlZSBSRkNz IDM5NzksIDQ4NzksIDM2NjkgYW5kIDUzNzggZm9yIG1vcmUgZGV0YWlscykuDQpJZiB5b3UgYXJl IGxpc3RlZCBhcyBhbiBBdXRob3Igb3IgYSBDb250cmlidXRvciBvZiB0aGlzIGRvY3VtZW50LCBw bGVhc2UgcmVzcG9uZCB0byB0aGlzIGVtYWlsIGFuZCBpbmRpY2F0ZSB3aGV0aGVyIG9yIG5vdCB5 b3UgYXJlIGF3YXJlIG9mIGFueSByZWxldmFudCB1bmRpc2Nsb3NlZCBJUFIuIFRoZSBEb2N1bWVu dCB3b24ndCBwcm9ncmVzcyB3aXRob3V0IGFuc3dlcnMgZnJvbSBhbGwgdGhlIEF1dGhvcnMgYW5k IENvbnRyaWJ1dG9ycy4NCg0KQ3VycmVudGx5IHRoZXJlIGFyZSB0d28gSVBSIGRpc2Nsb3N1cmVz IGFnYWluc3QgdGhpcyBkb2N1bWVudC4NCg0KSWYgeW91IGFyZSBub3QgbGlzdGVkIGFzIGFuIEF1 dGhvciBvciBhIENvbnRyaWJ1dG9yLCB0aGVuIHBsZWFzZSBleHBsaWNpdGx5IHJlc3BvbmQgb25s eSBpZiB5b3UgYXJlIGF3YXJlIG9mIGFueSBJUFIgdGhhdCBoYXMgbm90IHlldCBiZWVuIGRpc2Ns b3NlZCBpbiBjb25mb3JtYW5jZSB3aXRoIElFVEYgcnVsZXMuDQoNClRoaXMgcG9sbCB3aWxsIHJ1 biB1bnRpbCBGcmlkYXkgMjZ0aCBPY3RvYmVyLg0KDQpSZWdhcmRzDQoNCk1hdHRoZXcgYW5kIFNh bQ0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCm52bzMg bWFpbGluZyBsaXN0DQpudm8zQGlldGYub3JnPG1haWx0bzpudm8zQGlldGYub3JnPg0KaHR0cHM6 Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9udm8zPGh0dHBzOi8vd3d3LmlldGYuLm9y Zy9tYWlsbWFuL2xpc3RpbmZvL252bzM+DQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fXw0KbnZvMyBtYWlsaW5nIGxpc3QNCm52bzNAaWV0Zi5vcmc8bWFpbHRv Om52bzNAaWV0Zi5vcmc+DQpodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL252 bzM8aHR0cHM6Ly93d3cuaWV0Zi4ub3JnL21haWxtYW4vbGlzdGluZm8vbnZvMz4NCl9fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQpudm8zIG1haWxpbmcgbGlz dA0KbnZvM0BpZXRmLm9yZzxtYWlsdG86bnZvM0BpZXRmLm9yZz4NCmh0dHBzOi8vd3d3LmlldGYu b3JnL21haWxtYW4vbGlzdGluZm8vbnZvMw0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX18NCm52bzMgbWFpbGluZyBsaXN0DQpudm8zQGlldGYub3JnPG1haWx0 bzpudm8zQGlldGYub3JnPg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9u dm8zDQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KbnZv MyBtYWlsaW5nIGxpc3QNCm52bzNAaWV0Zi5vcmc8bWFpbHRvOm52bzNAaWV0Zi5vcmc+DQpodHRw czovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL252bzMNCl9fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQpudm8zIG1haWxpbmcgbGlzdA0KbnZvM0Bp ZXRmLm9yZzxtYWlsdG86bnZvM0BpZXRmLm9yZz4NCmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxt YW4vbGlzdGluZm8vbnZvMw0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX18NCm52bzMgbWFpbGluZyBsaXN0DQpudm8zQGlldGYub3JnPG1haWx0bzpudm8zQGll dGYub3JnPg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9udm8zDQoNCl9f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQpudm8zIG1haWxp bmcgbGlzdA0KbnZvM0BpZXRmLm9yZzxtYWlsdG86bnZvM0BpZXRmLm9yZz4NCmh0dHBzOi8vd3d3 LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vbnZvMw0KX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX18NCm52bzMgbWFpbGluZyBsaXN0DQpudm8zQGlldGYub3Jn PG1haWx0bzpudm8zQGlldGYub3JnPg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0 aW5mby9udm8zDQoNCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fDQpudm8zIG1haWxpbmcgbGlzdA0KbnZvM0BpZXRmLm9yZzxtYWlsdG86bnZvM0BpZXRmLm9y Zz4NCmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vbnZvMw0K --_000_MN2PR15MB3310AE0958697EB6412E96CBE3570MN2PR15MB3310namp_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 SGVsdmV0aWNhOw0KCXBhbm9zZS0xOjIgMTEgNiA0IDIgMiAyIDIgMiA0O30NCkBmb250LWZhY2UN Cgl7Zm9udC1mYW1pbHk6IkNhbWJyaWEgTWF0aCI7DQoJcGFub3NlLTE6MiA0IDUgMyA1IDQgNiAz IDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAx NSA1IDIgMiAyIDQgMyAyIDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseTpWZXJkYW5hOw0K CXBhbm9zZS0xOjIgMTEgNiA0IDMgNSA0IDQgMiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1p bHk6Q29uc29sYXM7DQoJcGFub3NlLTE6MiAxMSA2IDkgMiAyIDQgMyAyIDQ7fQ0KLyogU3R5bGUg RGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWwsIGRpdi5Nc29Ob3JtYWwN Cgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1zaXplOjExLjBw dDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjt9DQphOmxpbmssIHNwYW4uTXNv SHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpibHVlOw0KCXRleHQt ZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBzcGFuLk1zb0h5cGVybGlua0ZvbGxv d2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpwdXJwbGU7DQoJdGV4dC1kZWNv cmF0aW9uOnVuZGVybGluZTt9DQpwcmUNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1z dHlsZS1saW5rOiJIVE1MIFByZWZvcm1hdHRlZCBDaGFyIjsNCgltYXJnaW46MGluOw0KCW1hcmdp bi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTAuMHB0Ow0KCWZvbnQtZmFtaWx5OiJDb3Vy aWVyIE5ldyI7fQ0KcC5tc29ub3JtYWwwLCBsaS5tc29ub3JtYWwwLCBkaXYubXNvbm9ybWFsMA0K CXttc28tc3R5bGUtbmFtZTptc29ub3JtYWw7DQoJbXNvLW1hcmdpbi10b3AtYWx0OmF1dG87DQoJ bWFyZ2luLXJpZ2h0OjBpbjsNCgltc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0bzsNCgltYXJnaW4t bGVmdDowaW47DQoJZm9udC1zaXplOjExLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fu cy1zZXJpZjt9DQpzcGFuLkhUTUxQcmVmb3JtYXR0ZWRDaGFyDQoJe21zby1zdHlsZS1uYW1lOiJI VE1MIFByZWZvcm1hdHRlZCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0 eWxlLWxpbms6IkhUTUwgUHJlZm9ybWF0dGVkIjsNCglmb250LWZhbWlseTpDb25zb2xhczt9DQpz cGFuLmdtYWlsLW0tMzQzNzI2NTgxNDQxMTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2Njkx YXBwbGUtY29udmVydGVkLXNwYWNlDQoJe21zby1zdHlsZS1uYW1lOmdtYWlsLW1fLTM0MzcyNjU4 MTQ0MTEyNTY0NTVnbWFpbC1tXzI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3Bh Y2U7fQ0Kc3Bhbi5FbWFpbFN0eWxlMjMNCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29uYWwtcmVwbHk7 DQoJZm9udC1mYW1pbHk6IkNhbGlicmkiLHNhbnMtc2VyaWY7DQoJY29sb3I6d2luZG93dGV4dDt9 DQouTXNvQ2hwRGVmYXVsdA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LXNp emU6MTAuMHB0O30NCkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsNCglt YXJnaW46MS4waW4gMS4waW4gMS4waW4gMS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdl OldvcmRTZWN0aW9uMTt9DQotLT48L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86 c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2Vu ZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVk aXQiPg0KPG86aWRtYXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+ PC94bWw+PCFbZW5kaWZdLS0+DQo8L2hlYWQ+DQo8Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0iYmx1 ZSIgdmxpbms9InB1cnBsZSI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+SWYgdGhlIHRleHQgbWVudGlvbnMgdGhhdCBvcHRpb25zJm5ic3A7IGZvciA8 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtWZXJkYW5hJnF1 b3Q7LHNhbnMtc2VyaWYiPg0KYXV0aGVudGljYXRpb24sIGVuY3J5cHRpb24sIGFuZCBpbnRlZ3Jp dHkgY2hlY2tzIGFyZSBleGNlcHRpb25zIHRvIHRoZXNlIHJ1bGVzLiBJIGFtIGZpbmUgYXMgd2Vs bC4NCjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fu cy1zZXJpZiI+WW91cnMsDQo8YnI+DQpEYW5pZWw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWls eTomcXVvdDtWZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPGRpdj4NCjxkaXYg c3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci10b3A6c29saWQgI0UxRTFFMSAxLjBwdDtwYWRkaW5n OjMuMHB0IDBpbiAwaW4gMGluIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxiPkZyb206PC9iPiBK b2UgVG91Y2ggJmx0O3RvdWNoQHN0cmF5YWxwaGEuY29tJmd0OyA8YnI+DQo8Yj5TZW50OjwvYj4g V2VkbmVzZGF5LCBBcHJpbCAwMywgMjAxOSA2OjQ3IFBNPGJyPg0KPGI+VG86PC9iPiBEYW5pZWwg TWlnYXVsdCAmbHQ7ZGFuaWVsLm1pZ2F1bHRAZXJpY3Nzb24uY29tJmd0Ozxicj4NCjxiPkNjOjwv Yj4gRlkmcXVvdDtHYW5nYSwgSWxhbmdvIFMmcXVvdDsgJmx0O2lsYW5nby5zLmdhbmdhQGludGVs LmNvbSZndDs7IE5WTzMgJmx0O252bzNAaWV0Zi5vcmcmZ3Q7PGJyPg0KPGI+U3ViamVjdDo8L2I+ IFJlOiBbbnZvM10gV29ya2luZyBHcm91cCBMYXN0IENhbGwgYW5kIElQUiBQb2xsIGZvciBkcmFm dC1pZXRmLW52bzMtZ2VuZXZlLTA4LnR4dCAtIGdlbmV2ZSBvcHRpb25zPG86cD48L286cD48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48 L3A+DQo8cD48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtW ZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPkZZSSwgSSBwcm92aWRlZCBzdWdnZXN0aW9ucyBpbiBt eSBpbml0aWFsIHBvc3Q6PG86cD48L286cD48L3NwYW4+PC9wPg0KPHA+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlm Ij4tIE1VU1QgcHJvY2VzcyBpbi1vcmRlcjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDss c2Fucy1zZXJpZiI+LSBNVVNUIG5vdCBkZXBlbmQgb24gaW5mb3JtYXRpb24gaW4gZWFybGllciBv cHRpb25zLCBpbiB0aGUgb3JkZXIgdGhleSBhcmUgcHJvY2Vlc3NlZDxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjxwPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+SWYgeW91IGhhdmUgc29tZSBvdGhlciByZWFzb24g Zm9yIFNIT1VMRCBOT1QgZGVwZW5kIG9uIG9wdGlvbiBjb250ZW50cyBvciBwYXlsb2FkIGNvbnRl bnRzLCB0aGV5IHRoYXQncyBhIHNlcGFyYXRlIGlzc3VlLiBJLmUuLCBpZiB5b3UgcmV0YWluIHRo YXQgU0hPVUxEIE5PVCwgaXQgd291bGQgYmUgdXNlZnVsIHRvIGluZGljYXRlDQogYXV0aGVudGlj YXRpb24sIGVuY3J5cHRpb24sIGFuZCBpbnRlZ3JpdHkgY2hlY2tzIGFzIHBvc3NpYmxlIGV4Y2Vw dGlvbnMuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHA+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox MC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlmIj5Kb2U8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5z LXNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxwPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fu cy1zZXJpZiI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHA+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlm Ij5PbiAyMDE5LTA0LTAzIDA5OjE4LCBEYW5pZWwgTWlnYXVsdCB3cm90ZTo8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29s aWQgIzEwMTBGRiAxLjVwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDUuMHB0O21hcmdpbi1sZWZ0OjBp bjttYXJnaW4tcmlnaHQ6MGluIj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtWZXJkYW5hJnF1b3Q7LHNh bnMtc2VyaWYiPkkgYWdyZWUgdGhhdCB3b3VsZCBiZSBiZXR0ZXIsIGhvd2V2ZXIgSSBkbyBub3Qg aGF2ZSBhIGNsZWFyIGlkZWEgb24gd2hhdCBjb3VsZCBxdWFsaWZ5IGFzIGFuIGV4Y2VwdGlvbi4g SSBzZWUgc2VjdXJpdHkgYXMgc3VjaCBhbiBleGNlcHRpb24sIGJ1dCBJIGNhbm5vdCBzYXkgZm9y IHN1cmUgdGhhdA0KIGlzIHRoZSBvbmx5IGV4Y2VwdGlvbi4gTXkgY29uY2VybiB3YXMgdGhhdCB0 aGUgcHJldmlvdXMgdGV4dCBwcmV2ZW50IHN1Y2ggc2VjdXJpdHkgZXh0ZW5zaW9ucy4gVGhlIGN1 cnJlbnQgdGV4dCBhZGRyZXNzIHRoYXQgY29uY2Vybi4gSSBhbSBoYXBweSB0byBoZWFyIGhvdyB3 ZSBjb3VsZCBkbyBiZXR0ZXIuJm5ic3A7DQo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlmIj5Zb3VycywmbmJzcDs8YnI+DQpE YW5pZWw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlmIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+T24gV2Vk LCBBcHIgMywgMjAxOSBhdCAxMTo0NCBBTSBKb2UgVG91Y2ggJmx0OzxhIGhyZWY9Im1haWx0bzp0 b3VjaEBzdHJheWFscGhhLmNvbSI+dG91Y2hAc3RyYXlhbHBoYS5jb208L2E+Jmd0OyB3cm90ZTo8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6 bm9uZTtib3JkZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAwaW4g Ni4wcHQ7bWFyZ2luLWxlZnQ6NC44cHQ7bWFyZ2luLXJpZ2h0OjBpbiI+DQo8ZGl2Pg0KPHA+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VmVyZGFuYSZxdW90 OyxzYW5zLXNlcmlmIj5GV0lXLCBJTU8gU0hPVUxEIE5PVCBuZWVkcyB0byBjb21lIHdpdGggYSBk ZXNjcmlwdGlvbiBvZiB3aGF0IHdvdWxkIHF1YWxpZnkgYXMgYW4gZXhjZXB0aW9uLjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjxwPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+SG93ZXZlciwgeW91IGNhbid0IGFs bG93IHR3byBzdWNoIGV4Y2VwdGlvbnMgVU5MRVNTIHRoZXkncmUgZGVjb25mbGljdGVkLCZuYnNw O2kuZS4sIHdobyBnb2VzIGZpcnN0LiBUaGF0IG5ldmVyIHdvcmtzIHdlbGwgaW4gcHJhY3RpY2Ug YmVjYXVzZSBldmVyeSBuZXcgb3B0aW9uIHNheXMgJnF1b3Q7SSBjb21lIGZpcnN0JnF1b3Q7Ljxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+SS5lLiwgdGhlIHBvaW50 IGlzbid0IHdoZXRoZXIgeW91IGhhdmUgZXhjZXB0aW9ucyAtIHlvdSB3aWxsLiBUaGUgcG9pbnQg aXMgdG8gc3BlY2lmeSBob3cgdGhvc2UgY2FzZXMgd29yaywgaW4gd2hpY2ggY2FzZSB5b3UgZG9u J3QgbmVlZCB0aGUgU0hPVUxEIE5PVC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cD48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtWZXJkYW5hJnF1b3Q7LHNh bnMtc2VyaWYiPkpvZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtW ZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPHA+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlmIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 cD48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtWZXJkYW5h JnF1b3Q7LHNhbnMtc2VyaWYiPk9uIDIwMTktMDQtMDMgMDg6MzMsIERhbmllbCBNaWdhdWx0IHdy b3RlOjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6bm9u ZTtib3JkZXItbGVmdDpzb2xpZCAjMTAxMEZGIDEuNXB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNS4w cHQ7bWFyZ2luLWxlZnQ6MGluO21hcmdpbi1yaWdodDowaW4iPg0KPGRpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWls eTomcXVvdDtWZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPkhpLCZuYnNwOzxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fucy1z ZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtW ZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPk15IHJlYWRpbmcgaXMgdGhhdCBTSE9VTEQgTk9UIG1l YW5zIE1VU1QgTk9UIHVubGVzcyB3ZSBoYXZlIGEgZ29vZCByZWFzb24gZm9yIGl0IGFuZCBzZWN1 cml0eSBvciBjaGVja3N1bSBvcHRpb25zIGZhbGwgaW4gdGhhdCBjYXRlZ29yeS4gQU0gSSBtaXNz aW5nIHNvbWV0aGluZyA/DQo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtWZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPllv dXJzLCZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+RGFuaWVsPG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+ PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtW ZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPk9uIFR1ZSwgQXByIDIsIDIwMTkgYXQgMTE6MzYgUE0g Sm9lIFRvdWNoICZsdDs8YSBocmVmPSJtYWlsdG86dG91Y2hAc3RyYXlhbHBoYS5jb20iPnRvdWNo QHN0cmF5YWxwaGEuY29tPC9hPiZndDsgd3JvdGU6PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0ND Q0NDQyAxLjBwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21h cmdpbi1yaWdodDowaW4iPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fucy1z ZXJpZiI+SGksIGFsbCwNCjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVv dDtWZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+RldJ VyAtIEkgZG9uJ3QgdW5kZXJzdGFuZCB0aGlzIHJlcXVpcmVtZW50LjxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJp ZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlmIj5DbGVhcmx5LCBhbiBvcHRpb24gTVVTVCBOT1Qg ZGVwZW5kIG9uIG9wdGlvbnMgdGhhdCBjb21lIGJlZm9yZSBpdCBpbiB0aGUgb3JkZXIgdGhleSBv Y2N1ciwgb3RoZXJ3aXNlIHlvdSBjb3VsZCBoYXZlIG9wdGlvbnMgZGVmaW5lZCBpbiBhIGNpcmN1 bGFyIG1hbm5lciB0aGF0IGNhbm5vdCBiZSByZXNvbHZlZC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtWZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPiZu YnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Zl cmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+SG93ZXZlciwgaWYgeW91IHByZXZlbnQgb3B0aW9ucyB0 aGF0IGRlcGVuZCBvbiBvdGhlciwgbGF0ZXIgb3B0aW9ucyB5b3Ugd291bGQgdW5kZXJtaW5lIHRo ZSBhYmlsaXR5IHRvIGhhdmUgYW4gb3B0aW9uIHRoYXQgcHJvdmlkZXMgYXV0aGVudGljYXRpb24g KHdoaWNoIGlzIHVzZWZ1bCBvbmx5IHdoZW4NCiBpdCBpbmNsdWRlcyBib3RoIHRoZSBwYXlsb2Fk IGFuZCBzdWJzZXF1ZW50IG9wdGlvbnMpIG9yIGVuY3J5cHRpb24gKHdoaWNoIHNob3VsZCBhdCBs ZWFzdCBhdXRoZW50aWNhdGUgdGhlIG9wdGlvbiBhcmVhLCBldmVuIGlmIGl0IGlzbid0IGVuY3J5 cHRlZCkuIEl0IGFsc28gdW5kZXJtaW5lcyB0aGUgYWJpbGl0eSB0byBoYXZlIG9wdGlvbnMgdGhh dCBjcmVhdGUgbmV3IGNoZWNrc3VtIGFsZ29yaXRobXMuPG86cD48L286cD48L3NwYW4+PC9wPg0K PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlmIj4mbmJz cDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtWZXJk YW5hJnF1b3Q7LHNhbnMtc2VyaWYiPkFyZSB5b3UgcmVhbGx5IHNlZWtpbmcgdG8gcHJldmVudCB0 aGVzZSBmdXR1cmUgcG9zc2liaWxpdGllcz88bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBw dDtmb250LWZhbWlseTomcXVvdDtWZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPiZuYnNwOzxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVv dDssc2Fucy1zZXJpZiI+Sm9lPG86cD48L286cD48L3NwYW4+PC9wPg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9w Pg0KPGJsb2NrcXVvdGUgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICMxMDEw RkYgMS41cHQ7cGFkZGluZzowaW4gMGluIDBpbiA1LjBwdDttYXJnaW4tbGVmdDowaW47bWFyZ2lu LXJpZ2h0OjBpbiI+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlm Ij5PbiBNYXIgMjYsIDIwMTksIGF0IDEwOjMwIFBNLCBHYW5nYSwgSWxhbmdvIFMgJmx0OzxhIGhy ZWY9Im1haWx0bzppbGFuZ28ucy5nYW5nYUBpbnRlbC5jb20iPmlsYW5nby5zLmdhbmdhQGludGVs LmNvbTwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlmIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48 L3A+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHls ZT0iY29sb3I6IzFGNDk3RCI+SGkgRGFuaWVsLDwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+V2UgdXBkYXRlZCB0aGUgZHJhZnQg dG8gcmVzdGF0ZSB0aGUgcmVxdWlyZW1lbnQgb24gb3B0aW9ucyBwcm9jZXNzaW5nLCB0aGUgcmV2 aXNlZCB0ZXh0IGlzIG11Y2ggc2ltcGxlciwgcHJvdmlkZXMgYmV0dGVyIGNsYXJpdHksIGFuZCBy ZXRhaW5zIHRoZSBvcmlnaW5hbCBpbnRlbnQuIFdlIGJlbGlldmUsIHRoaXMgc2hvdWxkIGFkZHJl c3MgeW91ciBjb25jZXJucy48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHls ZT0iY29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LHNlcmlmIj48YSBocmVmPSJodHRwczovL21haWxhcmNoaXZlLmlldGYub3JnL2Fy Y2gvbXNnL252bzMvLWp3cTFmandEdWZ2UGw4UWNiazdJaGVpZWdnIiB0YXJnZXQ9Il9ibGFuayI+ PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+aHR0cHM6Ly9tYWlsYXJjaGl2ZS5pZXRmLm9yZy9h cmNoL21zZy9udm8zLy1qd3ExZmp3RHVmdlBsOFFjYms3SWhlaWVnZzwvc3Bhbj48L2E+PG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYi PjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj5SZXZpc2VkIHRleHQ6PC9zcGFuPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPiZxdW90O0FuIG9wdGlvbiBTSE9VTEQgTk9UIGJl IGRlcGVuZGVudCB1cG9uIGFueSBvdGhlciBvcHRpb24gaW4gdGhlPC9zcGFuPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7Q291cmllciBOZXcmcXVvdDsiPnBhY2tldCwgaS5lLiwgb3B0aW9ucyBjYW4gYmUgcHJvY2Vz c2VkIGluZGVwZW5kZW50bHkgb2Ygb25lPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcm cXVvdDsiPmFub3RoZXIuJm5ic3A7IEFyY2hpdGVjdHVyYWxseSwgb3B0aW9ucyBhcmUgaW50ZW5k ZWQgdG8gYmUgc2VsZi08L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjxwcmU+ZGVzY3JpcHRpdmUgYW5kIGluZGVwZW5kZW50LiZuYnNwOyBU aGlzIGVuYWJsZXMgcGFyYWxsZWxpc20gaW4gb3B0aW9uPG86cD48L286cD48L3ByZT4NCjxwcmU+ cHJvY2Vzc2luZyBhbmQgcmVkdWNlcyBpbXBsZW1lbnRhdGlvbiBjb21wbGV4aXR5LiZxdW90Ozxv OnA+PC9vOnA+PC9wcmU+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJjb2xvcjojMUY0OTdEIj5UaGFua3M8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+SWxhbmdvPC9zcGFuPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90Oyxz ZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6 IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHN0cm9uZz48c3Bh biBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5Gcm9t Ojwvc3Bhbj48L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1 Z21haWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwv c3Bhbj5EYW5pZWwgTWlnYXVsdCBbPGEgaHJlZj0ibWFpbHRvOmRhbmllbC5taWdhdWx0QGVyaWNz c29uLmNvbSI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+bWFpbHRvOmRhbmllbC5taWdhdWx0 QGVyaWNzc29uLi5jb208L3NwYW4+PC9hPl08c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0 NDExMjU2NDU1Z21haWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2Ui PiZuYnNwOzwvc3Bhbj48YnI+DQo8c3Ryb25nPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVv dDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPlNlbnQ6PC9zcGFuPjwvc3Ryb25nPjxzcGFuIGNs YXNzPSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5 MWFwcGxlLWNvbnZlcnRlZC1zcGFjZSI+Jm5ic3A7PC9zcGFuPldlZG5lc2RheSwgTWFyY2ggMjAs IDIwMTkgMTo1NiBQTTxicj4NCjxzdHJvbmc+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90 O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+VG86PC9zcGFuPjwvc3Ryb25nPjxzcGFuIGNsYXNz PSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFw cGxlLWNvbnZlcnRlZC1zcGFjZSI+Jm5ic3A7PC9zcGFuPkdhbmdhLCBJbGFuZ28gUyAmbHQ7PGEg aHJlZj0ibWFpbHRvOmlsYW5nby5zLmdhbmdhQGludGVsLmNvbSI+PHNwYW4gc3R5bGU9ImNvbG9y OnB1cnBsZSI+aWxhbmdvLnMuZ2FuZ2FAaW50ZWwuY29tPC9zcGFuPjwvYT4mZ3Q7PGJyPg0KPHN0 cm9uZz48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNl cmlmIj5DYzo8L3NwYW4+PC9zdHJvbmc+PHNwYW4gY2xhc3M9ImdtYWlsLW0tMzQzNzI2NTgxNDQx MTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUtY29udmVydGVkLXNwYWNlIj4m bmJzcDs8L3NwYW4+TlZPMyAmbHQ7PGEgaHJlZj0ibWFpbHRvOm52bzNAaWV0Zi5vcmciPjxzcGFu IHN0eWxlPSJjb2xvcjpwdXJwbGUiPm52bzNAaWV0Zi5vcmc8L3NwYW4+PC9hPiZndDs8YnI+DQo8 c3Ryb25nPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMt c2VyaWYiPlN1YmplY3Q6PC9zcGFuPjwvc3Ryb25nPjxzcGFuIGNsYXNzPSJnbWFpbC1tLTM0Mzcy NjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1z cGFjZSI+Jm5ic3A7PC9zcGFuPlJlOiBbbnZvM10gV29ya2luZyBHcm91cCBMYXN0IENhbGwgYW5k IElQUiBQb2xsIGZvciBkcmFmdC1pZXRmLW52bzMtZ2VuZXZlLTA4LnR4dA0KIC0gZ2VuZXZlIG9w dGlvbnM8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5IaSw8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+SSBhbSBsb29raW5nIGF0IHRoZSB2ZXJzaW9uIDEyIGFuZCBzZWUgaG93IGl0 IGFkZHJlc3MgbXkgY29uY2Vybiw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2 Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYi PnJlZ2FyZGluZyB0aGUgaW50ZWdyYXRpb24gb2Ygc2VjdXJpdHkgb3B0aW9ucy48bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU aW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+VGhlIG5ldyB0ZXh0IGluIHZlcnNpb24gMTIgbWVudGlvbnM6PG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mcXVvdDsmcXVvdDsmcXVvdDs8bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVv dDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDtvJm5ic3A7IEFuIG9w dGlvbiBTSE9VTEQgTk9UIGJlIGRlcGVuZGVudCB1cG9uIGFueSBvdGhlciBvcHRpb24gaW4gdGhl PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDsgJm5ic3A7ICZuYnNw OyBwYWNrZXQsIGkuZS4sIG9wdGlvbnMgY2FuIGJlIHByb2Nlc3NlZCBpbmRlcGVuZGVudCBvZiBv bmUgYW5vdGhlci48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAm bmJzcDsgJm5ic3A7IEFuIG9wdGlvbiBNVVNUIE5PVCBhZmZlY3QgdGhlIHBhcnNpbmcgb3IgaW50 ZXJwcmV0YXRpb24gb2YgYW55PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4m bmJzcDsgJm5ic3A7ICZuYnNwOyBvdGhlciBvcHRpb24uJm5ic3A7IEhvd2V2ZXIsIG9wdGlvbiBw cm9jZXNzaW5nIGJ5IHR1bm5lbCBlbmRwb2ludHMgbWF5PG86cD48L286cD48L3NwYW4+PC9wPg0K PC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g c3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFu JnF1b3Q7LHNlcmlmIj4mbmJzcDsgJm5ic3A7ICZuYnNwOyByZXN1bHQgaW4gdGhlIHBhY2tldCBi ZWluZyBkcm9wcGVkLiZuYnNwOyBPcHRpb25zIG1heSBhbHNvIGJlIHVzZWQgaW48bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU aW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDsgJm5ic3A7IGNvbmp1bmN0 aW9uIHdpdGggZWFjaCBvdGhlciBvciBjb21iaW5lZCB3aXRoIHBhY2tldCBkYXRhIGJ1dCB0aGlz PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDsgJm5ic3A7ICZuYnNw OyBwcm9jZXNzaW5nIGlzIGRvbmUgYWJvdmUgdGhlIGVuY2Fwc3VsYXRpb24gbGF5ZXIuPG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mcXVvdDsmcXVvdDsmcXVvdDs8bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVv dDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+SSBhbSByZWFkaW5nIHRoZSB0ZXh0IGFzIGEgc2VjdXJpdHkgb3B0 aW9uIGNhbiBiZSBjb21iaW5lZCB3aXRoIGFub3RoZXI8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPm9wdGlvbiBvciB0aGUgZGF0YSBwYXlsb2FkLiBNb3JlIHNwZWNpZmljYWxs eSwgYW4gYXV0aGVudGljYXRpb24gb3B0aW9uPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZTo5LjBwdDtmb250LWZhbWlseTomcXVvdDtIZWx2ZXRpY2EmcXVvdDssc2Fucy1z ZXJpZiI+dGhhdCBhdXRoZW50aWNhdGVzIHNvbWUgb3B0aW9ucyBhbmQvb3IgdGhlIHBheWxvYWQg bWF5IHJlc3VsdCBpbiB0aGU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPnBh Y2tldCB0byBiZSBkaXNjYXJkZWQgb3Igbm90LjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2 Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5JIHRo aW5rIHdlIGFyZSBtYWtpbmcgcHJvZ3Jlc3MuIEhvd2V2ZXIsIEkgYW0gbm90IGNsZWFyIGFib3V0 IHRoZSB0ZXh0OjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mcXVvdDsmcXVvdDsmcXVvdDsgYnV0 IHRoaXMgcHJvY2Vzc2luZyBpcyBkb25lIGFib3ZlIHRoZSBlbmNhcHN1bGF0aW9uIGxheWVyLiZx dW90OyZxdW90OyZxdW90OzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5i c3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5JIGFtIHJlYWRpbmcgdGhl IGVuY2Fwc3VsYXRpb24gbGF5ZXIgYXMgdGhlIEdlbmV2ZSBwcm90b2NvbCwgYnV0IEkgYW08bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPm5vdCBjbGVhciB3aGF0IHRoZSBsYXll ciBhYm92ZSBpcy4gSSBhbSBhc3N1bWluZyB0aGF0IGlzIGEgbGF5ZXI8bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPnRoYXQgdGFrZXMgdGhlIG91dHB1dCBvZiB0aGUgR2VuZXZl IGRlY2Fwc3VsYXRpb24uIElmIHRoYXQgaXMgY29ycmVjdCw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPkkgdW5kZXJzdGFuZCB0aGUgdGV4dCBzYXlpbmcgR2VuZXZlIHByb2Nl c3NlcyB0aGUgb3B0aW9ucyBldmVuIHRob3VnaDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2 Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+dGhlIGF1dGhlbnRpY2F0aW9uIGhhcyBmYWlsZWQuIFR5cGljYWxseSwgc3VwcG9z ZSBvcHRpb24gQSBjb3ZlcnM8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPm9w dGlvbnMgTy4gVXBvbiB2ZXJpZmljYXRpb24gb2YgQSBmYWlscywgR2VuZXZlIHByb2Nlc3NlcyBP IGFuZCByZXR1cm5zPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj50byBzb21l IHVwcGVyIGxheWVycyB0aGF0IE8gaGFzIGJlZW4gcHJvY2Vzc2VkIHdoaWxlIGl0cyBhdXRoZW50 aWNhdGlvbjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ZGlkIG5vdCBzdWNj ZWVkLiBJIGFtIHN1cmUgdGhhdCBJIG1pc3VuZGVyc3Rvb2QgdGhlIHRleHQsIGJ1dCBJIHN1Z2dl c3Q8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZh bWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPnNvbWUgY2xhcmlmaWNhdGlv biBhcmUgcHJvdmlkZWQgdG8gcHJldmVudCBzdWNoIGludGVycHJldGF0aW9uIGFzIHRoZTxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+cHVycG9zZSBvZiB0aGUgYXV0aGVudGlj YXRpbmcgTyBNVVNUIGJlIGFibGUgdG8gcHJldmVudCB0aGUgcHJvY2Vzc2luZzxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+b2YgdGhlIG9wdGlvbiBPLjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj5JbiB0aGUgY3VycmVudCB0ZXh0IEkgYmVsaWV2ZSB0aGUgdGV4dCAmcXVvdDsm cXVvdDsmcXVvdDtidXQgLi4ubGF5ZXImcXVvdDsmcXVvdDsmcXVvdDsgY2FuIGJlPG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5yZW1vdmVkLiBBbm90aGVyIHdheSBtaWdodCBi ZSB0byBjbGFyaWZ5IHRoZSBsYXllciBhYm92ZSB0aGU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPmVuY2Fwc3VsYXRpb24uPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7 LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNw OzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+WW91cnMsPG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5EYW5pZWw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+ DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9k aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJz cDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+T24gRnJpLCBNYXIgOCwgMjAx OSBhdCA5OjQ0IFBNIERhbmllbCBNaWdhdWx0ICZsdDs8YSBocmVmPSJtYWlsdG86ZGFuaWVsLm1p Z2F1bHRAZXJpY3Nzb24uY29tIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5kYW5pZWwubWln YXVsdEBlcmljc3Nvbi5jb208L3NwYW4+PC9hPiZndDsgd3JvdGU6PG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6bm9uZTtib3Jk ZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNi4wcHQ7bWFy Z2luLWxlZnQ6NC44cHQ7bWFyZ2luLXRvcDo1LjBwdDttYXJnaW4tcmlnaHQ6MGluO21hcmdpbi1i b3R0b206NS4wcHQiPg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+SGksPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8 L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj5UaGFua3MgZm9yIHRoZSByZXNwb25zZS4gTGV0IG1lIGZpcnN0IHJlY2FwIHRoZSBwcmV2 aW91cyBjb252ZXJzYXRpb24sPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5v ciBhdCBsZWFzdCBteSBwZXJjZXB0aW9uIG9mIHRoZW0uIE15IGluaXRpYWwgY29tbWVudCB3YXMg dGhhdCB0aGU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtm b250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmN1cnJlbnQgR2Vu ZXZlIHNwZWNpZmljYXRpb24gcHJldmVudHMgdGhlIGRlc2lnbiBvZiBzZWN1cml0eSBvcHRpb25z IGFuZDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+SSBwcm92aWRlZCBhbiBl eGFtcGxlLiBNeSB1bmRlcnN0YW5kaW5nIGlzIHRoZXJlIGlzIGFuIGFncmVlbWVudCB0aGF0PG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5zdWNoIG9wdGlvbiBpcyBwcmV2ZW50 ZWQgYnkgdGhlIGN1cnJlbnQgZ2VuZXZlIHNwZWNpZmljYXRpb24gYW5kIHlvdTxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Y2hhbGxlbmdlIHRoZSB1c2VmdWxuZXNzIG9mIHN1 Y2ggYW4gb3B0aW9uIChkZXNpZ25hdGVkIGFzIEEpIGFzIHdlbGwgYXM8bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPmFyZ3VlIHRoYXQgYW4gYXV0aGVudGljYXRpb24gdXBvbiBm YWlsdXJlIE1VU1QgcmVzdWx0IGluIGRpc2NhcmRpbmcgdGhlPG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LHNlcmlmIj5wYWNrZXQuPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8 L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPlRoZSBzZWN1 cml0eSBvcHRpb25zIGNvbnNpZGVyZWQgaGFzIGJlZW4gbWVudGlvbmVkIGluIHR3byBpbmRlcGVu ZGVudDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+c2VjdXJpdHkgYW5hbHlz aXMuIFRoZSBleGFtcGxlIGhhcyBiZWVuIGRlc2NyaWJlZCBhbmQgY29tbWVudGVkPG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5leHRlbnNpdmVseSBpbiB0aGUgdGhyZWF0IGFu YWx5c2lzIGFzIHdlbGwuJm5ic3A7IEkgYXJndWUgZnVydGhlciB0aGF0PG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMg TmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5tYW5kYXRpbmcgdGhhdCBkcm9wcGluZyB0aGUgcGFja2V0 LCBpbiBvdXIgY2FzZSBpcyBuZWl0aGVyIGEgZGVjaXNpb248bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPnRoYXQgY2FuIGJlIHRha2VuIGF0IHRoZSBvcHRpb24gbGV2ZWwsIG5v ciBhdCB0aGUgZ2VuZXZlIGxldmVsLiBJbnN0ZWFkLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+aXQgYmVsb25ncyB0byBhIHBvbGljeSBkZWNpc2lvbiB0aGF0IGlzIGxpa2Vs eSB0byByZXN1bHQgaW4gaW5jb2hlcmVudDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90Oyxz ZXJpZiI+ZGVwbG95bWVudHMuPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4m bmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250 LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPkFzIHJlc3VsdCwgdGhl IGN1cnJlbnQgZ2VuZXZlIHNwZWNpZmljYXRpb24gcHJldmVudHMgc2VjdXJpdHkgb3B0aW9ucy48 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPlBsZWFzZSBzZWUgYmVsb3cgZm9y IG1vcmUgYWRkaXRpb25hbCBpbmZvcm1hdGlvbi48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rp dj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVv dDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+VGhl IGN1cnJlbnQgb3B0aW9uIHdvcmtzIHNpbWlsYXJseSB0byBJUHNlYzogSVBzZWMvRVNQIGlzIElQ IG9wdGlvbi4gQUg8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmlzIGFuIG9w dGlvbiB0aGF0IGF1dGhlbnRpY2F0ZXMgdGhlIGZ1bGwgSVAgcGFja2V0Li4gRVNQPG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5hdXRoZW50aWNhdGUvZW5jcnlwdCB0aGUgSVAg cGF5bG9hZCBhbmQgbm90IHRoZSBmdWxsIHBhY2tldC4mbmJzcDsgVXBvbjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YXV0aGVudGljYXRpb24gZmFpbHVyZSAqdGhlIHNjb3Bl IG9mIHRoZSBhdXRoZW50aWNhdGlvbiogaXMgZGlzY2FyZGVkPG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LHNlcmlmIj5hbmQgaW4gdGhhdCBzZW5zZSB0aGUgZXhhbXBsZSBJIGFtIHByb3Zp ZGluZyBpcyBubyBtb3JlIGRpZmZlcmVudC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDss c2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+SW4gb3Vy IGNhc2UsIHRoZSBvcHRpb24gYXV0aGVudGljYXRlIGFuIHBvcnRpb24gb2YgdGhlIGdlbmV2ZSBw YWNrZXQ8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250 LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPnRoYXQgaXMgbGltaXRl ZCB0byB0aGUgb3B0aW9uLiBUdGhlIGNvdmVyYWdlIG9mIHRoZSBzZWN1cml0eSBvcHRpb24gaXMg YTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+cG9ydGlvbiBvZiB0aGUgZ2Vu ZXZlIGhlYWRlci4mbmJzcDsgQXMgc3VjaCwgdGhlIG9wdGlvbiBjYW5ub3QgbWFuZGF0ZTxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YW55dGhpbmcgb3V0c2lkZSBvZiBpdHMg Y292ZXJhZ2U6IHRoZSBjb3ZlcmVkIG9wdGlvbiBPLiBBcyBhIHJlc3VsdCw8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmRyb3BwaW5nIHRoZSBmdWxsIHBhY2tldCBpcyBvdXRz aWRlIG9mIHRoZSBzY29wZS4gTWFuZGF0aW5nIGEgcGFja2V0Jm5ic3A7PG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMg TmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5kcm9wIGhhcmRseSwgaW4gbXkgb3BpbmlvbiBhcHBseSBo ZXJlLiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5PcHRpb25zIGFyZSB1c3VhbGx5IG5v biBjcml0aWNhbCBmb3IgaW50ZXJvcGVyYWJpbGl0eS4gTWFuZGF0aW5nIHRvIGRyb3A8bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVv dDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPnRoZSBwYWNrZXQgd2hlbiBvcHRpb24gTyBj YW5ub3QgYmUgYXV0aGVudGljYXRlZCB3b3VsZCBjb250cmFkaWN0IHRoZTxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+bm9uIGNyaXRpY2FsIHN0YXR1cyBvZiB0aGF0IG9wdGlv biwgd2hpY2ggaXMgdGhlIHBhY2tldCBjYW4gYmUgcHJvY2Vzc2VkPG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj53aXRob3V0IHRoZSBvcHRpb24uIFRoaXMgd291bGQgYmUgYSBw b2xpY3kgdGhhdCBvdmVyd3JpdGUgdGhlIGdlbmV2ZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+Jm5ic3A7LSBhcyB3ZWxsIGFzIHRoZSBnZW5ldmUgb3B0aW9uIC0gc3BlY2lm aWNhdGlvbi48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtm b250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPkEgcG9zc2libGUg aW5jb2hlcmVuY2Ugd291bGQgYmUgaWYgb3B0aW9uIEEgYW5kIE8gYXJlIG5vbiBjcml0aWNhbCB3 b3VsZDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YmUgdGhhdCB0aGUgaW1w bGVtZW50YXRpb24gaWdub3JpbmcgdGhlIG9wdGlvbiBBIGFuZCBPIHdpbGwgYWNjZXB0IHRoZTxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+cGFja2V0LCBhbiBpbXBsZW1lbnRh dGlvbiB1bmRlcnN0YW5kaW5nIG9wdGlvbiBPIGJ1dCBub3Qgb3B0aW9uIEEgd2lsbDxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YWNjZXB0IHRoZSBwYWNrZXQgd2hpbGUgdGhl IGltcGxlbWVudGF0aW9uIHVuZGVyc3RhbmRpbmcgb3B0aW9uIEEgYW5kIE88bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPndpbGwgcmVqZWN0IHRoZSBwYWNrZXQuPG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPllvdXJzLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9k aXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+RGFuaWVsPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+T24gV2VkLCBNYXIgNiwgMjAxOSBhdCA5OjMzIFBNIEdhbmdh LCBJbGFuZ28gUyAmbHQ7PGEgaHJlZj0ibWFpbHRvOmlsYW5nby5zLmdhbmdhQGludGVsLmNvbSI+ PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+aWxhbmdvLnMuZ2FuZ2FAaW50ZWwuY29tPC9zcGFu PjwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8 YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAx LjBwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi10 b3A6NS4wcHQ7bWFyZ2luLXJpZ2h0OjBpbjttYXJnaW4tYm90dG9tOjUuMHB0Ij4NCjxkaXY+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0 OTdEIj5IaSBEYW5pZWwsPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJjb2xvcjojMUY0OTdEIj5QbGVhc2Ugc2VlIG15IHJlc3BvbnNlcyBpbmxpbmUgYmVs b3cuPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5 N0QiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xv cjojMUY0OTdEIj5UaGFua3MsPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImNvbG9yOiMxRjQ5N0QiPklsYW5nbzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlm Ij48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHN0cm9uZz48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJy aSZxdW90OyxzYW5zLXNlcmlmIj5Gcm9tOjwvc3Bhbj48L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21h aWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1j b252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj5udm8zIFttYWlsdG86PGEgaHJlZj0ibWFpbHRv Om52bzMtYm91bmNlc0BpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+bnZvMy1i b3VuY2VzQGlldGYub3JnPC9zcGFuPjwvYT5dPHNwYW4gY2xhc3M9ImdtYWlsLW0tMzQzNzI2NTgx NDQxMTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUtY29udmVydGVkLXNwYWNl Ij4mbmJzcDs8L3NwYW4+PHN0cm9uZz48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2Fs aWJyaSZxdW90OyxzYW5zLXNlcmlmIj5Pbg0KIEJlaGFsZiBPZjwvc3Bhbj48L3N0cm9uZz48c3Bh biBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4Mjc2MDgwNzIy MDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPjxiPiZuYnNwOzwvYj48L3NwYW4+RGFuaWVsIE1p Z2F1bHQ8YnI+DQo8c3Ryb25nPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJp JnF1b3Q7LHNhbnMtc2VyaWYiPlNlbnQ6PC9zcGFuPjwvc3Ryb25nPjxzcGFuIGNsYXNzPSJnbWFp bC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNv bnZlcnRlZC1zcGFjZSI+Jm5ic3A7PC9zcGFuPk1vbmRheSwgTWFyY2ggNCwgMjAxOSA5OjE1IEFN PGJyPg0KPHN0cm9uZz48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90 OyxzYW5zLXNlcmlmIj5Ubzo8L3NwYW4+PC9zdHJvbmc+PHNwYW4gY2xhc3M9ImdtYWlsLW0tMzQz NzI2NTgxNDQxMTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUtY29udmVydGVk LXNwYWNlIj4mbmJzcDs8L3NwYW4+R2FuZ2EsIElsYW5nbyBTICZsdDs8YSBocmVmPSJtYWlsdG86 aWxhbmdvLnMuZ2FuZ2FAaW50ZWwuY29tIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5pbGFu Z28ucy5nYW5nYUBpbnRlbC5jb208L3NwYW4+PC9hPiZndDs8YnI+DQo8c3Ryb25nPjxzcGFuIHN0 eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPkNjOjwvc3Bh bj48L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwt bTI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj48 YSBocmVmPSJtYWlsdG86bnZvM0BpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+ bnZvM0BpZXRmLm9yZzwvc3Bhbj48L2E+PGJyPg0KPHN0cm9uZz48c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5TdWJqZWN0Ojwvc3Bhbj48L3N0 cm9uZz48c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4 Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj5SZTogW252 bzNdIFdvcmtpbmcgR3JvdXAgTGFzdCBDYWxsIGFuZCBJUFIgUG9sbCBmb3IgZHJhZnQtaWV0Zi1u dm8zLWdlbmV2ZS0wOC50eHQ8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxk aXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+SGkgSWxhbmdvLCZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+ DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5UaGFua3MgZm9yIHRo ZSByZXNwb25zZS4mbmJzcDtQbGVhc2Ugc2VlIGEgY29uY3JldGUgZXhhbXBsZSB0byBpbGx1c3Ry YXRlIG15IGNvbmNlcm4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2 Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYi PmZvciBjb21tZW50IDEuIEZvciBjb21tZW50IDIsIGl0IHJlYWxseSBoZWxwZWQgeW91IGluZGlj YXRlZCB0aGF0IEdlbmV2ZSBpcyBleHBlY3RlZCZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+dG8gYmUgYW4gZW5kLXRvLWVuZCBwcm90b2NvbC4gVGhpcyB3aWxsIGhl bHAgbWUgdXBkYXRlIHRoZSBzZWN1cml0eSByZXF1aXJlbWVudCZuYnNwOzxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ZG9jdW1lbnQuIEhvd2V2ZXIsIHRoZSBjdXJyZW50IEdl bmV2ZSBzcGVjaWZpY2F0aW9uIHdpdGggdHJhbnNpdCBkZXZpY2VzIHNlZW1zIC0mbmJzcDs8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmF0IGxlYXN0IHRvIG1lIC0gdG8gcmFp c2UgYW4gYXJjaGl0ZWN0dXJlIGNvbmNlcm4gYXMgcmFpc2VkIGluIFsxXS48bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcg Um9tYW4mcXVvdDssc2VyaWYiPi0tIGNvbW1lbnQgMTo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+ DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ VGhhbmtzIGZvciB0aGUgZmVlZCBiYWNrLiBJIHVuZGVyc3RhbmQgdGhlIHB1cnBvc2Ugb2Yga2Vl cGluZyBvcHRpb248bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmluZGVwZW5k ZW50IG9uZSBmcm9tIGVhY2ggb3RoZXIsIGFuZCBmYXZvdXIgdGhpcyBpcyBzdHJvbmdseSByZWNv bW1lbmRlZC4uPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5Ib3dldmVyLCBJ IGFtIG5vdCBjb252aW5jZWQgdGhpcyBhcHBsaWVzIGFsd2F5cy4gTW9yZSBzcGVjaWZpY2FsbHks IGluIGE8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250 LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmNvbnRleHQgb2Ygc2Vj dXJpdHksIHRoZSBwdXJwb3NlIG9mIGEgc2VjdXJpdHkgb3B0aW9uIG1heSBiZSByZWxhdGVkIHRv PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5hbm90aGVyIG9wdGlvbi4gVHlw aWNhbGx5LCBhIHNlY3VyaXR5IG9wdGlvbiBwcm92aWRpbmcgYXV0aGVudGljYXRpb24gb3I8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmVuY3J5cHRpb24gaXMgcG90ZW50aWFs bHkgYXV0aGVudGljYXRpbmcvZW5jcnlwdGlvbiBhbm90aGVyIG9wdGlvbiBvcjxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+b3RoZXIgaW5mb3JtYXRpb24gY29udGFpbmVkIGlu IHRoZSBoZWFkZXIuPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPlRoZSB0eXBpY2FsIHNjZW5hcmlv IEkgaGF2ZSBpbiBtaW5kIHdvdWxkIGJlIGFuIGF1dGhlbnRpY2F0aW9uIG9wdGlvbiBBPG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5hdXRoZW50aWNhdGluZyBvcHRpb24gTy4g VGhlcmUgd2lsbCBjbGVhcmx5IHNvbWUgZGVwZW5kZW5jaWVzIGJldHdlZW4gQTxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YW5kIE8gYXMgTyBjb3VsZCBvbmx5IGJlIHVzZWQg aWYgQSBoYXMgYmVlbiBwcmltYXJpbHkgYmVlbiB2YWxpZGF0ZWQuPG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj5UaGUgY3VycmVudCBzdGF0ZW1lbnQgJnF1b3Q7U0hPVUxEIE5P VCBiZSBkZXBlbmRlbnQmcXVvdDsgZW5hYmxlcyB0aGlzLiBIb3dldmVyLCBJPG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5oYXZlIGNvbmNlcm5zIHJlZ2FyZGluZyB0aGUgc3Rh dGVtZW50ICZxdW90O01VU1QgTk9UIGFmZmVjdCB0aGUgcGFyc2luZyBvcjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+aW50ZXJwcmV0YXRpb24mcXVvdDsuIEluIGZhY3QsIHRo ZSBvdXRwdXQgb2YgQSwgd2lsbCBkZXRlcm1pbmUgaWYgTyBzaG91bGQgYmU8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmRyb3BwZWQgb3IgcHJvY2Vzc2VkIG5vcm1hbGx5LiBJ biBjYXNlIEEgc2hvd3MgTyBpcyBub3QgYXBwcm9wcmlhdGVseTxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+YXV0aGVudGljYXRlZCwgTyBtaWdodCBiZSByZWplY3RlZCBiYXNl ZCBvbiBpdHMgQyB2YWx1ZS4gVGhlIGFtYmlndWl0eSBJPG86cD48L286cD48L3NwYW4+PC9wPg0K PC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g c3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFu JnF1b3Q7LHNlcmlmIj5zZWUgaXMgdGhhdCBBIGNhbiBiZSB1bmRlcnN0b29kIGFzIGFmZmVjdGlu ZyB0aGUgcGFyc2luZyBhbmQ8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmlu dGVycHJldGF0aW9uIG9mIE8gb3IgYXMgYSBwcmUtcHJvY2Vzc2luZyBvcGVyYXRpb24gYmVmb3Jl IHBhcnNpbmcgb3I8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmludGVycHJl dGF0aW9uIG9mIE8uPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPkkgdGhpbmssIHRoZSB0ZXh0IG5l ZWRzIGZ1cnRoZXIgY2xhcmlmaWNhdGlvbnMgdG8gcmVtb3ZlIHN1Y2ggYW1iaWd1aXR5LjxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Q2hhbmdpbmcgTVVTVCBOT1QgYnkgU0hP VUxEIE5PVCB3YXMgb2YgY291cnNlIG9ubHkgb25lIHByb3Bvc2l0aW9uIGFuZDxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dGhpcyBjb3VsZCBiZSBhbHNvIGFkZHJlc3NlZCBv dGhlcndpc2UuIEl0IG1pZ2h0IGJlIGJldHRlciwgSSBhZ3JlZSwgdG88bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPmV4cGxpY2l0bHkgbWVudGlvbiB0aGF0IHNvbWUgb3B0aW9u cyBtYXkgcHJvdmlkZSBjb25kaXRpb24gb24gdGhlPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj5wYXJzaW5nIG9mIHRoZSBvcHRpb25zLiBUaGlzIHdvdWxkIGxlYXZlIHRoZSBw YXJzaW5nIG9mIHRoZSBvcHRpb25zIHVuY2hhbmdlZC4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29s b3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImNvbG9yOiMxRjQ5N0QiPiZsdDtJbGFuZ28mZ3Q7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPklmIEkgdW5kZXJzdGFuZCB5b3VyIGV4 YW1wbGUgY29ycmVjdGx5LCB5b3Ugd2FudCB0byBoYXZlIG9uZSBvcHRpb24gYXV0aGVudGljYXRl IHRoZSBjb250ZW50cyBvZiBhbm90aGVyIG9wdGlvbiBhbmQgaWYgdGhhdCBhdXRoZW50aWNhdGlv biBmYWlscywgZHJvcCB0aGUgb3B0aW9uLiBUaGlzIHdvdWxkIG5vdCBkcm9wIHRoZSBlbnRpcmUg cGFja2V0IHVubGVzcw0KIHRoYXQgb3B0aW9uIGlzIGNyaXRpY2FsLiBDYW4geW91IGdpdmUgYSB1 c2UgY2FzZSBmb3IgdGhpcz8gVGhpcyBzZWVtcyB1bnVzdWFsIGFuZCBub3Qgc29tZXRoaW5nIHRo YXQgaXMgc3VwcG9ydGVkIGJ5IG90aGVyIHNlY3VyaXR5IHByb3RvY29scyBzdWNoIGFzIElQc2Vj IG9yIFRMUyB0byB0aGUgYmVzdCBvZiBvdXIga25vd2xlZGdlLjwvc3Bhbj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDss c2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PHNwYW4g c3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFu JnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+SSBiZWxpZXZlIGEg bW9yZSBjb21tb24gb3V0Y29tZSBvZiBhIGZhaWxlZCBhdXRoZW50aWNhdGlvbiBpcyB0aGF0IHRo ZSBlbnRpcmUgcGFja2V0IHdvdWxkIGJlIGRyb3BwZWQuIEFzIHByZXZpb3VzbHkgbm90ZWQsIHRo ZSBjdXJyZW50IHRleHQgZG9lcyBub3QgcHJlY2x1ZGUgdGhpcy4gSXQgc2VlbXMgbGlrZSBnb2lu ZyBiZXlvbmQgdGhpcyB3b3VsZCByZXN1bHQNCiBpbiBzaWduaWZpY2FudCBjb21wbGV4aXR5LCBi b3RoIGZvciBwcm9jZXNzaW5nIG9wdGlvbnMgaW4gdGhpcyBzcGVjaWZpYyBjYXNlIGFzIHdlbGwg YXMgdGhlIHBvc3NpYmlsaXR5IG9mIGludHJvZHVjaW5nIGFtYmlndWl0eSBpbiBob3cgb3RoZXIg b3B0aW9ucyBtaWdodCBiZSBkZWZpbmVkIG9yIHByb2Nlc3NlZCBhcyBhbiB1bmludGVuZGVkIGNv bnNlcXVlbmNlLiBXaXRob3V0IGEgc3Ryb25nIHVzZSBjYXNlLCB0aGlzIGRvZXMgbm90IHNlZW0N CiBkZXNpcmFibGUuPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNv bG9yOiMxRjQ5N0QiPiZsdDsvJmd0Ozwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LHNlcmlmIj4tLSBjb21tZW50IDI6PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPlRo YW5rcyBmb3IgdGhlIHJlc3BvbnNlIHRoYXQgY2xhcmlmaWVzIGEgYml0IG15IHVuZGVyc3RhbmRp bmcgb2YgdGhlPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj50cmFuc2l0IGRl dmljZXMuLiBJIGJlbGlldmUgdGhlIGlzc3VlIEkgaGF2ZSBpcyByZWxhdGVkIHRvIHRoZSB0cmFu c2l0PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5kZXZpY2VzIHdoaWNoIEkg ZG8gbm90IHNlZSwgdW5sZXNzIEkgYW0gd3JvbmcsIG1lZXRpbmcgdGhlIHJlcXVpcmVtZW50czxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Zm9yIGJlaW5nIE9QVElPTkFMIGFu ZCB0aGF0IHNlZW1zIC0gYXQgbGVhc3QgdG8gbWUgLSBjb250cmFkaWN0aW5nIHRoZTxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+c3RhdHVzIG9mIGVuZC10by1lbmQgcHJvdG9j b2wuIEFzIHN1Z2dlc3RlZCBpbiBbMV0sIHRyYW5zaXQgZGV2aWNlcyBzZWVtIHRvIHJhaXNlPG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5hcmNoaXRlY3R1cmFsIGNvbmNlcm5z IHRoYXQgaXMgbm90IG5lZWRlZC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2 Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYi PiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+WW91IGFyZSBjb3Jy ZWN0IHRoYXQgdGhlIHRleHQgaXMgY2xlYXIgdGhhdCB0cmFuc2l0IGRldmljZXMgYXJlPG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5PUFRJT05BTC4gSG93ZXZlciwgbXkgdW5k ZXJzdGFuZGluZyBvZiBPUFRJT05BTCBmcm9tIDIxMTkgaXMgdGhhdCB0aGVyZSZuYnNwOzxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YXJlIHR3byBzaWRlcyBvZiBpdC4gT25l IGlzIHRoYXQgYSB2ZW5kb3IgbWF5IGltcGxlbWVudCBpdCBvciBub3QsIGJ1dDxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dGhlIG90aGVyIHNpZGUgaXMgdGhhdCBpbnRlcm9w ZXJhYmlsaXR5IHdpdGggb3RoZXIgaW1wbGVtZW50YXRpb25zIGFyZTxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+bm90IGFmZmVjdGVkLiBJbiB0aGlzIGNhc2UsIHR3byBHZW5l dmUgZW5kcG9pbnRzIHVzaW5nIFRMUyBvciBJUHNlYyB3aWxsPG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LHNlcmlmIj5ub3QgYmUgYWJsZSB0byBpbnRlcm9wZXJhdGUgd2l0aCBhbiBpbXBs ZW1lbnRhdGlvbiBiYXNlZCBvbiB0cmFuc2l0PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7 LHNlcmlmIj5kZXZpY2VzICh1bmxlc3MgdGhlIHByb2Nlc3MgYmVpbmcgcGVyZm9ybWVkIGJ5IHRo ZSB0cmFuc2l0IGRldmljZXMgaXM8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2 Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYi PmFsc28gcGVyZm9ybWVkIGJ5IHRoZSBOVkUpLiBJbiB0aGF0IHNlbnNlLCBJIGJlbGlldmUgT1BU SU9OQUwgc3RhdGVtZW50PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5pcyBu b3QgYXBwcm9wcmlhdGVkIGhlcmUuLiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2 Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5BbiBp bXBsZW1lbnRhdGlvbiB3aXRoIHRyYW5zaXQgZGV2aWNlcyBzZWVtcyB0byBwcmV2ZW50IHRoZSZu YnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+aW50ZXJvcGVyYWJpbGl0 eSBvZiB3aXRoIGFuIGltcGxlbWVudGF0aW9uIHdoZXJlJm5ic3A7IG9wdGlvbnMgYXJlIHRyZWF0 ZWQmbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtm b250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmJ5IHRoZSBOVkUg b3ZlciBhIHNlY3VyZSBjaGFubmVsLiBJZiB3ZSBzdXBwb3NlIHRoYXQgTlZFIGFuZCZuYnNwOzxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dHJhbnNpdCBkZXZpY2VzIHN1cHBv cnQgdGhlIHNhbWUgb3B0aW9ucywgdGhlbiB0cmFuc2l0IGRldmljZXMgYXJlIG5vdCZuYnNwOzxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+bmVjZXNzYXJ5IGFuZCBjb3VsZCBi ZSByZW1vdmVkIGZyb20gdGhlIHNwZWNpZmljYXRpb24uIElmIG9wdGlvbnM8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPnN1cHBvcnRlZCBieSB0cmFuc2l0IGRldmljZXMgYXJl IGRpZmZlcmVudCBmcm9tIHRob3NlIHN1cHBvcnRlZCBieSZuYnNwOzxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+dGhlIE5WRSwgaW50ZXJvcGVyYWJpbGl0eSB3aWxsIG5vdCBi ZSBhY2hpZXZlZC4gVHJhbnNpdCBkZXZpY2Ugd2lsbCBub3QgYmUmbmJzcDs8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmFibGUgdG8gcHJvY2VzcyB0aGUgb3B0aW9ucywgcmVz dWx0aW5nIGluIG9wdGlvbnMgd2lsbCBiZSBpZ25vcmVkICh3aGlsZSZuYnNwOzxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YmVpbmcgc3VwcG9ydGVkIGJ5IHRoZSBpbXBsZW1l bnRhdGlvbikuLiBJbiBhZGRpdGlvbiwmbmJzcDtpZiB0aGUgb3B0aW9ucyZuYnNwOzxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YXJlIGNyaXRpY2FsLCB0aGUgTlZFIGlzIGxp a2VseSB0byBkcm9wIHRoZSBwYWNrZXQgYXMgaXQgZG9lcyBub3Qgc3VwcG9ydCZuYnNwOzxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dGhlIG9wdGlvbi4mbmJzcDs8bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVv dDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+SW4gYWRkaXRpb24sIEkgaGF2ZSBzb21lIGhhcmQgdGltZSB0byB1 bmRlcnN0YW5kIHRoZSBlbmQtdG8tZW5kIG1vZGVsJm5ic3A7PG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LHNlcmlmIj53aXRoIGEgdHJhbnNpdCBkZXZpY2UgZXZlbiBvcHRpb25hbC4gSSBi ZWxpZXZlIHRoYXQgZW5kLXRvLWVuZCBwcm90b2NvbDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+aXMgYSBnb29kIHBhdGgsIHRob3VnaC4gSG93ZXZlciwgbXkgdW5kZXJzdGFu ZGluZyBvZiBlbmQtdG8tZW5kIHByb3RvY29sPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7 LHNlcmlmIj5pcyB0aGF0IHRoZXkgc2hvdWxkIG9ubHkgaW52b2x2ZSB0d28gZW5kIHBvaW50cy4g SSBzZWUgdGhlIE5WRSBhcyBlbmQ8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2 Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYi PnBvaW50cyBidXQgdGhlIG9wdGlvbmFsIHRyYW5zaXQgZGV2aWNlIGRvZXMgbm90IHNlZW1zIHRv IGJlIG9uZSBvZjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dGhlc2UuIEhv d2V2ZXIsIHRvIGhlbHAgbWUgdW5kZXJzdGFuZCBiZXR0ZXIgdGhpcywgYXMgaXQgc2VlbXMgR2Vu ZXZlIGlzJm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5zaW1pbGFy IHRvIG90aGVyIGVuZC10by1lbmQgcHJvdG9jb2wsIG1heWJlIHlvdSBjb3VsZCBwcm92aWRlIHNp bWlsYXImbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmVuZC10by1l bmQgcHJvdG9jb2wgdGhhdCBpbnZvbHZlcyBhIHRyYW5zaXQgZGV2aWNlcyBvciBzb21ldGhpbmcg c2ltaWxhci4mbmJzcDsgJm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rp dj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlm Ij4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8 ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9u dC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2Vy aWYiPkkgYWxzbyBoYXZlIGFub3RoZXIgY2xhcmlmaWNhdGlvbiByZWdhcmRpbmcgdHJhbnNpdCBk ZXZpY2UuIEkgc2VlIHRoZXNlPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj50 cmFuc2l0IGRldmljZXMgYXMgYWRkaW5nIGEgbG90IG9mIGNvbXBsZXhpdHkgdG8gdGhlIGVuZC10 by1lbmQgbW9kZWw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPndpdGggbGl0 dGxlIGJlbmVmaXRzLiBUeXBpY2FsbHksIGFzIGZhciBhcyBJIHVuZGVyc3RhbmQsIHRoZXkgY2Fu IG9ubHk8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250 LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPnJlYWQgYW4gb3B0aW9u LiBJIGFtIHRodXMgd29uZGVyaW5nIHdoZXRoZXIgd2Ugc2hvdWxkIG5vdCBiZSBiZXR0ZXIgb2Zm PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5yZW1vdmluZyB0aGVtIGZyb20g dGhlIHNwZWNpZmljYXRpb24uIFRoaXMgd291bGQgZW5kIHVwIHdpdGggYSBjbGVhcjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ZW5kLXRvLWVuZCBtb2RlbC4gUmV2ZXJzZWx5 LCBJIGRvIG5vdCBzZWUgYW55dGhpbmcgcHJldmVudGluZyBhIHZlbmRvcjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dG8gaW1wbGVtZW50IHRoZW0gYXQgbGVhc3QgZm9yIHVu c2VjdXJlIGRlcGxveW1lbnRzLiBSZW1vdmluZyB0aGVtJm5ic3A7PG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj5mcm9tIHRoZSBzcGVjaWZpY2F0aW9uIHdvdWxkIGxlYXZlIHRo ZSB0cmFuc2l0IGRldmljZXMgYXMgaW1wbGVtZW50YXRpb24mbmJzcDs8bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPnNwZWNpZmljLiBXaGF0IGFyZSBhY3R1YWxseSB0aGUgYmVu ZWZpdHMgb2YgdGhlIHRyYW5zaXQgZGV2aWNlcyB0aGF0IHdvdWxkJm5ic3A7PG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5qdXN0aWZ5IHRoZW0gdG8gYmUgcGFydCBvZiB0aGUg c3BlY2lmaWNhdGlvbj88bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFu PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPiZsdDtJ bGFuZ28mZ3Q7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9y OiMxRjQ5N0QiPlRyYW5zaXQgZGV2aWNlcyBleGlzdHMgaW4gdGhlIHVuZGVybGF5IG5ldHdvcmss IHRoZXNlIGFyZSBzaW1wbHkgZm9yd2FyZGluZyBlbGVtZW50cyAoZS5nLiBzd2l0Y2hlcywgcm91 dGVycykgdGhhdCBnZW5lcmFsbHkgZm9yd2FyZHMgcGFja2V0cyBiYXNlZCBvbiBvdXRlciBoZWFk ZXIgaW5mb3JtYXRpb24sIHRoZXJlIGlzIG5vdGhpbmcgdGhhdCBzdG9wcyBzdWNoDQogZGV2aWNl cyBmcm9tIHJlYWRpbmcgdGhlIGNvbnRlbnRzIGlmIHRoZSBkYXRhIGlzIGluIHRoZSBjbGVhci4m bmJzcDsgVGhpcyB3b3JrcyB3aXRoIGFueSB0cmFuc3BvcnQgcHJvdG9jb2xzIGxpa2UgSVAsIElQ IGluIElQLCBHUkUsIFZYTEFOLCBldGMuJm5ic3A7IEZvciBleGFtcGxlLCByb3V0ZXJzIG1heSBs b29rIGF0IGhlYWRlcnMgYW5kL29yIGlubmVyIHBheWxvYWQgZm9yIEVDTVAgcHVycG9zZXMgb3Ig Zm9yIHN0YXRpc3RpY3Mgb3IgbG9nZ2luZyBwdXJwb3Nlcy4NCiBJZiB0aGUgcGFja2V0IGlzIGVu Y3J5cHRlZCB0aGVuIHN1Y2ggdHJhbnNpdCBkZXZpY2VzIGNhbm5vdCBsb29rIGludG8gdGhlIHBh Y2tldHMgYnV0IHdvdWxkIHNpbXBseSBmb3J3YXJkIGJhc2VkIG9uIHRoZSBvdXRlciBoZWFkZXJz IGFuZCB1c2UgaW5mb3JtYXRpb24gaW4gb3V0ZXIgaGVhZGVycyBmb3IgZW50cm9weS4gVGhlcmUg aXMgbm8gaW50ZXJvcGVyYWJpbGl0eSBpc3N1ZSBiZXR3ZWVuIHRoZSBlbmRwb2ludHMuIEdlbmV2 ZSBpcyBubyBkaWZmZXJlbnQuPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj5SZWNvZ25pemluZyB0aGUgZmFjdCB0aGF0IHN1Y2gg YSBkZXZpY2UgaXMgYW55d2F5IGdvaW5nIHRvIGV4aXN0IGluIHRoZSBuZXR3b3JrLCBHZW5ldmUg ZHJhZnQgcHJvdmlkZXMgZ3VpZGFuY2Ugb24gaG93IHRvIGhhbmRsZSBHZW5ldmUgaGVhZGVycyAo aWYgYSBkZXZpY2UgaGFzIHRoZSBvcHRpb24gdG8gZG8gc28pLiZuYnNwOyBHZW5ldmUgb3B0aW9u cyBhcmUgcGFydA0KIG9mIEdlbmV2ZSBoZWFkZXIsIGEgdHJhbnNpdCBkZXZpY2UgdGhhdCBpcyBj YXBhYmxlIG9mIGludGVycHJldGluZyBHZW5ldmUgaGVhZGVycyBtYXkgaW50ZXJwcmV0IGFuIG9w dGlvbiBvciBza2lwIG92ZXIgdGhlIG9wdGlvbiB0byB2aWV3IHRoZSBwYXlsb2FkLCBldGMuJm5i c3A7IElmIGEgdHJhbnNpdCBkZXZpY2UgaXMgbm90IGFibGUgaW50ZXJwcmV0IHRoZSBoZWFkZXIg b3Igb3B0aW9uLCBpdCBoYXMgdG8gc2ltcGx5IHVzZSB0aGUgb3V0ZXIgaGVhZGVyDQogdG8gZm9y d2FyZCB0aGUgcGFja2V0IChvdXRlciBJUC9VRFApLiBUaGlzIGlzIHdoYXQgdGhlIEdlbmV2ZSBk cmFmdCBjbGFyaWZpZXMuPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJjb2xvcjojMUY0OTdEIj5UaGVzZSBndWlkZWxpbmVzIHJlZHVjZSBwb3NzaWJsZSBp bnRlcm9wZXJhYmlsaXR5IGlzc3VlcyBjb21wYXJlZCB0byBpZiBiZWhhdmlvciB3YXMgbGVmdCB1 bmRlZmluZWQuIEZvciBleGFtcGxlLCB0cmFuc2l0IGRldmljZXMgYXJlIG5vdCBhbGxvd2VkIHRv IGRyb3AgcGFja2V0cyBvciBmYWxsIGJhY2sgdG8gYSBzbG93IHBhdGggb24gdGhlIGJhc2lzIG9m IGFuDQogdW5rbm93biBvcHRpb24uIElmIHRoaXMgd2VyZSB0byBoYXBwZW4sIGl0IHdvdWxkIGhh bXBlciB0aGUgaW50cm9kdWN0aW9uIG9mIG5ldyBvcHRpb25zLiBJdCBtaWdodCBhbHNvIGJlIHdv cnRoIG1lbnRpb25pbmcgdGhhdCBhbnl0aGluZyB0aGF0IGNvdWxkIGJlIGNvbnNpZGVyZWQgYSBt aWRkbGVib3ggaXMgbm90IGEgdHJhbnNpdCBkZXZpY2UgYnV0IG5lZWRzIHRvIGJlIG1vZGVsZWQg YXMgYW4gZW5kcG9pbnQgYW5kIHNvIEdlbmV2ZSByZWFsbHkNCiBzaG91bGQgYmUgdmlld2VkIGFz IGEgdHVubmVsIGVuZHBvaW50LXRvLWVuZHBvaW50IHByb3RvY29sLjwvc3Bhbj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVv dDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbHQ7ZW5kJmd0Ozwvc3Bh bj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9k aXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPlsxXTxzcGFuIGNsYXNzPSJnbWFpbC1t LTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNvbnZl cnRlZC1zcGFjZSI+Jm5ic3A7PC9zcGFuPjxhIGhyZWY9Imh0dHBzOi8vbWFpbGFyY2hpdmUuaWV0 Zi5vcmcvYXJjaC9tc2cvbnZvMy9la0xvZmhxOGVyUkxFX01zdWs4Tl9TQ2RoY3MiIHRhcmdldD0i X2JsYW5rIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5odHRwczovL21haWxhcmNoaXZlLmll dGYub3JnL2FyY2gvbXNnL252bzMvZWtMb2ZocThlclJMRV9Nc3VrOE5fU0NkaGNzPC9zcGFuPjwv YT48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZh bWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0K PC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPllvdXJzLCZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+RGFuaWVsJm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYi PiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5PbiBTYXQsIE1hciAy LCAyMDE5IGF0IDg6MTggUE0gR2FuZ2EsIElsYW5nbyBTICZsdDs8YSBocmVmPSJtYWlsdG86aWxh bmdvLnMuZ2FuZ2FAaW50ZWwuY29tIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5pbGFuZ28u cy5nYW5nYUBpbnRlbC5jb208L3NwYW4+PC9hPiZndDsgd3JvdGU6PG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6bm9uZTtib3Jk ZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNi4wcHQ7bWFy Z2luLWxlZnQ6NC44cHQ7bWFyZ2luLXRvcDo1LjBwdDttYXJnaW4tcmlnaHQ6MGluO21hcmdpbi1i b3R0b206NS4wcHQiPg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPkhpIERhbmllbCw8L3NwYW4+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7 LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPkxldCB1cyBiZSBz cGVjaWZpYy4gSSBzZWUgdGhhdCB5b3UgaGF2ZSB0d28gY29tbWVudHMgb24gdGhlIGxhdGVzdCBk cmFmdC1pZXRmLW52bzMtZ2VuZXZlLTA5LiZuYnNwOyBQbGVhc2Ugc2VlIGJlbG93IGZvciByZXNw b25zZXMgdG8geW91ciBjb21tZW50cy48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iY29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPkNvbW1lbnQgMTo8L3NwYW4+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPk9MRDxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+Jm5ic3A7ICZuYnNwO28mbmJzcDsgQW4gb3B0aW9uIFNIT1VMRCBOT1QgYmUgZGVwZW5kZW50 IHVwb24gYW55IG90aGVyIG9wdGlvbiBpbiB0aGU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNw OyAmbmJzcDsgJm5ic3A7IHBhY2tldCwgaS5lLiwgb3B0aW9ucyBjYW4gYmUgcHJvY2Vzc2VkIGlu ZGVwZW5kZW50IG9mIG9uZSBhbm90aGVyLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7ICZu YnNwOyAmbmJzcDsgQW4gb3B0aW9uIE1VU1QgTk9UIGFmZmVjdCB0aGUgcGFyc2luZyBvciBpbnRl cnByZXRhdGlvbiBvZiBhbnk8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZh bWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDsgJm5i c3A7IG90aGVyIG9wdGlvbi48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZh bWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+TkVXPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVv dDssc2VyaWYiPiZuYnNwOyAmbmJzcDtvJm5ic3A7IEFuIG9wdGlvbiBTSE9VTEQgTk9UIGJlIGRl cGVuZGVudCB1cG9uIGFueSBvdGhlciBvcHRpb24gaW4gdGhlPG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlm Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyBwYWNrZXQsIGkuZS4sIG9wdGlvbnMgY2FuIGJlIHByb2Nl c3NlZCBpbmRlcGVuZGVudCBvZiBvbmUgYW5vdGhlci48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZu YnNwOyAmbmJzcDsgJm5ic3A7IEFuIG9wdGlvbiBTSE9VTEQgTk9UIGFmZmVjdCB0aGUgcGFyc2lu ZyBvciBpbnRlcnByZXRhdGlvbiBvZiBhbnk8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAm bmJzcDsgJm5ic3A7IG90aGVyIG9wdGlvbi48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+ Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0K PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMx RjQ5N0QiPiZsdDtJbGFuZ28mZ3Q7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g c3R5bGU9ImNvbG9yOiMxRjQ5N0QiPkFyY2hpdGVjdHVyYWxseSBHZW5ldmUgb3B0aW9ucyBjYW4g YmUgcHJvY2Vzc2VkIGluZGVwZW5kZW50IG9mIG9uZSBhbm90aGVyLiBUaGUgc2Vjb25kIHN0YXRl bWVudCBjbGVhcmx5IHN0YXRlcyB0aGF0IHBhcnNpbmcgb3IgaW50ZXJwcmV0YXRpb24gb2Ygb25l IG9wdGlvbiBtdXN0IG5vdCBhZmZlY3QgdGhlIG90aGVyLiZuYnNwOyBUaGlzIGlzIGEgcmVhc29u YWJsZSBjb25zdHJhaW50DQogdG8gYXZvaWQgbmVzdGVkIGRlcGVuZGVuY2llcy4gT3B0aW9ucyBj YW4gYmUgZGVzaWduZWQgdG8gd29yayB3aXRoIHRoZSByZXF1aXJlbWVudHMgc3BlY2lmaWVkIGlu IEdlbmV2ZS48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6 IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImNvbG9yOiMxRjQ5N0QiPkxldCB1cyB0YWtlIHNwZWNpZmljIGV4YW1wbGVzOjwvc3Bhbj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj5XZSBjb3VsZCB0 aGluayBvZiBhIGRlc2lnbiBvZiBhIEhlYWRlciBJbnRlZ3JpdHkgY2hlY2sgb3B0aW9uIChyZWxh dGVkIHRvIHlvdXIgZXhhbXBsZSkuIEluIHRoaXMgY2FzZSBpZiB0aGUgaGVhZGVyIGludGVncml0 eSBjaGVjayBmYWlscywgYXMgYSByZXN1bHQgdGhlIGVudGlyZSBoZWFkZXIgaXMgaW52YWxpZCBh bmQgaGVuY2UgdGhlIG1vc3QgbGlrZWx5IG91dGNvbWUNCiBvZiBhIGZhaWxlZCBjaGVjayBpcyB0 aGF0IHRoZSBwYWNrZXQgYmVpbmcgZHJvcHBlZCAoaW5jbHVkaW5nIGFueSBvcHRpb25zIGluIHRo YXQgcGFja2V0IHdoZXRoZXIgcGFyc2VkL2ludGVycHJldGVkIG9yIG5vdCkuIFRoZSBjdXJyZW50 IHRleHQgZG9lcyBub3QgcHJlY2x1ZGUgdGhlIHBhY2tldCBiZWluZyBkcm9wcGVkIGFzIHJlc3Vs dCBvZiBmYWlsdXJlLjxzcGFuIGNsYXNzPSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFp bC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1zcGFjZSI+Jm5ic3A7PC9zcGFu Pjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU aW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdE Ij4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6 IzFGNDk3RCI+SXQgaXMgcG9zc2libGUgdG8gZGVzaWduIG9wdGlvbnMsIGluY2x1ZGluZyBhbnkg c2VjdXJpdHkgb3B0aW9ucywgd2l0aCB0aGVzZSBjb25zdHJhaW50cy4mbmJzcDsgV2UgZG9uJ3Qg c2VlIGEgcmVhc29uIHRvIGNoYW5nZSB0aGlzIHJlcXVpcmVtZW50IHRoYXQgbWF5IGhhdmUgdW5p bnRlbmRlZCBjb25zZXF1ZW5jZXMuPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g c3R5bGU9ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj5Db21tZW50IDI6PC9zcGFuPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0K PC9ibG9ja3F1b3RlPg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+ DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0ND QyAxLjBwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdp bi10b3A6NS4wcHQ7bWFyZ2luLXJpZ2h0OjBpbjttYXJnaW4tYm90dG9tOjUuMHB0Ij4NCjxkaXY+ DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ TkVXPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5TZWN1cml0eSBDb25zaWRlcmF0aW9uPG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g c3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFu JnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250 LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPkdlbmV2ZSBPdmVybGF5 IG1heSBiZSBzZWN1cmVkIHVzaW5nIGJ5IHByb3RlY3RpbmcgdGhlIE5WRS10by1OVkU8bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPmNvbW11bmljYXRpb24gdXNpbmcgSVBzZWMgb3IgRFRMUy4gSG93ZXZl ciwgc3VjaCBtZWNoYW5pc21zIGNhbm5vdCBiZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YXBwbGll ZCBmb3IgZGVwbG95bWVudHMgdGhhdCBpbmNsdWRlIHRyYW5zaXQgZGV2aWNlcy4uJm5ic3A7PG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPlNvbWUgZGVw bG95bWVudCBtYXkgbm90IGJlIGFibGUgdG8gc2VjdXJlIHRoZSBmdWxsIGNvbW11bmljYXRpb24g dXNpbmc8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU aW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPklQc2VjIG9yIERUTFMgYmV0d2VlbiB0aGUgTlZF cy4gVGhpcyBjb3VsZCBiZSBtb3RpdmF0ZWQgYnkgdGhlIHByZXNlbmNlPG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7 LHNlcmlmIj5vZiB0cmFuc2l0IGRldmljZXMgb3IgYnkgYSByaXNrIGFuYWx5c2lzIHRoYXQgY29u Y2x1ZGVzIHRoYXQgdGhlIEdlbmV2ZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+cGFja2V0IGJlIG9u bHkgcGFydGlhbGx5IHByb3RlY3RlZCAtIHR5cGljYWxseSByZWR1Y2VkIHRvIHRoZSBHZW5ldmU8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPkhlYWRlciBpbmZvcm1hdGlvbi4gSW4gc3VjaCBjYXNlcyBH ZW5ldmUgc3BlY2lmaWMgbWVjaGFuaXNtcyBuZWVkcyB0byBiZTxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+ZGVzaWduZWQuJm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwv c3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4m bHQ7SWxhbmdvJmd0OyBUaGUgY2hhbGxlbmdlIGlzLCB5b3UgYXJlIGFza2luZyB0byBpbXBvc2Ug cmVxdWlyZW1lbnRzIHRoYXQgaXMgbm90IHN1cHBvcnRlZCBieSBHZW5ldmUgYXJjaGl0ZWN0dXJl LiBHZW5ldmUgaGFzIGFuIG9wdGlvbmFsIGZlYXR1cmUgd2hlcmUgdHJhbnNpdCBkZXZpY2VzIG1h eSBiZSBhYmxlIHRvIGludGVycHJldCBHZW5ldmUgb3B0aW9ucy4gSG93ZXZlcg0KIHRoaXMgaXMg bm90IGEgcmVxdWlyZW1lbnQgZm9yIEdlbmV2ZSBvcGVyYXRpb24gYmV0d2VlbiB0dW5uZWwgZW5k IHBvaW50IHRvIHR1bm5lbCBlbmQgcG9pbnQuIFdlIGhhdmUgdHJpZWQgbWFrZSB0aGlzIHZlcnkg Y2xlYXIgYnkgYWRkaW5nIGNsYXJpZnlpbmcgdGV4dCBkdXJpbmcgdGhlIGxhc3QgdHdvIHJldmlz aW9ucy4gSWYgdGhlIEdlbmV2ZSBwYWNrZXQgaXMgaW4gdGhlIGNsZWFyIHRoZW4gdHJhbnNpdCBk ZXZpY2VzIG1heSBiZSBhYmxlIHRvDQogdmlldyB0aGUgR2VudmUgaGVhZGVyLCBvcHRpb25zLCBh bmQgdGhlIHBheWxvYWQuIEhvd2V2ZXIgaWYgdGhlIHBhY2tldCBpcyBlbmNyeXB0ZWQgdGhlbiB0 cmFuc2l0IGRldmljZXMgY2Fubm90IHZpZXcgdGhlIHBhY2tldCBjb250ZW50cy4gVGhpcyBpcyBj b25zaXN0ZW50IHdpdGggb3RoZXIgdHJhbnNwb3J0IHByb3RvY29scyBlbmNyeXB0aW5nIHRoZSBw YWNrZXRzLiBTbyB3ZSBkb24ndCBzZWUgYSByZWFzb24gd2h5IEdlbmV2ZSBzaG91bGQgYmUNCiBk aWZmZXJlbnQuICZuYnNwOyZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+R2VuZXZlIGlzIGFuIGVuZCB0byBlbmQgcHJv dG9jb2wgYmV0d2VlbiB0dW5uZWwgZW5kcG9pbnRzIGFuZCB0aGUgTlZFcyBkZWNpZGUgdG8gc2Vj dXJlIChlbmNyeXB0KSB0aGUgcGFja2V0cyBiZXR3ZWVuIHR1bm5lbCBlbmRwb2ludHMuIElmIGEg bWlkZGxlIGJveCBoYXMgYSBuZWVkIHRvIHNlZSBhbiBlbmNyeXB0ZWQgcGFja2V0LCB0aGVuIGl0 IGhhcyB0byBpbXBsZW1lbnQNCiB0dW5uZWwgZW5kcG9pbnQgZnVuY3Rpb25hbGl0eS48L3NwYW4+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+Jm5ic3A7 PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0Qi PldlIGFscmVhZHkgaGF2ZSB0ZXh0IGluIDYuNCBzZWN1cml0eSBjb25zaWRlcmF0aW9uIHNlY3Rp b24gdGhhdCBwcm92aWRlcyBjbGVhciBndWlkYW5jZSB0byB0aGUgb3BlcmF0b3JzLjwvc3Bhbj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcg Um9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDs8 L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+ U28gd2UgZG9uJ3Qgc2VlIGEgZ29vZCByZWFzb24gdG8gYWRkIHRoZSBzdWdnZXN0ZWQgdGV4dCBh Ym92ZS48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFG NDk3RCI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj5Gb3IgYSBjb21wbGV0ZSB0aHJlYXQgYW5hbHlzaXMsIGEgc2VjdXJpdHkgYW5hbHlzaXMg b2YgR2VuZXZlIG9yIHNvbWU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZh bWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmd1aWRlIGxpbmVzIHRvIHNl Y3VyZSBhIEdlbmV2ZSBvdmVybGF5IG5ldHdvcmssIHBsZWFzZSByZWZlciB0bzxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+W2RyYWZ0LW1nbHQtbnZvMy1nZW5ldmUtc2VjdXJpdHktcmVxdWlyZW1lbnRz XSBhcyB3ZWxsIGFzPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5bZHJhZnQtaWV0Zi1udm8zLXNlY3Vy aXR5LXJlcXVpcmVtZW50c10uPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwv c3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4m bHQ7SWxhbmdvJmd0Ozwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZh bWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJj b2xvcjojMUY0OTdEIj5UaGUgc2VjdXJpdHkgcmVxdWlyZW1lbnRzIGRvY3VtZW50ICZuYnNwO21h a2VzIGNlcnRhaW4gYXNzdW1wdGlvbnMgdGhhdCBpcyB1bnN1cHBvcnRlZCBieSBHZW5ldmUgYXJj aGl0ZWN0dXJlLiBXZSBoYXZlIHRyaWVkIHRvIGNsYXJpZnkgdGhpcyBtdWx0aXBsZSB0aW1lcywg aG93ZXZlciB5b3UgaGF2ZSBzdGlsbCBtYWludGFpbmVkIHRoaXMgaW4gdGhlIHJlcXVpcmVtZW50 cw0KIGRvY3VtZW50LiBTbyB0aGlzIG5lZWRzIHRvIGJlIGFkZHJlc3NlZC4gQWxzbyB0aGUgZG9j dW1lbnQgaXMgbm90IHlldCBhZG9wdGVkIGJ5IHRoZSB3b3JraW5nIGdyb3VwLjwvc3Bhbj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3Nw YW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMg TmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+TW9y ZW92ZXIsIEdlbmV2ZSBzZWN1cml0eSBjb25zaWRlcmF0aW9uIHNlY3Rpb24gaGFzIGJlZW4gc2ln bmlmaWNhbnRseSBlbmhhbmNlZCB0byBwcm92aWRlIGd1aWRhbmNlIHRvIG9wZXJhdG9ycyBhbmQg dG8gYWRkcmVzcyB0aGUgY29tbWVudHMuIFNvIGJvdGggZG9jdW1lbnRzIGNhbiBwcm9ncmVzcyBp bmRlcGVuZGVudGx5Ljwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZh bWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJj b2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj48bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iY29sb3I6IzFGNDk3RCI+VGhhbmtzLDwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPjxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj5JbGFuZ288L3NwYW4+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcg Um9tYW4mcXVvdDssc2VyaWYiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxhIG5hbWU9Im1fLTM0MzcyNjU4MTQ0MTEyNTY0NTVfbV8y NTU3ODI3NjA4MDcyMjAiPjwvYT48c3Ryb25nPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVv dDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPkZyb206PC9zcGFuPjwvc3Ryb25nPjxzcGFuIGNs YXNzPSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5 MWFwcGxlLWNvbnZlcnRlZC1zcGFjZSI+Jm5ic3A7PC9zcGFuPkRhbmllbCBNaWdhdWx0DQogW21h aWx0bzo8YSBocmVmPSJtYWlsdG86ZGFuaWVsLm1pZ2F1bHRAZXJpY3Nzb24uY29tIj48c3BhbiBz dHlsZT0iY29sb3I6cHVycGxlIj5kYW5pZWwubWlnYXVsdEBlcmljc3Nvbi5jb208L3NwYW4+PC9h Pl08c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4Mjc2 MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj48YnI+DQo8c3Ry b25nPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2Vy aWYiPlNlbnQ6PC9zcGFuPjwvc3Ryb25nPjxzcGFuIGNsYXNzPSJnbWFpbC1tLTM0MzcyNjU4MTQ0 MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1zcGFjZSI+ Jm5ic3A7PC9zcGFuPlNhdHVyZGF5LCBNYXJjaCAyLCAyMDE5IDg6NDkgQU08YnI+DQo8c3Ryb25n PjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYi PlRvOjwvc3Bhbj48L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2 NDU1Z21haWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNw Ozwvc3Bhbj5Cb2NjaSwgTWF0dGhldyAoTm9raWEgLSBHQikgJmx0OzxhIGhyZWY9Im1haWx0bzpt YXR0aGV3LmJvY2NpQG5va2lhLmNvbSI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+bWF0dGhl dy5ib2NjaUBub2tpYS5jb208L3NwYW4+PC9hPiZndDs8YnI+DQo8c3Ryb25nPjxzcGFuIHN0eWxl PSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPkNjOjwvc3Bhbj48 L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1 NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj48YSBo cmVmPSJtYWlsdG86ZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZUBpZXRmLm9yZyI+PHNwYW4gc3R5bGU9 ImNvbG9yOnB1cnBsZSI+ZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZUBpZXRmLm9yZzwvc3Bhbj48L2E+ Ow0KIFBhbmthaiBHYXJnICZsdDtwYW5rYWpnPTxhIGhyZWY9Im1haWx0bzo0MG1pY3Jvc29mdC5j b21AZG1hcmMuaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUiPjQwbWljcm9zb2Z0 LmNvbUBkbWFyYy5pZXRmLm9yZzwvc3Bhbj48L2E+Jmd0OzsgTlZPMyAmbHQ7PGEgaHJlZj0ibWFp bHRvOm52bzNAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUiPm52bzNAaWV0Zi5v cmc8L3NwYW4+PC9hPiZndDs8YnI+DQo8c3Ryb25nPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTom cXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPlN1YmplY3Q6PC9zcGFuPjwvc3Ryb25nPjxz cGFuIGNsYXNzPSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3 MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1zcGFjZSI+Jm5ic3A7PC9zcGFuPlJlOiBbbnZvM10gV29y a2luZyBHcm91cCBMYXN0IENhbGwgYW5kIElQUiBQb2xsIGZvciBkcmFmdC1pZXRmLW52bzMtZ2Vu ZXZlLTA4LnR4dDxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJz cDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtm b250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPkhpIE1hdHQsPG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDsmbmJzcDs8bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU aW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+WW91IGFyZSBjb3JyZWN0LCB0aGlzIGlzIGF0IGxlYXN0IG5vdCBhbiBy ZWd1bGFyIHByb2Nlc3MgdG8gaGF2ZSBhPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8 L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj5zdGFuZGFyZCB0cmFjayBkb2N1bWVudCBiZWluZyB1cGRhdGVkIGJ5IGFuIGluZm9ybWF0 aW9uYWwuIEkgZG8gbm90IHNlZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+ DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ ZWl0aGVyIGFueSByZXF1aXJlbWVudHMgZm9yIGhhdmluZyBhIFdHIHN0YXR1cyB0byBiZWNvbWUg YSByZWZlcmVuY2UsPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5idXQgdGhh dCBpcyBzb21ldGhpbmcgd2UgY291bGQgY29uZmlybSB3aXRoIHRoZSBSRkMtZWRpdG9yLjxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj5CYWNrIHRvIHRoZSBpbml0aWFsIHN1Z2dlc3Rpb24sIEkgYWxz byBiZWxpZXZlIHRoZSBkaWZmaWN1bHRpZXMgb2YgdXBkYXRpbmcmbmJzcDs8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPnRoZSBHZW5ldmUgc3BlY2lmaWNhdGlvbnMgYXJlIGZh ciBsZXNzIGNvbXBsZXggdGhhbiB1cGRhdGluZyB0aGUmbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcg Um9tYW4mcXVvdDssc2VyaWYiPmltcGxlbWVudGF0aW9uLCBhbmQgZm9yIHRoYXQgc3BlY2lmaWMg cmVhc29uLCBpdCB3b3VsZCBiZSBnb29kIHdlIGhhdmUgYSZuYnNwOzxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+Y29uc2Vuc3VzIG9uIHRoZSBzZWN1cml0eSBhbmFseXNlLjxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMg TmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5JIGFncmVlIHRoYXQgV0cgZHJhZnQgd291bGQgYmUgYmV0 dGVyLCBhbmQgUkZDIHdvdWxkIGJlIGV2ZW4gYmV0dGVyIGFzPG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LHNlcmlmIj53ZSBoYXZlIHNlZW4gV0cgZG9jdW1lbnQgYmVpbmcgc3RhbGxlZC4g SSBhbSBjb25maWRlbnQgd2UgY2FuIG1ha2UgdGhpczxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+aGFwcGVuIG9yIGF0IGxlYXN0IEkgZG8gbm90IHNlZSBtYWpvciBpc3N1ZXMu PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPllvdXJzLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+RGFuaWVsPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4m bmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNw OzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5PbiBGcmksIE1hciAxLCAyMDE5 IGF0IDExOjUxIEFNIEJvY2NpLCBNYXR0aGV3IChOb2tpYSAtIEdCKSAmbHQ7PGEgaHJlZj0ibWFp bHRvOm1hdHRoZXcuYm9jY2lAbm9raWEuY29tIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5t YXR0aGV3LmJvY2NpQG5va2lhLmNvbTwvc3Bhbj48L2E+Jmd0OyB3cm90ZTo8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGJsb2NrcXVvdGUgc3R5bGU9Im1hcmdpbi10b3A6 NS4wcHQ7bWFyZ2luLWJvdHRvbTo1LjBwdCI+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPldHLCBEYW5pZWwsPG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZh bWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPkFwb2xvZ2llcyBidXQgSSBt aXMtc3Bva2Ugb24gdGhlIHN1Z2dlc3Rpb24gZm9yIHRoZSBzZWN1cml0eSByZXF1aXJlbWVudHMg dG8gYWN0IGFzIGFuIHVwZGF0ZSB0byB0aGUgZW5jYXBzdWxhdGlvbiBSRkMgaW4gZnV0dXJlLiBU aGlzIHdvdWxkIGJlIGRpZmZpY3VsdCB0byBkbyBhcyBpdCBpcw0KIGluZm9ybWF0aW9uYWwuPG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPk5vbmV0aGVs ZXNzIEkgdGhpbmsgd2Ugc2hvdWxkIG9ubHkgYmUgcmVmZXJlbmNpbmcgYSBXRyBkcmFmdCAoYXQg YSBtaW5pbXVtKSBoZXJlLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj5NYXR0aGV3PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9w OnNvbGlkICNCNUM0REYgMS4wcHQ7cGFkZGluZzozLjBwdCAwaW4gMGluIDBpbiI+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHN0cm9uZz48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dCI+RnJvbTo8L3NwYW4+PC9zdHJvbmc+PHNwYW4gY2xhc3M9ImdtYWlsLW0tMzQzNzI2NTgxNDQx MTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUtY29udmVydGVkLXNwYWNlIj48 Yj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzwvc3Bhbj48L2I+PC9zcGFuPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+RGFjaGVuZw0KIFpoYW5nICZsdDs8YSBocmVmPSJtYWlsdG86bnZvMy1ib3VuY2Vz QGlldGYub3JnIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5udm8zLWJvdW5jZXNAaWV0Zi5v cmc8L3NwYW4+PC9hPiZndDsgb24gYmVoYWxmIG9mICZxdW90O0JvY2NpLCBNYXR0aGV3IChOb2tp YSAtIEdCKSZxdW90OyAmbHQ7PGEgaHJlZj0ibWFpbHRvOm1hdHRoZXcuYm9jY2lAbm9raWEuY29t Ij48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5tYXR0aGV3LmJvY2NpQG5va2lhLmNvbTwvc3Bh bj48L2E+Jmd0Ozxicj4NCjxzdHJvbmc+RGF0ZTo8L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21haWwt bS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252 ZXJ0ZWQtc3BhY2UiPjxiPiZuYnNwOzwvYj48L3NwYW4+RnJpZGF5LCAxIE1hcmNoIDIwMTkgYXQg MTY6MjQ8YnI+DQo8c3Ryb25nPlRvOjwvc3Ryb25nPjxzcGFuIGNsYXNzPSJnbWFpbC1tLTM0Mzcy NjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1z cGFjZSI+PGI+Jm5ic3A7PC9iPjwvc3Bhbj5EYW5pZWwgTWlnYXVsdCAmbHQ7PGEgaHJlZj0ibWFp bHRvOmRhbmllbC5taWdhdWx0QGVyaWNzc29uLmNvbSI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBs ZSI+ZGFuaWVsLm1pZ2F1bHRAZXJpY3Nzb24uY29tPC9zcGFuPjwvYT4mZ3Q7PGJyPg0KPHN0cm9u Zz5DYzo8L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21h aWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPjxiPiZuYnNwOzwv Yj48L3NwYW4+JnF1b3Q7PGEgaHJlZj0ibWFpbHRvOmRyYWZ0LWlldGYtbnZvMy1nZW5ldmVAaWV0 Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUiPmRyYWZ0LWlldGYtbnZvMy1nZW5ldmVA aWV0Zi5vcmc8L3NwYW4+PC9hPiZxdW90OyAmbHQ7PGEgaHJlZj0ibWFpbHRvOmRyYWZ0LWlldGYt bnZvMy1nZW5ldmVAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUiPmRyYWZ0LWll dGYtbnZvMy1nZW5ldmVAaWV0Zi5vcmc8L3NwYW4+PC9hPiZndDssDQogUGFua2FqIEdhcmcgJmx0 O3Bhbmthamc9PGEgaHJlZj0ibWFpbHRvOjQwbWljcm9zb2Z0LmNvbUBkbWFyYy5pZXRmLm9yZyI+ PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+NDBtaWNyb3NvZnQuY29tQGRtYXJjLmlldGYub3Jn PC9zcGFuPjwvYT4mZ3Q7LCBOVk8zICZsdDs8YSBocmVmPSJtYWlsdG86bnZvM0BpZXRmLm9yZyI+ PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+bnZvM0BpZXRmLm9yZzwvc3Bhbj48L2E+Jmd0Ozxi cj4NCjxzdHJvbmc+U3ViamVjdDo8L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1 ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3Bh Y2UiPjxiPiZuYnNwOzwvYj48L3NwYW4+UmU6IFtudm8zXSBXb3JraW5nIEdyb3VwIExhc3QgQ2Fs bCBhbmQgSVBSIFBvbGwgZm9yIGRyYWZ0LWlldGYtbnZvMy1nZW5ldmUtMDgudHh0PG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+RGFuaWVsPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVv dDssc2VyaWYiPkZyb20gYSBwcm9jZWR1cmFsIHBlcnNwZWN0aXZlLCByZWZlcnJpbmcgdG8geW91 ciBkcmFmdCBjcmVhdGVzIGEgZGVwZW5kZW5jeSBhbmQgdGhhdCBkcmFmdCBoYXMgbm90IHlldCBi ZWVuIGFkb3B0ZWQgYnkgdGhlIFdHLiBUaGUgb2xkIFNlY3VyaXR5IHJlcXVpcmVtZW50cyBmcmFt ZXdvcmsgZXhwaXJlZA0KIGEgY291cGxlIG9mIHllYXJzIGFnbyBhbmQgZG9lcyBub3Qgc2VlbSB0 byBiZSBiZWluZyBwcm9ncmVzc2VkLjxzcGFuIGNsYXNzPSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEy NTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1zcGFjZSI+Jm5i c3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+TWF5YmUgYSBiZXR0ZXIgYXBwcm9hY2gg dG8gYWxsb3cgcHJvZ3Jlc3MsIGFzIGxvbmcgYXMgdGhlIFdHIGNhbiBhZ3JlZSB0byB5b3VyIHRl eHQgKGlmIG5lZWRlZCkgdG8gc2F0aXNmeSB0aGUgY29uY2VybiB0aGF0IGZ1dHVyZSBzZWN1cml0 eSBtZWNoYW5pc21zIGNhbiBiZSB1c2VkLCBhbmQgdGhhdA0KIHRoZSBldm9sdmluZyB0aHJlYXQg YW5hbHlzaXMgaXMgdW5kZXJzdG9vZCBieSBpbXBsZW1lbnRlcnMgYW5kIHVzZXJzIG9mIEdlbmV2 ZSwgd291bGQgYmUgdG8gbWFyayB0aGUgR2VuZXZlIHNlY3VyaXR5IHJlcXVpcmVtZW50cyBhcyBh biB1cGRhdGUgdG8gdGhlIGdlbmV2ZSBlbmNhcHN1bGF0aW9uIFJGQyB3aGVuIGl0IGlzIHB1Ymxp c2hlZC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU aW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ TWF0dGhldzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlkICNCNUM0 REYgMS4wcHQ7cGFkZGluZzozLjBwdCAwaW4gMGluIDBpbiI+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHN0cm9uZz48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdCI+RnJvbTo8L3Nw YW4+PC9zdHJvbmc+PHNwYW4gY2xhc3M9ImdtYWlsLW0tMzQzNzI2NTgxNDQxMTI1NjQ1NWdtYWls LW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUtY29udmVydGVkLXNwYWNlIj48Yj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVv dDssc2VyaWYiPiZuYnNwOzwvc3Bhbj48L2I+PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+RGFu aWVsDQogTWlnYXVsdCAmbHQ7PGEgaHJlZj0ibWFpbHRvOmRhbmllbC5taWdhdWx0QGVyaWNzc29u LmNvbSI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+ZGFuaWVsLm1pZ2F1bHRAZXJpY3Nzb24u Y29tPC9zcGFuPjwvYT4mZ3Q7PGJyPg0KPHN0cm9uZz5EYXRlOjwvc3Ryb25nPjxzcGFuIGNsYXNz PSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFw cGxlLWNvbnZlcnRlZC1zcGFjZSI+PGI+Jm5ic3A7PC9iPjwvc3Bhbj5GcmlkYXksIDEgTWFyY2gg MjAxOSBhdCAxNjoxMTxicj4NCjxzdHJvbmc+VG86PC9zdHJvbmc+PHNwYW4gY2xhc3M9ImdtYWls LW0tMzQzNzI2NTgxNDQxMTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUtY29u dmVydGVkLXNwYWNlIj48Yj4mbmJzcDs8L2I+PC9zcGFuPiZxdW90O0JvY2NpLCBNYXR0aGV3IChO b2tpYSAtIEdCKSZxdW90OyAmbHQ7PGEgaHJlZj0ibWFpbHRvOm1hdHRoZXcuYm9jY2lAbm9raWEu Y29tIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5tYXR0aGV3LmJvY2NpQG5va2lhLmNvbTwv c3Bhbj48L2E+Jmd0Ozxicj4NCjxzdHJvbmc+Q2M6PC9zdHJvbmc+PHNwYW4gY2xhc3M9ImdtYWls LW0tMzQzNzI2NTgxNDQxMTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUtY29u dmVydGVkLXNwYWNlIj48Yj4mbmJzcDs8L2I+PC9zcGFuPlBhbmthaiBHYXJnICZsdDtwYW5rYWpn PTxhIGhyZWY9IiNOT1AiPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUiPjQwbWljcm9zb2Z0LmNv bUBkbWFyYy5pZXRmLm9yZzwvc3Bhbj48L2E+Jmd0OywgJnF1b3Q7PGEgaHJlZj0ibWFpbHRvOmRy YWZ0LWlldGYtbnZvMy1nZW5ldmVAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUi PmRyYWZ0LWlldGYtbnZvMy1nZW5ldmVAaWV0Zi5vcmc8L3NwYW4+PC9hPiZxdW90Ow0KICZsdDs8 YSBocmVmPSJtYWlsdG86ZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZUBpZXRmLm9yZyI+PHNwYW4gc3R5 bGU9ImNvbG9yOnB1cnBsZSI+ZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZUBpZXRmLm9yZzwvc3Bhbj48 L2E+Jmd0OywgTlZPMyAmbHQ7PGEgaHJlZj0ibWFpbHRvOm52bzNAaWV0Zi5vcmciPjxzcGFuIHN0 eWxlPSJjb2xvcjpwdXJwbGUiPm52bzNAaWV0Zi5vcmc8L3NwYW4+PC9hPiZndDs8YnI+DQo8c3Ry b25nPlN1YmplY3Q6PC9zdHJvbmc+PHNwYW4gY2xhc3M9ImdtYWlsLW0tMzQzNzI2NTgxNDQxMTI1 NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUtY29udmVydGVkLXNwYWNlIj48Yj4m bmJzcDs8L2I+PC9zcGFuPlJlOiBbbnZvM10gV29ya2luZyBHcm91cCBMYXN0IENhbGwgYW5kIElQ UiBQb2xsIGZvciBkcmFmdC1pZXRmLW52bzMtZ2VuZXZlLTA4Li50eHQ8bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2 Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMg TmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5IaSBNYXR0aGV3LCZuYnNwOzxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7 LHNlcmlmIj5JIGFtIGhhcHB5IHRvIGNsYXJpZnkgYW5kIGJlIG1vcmUgc3BlY2lmaWMuIEhvd2V2 ZXIsIGRlc3BpdGUgeW91cjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+cmVh ZGluZyBvZiBbMV0gSSB0aGluayBbMV0gY2xlYXJseSBpbmRpY2F0ZXMgdGhlIGNoYW5nZXMgSSBl eHBlY3RlZCBhczxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+d2VsbCBhcyB0 aGF0IHRoZXNlIGNoYW5nZXMgbmVlZHMgdG8gYmUgbWFkZS4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2 Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+SSBiZWxpZXZlIHRoZSByZXNwb25zaWJpbGl0eSBvZiBub3QgYWRkcmVzc2luZyBh biBhY2tub3dsZWRnZWQgaXNzdWUgaXM8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwv ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9u dC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2Vy aWYiPm1vcmUgb24gdGhlIHNpZGUgb2YgcGVvcGxlIGlnbm9yaW5nIHRoZSBpc3N1ZSZuYnNwOyB0 aGVuIG9uIHRoZSBzaWRlIG9mIHRoZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9k aXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+b25lIHJhaXNpbmcgdGhpcyBpc3N1ZS4gTXkgaW1wcmVzc2lvbiBpcyB0aGF0IHRoaXMgaXMg dGhlIHNpdHVhdGlvbiB3ZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+YXJl IGluLiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7Jm5i c3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5JIGFncmVlIHRoYXQgbXkg aW5pdGlhbCBjb21tZW50IHNheWluZyAmcXVvdDtJIGFtIGZpbmUgd2l0aCB0aGUgdGV4dCBpZiB3 ZSBkbzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+bm90IGZpbmQgc29tZXRo aW5nIGJldHRlci4mcXVvdDsgbWlnaHQgaGF2ZSBiZWVuIGNvbmZ1c2luZyBhbmQgSSBhcG9sb2d5 IGZvcjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dGhpcy4gQXQgdGhlIHRp bWUgb2Ygd3JpdGluZyB0aGUgaW5pdGlhbCBjb21tZW50IEkgd2FzIG5vdCBzdXJlIEkgd2FzPG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5ub3QgbWlzc2luZyBzb21ldGhpbmcg bm9yIHRoYXQgdGhlIHByb2JsZW0gY291bGQgbm90IGJlIHNvbHZlZCBoZXJlIG9yPG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5zb21ld2hlcmUgZWxzZSAoaW4gYW5vdGhlciBz ZWN0aW9uKS4gTXkgbWVhbmluZyBiZWhpbmQgdGhvc2Ugd29yZHMgd2VyZTxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dGhhdCBJIHdhcyBvcGVuIHRvIHRoZSB3YXkgdGhlIGNv bmNlcm5lZCBjb3VsZCBiZSBhZGRyZXNzZWQuIEhvd2V2ZXIsIC08bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcg Um9tYW4mcXVvdDssc2VyaWYiPmZyb20gbXkgcG9pbnQgb2YgdmlldyAtIHRoZSB0ZXh0IGRvZXMg bm90IHNheSB0aGUgaXNzdWUgZG9lcyBub3QgbmVlZCB0bzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+YmUgc29sdmVkIHdoaWNoIGlzIHRoZSB3YXkgaXQgaGFzIGJlZW4gaW50 ZXJwcmV0ZWQuIEluIGFkZGl0aW9uLCBJPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8 L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj5iZWxpZXZlIEkgaGF2ZSBjbGFyaWZpZWQgdGhpcyByaWdodCBhd2F5IGFmdGVyIHRoZSBj b25jZXJuIGhhcyBiZWVuPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5hY2tu b3dsZWRnZWQgYW5kIG5vdCBhZGRyZXNzZWQuIEFzIHJlc3VsdCwgSSBkbyBub3QgdGhpbmsgbXkg Y29tbWVudDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Y291bGQgYmUgcmVh c29uYWJseSByZWFkIGFzIHRoZSB0ZXh0IGlzIGZpbmUuLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rp dj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlm Ij5QbGVhc2UgZmluZSB0aGUgYmVsb3cgdGhlIGluaXRpYWwgY29tbWVudCBpdHMgcmVzcG9uc2Ug YW5kIHRoZSByZXNwb25zZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dG8g dGhlIHJlc3BvbnNlIGZyb20gWzFdLiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2 Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mcXVv dDsmcXVvdDsmcXVvdDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZsdDtt Z2x0Jmd0OyBJbiBjYXNlIHdlIGhhdmUgYSBvcHRpb24gcHJvdmlkaW5nIGF1dGhlbnRpY2F0aW9u LCBzdWNoIG9wdGlvbjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+bWF5IGFm ZmVjdCB0aGUgaW50ZXJwcmV0YXRpb24gb2YgdGhlIG90aGVyIG9wdGlvbnMuPG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5zL2ludGVycHJldGF0aW9uL25kZXBlbmRhbmNlIG1h eSBub3QgYmUgYmV0dGVyLi4uLiBJIHRoaW5rIHdoYXQgd2Ugd2FudDxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+dG8gc2F5IGlzIHRoYXQgb3B0aW9uIE1VU1QgYmUgYWJsZSB0 byBiZSBwcm9jZXNzZWQgaW4gYW55IG9yZGVyIG9yIGluPG86cD48L286cD48L3NwYW4+PC9wPg0K PC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g c3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFu JnF1b3Q7LHNlcmlmIj5wYXJhbGxlbC4mbmJzcDsgSSBhbSBmaW5lIHdpdGggdGhlIHRleHQgaWYg d2UgZG8gbm90IGZpbmQgc29tZXRoaW5nIGJldHRlci48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPiZsdDsvbWdsdCZndDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDss c2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jmx0O0ls YW5nbyZndDsgVGhpcyBpcyBhIGdvb2QgcG9pbnQsIGhvd2V2ZXIgd2UgYmVsaWV2ZSB0aGF0IHRo aXMgdGV4dDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Y2FwdHVyZXMgdGhl IGludGVudC4mbmJzcDsgJmx0Oy8mZ3Q7Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZs dDttZ2x0MiZndDtUaGUgcHJvYmxlbSBJIGhhdmUgaXMgdGhhdCB0aGUgY3VycmVudCB0ZXh0IHBy ZXZlbnRzIHNlY3VyaXR5PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5vcHRp b25zLCBzbyBJIGd1ZXNzIHNvbWUgY2xhcmlmaWNhdGlvbiBzaG91bGQgYmUgYnJvdWdodCB0byBj bGFyaWZ5IHRoZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+aW50ZW50LiZs dDsvbWdsdDImZ3Q7Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4m cXVvdDsmcXVvdDsmcXVvdDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZu YnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+SWYgSSBoYWQgdG8gc3Vn Z2VzdCBzb21lIHRleHQgSSB3b3VsZCBzdWdnZXN0IHRoZSBmb2xsb3dpbmcgLSBvcjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+c29tZXRoaW5nIGFyb3VuZCB0aGUgZm9sbG93 aW5nIGxpbmVzLiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5i c3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU aW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPk9MRDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+Jm5ic3A7ICZuYnNwO28mbmJzcDsgQW4gb3B0aW9uIFNIT1VMRCBOT1QgYmUg ZGVwZW5kZW50IHVwb24gYW55IG90aGVyIG9wdGlvbiBpbiB0aGU8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcg Um9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDsgJm5ic3A7IHBhY2tldCwgaS5lLiwgb3B0 aW9ucyBjYW4gYmUgcHJvY2Vzc2VkIGluZGVwZW5kZW50IG9mIG9uZSBhbm90aGVyLjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgQW4gb3B0 aW9uIE1VU1QgTk9UIGFmZmVjdCB0aGUgcGFyc2luZyBvciBpbnRlcnByZXRhdGlvbiBvZiBhbnk8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDsgJm5ic3A7 IG90aGVyIG9wdGlvbi48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNw OzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+TkVXPG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMg TmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rp dj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVv dDssc2VyaWYiPiZuYnNwOyAmbmJzcDtvJm5ic3A7IEFuIG9wdGlvbiBTSE9VTEQgTk9UIGJlIGRl cGVuZGVudCB1cG9uIGFueSBvdGhlciBvcHRpb24gaW4gdGhlPG86cD48L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDsgJm5ic3A7ICZuYnNwOyBwYWNrZXQsIGkuZS4sIG9wdGlv bnMgY2FuIGJlIHByb2Nlc3NlZCBpbmRlcGVuZGVudCBvZiBvbmUgYW5vdGhlci48bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU aW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDsgJm5ic3A7IEFuIG9wdGlv biBTSE9VTEQgTk9UIGFmZmVjdCB0aGUgcGFyc2luZyBvciBpbnRlcnByZXRhdGlvbiBvZiBhbnk8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDsgJm5ic3A7 IG90aGVyIG9wdGlvbi48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNw OzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+VGhlcmUgYXJlIHJhcmUgY2Fz ZXMgd2VyZSB0aGUgcGFyc2luZyBvZiBvbmUgb3B0aW9uIGFmZmVjdHMgdGhlIHBhcnNpbmc8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPm9yIHRoZSBpbnRlcnByZXRhdGlvbiBv ZiBvdGhlciBvcHRpb24uIE9wdGlvbiByZWxhdGVkIHRvIHNlY3VyaXR5IG1heTxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ZmFsbCBpbnRvIHRoaXMgY2F0ZWdvcnkuIFR5cGlj YWxseSwgaWYgYW4gb3B0aW9uIGVuYWJsZXMgdGhlPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj5hdXRoZW50aWNhdGlvbiBvZiBhbm90aGVyIG9wdGlvbiBhbmQgdGhlIGF1dGhl bnRpY2F0aW9uIGRvZXMgbm90PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5z dWNjZWVkLCB0aGUgYXV0aGVudGljYXRlZCBvcHRpb24gTVVTVCBOT1QgYmUgcHJvY2Vzc2VkLiBP dGhlciBvcHRpb25zPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5tYXkgYmUg ZGVzaWduZWQgaW4gdGhlIGZ1dHVyZS4mbmJzcDsmbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9k aXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+TkVXPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5TZWN1cml0eSBDb25z aWRlcmF0aW9uPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O0hlbHZldGljYSZxdW90OyxzYW5zLXNlcmlmIj5HZW5ldmUgT3ZlcmxheSBtYXkgYmUgc2Vj dXJlZCB1c2luZyBieSBwcm90ZWN0aW5nIHRoZSBOVkUtdG8tTlZFPG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj5jb21tdW5pY2F0aW9uIHVzaW5nIElQc2VjIG9yIERUTFMuIEhv d2V2ZXIsIHN1Y2ggbWVjaGFuaXNtcyBjYW5ub3QgYmU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPmFwcGxpZWQgZm9yIGRlcGxveW1lbnRzIHRoYXQgaW5jbHVkZSB0cmFuc2l0 IGRldmljZXMuJm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJz cDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZh bWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPlNvbWUgZGVwbG95bWVudCBt YXkgbm90IGJlIGFibGUgdG8gc2VjdXJlIHRoZSBmdWxsIGNvbW11bmljYXRpb24gdXNpbmc8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPklQc2VjIG9yIERUTFMgYmV0d2VlbiB0 aGUgTlZFcy4gVGhpcyBjb3VsZCBiZSBtb3RpdmF0ZWQgYnkgdGhlIHByZXNlbmNlPG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5vZiB0cmFuc2l0IGRldmljZXMgb3IgYnkgYSBy aXNrIGFuYWx5c2lzIHRoYXQgY29uY2x1ZGVzIHRoYXQgdGhlIEdlbmV2ZTxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+cGFja2V0IGJlIG9ubHkgcGFydGlhbGx5IHByb3RlY3Rl ZCAtIHR5cGljYWxseSByZWR1Y2VkIHRvIHRoZSBHZW5ldmU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPkhlYWRlciBpbmZvcm1hdGlvbi4gSW4gc3VjaCBjYXNlcyBHZW5ldmUg c3BlY2lmaWMgbWVjaGFuaXNtcyBuZWVkcyB0byBiZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZx dW90OyxzZXJpZiI+ZGVzaWduZWQuJm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7 LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPkZvciBh IGNvbXBsZXRlIHRocmVhdCBhbmFseXNpcywgYSBzZWN1cml0eSBhbmFseXNpcyBvZiBHZW5ldmUg b3Igc29tZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Z3VpZGUgbGluZXMg dG8gc2VjdXJlIGEgR2VuZXZlIG92ZXJsYXkgbmV0d29yaywgcGxlYXNlIHJlZmVyIHRvPG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5bZHJhZnQtbWdsdC1udm8zLWdlbmV2ZS1z ZWN1cml0eS1yZXF1aXJlbWVudHNdIGFzIHdlbGwgYXM8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPltkcmFmdC1pZXRmLW52bzMtc2VjdXJpdHktcmVxdWlyZW1lbnRzXS48bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+Rm9yIGZ1bGwgZGlzY2xvc3VyZSBJIGFtIGEgY28tYXV0aG9y IG9mPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5kcmFmdC1tZ2x0LW52bzMt Z2VuZXZlLXNlY3VyaXR5LXJlcXVpcmVtZW50LiBIb3dldmVyIHRoZSByZWFzb24gZm9yPG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5yZWZlcnJpbmcgdG8gdGhlc2UgZG9jdW1l bnRzIGlzIG1vdGl2YXRlZCBieSB0aGUgZmFjdCB0aGF0IEkgYmVsaWV2ZTxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dGhlc2UgYW5hbHlzaXMgcHJvdmlkZSBhIGJldHRlciBz ZWN1cml0eSBhbmFseXNpcyB0aGFuIHRoZSBjdXJyZW50IChPTEQpPG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj5zZWN1cml0eSBjb25zaWRlcmF0aW9uIHNlY3Rpb24uJm5ic3A7 PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPllvdXJzLCZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+RGFuaWVsPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8 L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYi PiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5PbiBGcmksIE1hciAx LCAyMDE5IGF0IDY6MDMgQU0gQm9jY2ksIE1hdHRoZXcgKE5va2lhIC0gR0IpICZsdDs8YSBocmVm PSJtYWlsdG86bWF0dGhldy5ib2NjaUBub2tpYS5jb20iPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJw bGUiPm1hdHRoZXcuYm9jY2lAbm9raWEuY29tPC9zcGFuPjwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVy Om5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAxLjBwdDtwYWRkaW5nOjBpbiAwaW4gMGlu IDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi10b3A6NS4wcHQ7bWFyZ2luLXJpZ2h0OjBp bjttYXJnaW4tYm90dG9tOjUuMHB0Ij4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+SGkgRGFuaWVsPG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPlRoYW5rcyBmb3IgcmV2aWV3aW5nIHRo ZSBsYXRlc3QgdmVyc2lvbi4gQXQgdGhpcyBzdGFnZSBpdCB3b3VsZCBiZSBoZWxwZnVsIGlmIHlv dSBjb3VsZCBiZSBtdWNoIG1vcmUgY29uY3JldGUgYW5kIGdpdmUgc3BlY2lmaWNzLjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5JIHRoaW5rIHRoYXQg dGhlIG1haW4gaXNzdWUgaXMgd2hldGhlciB0aGUgZGVzaWduIG9mIEdlbmV2ZSBwcmV2ZW50cyBm dXR1cmUgc2VjdXJpdHkgZXh0ZW5zaW9ucy48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+SG93ZXZlciwgaW4gWzFdLCB5b3Ugc3RhdGVkIHRoYXQgeW91 IHdlcmUgY29tZm9ydGFibGUgd2l0aCB0aGUgdGV4dCBpZiBub3RoaW5nIGVsc2UgY291bGQgYmUg Zm91bmQuPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYi PldoYXQgc3BlY2lmaWNhbGx5IGRvIHlvdSB3YW50IHRvIGNoYW5nZSBpbiB0aGUgZm9sbG93aW5n LCBiZWFyaW5nIGluIG1pbmQgdGhhdCB0aGVyZSBhcmUgYWxyZWFkeSBjbGFpbWVkIGltcGxlbWVu dGF0aW9ucyBvZiBHZW5ldmU6PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mcXVvdDsmcXVvdDsmcXVv dDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDtvJm5ic3A7IEFuIG9wdGlvbiBT SE9VTEQgTk9UIGJlIGRlcGVuZGVudCB1cG9uIGFueSBvdGhlciBvcHRpb24gaW4gdGhlPG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDsgJm5ic3A7ICZuYnNwOyBwYWNrZXQsIGkuZS4sIG9wdGlv bnMgY2FuIGJlIHByb2Nlc3NlZCBpbmRlcGVuZGVudCBvZiBvbmUgYW5vdGhlci48bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDsgJm5ic3A7IEFuIG9wdGlvbiBNVVNUIE5PVCBhZmZl Y3QgdGhlIHBhcnNpbmcgb3IgaW50ZXJwcmV0YXRpb24gb2YgYW55PG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj4mbmJzcDsgJm5ic3A7ICZuYnNwOyBvdGhlciBvcHRpb24uPG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj4mcXVvdDsmcXVvdDsmcXVvdDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtm b250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5NYXR0aGV3PG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9y ZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRpbmc6My4wcHQgMGluIDBpbiAwaW4iPg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzdHJvbmc+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQiPkZyb206PC9zcGFuPjwvc3Ryb25nPjxzcGFuIGNsYXNzPSJnbWFpbC1tLTM0Mzcy NjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1z cGFjZSI+PGI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8L3NwYW4+PC9iPjwvc3Bhbj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPkRhbmllbA0KIE1pZ2F1bHQgJmx0OzxhIGhyZWY9Im1haWx0bzpkYW5p ZWwubWlnYXVsdEBlcmljc3Nvbi5jb20iPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUiPmRhbmll bC5taWdhdWx0QGVyaWNzc29uLmNvbTwvc3Bhbj48L2E+Jmd0Ozxicj4NCjxzdHJvbmc+RGF0ZTo8 L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1 NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPjxiPiZuYnNwOzwvYj48L3Nw YW4+RnJpZGF5LCAxIE1hcmNoIDIwMTkgYXQgMDM6MDY8YnI+DQo8c3Ryb25nPlRvOjwvc3Ryb25n PjxzcGFuIGNsYXNzPSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYw ODA3MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1zcGFjZSI+PGI+Jm5ic3A7PC9iPjwvc3Bhbj5QYW5r YWogR2FyZyAmbHQ7cGFua2FqZz08YSBocmVmPSIjTk9QIj48c3BhbiBzdHlsZT0iY29sb3I6cHVy cGxlIj40MG1pY3Jvc29mdC5jb21AZG1hcmMuaWV0Zi5vcmc8L3NwYW4+PC9hPiZndDs8YnI+DQo8 c3Ryb25nPkNjOjwvc3Ryb25nPjxzcGFuIGNsYXNzPSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEyNTY0 NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1zcGFjZSI+PGI+Jm5i c3A7PC9iPjwvc3Bhbj4mcXVvdDtCb2NjaSwgTWF0dGhldyAoTm9raWEgLSBHQikmcXVvdDsgJmx0 OzxhIGhyZWY9Im1haWx0bzptYXR0aGV3LmJvY2NpQG5va2lhLmNvbSI+PHNwYW4gc3R5bGU9ImNv bG9yOnB1cnBsZSI+bWF0dGhldy5ib2NjaUBub2tpYS5jb208L3NwYW4+PC9hPiZndDssDQogTlZP MyAmbHQ7PGEgaHJlZj0ibWFpbHRvOm52bzNAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjpw dXJwbGUiPm52bzNAaWV0Zi5vcmc8L3NwYW4+PC9hPiZndDssICZxdW90OzxhIGhyZWY9Im1haWx0 bzpkcmFmdC1pZXRmLW52bzMtZ2VuZXZlQGlldGYub3JnIj48c3BhbiBzdHlsZT0iY29sb3I6cHVy cGxlIj5kcmFmdC1pZXRmLW52bzMtZ2VuZXZlQGlldGYub3JnPC9zcGFuPjwvYT4mcXVvdDsgJmx0 OzxhIGhyZWY9Im1haWx0bzpkcmFmdC1pZXRmLW52bzMtZ2VuZXZlQGlldGYub3JnIj48c3BhbiBz dHlsZT0iY29sb3I6cHVycGxlIj5kcmFmdC1pZXRmLW52bzMtZ2VuZXZlQGlldGYub3JnPC9zcGFu PjwvYT4mZ3Q7PGJyPg0KPHN0cm9uZz5TdWJqZWN0Ojwvc3Ryb25nPjxzcGFuIGNsYXNzPSJnbWFp bC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNv bnZlcnRlZC1zcGFjZSI+PGI+Jm5ic3A7PC9iPjwvc3Bhbj5SZTogW252bzNdIFdvcmtpbmcgR3Jv dXAgTGFzdCBDYWxsIGFuZCBJUFIgUG9sbCBmb3IgZHJhZnQtaWV0Zi1udm8zLWdlbmV2ZS0wOC4u dHh0PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+SGksJm5ic3A7PG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0hlbHZldGljYSZx dW90OyxzYW5zLXNlcmlmIj5JIGp1c3QgYnJpZWZseSB3ZW50IHRocm91Z2ggdGhlIGRvY3VtZW50 IHF1aWNrbHkgYW5kIGluIG15IG9waW5pb24sIHRoZSBkb2N1bWVudCBzdGlsbCBmYWNlcyBzb21l IHNlY3VyaXR5IGlzc3Vlcy48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZu YnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+VGhlIGN1cnJlbnQgdGV4 dCAoaW4gbXkgb3BpbmlvbikgcHJldmVudHMgYW55IGdlbmV2ZSBzZWN1cml0eSByZWxhdGVkPG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5vcHRpb25zLiBDdXJyZW50bHkgR2Vu ZXZlIGNhbm5vdCBiZSBzZWN1cmVkIGFuZCB0aGlzIHByZXZlbnRzIGZ1dHVyZTxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+d29yayB0byBldmVudHVhbGx5IHNlY3VyZSBHZW5l dmUuIEluIG15IG9waW5pb24gdGhlIGN1cnJlbnQgdGV4dDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+bWFuZGF0ZXMgR2VuZXZlIHRvIHJlbWFpbiB1bnNlY3VyZS4mbmJzcDs8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+R2VuZXZlIHNlY3VyaXR5IG9wdGlvbiB0aGF0IGFyZSB3 aWxsaW5nIHRvIGF1dGhlbnRpY2F0ZS9lbmNyeXB0IGEgcGFydDxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+b2YgdGhlIEdlbmV2ZSBIZWFkZXIgd2lsbCBhZmZlY3QgdGhlIHBh cnNpbmcgb2YgdGhlIHByb3RlY3RlZCBvcHRpb24gYW5kPG86cD48L286cD48L3NwYW4+PC9wPg0K PC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g c3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFu JnF1b3Q7LHNlcmlmIj53aWxsIGFmZmVjdCB0aGUgb3JkZXIgaW4gd2hpY2ggb3B0aW9uIG5lZWRz IHRvIGJlIHByb2Nlc3MuIFR5cGljYWxseSBhPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7 LHNlcmlmIj5wcm90ZWN0ZWQgb3B0aW9uIChhdXRoZW50aWNhdGVkLCBlbmNyeXB0ZWQpIGNhbm5v dCBvciBzaG91bGQgbm90IGJlPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZTo5LjBwdDtmb250LWZhbWlseTomcXVvdDtIZWx2ZXRpY2EmcXVvdDssc2Fucy1zZXJpZiI+cHJv Y2Vzc2VkIGJlZm9yZSBhdXRoZW50aWNhdGVkIG9yIGRlY3J5cHRlZC4mbmJzcDs8bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU aW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+VGhpcyBoYXMgYWxyZWFkeSBiZWVuIG1lbnRpb25lZCBpbiBbMV0sIGFu ZCB0aGUgdGV4dCBuZWVkcyBpbiBteSBvcGluaW9uPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj5mdXJ0aGVyIGNsYXJpZmljYXRpb25zLiZuYnNwOyZuYnNwOzxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0K PC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g c3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFu JnF1b3Q7LHNlcmlmIj4mcXVvdDsmcXVvdDsmcXVvdDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDtvJm5ic3A7IEFuIG9wdGlvbiBTSE9VTEQgTk9UIGJl IGRlcGVuZGVudCB1cG9uIGFueSBvdGhlciBvcHRpb24gaW4gdGhlPG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDsgJm5ic3A7ICZuYnNwOyBwYWNrZXQsIGkuZS4sIG9w dGlvbnMgY2FuIGJlIHByb2Nlc3NlZCBpbmRlcGVuZGVudCBvZiBvbmUgYW5vdGhlci48bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVv dDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOyAmbmJzcDsgJm5ic3A7IEFuIG9w dGlvbiBNVVNUIE5PVCBhZmZlY3QgdGhlIHBhcnNpbmcgb3IgaW50ZXJwcmV0YXRpb24gb2YgYW55 PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDsgJm5ic3A7ICZuYnNw OyBvdGhlciBvcHRpb24uPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mcXVv dDsmcXVvdDsmcXVvdDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNw OzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPkFzIHN0YXRlZCBpbiBbMl0gaXQgcmVtYWlucyB1bmNsZWFyIHRvIG1lIHdo eSB0aGlzIHNlY3Rpb24gaXMgbm90PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rp dj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlm Ij5yZWZlcmVuY2luZyBhbmQgbGV2ZXJhZ2luZyBvbiB0aGUgc2VjdXJpdHkgYW5hbHlzaXMgWzMt NF0gcGVyZm9ybWVkIGJ5PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj50d28g ZGlmZmVyZW50IGluZGVwZW5kZW50IHRlYW1zLi4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9k aXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+TXkgcmVhZGluZyBvZiB0aGUgc2VjdXJpdHkgY29uc2lkZXJhdGlvbiBpcyB0aGF0IHRoZSBt ZXNzYWdlIGlzIHRoYXQ8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPklQc2Vj IG9yIFRMUyBjb3VsZCBiZSB1c2VkIHRvIHByb3RlY3QgYSBnZW5ldmUgb3ZlcmxheSBuZXR3b3Jr LiBUaGlzIGlzPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4tIGluIG15IG9w aW5pb24tIG5vdCBjb3JyZWN0IGFzIHRoaXMgZG9lcyBub3QgY29uc2lkZXIgdGhlIHRyYW5zaXQ8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPmRldmljZS4gSW4gYWRkaXRpb24s IHRoZSBzZWN1cml0eSBjb25zaWRlcmF0aW9uIG9ubHkgY29uc2lkZXJzIHRoZSBjYXNlPG86cD48 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj53aGVyZSB0aGUgY2xvdWQgcHJvdmlkZXIg YW5kIHRoZSBvdmVybGF5IG5ldHdvcmsgcHJvdmlkZXIgYXJlIGEgc2luZ2xlPG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5lbnRpdHksIHdoaWNoIEkgYmVsaWV2ZSBvdmVyc2lt cGxpZmllcyB0aGUgcHJvYmxlbS4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDss c2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+VGhlIHRo cmVhdCBtb2RlbCBzZWVtcyB0byBtZSB2ZXJ5IHZhZ3VlLCBzbyB0aGUgY3VycmVudCBzZWN1cml0 eTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Y29uc2lkZXJhdGlvbiBpcyBs aW1pdGVkIHRvIHNvbHZpbmcgYSBwcm9ibGVtIHRoYXQgaXMgbm90IHN0YXRlZC4mbmJzcDs8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+TXkgcmVhZGluZyBvZiB0aGUgdGV4dCBpbmRpY2F0ZXMgdGhl IHRlbmFudCBjYW4gaGFuZGxlIGJ5IGl0c2VsZiB0aGU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPmNvbmZpZGVudGlhbGl0eSBvZiBpdHMgaW5mb3JtYXRpb24gd2l0aG91dCBu ZWNlc3NhcmlseSByZWx5aW5nIG9uIHRoZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90Oyxz ZXJpZiI+b3ZlcmxheSBzZXJ2aWNlIHByb3ZpZGVyLiBUaGlzIGlzIG5vdCBjb3JyZWN0LiBFdmVu IHdoZW4gdGhlIHRlbmFudCB1c2VzPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rp dj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlm Ij5JUHNlYy9UTFMsIGl0IHN0aWxsIGxlYWtzIHNvbWUgaW5mb3JtYXRpb24uIFRoZSBjdXJyZW50 IHRleHQgY29udHJhZGljdHM8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPlsz XSBzZWN0aW9uIDYuMiBhbmQgWzRdIHNlY3Rpb24gNS4xLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rp dj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlm Ij5NeSByZWFkaW5nIGlzIHRoYXQgdGhlIHRleHQgaW5kaWNhdGVzIHRoYXQgSVBzZWMvRFRMUyBj b3VsZCBiZSB1c2VkIHRvPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5wcm90 ZWN0IHRoZSBvdmVybGF5IHNlcnZpY2UgZm9yIGJvdGggY29uZmlkZW50aWFsaXR5IGFuZCBpbnRl Z3JpdHkuPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5XaGlsZSB0aGlzIGNv dWxkIGJlIHVzZWQgaW4gc29tZSBkZXBsb3ltZW50IHRoaXMgaXMgbm90IGNvbXBhdGlibGUgd2l0 aDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+dHJhbnNpdCBkZXZpY2VzLiBB cyBzdWNoIHRoZSBnZW5lcmljIHN0YXRlbWVudCBpcyBub3QgY29ycmVjdC4gU2VjdGlvbjxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Ni40IGluZGljYXRlcyB0aGF0IHRyYW5z aXQgZGV2aWNlIG11c3QgYmUgdHJ1c3RlZCB3aGljaCBpcyBpbmNvcnJlY3QuPG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5JbnN0ZWFkIHRoZSB0cmFuc2l0IGRldmljZSB3aXRo IGFsbCBub2RlcyBiZXR3ZWVuIHRoZSB0cmFuc2l0IGRldmljZSBhbmQ8bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssc2VyaWYiPnRoZSBOVkUgbmVlZHMgdG8gYmUgdHJ1c3RlZC4mbmJzcDsg T3ZlcmFsbCB0aGUgaW1wcmVzc2lvbiBwcm92aWRlZCBpcyB0aGF0PG86cD48L286cD48L3NwYW4+ PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj5JUHNlYyAob3IgVExTKSBjYW4gYmUgdXNlZCBieSB0aGUgc2Vy dmljZSBvdmVybGF5IHByb3ZpZGVyLCB3aGljaCBpcyAoaW48bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPm15IG9waW5pb24pIG5vdCB0cnVlLiZuYnNwOzxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9k aXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj5JdCBpcyB1bmNsZWFyIHRvIG1lIGhvdyBhdXRoZW50aWNhdGlvbiBvZiBOVkUg cGVlcnMgZGlmZmVycyBmcm9tIHRoZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9k aXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJp ZiI+YXV0aGVudGljYXRpb24gY29tbXVuaWNhdGlvbiBhcyB0aGUgbGF0ZXN0IHVzdWFsbHkgcmVs eSBvbiB0aGUgZmlyc3QuPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxk aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5NYXli ZSB0aGUgc2VjdGlvbiBzaG91bGQgaW5zaXN0IG9uIG11dHVhbCBhdXRoZW50aWNhdGlvbi4mbmJz cDsmbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtm b250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+WW91cnMsJm5ic3A7PG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5EYW5pZWw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+ DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5bMV08c3BhbiBjbGFz cz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFh cHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj48YSBocmVmPSJodHRwczovL21haWxh cmNoaXZlLmlldGYub3JnL2FyY2gvbXNnL252bzMvUkZGallIQVVVbE12T3NZd1JOdGRPSk9Jazlv IiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+aHR0cHM6Ly9tYWls YXJjaGl2ZS5pZXRmLi5vcmcvYXJjaC9tc2cvbnZvMy9SRkZqWUhBVVVsTXZPc1l3Uk50ZE9KT0lr OW88L3NwYW4+PC9hPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+WzJdPHNw YW4gY2xhc3M9ImdtYWlsLW0tMzQzNzI2NTgxNDQxMTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcy MjA2NjkxYXBwbGUtY29udmVydGVkLXNwYWNlIj4mbmJzcDs8L3NwYW4+PGEgaHJlZj0iaHR0cHM6 Ly9tYWlsYXJjaGl2ZS5pZXRmLm9yZy9hcmNoL21zZy9udm8zL2U3WUhGbHFJdU93SUpvTDJlcDdq eUhJclNHdyIgdGFyZ2V0PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUiPmh0dHBz Oi8vbWFpbGFyY2hpdmUuaWV0Zi5vcmcvYXJjaC9tc2cvbnZvMy9lN1lIRmxxSXVPd0lKb0wyZXA3 anlISXJTR3c8L3NwYW4+PC9hPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+ DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+ WzNdPHNwYW4gY2xhc3M9ImdtYWlsLW0tMzQzNzI2NTgxNDQxMTI1NjQ1NWdtYWlsLW0yNTU3ODI3 NjA4MDcyMjA2NjkxYXBwbGUtY29udmVydGVkLXNwYWNlIj4mbmJzcDs8L3NwYW4+PGEgaHJlZj0i aHR0cHM6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtbnZvMy1zZWN1cml0eS1yZXF1 aXJlbWVudHMtMDciIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5o dHRwczovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1udm8zLXNlY3VyaXR5LXJlcXVp cmVtZW50cy0wNzwvc3Bhbj48L2E+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rp dj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlm Ij5bNF08c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4 Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj48YSBocmVm PSJodHRwczovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtbWdsdC1udm8zLWdlbmV2ZS1zZWN1 cml0eS1yZXF1aXJlbWVudHMtMDUiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iY29sb3I6 cHVycGxlIj5odHRwczovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtbWdsdC1udm8zLWdlbmV2 ZS1zZWN1cml0eS1yZXF1aXJlbWVudHMtMDU8L3NwYW4+PC9hPjxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8 L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNl cmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBw dDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+T24gV2VkLCBGZWIgMjcsIDIwMTkgYXQgNzozMCBQTSBQYW5rYWog R2FyZyAmbHQ7cGFua2FqZz08YSBocmVmPSJtYWlsdG86NDBtaWNyb3NvZnQuY29tQGRtYXJjLmll dGYub3JnIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj40MG1pY3Jvc29mdC5jb21AZG1hcmMu aWV0Zi5vcmc8L3NwYW4+PC9hPiZndDsNCiB3cm90ZTo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjwvZGl2Pg0KPGJsb2NrcXVvdGUgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0 OnNvbGlkICNDQ0NDQ0MgMS4wcHQ7cGFkZGluZzowaW4gMGluIDBpbiA2LjBwdDttYXJnaW4tbGVm dDo0LjhwdDttYXJnaW4tdG9wOjUuMHB0O21hcmdpbi1yaWdodDowaW47bWFyZ2luLWJvdHRvbTo1 LjBwdCI+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssc2VyaWYiPkkgYW0gbm90IGF3YXJlIG9mIGFueSBJUCByZWxhdGVkIHRvIGRyYWZ0LWll dGYtbnZvMy1nZW5ldmUgd2hpY2ggaGFzIG5vdCBhbHJlYWR5IGJlZW4gZGlzY2xvc2VkLjxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBS b21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5UaGFua3M8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcg Um9tYW4mcXVvdDssc2VyaWYiPlBhbmthajxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5v bmU7Ym9yZGVyLXRvcDpzb2xpZCAjRTFFMUUxIDEuMHB0O3BhZGRpbmc6My4wcHQgMGluIDBpbiAw aW4iPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzdHJvbmc+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMi4wcHQiPkZyb206PC9zcGFuPjwvc3Ryb25nPjxzcGFuIGNsYXNzPSJnbWFpbC1t LTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYwODA3MjIwNjY5MWFwcGxlLWNvbnZl cnRlZC1zcGFjZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8L3NwYW4+PC9zcGFuPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OyxzZXJpZiI+Qm9jY2ksDQogTWF0dGhldyAoTm9raWEgLSBHQikgJmx0OzxhIGhyZWY9 Im1haWx0bzptYXR0aGV3LmJvY2NpQG5va2lhLmNvbSI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBs ZSI+bWF0dGhldy4uYm9jY2lAbm9raWEuY29tPC9zcGFuPjwvYT4mZ3Q7PHNwYW4gY2xhc3M9Imdt YWlsLW0tMzQzNzI2NTgxNDQxMTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUt Y29udmVydGVkLXNwYWNlIj4mbmJzcDs8L3NwYW4+PGJyPg0KPHN0cm9uZz5TZW50Ojwvc3Ryb25n PjxzcGFuIGNsYXNzPSJnbWFpbC1tLTM0MzcyNjU4MTQ0MTEyNTY0NTVnbWFpbC1tMjU1NzgyNzYw ODA3MjIwNjY5MWFwcGxlLWNvbnZlcnRlZC1zcGFjZSI+Jm5ic3A7PC9zcGFuPlR1ZXNkYXksIE9j dG9iZXIgOSwgMjAxOCAyOjA4IEFNPGJyPg0KPHN0cm9uZz5Ubzo8L3N0cm9uZz48c3BhbiBjbGFz cz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFh cHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj5OVk8zICZsdDs8YSBocmVmPSJtYWls dG86bnZvM0BpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+bnZvM0BpZXRmLm9y Zzwvc3Bhbj48L2E+Jmd0Ozxicj4NCjxzdHJvbmc+Q2M6PC9zdHJvbmc+PHNwYW4gY2xhc3M9Imdt YWlsLW0tMzQzNzI2NTgxNDQxMTI1NjQ1NWdtYWlsLW0yNTU3ODI3NjA4MDcyMjA2NjkxYXBwbGUt Y29udmVydGVkLXNwYWNlIj4mbmJzcDs8L3NwYW4+PGEgaHJlZj0ibWFpbHRvOmRyYWZ0LWlldGYt bnZvMy1nZW5ldmVAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUiPmRyYWZ0LWll dGYtbnZvMy1nZW5ldmVAaWV0Zi5vcmc8L3NwYW4+PC9hPjxicj4NCjxzdHJvbmc+U3ViamVjdDo8 L3N0cm9uZz48c3BhbiBjbGFzcz0iZ21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1 NTc4Mjc2MDgwNzIyMDY2OTFhcHBsZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj5Xb3Jr aW5nIEdyb3VwIExhc3QgQ2FsbCBhbmQgSVBSIFBvbGwgZm9yIGRyYWZ0LWlldGYtbnZvMy1nZW5l dmUtMDgudHh0PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Jm5ic3A7PG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LHNlcmlmIj5UaGlzIGVtYWlsIGJlZ2lucyBhIHR3by13ZWVrIHdvcmtpbmcg Z3JvdXAgbGFzdCBjYWxsIGZvciBkcmFmdC1pZXRmLW52bzMtZ2VuZXZlLTA4LnR4dC48bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+UGxlYXNlIHJldmll dyB0aGUgZHJhZnQgYW5kIHBvc3QgYW55IGNvbW1lbnRzIHRvIHRoZSBOVk8zIHdvcmtpbmcgZ3Jv dXAgbGlzdC4gSWYgeW91IGhhdmUgcmVhZCB0aGUgbGF0ZXN0IHZlcnNpb24gb2YgdGhlIGRyYWZ0 IGJ1dCBoYXZlIG5vIGNvbW1lbnRzIGFuZCBiZWxpZXZlIGl0IGlzIHJlYWR5DQogZm9yIHB1Ymxp Y2F0aW9uIGFzIGEgc3RhbmRhcmRzIHRyYWNrIFJGQywgcGxlYXNlIGFsc28gaW5kaWNhdGUgc28g dG8gdGhlIFdHIGVtYWlsIGxpc3QuPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj4mbmJzcDs8bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssc2VyaWYiPldlIGFyZSBhbHNvIHBvbGxpbmcgZm9yIGtub3dsZWRnZSBvZiBhbnkg dW5kaXNjbG9zZWQgSVBSIHRoYXQgYXBwbGllcyB0byB0aGlzIGRvY3VtZW50LCB0byBlbnN1cmUg dGhhdCBJUFIgaGFzIGJlZW4gZGlzY2xvc2VkIGluIGNvbXBsaWFuY2Ugd2l0aCBJRVRGIElQUiBy dWxlcyAoc2VlIFJGQ3MNCiAzOTc5LCA0ODc5LCAzNjY5IGFuZCA1Mzc4IGZvciBtb3JlIGRldGFp bHMpLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp bWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+SWYgeW91IGFyZSBsaXN0ZWQgYXMgYW4gQXV0aG9y IG9yIGEgQ29udHJpYnV0b3Igb2YgdGhpcyBkb2N1bWVudCwgcGxlYXNlIHJlc3BvbmQgdG8gdGhp cyBlbWFpbCBhbmQgaW5kaWNhdGUgd2hldGhlciBvciBub3QgeW91IGFyZSBhd2FyZSBvZiBhbnkg cmVsZXZhbnQgdW5kaXNjbG9zZWQgSVBSLg0KIFRoZSBEb2N1bWVudCB3b24ndCBwcm9ncmVzcyB3 aXRob3V0IGFuc3dlcnMgZnJvbSBhbGwgdGhlIEF1dGhvcnMgYW5kIENvbnRyaWJ1dG9ycy48bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcg Um9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+Q3VycmVudGx5 IHRoZXJlIGFyZSB0d28gSVBSIGRpc2Nsb3N1cmVzIGFnYWluc3QgdGhpcyBkb2N1bWVudC48bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcg Um9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+SWYgeW91IGFy ZSBub3QgbGlzdGVkIGFzIGFuIEF1dGhvciBvciBhIENvbnRyaWJ1dG9yLCB0aGVuIHBsZWFzZSBl eHBsaWNpdGx5IHJlc3BvbmQgb25seSBpZiB5b3UgYXJlIGF3YXJlIG9mIGFueSBJUFIgdGhhdCBo YXMgbm90IHlldCBiZWVuIGRpc2Nsb3NlZCBpbiBjb25mb3JtYW5jZSB3aXRoDQogSUVURiBydWxl cy48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+VGhp cyBwb2xsIHdpbGwgcnVuIHVudGlsIEZyaWRheSAyNjxzdXA+dGg8L3N1cD48c3BhbiBjbGFzcz0i Z21haWwtbS0zNDM3MjY1ODE0NDExMjU2NDU1Z21haWwtbTI1NTc4Mjc2MDgwNzIyMDY2OTFhcHBs ZS1jb252ZXJ0ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj5PY3RvYmVyLjxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90Oyxz ZXJpZiI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LHNlcmlmIj5SZWdhcmRzPG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7 LHNlcmlmIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPk1hdHRoZXcgYW5kIFNhbTxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssc2VyaWYiPl9fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fPGJyPg0KbnZvMyBtYWlsaW5nIGxpc3Q8YnI+DQo8YSBo cmVmPSJtYWlsdG86bnZvM0BpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImNvbG9yOnB1cnBsZSI+bnZv M0BpZXRmLm9yZzwvc3Bhbj48L2E+PGJyPg0KPGEgaHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi4ub3Jn L21haWxtYW4vbGlzdGluZm8vbnZvMyIgdGFyZ2V0PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJjb2xv cjpwdXJwbGUiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vbnZvMzwvc3Bh bj48L2E+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Jsb2NrcXVvdGU+DQo8L2Rp dj4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1 b3Q7LHNlcmlmIj5fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f Xzxicj4NCm52bzMgbWFpbGluZyBsaXN0PGJyPg0KPGEgaHJlZj0ibWFpbHRvOm52bzNAaWV0Zi5v cmciPjxzcGFuIHN0eWxlPSJjb2xvcjpwdXJwbGUiPm52bzNAaWV0Zi5vcmc8L3NwYW4+PC9hPjxi cj4NCjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYuLm9yZy9tYWlsbWFuL2xpc3RpbmZvL252bzMi IHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5odHRwczovL3d3dy5p ZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL252bzM8L3NwYW4+PC9hPjxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OyxzZXJpZiI+X19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+DQpudm8zIG1haWxpbmcgbGlz dDxicj4NCjxhIGhyZWY9Im1haWx0bzpudm8zQGlldGYub3JnIj48c3BhbiBzdHlsZT0iY29sb3I6 cHVycGxlIj5udm8zQGlldGYub3JnPC9zcGFuPjwvYT48YnI+DQo8YSBocmVmPSJodHRwczovL3d3 dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL252bzMiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBz dHlsZT0iY29sb3I6cHVycGxlIj5odHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZv L252bzM8L3NwYW4+PC9hPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9ibG9ja3F1 b3RlPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX188YnI+DQpudm8zIG1haWxpbmcgbGlzdDxicj4NCjxhIGhyZWY9Im1haWx0bzpu dm8zQGlldGYub3JnIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5udm8zQGlldGYub3JnPC9z cGFuPjwvYT48YnI+DQo8YSBocmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3Rp bmZvL252bzMiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5odHRw czovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL252bzM8L3NwYW4+PC9hPjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8L2Rpdj4NCjwv ZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OyxzZXJpZiI+X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX188YnI+DQpudm8zIG1haWxpbmcgbGlzdDxicj4NCjxhIGhyZWY9Im1haWx0bzpu dm8zQGlldGYub3JnIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5udm8zQGlldGYub3JnPC9z cGFuPjwvYT48YnI+DQo8YSBocmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3Rp bmZvL252bzMiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iY29sb3I6cHVycGxlIj5odHRw czovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL252bzM8L3NwYW4+PC9hPjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8L2Rpdj4NCjwv ZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7SGVsdmV0aWNh JnF1b3Q7LHNhbnMtc2VyaWYiPl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fPGJyPg0KbnZvMyBtYWlsaW5nIGxpc3Q8YnI+DQo8L3NwYW4+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNl cmlmIj48YSBocmVmPSJtYWlsdG86bnZvM0BpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZTo5LjBwdDtmb250LWZhbWlseTomcXVvdDtIZWx2ZXRpY2EmcXVvdDssc2Fucy1zZXJpZjtjb2xv cjpwdXJwbGUiPm52bzNAaWV0Zi5vcmc8L3NwYW4+PC9hPjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9u dC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0hlbHZldGljYSZxdW90OyxzYW5zLXNlcmlm Ij48YnI+DQo8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VmVyZGFuYSZxdW90OyxzYW5zLXNlcmlmIj48YSBocmVmPSJodHRwczovL3d3dy5pZXRm Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL252bzMiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0hlbHZldGljYSZxdW90OyxzYW5zLXNl cmlmO2NvbG9yOnB1cnBsZSI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9u dm8zPC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvYmxvY2txdW90 ZT4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fu cy1zZXJpZiI+X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188 YnI+DQpudm8zIG1haWxpbmcgbGlzdDxicj4NCjxhIGhyZWY9Im1haWx0bzpudm8zQGlldGYub3Jn Ij5udm8zQGlldGYub3JnPC9hPjxicj4NCjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21h aWxtYW4vbGlzdGluZm8vbnZvMyIgdGFyZ2V0PSJfYmxhbmsiPmh0dHBzOi8vd3d3LmlldGYub3Jn L21haWxtYW4vbGlzdGluZm8vbnZvMzwvYT48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Jsb2Nr cXVvdGU+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1ZlcmRhbmEmcXVvdDssc2Fucy1zZXJpZiI+PG86 cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3 JnF1b3Q7Ij5fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzxi cj4NCm52bzMgbWFpbGluZyBsaXN0PGJyPg0KPGEgaHJlZj0ibWFpbHRvOm52bzNAaWV0Zi5vcmci Pm52bzNAaWV0Zi5vcmc8L2E+PGJyPg0KPGEgaHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFp bG1hbi9saXN0aW5mby9udm8zIiB0YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcv bWFpbG1hbi9saXN0aW5mby9udm8zPC9hPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtWZXJkYW5hJnF1b3Q7LHNhbnMtc2Vy aWYiPl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fPGJyPg0K bnZvMyBtYWlsaW5nIGxpc3Q8YnI+DQo8YSBocmVmPSJtYWlsdG86bnZvM0BpZXRmLm9yZyI+bnZv M0BpZXRmLm9yZzwvYT48YnI+DQo8YSBocmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFu L2xpc3RpbmZvL252bzMiIHRhcmdldD0iX2JsYW5rIj5odHRwczovL3d3dy5pZXRmLm9yZy9tYWls bWFuL2xpc3RpbmZvL252bzM8L2E+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9ibG9ja3F1b3Rl Pg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEw LjBwdDtmb250LWZhbWlseTomcXVvdDtWZXJkYW5hJnF1b3Q7LHNhbnMtc2VyaWYiPjxvOnA+Jm5i c3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90 OyI+X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+DQpu dm8zIG1haWxpbmcgbGlzdDxicj4NCjxhIGhyZWY9Im1haWx0bzpudm8zQGlldGYub3JnIj5udm8z QGlldGYub3JnPC9hPjxicj4NCjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4v bGlzdGluZm8vbnZvMyIgdGFyZ2V0PSJfYmxhbmsiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxt YW4vbGlzdGluZm8vbnZvMzwvYT48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvYmxv Y2txdW90ZT4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9odG1sPg0K --_000_MN2PR15MB3310AE0958697EB6412E96CBE3570MN2PR15MB3310namp_-- From nobody Tue Apr 9 22:07:16 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E69F12015B for ; Tue, 9 Apr 2019 22:07:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.001 X-Spam-Level: X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kernel.org Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UPnxnJSEBS2e for ; Tue, 9 Apr 2019 22:07:11 -0700 (PDT) Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ED44120155 for ; Tue, 9 Apr 2019 22:07:11 -0700 (PDT) Received: from mail-qk1-f180.google.com (mail-qk1-f180.google.com [209.85.222.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5FDFC2133D for ; Wed, 10 Apr 2019 05:07:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1554872830; bh=RDzx/XTaWV/2OvD3+nQIJbhWHJRWC2CxrkvUBNpd53k=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=u5x/OKU3/3zGQdrEvh6D3EHqEElmcBmZIUZRo8vQofiVDipO4f1x2CXlOFgtsiFSH pzd/0opHu5j/Sf4POAt3G1xxrtETB1dW8MC1JEccAT1OAcDBHEJqTmua0BQMsNOy4W R7qgEZQm4nEqOsvZnO+22ImjwiUOYQXtz5w4+uvk= Received: by mail-qk1-f180.google.com with SMTP id o129so461951qke.8 for ; Tue, 09 Apr 2019 22:07:10 -0700 (PDT) X-Gm-Message-State: APjAAAVkyV+WituhvqSgcnzT2MfZomJnZrNlovCDg5l5zXi4n+A0veR0 HqDwUhAC19gAzKhTVJDS0WO75TNG0ZJ36CqWHbBMPw== X-Google-Smtp-Source: APXvYqy6oJemS2ifrlvyggF9zifQ1ODUvh6YWtKggV07lB0EQFEMVpH2b/F2OOSwd9QdldB58fIdsuRThvJxbApDEn4= X-Received: by 2002:a37:a94c:: with SMTP id s73mr31111039qke.76.1554872829430; Tue, 09 Apr 2019 22:07:09 -0700 (PDT) MIME-Version: 1.0 References: <97EAAD15-1A6C-4EBD-92A2-2FCFAC89AC62@nokia.com> <1F82320E-5CBC-47D1-968F-6EA58D776A17@nokia.com> <6528AF40-D971-4496-8963-7540C5DDE650@nokia.com> <124B2B65-48C6-45B8-94FB-ED4368E65660@strayalpha.com> <9e18391a85bb2077cc3be318f1aed316@strayalpha.com> In-Reply-To: <9e18391a85bb2077cc3be318f1aed316@strayalpha.com> From: Jesse Gross Date: Tue, 9 Apr 2019 22:06:58 -0700 X-Gmail-Original-Message-ID: Message-ID: To: Joe Touch Cc: Daniel Migault , "FYGanga, Ilango S" , NVO3 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf-nvo3-geneve-08.txt - geneve options X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Apr 2019 05:07:15 -0000 Joe, The current text: "An option SHOULD NOT be dependent upon any other option in the packet, i.e., options can be processed independently of one another. Architecturally, options are intended to be self- descriptive and independent. This enables parallelism in option processing and reduces implementation complexity." One of the goals of this text is to enable parallel processing, so mandating in-order processing changes the meaning. We believe =E2=80=9CSHOU= LD NOT=E2=80=9D accurately captures the intent by describing the general rule = and the guiding principle - options are intended to be self-descriptive & independent. We do not want to limit the scope of what options can do in the future or what kind of options can be specified by listing exceptions. Processing of authentication, encryption, etc. is allowed and would yield correct behavior with the current text. Jesse On Wed, Apr 3, 2019 at 9:47 AM Joe Touch wrote: > > FYI, I provided suggestions in my initial post: > > - MUST process in-order > > - MUST not depend on information in earlier options, in the order they ar= e proceessed > > If you have some other reason for SHOULD NOT depend on option contents or= payload contents, they that's a separate issue. I.e., if you retain that S= HOULD NOT, it would be useful to indicate authentication, encryption, and i= ntegrity checks as possible exceptions. > > Joe > > > > > On 2019-04-03 09:18, Daniel Migault wrote: > > I agree that would be better, however I do not have a clear idea on what = could qualify as an exception. I see security as such an exception, but I c= annot say for sure that is the only exception. My concern was that the prev= ious text prevent such security extensions. The current text address that c= oncern. I am happy to hear how we could do better. > Yours, > Daniel > > On Wed, Apr 3, 2019 at 11:44 AM Joe Touch wrote: >> >> FWIW, IMO SHOULD NOT needs to come with a description of what would qual= ify as an exception. >> >> However, you can't allow two such exceptions UNLESS they're deconflicted= , i.e., who goes first. That never works well in practice because every new= option says "I come first". >> >> I.e., the point isn't whether you have exceptions - you will. The point = is to specify how those cases work, in which case you don't need the SHOULD= NOT. >> >> Joe >> >> >> >> >> On 2019-04-03 08:33, Daniel Migault wrote: >> >> Hi, >> >> My reading is that SHOULD NOT means MUST NOT unless we have a good reaso= n for it and security or checksum options fall in that category. AM I missi= ng something ? >> >> Yours, >> Daniel >> >> On Tue, Apr 2, 2019 at 11:36 PM Joe Touch wrote: >>> >>> Hi, all, >>> >>> FWIW - I don't understand this requirement. >>> >>> Clearly, an option MUST NOT depend on options that come before it in th= e order they occur, otherwise you could have options defined in a circular = manner that cannot be resolved. >>> >>> However, if you prevent options that depend on other, later options you= would undermine the ability to have an option that provides authentication= (which is useful only when it includes both the payload and subsequent opt= ions) or encryption (which should at least authenticate the option area, ev= en if it isn't encrypted). It also undermines the ability to have options t= hat create new checksum algorithms. >>> >>> Are you really seeking to prevent these future possibilities? >>> >>> Joe >>> >>> On Mar 26, 2019, at 10:30 PM, Ganga, Ilango S wrote: >>> >>> Hi Daniel, >>> >>> We updated the draft to restate the requirement on options processing, = the revised text is much simpler, provides better clarity, and retains the = original intent. We believe, this should address your concerns. >>> >>> https://mailarchive.ietf.org/arch/msg/nvo3/-jwq1fjwDufvPl8Qcbk7Iheiegg >>> >>> Revised text: >>> "An option SHOULD NOT be dependent upon any other option in the >>> packet, i.e., options can be processed independently of one >>> another. Architecturally, options are intended to be self- >>> >>> descriptive and independent. This enables parallelism in option >>> >>> processing and reduces implementation complexity." >>> >>> >>> Thanks >>> Ilango >>> >>> >>> From: Daniel Migault [mailto:daniel.migault@ericsson..com] >>> Sent: Wednesday, March 20, 2019 1:56 PM >>> To: Ganga, Ilango S >>> Cc: NVO3 >>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf= -nvo3-geneve-08.txt - geneve options >>> >>> Hi, >>> >>> I am looking at the version 12 and see how it address my concern, >>> regarding the integration of security options. >>> >>> The new text in version 12 mentions: >>> """ >>> o An option SHOULD NOT be dependent upon any other option in the >>> packet, i.e., options can be processed independent of one another= . >>> An option MUST NOT affect the parsing or interpretation of any >>> other option. However, option processing by tunnel endpoints may >>> result in the packet being dropped. Options may also be used in >>> conjunction with each other or combined with packet data but this >>> processing is done above the encapsulation layer. >>> """ >>> >>> I am reading the text as a security option can be combined with another >>> option or the data payload. More specifically, an authentication option >>> that authenticates some options and/or the payload may result in the >>> packet to be discarded or not. >>> >>> I think we are making progress. However, I am not clear about the text: >>> >>> """ but this processing is done above the encapsulation layer.""" >>> >>> I am reading the encapsulation layer as the Geneve protocol, but I am >>> not clear what the layer above is. I am assuming that is a layer >>> that takes the output of the Geneve decapsulation. If that is correct, >>> I understand the text saying Geneve processes the options even though >>> the authentication has failed. Typically, suppose option A covers >>> options O. Upon verification of A fails, Geneve processes O and returns >>> to some upper layers that O has been processed while its authentication >>> did not succeed. I am sure that I misunderstood the text, but I suggest >>> some clarification are provided to prevent such interpretation as the >>> purpose of the authenticating O MUST be able to prevent the processing >>> of the option O. >>> >>> In the current text I believe the text """but ...layer""" can be >>> removed. Another way might be to clarify the layer above the >>> encapsulation. >>> >>> >>> Yours, >>> Daniel >>> >>> >>> >>> On Fri, Mar 8, 2019 at 9:44 PM Daniel Migault wrote: >>> >>> Hi, >>> >>> Thanks for the response. Let me first recap the previous conversation, >>> or at least my perception of them. My initial comment was that the >>> current Geneve specification prevents the design of security options an= d >>> I provided an example. My understanding is there is an agreement that >>> such option is prevented by the current geneve specification and you >>> challenge the usefulness of such an option (designated as A) as well as >>> argue that an authentication upon failure MUST result in discarding the >>> packet. >>> >>> The security options considered has been mentioned in two independent >>> security analysis. The example has been described and commented >>> extensively in the threat analysis as well. I argue further that >>> mandating that dropping the packet, in our case is neither a decision >>> that can be taken at the option level, nor at the geneve level. Instead= , >>> it belongs to a policy decision that is likely to result in incoherent >>> deployments. >>> >>> As result, the current geneve specification prevents security options. >>> Please see below for more additional information. >>> >>> The current option works similarly to IPsec: IPsec/ESP is IP option. AH >>> is an option that authenticates the full IP packet.. ESP >>> authenticate/encrypt the IP payload and not the full packet. Upon >>> authentication failure *the scope of the authentication* is discarded >>> and in that sense the example I am providing is no more different. >>> >>> In our case, the option authenticate an portion of the geneve packet >>> that is limited to the option. Tthe coverage of the security option is = a >>> portion of the geneve header. As such, the option cannot mandate >>> anything outside of its coverage: the covered option O. As a result, >>> dropping the full packet is outside of the scope. Mandating a packet >>> drop hardly, in my opinion apply here. >>> >>> Options are usually non critical for interoperability. Mandating to dro= p >>> the packet when option O cannot be authenticated would contradict the >>> non critical status of that option, which is the packet can be processe= d >>> without the option. This would be a policy that overwrite the geneve >>> - as well as the geneve option - specification. >>> A possible incoherence would be if option A and O are non critical woul= d >>> be that the implementation ignoring the option A and O will accept the >>> packet, an implementation understanding option O but not option A will >>> accept the packet while the implementation understanding option A and O >>> will reject the packet. >>> >>> Yours, >>> Daniel >>> >>> >>> On Wed, Mar 6, 2019 at 9:33 PM Ganga, Ilango S wrote: >>> >>> Hi Daniel, >>> >>> Please see my responses inline below. >>> >>> Thanks, >>> Ilango >>> >>> >>> From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Daniel Migault >>> Sent: Monday, March 4, 2019 9:15 AM >>> To: Ganga, Ilango S >>> Cc: nvo3@ietf.org >>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf= -nvo3-geneve-08.txt >>> >>> Hi Ilango, >>> >>> Thanks for the response. Please see a concrete example to illustrate my= concern >>> for comment 1. For comment 2, it really helped you indicated that Genev= e is expected >>> to be an end-to-end protocol. This will help me update the security req= uirement >>> document. However, the current Geneve specification with transit device= s seems - >>> at least to me - to raise an architecture concern as raised in [1]. >>> >>> -- comment 1: >>> >>> Thanks for the feed back. I understand the purpose of keeping option >>> independent one from each other, and favour this is strongly recommende= d.. >>> However, I am not convinced this applies always. More specifically, in = a >>> context of security, the purpose of a security option may be related to >>> another option. Typically, a security option providing authentication o= r >>> encryption is potentially authenticating/encryption another option or >>> other information contained in the header. >>> >>> The typical scenario I have in mind would be an authentication option A >>> authenticating option O. There will clearly some dependencies between A >>> and O as O could only be used if A has been primarily been validated. >>> The current statement "SHOULD NOT be dependent" enables this. However, = I >>> have concerns regarding the statement "MUST NOT affect the parsing or >>> interpretation". In fact, the output of A, will determine if O should b= e >>> dropped or processed normally. In case A shows O is not appropriately >>> authenticated, O might be rejected based on its C value. The ambiguity = I >>> see is that A can be understood as affecting the parsing and >>> interpretation of O or as a pre-processing operation before parsing or >>> interpretation of O. >>> >>> I think, the text needs further clarifications to remove such ambiguity= . >>> Changing MUST NOT by SHOULD NOT was of course only one proposition and >>> this could be also addressed otherwise. It might be better, I agree, to >>> explicitly mention that some options may provide condition on the >>> parsing of the options. This would leave the parsing of the options unc= hanged. >>> >>> >>> If I understand your example correctly, you want to have one option aut= henticate the contents of another option and if that authentication fails, = drop the option. This would not drop the entire packet unless that option i= s critical. Can you give a use case for this? This seems unusual and not so= mething that is supported by other security protocols such as IPsec or TLS = to the best of our knowledge. >>> >>> I believe a more common outcome of a failed authentication is that the = entire packet would be dropped. As previously noted, the current text does = not preclude this. It seems like going beyond this would result in signific= ant complexity, both for processing options in this specific case as well a= s the possibility of introducing ambiguity in how other options might be de= fined or processed as an unintended consequence. Without a strong use case,= this does not seem desirable. >>> >>> >>> -- comment 2: >>> >>> Thanks for the response that clarifies a bit my understanding of the >>> transit devices.. I believe the issue I have is related to the transit >>> devices which I do not see, unless I am wrong, meeting the requirements >>> for being OPTIONAL and that seems - at least to me - contradicting the >>> status of end-to-end protocol. As suggested in [1], transit devices see= m to raise >>> architectural concerns that is not needed. >>> >>> You are correct that the text is clear that transit devices are >>> OPTIONAL. However, my understanding of OPTIONAL from 2119 is that there >>> are two sides of it. One is that a vendor may implement it or not, but >>> the other side is that interoperability with other implementations are >>> not affected. In this case, two Geneve endpoints using TLS or IPsec wil= l >>> not be able to interoperate with an implementation based on transit >>> devices (unless the process being performed by the transit devices is >>> also performed by the NVE). In that sense, I believe OPTIONAL statement >>> is not appropriated here.. >>> >>> An implementation with transit devices seems to prevent the >>> interoperability of with an implementation where options are treated >>> by the NVE over a secure channel. If we suppose that NVE and >>> transit devices support the same options, then transit devices are not >>> necessary and could be removed from the specification. If options >>> supported by transit devices are different from those supported by >>> the NVE, interoperability will not be achieved. Transit device will not= be >>> able to process the options, resulting in options will be ignored (whil= e >>> being supported by the implementation).. In addition, if the options >>> are critical, the NVE is likely to drop the packet as it does not suppo= rt >>> the option. >>> >>> In addition, I have some hard time to understand the end-to-end model >>> with a transit device even optional. I believe that end-to-end protocol >>> is a good path, though. However, my understanding of end-to-end protoco= l >>> is that they should only involve two end points. I see the NVE as end >>> points but the optional transit device does not seems to be one of >>> these. However, to help me understand better this, as it seems Geneve i= s >>> similar to other end-to-end protocol, maybe you could provide similar >>> end-to-end protocol that involves a transit devices or something simila= r. >>> >>> I also have another clarification regarding transit device. I see these >>> transit devices as adding a lot of complexity to the end-to-end model >>> with little benefits. Typically, as far as I understand, they can only >>> read an option. I am thus wondering whether we should not be better off >>> removing them from the specification. This would end up with a clear >>> end-to-end model. Reversely, I do not see anything preventing a vendor >>> to implement them at least for unsecure deployments. Removing them >>> from the specification would leave the transit devices as implementatio= n >>> specific. What are actually the benefits of the transit devices that wo= uld >>> justify them to be part of the specification? >>> >>> >>> Transit devices exists in the underlay network, these are simply forwar= ding elements (e.g. switches, routers) that generally forwards packets base= d on outer header information, there is nothing that stops such devices fro= m reading the contents if the data is in the clear. This works with any tr= ansport protocols like IP, IP in IP, GRE, VXLAN, etc. For example, routers= may look at headers and/or inner payload for ECMP purposes or for statisti= cs or logging purposes. If the packet is encrypted then such transit device= s cannot look into the packets but would simply forward based on the outer = headers and use information in outer headers for entropy. There is no inter= operability issue between the endpoints. Geneve is no different. >>> >>> Recognizing the fact that such a device is anyway going to exist in the= network, Geneve draft provides guidance on how to handle Geneve headers (i= f a device has the option to do so). Geneve options are part of Geneve hea= der, a transit device that is capable of interpreting Geneve headers may in= terpret an option or skip over the option to view the payload, etc. If a t= ransit device is not able interpret the header or option, it has to simply = use the outer header to forward the packet (outer IP/UDP). This is what the= Geneve draft clarifies. >>> >>> These guidelines reduce possible interoperability issues compared to if= behavior was left undefined. For example, transit devices are not allowed = to drop packets or fall back to a slow path on the basis of an unknown opti= on. If this were to happen, it would hamper the introduction of new options= . It might also be worth mentioning that anything that could be considered = a middlebox is not a transit device but needs to be modeled as an endpoint = and so Geneve really should be viewed as a tunnel endpoint-to-endpoint prot= ocol. >>> >>> >>> >>> [1] https://mailarchive.ietf.org/arch/msg/nvo3/ekLofhq8erRLE_Msuk8N_SCd= hcs >>> >>> >>> Yours, >>> Daniel >>> >>> On Sat, Mar 2, 2019 at 8:18 PM Ganga, Ilango S wrote: >>> >>> Hi Daniel, >>> >>> Let us be specific. I see that you have two comments on the latest draf= t-ietf-nvo3-geneve-09. Please see below for responses to your comments. >>> >>> Comment 1: >>> OLD >>> o An option SHOULD NOT be dependent upon any other option in the >>> packet, i.e., options can be processed independent of one another= . >>> An option MUST NOT affect the parsing or interpretation of any >>> other option. >>> >>> NEW >>> >>> o An option SHOULD NOT be dependent upon any other option in the >>> packet, i.e., options can be processed independent of one another= . >>> An option SHOULD NOT affect the parsing or interpretation of any >>> other option. >>> >>> >>> Architecturally Geneve options can be processed independent of one anot= her. The second statement clearly states that parsing or interpretation of = one option must not affect the other. This is a reasonable constraint to a= void nested dependencies. Options can be designed to work with the requirem= ents specified in Geneve. >>> >>> Let us take specific examples: >>> We could think of a design of a Header Integrity check option (related = to your example). In this case if the header integrity check fails, as a re= sult the entire header is invalid and hence the most likely outcome of a fa= iled check is that the packet being dropped (including any options in that = packet whether parsed/interpreted or not). The current text does not preclu= de the packet being dropped as result of failure. >>> >>> It is possible to design options, including any security options, with = these constraints. We don't see a reason to change this requirement that m= ay have unintended consequences. >>> >>> Comment 2: >>> >>> >>> >>> NEW >>> Security Consideration >>> >>> Geneve Overlay may be secured using by protecting the NVE-to-NVE >>> communication using IPsec or DTLS. However, such mechanisms cannot be >>> applied for deployments that include transit devices.. >>> >>> Some deployment may not be able to secure the full communication using >>> IPsec or DTLS between the NVEs. This could be motivated by the presence >>> of transit devices or by a risk analysis that concludes that the Geneve >>> packet be only partially protected - typically reduced to the Geneve >>> Header information. In such cases Geneve specific mechanisms needs to b= e >>> designed. >>> >>> The challenge is, you are asking to impose requirements that i= s not supported by Geneve architecture. Geneve has an optional feature wher= e transit devices may be able to interpret Geneve options. However this is = not a requirement for Geneve operation between tunnel end point to tunnel e= nd point. We have tried make this very clear by adding clarifying text duri= ng the last two revisions. If the Geneve packet is in the clear then transi= t devices may be able to view the Genve header, options, and the payload. H= owever if the packet is encrypted then transit devices cannot view the pack= et contents. This is consistent with other transport protocols encrypting t= he packets. So we don't see a reason why Geneve should be different. >>> >>> Geneve is an end to end protocol between tunnel endpoints and the NVEs = decide to secure (encrypt) the packets between tunnel endpoints. If a middl= e box has a need to see an encrypted packet, then it has to implement tunne= l endpoint functionality. >>> >>> We already have text in 6.4 security consideration section that provide= s clear guidance to the operators. >>> >>> So we don't see a good reason to add the suggested text above. >>> >>> For a complete threat analysis, a security analysis of Geneve or some >>> guide lines to secure a Geneve overlay network, please refer to >>> [draft-mglt-nvo3-geneve-security-requirements] as well as >>> [draft-ietf-nvo3-security-requirements]. >>> >>> >>> The security requirements document makes certain assumptions that is u= nsupported by Geneve architecture. We have tried to clarify this multiple t= imes, however you have still maintained this in the requirements document. = So this needs to be addressed. Also the document is not yet adopted by the = working group. >>> >>> Moreover, Geneve security consideration section has been significantly = enhanced to provide guidance to operators and to address the comments. So b= oth documents can progress independently. >>> >>> Thanks, >>> Ilango >>> >>> >>> From: Daniel Migault [mailto:daniel.migault@ericsson.com] >>> Sent: Saturday, March 2, 2019 8:49 AM >>> To: Bocci, Matthew (Nokia - GB) >>> Cc: draft-ietf-nvo3-geneve@ietf.org; Pankaj Garg ; NVO3 >>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf= -nvo3-geneve-08.txt >>> >>> Hi Matt, >>> >>> >>> You are correct, this is at least not an regular process to have a >>> standard track document being updated by an informational. I do not see >>> either any requirements for having a WG status to become a reference, >>> but that is something we could confirm with the RFC-editor. >>> >>> Back to the initial suggestion, I also believe the difficulties of upda= ting >>> the Geneve specifications are far less complex than updating the >>> implementation, and for that specific reason, it would be good we have = a >>> consensus on the security analyse. >>> >>> I agree that WG draft would be better, and RFC would be even better as >>> we have seen WG document being stalled. I am confident we can make this >>> happen or at least I do not see major issues. >>> >>> Yours, >>> Daniel >>> >>> >>> On Fri, Mar 1, 2019 at 11:51 AM Bocci, Matthew (Nokia - GB) wrote: >>> >>> WG, Daniel, >>> >>> Apologies but I mis-spoke on the suggestion for the security requiremen= ts to act as an update to the encapsulation RFC in future. This would be di= fficult to do as it is informational. >>> >>> Nonetheless I think we should only be referencing a WG draft (at a mini= mum) here. >>> >>> Matthew >>> >>> >>> >>> From: Dacheng Zhang on behalf of "Bocci, Matthe= w (Nokia - GB)" >>> Date: Friday, 1 March 2019 at 16:24 >>> To: Daniel Migault >>> Cc: "draft-ietf-nvo3-geneve@ietf.org" = , Pankaj Garg , NVO3 >>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf= -nvo3-geneve-08.txt >>> >>> Daniel >>> >>> From a procedural perspective, referring to your draft creates a depend= ency and that draft has not yet been adopted by the WG. The old Security re= quirements framework expired a couple of years ago and does not seem to be = being progressed. >>> Maybe a better approach to allow progress, as long as the WG can agree = to your text (if needed) to satisfy the concern that future security mechan= isms can be used, and that the evolving threat analysis is understood by im= plementers and users of Geneve, would be to mark the Geneve security requir= ements as an update to the geneve encapsulation RFC when it is published. >>> >>> Matthew >>> >>> From: Daniel Migault >>> Date: Friday, 1 March 2019 at 16:11 >>> To: "Bocci, Matthew (Nokia - GB)" >>> Cc: Pankaj Garg , "draft-ietf= -nvo3-geneve@ietf.org" , NVO3 >>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf= -nvo3-geneve-08..txt >>> >>> Hi Matthew, >>> >>> I am happy to clarify and be more specific. However, despite your >>> reading of [1] I think [1] clearly indicates the changes I expected as >>> well as that these changes needs to be made. >>> >>> I believe the responsibility of not addressing an acknowledged issue is >>> more on the side of people ignoring the issue then on the side of the >>> one raising this issue. My impression is that this is the situation we >>> are in. >>> >>> I agree that my initial comment saying "I am fine with the text if we d= o >>> not find something better." might have been confusing and I apology for >>> this. At the time of writing the initial comment I was not sure I was >>> not missing something nor that the problem could not be solved here or >>> somewhere else (in another section). My meaning behind those words were >>> that I was open to the way the concerned could be addressed. However, - >>> from my point of view - the text does not say the issue does not need t= o >>> be solved which is the way it has been interpreted. In addition, I >>> believe I have clarified this right away after the concern has been >>> acknowledged and not addressed. As result, I do not think my comment >>> could be reasonably read as the text is fine.. >>> >>> Please fine the below the initial comment its response and the response >>> to the response from [1]. >>> >>> """ >>> In case we have a option providing authentication, such option >>> may affect the interpretation of the other options. >>> s/interpretation/ndependance may not be better.... I think what we want >>> to say is that option MUST be able to be processed in any order or in >>> parallel. I am fine with the text if we do not find something better. >>> >>> >>> This is a good point, however we believe that this text >>> captures the intent. >>> >>> The problem I have is that the current text prevents security >>> options, so I guess some clarification should be brought to clarify the >>> intent. >>> """ >>> >>> If I had to suggest some text I would suggest the following - or >>> something around the following lines. >>> >>> >>> OLD >>> o An option SHOULD NOT be dependent upon any other option in the >>> packet, i.e., options can be processed independent of one another= . >>> An option MUST NOT affect the parsing or interpretation of any >>> other option. >>> >>> NEW >>> >>> o An option SHOULD NOT be dependent upon any other option in the >>> packet, i.e., options can be processed independent of one another= . >>> An option SHOULD NOT affect the parsing or interpretation of any >>> other option. >>> >>> There are rare cases were the parsing of one option affects the parsing >>> or the interpretation of other option. Option related to security may >>> fall into this category. Typically, if an option enables the >>> authentication of another option and the authentication does not >>> succeed, the authenticated option MUST NOT be processed. Other options >>> may be designed in the future. >>> >>> NEW >>> Security Consideration >>> >>> Geneve Overlay may be secured using by protecting the NVE-to-NVE >>> communication using IPsec or DTLS. However, such mechanisms cannot be >>> applied for deployments that include transit devices. >>> >>> Some deployment may not be able to secure the full communication using >>> IPsec or DTLS between the NVEs. This could be motivated by the presence >>> of transit devices or by a risk analysis that concludes that the Geneve >>> packet be only partially protected - typically reduced to the Geneve >>> Header information. In such cases Geneve specific mechanisms needs to b= e >>> designed. >>> >>> For a complete threat analysis, a security analysis of Geneve or some >>> guide lines to secure a Geneve overlay network, please refer to >>> [draft-mglt-nvo3-geneve-security-requirements] as well as >>> [draft-ietf-nvo3-security-requirements]. >>> >>> For full disclosure I am a co-author of >>> draft-mglt-nvo3-geneve-security-requirement. However the reason for >>> referring to these documents is motivated by the fact that I believe >>> these analysis provide a better security analysis than the current (OLD= ) >>> security consideration section. >>> >>> Yours, >>> Daniel >>> >>> >>> On Fri, Mar 1, 2019 at 6:03 AM Bocci, Matthew (Nokia - GB) wrote: >>> >>> Hi Daniel >>> >>> Thanks for reviewing the latest version. At this stage it would be help= ful if you could be much more concrete and give specifics. >>> >>> I think that the main issue is whether the design of Geneve prevents fu= ture security extensions. >>> >>> However, in [1], you stated that you were comfortable with the text if = nothing else could be found. >>> >>> What specifically do you want to change in the following, bearing in mi= nd that there are already claimed implementations of Geneve: >>> """ >>> o An option SHOULD NOT be dependent upon any other option in the >>> packet, i.e., options can be processed independent of one another= . >>> An option MUST NOT affect the parsing or interpretation of any >>> other option. >>> """ >>> >>> >>> Matthew >>> >>> >>> From: Daniel Migault >>> Date: Friday, 1 March 2019 at 03:06 >>> To: Pankaj Garg >>> Cc: "Bocci, Matthew (Nokia - GB)" , NVO3 , "draft-ietf-nvo3-geneve@ietf.org" >>> Subject: Re: [nvo3] Working Group Last Call and IPR Poll for draft-ietf= -nvo3-geneve-08..txt >>> >>> Hi, >>> >>> I just briefly went through the document quickly and in my opinion, the= document still faces some security issues. >>> >>> The current text (in my opinion) prevents any geneve security related >>> options. Currently Geneve cannot be secured and this prevents future >>> work to eventually secure Geneve. In my opinion the current text >>> mandates Geneve to remain unsecure. >>> >>> Geneve security option that are willing to authenticate/encrypt a part >>> of the Geneve Header will affect the parsing of the protected option an= d >>> will affect the order in which option needs to be process. Typically a >>> protected option (authenticated, encrypted) cannot or should not be >>> processed before authenticated or decrypted. >>> >>> This has already been mentioned in [1], and the text needs in my opinio= n >>> further clarifications. >>> >>> """ >>> o An option SHOULD NOT be dependent upon any other option in the >>> packet, i.e., options can be processed independent of one another= . >>> An option MUST NOT affect the parsing or interpretation of any >>> other option. >>> """ >>> >>> >>> >>> As stated in [2] it remains unclear to me why this section is not >>> referencing and leveraging on the security analysis [3-4] performed by >>> two different independent teams.. >>> >>> My reading of the security consideration is that the message is that >>> IPsec or TLS could be used to protect a geneve overlay network. This is >>> - in my opinion- not correct as this does not consider the transit >>> device. In addition, the security consideration only considers the case >>> where the cloud provider and the overlay network provider are a single >>> entity, which I believe oversimplifies the problem. >>> >>> The threat model seems to me very vague, so the current security >>> consideration is limited to solving a problem that is not stated. >>> >>> My reading of the text indicates the tenant can handle by itself the >>> confidentiality of its information without necessarily relying on the >>> overlay service provider. This is not correct. Even when the tenant use= s >>> IPsec/TLS, it still leaks some information. The current text contradict= s >>> [3] section 6.2 and [4] section 5.1. >>> >>> My reading is that the text indicates that IPsec/DTLS could be used to >>> protect the overlay service for both confidentiality and integrity. >>> While this could be used in some deployment this is not compatible with >>> transit devices. As such the generic statement is not correct. Section >>> 6.4 indicates that transit device must be trusted which is incorrect. >>> Instead the transit device with all nodes between the transit device an= d >>> the NVE needs to be trusted. Overall the impression provided is that >>> IPsec (or TLS) can be used by the service overlay provider, which is (i= n >>> my opinion) not true. >>> >>> It is unclear to me how authentication of NVE peers differs from the >>> authentication communication as the latest usually rely on the first. >>> Maybe the section should insist on mutual authentication. >>> >>> Yours, >>> Daniel >>> >>> >>> [1] https://mailarchive.ietf..org/arch/msg/nvo3/RFFjYHAUUlMvOsYwRNtdOJO= Ik9o >>> [2] https://mailarchive.ietf.org/arch/msg/nvo3/e7YHFlqIuOwIJoL2ep7jyHIr= SGw >>> [3] https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-0= 7 >>> [4] https://tools.ietf.org/html/draft-mglt-nvo3-geneve-security-require= ments-05 >>> >>> >>> >>> >>> >>> On Wed, Feb 27, 2019 at 7:30 PM Pankaj Garg wrote: >>> >>> I am not aware of any IP related to draft-ietf-nvo3-geneve which has no= t already been disclosed. >>> >>> Thanks >>> Pankaj >>> >>> From: Bocci, Matthew (Nokia - GB) >>> Sent: Tuesday, October 9, 2018 2:08 AM >>> To: NVO3 >>> Cc: draft-ietf-nvo3-geneve@ietf.org >>> Subject: Working Group Last Call and IPR Poll for draft-ietf-nvo3-genev= e-08.txt >>> >>> This email begins a two-week working group last call for draft-ietf-nvo= 3-geneve-08.txt. >>> >>> Please review the draft and post any comments to the NVO3 working group= list. If you have read the latest version of the draft but have no comment= s and believe it is ready for publication as a standards track RFC, please = also indicate so to the WG email list. >>> >>> We are also polling for knowledge of any undisclosed IPR that applies t= o this document, to ensure that IPR has been disclosed in compliance with I= ETF IPR rules (see RFCs 3979, 4879, 3669 and 5378 for more details). >>> If you are listed as an Author or a Contributor of this document, pleas= e respond to this email and indicate whether or not you are aware of any re= levant undisclosed IPR. The Document won't progress without answers from al= l the Authors and Contributors. >>> >>> Currently there are two IPR disclosures against this document. >>> >>> If you are not listed as an Author or a Contributor, then please explic= itly respond only if you are aware of any IPR that has not yet been disclos= ed in conformance with IETF rules. >>> >>> This poll will run until Friday 26th October. >>> >>> Regards >>> >>> Matthew and Sam >>> _______________________________________________ >>> nvo3 mailing list >>> nvo3@ietf.org >>> https://www.ietf.org/mailman/listinfo/nvo3 >>> >>> _______________________________________________ >>> nvo3 mailing list >>> nvo3@ietf.org >>> https://www.ietf.org/mailman/listinfo/nvo3 >>> >>> _______________________________________________ >>> nvo3 mailing list >>> nvo3@ietf.org >>> https://www.ietf.org/mailman/listinfo/nvo3 >>> >>> _______________________________________________ >>> nvo3 mailing list >>> nvo3@ietf.org >>> https://www.ietf.org/mailman/listinfo/nvo3 >>> >>> _______________________________________________ >>> nvo3 mailing list >>> nvo3@ietf.org >>> https://www.ietf.org/mailman/listinfo/nvo3 >>> >>> _______________________________________________ >>> nvo3 mailing list >>> nvo3@ietf.org >>> https://www.ietf.org/mailman/listinfo/nvo3 >>> >>> _______________________________________________ >>> nvo3 mailing list >>> nvo3@ietf.org >>> https://www.ietf.org/mailman/listinfo/nvo3 >> >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 >> >> _______________________________________________ >> nvo3 mailing list >> nvo3@ietf.org >> https://www.ietf.org/mailman/listinfo/nvo3 > > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 From nobody Wed Apr 10 00:44:14 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50DFD12013C for ; Wed, 10 Apr 2019 00:44:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oG1uhaMZ9A3r for ; Wed, 10 Apr 2019 00:44:09 -0700 (PDT) Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130102.outbound.protection.outlook.com [40.107.13.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55C8312012A for ; Wed, 10 Apr 2019 00:44:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yVplabMy37uhsTlogkk64JdZ0Z+OhDe2EOzGwDhfE9k=; b=lBdS0Hc/Cf+RiaTRkGWaquQVT2VoCJRwIcnHd61EY3oSqoFnoVGroPSqS5XOyYqC8KV6XcxYXTmq787rYZ2z5CoCRkdgWH6ot1aPF1tc/5ULoCLoCviGGGaWAt9xQgr+p6luX+qLU9Ny7N2lZlWpK67YssD9bfhxGR7+zbR44Hc= Received: from DB7PR07MB4106.eurprd07.prod.outlook.com (52.134.100.160) by DB7PR07MB4745.eurprd07.prod.outlook.com (52.135.136.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1792.8; Wed, 10 Apr 2019 07:44:06 +0000 Received: from DB7PR07MB4106.eurprd07.prod.outlook.com ([fe80::90c9:868c:4aff:709d]) by DB7PR07MB4106.eurprd07.prod.outlook.com ([fe80::90c9:868c:4aff:709d%5]) with mapi id 15.20.1792.007; Wed, 10 Apr 2019 07:44:06 +0000 From: "Bocci, Matthew (Nokia - GB)" To: NVO3 CC: "Vigoureux, Martin (Nokia - FR/Paris-Saclay)" Thread-Topic: Moving forward with draft-ietf-nvo3-geneve-13 Thread-Index: AQHU73EsjFt8p8By1Em0eaG4K0dNcg== Date: Wed, 10 Apr 2019 07:44:06 +0000 Message-ID: <7B11D56D-210E-4456-8075-B9CACF3602C5@nokia.com> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/10.17.1.190326 authentication-results: spf=none (sender IP is ) smtp.mailfrom=matthew.bocci@nokia.com; x-originating-ip: [81.108.178.133] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 579d631c-7e82-47c2-51f3-08d6bd884f89 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(4618075)(2017052603328)(7167020)(7193020); SRVR:DB7PR07MB4745; x-ms-traffictypediagnostic: DB7PR07MB4745: x-microsoft-antispam-prvs: x-forefront-prvs: 00032065B2 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(396003)(39860400002)(376002)(136003)(189003)(199004)(2906002)(6116002)(99286004)(2616005)(58126008)(316002)(486006)(86362001)(476003)(36756003)(66066001)(97736004)(3846002)(68736007)(82746002)(6916009)(71190400001)(83716004)(6486002)(71200400001)(4326008)(33656002)(14454004)(5660300002)(107886003)(478600001)(25786009)(256004)(6436002)(14444005)(105586002)(102836004)(6512007)(4744005)(26005)(55236004)(186003)(6506007)(6306002)(53936002)(54896002)(7736002)(81156014)(8676002)(8936002)(81166006)(106356001); DIR:OUT; SFP:1102; SCL:1; SRVR:DB7PR07MB4745; H:DB7PR07MB4106.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: FfDeh+VmKARReKojaYC7DRFIY8DSU6MPbIWuTV4gaLDdTwGsFA6INyFoDzyb7+LX5/pHxyBNwbDk8n5R2F9OBH37mRkhHNKQnqwJkNapD06O5uWIz/cgVg3gnSzd2GRquAb2JrGr8VA7HWX+lqrYYXq2uYOJTwwyF/jrYzhewPLDtKbizX8dP0Bc/Sm/o0OzVqBQ4AKf7HjvcpGG71vSbTOfbxbUNl63LlJAg5aHBp2vdCe0j1aDWDs/8UqezBuPTZNh17YH10fRdDNmDP5wHncepR/LSU8yqOIBH9b7ZZ8ZRgf3QCvLuivRG/DqRyqolpmXdq7ZQZ/TnfUVpE+U3uu7Y5hxBTcikojI49kf1S/yvqr9LgnH7PAWx1oIk4fyal+1chyVUOuZ1LRHNaCHATCbxNaBJlbqrOgRRQ1y43M= Content-Type: multipart/alternative; boundary="_000_7B11D56D210E44568075B9CACF3602C5nokiacom_" MIME-Version: 1.0 X-OriginatorOrg: nokia.com X-MS-Exchange-CrossTenant-Network-Message-Id: 579d631c-7e82-47c2-51f3-08d6bd884f89 X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Apr 2019 07:44:06.5574 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR07MB4745 Archived-At: Subject: [nvo3] Moving forward with draft-ietf-nvo3-geneve-13 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Apr 2019 07:44:12 -0000 --_000_7B11D56D210E44568075B9CACF3602C5nokiacom_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Rm9sa3MsDQoNCkkgYmVsaWV2ZSB0aGVyZSBpcyByb3VnaCBjb25zZW5zdXMgdG8gbW92ZSBmb3J3 YXJkIHdpdGggdGhlIHB1YmxpY2F0aW9uIG9mIGRyYWZ0LWlldGYtbnZvMy1nZW5ldmUtMTMuIEFs dGhvdWdoIHRoZXJlIGhhcyBiZWVuIHNvbWUgZnVydGhlciBkaXNjdXNzaW9uIG9uIHRoZSBsaXN0 IGFib3V0IHRoZSBwcmVjaXNlIHdvcmRpbmcgYXJvdW5kIGFueSByZXN0cmljdGlvbnMgb24gdGhl IG9yZGVyIG9mIHByb2Nlc3Npbmcgb3B0aW9ucywgYW5kIGFueSBkZXBlbmRlbmNpZXMgYmV0d2Vl biB0aGVtLCBJIGRvIG5vdCBzZWUgY29uc2Vuc3VzIHRvIG1ha2UgYSBjaGFuZ2UgdG8gdGhlIGN1 cnJlbnQgdGV4dCB0aGF0IHJlYWxseSBhZGRzIG11Y2ggY2xhcml0eS4gSSBoYXZlIG5vdGVkIHRo ZSBkaXNjdXNzaW9uIGFyb3VuZCB0aGlzIGluIHRoZSBzaGVwaGVyZOKAmXMgd3JpdGUgdXAsIGFz IHdlbGwgYXMgdGhlIGRpc2N1c3Npb24gb24gdGhlIGltcGFjdCBvZiB0cmFuc2l0IGRldmljZXMu DQoNCkJlc3QgcmVnYXJkcw0KDQpNYXR0aGV3DQo= --_000_7B11D56D210E44568075B9CACF3602C5nokiacom_ Content-Type: text/html; charset="utf-8" Content-ID: Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6bz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiB4 bWxuczp3PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTp3b3JkIiB4bWxuczptPSJo dHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL29mZmljZS8yMDA0LzEyL29tbWwiIHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy9UUi9SRUMtaHRtbDQwIj4NCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVp dj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPg0KPG1l dGEgbmFtZT0iR2VuZXJhdG9yIiBjb250ZW50PSJNaWNyb3NvZnQgV29yZCAxNSAoZmlsdGVyZWQg bWVkaXVtKSI+DQo8c3R5bGU+PCEtLQ0KLyogRm9udCBEZWZpbml0aW9ucyAqLw0KQGZvbnQtZmFj ZQ0KCXtmb250LWZhbWlseToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2 IDMgMiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToy IDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OiJUaW1lcyBO ZXcgUm9tYW4gXChCb2R5IENTXCkiOw0KCXBhbm9zZS0xOjIgMiA2IDMgNSA0IDUgMiAzIDQ7fQ0K LyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWwsIGRpdi5N c29Ob3JtYWwNCgl7bWFyZ2luOjBjbTsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1z aXplOjEyLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjt9DQphOmxpbmss IHNwYW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjojMDU2 M0MxOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBzcGFuLk1zb0h5 cGVybGlua0ZvbGxvd2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjojOTU0Rjcy Ow0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0Kc3Bhbi5FbWFpbFN0eWxlMTcNCgl7bXNv LXN0eWxlLXR5cGU6cGVyc29uYWwtY29tcG9zZTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fu cy1zZXJpZjsNCgljb2xvcjp3aW5kb3d0ZXh0O30NCi5Nc29DaHBEZWZhdWx0DQoJe21zby1zdHls ZS10eXBlOmV4cG9ydC1vbmx5Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmO30N CkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXplOjYxMi4wcHQgNzkyLjBwdDsNCgltYXJnaW46NzIu MHB0IDcyLjBwdCA3Mi4wcHQgNzIuMHB0O30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7cGFnZTpXb3Jk U2VjdGlvbjE7fQ0KLS0+PC9zdHlsZT4NCjwvaGVhZD4NCjxib2R5IGxhbmc9IkVOLUdCIiBsaW5r PSIjMDU2M0MxIiB2bGluaz0iIzk1NEY3MiI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+Rm9sa3MsPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkkgYmVs aWV2ZSB0aGVyZSBpcyByb3VnaCBjb25zZW5zdXMgdG8gbW92ZSBmb3J3YXJkIHdpdGggdGhlIHB1 YmxpY2F0aW9uIG9mIGRyYWZ0LWlldGYtbnZvMy1nZW5ldmUtMTMuIEFsdGhvdWdoIHRoZXJlIGhh cyBiZWVuIHNvbWUgZnVydGhlciBkaXNjdXNzaW9uIG9uIHRoZSBsaXN0IGFib3V0IHRoZSBwcmVj aXNlIHdvcmRpbmcgYXJvdW5kIGFueSByZXN0cmljdGlvbnMgb24gdGhlIG9yZGVyIG9mIHByb2Nl c3NpbmcNCiBvcHRpb25zLCBhbmQgYW55IGRlcGVuZGVuY2llcyBiZXR3ZWVuIHRoZW0sIEkgZG8g bm90IHNlZSBjb25zZW5zdXMgdG8gbWFrZSBhIGNoYW5nZSB0byB0aGUgY3VycmVudCB0ZXh0IHRo YXQgcmVhbGx5IGFkZHMgbXVjaCBjbGFyaXR5LiBJIGhhdmUgbm90ZWQgdGhlIGRpc2N1c3Npb24g YXJvdW5kIHRoaXMgaW4gdGhlIHNoZXBoZXJk4oCZcyB3cml0ZSB1cCwgYXMgd2VsbCBhcyB0aGUg ZGlzY3Vzc2lvbiBvbiB0aGUgaW1wYWN0IG9mIHRyYW5zaXQgZGV2aWNlcy48bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+QmVzdCByZWdhcmRzPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPk1hdHRoZXc8 bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9odG1sPg0K --_000_7B11D56D210E44568075B9CACF3602C5nokiacom_-- From nobody Wed Apr 10 00:46:14 2019 Return-Path: X-Original-To: nvo3@ietf.org Delivered-To: nvo3@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DE0B1202CC; Wed, 10 Apr 2019 00:46:12 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: Matthew Bocci via Datatracker To: X-Test-IDTracker: no X-IETF-IDTracker: 6.95.0 Auto-Submitted: auto-generated Precedence: bulk Cc: matthew.bocci@nokia.com, nvo3@ietf.org, iesg-secretary@ietf.org, Matthew Bocci , nvo3-chairs@ietf.org Message-ID: <155488237257.1192.5967575607034963572.idtracker@ietfa.amsl.com> Date: Wed, 10 Apr 2019 00:46:12 -0700 Archived-At: Subject: [nvo3] Publication has been requested for draft-ietf-nvo3-geneve-13 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Apr 2019 07:46:13 -0000 Matthew Bocci has requested publication of draft-ietf-nvo3-geneve-13 as Proposed Standard on behalf of the NVO3 working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/ From nobody Wed Apr 10 07:38:31 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E53021202DB for ; Wed, 10 Apr 2019 07:38:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JAmA5uxaT78h for ; Wed, 10 Apr 2019 07:38:26 -0700 (PDT) Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80132.outbound.protection.outlook.com [40.107.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67F20120021 for ; Wed, 10 Apr 2019 07:38:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8bHP1dW6tUx6LzZ6LRhdca0paENwbUHLxfkFCQxBu7Y=; b=Cvi2fLx83p/SUS7CiZCdMMMQgtmEV9JS/A9vGNimDfwfUj509IZILr8kWdbMPsEPkX4c66FSd71vAniwnKVPUfXknXoqcALJ1GtyxlfCJNYiCp6EBgKkQ9Cdd07oe1kgCk/5DI1IW0brPs7R/wq1VKgOeCaIkk4nBysp+sveAOs= Received: from DB7PR07MB4106.eurprd07.prod.outlook.com (52.134.100.160) by DB7PR07MB6028.eurprd07.prod.outlook.com (20.178.107.97) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1792.8; Wed, 10 Apr 2019 14:38:23 +0000 Received: from DB7PR07MB4106.eurprd07.prod.outlook.com ([fe80::90c9:868c:4aff:709d]) by DB7PR07MB4106.eurprd07.prod.outlook.com ([fe80::90c9:868c:4aff:709d%5]) with mapi id 15.20.1792.007; Wed, 10 Apr 2019 14:38:23 +0000 From: "Bocci, Matthew (Nokia - GB)" To: NVO3 Thread-Topic: Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 Thread-Index: AQHU76sMQTUR8A05LUCCECwFS11kqg== Date: Wed, 10 Apr 2019 14:38:23 +0000 Message-ID: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/10.17.1.190326 authentication-results: spf=none (sender IP is ) smtp.mailfrom=matthew.bocci@nokia.com; x-originating-ip: [46.218.58.220] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: c6407a78-509a-4e07-a73d-08d6bdc22f43 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:DB7PR07MB6028; x-ms-traffictypediagnostic: DB7PR07MB6028: x-microsoft-antispam-prvs: x-forefront-prvs: 00032065B2 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(39860400002)(376002)(396003)(346002)(366004)(199004)(189003)(7736002)(82746002)(8936002)(81156014)(256004)(14444005)(6512007)(6306002)(186003)(6506007)(2906002)(8676002)(25786009)(86362001)(97736004)(26005)(54896002)(81166006)(316002)(4744005)(6916009)(53936002)(6116002)(15650500001)(3846002)(68736007)(33656002)(2420400007)(486006)(105586002)(71200400001)(58126008)(478600001)(71190400001)(83716004)(5660300002)(66066001)(7110500001)(36756003)(99286004)(6436002)(2616005)(6486002)(476003)(106356001)(14454004)(102836004); DIR:OUT; SFP:1102; SCL:1; SRVR:DB7PR07MB6028; H:DB7PR07MB4106.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: G8a9LQqdcrsBTjc7W6oosrfKPijkkjSpkvkznLL7Z2CMmx/xc4MDc0GjGSHsv4rGi37avHyluAOVloXEvqiKSkcr5LPoeOkQ/HCO9O1StXJCZGiUXcrBI5PIQU1bj2AnCAm1LNN95v2FSXG5zrcLj1lzI3rIA5Lh4Ce3xpIJoscyuWhOIPIFNSkdnxKetnBp7ERin8E9aKox5aD2WQzFmmrlVLzD+5aCUl74V6P4xJkCLiqLOYJ9iiePvVrNbEEGwRcbQzwjn3pzfUmEE1ntuUafQI5yRs9kq427rVfJA0yiE94/o+mKUCpCWnRZwMqwwEaw9JjCFNf0tU6pJja7u2JqwAAoq3qd8umI+rhWUcaymZQfGvs8uhzh6ruUfF4ms+a5Go73eK9qGuVNyRteY3WXn5+o94AuS7uHWqbLHcU= Content-Type: multipart/alternative; boundary="_000_C4BF72BAA692403285E72A20992CCA37nokiacom_" MIME-Version: 1.0 X-OriginatorOrg: nokia.com X-MS-Exchange-CrossTenant-Network-Message-Id: c6407a78-509a-4e07-a73d-08d6bdc22f43 X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Apr 2019 14:38:23.2811 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR07MB6028 Archived-At: Subject: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Apr 2019 14:38:29 -0000 --_000_C4BF72BAA692403285E72A20992CCA37nokiacom_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VGhpcyBlbWFpbCBiZWdpbnMgYSBzZWNvbmQgdHdvLXdlZWsgcG9sbCBmb3IgYWRvcHRpb24gb2Yg ZHJhZnQtbWdsdC1udm8zLWdlbmV2ZS1zZWN1cml0eS1yZXF1aXJlbWVudHMtMDYgaW4gdGhlIE5W TzMgd29ya2luZyBncm91cC4NCg0KUGxlYXNlIHJldmlldyB0aGUgZHJhZnQgYW5kIHNlbmQgYW55 IGNvbW1lbnRzIHRvIHRoZSBOVk8zIGxpc3QuDQoNClBsZWFzZSBhbHNvIGluZGljYXRlIHdoZXRo ZXIgeW91IHN1cHBvcnQgYWRvcHRpb24gb2YgdGhlIGRyYWZ0IGFzIGFuIE5WTzMgd29ya2luZyBn cm91cCBkb2N1bWVudC4NCg0KTm90ZSB0aGF0IHN1cHBvcnRpbmcgd29ya2luZyBncm91cCBhZG9w dGlvbiBpbmRpY2F0ZXMgdGhhdCB5b3UgdGhpbmsgdGhlIGRyYWZ0IGlzIGhlYWRlZCBpbiB0aGUg cmlnaHQgZGlyZWN0aW9uIGFuZCByZXByZXNlbnRzIGEgcGllY2Ugb2Ygd29yayB0aGF0IHRoZSB3 b3JraW5nIGdyb3VwIHNob3VsZCB0YWtlIG9uIGFuZCBwcm9ncmVzcy4gSXQgZG9lcyBub3QgaGF2 ZSB0byBiZSB0ZWNobmljYWxseSBwZXJmZWN0IGF0IHRoaXMgc3RhZ2UuDQoNClRoaXMgcG9sbCBj bG9zZXMgb24gV2VkbmVzZGF5IDI0dGggQXByaWwgMjAxOS4NCg0KUmVnYXJkcw0KTWF0dGhldyBh bmQgU2FtDQoNCg== --_000_C4BF72BAA692403285E72A20992CCA37nokiacom_ Content-Type: text/html; charset="utf-8" Content-ID: Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6bz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiB4 bWxuczp3PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTp3b3JkIiB4bWxuczptPSJo dHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL29mZmljZS8yMDA0LzEyL29tbWwiIHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy9UUi9SRUMtaHRtbDQwIj4NCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVp dj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPg0KPG1l dGEgbmFtZT0iR2VuZXJhdG9yIiBjb250ZW50PSJNaWNyb3NvZnQgV29yZCAxNSAoZmlsdGVyZWQg bWVkaXVtKSI+DQo8c3R5bGU+PCEtLQ0KLyogRm9udCBEZWZpbml0aW9ucyAqLw0KQGZvbnQtZmFj ZQ0KCXtmb250LWZhbWlseToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2 IDMgMiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToy IDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OiJUaW1lcyBO ZXcgUm9tYW4gXChCb2R5IENTXCkiOw0KCXBhbm9zZS0xOjIgMiA2IDMgNSA0IDUgMiAzIDQ7fQ0K LyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWwsIGRpdi5N c29Ob3JtYWwNCgl7bWFyZ2luOjBjbTsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1z aXplOjEyLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjt9DQphOmxpbmss IHNwYW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjojMDU2 M0MxOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBzcGFuLk1zb0h5 cGVybGlua0ZvbGxvd2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjojOTU0Rjcy Ow0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0Kc3Bhbi5FbWFpbFN0eWxlMTcNCgl7bXNv LXN0eWxlLXR5cGU6cGVyc29uYWwtY29tcG9zZTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fu cy1zZXJpZjsNCgljb2xvcjp3aW5kb3d0ZXh0O30NCnNwYW4uYXBwbGUtY29udmVydGVkLXNwYWNl DQoJe21zby1zdHlsZS1uYW1lOmFwcGxlLWNvbnZlcnRlZC1zcGFjZTt9DQouTXNvQ2hwRGVmYXVs dA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIs c2Fucy1zZXJpZjt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo2MTIuMHB0IDc5Mi4wcHQ7 DQoJbWFyZ2luOjcyLjBwdCA3Mi4wcHQgNzIuMHB0IDcyLjBwdDt9DQpkaXYuV29yZFNlY3Rpb24x DQoJe3BhZ2U6V29yZFNlY3Rpb24xO30NCi0tPjwvc3R5bGU+DQo8L2hlYWQ+DQo8Ym9keSBsYW5n PSJFTi1HQiIgbGluaz0iIzA1NjNDMSIgdmxpbms9IiM5NTRGNzIiPg0KPGRpdiBjbGFzcz0iV29y ZFNlY3Rpb24xIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2NvbG9yOmJsYWNrIj5UaGlzIGVtYWlsIGJlZ2lucyBhIHNlY29uZCB0d28td2VlayBw b2xsIGZvciZuYnNwO2Fkb3B0aW9uJm5ic3A7b2YgZHJhZnQtbWdsdC1udm8zLWdlbmV2ZS1zZWN1 cml0eS1yZXF1aXJlbWVudHMtMDYgaW4gdGhlIE5WTzMgd29ya2luZyBncm91cC48L3NwYW4+PHNw YW4gc3R5bGU9ImNvbG9yOmJsYWNrIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xvcjpibGFjayI+PG86 cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPlBsZWFzZSByZXZpZXcgdGhlIGRyYWZ0 IGFuZCBzZW5kIGFueSBjb21tZW50cyB0byB0aGUgTlZPMyBsaXN0Ljwvc3Bhbj48c3BhbiBzdHls ZT0iY29sb3I6YmxhY2siPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOmJsYWNrIj48bzpwPiZuYnNw OzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9u dC1zaXplOjExLjBwdDtjb2xvcjpibGFjayI+UGxlYXNlIGFsc28gaW5kaWNhdGUgd2hldGhlciB5 b3Ugc3VwcG9ydCZuYnNwO2Fkb3B0aW9uJm5ic3A7b2YgdGhlIGRyYWZ0IGFzIGFuIE5WTzMgd29y a2luZyBncm91cCBkb2N1bWVudC48L3NwYW4+PHNwYW4gc3R5bGU9ImNvbG9yOmJsYWNrIj48bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9u dC1zaXplOjExLjBwdDtjb2xvcjpibGFjayI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6 YmxhY2siPk5vdGUgdGhhdCBzdXBwb3J0aW5nIHdvcmtpbmcgZ3JvdXAgYWRvcHRpb24gaW5kaWNh dGVzIHRoYXQgeW91IHRoaW5rIHRoZSBkcmFmdCBpcyBoZWFkZWQgaW4gdGhlIHJpZ2h0IGRpcmVj dGlvbiBhbmQgcmVwcmVzZW50cyBhIHBpZWNlIG9mIHdvcmsgdGhhdCB0aGUgd29ya2luZyBncm91 cCBzaG91bGQgdGFrZSBvbiBhbmQgcHJvZ3Jlc3MuDQogSXQgZG9lcyBub3QgaGF2ZSB0byBiZSB0 ZWNobmljYWxseSBwZXJmZWN0IGF0IHRoaXMgc3RhZ2UuPG86cD48L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6 YmxhY2siPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOmJsYWNrIj5UaGlzIHBvbGwgY2xv c2VzIG9uIFdlZG5lc2RheSAyNHRoIEFwcmlsIDIwMTkuPC9zcGFuPjxzcGFuIHN0eWxlPSJjb2xv cjpibGFjayI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPjxvOnA+Jm5ic3A7PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2NvbG9yOmJsYWNrIj5SZWdhcmRzPC9zcGFuPjxzcGFuIHN0eWxlPSJjb2xvcjpibGFj ayI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPk1hdHRoZXcgYW5kIFNhbTwvc3Bhbj48 c3BhbiBzdHlsZT0iY29sb3I6YmxhY2siPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2JvZHk+DQo8L2h0 bWw+DQo= --_000_C4BF72BAA692403285E72A20992CCA37nokiacom_-- From nobody Thu Apr 11 11:48:52 2019 Return-Path: X-Original-To: nvo3@ietf.org Delivered-To: nvo3@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 41C8012030F; Thu, 11 Apr 2019 11:48:50 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: nvo3@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.95.0 Auto-Submitted: auto-generated Precedence: bulk Reply-To: nvo3@ietf.org Message-ID: <155500853020.13775.17180244856358160604@ietfa.amsl.com> Date: Thu, 11 Apr 2019 11:48:50 -0700 Archived-At: Subject: [nvo3] I-D Action: draft-ietf-nvo3-vxlan-gpe-07.txt X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Apr 2019 18:48:50 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Network Virtualization Overlays WG of the IETF. Title : Generic Protocol Extension for VXLAN Authors : Fabio Maino (Editor) Larry Kreeger (editor) Uri Elzur (editor) Filename : draft-ietf-nvo3-vxlan-gpe-07.txt Pages : 19 Date : 2019-04-11 Abstract: This draft describes extending Virtual eXtensible Local Area Network (VXLAN), via changes to the VXLAN header, with three new capabilities: support for multi-protocol encapsulation, operations, administration and management (OAM) signaling and explicit versioning. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-nvo3-vxlan-gpe/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07 https://datatracker.ietf.org/doc/html/draft-ietf-nvo3-vxlan-gpe-07 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-nvo3-vxlan-gpe-07 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Thu Apr 11 23:50:54 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDA6F12011C; Thu, 11 Apr 2019 23:50:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id InAmAHhY84DP; Thu, 11 Apr 2019 23:50:46 -0700 (PDT) Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 885B11200BA; Thu, 11 Apr 2019 23:50:46 -0700 (PDT) Received: by mail-lf1-x129.google.com with SMTP id w23so6622460lfc.9; Thu, 11 Apr 2019 23:50:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=oWv/Lj4kYc6i1g5r9KJEo6BmTHihuufiwSzmf++XGi8=; b=bPO/h0OnDcTAYMSCVwrSaIWFBeKo5/unpEZc4MCNGTTcuaCq1uxra7dUvs3lgi9JwG mH4dFu7I3xP/fzWBQao18CNeNP1z88I+12bwKzNe6hYLv5Dpuk6KPWI01MqdomnaoS1F ZWURH+85za8Ss5AeJ0kQk6sNyvLaiIuySigysCF5HembBLW6Bpg22agJq6CeumJMDlzn li4FUBHkqcrF5Wd+uArvZIW99Z2yBKCezZuqVhSBfimdmabRY0zBYOEH0t97Kf1kMPDg 5/OIiOPXU+lMKQWZD3b5PZknpgMvhWeVAdTpN5oCJkh9HKD/+N6zAkIZ6gca3HcZJIkB E5Xw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=oWv/Lj4kYc6i1g5r9KJEo6BmTHihuufiwSzmf++XGi8=; b=jP1WwHPuM43UM2I4NQ5SYGTADEsj839m4l9+oidGHFHgF5aEANJWCoa9AdSib9ZOst sHf0kMFzjIhdY6IX/rER02TwTrqyouwWS7GSUgaMorLYsW6tQbVMcG1BEpmr5kSsOtG4 xBRta4MZE+1HDcpUSMGtj51Fp7ULjtTBiQOh4ts/0UwiDKuvW9olldWIjmi2Ybn2voqQ Ve2lXd4D4Q7bX8yxHDpZF7WbO2XgJkisTtKFGbmMhhJoJaZ+xYCPTE8XQdeSeQ/K0wvp PZs1smVzAJDiWUnIqpGwCNYQ4T5AhUZFA1ptJy3aZIhzgFTswPhtKsZ23hQwmpyO+WEI c4tw== X-Gm-Message-State: APjAAAXZKL7a+KadJpIBXgq8Mi/Cy7du6bzX2PLm1cW9GcPKqhkAd+93 QEpJlR1fOyhLnaUdO4G6mdHhJ94yytKJUuKucY5LX8ESHDo= X-Google-Smtp-Source: APXvYqyn2m6n4oPYCNekKj+mY8XbXHjbh75lTR0WL2V5PQQ6yqUQt6uS/XSSGfzrd8CvhE8fb/s41yiU48K/rSGPYcs= X-Received: by 2002:ac2:4303:: with SMTP id l3mr10673271lfh.61.1555051844076; Thu, 11 Apr 2019 23:50:44 -0700 (PDT) MIME-Version: 1.0 From: Greg Mirsky Date: Fri, 12 Apr 2019 08:50:34 +0200 Message-ID: To: draft-ietf-nvo3-vxlan-gpe@ietf.org, NVO3 Content-Type: multipart/alternative; boundary="000000000000c608eb05864fb851" Archived-At: Subject: [nvo3] Comments on draft-ietf-nvo3-vxlan-gpe X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 06:50:53 -0000 --000000000000c608eb05864fb851 Content-Type: text/plain; charset="UTF-8" Dear Editors, et al., I've read the latest -07 version and would like to share my comments and questions with you: - in the earlier version of the draft, the O-bit was introduced and defined as: OAM Flag Bit (O bit): The O bit is set to indicate that the packet is an OAM packet. At the same time, in the latest version, the new Next Protocol value (0x81) to identify iOAM Data was introduced. Hence are my questions: - What must be the value of the O-bit when the value of the Next Protocol field is iOAM? - Do you plan to define the Next Protocol values for active OAM protocols, e.g., Echo Request/Reply, BFD, Performance Monitoring? - How to interpret the situation when the O-bit value is 1 but the value of the Next Protocol field is, for example, NSH, i.e., not any of OAM protocols? - I believe that the use of the dedicated OAM flag and the Next Protocol field for a fixed-size header that cannot include meta-data is unwarranted and adds unnecessary complexity. I suggest not to use O-bit in the VXLAN-GPE header and release it into the Reserved field. I don't see the apparent benefit of using the flag, as the VXLA-GPE uses the fixed size header and the header cannot carry OAM data in it. The only role the VXLAN-GPE header must perform, in my opinion, is to unambiguously identify the payload type that immediately follows the header as OAM (demultiplexing OAM protocols may be done in OAM Header shim). Much appreciate your consideration. Regards, Greg --000000000000c608eb05864fb851 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Dear Editors, et al.,
I've read t= he latest -07 version and would like to share my comments and questions wit= h you:
  • in the earlier version of the draft, the O-bit was= introduced and defined as:
OAM Flag Bit (O bit):=C2=A0 The O= bit is set to indicate that the packet is an OAM packet.
=
At the same time, in the latest version, the new Next Protoc= ol value (0x81) to identify iOAM Data was introduced. Hence are my question= s:
  • What=C2=A0must be the value of the O-bit when the value of = the Next Protocol field is iOAM?
  • Do you plan to define the Next Pro= tocol values for active OAM protocols, e.g., Echo Request/Reply, BFD, Perfo= rmance Monitoring?
  • How to interpret the situation when the O-bit va= lue is 1 but the value of the Next Protocol field is, for example, NSH, i.e= ., not any of OAM protocols?
  • I believe that the use of the dedicated OAM flag and the Next Protoco= l field for a fixed-size header that cannot include meta-data is unwarrante= d and adds unnecessary complexity. I suggest not to use O-bit in the VXLAN-= GPE header and release it into the Reserved field.=C2=A0 I don't see th= e apparent benefit of using the flag, as the VXLA-GPE uses the fixed size h= eader and the header cannot carry OAM data in it. The only role the VXLAN-G= PE header must perform, in my opinion, is to unambiguously identify the pay= load type that immediately follows the header as OAM (demultiplexing OAM pr= otocols may be done in OAM Header shim).
    • Much appreciat= e your consideration.

    Regards,
    Greg
    --000000000000c608eb05864fb851-- From nobody Fri Apr 12 04:44:23 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65C8A1202A3 for ; Fri, 12 Apr 2019 04:44:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.647 X-Spam-Level: X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1i7h0Hj-uusk for ; Fri, 12 Apr 2019 04:44:19 -0700 (PDT) Received: from mail-lj1-f178.google.com (mail-lj1-f178.google.com [209.85.208.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37826120227 for ; Fri, 12 Apr 2019 04:44:19 -0700 (PDT) Received: by mail-lj1-f178.google.com with SMTP id h21so8528927ljk.13 for ; Fri, 12 Apr 2019 04:44:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qpDXl+L6Yv7YOhZeotKTPrUwpjif3WitRtDpsFGaRpc=; b=lFX+lGvtQzztdN/V+3Lwn8o1b13ikkRuLGSNSXf61S+uW+GTedV8MKWw4EwMbNXQgV ndu4V8NJ5qH+ZEhGHGVgpOS2e+WnXpyq/Rb1filbfEMr63EhnTj3W6FeV46LE6IA4xbq c0MXKB1pCkODiedapbWPNMDFGK9DJz7HmyFqVzCUQcUcES3zQI5m17H1OClDtLH2uV2k K7+MYhbII20rKieUul9PJedkKZmyOrToly003U+uPjPmQ0NfvxxD3VEKt11pOE/xeULr vipDLnakmO+Y73rFqRhhSYfY7gGUvwGwCugqS3RQqzlLPTPshrD/mlcMyXRjPzjJ9naK Xb6g== X-Gm-Message-State: APjAAAWyxae3qGfzhY/wmeNQDNG0uP+mAqJMwOwlWCQWz/+/2wNyp67Z Gxv5sQO8qmBkQnvS1IY6DFbBn0OnqwZ6Nf40ves= X-Google-Smtp-Source: APXvYqwLeK8jP+880FHepfegTEVGrlSJOMZsw++BwY8I4QPIzxlH3kjLVmU1C85ty9JMvLtmCChKNrpus4maaze6tmA= X-Received: by 2002:a2e:5056:: with SMTP id v22mr29638130ljd.153.1555069457460; Fri, 12 Apr 2019 04:44:17 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Daniel Migault Date: Fri, 12 Apr 2019 07:44:05 -0400 Message-ID: To: "Bocci, Matthew (Nokia - GB)" Cc: NVO3 Content-Type: multipart/alternative; boundary="0000000000009cf2b5058653d25e" Archived-At: Subject: Re: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 11:44:21 -0000 --0000000000009cf2b5058653d25e Content-Type: text/plain; charset="UTF-8" As a co-author, I am supporting the adoption of the draft. Yours, Daniel On Wed, Apr 10, 2019 at 10:38 AM Bocci, Matthew (Nokia - GB) < matthew.bocci@nokia.com> wrote: > This email begins a second two-week poll for adoption of > draft-mglt-nvo3-geneve-security-requirements-06 in the NVO3 working group. > > > > Please review the draft and send any comments to the NVO3 list. > > > > Please also indicate whether you support adoption of the draft as an NVO3 > working group document. > > > > Note that supporting working group adoption indicates that you think the > draft is headed in the right direction and represents a piece of work that > the working group should take on and progress. It does not have to be > technically perfect at this stage. > > > > This poll closes on Wednesday 24th April 2019. > > > > Regards > > Matthew and Sam > > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > --0000000000009cf2b5058653d25e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
    As a co-author, I am supporting the adoption of the draft.= =C2=A0
    Yours,=C2=A0
    Daniel

    On Wed, Apr 10, 2019 at 10:38 AM Boc= ci, Matthew (Nokia - GB) <mat= thew.bocci@nokia.com> wrote:

    This emai= l begins a second two-week poll for=C2=A0adoption=C2=A0of draft-mglt-nvo3-g= eneve-security-requirements-06 in the NVO3 working group.

    = =C2=A0

    Please re= view the draft and send any comments to the NVO3 list.

    = =C2=A0

    Please al= so indicate whether you support=C2=A0adoption=C2=A0of the draft as an NVO3 = working group document.

    = =C2=A0

    Note that= supporting working group adoption indicates that you think the draft is he= aded in the right direction and represents a piece of work that the working= group should take on and progress. It does not have to be technically perfect at this stage.

    = =C2=A0

    This poll= closes on Wednesday 24th April 2019.=

    = =C2=A0

    Regards

    Matthew a= nd Sam

    =C2=A0

    _______________________________________________
    nvo3 mailing list
    nvo3@ietf.org
    https://www.ietf.org/mailman/listinfo/nvo3
    --0000000000009cf2b5058653d25e-- From nobody Fri Apr 12 05:23:27 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C89F712024C; Fri, 12 Apr 2019 05:23:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.501 X-Spam-Level: X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RE4QqL88Gq7c; Fri, 12 Apr 2019 05:23:24 -0700 (PDT) Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6B9D12011D; Fri, 12 Apr 2019 05:23:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3654; q=dns/txt; s=iport; t=1555071804; x=1556281404; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=GqmhGuDewsOcqkAADpJC/7weJtUBELKMqe+oxNUQtKI=; b=A9SzJo5oAgKXeYE6VTunuJ8viiMCuCMeO6S49bsg3op6a9XXgj4Qa7Gf 6LcbxiyT+E1oywgi3koDBryn7lS39opdKtrkIjR0hFKj2B1xsFDOf1C1C 72plpQIW2X6VdNSJyMCjLzMW3Jt+uYa6hLCWZEfPgxPG4l7dbDAwo9mya g=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AKAAAhgrBc/5pdJa1bChoBAQEBAQI?= =?us-ascii?q?BAQEBBwIBAQEBgVMDAQEBAQsBgWEFKmiBAygKhASVESWJOY8PFIFnDgEBGAu?= =?us-ascii?q?ESgIXhV8jNgcOAQMBAQoBAgECbRwMhUoBAQEDAQEBIRE6CwULAgEIGAICJgI?= =?us-ascii?q?CAh8GCxUQAgQOBYMiAYFpAw0PD6wQgS+FRoI9DYIbBoELJwGLRheBQD+BESc?= =?us-ascii?q?ME4JMPoIaRwEBgSkNKgGDCjGCJgONIIwTjAssNgkCggWOSoNHGoIHhhqDZYh?= =?us-ascii?q?pk0+JLIJ0AhEVgTAmByqBVnAVOyoBgkE+gnABAodchT9BMY9RgSABAQ?= X-IronPort-AV: E=Sophos;i="5.60,341,1549929600"; d="scan'208";a="257357018" Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 12 Apr 2019 12:23:22 +0000 Received: from XCH-RTP-020.cisco.com (xch-rtp-020.cisco.com [64.101.220.160]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x3CCNM6T015920 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 12 Apr 2019 12:23:22 GMT Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-020.cisco.com (64.101.220.160) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 12 Apr 2019 08:23:21 -0400 Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1473.003; Fri, 12 Apr 2019 08:23:21 -0400 From: "Carlos Pignataro (cpignata)" To: Greg Mirsky CC: "draft-ietf-nvo3-vxlan-gpe@ietf.org" , NVO3 Thread-Topic: [nvo3] Comments on draft-ietf-nvo3-vxlan-gpe Thread-Index: AQHU8Pwb4PQUm0Sk6kyANyiY2S4odqY4th6A Date: Fri, 12 Apr 2019 12:23:21 +0000 Message-ID: <12ACA02A-BB51-4214-A72B-1AEFCCB914AC@cisco.com> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3445.104.8) x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.118.116.132] Content-Type: text/plain; charset="utf-8" Content-ID: Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-Outbound-SMTP-Client: 64.101.220.160, xch-rtp-020.cisco.com X-Outbound-Node: rcdn-core-3.cisco.com Archived-At: Subject: Re: [nvo3] Comments on draft-ietf-nvo3-vxlan-gpe X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 12:23:26 -0000 R3JlZywNCg0KWW91IHNlZW0gdG8gYmUgY29uZnVzaW5nIGFuZCBtaXhpbmcgdGhpbmdzIHVwLg0K DQpQbGVhc2Ugc2VlIGlubGluZS4NCg0KPiBPbiBBcHIgMTIsIDIwMTksIGF0IDI6NTAgQU0sIEdy ZWcgTWlyc2t5IDxncmVnaW1pcnNreUBnbWFpbC5jb20+IHdyb3RlOg0KPiANCj4gRGVhciBFZGl0 b3JzLCBldCBhbC4sDQo+IEkndmUgcmVhZCB0aGUgbGF0ZXN0IC0wNyB2ZXJzaW9uIGFuZCB3b3Vs ZCBsaWtlIHRvIHNoYXJlIG15IGNvbW1lbnRzIGFuZCBxdWVzdGlvbnMgd2l0aCB5b3U6DQo+IAni gKIgaW4gdGhlIGVhcmxpZXIgdmVyc2lvbiBvZiB0aGUgZHJhZnQsIHRoZSBPLWJpdCB3YXMgaW50 cm9kdWNlZCBhbmQgZGVmaW5lZCBhczoNCj4gT0FNIEZsYWcgQml0IChPIGJpdCk6ICBUaGUgTyBi aXQgaXMgc2V0IHRvIGluZGljYXRlIHRoYXQgdGhlIHBhY2tldCBpcyBhbiBPQU0gcGFja2V0Lg0K PiBBdCB0aGUgc2FtZSB0aW1lLCBpbiB0aGUgbGF0ZXN0IHZlcnNpb24sIHRoZSBuZXcgTmV4dCBQ cm90b2NvbCB2YWx1ZSAoMHg4MSkgdG8gaWRlbnRpZnkgaU9BTSBEYXRhIHdhcyBpbnRyb2R1Y2Vk LiBIZW5jZSBhcmUgbXkgcXVlc3Rpb25zOg0KPiAJ4oCiIFdoYXQgbXVzdCBiZSB0aGUgdmFsdWUg b2YgdGhlIE8tYml0IHdoZW4gdGhlIHZhbHVlIG9mIHRoZSBOZXh0IFByb3RvY29sIGZpZWxkIGlz IGlPQU0/DQoNClRoZSBPIGJpdCDigJxpcyBzZXQgdG8gaW5kaWNhdGUgdGhhdCB0aGUgcGFja2V0 IGlzIGFuIE9BTSBwYWNrZXTigJ0uDQpJQU9NIGlzIG5vdCBhbiBPQU0gcGFja2V0LiBIZW5jZSwg TyBiaXQgY2xlYXIgaWYgVlhMQU4tR1BFIGVuY2Fwc3VsYXRlcyBhIG5vbi1PQU0gcGFja2V0IGFu ZCBhZGRzIGFuIElPQU0gc2hpbS4NCg0KPiAJ4oCiIERvIHlvdSBwbGFuIHRvIGRlZmluZSB0aGUg TmV4dCBQcm90b2NvbCB2YWx1ZXMgZm9yIGFjdGl2ZSBPQU0gcHJvdG9jb2xzLCBlLmcuLCBFY2hv IFJlcXVlc3QvUmVwbHksIEJGRCwgUGVyZm9ybWFuY2UgTW9uaXRvcmluZz8NCg0KSSBjYW5ub3Qg c3BlYWsgdG8g4oCccGxhbnPigJ0gKHJlcGx5aW5nIGFzIOKAnGV0IGFsLuKAnSwgbm90IGFzIOKA nGVkaXRvcuKAnSksIGJ1dCBJIGV4cGVjdCBPQU0gZG9jdW1lbnRzIG91Z2h0IHRvIGhhdmUgdGhv c2UgcmVxdWVzdGVkLCBhbmQgeW91IGRvIG5vdCBuZWVkIG5lY2Vzc2FyaWx5IGFsbCBvZiB0aG9z ZSDigJQgdGhlIG5leCBwcm90b2NvbCBJUHY0IC8gSVB2NiBjYW4gZW5jYXBzdWxhdGUgSUNNUCwg VURQL0JGRCwgZXRjLiwgZXRjLiwgZXRjLiwgZXRjLg0KDQo+IAnigKIgSG93IHRvIGludGVycHJl dCB0aGUgc2l0dWF0aW9uIHdoZW4gdGhlIE8tYml0IHZhbHVlIGlzIDEgYnV0IHRoZSB2YWx1ZSBv ZiB0aGUgTmV4dCBQcm90b2NvbCBmaWVsZCBpcywgZm9yIGV4YW1wbGUsIE5TSCwgaS5lLi4sIG5v dCBhbnkgb2YgT0FNIHByb3RvY29scz8NCg0KSSBleHBlY3QgaXQgbWVhbnMgdGhlcmXigJlzIE9B TSB3aXRoaW4gdGhhdCBOU0ggKHNvbWV0aW1lcyB0aGVyZeKAmXMgbm8gc3VjaCB0aGluZ3MgYXMg 4oCcT0FNIFByb3RvY29sc+KAnSksIG9yIGFuIHVuaGFuZGxlZCBPQU0gcHJvdG9jb2wuDQoNCj4g CeKAoiBJIGJlbGlldmUgdGhhdCB0aGUgdXNlIG9mIHRoZSBkZWRpY2F0ZWQgT0FNIGZsYWcgYW5k IHRoZSBOZXh0IFByb3RvY29sIGZpZWxkIGZvciBhIGZpeGVkLXNpemUgaGVhZGVyIHRoYXQgY2Fu bm90IGluY2x1ZGUgbWV0YS1kYXRhIGlzIHVud2FycmFudGVkIGFuZCBhZGRzIHVubmVjZXNzYXJ5 IGNvbXBsZXhpdHkuDQoNCkRpc2FncmVlLiANCg0KU2VlIGV4YW1wbGUgd2hlcmUgcHJvdG9jb2wg aXMgSVAgY2FycnlpbmcgYW4gT0FNIHBhY2tldC4NCg0KPiBJIHN1Z2dlc3Qgbm90IHRvIHVzZSBP LWJpdCBpbiB0aGUgVlhMQU4tR1BFIGhlYWRlciBhbmQgcmVsZWFzZSBpdCBpbnRvIHRoZSBSZXNl cnZlZCBmaWVsZC4gIEkgZG9uJ3Qgc2VlIHRoZSBhcHBhcmVudCBiZW5lZml0IG9mIHVzaW5nIHRo ZSBmbGFnLCBhcyB0aGUgVlhMQS1HUEUgdXNlcyB0aGUgZml4ZWQgc2l6ZSBoZWFkZXIgYW5kIHRo ZSBoZWFkZXIgY2Fubm90IGNhcnJ5IE9BTSBkYXRhIGluIGl0LiBUaGUgb25seSByb2xlIHRoZSBW WExBTi1HUEUgaGVhZGVyIG11c3QgcGVyZm9ybSwgaW4gbXkgb3BpbmlvbiwgaXMgdG8gdW5hbWJp Z3VvdXNseSBpZGVudGlmeSB0aGUgcGF5bG9hZCB0eXBlIHRoYXQgaW1tZWRpYXRlbHkgZm9sbG93 cyB0aGUgaGVhZGVyIGFzIE9BTSAoZGVtdWx0aXBsZXhpbmcgT0FNIHByb3RvY29scyBtYXkgYmUg ZG9uZSBpbiBPQU0gSGVhZGVyIHNoaW0pLg0KPiBNdWNoIGFwcHJlY2lhdGUgeW91ciBjb25zaWRl cmF0aW9uLg0KPiANCg0KQmVzdCwNCg0K4oCUDQpDYXJsb3MgUGlnbmF0YXJvLCBjYXJsb3NAY2lz Y28uY29tDQoNCuKAnFNvbWV0aW1lcyBJIHVzZSBiaWcgd29yZHMgdGhhdCBJIGRvIG5vdCBmdWxs eSB1bmRlcnN0YW5kLCB0byBtYWtlIG15c2VsZiBzb3VuZCBtb3JlIHBob3Rvc3ludGhlc2lzLiIN Cg0KPiBSZWdhcmRzLA0KPiBHcmVnDQo+IF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fDQo+IG52bzMgbWFpbGluZyBsaXN0DQo+IG52bzNAaWV0Zi5vcmcNCj4g aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9udm8zDQoNCg== From nobody Fri Apr 12 05:24:10 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19DFA1201B2 for ; Fri, 12 Apr 2019 05:24:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id knI8wY9p3SgZ for ; Fri, 12 Apr 2019 05:24:07 -0700 (PDT) Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1576F12011D for ; Fri, 12 Apr 2019 05:24:07 -0700 (PDT) Received: by mail-lf1-x12a.google.com with SMTP id t30so7333077lfd.8 for ; Fri, 12 Apr 2019 05:24:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=foZnZ2UVObpCu19zi3pbwMhkG358nzyErjbTFs2nm4E=; b=cij8xu4jugyE4CrISXcUxfnC6SCnyV8npbeWQsa5ddrnq/uHrFHe64oWyBm/9Q83w+ nlxODkMvaGgnExqenfZAnxDeD9CsshAsJMoetUSMdp6/TDuH/ckKL0L7oCEIgE5yNhco Xg3Fm2Ak8YlBrgAc+ZzYBn7lQA8DZ6NWbwqnzC0abXDB2RKeoPYYdbiGrXEK5ReRHLnI 9wnjoQeZ2igRAmSscEPKfFwTtBx6BxmDbvFmjNVw1WXwqP/mWqrJQPX1yYbUG+JIffAt eRsjCgQYsLLyHX+PtE87DhYleDSc+qsQJ8M0NWTORyWdV64isGp99b2yMz0hlPat1gYx VZwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=foZnZ2UVObpCu19zi3pbwMhkG358nzyErjbTFs2nm4E=; b=YqYVyVu8oC24OCkXjJqFBLibnUS9DkD+b1Y+1tLnNMUS5d8wfE+41N6kpYIvKPfhmJ hPdpX9d1tJGXrAbITbOZseJoS2gZINSgywkJB+/44m/45HhIWObAu6+MNieurKRUBC/I AR+cuG4o7jnRVRh2HswkR6o79GwS++NRr5UbpJOnTagc+K/hJfL+tVbREvhUHSf2F1DS 5rLykidQidOiEJE5gzDwUSmKbDK1sLTkQizcXe6OdqsE7F/yvyvDPBrx9/NBsXfr48o8 4MXHBBWCbzOyvA4Vve60tLfOIzagwcjCmGLkfD4UIhkUb2RoKYN51IgkBUZf5rz7NmDF aJJw== X-Gm-Message-State: APjAAAXJqfboOW6gYzlIEGZeTxaHRnJACL1J1AaAnNxSQ0n3opW5ztyC I6QZzHThru+V2N1jD90Xl+B6gNsHO0qPa3JakoQ= X-Google-Smtp-Source: APXvYqyz2thwEuaT26OePcdHDaW0+3wAbXThsT0HND/J2YANTfS+Uqxk+wysHa2XBnGMPN9VVWxAvQV51UHdkq6evfk= X-Received: by 2002:a19:ae11:: with SMTP id f17mr29919487lfc.12.1555071843791; Fri, 12 Apr 2019 05:24:03 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Greg Mirsky Date: Fri, 12 Apr 2019 14:23:54 +0200 Message-ID: To: "Bocci, Matthew (Nokia - GB)" Cc: NVO3 Content-Type: multipart/alternative; boundary="000000000000d97ea505865460f3" Archived-At: Subject: Re: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 12:24:09 -0000 --000000000000d97ea505865460f3 Content-Type: text/plain; charset="UTF-8" Dear Matthew, Sam, et al., I've read the draft and support its adoption by the WG. It addresses the much-needed problem of providing L3 overlay security when using the Geneve protocol, is well-written. I believe the work is well-timed and is in the scope of the WG charter. Regards, Greg On Wed, Apr 10, 2019 at 4:38 PM Bocci, Matthew (Nokia - GB) < matthew.bocci@nokia.com> wrote: > This email begins a second two-week poll for adoption of > draft-mglt-nvo3-geneve-security-requirements-06 in the NVO3 working group. > > > > Please review the draft and send any comments to the NVO3 list. > > > > Please also indicate whether you support adoption of the draft as an NVO3 > working group document. > > > > Note that supporting working group adoption indicates that you think the > draft is headed in the right direction and represents a piece of work that > the working group should take on and progress. It does not have to be > technically perfect at this stage. > > > > This poll closes on Wednesday 24th April 2019. > > > > Regards > > Matthew and Sam > > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > --000000000000d97ea505865460f3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
    Dear Matthew, Sam, et al.,
    I've read the draft and= support its adoption by the WG. It addresses the much-needed problem of pr= oviding L3 overlay security when using the Geneve protocol,=C2=A0is well-wr= itten. I believe the work is well-timed and is in the scope of the WG chart= er.

    Regards,
    Greg

    On Wed, Apr 10, 2= 019 at 4:38 PM Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com> wrote:

    This emai= l begins a second two-week poll for=C2=A0adoption=C2=A0of draft-mglt-nvo3-g= eneve-security-requirements-06 in the NVO3 working group.

    = =C2=A0

    Please re= view the draft and send any comments to the NVO3 list.

    = =C2=A0

    Please al= so indicate whether you support=C2=A0adoption=C2=A0of the draft as an NVO3 = working group document.

    = =C2=A0

    Note that= supporting working group adoption indicates that you think the draft is he= aded in the right direction and represents a piece of work that the working= group should take on and progress. It does not have to be technically perfect at this stage.

    = =C2=A0

    This poll= closes on Wednesday 24th April 2019.=

    = =C2=A0

    Regards

    Matthew a= nd Sam

    =C2=A0

    _______________________________________________
    nvo3 mailing list
    nvo3@ietf.org
    https://www.ietf.org/mailman/listinfo/nvo3
    --000000000000d97ea505865460f3-- From nobody Tue Apr 16 16:03:56 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6706A1203FA; Tue, 16 Apr 2019 16:03:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sZOG5TRoYnSH; Tue, 16 Apr 2019 16:03:53 -0700 (PDT) Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E79F1201CE; Tue, 16 Apr 2019 16:03:53 -0700 (PDT) Received: by mail-io1-xd32.google.com with SMTP id c4so19056955ioh.9; Tue, 16 Apr 2019 16:03:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ks3rl3tpi4ahceVqXHKugO58tjthSktz4hv2EA+v2Ig=; b=GwS227MTILmPwq43vzVNv94oZ4G/gfmoK4804gzgnhGdWjkYTtmn82qxQXgrfwtRhq UedcFS6tSotFhCdm/MkI7G/eDcVR990CAEEOW0/iVjLMjvHBoXVknnyGOGpSUr3FrenP hnfems7b/ya6tZEq9ETLEwgML0sDWhAxTz8dvJCDgbDrhQtbkreCBzDDT1WjSFiZlyo/ zafb1K0xh/Nowiij90ZM+wd7Dw6gQoGcR9mk8H05VON4JTm+MmzrmFbd2mKbGYwm/vNr y5QHv2N5QYKxTeEv1z+fbY8XclNn8wBAtHcHmkKz83ibO7delJVcXmwSREZTreZyAj52 Wdhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ks3rl3tpi4ahceVqXHKugO58tjthSktz4hv2EA+v2Ig=; b=MiGydpoRyUt1FEz/oqZ60SG7CSxXNkBD0fDa7HMKyc+73orbGJXXtDeGARKVirChu9 JjxXMsNTFUORc2IsH0meqtVaZS3wql/MIuxINyQu6/wuA1W1elZlTj0kALClFBpe+ZAR H8mMcwx0l40PQ4mqJtJXF3vzYxlD/3eYZhhhgXA5ap5opraUDugUv3gEeqhvbyRhOUMw M1is7jehrPAZoHlo9AqwZ24ZjLkNwl79GKc+Pl9uDOBqSsjsopxS6qTx/f6dCrN/UV3c LzNakaoCwIgp2TJG8s+SSBREul+voIP82fvL1tMJiYezlXsygWSP7TQlnv8ro4Q6nTSF U+ig== X-Gm-Message-State: APjAAAXoewcMqMwITEHSh5SGfG6mJ2RgQN/tVSxz2bWTsmb49A+KsOwW S+qsoNMWoXm9XaSaghxD7v8HezBPm3pRZcbwahpP5S4V X-Google-Smtp-Source: APXvYqzXzxjbNzTUKwejhAvnOizdfEN6vXfQGimGLWngV3pD4I41M4x/Rk2oKS6Vn3cLzl+5+ZLwV4Gwki8ZRZdKSV4= X-Received: by 2002:a6b:700a:: with SMTP id l10mr17477342ioc.270.1555455832815; Tue, 16 Apr 2019 16:03:52 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Sam Aldrin Date: Tue, 16 Apr 2019 16:03:42 -0700 Message-ID: To: nvo3@ietf.org Cc: nvo3-chairs@ietf.org, draft-rabadan-nvo3-evpn-applicability@ietf.org Content-Type: multipart/alternative; boundary="00000000000060fb860586adc8b2" Archived-At: Subject: Re: [nvo3] Last call for draft-ietf-nvo3-evpn-applicability X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Apr 2019 23:03:56 -0000 --00000000000060fb860586adc8b2 Content-Type: text/plain; charset="UTF-8" The LC for the draft is now closed. Apologize for the delayed notification to the group. Will follow up with authors about the next steps. -sam On Mon, Mar 11, 2019 at 11:15 AM Sam Aldrin wrote: > [Resending with right subject] > > NVo3 Working Group, > > This is to initiate a three (not two) week working group last call on > > draft-ietf-nvo3-evpn-applicability > > > Please send your comments to the nvo3 wg mailing list (nvo3@ietf.org). > > > During draft adoption as WG doc, authors have stated on the working group > mailing list that they > are unaware of any non-disclosed IPRs that relates to this document. > Kindly email WG if you are aware of any IPR against the document. > > Authors and contributors, please let us know about IPR and kindly reply to > the group. > > This working group last call ends Monday April 1st, 2019. > > cheers > Sam and Matthew > --00000000000060fb860586adc8b2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
    The LC for the draft is now closed. Apologize for the dela= yed notification to the group.
    Will follow up with authors about the ne= xt=C2=A0steps.

    -sam

    On Mon, Mar 11, 2019 at 1= 1:15 AM Sam Aldrin <aldrin.ietf= @gmail.com> wrote:
    [Resending with right subject]
    <= br>
    NVo3 Working Group,

    This is to initiate a three (not two) week working= group=C2=A0last<= /span>=C2=A0<= span class=3D"gmail-m_8036518260567417760gmail-m_35880361707837247gmail-il"= style=3D"font-family:arial,helvetica,sans-serif">call=C2=A0on
    --00000000000060fb860586adc8b2-- From nobody Wed Apr 17 12:00:24 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C0C31205F9; Wed, 17 Apr 2019 12:00:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yDvmVgUQa9aT; Wed, 17 Apr 2019 12:00:15 -0700 (PDT) Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3D4A120627; Wed, 17 Apr 2019 12:00:14 -0700 (PDT) Received: by mail-lf1-x12c.google.com with SMTP id h5so16762157lfm.1; Wed, 17 Apr 2019 12:00:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JCayDDduBLQt+OHqJuyR7kyHas7WLlvHJN9uRbWQKCE=; b=E0yTWqShide0zpYXjNMhFsdpX3EPYfga8t5sz7SNaXFgRew7BiIsDkfHW+b8UMLFo1 ri9EWoeHa4bJpOk6nCVWraGKrwv+uZ6gSDLncP5jo8XRoP+dBkna9Zzj8Ve6loMPCL2A OVujwVvniSeEQiM2ckI9Db/ugZJbJj/O7++OLp4II8awKjQdVU45PLTwqpL+XGhY3wcT 8qsQC1qldpWMj2cE+kxICP4LUsJLf+y+eVswGsjmZ29F1dHoJV03nn0L5BZgBr3xkpz2 qCopMti95nJet6Ufw+edmhStuRXc3GnWyokgd1hGREaSkSi++U9i7i9ZXupgI0kWcluW 6r1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JCayDDduBLQt+OHqJuyR7kyHas7WLlvHJN9uRbWQKCE=; b=JIgnOt1MWbu6Di1vupKHNl/mHqD7ioAn9vlbJHJGZ708fCZMyB3HLVvShwFGr4Ouz8 YXiLHk/JyOtvxZ4vNdqp1n388k4juPCueQBLKzKHuwIVWYjf54MTbSdNnTNY9ab/tzui uj3jBATrG7SqUiDumrOIsuNQQKU4xiDJe42WEtlooaceZG2c0zoPc3cYtRyJGlIEbZFj GfHnAONLePD4ShGGRnej7ikcNm+QgLXNB2U5yJU5v+YUxVtzmNhRY+kAZ8wpdJ498AyF 51WuW2T//6Aid5ptvzqDiBMl0/Q8teUZiAwc7Zy6Onh4XK/SE7lGoJ0cLrdHne8wOn2E gjeg== X-Gm-Message-State: APjAAAVdlwP0mXZlr9xhfr6V6RCa0+p3GtcqkonKmWg9U1fVjMOzAdqw /3HjSHFYpVc0ME6Ilzi9g0AwCKzjn3bgzaVavYg= X-Google-Smtp-Source: APXvYqzZ7zBlI/z5HwFhRqq8vJSS5qrzi/PYJAoOQrkEjaMxNE1FHnJggys6kIJK70+QwqyIyGYqu2uDugKbkQ7O84k= X-Received: by 2002:a19:6619:: with SMTP id a25mr49703858lfc.21.1555527612874; Wed, 17 Apr 2019 12:00:12 -0700 (PDT) MIME-Version: 1.0 References: <12ACA02A-BB51-4214-A72B-1AEFCCB914AC@cisco.com> In-Reply-To: <12ACA02A-BB51-4214-A72B-1AEFCCB914AC@cisco.com> From: Greg Mirsky Date: Wed, 17 Apr 2019 12:00:05 -0700 Message-ID: To: "Carlos Pignataro (cpignata)" Cc: "draft-ietf-nvo3-vxlan-gpe@ietf.org" , NVO3 Content-Type: multipart/alternative; boundary="000000000000cdc3720586be7e63" Archived-At: Subject: Re: [nvo3] Comments on draft-ietf-nvo3-vxlan-gpe X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Apr 2019 19:00:23 -0000 --000000000000cdc3720586be7e63 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Carlos, thank you for sharing your view on the design of the VXLAN-GPE protocol. Please find my comments in-line tagged GIM>>. Regards, Greg On Fri, Apr 12, 2019 at 5:23 AM Carlos Pignataro (cpignata) < cpignata@cisco.com> wrote: > Greg, > > You seem to be confusing and mixing things up. > > Please see inline. > > > On Apr 12, 2019, at 2:50 AM, Greg Mirsky wrote: > > > > Dear Editors, et al., > > I've read the latest -07 version and would like to share my comments an= d > questions with you: > > =E2=80=A2 in the earlier version of the draft, the O-bit was intr= oduced > and defined as: > > OAM Flag Bit (O bit): The O bit is set to indicate that the packet is > an OAM packet. > > At the same time, in the latest version, the new Next Protocol value > (0x81) to identify iOAM Data was introduced. Hence are my questions: > > =E2=80=A2 What must be the value of the O-bit when the value of t= he Next > Protocol field is iOAM? > > The O bit =E2=80=9Cis set to indicate that the packet is an OAM packet=E2= =80=9D. > IAOM is not an OAM packet. Hence, O bit clear if VXLAN-GPE encapsulates a > non-OAM packet and adds an IOAM shim. > GIM>> It is a very unexpected statement from you, one of the co-authors of draft-ietf-ippm-ioam-data where the first paragraph of the Introduction section defines iOAM as Hybrid Type 1 OAM, according to RFC 7799 classification: IOAM is to complement mechanisms such as Ping or Traceroute, or more recent active probing mechanisms as described in [I-D.lapukhov-dataplane-probe]. In terms of "active" or "passive" OAM, "in-situ" OAM can be considered a hybrid OAM type. While no extra packets are sent, IOAM adds information to the packets therefore cannot be considered passive. In terms of the classification given in [RFC7799] IOAM could be portrayed as Hybrid Type 1. > > > =E2=80=A2 Do you plan to define the Next Protocol values for acti= ve OAM > protocols, e.g., Echo Request/Reply, BFD, Performance Monitoring? > > I cannot speak to =E2=80=9Cplans=E2=80=9D (replying as =E2=80=9Cet al.=E2= =80=9D, not as =E2=80=9Ceditor=E2=80=9D), but I > expect OAM documents ought to have those requested, and you do not need > necessarily all of those =E2=80=94 the nex protocol IPv4 / IPv6 can encap= sulate > ICMP, UDP/BFD, etc., etc., etc., etc. > GIM>> Of course, use of the well-known port number, usually it is UDP destination port, is one of the methods to demultiplex protocols. This method is broadly used, for example, in MPLS OAM. But this method has some disadvantages that were pointed out in the discussion of BFD over GENEVE in Prague by David Black (the last presentation in the minutes ): David: I want the BFD header to be as close to the thing whose liveness I'm testing. The more headers you add in the middle, the more ways there are to break BFD without breaking the forwarding engine. The further away I move BFD from the chunk of hardware's liveness I care about, the more opportunities are for BFD and the hardware to not to tell me the same thing= . > > =E2=80=A2 How to interpret the situation when the O-bit value is = 1 but the > value of the Next Protocol field is, for example, NSH, i.e.., not any of > OAM protocols? > > I expect it means there=E2=80=99s OAM within that NSH (sometimes there=E2= =80=99s no such > things as =E2=80=9COAM Protocols=E2=80=9D), or an unhandled OAM protocol. > GIM>> Should that, i.e., OAM in NSH or immediately following NSH be signaled using SFC NSH methods that are already defined in draft-ietf-sfc-multi-layer-oam ? Using the server layer, as you've suggested, seems as layer violation. > > > =E2=80=A2 I believe that the use of the dedicated OAM flag and th= e Next > Protocol field for a fixed-size header that cannot include meta-data is > unwarranted and adds unnecessary complexity. > > Disagree. > > See example where protocol is IP carrying an OAM packet. > GIM>> When IP/UDP encapsulation is used for OAM, there's no, in my opinion, any need to use the O-bit. The destination IP address must be as described in RFC 8029 or RFC 5884 and the demultiplexing is done based on the destination UDP port number. Clearly, O-bit is unnecessary if IP/UDP encapsulation for OAM being used. > > > I suggest not to use O-bit in the VXLAN-GPE header and release it into > the Reserved field. I don't see the apparent benefit of using the flag, = as > the VXLA-GPE uses the fixed size header and the header cannot carry OAM > data in it. The only role the VXLAN-GPE header must perform, in my opinio= n, > is to unambiguously identify the payload type that immediately follows th= e > header as OAM (demultiplexing OAM protocols may be done in OAM Header shi= m). > > Much appreciate your consideration. > > > > Best, > > =E2=80=94 > Carlos Pignataro, carlos@cisco.com > > =E2=80=9CSometimes I use big words that I do not fully understand, to mak= e myself > sound more photosynthesis." > > > Regards, > > Greg > > _______________________________________________ > > nvo3 mailing list > > nvo3@ietf.org > > https://www.ietf.org/mailman/listinfo/nvo3 > > --000000000000cdc3720586be7e63 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
    Hi Carlos,
    thank you for sharing your view o= n the design of the VXLAN-GPE protocol. Please find my=C2=A0comments in-lin= e tagged GIM>>.

    Regards,
    Greg

    On Fri, Apr 12, 2019 at 5:23 AM Carlos Pignataro (cpignata) <cpignata@cisco.com> wrote:
    Greg,

    You seem to be confusing and mixing things up.

    Please see inline.

    > On Apr 12, 2019, at 2:50 AM, Greg Mirsky <    gregimirsky@gmail.com> wrote:<= br>>
    > Dear Editors, et al.,
    > I've read the latest -07= version and would like to share my comments and questions with you:
    >= ;=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 in the earlier version of the draft, = the O-bit was introduced and defined as:
    > OAM Flag Bit (O bit):=C2= =A0 The O bit is set to indicate that the packet is an OAM packet.
    > = At the same time, in the latest version, the new Next Protocol value (0x81)= to identify iOAM Data was introduced. Hence are my questions:
    >=C2= =A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 What must be the value of the O-bit when = the value of the Next Protocol field is iOAM?

    The O bit =E2=80=9Cis set to indicate that the packet is an OAM packet= =E2=80=9D.
    IAOM is not an OAM packet. Hence, O bit clear if VXLAN-GPE en= capsulates a non-OAM packet and adds an IOAM shim.
    GIM= >> It is a very unexpected statement from you, one of the co-authors = of=C2=A0draft-ietf-ippm-ioam-data=C2=A0=C2=A0where the first paragraph of = the Introduction section defines iOAM as Hybrid Type 1 OAM, according to RF= C 7799 classification:
    =C2=A0 =C2=A0IOAM is to complement
    =C2=A0 =C2=A0mechanisms such as Ping or Traceroute, or more recent = active probing
    =C2=A0 =C2=A0mechanisms as described in [I-D.lapuk= hov-dataplane-probe].=C2=A0 In terms
    =C2=A0 =C2=A0of "active= " or "passive" OAM, "in-situ" OAM can be considere= d a
    =C2=A0 =C2=A0hybrid OAM type.=C2=A0 While no extra packets ar= e sent, IOAM adds
    =C2=A0 =C2=A0information to the packets therefo= re cannot be considered passive.
    =C2=A0 =C2=A0In terms of the cla= ssification given in [RFC7799] IOAM could be
    =C2=A0 =C2=A0portray= ed as Hybrid Type 1.

    >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 Do you plan to define the Next= Protocol values for active OAM protocols, e.g., Echo Request/Reply, BFD, P= erformance Monitoring?

    I cannot speak to =E2=80=9Cplans=E2=80=9D (replying as =E2=80=9Cet al.= =E2=80=9D, not as =E2=80=9Ceditor=E2=80=9D), but I expect OAM documents oug= ht to have those requested, and you do not need necessarily all of those = =E2=80=94 the nex protocol IPv4 / IPv6 can encapsulate ICMP, UDP/BFD, etc.,= etc., etc., etc.
    GIM>> Of course, use of the we= ll-known port number, usually it is UDP destination port, is one of the met= hods to demultiplex protocols. This method is broadly used, for example, in= MPLS OAM. But this method has some disadvantages that were pointed out in = the discussion of BFD over GENEVE in Prague by David Black (the last presen= tation in the minutes):
    Da= vid: I want the BFD header to be as close to the thing whose liveness I'= ;m testing. The more headers you add in the middle, the more ways there are= to break BFD without breaking the forwarding engine. The further away I mo= ve BFD from the chunk of hardware's liveness I care about, the more opp= ortunities are for BFD and the hardware to not to tell me the same thing.


    >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 How to interpret the situation= when the O-bit value is 1 but the value of the Next Protocol field is, for= example, NSH, i.e.., not any of OAM protocols?

    I expect it means there=E2=80=99s OAM within that NSH (sometimes there= =E2=80=99s no such things as =E2=80=9COAM Protocols=E2=80=9D), or an unhand= led OAM protocol.
    GIM>> Should that, i.e., OAM i= n NSH or immediately following NSH be signaled using SFC NSH methods that a= re already defined in=C2=A0draft-ietf-sfc-multi-layer-oam? Using the = server layer, as you've suggested, seems as layer violation.=C2=A0

    >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 I believe that the use of the = dedicated OAM flag and the Next Protocol field for a fixed-size header that= cannot include meta-data is unwarranted and adds unnecessary complexity.
    Disagree.

    See example where protocol is IP carrying an OAM packet.
    GIM>> When IP/UDP encapsulation is used for OAM, there's n= o, in my opinion, any need to use the O-bit. The destination IP address mus= t be as described in RFC 8029 or RFC 5884 and the demultiplexing is done ba= sed on the destination UDP port number. Clearly, O-bit is unnecessary if IP= /UDP encapsulation for OAM being used.

    > I suggest not to use O-bit in the VXLAN-GPE header and release it = into the Reserved field.=C2=A0 I don't see the apparent benefit of usin= g the flag, as the VXLA-GPE uses the fixed size header and the header canno= t carry OAM data in it. The only role the VXLAN-GPE header must perform, in= my opinion, is to unambiguously identify the payload type that immediately= follows the header as OAM (demultiplexing OAM protocols may be done in OAM= Header shim).
    > Much appreciate your consideration.
    >

    Best,

    =E2=80=94
    Carlos Pignataro, carlos@cisco.com

    =E2=80=9CSometimes I use big words that I do not fully understand, to m= ake myself sound more photosynthesis."

    > Regards,
    > Greg
    > ____________________________________= ___________
    > nvo3 mailing list
    > nvo3@ietf.org
    > https://ww= w.ietf.org/mailman/listinfo/nvo3

    --000000000000cdc3720586be7e63-- From nobody Wed Apr 17 12:44:38 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6B7712014F; Wed, 17 Apr 2019 12:44:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.501 X-Spam-Level: X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fRWaGj_-FfAV; Wed, 17 Apr 2019 12:44:33 -0700 (PDT) Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A72B1120104; Wed, 17 Apr 2019 12:44:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9390; q=dns/txt; s=iport; t=1555530272; x=1556739872; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=pQFAg3yFutG8O9ctq30lgU6KxSctZhtueHH02y3v/vQ=; b=UwQhoF4TFDfqqHho+70DvCYZ6d0X9KhvQ/OOKlsgwaknrlRUOhCs1lxV hxcBPsSODkS1Eu7ZBaNpUpxxA0qy0osLKJE5k2EChvMcUpZYMS/Zd0nZu DCqMRWUZSE0cnlT4AOq+gnUjP0A631J9gTYbJ2uNxlZkYRsLLj8XTxJNI w=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AHAAD4gLdc/5hdJa1cChkBAQEBAQE?= =?us-ascii?q?BAQEBAQEHAQEBAQEBgVMCAQEBAQELAYFhBSpogQQoCoQElRAliTqPEBSBZw4?= =?us-ascii?q?BARgLhEoCF4V+IzYHDgEDAQEEAQIBAm0cDIVKAQEBAwEBASEROgsFCwIBCBg?= =?us-ascii?q?CAiYCAgIfBgsVEAIEDgWDIgGBaQMNDw+qTYEvh38NghsGgQsnAYtJF4FAP4E?= =?us-ascii?q?RJwwTgU5+PoIaRwEBgSkNFRUBgwoxgiYEjSmMIYwQLDcJAoIGil2Dd4NKG4I?= =?us-ascii?q?Jhh2DZ4hwjQ+GWIk8gnUCERWBMCYDLoFWcBU7KgGCQT6CdAECh1yFP0Exj1G?= =?us-ascii?q?BIQEB?= X-IronPort-AV: E=Sophos;i="5.60,363,1549929600"; d="scan'208";a="463041419" Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 17 Apr 2019 19:44:31 +0000 Received: from XCH-RTP-017.cisco.com (xch-rtp-017.cisco.com [64.101.220.157]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id x3HJiVcI005890 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 17 Apr 2019 19:44:31 GMT Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-017.cisco.com (64.101.220.157) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 17 Apr 2019 15:44:30 -0400 Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1473.003; Wed, 17 Apr 2019 15:44:30 -0400 From: "Carlos Pignataro (cpignata)" To: Greg Mirsky CC: "draft-ietf-nvo3-vxlan-gpe@ietf.org" , NVO3 , IETF IPPM WG Thread-Topic: [nvo3] Comments on draft-ietf-nvo3-vxlan-gpe Thread-Index: AQHU8Pwb4PQUm0Sk6kyANyiY2S4odqY4th6AgAhKgYCAAAxngA== Date: Wed, 17 Apr 2019 19:44:30 +0000 Message-ID: <3AFD4751-CF3A-4939-A49A-FB981C68CADF@cisco.com> References: <12ACA02A-BB51-4214-A72B-1AEFCCB914AC@cisco.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3445.104.8) x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.118.116.132] Content-Type: text/plain; charset="utf-8" Content-ID: <9462EB032C2F0A489DE451FFA12FE189@emea.cisco.com> Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-Outbound-SMTP-Client: 64.101.220.157, xch-rtp-017.cisco.com X-Outbound-Node: rcdn-core-1.cisco.com Archived-At: Subject: Re: [nvo3] Comments on draft-ietf-nvo3-vxlan-gpe X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Apr 2019 19:44:36 -0000 SGksIEdyZWcsDQoNCkFkZGluZyB0aGUgSVBQTSBtYWlsaW5nIGxpc3QsIHNpbmNlIHlvdSByZWZl cmVuY2UgaXQgYmVsb3csIGFuZCBwb2ludCB0byBSRkMgNzc5OS4NCg0KUGxlYXNlIHNlZSBpbmxp bmUuDQoNCj4gT24gQXByIDE3LCAyMDE5LCBhdCAzOjAwIFBNLCBHcmVnIE1pcnNreSA8Z3JlZ2lt aXJza3lAZ21haWwuY29tPiB3cm90ZToNCj4gDQo+IEhpIENhcmxvcywNCj4gdGhhbmsgeW91IGZv ciBzaGFyaW5nIHlvdXIgdmlldyBvbiB0aGUgZGVzaWduIG9mIHRoZSBWWExBTi1HUEUgcHJvdG9j b2wuIFBsZWFzZSBmaW5kIG15IGNvbW1lbnRzIGluLWxpbmUgdGFnZ2VkIEdJTT4+Lg0KPiANCj4g UmVnYXJkcywNCj4gR3JlZw0KPiANCj4gT24gRnJpLCBBcHIgMTIsIDIwMTkgYXQgNToyMyBBTSBD YXJsb3MgUGlnbmF0YXJvIChjcGlnbmF0YSkgPGNwaWduYXRhQGNpc2NvLmNvbT4gd3JvdGU6DQo+ IEdyZWcsDQo+IA0KPiBZb3Ugc2VlbSB0byBiZSBjb25mdXNpbmcgYW5kIG1peGluZyB0aGluZ3Mg dXAuDQo+IA0KPiBQbGVhc2Ugc2VlIGlubGluZS4NCj4gDQo+ID4gT24gQXByIDEyLCAyMDE5LCBh dCAyOjUwIEFNLCBHcmVnIE1pcnNreSA8Z3JlZ2ltaXJza3lAZ21haWwuY29tPiB3cm90ZToNCj4g PiANCj4gPiBEZWFyIEVkaXRvcnMsIGV0IGFsLiwNCj4gPiBJJ3ZlIHJlYWQgdGhlIGxhdGVzdCAt MDcgdmVyc2lvbiBhbmQgd291bGQgbGlrZSB0byBzaGFyZSBteSBjb21tZW50cyBhbmQgcXVlc3Rp b25zIHdpdGggeW91Og0KPiA+ICAgICAgIOKAoiBpbiB0aGUgZWFybGllciB2ZXJzaW9uIG9mIHRo ZSBkcmFmdCwgdGhlIE8tYml0IHdhcyBpbnRyb2R1Y2VkIGFuZCBkZWZpbmVkIGFzOg0KPiA+IE9B TSBGbGFnIEJpdCAoTyBiaXQpOiAgVGhlIE8gYml0IGlzIHNldCB0byBpbmRpY2F0ZSB0aGF0IHRo ZSBwYWNrZXQgaXMgYW4gT0FNIHBhY2tldC4NCj4gPiBBdCB0aGUgc2FtZSB0aW1lLCBpbiB0aGUg bGF0ZXN0IHZlcnNpb24sIHRoZSBuZXcgTmV4dCBQcm90b2NvbCB2YWx1ZSAoMHg4MSkgdG8gaWRl bnRpZnkgaU9BTSBEYXRhIHdhcyBpbnRyb2R1Y2VkLiBIZW5jZSBhcmUgbXkgcXVlc3Rpb25zOg0K PiA+ICAgICAgIOKAoiBXaGF0IG11c3QgYmUgdGhlIHZhbHVlIG9mIHRoZSBPLWJpdCB3aGVuIHRo ZSB2YWx1ZSBvZiB0aGUgTmV4dCBQcm90b2NvbCBmaWVsZCBpcyBpT0FNPw0KPiANCj4gVGhlIE8g Yml0IOKAnGlzIHNldCB0byBpbmRpY2F0ZSB0aGF0IHRoZSBwYWNrZXQgaXMgYW4gT0FNIHBhY2tl dOKAnS4NCj4gSUFPTSBpcyBub3QgYW4gT0FNIHBhY2tldC4gSGVuY2UsIE8gYml0IGNsZWFyIGlm IFZYTEFOLUdQRSBlbmNhcHN1bGF0ZXMgYSBub24tT0FNIHBhY2tldCBhbmQgYWRkcyBhbiBJT0FN IHNoaW0uDQo+IEdJTT4+IEl0IGlzIGEgdmVyeSB1bmV4cGVjdGVkIHN0YXRlbWVudCBmcm9tIHlv dSwNCg0KSSB3b3VsZCB0ZWxsIHlvdSDigJhleHBlY3QgdGhlIHVuZXhwZWN0ZWTigJksIGJ1dCB0 aGF0IGlzIG5vdCB0aGUgY2FzZSBoZXJlLi4uIDotKQ0KDQpJZiB5b3UgYWN0dWFsbHkgcmVhZCBt eSBzdGF0ZW1lbnQsIHlvdSB3aWxsIHNlZSAiSUFPTSBpcyBub3QgYW4gT0FNICpwYWNrZXQqLuKA nSBOZXcgZW1waGFzaXMgYWRkZWQg4oCUIGl0IGlzIF9ub3RfICphbiBPQU0gcGFja2V0Ki4NCg0K SSBzdGFuZCBieSBpdC4gSXTigJlzIGFuIGF1Z21lbnRlZCBkYXRhIHBhY2tldCBvZiBpbnRlcmVz dC4NCg0KPiBvbmUgb2YgdGhlIGNvLWF1dGhvcnMgb2YgZHJhZnQtaWV0Zi1pcHBtLWlvYW0tZGF0 YSAgd2hlcmUgdGhlIGZpcnN0IHBhcmFncmFwaCBvZiB0aGUgSW50cm9kdWN0aW9uIHNlY3Rpb24g ZGVmaW5lcyBpT0FNIGFzIEh5YnJpZCBUeXBlIDEgT0FNLCBhY2NvcmRpbmcgdG8gUkZDIDc3OTkg Y2xhc3NpZmljYXRpb246DQoNClRoaXMgaXMgc3RpbGwgcXVpdGUgY29uc2lzdGVudCB3aXRoIHRo YXQgZGVmaW5pdGlvbiwgd2hpY2ggSSByZWNvbW1lbmQgeW91IHJlLXJlYWQ6DQoNClJGQyA3Nzk5 IGlzIGFib3V0IG1ldHJpY3MgYW5kIG1ldGhvZHMsIG5vdCBwYWNrZXQgZGVmaW5pdGlvbnMuDQoN CllvdSB3aWxsIHNlZSB0aGF0IEFjdGl2ZSBtZXRob2RzIGluY2x1ZGUgYSDigJxkZWRpY2F0ZWQg bWVhc3VyZW1lbnQgcGFja2V0IHN0cmVhbeKAnS4g4oCcQWN0aXZlIE1ldGhvZHMgZ2VuZXJhdGUg cGFja2V0IHN0cmVhbXMu4oCdDQoNCkhvd2V2ZXIsIEh5YnJpZCBUeXBlIEkgbGV2ZXJhZ2VzIOKA nEF1Z21lbnRhdGlvbiBvciBtb2RpZmljYXRpb24gb2YgdGhlIHN0cmVhbSBvZiBpbnRlcmVzdCIN Cg0KRm9sbG93aW5nIHlvdXIgbG9naWMsIGlmIHlvdSBjaGFuZ2UgYSBwYWNrZXQgZmllbGQgc3Vj aCBhcyBUVEwvSEwgdG8gcHJvdmlkZSBwYWNrZXQgY29sb3JpbmcsIGRvIHlvdSBuZWVkIHRvIHNl dCB0aGUgTy1iaXQ/DQoNCj4gICAgSU9BTSBpcyB0byBjb21wbGVtZW50DQo+ICAgIG1lY2hhbmlz bXMgc3VjaCBhcyBQaW5nIG9yIFRyYWNlcm91dGUsIG9yIG1vcmUgcmVjZW50IGFjdGl2ZSBwcm9i aW5nDQo+ICAgIG1lY2hhbmlzbXMgYXMgZGVzY3JpYmVkIGluIFtJLUQubGFwdWtob3YtZGF0YXBs YW5lLXByb2JlXS4gIEluIHRlcm1zDQo+ICAgIG9mICJhY3RpdmUiIG9yICJwYXNzaXZlIiBPQU0s ICJpbi1zaXR1IiBPQU0gY2FuIGJlIGNvbnNpZGVyZWQgYQ0KPiAgICBoeWJyaWQgT0FNIHR5cGUu ICBXaGlsZSBubyBleHRyYSBwYWNrZXRzIGFyZSBzZW50LCBJT0FNIGFkZHMNCj4gICAgaW5mb3Jt YXRpb24gdG8gdGhlIHBhY2tldHMgdGhlcmVmb3JlIGNhbm5vdCBiZSBjb25zaWRlcmVkIHBhc3Np dmUuDQo+ICAgIEluIHRlcm1zIG9mIHRoZSBjbGFzc2lmaWNhdGlvbiBnaXZlbiBpbiBbUkZDNzc5 OV0gSU9BTSBjb3VsZCBiZQ0KPiAgICBwb3J0cmF5ZWQgYXMgSHlicmlkIFR5cGUgMS4NCj4gDQo+ ID4gICAgICAg4oCiIERvIHlvdSBwbGFuIHRvIGRlZmluZSB0aGUgTmV4dCBQcm90b2NvbCB2YWx1 ZXMgZm9yIGFjdGl2ZSBPQU0gcHJvdG9jb2xzLCBlLmcuLCBFY2hvIFJlcXVlc3QvUmVwbHksIEJG RCwgUGVyZm9ybWFuY2UgTW9uaXRvcmluZz8NCj4gDQo+IEkgY2Fubm90IHNwZWFrIHRvIOKAnHBs YW5z4oCdIChyZXBseWluZyBhcyDigJxldCBhbC7igJ0sIG5vdCBhcyDigJxlZGl0b3LigJ0pLCBi dXQgSSBleHBlY3QgT0FNIGRvY3VtZW50cyBvdWdodCB0byBoYXZlIHRob3NlIHJlcXVlc3RlZCwg YW5kIHlvdSBkbyBub3QgbmVlZCBuZWNlc3NhcmlseSBhbGwgb2YgdGhvc2Ug4oCUIHRoZSBuZXgg cHJvdG9jb2wgSVB2NCAvIElQdjYgY2FuIGVuY2Fwc3VsYXRlIElDTVAsIFVEUC9CRkQsIGV0Yy4s IGV0Yy4sIGV0Yy4sIGV0Yy4NCj4gR0lNPj4gT2YgY291cnNlLCB1c2Ugb2YgdGhlIHdlbGwta25v d24gcG9ydCBudW1iZXIsIHVzdWFsbHkgaXQgaXMgVURQIGRlc3RpbmF0aW9uIHBvcnQsIGlzIG9u ZSBvZiB0aGUgbWV0aG9kcyB0byBkZW11bHRpcGxleCBwcm90b2NvbHMuIFRoaXMgbWV0aG9kIGlz IGJyb2FkbHkgdXNlZCwgZm9yIGV4YW1wbGUsIGluIE1QTFMgT0FNLiBCdXQgdGhpcyBtZXRob2Qg aGFzIHNvbWUgZGlzYWR2YW50YWdlcyB0aGF0IHdlcmUgcG9pbnRlZCBvdXQgaW4gdGhlIGRpc2N1 c3Npb24gb2YgQkZEIG92ZXIgR0VORVZFIGluIFByYWd1ZSBieSBEYXZpZCBCbGFjayAodGhlIGxh c3QgcHJlc2VudGF0aW9uIGluIHRoZSBtaW51dGVzKToNCj4gRGF2aWQ6IEkgd2FudCB0aGUgQkZE IGhlYWRlciB0byBiZSBhcyBjbG9zZSB0byB0aGUgdGhpbmcgd2hvc2UgbGl2ZW5lc3MgSSdtIHRl c3RpbmcuIFRoZSBtb3JlIGhlYWRlcnMgeW91IGFkZCBpbiB0aGUgbWlkZGxlLCB0aGUgbW9yZSB3 YXlzIHRoZXJlIGFyZSB0byBicmVhayBCRkQgd2l0aG91dCBicmVha2luZyB0aGUgZm9yd2FyZGlu ZyBlbmdpbmUuIFRoZSBmdXJ0aGVyIGF3YXkgSSBtb3ZlIEJGRCBmcm9tIHRoZSBjaHVuayBvZiBo YXJkd2FyZSdzIGxpdmVuZXNzIEkgY2FyZSBhYm91dCwgdGhlIG1vcmUgb3Bwb3J0dW5pdGllcyBh cmUgZm9yIEJGRCBhbmQgdGhlIGhhcmR3YXJlIHRvIG5vdCB0byB0ZWxsIG1lIHRoZSBzYW1lIHRo aW5nLg0KPiANCg0KVGhlb3J5IGFuZCBwcmFjdGljZSBtYXRjaCBpbiB0aGVvcnksIGxlc3Mgc28g aW4gcHJhY3RpY2Ug4oCUIHVubGVzcyB5b3UgYXJlIHBsYW5uaW5nIHRvIHVwZGF0ZSBSRkMgNTg4 MS4NCg0KVGhpcyBjYW4gYmUgYXJndWVkIGJvdGggd2F5cyAoZS5nLiwgYmV0dGVyIHRvIGhhdmUg Y29tbW9uIGhhbmRsZXJzLCBldGMuKSwgYnV0IEkgdGFrZSBubyBwb3NpdGlvbi4gSSBkbyBzYXkg dGhhdCBpbiBwcmVzZW5jZSBvZiBkZXBsb3llZCBPQU0gZW5jYXBzdWxhdGlvbnMsIHRoZXJl4oCZ cyBubyBiYXNpcyBmb3IgeW91ciB5b3VyIGNvbW1lbnQgYWJvdXQgZGVmaW5pbmcgYSBwcm90b2Nv bCB0eXBlIGZvciDigJxQZXJmb3JtYW5jZSBNb25pdG9yaW5n4oCdIGFzIGEgcHJvdG9jb2wuLi4N Cg0KDQo+IA0KPiA+ICAgICAgIOKAoiBIb3cgdG8gaW50ZXJwcmV0IHRoZSBzaXR1YXRpb24gd2hl biB0aGUgTy1iaXQgdmFsdWUgaXMgMSBidXQgdGhlIHZhbHVlIG9mIHRoZSBOZXh0IFByb3RvY29s IGZpZWxkIGlzLCBmb3IgZXhhbXBsZSwgTlNILCBpLmUuLiwgbm90IGFueSBvZiBPQU0gcHJvdG9j b2xzPw0KPiANCj4gSSBleHBlY3QgaXQgbWVhbnMgdGhlcmXigJlzIE9BTSB3aXRoaW4gdGhhdCBO U0ggKHNvbWV0aW1lcyB0aGVyZeKAmXMgbm8gc3VjaCB0aGluZ3MgYXMg4oCcT0FNIFByb3RvY29s c+KAnSksIG9yIGFuIHVuaGFuZGxlZCBPQU0gcHJvdG9jb2wuDQo+IEdJTT4+IFNob3VsZCB0aGF0 LCBpLmUuLCBPQU0gaW4gTlNIIG9yIGltbWVkaWF0ZWx5IGZvbGxvd2luZyBOU0ggYmUgc2lnbmFs ZWQgdXNpbmcgU0ZDIE5TSCBtZXRob2RzIHRoYXQgYXJlIGFscmVhZHkgZGVmaW5lZCBpbiBkcmFm dC1pZXRmLXNmYy1tdWx0aS1sYXllci1vYW0/DQoNCg0KTm9uIHNlcXVpdHVyIOKAlCBJIGRvIG5v dCBmb2xsb3cgd2hhdCBzaWduYWxpbmcgaGFzIHRvIGRvIHdpdGggdGhlIGNvbnZlcnNhdGlvbiwg bm9yIGhvdyB0aGF0IGRyYWZ0IG1pZ2h0IGJlIHJlbGV2YW50Lg0KDQo+IFVzaW5nIHRoZSBzZXJ2 ZXIgbGF5ZXIsIGFzIHlvdSd2ZSBzdWdnZXN0ZWQsIHNlZW1zIGFzIGxheWVyIHZpb2xhdGlvbi4g DQo+IA0KDQpUaGlzIGlzIGEgZnVubnkgc3RhdGVtZW50IOKAlCBOVk8zIGlzIGEgbGF5ZXIgdmlv bGF0aW9uIDotKSBTbyBhcmUgUHNldWRvd2lyZXMuIFBsZWFzZSBkbyBub3QgdGFrZSB0aGlzIHN0 YXRlbWVudCB0b28gc2VyaW91c2x5LCBpdCBpcyBub3QgaW52aXRpbmcgZGlzY3Vzc2lvbi4NCg0K PiA+ICAgICAgIOKAoiBJIGJlbGlldmUgdGhhdCB0aGUgdXNlIG9mIHRoZSBkZWRpY2F0ZWQgT0FN IGZsYWcgYW5kIHRoZSBOZXh0IFByb3RvY29sIGZpZWxkIGZvciBhIGZpeGVkLXNpemUgaGVhZGVy IHRoYXQgY2Fubm90IGluY2x1ZGUgbWV0YS1kYXRhIGlzIHVud2FycmFudGVkIGFuZCBhZGRzIHVu bmVjZXNzYXJ5IGNvbXBsZXhpdHkuDQo+IA0KPiBEaXNhZ3JlZS4gDQo+IA0KPiBTZWUgZXhhbXBs ZSB3aGVyZSBwcm90b2NvbCBpcyBJUCBjYXJyeWluZyBhbiBPQU0gcGFja2V0Lg0KPiBHSU0+PiBX aGVuIElQL1VEUCBlbmNhcHN1bGF0aW9uIGlzIHVzZWQgZm9yIE9BTSwgdGhlcmUncyBubywgaW4g bXkgb3BpbmlvbiwgYW55IG5lZWQgdG8gdXNlIHRoZSBPLWJpdC4gVGhlIGRlc3RpbmF0aW9uIElQ IGFkZHJlc3MgbXVzdCBiZSBhcyBkZXNjcmliZWQgaW4gUkZDIDgwMjkgb3IgUkZDIDU4ODQgYW5k IHRoZSBkZW11bHRpcGxleGluZyBpcyBkb25lIGJhc2VkIG9uIHRoZSBkZXN0aW5hdGlvbiBVRFAg cG9ydCBudW1iZXIuIENsZWFybHksIE8tYml0IGlzIHVubmVjZXNzYXJ5IGlmIElQL1VEUCBlbmNh cHN1bGF0aW9uIGZvciBPQU0gYmVpbmcgdXNlZC4NCj4gDQoNCkZvcnR1bmF0ZWx5LCBiaXQgdXNh Z2UgaXMgYSBtYXR0ZXIgb2YgZGVmaW5pdGlvbiBhbmQgbm90IG9waW5pb24gOi0pDQoNCktpbmQg cmVnYXJkcywNCg0KQ2FybG9zLg0KDQoNCj4gPiBJIHN1Z2dlc3Qgbm90IHRvIHVzZSBPLWJpdCBp biB0aGUgVlhMQU4tR1BFIGhlYWRlciBhbmQgcmVsZWFzZSBpdCBpbnRvIHRoZSBSZXNlcnZlZCBm aWVsZC4gIEkgZG9uJ3Qgc2VlIHRoZSBhcHBhcmVudCBiZW5lZml0IG9mIHVzaW5nIHRoZSBmbGFn LCBhcyB0aGUgVlhMQS1HUEUgdXNlcyB0aGUgZml4ZWQgc2l6ZSBoZWFkZXIgYW5kIHRoZSBoZWFk ZXIgY2Fubm90IGNhcnJ5IE9BTSBkYXRhIGluIGl0LiBUaGUgb25seSByb2xlIHRoZSBWWExBTi1H UEUgaGVhZGVyIG11c3QgcGVyZm9ybSwgaW4gbXkgb3BpbmlvbiwgaXMgdG8gdW5hbWJpZ3VvdXNs eSBpZGVudGlmeSB0aGUgcGF5bG9hZCB0eXBlIHRoYXQgaW1tZWRpYXRlbHkgZm9sbG93cyB0aGUg aGVhZGVyIGFzIE9BTSAoZGVtdWx0aXBsZXhpbmcgT0FNIHByb3RvY29scyBtYXkgYmUgZG9uZSBp biBPQU0gSGVhZGVyIHNoaW0pLg0KPiA+IE11Y2ggYXBwcmVjaWF0ZSB5b3VyIGNvbnNpZGVyYXRp b24uDQo+ID4gDQo+IA0KPiBCZXN0LA0KPiANCj4g4oCUDQo+IENhcmxvcyBQaWduYXRhcm8sIGNh cmxvc0BjaXNjby5jb20NCj4gDQo+IOKAnFNvbWV0aW1lcyBJIHVzZSBiaWcgd29yZHMgdGhhdCBJ IGRvIG5vdCBmdWxseSB1bmRlcnN0YW5kLCB0byBtYWtlIG15c2VsZiBzb3VuZCBtb3JlIHBob3Rv c3ludGhlc2lzLiINCj4gDQo+ID4gUmVnYXJkcywNCj4gPiBHcmVnDQo+ID4gX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4gPiBudm8zIG1haWxpbmcgbGlz dA0KPiA+IG52bzNAaWV0Zi5vcmcNCj4gPiBodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xp c3RpbmZvL252bzMNCj4gDQoNCg== From nobody Wed Apr 17 14:55:07 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E56CE120143; Wed, 17 Apr 2019 14:55:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aFNdwhKONwOR; Wed, 17 Apr 2019 14:55:02 -0700 (PDT) Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F41D1200FE; Wed, 17 Apr 2019 14:55:01 -0700 (PDT) Received: by mail-lj1-x22e.google.com with SMTP id p14so81956ljg.5; Wed, 17 Apr 2019 14:55:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hLq+bUSMN84B9NJChP8lmurophEDG63RP4w2r53yvZ8=; b=Ro++NXeKdK6jSKL2ZvvF7KAfDhS3SFMfhlPpse04yfkNda6J+W4ZxkkKx322buQSJB xLvANaHHck+D5qIHIaFpDBLA5OIzm4HBJ+yUWXegFR0f2xQmsBu1EfgLv4nuJ59gUxa8 J9Dt9MxrLvU0nepVAXnp/glzB7UlADuDQeKFsDv7+FM7Iv1kcl54Vg+eafLsslHFyrab VfocVHYetBAHUC41bxHiIyCW9VKHtsLnAQ5SDt3+chNQsPybcEoromOR8J1Z0za4aM4I pLaq5Uc06xcYsueY/yx8MuAWPLYoaUNATdANVU/Pytx7gIadhCd/Qg+tLQIr2rS4xw5Z JkiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hLq+bUSMN84B9NJChP8lmurophEDG63RP4w2r53yvZ8=; b=S03gKvaW+hhX0WuCOqEJtN74cIuEAWE6zx87sQ4JTa9gtmOPY3CcPBlj+JnIKu4me7 7VNPk1RO5hSAsRE91oRwBGDKYe3PjluLV/UTYUhCJkllFiKVHCPOp/Vc4sK6lenXJtRu R0MHtZ3y13uA6+LJACTu49B8D9zKUDemgRX1A8MruAH0MTlhyA3QBOmwZ6Btkwh7VEa5 HwTlFWFH5w2pct70N3hPMfnbNwHWX9n3OYptVHYgJhLsduOWBR1ZV2oTWXZrY+lCfIln DbC5QhStA0NGaAfCixeiayLJ2cFoZvVG5n54Cw40wU5VjfNhlYAYGvLUwXt5iUQ0yx94 aZeg== X-Gm-Message-State: APjAAAVhSGckt+mW4uEkwGGpYL02RkopScsLM/siOIZovA2O4dn4EhrR 1/dccIQY+U/V3RvUsoq/Gmiw2j4jYam8AGK/k3A= X-Google-Smtp-Source: APXvYqwaozuetZyWdKUbQyILAokXAxGp6drYThDTvMixNUU6CQy6rgKhh3mn71MOuFLaCIvfVW3eXK1t7ZboaweecGE= X-Received: by 2002:a2e:974d:: with SMTP id f13mr48401865ljj.140.1555538099460; Wed, 17 Apr 2019 14:54:59 -0700 (PDT) MIME-Version: 1.0 References: <12ACA02A-BB51-4214-A72B-1AEFCCB914AC@cisco.com> <3AFD4751-CF3A-4939-A49A-FB981C68CADF@cisco.com> In-Reply-To: <3AFD4751-CF3A-4939-A49A-FB981C68CADF@cisco.com> From: Greg Mirsky Date: Wed, 17 Apr 2019 14:54:52 -0700 Message-ID: To: "Carlos Pignataro (cpignata)" Cc: "draft-ietf-nvo3-vxlan-gpe@ietf.org" , NVO3 , IETF IPPM WG Content-Type: multipart/alternative; boundary="000000000000da614c0586c0ef8a" Archived-At: Subject: Re: [nvo3] Comments on draft-ietf-nvo3-vxlan-gpe X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Apr 2019 21:55:06 -0000 --000000000000da614c0586c0ef8a Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Carlos, to add another quote from the draft-ietf-sfc-ioam-nsh that you've co-authored, Packets with IOAM data included MUST follow this definition, i.e. the O bit MUST NOT be set for regular customer traffic which also carries IOAM data and the O bit MUST be set for OAM packets which carry only IOAM data without any regular data payload. So, if the only iOAM message is carried in or after an NSH, it is identified as OAM. And, by your own example in the earlier note, so should VXLAN-GPE. Regards, Greg On Wed, Apr 17, 2019 at 12:44 PM Carlos Pignataro (cpignata) < cpignata@cisco.com> wrote: > Hi, Greg, > > Adding the IPPM mailing list, since you reference it below, and point to > RFC 7799. > > Please see inline. > > > On Apr 17, 2019, at 3:00 PM, Greg Mirsky wrote: > > > > Hi Carlos, > > thank you for sharing your view on the design of the VXLAN-GPE protocol= . > Please find my comments in-line tagged GIM>>. > > > > Regards, > > Greg > > > > On Fri, Apr 12, 2019 at 5:23 AM Carlos Pignataro (cpignata) < > cpignata@cisco.com> wrote: > > Greg, > > > > You seem to be confusing and mixing things up. > > > > Please see inline. > > > > > On Apr 12, 2019, at 2:50 AM, Greg Mirsky > wrote: > > > > > > Dear Editors, et al., > > > I've read the latest -07 version and would like to share my comments > and questions with you: > > > =E2=80=A2 in the earlier version of the draft, the O-bit was in= troduced > and defined as: > > > OAM Flag Bit (O bit): The O bit is set to indicate that the packet i= s > an OAM packet. > > > At the same time, in the latest version, the new Next Protocol value > (0x81) to identify iOAM Data was introduced. Hence are my questions: > > > =E2=80=A2 What must be the value of the O-bit when the value of= the Next > Protocol field is iOAM? > > > > The O bit =E2=80=9Cis set to indicate that the packet is an OAM packet= =E2=80=9D. > > IAOM is not an OAM packet. Hence, O bit clear if VXLAN-GPE encapsulates > a non-OAM packet and adds an IOAM shim. > > GIM>> It is a very unexpected statement from you, > > I would tell you =E2=80=98expect the unexpected=E2=80=99, but that is not= the case here... > :-) > > If you actually read my statement, you will see "IAOM is not an OAM > *packet*.=E2=80=9D New emphasis added =E2=80=94 it is _not_ *an OAM packe= t*. > > I stand by it. It=E2=80=99s an augmented data packet of interest. > > > one of the co-authors of draft-ietf-ippm-ioam-data where the first > paragraph of the Introduction section defines iOAM as Hybrid Type 1 OAM, > according to RFC 7799 classification: > > This is still quite consistent with that definition, which I recommend yo= u > re-read: > > RFC 7799 is about metrics and methods, not packet definitions. > > You will see that Active methods include a =E2=80=9Cdedicated measurement= packet > stream=E2=80=9D. =E2=80=9CActive Methods generate packet streams.=E2=80= =9D > > However, Hybrid Type I leverages =E2=80=9CAugmentation or modification of= the > stream of interest" > > Following your logic, if you change a packet field such as TTL/HL to > provide packet coloring, do you need to set the O-bit? > > > IOAM is to complement > > mechanisms such as Ping or Traceroute, or more recent active probing > > mechanisms as described in [I-D.lapukhov-dataplane-probe]. In terms > > of "active" or "passive" OAM, "in-situ" OAM can be considered a > > hybrid OAM type. While no extra packets are sent, IOAM adds > > information to the packets therefore cannot be considered passive. > > In terms of the classification given in [RFC7799] IOAM could be > > portrayed as Hybrid Type 1. > > > > > =E2=80=A2 Do you plan to define the Next Protocol values for ac= tive OAM > protocols, e.g., Echo Request/Reply, BFD, Performance Monitoring? > > > > I cannot speak to =E2=80=9Cplans=E2=80=9D (replying as =E2=80=9Cet al.= =E2=80=9D, not as =E2=80=9Ceditor=E2=80=9D), but I > expect OAM documents ought to have those requested, and you do not need > necessarily all of those =E2=80=94 the nex protocol IPv4 / IPv6 can encap= sulate > ICMP, UDP/BFD, etc., etc., etc., etc. > > GIM>> Of course, use of the well-known port number, usually it is UDP > destination port, is one of the methods to demultiplex protocols. This > method is broadly used, for example, in MPLS OAM. But this method has som= e > disadvantages that were pointed out in the discussion of BFD over GENEVE = in > Prague by David Black (the last presentation in the minutes): > > David: I want the BFD header to be as close to the thing whose liveness > I'm testing. The more headers you add in the middle, the more ways there > are to break BFD without breaking the forwarding engine. The further away= I > move BFD from the chunk of hardware's liveness I care about, the more > opportunities are for BFD and the hardware to not to tell me the same thi= ng. > > > > Theory and practice match in theory, less so in practice =E2=80=94 unless= you are > planning to update RFC 5881. > > This can be argued both ways (e.g., better to have common handlers, etc.)= , > but I take no position. I do say that in presence of deployed OAM > encapsulations, there=E2=80=99s no basis for your your comment about defi= ning a > protocol type for =E2=80=9CPerformance Monitoring=E2=80=9D as a protocol.= .. > > > > > > > =E2=80=A2 How to interpret the situation when the O-bit value i= s 1 but > the value of the Next Protocol field is, for example, NSH, i.e.., not any > of OAM protocols? > > > > I expect it means there=E2=80=99s OAM within that NSH (sometimes there= =E2=80=99s no such > things as =E2=80=9COAM Protocols=E2=80=9D), or an unhandled OAM protocol. > > GIM>> Should that, i.e., OAM in NSH or immediately following NSH be > signaled using SFC NSH methods that are already defined in > draft-ietf-sfc-multi-layer-oam? > > > Non sequitur =E2=80=94 I do not follow what signaling has to do with the > conversation, nor how that draft might be relevant. > > > Using the server layer, as you've suggested, seems as layer violation. > > > > This is a funny statement =E2=80=94 NVO3 is a layer violation :-) So are > Pseudowires. Please do not take this statement too seriously, it is not > inviting discussion. > > > > =E2=80=A2 I believe that the use of the dedicated OAM flag and = the Next > Protocol field for a fixed-size header that cannot include meta-data is > unwarranted and adds unnecessary complexity. > > > > Disagree. > > > > See example where protocol is IP carrying an OAM packet. > > GIM>> When IP/UDP encapsulation is used for OAM, there's no, in my > opinion, any need to use the O-bit. The destination IP address must be as > described in RFC 8029 or RFC 5884 and the demultiplexing is done based on > the destination UDP port number. Clearly, O-bit is unnecessary if IP/UDP > encapsulation for OAM being used. > > > > Fortunately, bit usage is a matter of definition and not opinion :-) > > Kind regards, > > Carlos. > > > > > I suggest not to use O-bit in the VXLAN-GPE header and release it int= o > the Reserved field. I don't see the apparent benefit of using the flag, = as > the VXLA-GPE uses the fixed size header and the header cannot carry OAM > data in it. The only role the VXLAN-GPE header must perform, in my opinio= n, > is to unambiguously identify the payload type that immediately follows th= e > header as OAM (demultiplexing OAM protocols may be done in OAM Header shi= m). > > > Much appreciate your consideration. > > > > > > > Best, > > > > =E2=80=94 > > Carlos Pignataro, carlos@cisco.com > > > > =E2=80=9CSometimes I use big words that I do not fully understand, to m= ake > myself sound more photosynthesis." > > > > > Regards, > > > Greg > > > _______________________________________________ > > > nvo3 mailing list > > > nvo3@ietf.org > > > https://www.ietf.org/mailman/listinfo/nvo3 > > > > --000000000000da614c0586c0ef8a Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
    Hi Carlos,
    to add an= other quote from the draft-ietf-sfc-ioam-nsh that you've co-aut= hored,=C2=A0
    =C2=A0 =C2=A0Packets with IOAM data included MU= ST follow this
    =C2=A0 =C2=A0definition, i.e. the O bit MUST NOT b= e set for regular customer
    =C2=A0 =C2=A0traffic which also carrie= s IOAM data and the O bit MUST be set for
    =C2=A0 =C2=A0OAM packet= s which carry only IOAM data without any regular data
    =C2=A0 =C2= =A0payload.

    So, if the only iOAM message is = carried in or after an NSH, it is identified as OAM. And, by your own examp= le in the earlier note, so should VXLAN-GPE.

    Regar= ds,
    Greg

    On Wed, Apr 17, 2019 at 12:44 PM Carlos= Pignataro (cpignata) <cpignata@ci= sco.com> wrote:
    Hi, Greg,

    Adding the IPPM mailing list, since you reference it below, and point to RF= C 7799.

    Please see inline.

    > On Apr 17, 2019, at 3:00 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
    >
    > Hi Carlos,
    > thank you for sharing your view on the design of the VXLAN-GPE protoco= l. Please find my comments in-line tagged GIM>>.
    >
    > Regards,
    > Greg
    >
    > On Fri, Apr 12, 2019 at 5:23 AM Carlos Pignataro (cpignata) <cpignata@cisco.com>= ; wrote:
    > Greg,
    >
    > You seem to be confusing and mixing things up.
    >
    > Please see inline.
    >
    > > On Apr 12, 2019, at 2:50 AM, Greg Mirsky <gregimirsky@gmail.com> wrote:=
    > >
    > > Dear Editors, et al.,
    > > I've read the latest -07 version and would like to share my c= omments and questions with you:
    > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 in the earlier version of the= draft, the O-bit was introduced and defined as:
    > > OAM Flag Bit (O bit):=C2=A0 The O bit is set to indicate that the= packet is an OAM packet.
    > > At the same time, in the latest version, the new Next Protocol va= lue (0x81) to identify iOAM Data was introduced. Hence are my questions: > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 What must be the value of the= O-bit when the value of the Next Protocol field is iOAM?
    >
    > The O bit =E2=80=9Cis set to indicate that the packet is an OAM packet= =E2=80=9D.
    > IAOM is not an OAM packet. Hence, O bit clear if VXLAN-GPE encapsulate= s a non-OAM packet and adds an IOAM shim.
    > GIM>> It is a very unexpected statement from you,

    I would tell you =E2=80=98expect the unexpected=E2=80=99, but that is not t= he case here... :-)

    If you actually read my statement, you will see "IAOM is not an OAM *p= acket*.=E2=80=9D New emphasis added =E2=80=94 it is _not_ *an OAM packet*.<= br>
    I stand by it. It=E2=80=99s an augmented data packet of interest.

    > one of the co-authors of draft-ietf-ippm-ioam-data=C2=A0 where the fir= st paragraph of the Introduction section defines iOAM as Hybrid Type 1 OAM,= according to RFC 7799 classification:

    This is still quite consistent with that definition, which I recommend you = re-read:

    RFC 7799 is about metrics and methods, not packet definitions.

    You will see that Active methods include a =E2=80=9Cdedicated measurement p= acket stream=E2=80=9D. =E2=80=9CActive Methods generate packet streams.=E2= =80=9D

    However, Hybrid Type I leverages =E2=80=9CAugmentation or modification of t= he stream of interest"

    Following your logic, if you change a packet field such as TTL/HL to provid= e packet coloring, do you need to set the O-bit?

    >=C2=A0 =C2=A0 IOAM is to complement
    >=C2=A0 =C2=A0 mechanisms such as Ping or Traceroute, or more recent act= ive probing
    >=C2=A0 =C2=A0 mechanisms as described in [I-D.lapukhov-dataplane-probe]= .=C2=A0 In terms
    >=C2=A0 =C2=A0 of "active" or "passive" OAM, "i= n-situ" OAM can be considered a
    >=C2=A0 =C2=A0 hybrid OAM type.=C2=A0 While no extra packets are sent, I= OAM adds
    >=C2=A0 =C2=A0 information to the packets therefore cannot be considered= passive.
    >=C2=A0 =C2=A0 In terms of the classification given in [RFC7799] IOAM co= uld be
    >=C2=A0 =C2=A0 portrayed as Hybrid Type 1.
    >
    > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 Do you plan to define the Nex= t Protocol values for active OAM protocols, e.g., Echo Request/Reply, BFD, = Performance Monitoring?
    >
    > I cannot speak to =E2=80=9Cplans=E2=80=9D (replying as =E2=80=9Cet al.= =E2=80=9D, not as =E2=80=9Ceditor=E2=80=9D), but I expect OAM documents oug= ht to have those requested, and you do not need necessarily all of those = =E2=80=94 the nex protocol IPv4 / IPv6 can encapsulate ICMP, UDP/BFD, etc.,= etc., etc., etc.
    > GIM>> Of course, use of the well-known port number, usually it i= s UDP destination port, is one of the methods to demultiplex protocols. Thi= s method is broadly used, for example, in MPLS OAM. But this method has som= e disadvantages that were pointed out in the discussion of BFD over GENEVE = in Prague by David Black (the last presentation in the minutes):
    > David: I want the BFD header to be as close to the thing whose livenes= s I'm testing. The more headers you add in the middle, the more ways th= ere are to break BFD without breaking the forwarding engine. The further aw= ay I move BFD from the chunk of hardware's liveness I care about, the m= ore opportunities are for BFD and the hardware to not to tell me the same t= hing.
    >

    Theory and practice match in theory, less so in practice =E2=80=94 unless y= ou are planning to update RFC 5881.

    This can be argued both ways (e.g., better to have common handlers, etc.), = but I take no position. I do say that in presence of deployed OAM encapsula= tions, there=E2=80=99s no basis for your your comment about defining a prot= ocol type for =E2=80=9CPerformance Monitoring=E2=80=9D as a protocol...


    >
    > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 How to interpret the situatio= n when the O-bit value is 1 but the value of the Next Protocol field is, fo= r example, NSH, i.e.., not any of OAM protocols?
    >
    > I expect it means there=E2=80=99s OAM within that NSH (sometimes there= =E2=80=99s no such things as =E2=80=9COAM Protocols=E2=80=9D), or an unhand= led OAM protocol.
    > GIM>> Should that, i.e., OAM in NSH or immediately following NSH= be signaled using SFC NSH methods that are already defined in draft-ietf-s= fc-multi-layer-oam?


    Non sequitur =E2=80=94 I do not follow what signaling has to do with the co= nversation, nor how that draft might be relevant.

    > Using the server layer, as you've suggested, seems as layer violat= ion.
    >

    This is a funny statement =E2=80=94 NVO3 is a layer violation :-) So are Ps= eudowires. Please do not take this statement too seriously, it is not invit= ing discussion.

    > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 I believe that the use of the= dedicated OAM flag and the Next Protocol field for a fixed-size header tha= t cannot include meta-data is unwarranted and adds unnecessary complexity.<= br> >
    > Disagree.
    >
    > See example where protocol is IP carrying an OAM packet.
    > GIM>> When IP/UDP encapsulation is used for OAM, there's no,= in my opinion, any need to use the O-bit. The destination IP address must = be as described in RFC 8029 or RFC 5884 and the demultiplexing is done base= d on the destination UDP port number. Clearly, O-bit is unnecessary if IP/U= DP encapsulation for OAM being used.
    >

    Fortunately, bit usage is a matter of definition and not opinion :-)

    Kind regards,

    Carlos.


    > > I suggest not to use O-bit in the VXLAN-GPE header and release it= into the Reserved field.=C2=A0 I don't see the apparent benefit of usi= ng the flag, as the VXLA-GPE uses the fixed size header and the header cann= ot carry OAM data in it. The only role the VXLAN-GPE header must perform, i= n my opinion, is to unambiguously identify the payload type that immediatel= y follows the header as OAM (demultiplexing OAM protocols may be done in OA= M Header shim).
    > > Much appreciate your consideration.
    > >
    >
    > Best,
    >
    > =E2=80=94
    > Carlos Pignataro, carlos@cisco.com
    >
    > =E2=80=9CSometimes I use big words that I do not fully understand, to = make myself sound more photosynthesis."
    >
    > > Regards,
    > > Greg
    > > _______________________________________________
    > > nvo3 mailing list
    > > nvo3@ietf.org<= /a>
    > >     https://www.ietf.org/mailman/listinfo/nvo3 >

    --000000000000da614c0586c0ef8a-- From nobody Wed Apr 17 17:18:48 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E158F120026; Wed, 17 Apr 2019 17:18:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.502 X-Spam-Level: X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j9eUtmcyGE8l; Wed, 17 Apr 2019 17:18:36 -0700 (PDT) Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71BA7120033; Wed, 17 Apr 2019 17:18:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13126; q=dns/txt; s=iport; t=1555546716; x=1556756316; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=SVrd0U93Ar4D/yndE+YJt08voiaRKFFejRqDMDA15X8=; b=KpwZLRADjMiUBC851ljtp3A4sMxX0dHVCcPbFYwtVj6c0RrrulplevnE vbK0cz3ADiCIpkra4fGIUMgBuRyJMWJyRenTNjf8rik8ZZUX0TQM0Hrlr kspRIaBXkSEjWMU9aIK0GN6Pq+E1XAgdtAnq73kAYYUzYahRk4mDOV5Ap s=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0APAACmwbdc/5BdJa1cChkBAQEBAQE?= =?us-ascii?q?BAQEBAQEHAQEBAQEBgVQBAQEBAQELAYFmKmiBBCgKhASVNok6jySBZw4BAYR?= =?us-ascii?q?tAheFfiM3Bg4BAwEBBAECAQJtKIVKAQEBAwEjETMHCwULAgEIGAICJgICAh8?= =?us-ascii?q?RFRACBA4FgyIBgWkDDQ+qB4Evh38NghsGgQsnAYtJF4FAP4ERJx+BTn4+ghq?= =?us-ascii?q?Bcg0VBBGDCzGCJgSNKZgxLDcJAoIGil2Dd4NKG4IJhh2DZ4hwjQ+GWIk8gnU?= =?us-ascii?q?CERWBMDUigVZwFTsqAYJBPoJ0AQKNG0Exj1GBIQEB?= X-IronPort-AV: E=Sophos;i="5.60,363,1549929600"; d="scan'208";a="463105773" Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Apr 2019 00:18:31 +0000 Received: from XCH-RTP-016.cisco.com (xch-rtp-016.cisco.com [64.101.220.156]) by rcdn-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id x3I0IUti008862 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 18 Apr 2019 00:18:30 GMT Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-016.cisco.com (64.101.220.156) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 17 Apr 2019 20:18:29 -0400 Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1473.003; Wed, 17 Apr 2019 20:18:29 -0400 From: "Carlos Pignataro (cpignata)" To: Greg Mirsky CC: NVO3 , "draft-ietf-nvo3-vxlan-gpe@ietf.org" , IETF IPPM WG , "sfc@ietf.org" Thread-Topic: [SUSPICIOUS] Re: [nvo3] Comments on draft-ietf-nvo3-vxlan-gpe Thread-Index: AQHU8Pwb4PQUm0Sk6kyANyiY2S4odqY4th6AgAhKgYCAAAxngIAAJG4AgAAoIIA= Date: Thu, 18 Apr 2019 00:18:29 +0000 Message-ID: <4C9CDD29-BDF8-425E-998F-B12C1BD7CA7C@cisco.com> References: <12ACA02A-BB51-4214-A72B-1AEFCCB914AC@cisco.com> <3AFD4751-CF3A-4939-A49A-FB981C68CADF@cisco.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3445.104.8) x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.118.116.132] Content-Type: text/plain; charset="utf-8" Content-ID: Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-Outbound-SMTP-Client: 64.101.220.156, xch-rtp-016.cisco.com X-Outbound-Node: rcdn-core-8.cisco.com Archived-At: Subject: Re: [nvo3] [SUSPICIOUS] Re: Comments on draft-ietf-nvo3-vxlan-gpe X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Apr 2019 00:18:40 -0000 RGVhciBHcmVnLA0KDQpbTm93IGFkZGluZyB0aGUgU0ZDIFdHIE1haWxpbmcgbGlzdCBzaW5jZSB5 b3UgdGFrZSB1cyB0byBhIGRpZmZlcmVudCBXRyBhZ2Fpbl0NCg0KVGhhbmsgeW91IHZlcnkgbXVj aCBmb3IgZmluZS1jb21iaW5nIHdpdGggYSBtYWduaWZ5aW5nIGdsYXNzIHRocm91Z2ggYWxsIHRo ZSBkb2N1bWVudHMgSeKAmW0gY3VycmVudGx5IGNvLWF1dGhvcmluZyA6LSkNCg0KSXQgaXMgcmVm cmVzaGluZyB0byBzZWUgdGhhdCB0aGUgb25seSBpc3N1ZXMgeW91IGZpbmQgYXJlIG5vbi1pc3N1 ZXMsIGFuZCB5b3VyIHF1ZXN0aW9ucyBlYXN5IHRvIHJlLWFuc3dlciA6LSkNCg0KQXQgdGhpcyBw b2ludCBJIGFtIGEgYml0IGF0IGEgbG9zcyBvZiB3aGF0IHlvdXIgcG9pbnQgaXMsIG9yIHdoYXQg eW91IGFyZSB0cnlpbmcgdG8gcHJvdmUgYmVuZGluZyB0ZXh0LiBBcmUgeW91IGNvZGluZywgZGVw bG95aW5nLCBvciB0ZXN0aW5nIElPQU0gb24gTlNIIHdpdGhvdXQgZGF0YSBwYWNrZXRzIG9uIFZY TEFOLUdQRSBvdmVyIElQPyBOU0ggaXMgZGF0YSBhcyBmYXIgYXMgVlhMQU4tR1BFIGlzIGNvbmNl cm5lZC4gSU9BTSBzaGltbWVkIGluIE5TSCBpcyBvcnRob2dvbmFsIHRvIElPQU0gc2hpbW1lZCBp biBWWExBTi1HUEUuDQoNCkkgZmVlbCB0aGlzIGRpc2N1c3Npb24gYWJvdXQgdGhlIE8tYml0IGFs cmVhZHkgdG9vayBwbGFjZSBvbmNlIG9yIHR3aWNlLg0KDQpLaW5kIFJlZ2FyZHMsDQoNCuKAlCBD YXJsb3MgUGlnbmF0YXJvDQoNClBTOiBUaGUgRXZpbCBiaXQgaXMgZGVmaW5lZCBmb3IgSVB2NCwg c2hvdWxkIHdlIHRoZXJlZm9yZSBhbHNvIGRlZmluZSBpdCBoZXJlPw0KDQoNCj4gT24gQXByIDE3 LCAyMDE5LCBhdCA1OjU0IFBNLCBHcmVnIE1pcnNreSA8Z3JlZ2ltaXJza3lAZ21haWwuY29tPiB3 cm90ZToNCj4gDQo+IEhpIENhcmxvcywNCj4gdG8gYWRkIGFub3RoZXIgcXVvdGUgZnJvbSB0aGUg ZHJhZnQtaWV0Zi1zZmMtaW9hbS1uc2ggdGhhdCB5b3UndmUgY28tYXV0aG9yZWQsIA0KPiAgICBQ YWNrZXRzIHdpdGggSU9BTSBkYXRhIGluY2x1ZGVkIE1VU1QgZm9sbG93IHRoaXMNCj4gICAgZGVm aW5pdGlvbiwgaS5lLiB0aGUgTyBiaXQgTVVTVCBOT1QgYmUgc2V0IGZvciByZWd1bGFyIGN1c3Rv bWVyDQo+ICAgIHRyYWZmaWMgd2hpY2ggYWxzbyBjYXJyaWVzIElPQU0gZGF0YSBhbmQgdGhlIE8g Yml0IE1VU1QgYmUgc2V0IGZvcg0KPiAgICBPQU0gcGFja2V0cyB3aGljaCBjYXJyeSBvbmx5IElP QU0gZGF0YSB3aXRob3V0IGFueSByZWd1bGFyIGRhdGENCj4gICAgcGF5bG9hZC4NCj4gDQo+IFNv LCBpZiB0aGUgb25seSBpT0FNIG1lc3NhZ2UgaXMgY2FycmllZCBpbiBvciBhZnRlciBhbiBOU0gs IGl0IGlzIGlkZW50aWZpZWQgYXMgT0FNLiBBbmQsIGJ5IHlvdXIgb3duIGV4YW1wbGUgaW4gdGhl IGVhcmxpZXIgbm90ZSwgc28gc2hvdWxkIFZYTEFOLUdQRS4NCj4gDQo+IFJlZ2FyZHMsDQo+IEdy ZWcNCj4gDQo+IE9uIFdlZCwgQXByIDE3LCAyMDE5IGF0IDEyOjQ0IFBNIENhcmxvcyBQaWduYXRh cm8gKGNwaWduYXRhKSA8Y3BpZ25hdGFAY2lzY28uY29tPiB3cm90ZToNCj4gSGksIEdyZWcsDQo+ IA0KPiBBZGRpbmcgdGhlIElQUE0gbWFpbGluZyBsaXN0LCBzaW5jZSB5b3UgcmVmZXJlbmNlIGl0 IGJlbG93LCBhbmQgcG9pbnQgdG8gUkZDIDc3OTkuDQo+IA0KPiBQbGVhc2Ugc2VlIGlubGluZS4N Cj4gDQo+ID4gT24gQXByIDE3LCAyMDE5LCBhdCAzOjAwIFBNLCBHcmVnIE1pcnNreSA8Z3JlZ2lt aXJza3lAZ21haWwuY29tPiB3cm90ZToNCj4gPiANCj4gPiBIaSBDYXJsb3MsDQo+ID4gdGhhbmsg eW91IGZvciBzaGFyaW5nIHlvdXIgdmlldyBvbiB0aGUgZGVzaWduIG9mIHRoZSBWWExBTi1HUEUg cHJvdG9jb2wuIFBsZWFzZSBmaW5kIG15IGNvbW1lbnRzIGluLWxpbmUgdGFnZ2VkIEdJTT4+Lg0K PiA+IA0KPiA+IFJlZ2FyZHMsDQo+ID4gR3JlZw0KPiA+IA0KPiA+IE9uIEZyaSwgQXByIDEyLCAy MDE5IGF0IDU6MjMgQU0gQ2FybG9zIFBpZ25hdGFybyAoY3BpZ25hdGEpIDxjcGlnbmF0YUBjaXNj by5jb20+IHdyb3RlOg0KPiA+IEdyZWcsDQo+ID4gDQo+ID4gWW91IHNlZW0gdG8gYmUgY29uZnVz aW5nIGFuZCBtaXhpbmcgdGhpbmdzIHVwLg0KPiA+IA0KPiA+IFBsZWFzZSBzZWUgaW5saW5lLg0K PiA+IA0KPiA+ID4gT24gQXByIDEyLCAyMDE5LCBhdCAyOjUwIEFNLCBHcmVnIE1pcnNreSA8Z3Jl Z2ltaXJza3lAZ21haWwuY29tPiB3cm90ZToNCj4gPiA+IA0KPiA+ID4gRGVhciBFZGl0b3JzLCBl dCBhbC4sDQo+ID4gPiBJJ3ZlIHJlYWQgdGhlIGxhdGVzdCAtMDcgdmVyc2lvbiBhbmQgd291bGQg bGlrZSB0byBzaGFyZSBteSBjb21tZW50cyBhbmQgcXVlc3Rpb25zIHdpdGggeW91Og0KPiA+ID4g ICAgICAg4oCiIGluIHRoZSBlYXJsaWVyIHZlcnNpb24gb2YgdGhlIGRyYWZ0LCB0aGUgTy1iaXQg d2FzIGludHJvZHVjZWQgYW5kIGRlZmluZWQgYXM6DQo+ID4gPiBPQU0gRmxhZyBCaXQgKE8gYml0 KTogIFRoZSBPIGJpdCBpcyBzZXQgdG8gaW5kaWNhdGUgdGhhdCB0aGUgcGFja2V0IGlzIGFuIE9B TSBwYWNrZXQuDQo+ID4gPiBBdCB0aGUgc2FtZSB0aW1lLCBpbiB0aGUgbGF0ZXN0IHZlcnNpb24s IHRoZSBuZXcgTmV4dCBQcm90b2NvbCB2YWx1ZSAoMHg4MSkgdG8gaWRlbnRpZnkgaU9BTSBEYXRh IHdhcyBpbnRyb2R1Y2VkLiBIZW5jZSBhcmUgbXkgcXVlc3Rpb25zOg0KPiA+ID4gICAgICAg4oCi IFdoYXQgbXVzdCBiZSB0aGUgdmFsdWUgb2YgdGhlIE8tYml0IHdoZW4gdGhlIHZhbHVlIG9mIHRo ZSBOZXh0IFByb3RvY29sIGZpZWxkIGlzIGlPQU0/DQo+ID4gDQo+ID4gVGhlIE8gYml0IOKAnGlz IHNldCB0byBpbmRpY2F0ZSB0aGF0IHRoZSBwYWNrZXQgaXMgYW4gT0FNIHBhY2tldOKAnS4NCj4g PiBJQU9NIGlzIG5vdCBhbiBPQU0gcGFja2V0LiBIZW5jZSwgTyBiaXQgY2xlYXIgaWYgVlhMQU4t R1BFIGVuY2Fwc3VsYXRlcyBhIG5vbi1PQU0gcGFja2V0IGFuZCBhZGRzIGFuIElPQU0gc2hpbS4N Cj4gPiBHSU0+PiBJdCBpcyBhIHZlcnkgdW5leHBlY3RlZCBzdGF0ZW1lbnQgZnJvbSB5b3UsDQo+ IA0KPiBJIHdvdWxkIHRlbGwgeW91IOKAmGV4cGVjdCB0aGUgdW5leHBlY3RlZOKAmSwgYnV0IHRo YXQgaXMgbm90IHRoZSBjYXNlIGhlcmUuLi4gOi0pDQo+IA0KPiBJZiB5b3UgYWN0dWFsbHkgcmVh ZCBteSBzdGF0ZW1lbnQsIHlvdSB3aWxsIHNlZSAiSUFPTSBpcyBub3QgYW4gT0FNICpwYWNrZXQq LuKAnSBOZXcgZW1waGFzaXMgYWRkZWQg4oCUIGl0IGlzIF9ub3RfICphbiBPQU0gcGFja2V0Ki4N Cj4gDQo+IEkgc3RhbmQgYnkgaXQuIEl04oCZcyBhbiBhdWdtZW50ZWQgZGF0YSBwYWNrZXQgb2Yg aW50ZXJlc3QuDQo+IA0KPiA+IG9uZSBvZiB0aGUgY28tYXV0aG9ycyBvZiBkcmFmdC1pZXRmLWlw cG0taW9hbS1kYXRhICB3aGVyZSB0aGUgZmlyc3QgcGFyYWdyYXBoIG9mIHRoZSBJbnRyb2R1Y3Rp b24gc2VjdGlvbiBkZWZpbmVzIGlPQU0gYXMgSHlicmlkIFR5cGUgMSBPQU0sIGFjY29yZGluZyB0 byBSRkMgNzc5OSBjbGFzc2lmaWNhdGlvbjoNCj4gDQo+IFRoaXMgaXMgc3RpbGwgcXVpdGUgY29u c2lzdGVudCB3aXRoIHRoYXQgZGVmaW5pdGlvbiwgd2hpY2ggSSByZWNvbW1lbmQgeW91IHJlLXJl YWQ6DQo+IA0KPiBSRkMgNzc5OSBpcyBhYm91dCBtZXRyaWNzIGFuZCBtZXRob2RzLCBub3QgcGFj a2V0IGRlZmluaXRpb25zLg0KPiANCj4gWW91IHdpbGwgc2VlIHRoYXQgQWN0aXZlIG1ldGhvZHMg aW5jbHVkZSBhIOKAnGRlZGljYXRlZCBtZWFzdXJlbWVudCBwYWNrZXQgc3RyZWFt4oCdLiDigJxB Y3RpdmUgTWV0aG9kcyBnZW5lcmF0ZSBwYWNrZXQgc3RyZWFtcy7igJ0NCj4gDQo+IEhvd2V2ZXIs IEh5YnJpZCBUeXBlIEkgbGV2ZXJhZ2VzIOKAnEF1Z21lbnRhdGlvbiBvciBtb2RpZmljYXRpb24g b2YgdGhlIHN0cmVhbSBvZiBpbnRlcmVzdCINCj4gDQo+IEZvbGxvd2luZyB5b3VyIGxvZ2ljLCBp ZiB5b3UgY2hhbmdlIGEgcGFja2V0IGZpZWxkIHN1Y2ggYXMgVFRML0hMIHRvIHByb3ZpZGUgcGFj a2V0IGNvbG9yaW5nLCBkbyB5b3UgbmVlZCB0byBzZXQgdGhlIE8tYml0Pw0KPiANCj4gPiAgICBJ T0FNIGlzIHRvIGNvbXBsZW1lbnQNCj4gPiAgICBtZWNoYW5pc21zIHN1Y2ggYXMgUGluZyBvciBU cmFjZXJvdXRlLCBvciBtb3JlIHJlY2VudCBhY3RpdmUgcHJvYmluZw0KPiA+ICAgIG1lY2hhbmlz bXMgYXMgZGVzY3JpYmVkIGluIFtJLUQubGFwdWtob3YtZGF0YXBsYW5lLXByb2JlXS4uICBJbiB0 ZXJtcw0KPiA+ICAgIG9mICJhY3RpdmUiIG9yICJwYXNzaXZlIiBPQU0sICJpbi1zaXR1IiBPQU0g Y2FuIGJlIGNvbnNpZGVyZWQgYQ0KPiA+ICAgIGh5YnJpZCBPQU0gdHlwZS4gIFdoaWxlIG5vIGV4 dHJhIHBhY2tldHMgYXJlIHNlbnQsIElPQU0gYWRkcw0KPiA+ICAgIGluZm9ybWF0aW9uIHRvIHRo ZSBwYWNrZXRzIHRoZXJlZm9yZSBjYW5ub3QgYmUgY29uc2lkZXJlZCBwYXNzaXZlLg0KPiA+ICAg IEluIHRlcm1zIG9mIHRoZSBjbGFzc2lmaWNhdGlvbiBnaXZlbiBpbiBbUkZDNzc5OV0gSU9BTSBj b3VsZCBiZQ0KPiA+ICAgIHBvcnRyYXllZCBhcyBIeWJyaWQgVHlwZSAxLg0KPiA+IA0KPiA+ID4g ICAgICAg4oCiIERvIHlvdSBwbGFuIHRvIGRlZmluZSB0aGUgTmV4dCBQcm90b2NvbCB2YWx1ZXMg Zm9yIGFjdGl2ZSBPQU0gcHJvdG9jb2xzLCBlLmcuLCBFY2hvIFJlcXVlc3QvUmVwbHksIEJGRCwg UGVyZm9ybWFuY2UgTW9uaXRvcmluZz8NCj4gPiANCj4gPiBJIGNhbm5vdCBzcGVhayB0byDigJxw bGFuc+KAnSAocmVwbHlpbmcgYXMg4oCcZXQgYWwu4oCdLCBub3QgYXMg4oCcZWRpdG9y4oCdKSwg YnV0IEkgZXhwZWN0IE9BTSBkb2N1bWVudHMgb3VnaHQgdG8gaGF2ZSB0aG9zZSByZXF1ZXN0ZWQs IGFuZCB5b3UgZG8gbm90IG5lZWQgbmVjZXNzYXJpbHkgYWxsIG9mIHRob3NlIOKAlCB0aGUgbmV4 IHByb3RvY29sIElQdjQgLyBJUHY2IGNhbiBlbmNhcHN1bGF0ZSBJQ01QLCBVRFAvQkZELCBldGMu LCBldGMuLCBldGMuLCBldGMuDQo+ID4gR0lNPj4gT2YgY291cnNlLCB1c2Ugb2YgdGhlIHdlbGwt a25vd24gcG9ydCBudW1iZXIsIHVzdWFsbHkgaXQgaXMgVURQIGRlc3RpbmF0aW9uIHBvcnQsIGlz IG9uZSBvZiB0aGUgbWV0aG9kcyB0byBkZW11bHRpcGxleCBwcm90b2NvbHMuIFRoaXMgbWV0aG9k IGlzIGJyb2FkbHkgdXNlZCwgZm9yIGV4YW1wbGUsIGluIE1QTFMgT0FNLiBCdXQgdGhpcyBtZXRo b2QgaGFzIHNvbWUgZGlzYWR2YW50YWdlcyB0aGF0IHdlcmUgcG9pbnRlZCBvdXQgaW4gdGhlIGRp c2N1c3Npb24gb2YgQkZEIG92ZXIgR0VORVZFIGluIFByYWd1ZSBieSBEYXZpZCBCbGFjayAodGhl IGxhc3QgcHJlc2VudGF0aW9uIGluIHRoZSBtaW51dGVzKToNCj4gPiBEYXZpZDogSSB3YW50IHRo ZSBCRkQgaGVhZGVyIHRvIGJlIGFzIGNsb3NlIHRvIHRoZSB0aGluZyB3aG9zZSBsaXZlbmVzcyBJ J20gdGVzdGluZy4gVGhlIG1vcmUgaGVhZGVycyB5b3UgYWRkIGluIHRoZSBtaWRkbGUsIHRoZSBt b3JlIHdheXMgdGhlcmUgYXJlIHRvIGJyZWFrIEJGRCB3aXRob3V0IGJyZWFraW5nIHRoZSBmb3J3 YXJkaW5nIGVuZ2luZS4gVGhlIGZ1cnRoZXIgYXdheSBJIG1vdmUgQkZEIGZyb20gdGhlIGNodW5r IG9mIGhhcmR3YXJlJ3MgbGl2ZW5lc3MgSSBjYXJlIGFib3V0LCB0aGUgbW9yZSBvcHBvcnR1bml0 aWVzIGFyZSBmb3IgQkZEIGFuZCB0aGUgaGFyZHdhcmUgdG8gbm90IHRvIHRlbGwgbWUgdGhlIHNh bWUgdGhpbmcuDQo+ID4gDQo+IA0KPiBUaGVvcnkgYW5kIHByYWN0aWNlIG1hdGNoIGluIHRoZW9y eSwgbGVzcyBzbyBpbiBwcmFjdGljZSDigJQgdW5sZXNzIHlvdSBhcmUgcGxhbm5pbmcgdG8gdXBk YXRlIFJGQyA1ODgxLg0KPiANCj4gVGhpcyBjYW4gYmUgYXJndWVkIGJvdGggd2F5cyAoZS5nLiwg YmV0dGVyIHRvIGhhdmUgY29tbW9uIGhhbmRsZXJzLCBldGMuKSwgYnV0IEkgdGFrZSBubyBwb3Np dGlvbi4gSSBkbyBzYXkgdGhhdCBpbiBwcmVzZW5jZSBvZiBkZXBsb3llZCBPQU0gZW5jYXBzdWxh dGlvbnMsIHRoZXJl4oCZcyBubyBiYXNpcyBmb3IgeW91ciB5b3VyIGNvbW1lbnQgYWJvdXQgZGVm aW5pbmcgYSBwcm90b2NvbCB0eXBlIGZvciDigJxQZXJmb3JtYW5jZSBNb25pdG9yaW5n4oCdIGFz IGEgcHJvdG9jb2wuLi4NCj4gDQo+IA0KPiA+IA0KPiA+ID4gICAgICAg4oCiIEhvdyB0byBpbnRl cnByZXQgdGhlIHNpdHVhdGlvbiB3aGVuIHRoZSBPLWJpdCB2YWx1ZSBpcyAxIGJ1dCB0aGUgdmFs dWUgb2YgdGhlIE5leHQgUHJvdG9jb2wgZmllbGQgaXMsIGZvciBleGFtcGxlLCBOU0gsIGkuZS4u LCBub3QgYW55IG9mIE9BTSBwcm90b2NvbHM/DQo+ID4gDQo+ID4gSSBleHBlY3QgaXQgbWVhbnMg dGhlcmXigJlzIE9BTSB3aXRoaW4gdGhhdCBOU0ggKHNvbWV0aW1lcyB0aGVyZeKAmXMgbm8gc3Vj aCB0aGluZ3MgYXMg4oCcT0FNIFByb3RvY29sc+KAnSksIG9yIGFuIHVuaGFuZGxlZCBPQU0gcHJv dG9jb2wuDQo+ID4gR0lNPj4gU2hvdWxkIHRoYXQsIGkuZS4sIE9BTSBpbiBOU0ggb3IgaW1tZWRp YXRlbHkgZm9sbG93aW5nIE5TSCBiZSBzaWduYWxlZCB1c2luZyBTRkMgTlNIIG1ldGhvZHMgdGhh dCBhcmUgYWxyZWFkeSBkZWZpbmVkIGluIGRyYWZ0LWlldGYtc2ZjLW11bHRpLWxheWVyLW9hbT8N Cj4gDQo+IA0KPiBOb24gc2VxdWl0dXIg4oCUIEkgZG8gbm90IGZvbGxvdyB3aGF0IHNpZ25hbGlu ZyBoYXMgdG8gZG8gd2l0aCB0aGUgY29udmVyc2F0aW9uLCBub3IgaG93IHRoYXQgZHJhZnQgbWln aHQgYmUgcmVsZXZhbnQuDQo+IA0KPiA+IFVzaW5nIHRoZSBzZXJ2ZXIgbGF5ZXIsIGFzIHlvdSd2 ZSBzdWdnZXN0ZWQsIHNlZW1zIGFzIGxheWVyIHZpb2xhdGlvbi4gDQo+ID4gDQo+IA0KPiBUaGlz IGlzIGEgZnVubnkgc3RhdGVtZW50IOKAlCBOVk8zIGlzIGEgbGF5ZXIgdmlvbGF0aW9uIDotKSBT byBhcmUgUHNldWRvd2lyZXMuIFBsZWFzZSBkbyBub3QgdGFrZSB0aGlzIHN0YXRlbWVudCB0b28g c2VyaW91c2x5LCBpdCBpcyBub3QgaW52aXRpbmcgZGlzY3Vzc2lvbi4NCj4gDQo+ID4gPiAgICAg ICDigKIgSSBiZWxpZXZlIHRoYXQgdGhlIHVzZSBvZiB0aGUgZGVkaWNhdGVkIE9BTSBmbGFnIGFu ZCB0aGUgTmV4dCBQcm90b2NvbCBmaWVsZCBmb3IgYSBmaXhlZC1zaXplIGhlYWRlciB0aGF0IGNh bm5vdCBpbmNsdWRlIG1ldGEtZGF0YSBpcyB1bndhcnJhbnRlZCBhbmQgYWRkcyB1bm5lY2Vzc2Fy eSBjb21wbGV4aXR5Lg0KPiA+IA0KPiA+IERpc2FncmVlLiANCj4gPiANCj4gPiBTZWUgZXhhbXBs ZSB3aGVyZSBwcm90b2NvbCBpcyBJUCBjYXJyeWluZyBhbiBPQU0gcGFja2V0Lg0KPiA+IEdJTT4+ IFdoZW4gSVAvVURQIGVuY2Fwc3VsYXRpb24gaXMgdXNlZCBmb3IgT0FNLCB0aGVyZSdzIG5vLCBp biBteSBvcGluaW9uLCBhbnkgbmVlZCB0byB1c2UgdGhlIE8tYml0LiBUaGUgZGVzdGluYXRpb24g SVAgYWRkcmVzcyBtdXN0IGJlIGFzIGRlc2NyaWJlZCBpbiBSRkMgODAyOSBvciBSRkMgNTg4NCBh bmQgdGhlIGRlbXVsdGlwbGV4aW5nIGlzIGRvbmUgYmFzZWQgb24gdGhlIGRlc3RpbmF0aW9uIFVE UCBwb3J0IG51bWJlci4gQ2xlYXJseSwgTy1iaXQgaXMgdW5uZWNlc3NhcnkgaWYgSVAvVURQIGVu Y2Fwc3VsYXRpb24gZm9yIE9BTSBiZWluZyB1c2VkLg0KPiA+IA0KPiANCj4gRm9ydHVuYXRlbHks IGJpdCB1c2FnZSBpcyBhIG1hdHRlciBvZiBkZWZpbml0aW9uIGFuZCBub3Qgb3BpbmlvbiA6LSkN Cj4gDQo+IEtpbmQgcmVnYXJkcywNCj4gDQo+IENhcmxvcy4NCj4gDQo+IA0KPiA+ID4gSSBzdWdn ZXN0IG5vdCB0byB1c2UgTy1iaXQgaW4gdGhlIFZYTEFOLUdQRSBoZWFkZXIgYW5kIHJlbGVhc2Ug aXQgaW50byB0aGUgUmVzZXJ2ZWQgZmllbGQuICBJIGRvbid0IHNlZSB0aGUgYXBwYXJlbnQgYmVu ZWZpdCBvZiB1c2luZyB0aGUgZmxhZywgYXMgdGhlIFZYTEEtR1BFIHVzZXMgdGhlIGZpeGVkIHNp emUgaGVhZGVyIGFuZCB0aGUgaGVhZGVyIGNhbm5vdCBjYXJyeSBPQU0gZGF0YSBpbiBpdC4gVGhl IG9ubHkgcm9sZSB0aGUgVlhMQU4tR1BFIGhlYWRlciBtdXN0IHBlcmZvcm0sIGluIG15IG9waW5p b24sIGlzIHRvIHVuYW1iaWd1b3VzbHkgaWRlbnRpZnkgdGhlIHBheWxvYWQgdHlwZSB0aGF0IGlt bWVkaWF0ZWx5IGZvbGxvd3MgdGhlIGhlYWRlciBhcyBPQU0gKGRlbXVsdGlwbGV4aW5nIE9BTSBw cm90b2NvbHMgbWF5IGJlIGRvbmUgaW4gT0FNIEhlYWRlciBzaGltKS4NCj4gPiA+IE11Y2ggYXBw cmVjaWF0ZSB5b3VyIGNvbnNpZGVyYXRpb24uDQo+ID4gPiANCj4gPiANCj4gPiBCZXN0LA0KPiA+ IA0KPiA+IOKAlA0KPiA+IENhcmxvcyBQaWduYXRhcm8sIGNhcmxvc0BjaXNjby5jb20NCj4gPiAN Cj4gPiDigJxTb21ldGltZXMgSSB1c2UgYmlnIHdvcmRzIHRoYXQgSSBkbyBub3QgZnVsbHkgdW5k ZXJzdGFuZCwgdG8gbWFrZSBteXNlbGYgc291bmQgbW9yZSBwaG90b3N5bnRoZXNpcy4iDQo+ID4g DQo+ID4gPiBSZWdhcmRzLA0KPiA+ID4gR3JlZw0KPiA+ID4gX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX18NCj4gPiA+IG52bzMgbWFpbGluZyBsaXN0DQo+ID4g PiBudm8zQGlldGYub3JnDQo+ID4gPiBodHRwczovL3NlY3VyZS13ZWIuY2lzY28uY29tLzFqLWpy NjR5aDJEOHlPOTJpYmNxYU4tSDk4WkNQM2xRZEhtc1lQc0g4bGtqc2E0V2xKNGtnM1c0SEw4cVQy NXJDVml0dFQ1YkZRb3hfX09uU2tuVjV3X3dXNjlGdlVoWGt4cXhLaGk5TUNpeTVvSC1KVHVjWE5f N0ZLODVxN2pELXFFd1JNNUlYWTY4X1ZmZWJfWEkyckt4eXp3VnNHXzA2S1RHRjA5Qnc5b0hBT1hV TkZjZEN3X29vbl9lcnVVaFJQdGR3TGM5VVFOejJUaFlQOHlzZjJwcjY0VlUwNFZqTUttR3dxWXZ6 enlBc0xURWJIcnM3R1ZDcXBoVDU4VDBzdDc4Xzk2OHJNNU1LRkxrN0VpV0JqN2daUG1fckRlQmY2 M2dVdHhrY2otdzhYeWJKaWlPMnRjRmFlb0FMXzhtLVpUNUw5LTFWSzR3WmtIbVI1Q19MZGcvaHR0 cHMlM0ElMkYlMkZ3d3cuaWV0Zi5vcmclMkZtYWlsbWFuJTJGbGlzdGluZm8lMkZudm8zDQo+ID4g DQo+IA0KPiBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0K PiBudm8zIG1haWxpbmcgbGlzdA0KPiBudm8zQGlldGYub3JnDQo+IGh0dHBzOi8vc2VjdXJlLXdl Yi5jaXNjby5jb20vMWotanI2NHloMkQ4eU85MmliY3FhTi1IOThaQ1AzbFFkSG1zWVBzSDhsa2pz YTRXbEo0a2czVzRITDhxVDI1ckNWaXR0VDViRlFveF9fT25Ta25WNXdfd1c2OUZ2VWhYa3hxeEto aTlNQ2l5NW9ILUpUdWNYTl83Rks4NXE3akQtcUV3Uk01SVhZNjhfVmZlYl9YSTJyS3h5endWc0df MDZLVEdGMDlCdzlvSEFPWFVORmNkQ3dfb29uX2VydVVoUlB0ZHdMYzlVUU56MlRoWVA4eXNmMnBy NjRWVTA0VmpNS21Hd3FZdnp6eUFzTFRFYkhyczdHVkNxcGhUNThUMHN0NzhfOTY4ck01TUtGTGs3 RWlXQmo3Z1pQbV9yRGVCZjYzZ1V0eGtjai13OFh5YkppaU8ydGNGYWVvQUxfOG0tWlQ1TDktMVZL NHdaa0htUjVDX0xkZy9odHRwcyUzQSUyRiUyRnd3dy5pZXRmLm9yZyUyRm1haWxtYW4lMkZsaXN0 aW5mbyUyRm52bzMNCg0K From nobody Wed Apr 17 17:49:18 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B5411201A2; Wed, 17 Apr 2019 17:49:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XnWwcVhP-3rX; Wed, 17 Apr 2019 17:49:14 -0700 (PDT) Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADA45120033; Wed, 17 Apr 2019 17:49:13 -0700 (PDT) Received: by mail-lj1-x22a.google.com with SMTP id h21so318927ljk.13; Wed, 17 Apr 2019 17:49:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CWa0oGr0pe1svZPWxNBzRmESGnGjYp6DFSbq8/v3MUs=; b=GShRXdhuPfFpKkHwQjWw2l1LGw6b4BoBvJ2+bNSZY2DTiU/ONY6MzaWtpPfw8s6OY/ YwCNx4Rz6RJpZVjWVdU7Ult18Egtaw521lJMPbWZ6o7NkH/tSOLO9EsZEwNWLkNpvoZQ z9Rlr6ZJBdZYG/CKKfVwXnSa7jzT+lBLyCBcThiQq4YCZ6ZPclOndIgApjMiIax6ONvB uggnzoDiBRE52zRkaKNWcxJGfbbgvi68F0LAARiq4HHmVo+wXqepz+BJjaB4d0qT33u1 Ewz0FVggknyPXNvZ/cUnOA6jsevYugL84/JS12XMWxK4G2bp+YhzqYvjUWC8205KFoTH BAYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CWa0oGr0pe1svZPWxNBzRmESGnGjYp6DFSbq8/v3MUs=; b=LYwINxGceBXX90yunEb3o4Ge1tcAJJpaIcKyCkZegTtdhUWPL8yPN/lhXj39oBpvCI y3wSHYCzKcA2gxz2w8e5shd5dn4qACokNWjyNu0O7h5Bdsoe1H8ZhWU0lO9h091eKD7e ImyQi0UBu8zkYoia0Dutr/dkSu61BxbvqbaSrJXwUV9HOW+npnrNRXqFYTkCsZG7H7c7 +Z5e0K07oug/iq/teZzka1Zzh9hf6Af9g3ynFtZerU0V7wvLvuI+puXqBrAGOPY1F7Nx 6vEGMfRnC07PnF/MsiTkg5F5E2PKMbV9O9LuX+ZiVq2dtgLnKS9Qwy1Ra9+WyTHjRxc0 XO8w== X-Gm-Message-State: APjAAAWrj/2sWqPMgmZfILLtut/s9hYgqhOn1w1UYGUOl7ISuwEN87vh 4gH/dsRLeBueJtmjSCS5NoITvAf3Buqxr9S1Sg4= X-Google-Smtp-Source: APXvYqzpJeHXpYpzLAdgQ4P1myEem8WNHGwWqO5/2LSOskbloD2oA5CI0r/6Y/Q2qO4bKBiYsYbIWZYw6j4O7aqVVM0= X-Received: by 2002:a2e:5d56:: with SMTP id r83mr49576870ljb.74.1555548551719; Wed, 17 Apr 2019 17:49:11 -0700 (PDT) MIME-Version: 1.0 References: <12ACA02A-BB51-4214-A72B-1AEFCCB914AC@cisco.com> <3AFD4751-CF3A-4939-A49A-FB981C68CADF@cisco.com> <4C9CDD29-BDF8-425E-998F-B12C1BD7CA7C@cisco.com> In-Reply-To: <4C9CDD29-BDF8-425E-998F-B12C1BD7CA7C@cisco.com> From: Greg Mirsky Date: Wed, 17 Apr 2019 17:49:04 -0700 Message-ID: To: "Carlos Pignataro (cpignata)" Cc: NVO3 , "draft-ietf-nvo3-vxlan-gpe@ietf.org" , IETF IPPM WG , "sfc@ietf.org" Content-Type: multipart/alternative; boundary="000000000000db2fac0586c35e28" Archived-At: Subject: Re: [nvo3] [SUSPICIOUS] Re: Comments on draft-ietf-nvo3-vxlan-gpe X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Apr 2019 00:49:17 -0000 --000000000000db2fac0586c35e28 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Carlos, thank you for the discussion. As the VXLAN-GPE is on the Informational track, there may be little point to discuss it. But as the draft has been adopted by NVO3 WG, I'm curious about the updates the editors have been making without the WG agreeing to that. I'm looking forward to hearing from any of the editors of VXLAN-GPE about the updates in the last two versions. Also, hope editors of the draft will find time to reply to my questions and consider my comments. Regards, Greg On Wed, Apr 17, 2019 at 5:18 PM Carlos Pignataro (cpignata) < cpignata@cisco.com> wrote: > Dear Greg, > > [Now adding the SFC WG Mailing list since you take us to a different WG > again] > > Thank you very much for fine-combing with a magnifying glass through all > the documents I=E2=80=99m currently co-authoring :-) > > It is refreshing to see that the only issues you find are non-issues, and > your questions easy to re-answer :-) > > At this point I am a bit at a loss of what your point is, or what you are > trying to prove bending text. Are you coding, deploying, or testing IOAM = on > NSH without data packets on VXLAN-GPE over IP? NSH is data as far as > VXLAN-GPE is concerned. IOAM shimmed in NSH is orthogonal to IOAM shimmed > in VXLAN-GPE. > > I feel this discussion about the O-bit already took place once or twice. > > Kind Regards, > > =E2=80=94 Carlos Pignataro > > PS: The Evil bit is defined for IPv4, should we therefore also define it > here? > > > > On Apr 17, 2019, at 5:54 PM, Greg Mirsky wrote: > > > > Hi Carlos, > > to add another quote from the draft-ietf-sfc-ioam-nsh that you've > co-authored, > > Packets with IOAM data included MUST follow this > > definition, i.e. the O bit MUST NOT be set for regular customer > > traffic which also carries IOAM data and the O bit MUST be set for > > OAM packets which carry only IOAM data without any regular data > > payload. > > > > So, if the only iOAM message is carried in or after an NSH, it is > identified as OAM. And, by your own example in the earlier note, so shoul= d > VXLAN-GPE. > > > > Regards, > > Greg > > > > On Wed, Apr 17, 2019 at 12:44 PM Carlos Pignataro (cpignata) < > cpignata@cisco.com> wrote: > > Hi, Greg, > > > > Adding the IPPM mailing list, since you reference it below, and point t= o > RFC 7799. > > > > Please see inline. > > > > > On Apr 17, 2019, at 3:00 PM, Greg Mirsky > wrote: > > > > > > Hi Carlos, > > > thank you for sharing your view on the design of the VXLAN-GPE > protocol. Please find my comments in-line tagged GIM>>. > > > > > > Regards, > > > Greg > > > > > > On Fri, Apr 12, 2019 at 5:23 AM Carlos Pignataro (cpignata) < > cpignata@cisco.com> wrote: > > > Greg, > > > > > > You seem to be confusing and mixing things up. > > > > > > Please see inline. > > > > > > > On Apr 12, 2019, at 2:50 AM, Greg Mirsky > wrote: > > > > > > > > Dear Editors, et al., > > > > I've read the latest -07 version and would like to share my comment= s > and questions with you: > > > > =E2=80=A2 in the earlier version of the draft, the O-bit was > introduced and defined as: > > > > OAM Flag Bit (O bit): The O bit is set to indicate that the packet > is an OAM packet. > > > > At the same time, in the latest version, the new Next Protocol valu= e > (0x81) to identify iOAM Data was introduced. Hence are my questions: > > > > =E2=80=A2 What must be the value of the O-bit when the value = of the > Next Protocol field is iOAM? > > > > > > The O bit =E2=80=9Cis set to indicate that the packet is an OAM packe= t=E2=80=9D. > > > IAOM is not an OAM packet. Hence, O bit clear if VXLAN-GPE > encapsulates a non-OAM packet and adds an IOAM shim. > > > GIM>> It is a very unexpected statement from you, > > > > I would tell you =E2=80=98expect the unexpected=E2=80=99, but that is n= ot the case > here... :-) > > > > If you actually read my statement, you will see "IAOM is not an OAM > *packet*.=E2=80=9D New emphasis added =E2=80=94 it is _not_ *an OAM packe= t*. > > > > I stand by it. It=E2=80=99s an augmented data packet of interest. > > > > > one of the co-authors of draft-ietf-ippm-ioam-data where the first > paragraph of the Introduction section defines iOAM as Hybrid Type 1 OAM, > according to RFC 7799 classification: > > > > This is still quite consistent with that definition, which I recommend > you re-read: > > > > RFC 7799 is about metrics and methods, not packet definitions. > > > > You will see that Active methods include a =E2=80=9Cdedicated measureme= nt packet > stream=E2=80=9D. =E2=80=9CActive Methods generate packet streams.=E2=80= =9D > > > > However, Hybrid Type I leverages =E2=80=9CAugmentation or modification = of the > stream of interest" > > > > Following your logic, if you change a packet field such as TTL/HL to > provide packet coloring, do you need to set the O-bit? > > > > > IOAM is to complement > > > mechanisms such as Ping or Traceroute, or more recent active probi= ng > > > mechanisms as described in [I-D.lapukhov-dataplane-probe].. In > terms > > > of "active" or "passive" OAM, "in-situ" OAM can be considered a > > > hybrid OAM type. While no extra packets are sent, IOAM adds > > > information to the packets therefore cannot be considered passive. > > > In terms of the classification given in [RFC7799] IOAM could be > > > portrayed as Hybrid Type 1. > > > > > > > =E2=80=A2 Do you plan to define the Next Protocol values for = active > OAM protocols, e.g., Echo Request/Reply, BFD, Performance Monitoring? > > > > > > I cannot speak to =E2=80=9Cplans=E2=80=9D (replying as =E2=80=9Cet al= .=E2=80=9D, not as =E2=80=9Ceditor=E2=80=9D), but > I expect OAM documents ought to have those requested, and you do not need > necessarily all of those =E2=80=94 the nex protocol IPv4 / IPv6 can encap= sulate > ICMP, UDP/BFD, etc., etc., etc., etc. > > > GIM>> Of course, use of the well-known port number, usually it is UDP > destination port, is one of the methods to demultiplex protocols. This > method is broadly used, for example, in MPLS OAM. But this method has som= e > disadvantages that were pointed out in the discussion of BFD over GENEVE = in > Prague by David Black (the last presentation in the minutes): > > > David: I want the BFD header to be as close to the thing whose > liveness I'm testing. The more headers you add in the middle, the more wa= ys > there are to break BFD without breaking the forwarding engine. The furthe= r > away I move BFD from the chunk of hardware's liveness I care about, the > more opportunities are for BFD and the hardware to not to tell me the sam= e > thing. > > > > > > > Theory and practice match in theory, less so in practice =E2=80=94 unle= ss you > are planning to update RFC 5881. > > > > This can be argued both ways (e.g., better to have common handlers, > etc.), but I take no position. I do say that in presence of deployed OAM > encapsulations, there=E2=80=99s no basis for your your comment about defi= ning a > protocol type for =E2=80=9CPerformance Monitoring=E2=80=9D as a protocol.= .. > > > > > > > > > > > =E2=80=A2 How to interpret the situation when the O-bit value= is 1 but > the value of the Next Protocol field is, for example, NSH, i.e.., not any > of OAM protocols? > > > > > > I expect it means there=E2=80=99s OAM within that NSH (sometimes ther= e=E2=80=99s no > such things as =E2=80=9COAM Protocols=E2=80=9D), or an unhandled OAM prot= ocol. > > > GIM>> Should that, i.e., OAM in NSH or immediately following NSH be > signaled using SFC NSH methods that are already defined in > draft-ietf-sfc-multi-layer-oam? > > > > > > Non sequitur =E2=80=94 I do not follow what signaling has to do with th= e > conversation, nor how that draft might be relevant. > > > > > Using the server layer, as you've suggested, seems as layer violation= . > > > > > > > This is a funny statement =E2=80=94 NVO3 is a layer violation :-) So ar= e > Pseudowires. Please do not take this statement too seriously, it is not > inviting discussion. > > > > > > =E2=80=A2 I believe that the use of the dedicated OAM flag an= d the > Next Protocol field for a fixed-size header that cannot include meta-data > is unwarranted and adds unnecessary complexity. > > > > > > Disagree. > > > > > > See example where protocol is IP carrying an OAM packet. > > > GIM>> When IP/UDP encapsulation is used for OAM, there's no, in my > opinion, any need to use the O-bit. The destination IP address must be as > described in RFC 8029 or RFC 5884 and the demultiplexing is done based on > the destination UDP port number. Clearly, O-bit is unnecessary if IP/UDP > encapsulation for OAM being used. > > > > > > > Fortunately, bit usage is a matter of definition and not opinion :-) > > > > Kind regards, > > > > Carlos. > > > > > > > > I suggest not to use O-bit in the VXLAN-GPE header and release it > into the Reserved field. I don't see the apparent benefit of using the > flag, as the VXLA-GPE uses the fixed size header and the header cannot > carry OAM data in it. The only role the VXLAN-GPE header must perform, in > my opinion, is to unambiguously identify the payload type that immediatel= y > follows the header as OAM (demultiplexing OAM protocols may be done in OA= M > Header shim). > > > > Much appreciate your consideration. > > > > > > > > > > Best, > > > > > > =E2=80=94 > > > Carlos Pignataro, carlos@cisco.com > > > > > > =E2=80=9CSometimes I use big words that I do not fully understand, to= make > myself sound more photosynthesis." > > > > > > > Regards, > > > > Greg > > > > _______________________________________________ > > > > nvo3 mailing list > > > > nvo3@ietf.org > > > > > https://secure-web.cisco.com/1j-jr64yh2D8yO92ibcqaN-H98ZCP3lQdHmsYPsH8lkj= sa4WlJ4kg3W4HL8qT25rCVittT5bFQox__OnSknV5w_wW69FvUhXkxqxKhi9MCiy5oH-JTucXN_= 7FK85q7jD-qEwRM5IXY68_Vfeb_XI2rKxyzwVsG_06KTGF09Bw9oHAOXUNFcdCw_oon_eruUhRP= tdwLc9UQNz2ThYP8ysf2pr64VU04VjMKmGwqYvzzyAsLTEbHrs7GVCqphT58T0st78_968rM5MK= FLk7EiWBj7gZPm_rDeBf63gUtxkcj-w8XybJiiO2tcFaeoAL_8m-ZT5L9-1VK4wZkHmR5C_Ldg/= https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fnvo3 > > > > > > > _______________________________________________ > > nvo3 mailing list > > nvo3@ietf.org > > > https://secure-web.cisco.com/1j-jr64yh2D8yO92ibcqaN-H98ZCP3lQdHmsYPsH8lkj= sa4WlJ4kg3W4HL8qT25rCVittT5bFQox__OnSknV5w_wW69FvUhXkxqxKhi9MCiy5oH-JTucXN_= 7FK85q7jD-qEwRM5IXY68_Vfeb_XI2rKxyzwVsG_06KTGF09Bw9oHAOXUNFcdCw_oon_eruUhRP= tdwLc9UQNz2ThYP8ysf2pr64VU04VjMKmGwqYvzzyAsLTEbHrs7GVCqphT58T0st78_968rM5MK= FLk7EiWBj7gZPm_rDeBf63gUtxkcj-w8XybJiiO2tcFaeoAL_8m-ZT5L9-1VK4wZkHmR5C_Ldg/= https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fnvo3 > > --000000000000db2fac0586c35e28 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
    Hi Carlos,
    thank you for the discussion.
    As = the VXLAN-GPE is on the Informational track, there may be little point to d= iscuss it. But as the draft has been adopted by NVO3 WG, I'm curious ab= out the updates the editors have been making without the WG agreeing to tha= t. I'm looking forward to hearing from any of the editors of VXLAN-GPE = about the updates in the last two versions. Also, hope editors of the draft= will find time to reply to my questions and consider my comments.

    Regards,
    Greg

    On Wed, Apr 17, 2019 at 5:18 = PM Carlos Pignataro (cpignata) <cp= ignata@cisco.com> wrote:
    Dear Greg,

    [Now adding the SFC WG Mailing list since you take us to a different WG aga= in]

    Thank you very much for fine-combing with a magnifying glass through all th= e documents I=E2=80=99m currently co-authoring :-)

    It is refreshing to see that the only issues you find are non-issues, and y= our questions easy to re-answer :-)

    At this point I am a bit at a loss of what your point is, or what you are t= rying to prove bending text. Are you coding, deploying, or testing IOAM on = NSH without data packets on VXLAN-GPE over IP? NSH is data as far as VXLAN-= GPE is concerned. IOAM shimmed in NSH is orthogonal to IOAM shimmed in VXLA= N-GPE.

    I feel this discussion about the O-bit already took place once or twice.
    Kind Regards,

    =E2=80=94 Carlos Pignataro

    PS: The Evil bit is defined for IPv4, should we therefore also define it he= re?


    > On Apr 17, 2019, at 5:54 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
    >
    > Hi Carlos,
    > to add another quote from the draft-ietf-sfc-ioam-nsh that you've = co-authored,
    >=C2=A0 =C2=A0 Packets with IOAM data included MUST follow this
    >=C2=A0 =C2=A0 definition, i.e. the O bit MUST NOT be set for regular cu= stomer
    >=C2=A0 =C2=A0 traffic which also carries IOAM data and the O bit MUST b= e set for
    >=C2=A0 =C2=A0 OAM packets which carry only IOAM data without any regula= r data
    >=C2=A0 =C2=A0 payload.
    >
    > So, if the only iOAM message is carried in or after an NSH, it is iden= tified as OAM. And, by your own example in the earlier note, so should VXLA= N-GPE.
    >
    > Regards,
    > Greg
    >
    > On Wed, Apr 17, 2019 at 12:44 PM Carlos Pignataro (cpignata) <cpignata@cisco.com&g= t; wrote:
    > Hi, Greg,
    >
    > Adding the IPPM mailing list, since you reference it below, and point = to RFC 7799.
    >
    > Please see inline.
    >
    > > On Apr 17, 2019, at 3:00 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:=
    > >
    > > Hi Carlos,
    > > thank you for sharing your view on the design of the VXLAN-GPE pr= otocol. Please find my comments in-line tagged GIM>>.
    > >
    > > Regards,
    > > Greg
    > >
    > > On Fri, Apr 12, 2019 at 5:23 AM Carlos Pignataro (cpignata) <<= a href=3D"mailto:cpignata@cisco.com" target=3D"_blank">cpignata@cisco.com> wrote:
    > > Greg,
    > >
    > > You seem to be confusing and mixing things up.
    > >
    > > Please see inline.
    > >
    > > > On Apr 12, 2019, at 2:50 AM, Greg Mirsky <gregimirsky@gmail.com> w= rote:
    > > >
    > > > Dear Editors, et al.,
    > > > I've read the latest -07 version and would like to share= my comments and questions with you:
    > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 in the earlier version o= f the draft, the O-bit was introduced and defined as:
    > > > OAM Flag Bit (O bit):=C2=A0 The O bit is set to indicate tha= t the packet is an OAM packet.
    > > > At the same time, in the latest version, the new Next Protoc= ol value (0x81) to identify iOAM Data was introduced. Hence are my question= s:
    > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 What must be the value o= f the O-bit when the value of the Next Protocol field is iOAM?
    > >
    > > The O bit =E2=80=9Cis set to indicate that the packet is an OAM p= acket=E2=80=9D.
    > > IAOM is not an OAM packet. Hence, O bit clear if VXLAN-GPE encaps= ulates a non-OAM packet and adds an IOAM shim.
    > > GIM>> It is a very unexpected statement from you,
    >
    > I would tell you =E2=80=98expect the unexpected=E2=80=99, but that is = not the case here... :-)
    >
    > If you actually read my statement, you will see "IAOM is not an O= AM *packet*.=E2=80=9D New emphasis added =E2=80=94 it is _not_ *an OAM pack= et*.
    >
    > I stand by it. It=E2=80=99s an augmented data packet of interest.
    >
    > > one of the co-authors of draft-ietf-ippm-ioam-data=C2=A0 where th= e first paragraph of the Introduction section defines iOAM as Hybrid Type 1= OAM, according to RFC 7799 classification:
    >
    > This is still quite consistent with that definition, which I recommend= you re-read:
    >
    > RFC 7799 is about metrics and methods, not packet definitions.
    >
    > You will see that Active methods include a =E2=80=9Cdedicated measurem= ent packet stream=E2=80=9D. =E2=80=9CActive Methods generate packet streams= .=E2=80=9D
    >
    > However, Hybrid Type I leverages =E2=80=9CAugmentation or modification= of the stream of interest"
    >
    > Following your logic, if you change a packet field such as TTL/HL to p= rovide packet coloring, do you need to set the O-bit?
    >
    > >=C2=A0 =C2=A0 IOAM is to complement
    > >=C2=A0 =C2=A0 mechanisms such as Ping or Traceroute, or more recen= t active probing
    > >=C2=A0 =C2=A0 mechanisms as described in [I-D.lapukhov-dataplane-p= robe]..=C2=A0 In terms
    > >=C2=A0 =C2=A0 of "active" or "passive" OAM, &q= uot;in-situ" OAM can be considered a
    > >=C2=A0 =C2=A0 hybrid OAM type.=C2=A0 While no extra packets are se= nt, IOAM adds
    > >=C2=A0 =C2=A0 information to the packets therefore cannot be consi= dered passive.
    > >=C2=A0 =C2=A0 In terms of the classification given in [RFC7799] IO= AM could be
    > >=C2=A0 =C2=A0 portrayed as Hybrid Type 1.
    > >
    > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 Do you plan to define th= e Next Protocol values for active OAM protocols, e.g., Echo Request/Reply, = BFD, Performance Monitoring?
    > >
    > > I cannot speak to =E2=80=9Cplans=E2=80=9D (replying as =E2=80=9Ce= t al.=E2=80=9D, not as =E2=80=9Ceditor=E2=80=9D), but I expect OAM document= s ought to have those requested, and you do not need necessarily all of tho= se =E2=80=94 the nex protocol IPv4 / IPv6 can encapsulate ICMP, UDP/BFD, et= c., etc., etc., etc.
    > > GIM>> Of course, use of the well-known port number, usually= it is UDP destination port, is one of the methods to demultiplex protocols= . This method is broadly used, for example, in MPLS OAM. But this method ha= s some disadvantages that were pointed out in the discussion of BFD over GE= NEVE in Prague by David Black (the last presentation in the minutes):
    > > David: I want the BFD header to be as close to the thing whose li= veness I'm testing. The more headers you add in the middle, the more wa= ys there are to break BFD without breaking the forwarding engine. The furth= er away I move BFD from the chunk of hardware's liveness I care about, = the more opportunities are for BFD and the hardware to not to tell me the s= ame thing.
    > >
    >
    > Theory and practice match in theory, less so in practice =E2=80=94 unl= ess you are planning to update RFC 5881.
    >
    > This can be argued both ways (e.g., better to have common handlers, et= c.), but I take no position. I do say that in presence of deployed OAM enca= psulations, there=E2=80=99s no basis for your your comment about defining a= protocol type for =E2=80=9CPerformance Monitoring=E2=80=9D as a protocol..= .
    >
    >
    > >
    > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 How to interpret the sit= uation when the O-bit value is 1 but the value of the Next Protocol field i= s, for example, NSH, i.e.., not any of OAM protocols?
    > >
    > > I expect it means there=E2=80=99s OAM within that NSH (sometimes = there=E2=80=99s no such things as =E2=80=9COAM Protocols=E2=80=9D), or an u= nhandled OAM protocol.
    > > GIM>> Should that, i.e., OAM in NSH or immediately followin= g NSH be signaled using SFC NSH methods that are already defined in draft-i= etf-sfc-multi-layer-oam?
    >
    >
    > Non sequitur =E2=80=94 I do not follow what signaling has to do with t= he conversation, nor how that draft might be relevant.
    >
    > > Using the server layer, as you've suggested, seems as layer v= iolation.
    > >
    >
    > This is a funny statement =E2=80=94 NVO3 is a layer violation :-) So a= re Pseudowires. Please do not take this statement too seriously, it is not = inviting discussion.
    >
    > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0=E2=80=A2 I believe that the use o= f the dedicated OAM flag and the Next Protocol field for a fixed-size heade= r that cannot include meta-data is unwarranted and adds unnecessary complex= ity.
    > >
    > > Disagree.
    > >
    > > See example where protocol is IP carrying an OAM packet.
    > > GIM>> When IP/UDP encapsulation is used for OAM, there'= s no, in my opinion, any need to use the O-bit. The destination IP address = must be as described in RFC 8029 or RFC 5884 and the demultiplexing is done= based on the destination UDP port number. Clearly, O-bit is unnecessary if= IP/UDP encapsulation for OAM being used.
    > >
    >
    > Fortunately, bit usage is a matter of definition and not opinion :-) >
    > Kind regards,
    >
    > Carlos.
    >
    >
    > > > I suggest not to use O-bit in the VXLAN-GPE header and relea= se it into the Reserved field.=C2=A0 I don't see the apparent benefit o= f using the flag, as the VXLA-GPE uses the fixed size header and the header= cannot carry OAM data in it. The only role the VXLAN-GPE header must perfo= rm, in my opinion, is to unambiguously identify the payload type that immed= iately follows the header as OAM (demultiplexing OAM protocols may be done = in OAM Header shim).
    > > > Much appreciate your consideration.
    > > >
    > >
    > > Best,
    > >
    > > =E2=80=94
    > > Carlos Pignataro, carlos@cisco.com
    > >
    > > =E2=80=9CSometimes I use big words that I do not fully understand= , to make myself sound more photosynthesis."
    > >
    > > > Regards,
    > > > Greg
    > > > _______________________________________________
    > > > nvo3 mailing list
    > > > nvo3@ietf= .org
    > > > https://secure-web.cisco.com/1j-j= r64yh2D8yO92ibcqaN-H98ZCP3lQdHmsYPsH8lkjsa4WlJ4kg3W4HL8qT25rCVittT5bFQox__O= nSknV5w_wW69FvUhXkxqxKhi9MCiy5oH-JTucXN_7FK85q7jD-qEwRM5IXY68_Vfeb_XI2rKxyz= wVsG_06KTGF09Bw9oHAOXUNFcdCw_oon_eruUhRPtdwLc9UQNz2ThYP8ysf2pr64VU04VjMKmGw= qYvzzyAsLTEbHrs7GVCqphT58T0st78_968rM5MKFLk7EiWBj7gZPm_rDeBf63gUtxkcj-w8Xyb= JiiO2tcFaeoAL_8m-ZT5L9-1VK4wZkHmR5C_Ldg/https%3A%2F%2Fwww.ietf.org%2Fmailma= n%2Flistinfo%2Fnvo3
    > >
    >
    > _______________________________________________
    > nvo3 mailing list
    > nvo3@ietf.org > https://secure-web.cisco.com/1j-jr64yh2D8= yO92ibcqaN-H98ZCP3lQdHmsYPsH8lkjsa4WlJ4kg3W4HL8qT25rCVittT5bFQox__OnSknV5w_= wW69FvUhXkxqxKhi9MCiy5oH-JTucXN_7FK85q7jD-qEwRM5IXY68_Vfeb_XI2rKxyzwVsG_06K= TGF09Bw9oHAOXUNFcdCw_oon_eruUhRPtdwLc9UQNz2ThYP8ysf2pr64VU04VjMKmGwqYvzzyAs= LTEbHrs7GVCqphT58T0st78_968rM5MKFLk7EiWBj7gZPm_rDeBf63gUtxkcj-w8XybJiiO2tcF= aeoAL_8m-ZT5L9-1VK4wZkHmR5C_Ldg/https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flist= info%2Fnvo3

    --000000000000db2fac0586c35e28-- From nobody Wed Apr 17 18:08:13 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB3FD120096; Wed, 17 Apr 2019 18:08:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.501 X-Spam-Level: X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c3GeructIx2W; Wed, 17 Apr 2019 18:07:59 -0700 (PDT) Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF7E4120033; Wed, 17 Apr 2019 18:07:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=42928; q=dns/txt; s=iport; t=1555549679; x=1556759279; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=TetsWSy/95PjxMFyLIA2V9dP7DhvvcT+BDVEHBIzj3o=; b=OTTQsteR90jR+Qe7OUZnpSYUZFvNZZ90AtoWNgg6Bst72As1WBV7LoKY bXUI5meXCdQn+Pyo2IPRz/ZLaODeL03Qp1esABpl223a/F60w3+5zlXaU tjYP1MRSsouGscZ5oErDIiuo1P6jVNF0HHa1M1S+PagF47/t0Nk0o7DP2 E=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AHAAAqzbdc/5ldJa1cChkBAQEBAQE?= =?us-ascii?q?BAQEBAQEHAQEBAQEBgVMCAQEBAQELAYEOUwUqaIEEKAqEBJU2iTqPEBSBZw4?= =?us-ascii?q?BARgBCYRLAheFfiM2Bw4BAwEBBAECAQJtHAyFSgEBAQMBAQEYCQRABwsFCwI?= =?us-ascii?q?BCBEDAQIBIAcDAgICHwYLFAkIAgQOBYMiAYEdTAMNDw+pVnwzhDYCg0gNghs?= =?us-ascii?q?GgTIBi0kXgUA/gREnH4FOfj6CGkcBAQIYgQ8NFQQyFoJUMYImBI0phDqHZ4w?= =?us-ascii?q?QLDcJAoIGhguEUoN3g0obggmGHYNniHCND4URgUeMMQIRFYEwJgkogVZwFTs?= =?us-ascii?q?qAYJBgzIBAoJIhRSFP0ExAQEKj0WBIQEB?= X-IronPort-AV: E=Sophos;i="5.60,364,1549929600"; d="scan'208,217";a="263524500" Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Apr 2019 01:07:57 +0000 Received: from XCH-RTP-018.cisco.com (xch-rtp-018.cisco.com [64.101.220.158]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id x3I17vDS013117 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 18 Apr 2019 01:07:57 GMT Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-018.cisco.com (64.101.220.158) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 17 Apr 2019 21:07:56 -0400 Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1473.003; Wed, 17 Apr 2019 21:07:56 -0400 From: "Carlos Pignataro (cpignata)" To: Greg Mirsky CC: NVO3 , "draft-ietf-nvo3-vxlan-gpe@ietf.org" , IETF IPPM WG , "sfc@ietf.org" Thread-Topic: [SUSPICIOUS] Re: [nvo3] Comments on draft-ietf-nvo3-vxlan-gpe Thread-Index: AQHU8Pwb4PQUm0Sk6kyANyiY2S4odqY4th6AgAhKgYCAAAxngIAAJG4AgAAoIICAAAiMAP//wjaA Date: Thu, 18 Apr 2019 01:07:56 +0000 Message-ID: <5C94C616-82BD-49CE-BB20-A31F843E8806@cisco.com> References: <12ACA02A-BB51-4214-A72B-1AEFCCB914AC@cisco.com> <3AFD4751-CF3A-4939-A49A-FB981C68CADF@cisco.com> <4C9CDD29-BDF8-425E-998F-B12C1BD7CA7C@cisco.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/10.18.0.190414 x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.118.116.132] Content-Type: multipart/alternative; boundary="_000_5C94C61682BD49CEBB20A31F843E8806ciscocom_" MIME-Version: 1.0 X-Outbound-SMTP-Client: 64.101.220.158, xch-rtp-018.cisco.com X-Outbound-Node: rcdn-core-2.cisco.com Archived-At: Subject: Re: [nvo3] [SUSPICIOUS] Re: Comments on draft-ietf-nvo3-vxlan-gpe X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Apr 2019 01:08:05 -0000 --_000_5C94C61682BD49CEBB20A31F843E8806ciscocom_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 RGVhciBHcmVnLA0KDQpBcyBhbiBpbm5vY2VudCBieXN0YW5kZXIsIEkgaGF2ZSBubyBkb2cgaW4g dGhpcyBmaWdodCAoaS5lLiwgbm8gcGVyc29uYWwgc3Rha2UgaW4gdGhlIGlzc3VlIHlvdSBrZWVw IHJhaXNpbmcpLCBidXQgeW91IHNlZW0gdG8gYmUgbWFraW5nIGEgcmF0aGVyIHN0cm9uZyBhY2N1 c2F0aW9uOiDigJx0aGUgdXBkYXRlcyB0aGUgZWRpdG9ycyBoYXZlIGJlZW4gbWFraW5nIHdpdGhv dXQgdGhlIFdHIGFncmVlaW5nIHRvIHRoYXTigJ0uIFlvdSB0YWxrIGFib3V0IHBsdXJhbCDigJx1 cGRhdGVz4oCdLCBhbmQgeW91IHVzZSBhIGNvbnRpbnVlZCB0ZW5zZSBvZiDigJxoYXZlIGJlZW4g bWFraW5n4oCdIChpbXBseWluZyBtb3JlIHRoYW4gb25jZSwgb3IgcmVwZWF0ZWRseSkuDQoNCkxv b2tpbmcgYXQgdGhlIGRpZmZzIGZyb20gZHJhZnQtaWV0Zi1udm8zLXZ4bGFuLWdwZS0wMCB0byBk cmFmdC1pZXRmLW52bzMtdnhsYW4tZ3BlLTA3Og0KaHR0cHM6Ly93d3c2LmlldGYub3JnL3JmY2Rp ZmYvP3VybDE9ZHJhZnQtaWV0Zi1udm8zLXZ4bGFuLWdwZS0wMCZ1cmwyPWRyYWZ0LWlldGYtbnZv My12eGxhbi1ncGUtMDcNCg0KSSBzZWUgbm8gY2hhbmdlcyBpbiB0aGUgZGVmaW5pdGlvbiBvZiB0 aGUgTy1iaXQuDQoNCkkgd2lsbCBzdG9wIHJlcGx5aW5nIHRvIHRoaXMgdGhyZWFkIHdpdGggdGhp cyBmaW5hbCBub3RlLCBhbmQgbGV0IHRoZSBFZGl0b3JzIG9mIHRoYXQgZG9jdW1lbnQgYW5zd2Vy IHlvdXIgZXhwbGljaXQgY2FsbCDigJMgaG93ZXZlciwgZm9yIHRoZSBiZW5lZml0IG9mIGNsYXJp dHkgZm9yIHRoZSBXRywgd2hhdCBzcGVjaWZpYyB1cGRhdGVzIHlvdSByZWZlciB0bz8NCg0KWW91 IG1lbnRpb24g4oCcdGhlIGxhc3QgdHdvIHZlcnNpb25z4oCdIG9mIFZYTEFOLUdSRS4NCjA1IC0+ IDA2OiBodHRwczovL3d3dzYuaWV0Zi5vcmcvcmZjZGlmZi8/dXJsMT1kcmFmdC1pZXRmLW52bzMt dnhsYW4tZ3BlLTA1JnVybDI9ZHJhZnQtaWV0Zi1udm8zLXZ4bGFuLWdwZS0wNg0KSSBzZWUgbm8g Y29udGVudCBjaGFuZ2VzIOKAkyBvbmx5IHVwZGF0aW5nIHJlZmVyZW5jZXMgYW5kIHNwYWNlcw0K DQowNiAtPiAwNzogaHR0cHM6Ly93d3c2LmlldGYub3JnL3JmY2RpZmYvP3VybDE9ZHJhZnQtaWV0 Zi1udm8zLXZ4bGFuLWdwZS0wNiZ1cmwyPWRyYWZ0LWlldGYtbnZvMy12eGxhbi1ncGUtMDcNCkRl ZmluaXRpb24gb2YgTmV4dCBQcm90b2NvbCByYW5nZSBmb3Igc2hpbSBoZWFkZXJzLCBhbmQgYXNz aWdubWVudCBvZiBhIE5leHQgUHJvdG9jb2wgdmFsdWUgZm9yIHRoZSBJT0FNIHNoaW0uDQoNCldo aWNoIG9uZSBpcyBpdD8NCg0KQ2FybG9zLg0KDQoNCkZyb206IEdyZWcgTWlyc2t5IDxncmVnaW1p cnNreUBnbWFpbC5jb20+DQpEYXRlOiBXZWRuZXNkYXksIEFwcmlsIDE3LCAyMDE5IGF0IDg6NDkg UE0NClRvOiAiQ2FybG9zIFBpZ25hdGFybyAoY3BpZ25hdGEpIiA8Y3BpZ25hdGFAY2lzY28uY29t Pg0KQ2M6IE5WTzMgPG52bzNAaWV0Zi5vcmc+LCAiZHJhZnQtaWV0Zi1udm8zLXZ4bGFuLWdwZUBp ZXRmLm9yZyIgPGRyYWZ0LWlldGYtbnZvMy12eGxhbi1ncGVAaWV0Zi5vcmc+LCBJRVRGIElQUE0g V0cgPGlwcG1AaWV0Zi5vcmc+LCAic2ZjQGlldGYub3JnIiA8c2ZjQGlldGYub3JnPg0KU3ViamVj dDogUmU6IFtTVVNQSUNJT1VTXSBSZTogW252bzNdIENvbW1lbnRzIG9uIGRyYWZ0LWlldGYtbnZv My12eGxhbi1ncGUNCg0KSGkgQ2FybG9zLA0KdGhhbmsgeW91IGZvciB0aGUgZGlzY3Vzc2lvbi4N CkFzIHRoZSBWWExBTi1HUEUgaXMgb24gdGhlIEluZm9ybWF0aW9uYWwgdHJhY2ssIHRoZXJlIG1h eSBiZSBsaXR0bGUgcG9pbnQgdG8gZGlzY3VzcyBpdC4gQnV0IGFzIHRoZSBkcmFmdCBoYXMgYmVl biBhZG9wdGVkIGJ5IE5WTzMgV0csIEknbSBjdXJpb3VzIGFib3V0IHRoZSB1cGRhdGVzIHRoZSBl ZGl0b3JzIGhhdmUgYmVlbiBtYWtpbmcgd2l0aG91dCB0aGUgV0cgYWdyZWVpbmcgdG8gdGhhdC4g SSdtIGxvb2tpbmcgZm9yd2FyZCB0byBoZWFyaW5nIGZyb20gYW55IG9mIHRoZSBlZGl0b3JzIG9m IFZYTEFOLUdQRSBhYm91dCB0aGUgdXBkYXRlcyBpbiB0aGUgbGFzdCB0d28gdmVyc2lvbnMuIEFs c28sIGhvcGUgZWRpdG9ycyBvZiB0aGUgZHJhZnQgd2lsbCBmaW5kIHRpbWUgdG8gcmVwbHkgdG8g bXkgcXVlc3Rpb25zIGFuZCBjb25zaWRlciBteSBjb21tZW50cy4NCg0KUmVnYXJkcywNCkdyZWcN Cg0KT24gV2VkLCBBcHIgMTcsIDIwMTkgYXQgNToxOCBQTSBDYXJsb3MgUGlnbmF0YXJvIChjcGln bmF0YSkgPGNwaWduYXRhQGNpc2NvLmNvbTxtYWlsdG86Y3BpZ25hdGFAY2lzY28uY29tPj4gd3Jv dGU6DQpEZWFyIEdyZWcsDQoNCltOb3cgYWRkaW5nIHRoZSBTRkMgV0cgTWFpbGluZyBsaXN0IHNp bmNlIHlvdSB0YWtlIHVzIHRvIGEgZGlmZmVyZW50IFdHIGFnYWluXQ0KDQpUaGFuayB5b3UgdmVy eSBtdWNoIGZvciBmaW5lLWNvbWJpbmcgd2l0aCBhIG1hZ25pZnlpbmcgZ2xhc3MgdGhyb3VnaCBh bGwgdGhlIGRvY3VtZW50cyBJ4oCZbSBjdXJyZW50bHkgY28tYXV0aG9yaW5nIDotKQ0KDQpJdCBp cyByZWZyZXNoaW5nIHRvIHNlZSB0aGF0IHRoZSBvbmx5IGlzc3VlcyB5b3UgZmluZCBhcmUgbm9u LWlzc3VlcywgYW5kIHlvdXIgcXVlc3Rpb25zIGVhc3kgdG8gcmUtYW5zd2VyIDotKQ0KDQpBdCB0 aGlzIHBvaW50IEkgYW0gYSBiaXQgYXQgYSBsb3NzIG9mIHdoYXQgeW91ciBwb2ludCBpcywgb3Ig d2hhdCB5b3UgYXJlIHRyeWluZyB0byBwcm92ZSBiZW5kaW5nIHRleHQuIEFyZSB5b3UgY29kaW5n LCBkZXBsb3lpbmcsIG9yIHRlc3RpbmcgSU9BTSBvbiBOU0ggd2l0aG91dCBkYXRhIHBhY2tldHMg b24gVlhMQU4tR1BFIG92ZXIgSVA/IE5TSCBpcyBkYXRhIGFzIGZhciBhcyBWWExBTi1HUEUgaXMg Y29uY2VybmVkLiBJT0FNIHNoaW1tZWQgaW4gTlNIIGlzIG9ydGhvZ29uYWwgdG8gSU9BTSBzaGlt bWVkIGluIFZYTEFOLUdQRS4NCg0KSSBmZWVsIHRoaXMgZGlzY3Vzc2lvbiBhYm91dCB0aGUgTy1i aXQgYWxyZWFkeSB0b29rIHBsYWNlIG9uY2Ugb3IgdHdpY2UuDQoNCktpbmQgUmVnYXJkcywNCg0K 4oCUIENhcmxvcyBQaWduYXRhcm8NCg0KUFM6IFRoZSBFdmlsIGJpdCBpcyBkZWZpbmVkIGZvciBJ UHY0LCBzaG91bGQgd2UgdGhlcmVmb3JlIGFsc28gZGVmaW5lIGl0IGhlcmU/DQoNCg0KPiBPbiBB cHIgMTcsIDIwMTksIGF0IDU6NTQgUE0sIEdyZWcgTWlyc2t5IDxncmVnaW1pcnNreUBnbWFpbC5j b208bWFpbHRvOmdyZWdpbWlyc2t5QGdtYWlsLmNvbT4+IHdyb3RlOg0KPg0KPiBIaSBDYXJsb3Ms DQo+IHRvIGFkZCBhbm90aGVyIHF1b3RlIGZyb20gdGhlIGRyYWZ0LWlldGYtc2ZjLWlvYW0tbnNo IHRoYXQgeW91J3ZlIGNvLWF1dGhvcmVkLA0KPiAgICBQYWNrZXRzIHdpdGggSU9BTSBkYXRhIGlu Y2x1ZGVkIE1VU1QgZm9sbG93IHRoaXMNCj4gICAgZGVmaW5pdGlvbiwgaS5lLiB0aGUgTyBiaXQg TVVTVCBOT1QgYmUgc2V0IGZvciByZWd1bGFyIGN1c3RvbWVyDQo+ICAgIHRyYWZmaWMgd2hpY2gg YWxzbyBjYXJyaWVzIElPQU0gZGF0YSBhbmQgdGhlIE8gYml0IE1VU1QgYmUgc2V0IGZvcg0KPiAg ICBPQU0gcGFja2V0cyB3aGljaCBjYXJyeSBvbmx5IElPQU0gZGF0YSB3aXRob3V0IGFueSByZWd1 bGFyIGRhdGENCj4gICAgcGF5bG9hZC4NCj4NCj4gU28sIGlmIHRoZSBvbmx5IGlPQU0gbWVzc2Fn ZSBpcyBjYXJyaWVkIGluIG9yIGFmdGVyIGFuIE5TSCwgaXQgaXMgaWRlbnRpZmllZCBhcyBPQU0u IEFuZCwgYnkgeW91ciBvd24gZXhhbXBsZSBpbiB0aGUgZWFybGllciBub3RlLCBzbyBzaG91bGQg VlhMQU4tR1BFLg0KPg0KPiBSZWdhcmRzLA0KPiBHcmVnDQo+DQo+IE9uIFdlZCwgQXByIDE3LCAy MDE5IGF0IDEyOjQ0IFBNIENhcmxvcyBQaWduYXRhcm8gKGNwaWduYXRhKSA8Y3BpZ25hdGFAY2lz Y28uY29tPG1haWx0bzpjcGlnbmF0YUBjaXNjby5jb20+PiB3cm90ZToNCj4gSGksIEdyZWcsDQo+ DQo+IEFkZGluZyB0aGUgSVBQTSBtYWlsaW5nIGxpc3QsIHNpbmNlIHlvdSByZWZlcmVuY2UgaXQg YmVsb3csIGFuZCBwb2ludCB0byBSRkMgNzc5OS4NCj4NCj4gUGxlYXNlIHNlZSBpbmxpbmUuDQo+ DQo+ID4gT24gQXByIDE3LCAyMDE5LCBhdCAzOjAwIFBNLCBHcmVnIE1pcnNreSA8Z3JlZ2ltaXJz a3lAZ21haWwuY29tPG1haWx0bzpncmVnaW1pcnNreUBnbWFpbC5jb20+PiB3cm90ZToNCj4gPg0K PiA+IEhpIENhcmxvcywNCj4gPiB0aGFuayB5b3UgZm9yIHNoYXJpbmcgeW91ciB2aWV3IG9uIHRo ZSBkZXNpZ24gb2YgdGhlIFZYTEFOLUdQRSBwcm90b2NvbC4gUGxlYXNlIGZpbmQgbXkgY29tbWVu dHMgaW4tbGluZSB0YWdnZWQgR0lNPj4uDQo+ID4NCj4gPiBSZWdhcmRzLA0KPiA+IEdyZWcNCj4g Pg0KPiA+IE9uIEZyaSwgQXByIDEyLCAyMDE5IGF0IDU6MjMgQU0gQ2FybG9zIFBpZ25hdGFybyAo Y3BpZ25hdGEpIDxjcGlnbmF0YUBjaXNjby5jb208bWFpbHRvOmNwaWduYXRhQGNpc2NvLmNvbT4+ IHdyb3RlOg0KPiA+IEdyZWcsDQo+ID4NCj4gPiBZb3Ugc2VlbSB0byBiZSBjb25mdXNpbmcgYW5k IG1peGluZyB0aGluZ3MgdXAuDQo+ID4NCj4gPiBQbGVhc2Ugc2VlIGlubGluZS4NCj4gPg0KPiA+ ID4gT24gQXByIDEyLCAyMDE5LCBhdCAyOjUwIEFNLCBHcmVnIE1pcnNreSA8Z3JlZ2ltaXJza3lA Z21haWwuY29tPG1haWx0bzpncmVnaW1pcnNreUBnbWFpbC5jb20+PiB3cm90ZToNCj4gPiA+DQo+ ID4gPiBEZWFyIEVkaXRvcnMsIGV0IGFsLiwNCj4gPiA+IEkndmUgcmVhZCB0aGUgbGF0ZXN0IC0w NyB2ZXJzaW9uIGFuZCB3b3VsZCBsaWtlIHRvIHNoYXJlIG15IGNvbW1lbnRzIGFuZCBxdWVzdGlv bnMgd2l0aCB5b3U6DQo+ID4gPiAgICAgICDigKIgaW4gdGhlIGVhcmxpZXIgdmVyc2lvbiBvZiB0 aGUgZHJhZnQsIHRoZSBPLWJpdCB3YXMgaW50cm9kdWNlZCBhbmQgZGVmaW5lZCBhczoNCj4gPiA+ IE9BTSBGbGFnIEJpdCAoTyBiaXQpOiAgVGhlIE8gYml0IGlzIHNldCB0byBpbmRpY2F0ZSB0aGF0 IHRoZSBwYWNrZXQgaXMgYW4gT0FNIHBhY2tldC4NCj4gPiA+IEF0IHRoZSBzYW1lIHRpbWUsIGlu IHRoZSBsYXRlc3QgdmVyc2lvbiwgdGhlIG5ldyBOZXh0IFByb3RvY29sIHZhbHVlICgweDgxKSB0 byBpZGVudGlmeSBpT0FNIERhdGEgd2FzIGludHJvZHVjZWQuIEhlbmNlIGFyZSBteSBxdWVzdGlv bnM6DQo+ID4gPiAgICAgICDigKIgV2hhdCBtdXN0IGJlIHRoZSB2YWx1ZSBvZiB0aGUgTy1iaXQg d2hlbiB0aGUgdmFsdWUgb2YgdGhlIE5leHQgUHJvdG9jb2wgZmllbGQgaXMgaU9BTT8NCj4gPg0K PiA+IFRoZSBPIGJpdCDigJxpcyBzZXQgdG8gaW5kaWNhdGUgdGhhdCB0aGUgcGFja2V0IGlzIGFu IE9BTSBwYWNrZXTigJ0uDQo+ID4gSUFPTSBpcyBub3QgYW4gT0FNIHBhY2tldC4gSGVuY2UsIE8g Yml0IGNsZWFyIGlmIFZYTEFOLUdQRSBlbmNhcHN1bGF0ZXMgYSBub24tT0FNIHBhY2tldCBhbmQg YWRkcyBhbiBJT0FNIHNoaW0uDQo+ID4gR0lNPj4gSXQgaXMgYSB2ZXJ5IHVuZXhwZWN0ZWQgc3Rh dGVtZW50IGZyb20geW91LA0KPg0KPiBJIHdvdWxkIHRlbGwgeW91IOKAmGV4cGVjdCB0aGUgdW5l eHBlY3RlZOKAmSwgYnV0IHRoYXQgaXMgbm90IHRoZSBjYXNlIGhlcmUuLi4gOi0pDQo+DQo+IElm IHlvdSBhY3R1YWxseSByZWFkIG15IHN0YXRlbWVudCwgeW91IHdpbGwgc2VlICJJQU9NIGlzIG5v dCBhbiBPQU0gKnBhY2tldCou4oCdIE5ldyBlbXBoYXNpcyBhZGRlZCDigJQgaXQgaXMgX25vdF8g KmFuIE9BTSBwYWNrZXQqLg0KPg0KPiBJIHN0YW5kIGJ5IGl0LiBJdOKAmXMgYW4gYXVnbWVudGVk IGRhdGEgcGFja2V0IG9mIGludGVyZXN0Lg0KPg0KPiA+IG9uZSBvZiB0aGUgY28tYXV0aG9ycyBv ZiBkcmFmdC1pZXRmLWlwcG0taW9hbS1kYXRhICB3aGVyZSB0aGUgZmlyc3QgcGFyYWdyYXBoIG9m IHRoZSBJbnRyb2R1Y3Rpb24gc2VjdGlvbiBkZWZpbmVzIGlPQU0gYXMgSHlicmlkIFR5cGUgMSBP QU0sIGFjY29yZGluZyB0byBSRkMgNzc5OSBjbGFzc2lmaWNhdGlvbjoNCj4NCj4gVGhpcyBpcyBz dGlsbCBxdWl0ZSBjb25zaXN0ZW50IHdpdGggdGhhdCBkZWZpbml0aW9uLCB3aGljaCBJIHJlY29t bWVuZCB5b3UgcmUtcmVhZDoNCj4NCj4gUkZDIDc3OTkgaXMgYWJvdXQgbWV0cmljcyBhbmQgbWV0 aG9kcywgbm90IHBhY2tldCBkZWZpbml0aW9ucy4NCj4NCj4gWW91IHdpbGwgc2VlIHRoYXQgQWN0 aXZlIG1ldGhvZHMgaW5jbHVkZSBhIOKAnGRlZGljYXRlZCBtZWFzdXJlbWVudCBwYWNrZXQgc3Ry ZWFt4oCdLiDigJxBY3RpdmUgTWV0aG9kcyBnZW5lcmF0ZSBwYWNrZXQgc3RyZWFtcy7igJ0NCj4N Cj4gSG93ZXZlciwgSHlicmlkIFR5cGUgSSBsZXZlcmFnZXMg4oCcQXVnbWVudGF0aW9uIG9yIG1v ZGlmaWNhdGlvbiBvZiB0aGUgc3RyZWFtIG9mIGludGVyZXN0Ig0KPg0KPiBGb2xsb3dpbmcgeW91 ciBsb2dpYywgaWYgeW91IGNoYW5nZSBhIHBhY2tldCBmaWVsZCBzdWNoIGFzIFRUTC9ITCB0byBw cm92aWRlIHBhY2tldCBjb2xvcmluZywgZG8geW91IG5lZWQgdG8gc2V0IHRoZSBPLWJpdD8NCj4N Cj4gPiAgICBJT0FNIGlzIHRvIGNvbXBsZW1lbnQNCj4gPiAgICBtZWNoYW5pc21zIHN1Y2ggYXMg UGluZyBvciBUcmFjZXJvdXRlLCBvciBtb3JlIHJlY2VudCBhY3RpdmUgcHJvYmluZw0KPiA+ICAg IG1lY2hhbmlzbXMgYXMgZGVzY3JpYmVkIGluIFtJLUQubGFwdWtob3YtZGF0YXBsYW5lLXByb2Jl XS4uICBJbiB0ZXJtcw0KPiA+ICAgIG9mICJhY3RpdmUiIG9yICJwYXNzaXZlIiBPQU0sICJpbi1z aXR1IiBPQU0gY2FuIGJlIGNvbnNpZGVyZWQgYQ0KPiA+ICAgIGh5YnJpZCBPQU0gdHlwZS4gIFdo aWxlIG5vIGV4dHJhIHBhY2tldHMgYXJlIHNlbnQsIElPQU0gYWRkcw0KPiA+ICAgIGluZm9ybWF0 aW9uIHRvIHRoZSBwYWNrZXRzIHRoZXJlZm9yZSBjYW5ub3QgYmUgY29uc2lkZXJlZCBwYXNzaXZl Lg0KPiA+ICAgIEluIHRlcm1zIG9mIHRoZSBjbGFzc2lmaWNhdGlvbiBnaXZlbiBpbiBbUkZDNzc5 OV0gSU9BTSBjb3VsZCBiZQ0KPiA+ICAgIHBvcnRyYXllZCBhcyBIeWJyaWQgVHlwZSAxLg0KPiA+ DQo+ID4gPiAgICAgICDigKIgRG8geW91IHBsYW4gdG8gZGVmaW5lIHRoZSBOZXh0IFByb3RvY29s IHZhbHVlcyBmb3IgYWN0aXZlIE9BTSBwcm90b2NvbHMsIGUuZy4sIEVjaG8gUmVxdWVzdC9SZXBs eSwgQkZELCBQZXJmb3JtYW5jZSBNb25pdG9yaW5nPw0KPiA+DQo+ID4gSSBjYW5ub3Qgc3BlYWsg dG8g4oCccGxhbnPigJ0gKHJlcGx5aW5nIGFzIOKAnGV0IGFsLuKAnSwgbm90IGFzIOKAnGVkaXRv cuKAnSksIGJ1dCBJIGV4cGVjdCBPQU0gZG9jdW1lbnRzIG91Z2h0IHRvIGhhdmUgdGhvc2UgcmVx dWVzdGVkLCBhbmQgeW91IGRvIG5vdCBuZWVkIG5lY2Vzc2FyaWx5IGFsbCBvZiB0aG9zZSDigJQg dGhlIG5leCBwcm90b2NvbCBJUHY0IC8gSVB2NiBjYW4gZW5jYXBzdWxhdGUgSUNNUCwgVURQL0JG RCwgZXRjLiwgZXRjLiwgZXRjLiwgZXRjLg0KPiA+IEdJTT4+IE9mIGNvdXJzZSwgdXNlIG9mIHRo ZSB3ZWxsLWtub3duIHBvcnQgbnVtYmVyLCB1c3VhbGx5IGl0IGlzIFVEUCBkZXN0aW5hdGlvbiBw b3J0LCBpcyBvbmUgb2YgdGhlIG1ldGhvZHMgdG8gZGVtdWx0aXBsZXggcHJvdG9jb2xzLiBUaGlz IG1ldGhvZCBpcyBicm9hZGx5IHVzZWQsIGZvciBleGFtcGxlLCBpbiBNUExTIE9BTS4gQnV0IHRo aXMgbWV0aG9kIGhhcyBzb21lIGRpc2FkdmFudGFnZXMgdGhhdCB3ZXJlIHBvaW50ZWQgb3V0IGlu IHRoZSBkaXNjdXNzaW9uIG9mIEJGRCBvdmVyIEdFTkVWRSBpbiBQcmFndWUgYnkgRGF2aWQgQmxh Y2sgKHRoZSBsYXN0IHByZXNlbnRhdGlvbiBpbiB0aGUgbWludXRlcyk6DQo+ID4gRGF2aWQ6IEkg d2FudCB0aGUgQkZEIGhlYWRlciB0byBiZSBhcyBjbG9zZSB0byB0aGUgdGhpbmcgd2hvc2UgbGl2 ZW5lc3MgSSdtIHRlc3RpbmcuIFRoZSBtb3JlIGhlYWRlcnMgeW91IGFkZCBpbiB0aGUgbWlkZGxl LCB0aGUgbW9yZSB3YXlzIHRoZXJlIGFyZSB0byBicmVhayBCRkQgd2l0aG91dCBicmVha2luZyB0 aGUgZm9yd2FyZGluZyBlbmdpbmUuIFRoZSBmdXJ0aGVyIGF3YXkgSSBtb3ZlIEJGRCBmcm9tIHRo ZSBjaHVuayBvZiBoYXJkd2FyZSdzIGxpdmVuZXNzIEkgY2FyZSBhYm91dCwgdGhlIG1vcmUgb3Bw b3J0dW5pdGllcyBhcmUgZm9yIEJGRCBhbmQgdGhlIGhhcmR3YXJlIHRvIG5vdCB0byB0ZWxsIG1l IHRoZSBzYW1lIHRoaW5nLg0KPiA+DQo+DQo+IFRoZW9yeSBhbmQgcHJhY3RpY2UgbWF0Y2ggaW4g dGhlb3J5LCBsZXNzIHNvIGluIHByYWN0aWNlIOKAlCB1bmxlc3MgeW91IGFyZSBwbGFubmluZyB0 byB1cGRhdGUgUkZDIDU4ODEuDQo+DQo+IFRoaXMgY2FuIGJlIGFyZ3VlZCBib3RoIHdheXMgKGUu Zy4sIGJldHRlciB0byBoYXZlIGNvbW1vbiBoYW5kbGVycywgZXRjLiksIGJ1dCBJIHRha2Ugbm8g cG9zaXRpb24uIEkgZG8gc2F5IHRoYXQgaW4gcHJlc2VuY2Ugb2YgZGVwbG95ZWQgT0FNIGVuY2Fw c3VsYXRpb25zLCB0aGVyZeKAmXMgbm8gYmFzaXMgZm9yIHlvdXIgeW91ciBjb21tZW50IGFib3V0 IGRlZmluaW5nIGEgcHJvdG9jb2wgdHlwZSBmb3Ig4oCcUGVyZm9ybWFuY2UgTW9uaXRvcmluZ+KA nSBhcyBhIHByb3RvY29sLi4uDQo+DQo+DQo+ID4NCj4gPiA+ICAgICAgIOKAoiBIb3cgdG8gaW50 ZXJwcmV0IHRoZSBzaXR1YXRpb24gd2hlbiB0aGUgTy1iaXQgdmFsdWUgaXMgMSBidXQgdGhlIHZh bHVlIG9mIHRoZSBOZXh0IFByb3RvY29sIGZpZWxkIGlzLCBmb3IgZXhhbXBsZSwgTlNILCBpLmUu Liwgbm90IGFueSBvZiBPQU0gcHJvdG9jb2xzPw0KPiA+DQo+ID4gSSBleHBlY3QgaXQgbWVhbnMg dGhlcmXigJlzIE9BTSB3aXRoaW4gdGhhdCBOU0ggKHNvbWV0aW1lcyB0aGVyZeKAmXMgbm8gc3Vj aCB0aGluZ3MgYXMg4oCcT0FNIFByb3RvY29sc+KAnSksIG9yIGFuIHVuaGFuZGxlZCBPQU0gcHJv dG9jb2wuDQo+ID4gR0lNPj4gU2hvdWxkIHRoYXQsIGkuZS4sIE9BTSBpbiBOU0ggb3IgaW1tZWRp YXRlbHkgZm9sbG93aW5nIE5TSCBiZSBzaWduYWxlZCB1c2luZyBTRkMgTlNIIG1ldGhvZHMgdGhh dCBhcmUgYWxyZWFkeSBkZWZpbmVkIGluIGRyYWZ0LWlldGYtc2ZjLW11bHRpLWxheWVyLW9hbT8N Cj4NCj4NCj4gTm9uIHNlcXVpdHVyIOKAlCBJIGRvIG5vdCBmb2xsb3cgd2hhdCBzaWduYWxpbmcg aGFzIHRvIGRvIHdpdGggdGhlIGNvbnZlcnNhdGlvbiwgbm9yIGhvdyB0aGF0IGRyYWZ0IG1pZ2h0 IGJlIHJlbGV2YW50Lg0KPg0KPiA+IFVzaW5nIHRoZSBzZXJ2ZXIgbGF5ZXIsIGFzIHlvdSd2ZSBz dWdnZXN0ZWQsIHNlZW1zIGFzIGxheWVyIHZpb2xhdGlvbi4NCj4gPg0KPg0KPiBUaGlzIGlzIGEg ZnVubnkgc3RhdGVtZW50IOKAlCBOVk8zIGlzIGEgbGF5ZXIgdmlvbGF0aW9uIDotKSBTbyBhcmUg UHNldWRvd2lyZXMuIFBsZWFzZSBkbyBub3QgdGFrZSB0aGlzIHN0YXRlbWVudCB0b28gc2VyaW91 c2x5LCBpdCBpcyBub3QgaW52aXRpbmcgZGlzY3Vzc2lvbi4NCj4NCj4gPiA+ICAgICAgIOKAoiBJ IGJlbGlldmUgdGhhdCB0aGUgdXNlIG9mIHRoZSBkZWRpY2F0ZWQgT0FNIGZsYWcgYW5kIHRoZSBO ZXh0IFByb3RvY29sIGZpZWxkIGZvciBhIGZpeGVkLXNpemUgaGVhZGVyIHRoYXQgY2Fubm90IGlu Y2x1ZGUgbWV0YS1kYXRhIGlzIHVud2FycmFudGVkIGFuZCBhZGRzIHVubmVjZXNzYXJ5IGNvbXBs ZXhpdHkuDQo+ID4NCj4gPiBEaXNhZ3JlZS4NCj4gPg0KPiA+IFNlZSBleGFtcGxlIHdoZXJlIHBy b3RvY29sIGlzIElQIGNhcnJ5aW5nIGFuIE9BTSBwYWNrZXQuDQo+ID4gR0lNPj4gV2hlbiBJUC9V RFAgZW5jYXBzdWxhdGlvbiBpcyB1c2VkIGZvciBPQU0sIHRoZXJlJ3Mgbm8sIGluIG15IG9waW5p b24sIGFueSBuZWVkIHRvIHVzZSB0aGUgTy1iaXQuIFRoZSBkZXN0aW5hdGlvbiBJUCBhZGRyZXNz IG11c3QgYmUgYXMgZGVzY3JpYmVkIGluIFJGQyA4MDI5IG9yIFJGQyA1ODg0IGFuZCB0aGUgZGVt dWx0aXBsZXhpbmcgaXMgZG9uZSBiYXNlZCBvbiB0aGUgZGVzdGluYXRpb24gVURQIHBvcnQgbnVt YmVyLiBDbGVhcmx5LCBPLWJpdCBpcyB1bm5lY2Vzc2FyeSBpZiBJUC9VRFAgZW5jYXBzdWxhdGlv biBmb3IgT0FNIGJlaW5nIHVzZWQuDQo+ID4NCj4NCj4gRm9ydHVuYXRlbHksIGJpdCB1c2FnZSBp cyBhIG1hdHRlciBvZiBkZWZpbml0aW9uIGFuZCBub3Qgb3BpbmlvbiA6LSkNCj4NCj4gS2luZCBy ZWdhcmRzLA0KPg0KPiBDYXJsb3MuDQo+DQo+DQo+ID4gPiBJIHN1Z2dlc3Qgbm90IHRvIHVzZSBP LWJpdCBpbiB0aGUgVlhMQU4tR1BFIGhlYWRlciBhbmQgcmVsZWFzZSBpdCBpbnRvIHRoZSBSZXNl cnZlZCBmaWVsZC4gIEkgZG9uJ3Qgc2VlIHRoZSBhcHBhcmVudCBiZW5lZml0IG9mIHVzaW5nIHRo ZSBmbGFnLCBhcyB0aGUgVlhMQS1HUEUgdXNlcyB0aGUgZml4ZWQgc2l6ZSBoZWFkZXIgYW5kIHRo ZSBoZWFkZXIgY2Fubm90IGNhcnJ5IE9BTSBkYXRhIGluIGl0LiBUaGUgb25seSByb2xlIHRoZSBW WExBTi1HUEUgaGVhZGVyIG11c3QgcGVyZm9ybSwgaW4gbXkgb3BpbmlvbiwgaXMgdG8gdW5hbWJp Z3VvdXNseSBpZGVudGlmeSB0aGUgcGF5bG9hZCB0eXBlIHRoYXQgaW1tZWRpYXRlbHkgZm9sbG93 cyB0aGUgaGVhZGVyIGFzIE9BTSAoZGVtdWx0aXBsZXhpbmcgT0FNIHByb3RvY29scyBtYXkgYmUg ZG9uZSBpbiBPQU0gSGVhZGVyIHNoaW0pLg0KPiA+ID4gTXVjaCBhcHByZWNpYXRlIHlvdXIgY29u c2lkZXJhdGlvbi4NCj4gPiA+DQo+ID4NCj4gPiBCZXN0LA0KPiA+DQo+ID4g4oCUDQo+ID4gQ2Fy bG9zIFBpZ25hdGFybywgY2FybG9zQGNpc2NvLmNvbTxtYWlsdG86Y2FybG9zQGNpc2NvLmNvbT4N Cj4gPg0KPiA+IOKAnFNvbWV0aW1lcyBJIHVzZSBiaWcgd29yZHMgdGhhdCBJIGRvIG5vdCBmdWxs eSB1bmRlcnN0YW5kLCB0byBtYWtlIG15c2VsZiBzb3VuZCBtb3JlIHBob3Rvc3ludGhlc2lzLiIN Cj4gPg0KPiA+ID4gUmVnYXJkcywNCj4gPiA+IEdyZWcNCj4gPiA+IF9fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQo+ID4gPiBudm8zIG1haWxpbmcgbGlzdA0K PiA+ID4gbnZvM0BpZXRmLm9yZzxtYWlsdG86bnZvM0BpZXRmLm9yZz4NCj4gPiA+IGh0dHBzOi8v c2VjdXJlLXdlYi5jaXNjby5jb20vMWotanI2NHloMkQ4eU85MmliY3FhTi1IOThaQ1AzbFFkSG1z WVBzSDhsa2pzYTRXbEo0a2czVzRITDhxVDI1ckNWaXR0VDViRlFveF9fT25Ta25WNXdfd1c2OUZ2 VWhYa3hxeEtoaTlNQ2l5NW9ILUpUdWNYTl83Rks4NXE3akQtcUV3Uk01SVhZNjhfVmZlYl9YSTJy S3h5endWc0dfMDZLVEdGMDlCdzlvSEFPWFVORmNkQ3dfb29uX2VydVVoUlB0ZHdMYzlVUU56MlRo WVA4eXNmMnByNjRWVTA0VmpNS21Hd3FZdnp6eUFzTFRFYkhyczdHVkNxcGhUNThUMHN0NzhfOTY4 ck01TUtGTGs3RWlXQmo3Z1pQbV9yRGVCZjYzZ1V0eGtjai13OFh5YkppaU8ydGNGYWVvQUxfOG0t WlQ1TDktMVZLNHdaa0htUjVDX0xkZy9odHRwcyUzQSUyRiUyRnd3dy5pZXRmLm9yZyUyRm1haWxt YW4lMkZsaXN0aW5mbyUyRm52bzMNCj4gPg0KPg0KPiBfX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fXw0KPiBudm8zIG1haWxpbmcgbGlzdA0KPiBudm8zQGlldGYu b3JnPG1haWx0bzpudm8zQGlldGYub3JnPg0KPiBodHRwczovL3NlY3VyZS13ZWIuY2lzY28uY29t LzFqLWpyNjR5aDJEOHlPOTJpYmNxYU4tSDk4WkNQM2xRZEhtc1lQc0g4bGtqc2E0V2xKNGtnM1c0 SEw4cVQyNXJDVml0dFQ1YkZRb3hfX09uU2tuVjV3X3dXNjlGdlVoWGt4cXhLaGk5TUNpeTVvSC1K VHVjWE5fN0ZLODVxN2pELXFFd1JNNUlYWTY4X1ZmZWJfWEkyckt4eXp3VnNHXzA2S1RHRjA5Qnc5 b0hBT1hVTkZjZEN3X29vbl9lcnVVaFJQdGR3TGM5VVFOejJUaFlQOHlzZjJwcjY0VlUwNFZqTUtt R3dxWXZ6enlBc0xURWJIcnM3R1ZDcXBoVDU4VDBzdDc4Xzk2OHJNNU1LRkxrN0VpV0JqN2daUG1f ckRlQmY2M2dVdHhrY2otdzhYeWJKaWlPMnRjRmFlb0FMXzhtLVpUNUw5LTFWSzR3WmtIbVI1Q19M ZGcvaHR0cHMlM0ElMkYlMkZ3d3cuaWV0Zi5vcmclMkZtYWlsbWFuJTJGbGlzdGluZm8lMkZudm8z DQo= --_000_5C94C61682BD49CEBB20A31F843E8806ciscocom_ Content-Type: text/html; charset="utf-8" Content-ID: <7E4C364AFA98144E8F9DD3737B762D0F@emea.cisco.com> Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6bz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiB4 bWxuczp3PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTp3b3JkIiB4bWxuczptPSJo dHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL29mZmljZS8yMDA0LzEyL29tbWwiIHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy9UUi9SRUMtaHRtbDQwIj4NCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVp dj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPg0KPG1l dGEgbmFtZT0iR2VuZXJhdG9yIiBjb250ZW50PSJNaWNyb3NvZnQgV29yZCAxNSAoZmlsdGVyZWQg bWVkaXVtKSI+DQo8c3R5bGU+PCEtLQ0KLyogRm9udCBEZWZpbml0aW9ucyAqLw0KQGZvbnQtZmFj ZQ0KCXtmb250LWZhbWlseToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2 IDMgMiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToy IDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OiJZdSBNaW5j aG8iOw0KCXBhbm9zZS0xOjIgMiA0IDAgMCAwIDAgMCAwIDA7fQ0KQGZvbnQtZmFjZQ0KCXtmb250 LWZhbWlseToiXEBZdSBNaW5jaG8iO30NCi8qIFN0eWxlIERlZmluaXRpb25zICovDQpwLk1zb05v cm1hbCwgbGkuTXNvTm9ybWFsLCBkaXYuTXNvTm9ybWFsDQoJe21hcmdpbjowaW47DQoJbWFyZ2lu LWJvdHRvbTouMDAwMXB0Ow0KCWZvbnQtc2l6ZToxMS4wcHQ7DQoJZm9udC1mYW1pbHk6IkNhbGli cmkiLHNhbnMtc2VyaWY7fQ0KYTpsaW5rLCBzcGFuLk1zb0h5cGVybGluaw0KCXttc28tc3R5bGUt cHJpb3JpdHk6OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30N CmE6dmlzaXRlZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xsb3dlZA0KCXttc28tc3R5bGUtcHJpb3Jp dHk6OTk7DQoJY29sb3I6cHVycGxlOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KcC5t c29ub3JtYWwwLCBsaS5tc29ub3JtYWwwLCBkaXYubXNvbm9ybWFsMA0KCXttc28tc3R5bGUtbmFt ZTptc29ub3JtYWw7DQoJbXNvLW1hcmdpbi10b3AtYWx0OmF1dG87DQoJbWFyZ2luLXJpZ2h0OjBp bjsNCgltc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0bzsNCgltYXJnaW4tbGVmdDowaW47DQoJZm9u dC1zaXplOjExLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjt9DQpzcGFu LkVtYWlsU3R5bGUxOA0KCXttc28tc3R5bGUtdHlwZTpwZXJzb25hbC1yZXBseTsNCglmb250LWZh bWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjsNCgljb2xvcjp3aW5kb3d0ZXh0O30NCi5Nc29DaHBE ZWZhdWx0DQoJe21zby1zdHlsZS10eXBlOmV4cG9ydC1vbmx5Ow0KCWZvbnQtc2l6ZToxMC4wcHQ7 fQ0KQHBhZ2UgV29yZFNlY3Rpb24xDQoJe3NpemU6OC41aW4gMTEuMGluOw0KCW1hcmdpbjoxLjBp biAxLjBpbiAxLjBpbiAxLjBpbjt9DQpkaXYuV29yZFNlY3Rpb24xDQoJe3BhZ2U6V29yZFNlY3Rp b24xO30NCi0tPjwvc3R5bGU+DQo8L2hlYWQ+DQo8Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0iYmx1 ZSIgdmxpbms9InB1cnBsZSI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+RGVhciBHcmVnLDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5BcyBhbiBpbm5v Y2VudCBieXN0YW5kZXIsIEkgaGF2ZSBubyBkb2cgaW4gdGhpcyBmaWdodCAoaS5lLiwgbm8gcGVy c29uYWwgc3Rha2UgaW4gdGhlIGlzc3VlIHlvdSBrZWVwIHJhaXNpbmcpLCBidXQgeW91IHNlZW0g dG8gYmUgbWFraW5nIGEgcmF0aGVyIHN0cm9uZyBhY2N1c2F0aW9uOiDigJw8aT50aGUgdXBkYXRl cyB0aGUgZWRpdG9ycyBoYXZlIGJlZW4gbWFraW5nIHdpdGhvdXQgdGhlIFdHIGFncmVlaW5nIHRv DQogdGhhdDwvaT7igJ0uIFlvdSB0YWxrIGFib3V0IHBsdXJhbCDigJx1cGRhdGVz4oCdLCBhbmQg eW91IHVzZSBhIGNvbnRpbnVlZCB0ZW5zZSBvZiDigJxoYXZlIGJlZW4gbWFraW5n4oCdIChpbXBs eWluZyBtb3JlIHRoYW4gb25jZSwgb3IgcmVwZWF0ZWRseSkuPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPkxvb2tpbmcgYXQgdGhlIGRpZmZzIGZyb20gZHJhZnQtaWV0Zi1udm8zLXZ4bGFuLWdwZS0w MCB0byBkcmFmdC1pZXRmLW52bzMtdnhsYW4tZ3BlLTA3OjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PGEgaHJlZj0iaHR0cHM6Ly93d3c2LmlldGYub3JnL3JmY2RpZmYvP3Vy bDE9ZHJhZnQtaWV0Zi1udm8zLXZ4bGFuLWdwZS0wMCZhbXA7dXJsMj1kcmFmdC1pZXRmLW52bzMt dnhsYW4tZ3BlLTA3Ij5odHRwczovL3d3dzYuaWV0Zi5vcmcvcmZjZGlmZi8/dXJsMT1kcmFmdC1p ZXRmLW52bzMtdnhsYW4tZ3BlLTAwJmFtcDt1cmwyPWRyYWZ0LWlldGYtbnZvMy12eGxhbi1ncGUt MDc8L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkkgc2VlIG5vIGNoYW5nZXMgaW4gdGhlIGRl ZmluaXRpb24gb2YgdGhlIE8tYml0LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5JIHdpbGwgc3Rv cCByZXBseWluZyB0byB0aGlzIHRocmVhZCB3aXRoIHRoaXMgZmluYWwgbm90ZSwgYW5kIGxldCB0 aGUgRWRpdG9ycyBvZiB0aGF0IGRvY3VtZW50IGFuc3dlciB5b3VyIGV4cGxpY2l0IGNhbGwg4oCT IGhvd2V2ZXIsIGZvciB0aGUgYmVuZWZpdCBvZiBjbGFyaXR5IGZvciB0aGUgV0csIHdoYXQgc3Bl Y2lmaWMgdXBkYXRlcyB5b3UgcmVmZXIgdG8/PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPllvdSBt ZW50aW9uIOKAnHRoZSBsYXN0IHR3byB2ZXJzaW9uc+KAnSBvZiBWWExBTi1HUkUuPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4wNSAtJmd0OyAwNjogPGEgaHJlZj0iaHR0cHM6 Ly93d3c2LmlldGYub3JnL3JmY2RpZmYvP3VybDE9ZHJhZnQtaWV0Zi1udm8zLXZ4bGFuLWdwZS0w NSZhbXA7dXJsMj1kcmFmdC1pZXRmLW52bzMtdnhsYW4tZ3BlLTA2Ij4NCmh0dHBzOi8vd3d3Ni5p ZXRmLm9yZy9yZmNkaWZmLz91cmwxPWRyYWZ0LWlldGYtbnZvMy12eGxhbi1ncGUtMDUmYW1wO3Vy bDI9ZHJhZnQtaWV0Zi1udm8zLXZ4bGFuLWdwZS0wNjwvYT48bzpwPjwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPkkgc2VlIG5vIGNvbnRlbnQgY2hhbmdlcyDigJMgb25seSB1cGRhdGlu ZyByZWZlcmVuY2VzIGFuZCBzcGFjZXM8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+MDYgLSZndDsg MDc6IDxhIGhyZWY9Imh0dHBzOi8vd3d3Ni5pZXRmLm9yZy9yZmNkaWZmLz91cmwxPWRyYWZ0LWll dGYtbnZvMy12eGxhbi1ncGUtMDYmYW1wO3VybDI9ZHJhZnQtaWV0Zi1udm8zLXZ4bGFuLWdwZS0w NyI+DQpodHRwczovL3d3dzYuaWV0Zi5vcmcvcmZjZGlmZi8/dXJsMT1kcmFmdC1pZXRmLW52bzMt dnhsYW4tZ3BlLTA2JmFtcDt1cmwyPWRyYWZ0LWlldGYtbnZvMy12eGxhbi1ncGUtMDc8L2E+PG86 cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5EZWZpbml0aW9uIG9mIE5leHQgUHJv dG9jb2wgcmFuZ2UgZm9yIHNoaW0gaGVhZGVycywgYW5kIGFzc2lnbm1lbnQgb2YgYSBOZXh0IFBy b3RvY29sIHZhbHVlIGZvciB0aGUgSU9BTSBzaGltLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5X aGljaCBvbmUgaXMgaXQ/PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkNhcmxvcy48bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8ZGl2IHN0eWxlPSJib3JkZXI6 bm9uZTtib3JkZXItdG9wOnNvbGlkICNCNUM0REYgMS4wcHQ7cGFkZGluZzozLjBwdCAwaW4gMGlu IDBpbiI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEy LjBwdDtjb2xvcjpibGFjayI+RnJvbTogPC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtjb2xvcjpibGFjayI+R3JlZyBNaXJza3kgJmx0O2dyZWdpbWlyc2t5QGdtYWlsLmNv bSZndDs8YnI+DQo8Yj5EYXRlOiA8L2I+V2VkbmVzZGF5LCBBcHJpbCAxNywgMjAxOSBhdCA4OjQ5 IFBNPGJyPg0KPGI+VG86IDwvYj4mcXVvdDtDYXJsb3MgUGlnbmF0YXJvIChjcGlnbmF0YSkmcXVv dDsgJmx0O2NwaWduYXRhQGNpc2NvLmNvbSZndDs8YnI+DQo8Yj5DYzogPC9iPk5WTzMgJmx0O252 bzNAaWV0Zi5vcmcmZ3Q7LCAmcXVvdDtkcmFmdC1pZXRmLW52bzMtdnhsYW4tZ3BlQGlldGYub3Jn JnF1b3Q7ICZsdDtkcmFmdC1pZXRmLW52bzMtdnhsYW4tZ3BlQGlldGYub3JnJmd0OywgSUVURiBJ UFBNIFdHICZsdDtpcHBtQGlldGYub3JnJmd0OywgJnF1b3Q7c2ZjQGlldGYub3JnJnF1b3Q7ICZs dDtzZmNAaWV0Zi5vcmcmZ3Q7PGJyPg0KPGI+U3ViamVjdDogPC9iPlJlOiBbU1VTUElDSU9VU10g UmU6IFtudm8zXSBDb21tZW50cyBvbiBkcmFmdC1pZXRmLW52bzMtdnhsYW4tZ3BlPG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4m bmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5IaSBD YXJsb3MsIDxvOnA+PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPnRoYW5r IHlvdSBmb3IgdGhlIGRpc2N1c3Npb24uPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj5BcyB0aGUgVlhMQU4tR1BFIGlzIG9uIHRoZSBJbmZvcm1hdGlv bmFsIHRyYWNrLCB0aGVyZSBtYXkgYmUgbGl0dGxlIHBvaW50IHRvIGRpc2N1c3MgaXQuIEJ1dCBh cyB0aGUgZHJhZnQgaGFzIGJlZW4gYWRvcHRlZCBieSBOVk8zIFdHLCBJJ20gY3VyaW91cyBhYm91 dCB0aGUgdXBkYXRlcyB0aGUgZWRpdG9ycyBoYXZlIGJlZW4gbWFraW5nIHdpdGhvdXQgdGhlIFdH IGFncmVlaW5nIHRvIHRoYXQuIEknbSBsb29raW5nDQogZm9yd2FyZCB0byBoZWFyaW5nIGZyb20g YW55IG9mIHRoZSBlZGl0b3JzIG9mIFZYTEFOLUdQRSBhYm91dCB0aGUgdXBkYXRlcyBpbiB0aGUg bGFzdCB0d28gdmVyc2lvbnMuIEFsc28sIGhvcGUgZWRpdG9ycyBvZiB0aGUgZHJhZnQgd2lsbCBm aW5kIHRpbWUgdG8gcmVwbHkgdG8gbXkgcXVlc3Rpb25zIGFuZCBjb25zaWRlciBteSBjb21tZW50 cy48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ UmVnYXJkcyw8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPkdyZWc8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+T24gV2VkLCBBcHIgMTcsIDIwMTkgYXQgNToxOCBQTSBDYXJsb3MgUGlnbmF0YXJvIChj cGlnbmF0YSkgJmx0OzxhIGhyZWY9Im1haWx0bzpjcGlnbmF0YUBjaXNjby5jb20iPmNwaWduYXRh QGNpc2NvLmNvbTwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8YmxvY2tx dW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAxLjBwdDtw YWRkaW5nOjBpbiAwaW4gMGluIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi1yaWdodDow aW4iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij5E ZWFyIEdyZWcsPGJyPg0KPGJyPg0KW05vdyBhZGRpbmcgdGhlIFNGQyBXRyBNYWlsaW5nIGxpc3Qg c2luY2UgeW91IHRha2UgdXMgdG8gYSBkaWZmZXJlbnQgV0cgYWdhaW5dPGJyPg0KPGJyPg0KVGhh bmsgeW91IHZlcnkgbXVjaCBmb3IgZmluZS1jb21iaW5nIHdpdGggYSBtYWduaWZ5aW5nIGdsYXNz IHRocm91Z2ggYWxsIHRoZSBkb2N1bWVudHMgSeKAmW0gY3VycmVudGx5IGNvLWF1dGhvcmluZyA6 LSk8YnI+DQo8YnI+DQpJdCBpcyByZWZyZXNoaW5nIHRvIHNlZSB0aGF0IHRoZSBvbmx5IGlzc3Vl cyB5b3UgZmluZCBhcmUgbm9uLWlzc3VlcywgYW5kIHlvdXIgcXVlc3Rpb25zIGVhc3kgdG8gcmUt YW5zd2VyIDotKTxicj4NCjxicj4NCkF0IHRoaXMgcG9pbnQgSSBhbSBhIGJpdCBhdCBhIGxvc3Mg b2Ygd2hhdCB5b3VyIHBvaW50IGlzLCBvciB3aGF0IHlvdSBhcmUgdHJ5aW5nIHRvIHByb3ZlIGJl bmRpbmcgdGV4dC4gQXJlIHlvdSBjb2RpbmcsIGRlcGxveWluZywgb3IgdGVzdGluZyBJT0FNIG9u IE5TSCB3aXRob3V0IGRhdGEgcGFja2V0cyBvbiBWWExBTi1HUEUgb3ZlciBJUD8gTlNIIGlzIGRh dGEgYXMgZmFyIGFzIFZYTEFOLUdQRSBpcyBjb25jZXJuZWQuIElPQU0gc2hpbW1lZCBpbg0KIE5T SCBpcyBvcnRob2dvbmFsIHRvIElPQU0gc2hpbW1lZCBpbiBWWExBTi1HUEUuPGJyPg0KPGJyPg0K SSBmZWVsIHRoaXMgZGlzY3Vzc2lvbiBhYm91dCB0aGUgTy1iaXQgYWxyZWFkeSB0b29rIHBsYWNl IG9uY2Ugb3IgdHdpY2UuPGJyPg0KPGJyPg0KS2luZCBSZWdhcmRzLDxicj4NCjxicj4NCuKAlCBD YXJsb3MgUGlnbmF0YXJvPGJyPg0KPGJyPg0KUFM6IFRoZSBFdmlsIGJpdCBpcyBkZWZpbmVkIGZv ciBJUHY0LCBzaG91bGQgd2UgdGhlcmVmb3JlIGFsc28gZGVmaW5lIGl0IGhlcmU/PGJyPg0KPGJy Pg0KPGJyPg0KJmd0OyBPbiBBcHIgMTcsIDIwMTksIGF0IDU6NTQgUE0sIEdyZWcgTWlyc2t5ICZs dDs8YSBocmVmPSJtYWlsdG86Z3JlZ2ltaXJza3lAZ21haWwuY29tIiB0YXJnZXQ9Il9ibGFuayI+ Z3JlZ2ltaXJza3lAZ21haWwuY29tPC9hPiZndDsgd3JvdGU6PGJyPg0KJmd0OyA8YnI+DQomZ3Q7 IEhpIENhcmxvcyw8YnI+DQomZ3Q7IHRvIGFkZCBhbm90aGVyIHF1b3RlIGZyb20gdGhlIGRyYWZ0 LWlldGYtc2ZjLWlvYW0tbnNoIHRoYXQgeW91J3ZlIGNvLWF1dGhvcmVkLCA8YnI+DQomZ3Q7Jm5i c3A7ICZuYnNwOyBQYWNrZXRzIHdpdGggSU9BTSBkYXRhIGluY2x1ZGVkIE1VU1QgZm9sbG93IHRo aXM8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyBkZWZpbml0aW9uLCBpLmUuIHRoZSBPIGJpdCBNVVNU IE5PVCBiZSBzZXQgZm9yIHJlZ3VsYXIgY3VzdG9tZXI8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyB0 cmFmZmljIHdoaWNoIGFsc28gY2FycmllcyBJT0FNIGRhdGEgYW5kIHRoZSBPIGJpdCBNVVNUIGJl IHNldCBmb3I8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyBPQU0gcGFja2V0cyB3aGljaCBjYXJyeSBv bmx5IElPQU0gZGF0YSB3aXRob3V0IGFueSByZWd1bGFyIGRhdGE8YnI+DQomZ3Q7Jm5ic3A7ICZu YnNwOyBwYXlsb2FkLjxicj4NCiZndDsgPGJyPg0KJmd0OyBTbywgaWYgdGhlIG9ubHkgaU9BTSBt ZXNzYWdlIGlzIGNhcnJpZWQgaW4gb3IgYWZ0ZXIgYW4gTlNILCBpdCBpcyBpZGVudGlmaWVkIGFz IE9BTS4gQW5kLCBieSB5b3VyIG93biBleGFtcGxlIGluIHRoZSBlYXJsaWVyIG5vdGUsIHNvIHNo b3VsZCBWWExBTi1HUEUuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFJlZ2FyZHMsPGJyPg0KJmd0OyBH cmVnPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IE9uIFdlZCwgQXByIDE3LCAyMDE5IGF0IDEyOjQ0IFBN IENhcmxvcyBQaWduYXRhcm8gKGNwaWduYXRhKSAmbHQ7PGEgaHJlZj0ibWFpbHRvOmNwaWduYXRh QGNpc2NvLmNvbSIgdGFyZ2V0PSJfYmxhbmsiPmNwaWduYXRhQGNpc2NvLmNvbTwvYT4mZ3Q7IHdy b3RlOjxicj4NCiZndDsgSGksIEdyZWcsPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IEFkZGluZyB0aGUg SVBQTSBtYWlsaW5nIGxpc3QsIHNpbmNlIHlvdSByZWZlcmVuY2UgaXQgYmVsb3csIGFuZCBwb2lu dCB0byBSRkMgNzc5OS48YnI+DQomZ3Q7IDxicj4NCiZndDsgUGxlYXNlIHNlZSBpbmxpbmUuPGJy Pg0KJmd0OyA8YnI+DQomZ3Q7ICZndDsgT24gQXByIDE3LCAyMDE5LCBhdCAzOjAwIFBNLCBHcmVn IE1pcnNreSAmbHQ7PGEgaHJlZj0ibWFpbHRvOmdyZWdpbWlyc2t5QGdtYWlsLmNvbSIgdGFyZ2V0 PSJfYmxhbmsiPmdyZWdpbWlyc2t5QGdtYWlsLmNvbTwvYT4mZ3Q7IHdyb3RlOjxicj4NCiZndDsg Jmd0OyA8YnI+DQomZ3Q7ICZndDsgSGkgQ2FybG9zLDxicj4NCiZndDsgJmd0OyB0aGFuayB5b3Ug Zm9yIHNoYXJpbmcgeW91ciB2aWV3IG9uIHRoZSBkZXNpZ24gb2YgdGhlIFZYTEFOLUdQRSBwcm90 b2NvbC4gUGxlYXNlIGZpbmQgbXkgY29tbWVudHMgaW4tbGluZSB0YWdnZWQgR0lNJmd0OyZndDsu PGJyPg0KJmd0OyAmZ3Q7IDxicj4NCiZndDsgJmd0OyBSZWdhcmRzLDxicj4NCiZndDsgJmd0OyBH cmVnPGJyPg0KJmd0OyAmZ3Q7IDxicj4NCiZndDsgJmd0OyBPbiBGcmksIEFwciAxMiwgMjAxOSBh dCA1OjIzIEFNIENhcmxvcyBQaWduYXRhcm8gKGNwaWduYXRhKSAmbHQ7PGEgaHJlZj0ibWFpbHRv OmNwaWduYXRhQGNpc2NvLmNvbSIgdGFyZ2V0PSJfYmxhbmsiPmNwaWduYXRhQGNpc2NvLmNvbTwv YT4mZ3Q7IHdyb3RlOjxicj4NCiZndDsgJmd0OyBHcmVnLDxicj4NCiZndDsgJmd0OyA8YnI+DQom Z3Q7ICZndDsgWW91IHNlZW0gdG8gYmUgY29uZnVzaW5nIGFuZCBtaXhpbmcgdGhpbmdzIHVwLjxi cj4NCiZndDsgJmd0OyA8YnI+DQomZ3Q7ICZndDsgUGxlYXNlIHNlZSBpbmxpbmUuPGJyPg0KJmd0 OyAmZ3Q7IDxicj4NCiZndDsgJmd0OyAmZ3Q7IE9uIEFwciAxMiwgMjAxOSwgYXQgMjo1MCBBTSwg R3JlZyBNaXJza3kgJmx0OzxhIGhyZWY9Im1haWx0bzpncmVnaW1pcnNreUBnbWFpbC5jb20iIHRh cmdldD0iX2JsYW5rIj5ncmVnaW1pcnNreUBnbWFpbC5jb208L2E+Jmd0OyB3cm90ZTo8YnI+DQom Z3Q7ICZndDsgJmd0OyA8YnI+DQomZ3Q7ICZndDsgJmd0OyBEZWFyIEVkaXRvcnMsIGV0IGFsLiw8 YnI+DQomZ3Q7ICZndDsgJmd0OyBJJ3ZlIHJlYWQgdGhlIGxhdGVzdCAtMDcgdmVyc2lvbiBhbmQg d291bGQgbGlrZSB0byBzaGFyZSBteSBjb21tZW50cyBhbmQgcXVlc3Rpb25zIHdpdGggeW91Ojxi cj4NCiZndDsgJmd0OyAmZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A74oCiIGluIHRoZSBl YXJsaWVyIHZlcnNpb24gb2YgdGhlIGRyYWZ0LCB0aGUgTy1iaXQgd2FzIGludHJvZHVjZWQgYW5k IGRlZmluZWQgYXM6PGJyPg0KJmd0OyAmZ3Q7ICZndDsgT0FNIEZsYWcgQml0IChPIGJpdCk6Jm5i c3A7IFRoZSBPIGJpdCBpcyBzZXQgdG8gaW5kaWNhdGUgdGhhdCB0aGUgcGFja2V0IGlzIGFuIE9B TSBwYWNrZXQuPGJyPg0KJmd0OyAmZ3Q7ICZndDsgQXQgdGhlIHNhbWUgdGltZSwgaW4gdGhlIGxh dGVzdCB2ZXJzaW9uLCB0aGUgbmV3IE5leHQgUHJvdG9jb2wgdmFsdWUgKDB4ODEpIHRvIGlkZW50 aWZ5IGlPQU0gRGF0YSB3YXMgaW50cm9kdWNlZC4gSGVuY2UgYXJlIG15IHF1ZXN0aW9uczo8YnI+ DQomZ3Q7ICZndDsgJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO+KAoiBXaGF0IG11c3Qg YmUgdGhlIHZhbHVlIG9mIHRoZSBPLWJpdCB3aGVuIHRoZSB2YWx1ZSBvZiB0aGUgTmV4dCBQcm90 b2NvbCBmaWVsZCBpcyBpT0FNPzxicj4NCiZndDsgJmd0OyA8YnI+DQomZ3Q7ICZndDsgVGhlIE8g Yml0IOKAnGlzIHNldCB0byBpbmRpY2F0ZSB0aGF0IHRoZSBwYWNrZXQgaXMgYW4gT0FNIHBhY2tl dOKAnS48YnI+DQomZ3Q7ICZndDsgSUFPTSBpcyBub3QgYW4gT0FNIHBhY2tldC4gSGVuY2UsIE8g Yml0IGNsZWFyIGlmIFZYTEFOLUdQRSBlbmNhcHN1bGF0ZXMgYSBub24tT0FNIHBhY2tldCBhbmQg YWRkcyBhbiBJT0FNIHNoaW0uPGJyPg0KJmd0OyAmZ3Q7IEdJTSZndDsmZ3Q7IEl0IGlzIGEgdmVy eSB1bmV4cGVjdGVkIHN0YXRlbWVudCBmcm9tIHlvdSw8YnI+DQomZ3Q7IDxicj4NCiZndDsgSSB3 b3VsZCB0ZWxsIHlvdSDigJhleHBlY3QgdGhlIHVuZXhwZWN0ZWTigJksIGJ1dCB0aGF0IGlzIG5v dCB0aGUgY2FzZSBoZXJlLi4uIDotKTxicj4NCiZndDsgPGJyPg0KJmd0OyBJZiB5b3UgYWN0dWFs bHkgcmVhZCBteSBzdGF0ZW1lbnQsIHlvdSB3aWxsIHNlZSAmcXVvdDtJQU9NIGlzIG5vdCBhbiBP QU0gKnBhY2tldCou4oCdIE5ldyBlbXBoYXNpcyBhZGRlZCDigJQgaXQgaXMgX25vdF8gKmFuIE9B TSBwYWNrZXQqLjxicj4NCiZndDsgPGJyPg0KJmd0OyBJIHN0YW5kIGJ5IGl0LiBJdOKAmXMgYW4g YXVnbWVudGVkIGRhdGEgcGFja2V0IG9mIGludGVyZXN0Ljxicj4NCiZndDsgPGJyPg0KJmd0OyAm Z3Q7IG9uZSBvZiB0aGUgY28tYXV0aG9ycyBvZiBkcmFmdC1pZXRmLWlwcG0taW9hbS1kYXRhJm5i c3A7IHdoZXJlIHRoZSBmaXJzdCBwYXJhZ3JhcGggb2YgdGhlIEludHJvZHVjdGlvbiBzZWN0aW9u IGRlZmluZXMgaU9BTSBhcyBIeWJyaWQgVHlwZSAxIE9BTSwgYWNjb3JkaW5nIHRvIFJGQyA3Nzk5 IGNsYXNzaWZpY2F0aW9uOjxicj4NCiZndDsgPGJyPg0KJmd0OyBUaGlzIGlzIHN0aWxsIHF1aXRl IGNvbnNpc3RlbnQgd2l0aCB0aGF0IGRlZmluaXRpb24sIHdoaWNoIEkgcmVjb21tZW5kIHlvdSBy ZS1yZWFkOjxicj4NCiZndDsgPGJyPg0KJmd0OyBSRkMgNzc5OSBpcyBhYm91dCBtZXRyaWNzIGFu ZCBtZXRob2RzLCBub3QgcGFja2V0IGRlZmluaXRpb25zLjxicj4NCiZndDsgPGJyPg0KJmd0OyBZ b3Ugd2lsbCBzZWUgdGhhdCBBY3RpdmUgbWV0aG9kcyBpbmNsdWRlIGEg4oCcZGVkaWNhdGVkIG1l YXN1cmVtZW50IHBhY2tldCBzdHJlYW3igJ0uIOKAnEFjdGl2ZSBNZXRob2RzIGdlbmVyYXRlIHBh Y2tldCBzdHJlYW1zLuKAnTxicj4NCiZndDsgPGJyPg0KJmd0OyBIb3dldmVyLCBIeWJyaWQgVHlw ZSBJIGxldmVyYWdlcyDigJxBdWdtZW50YXRpb24gb3IgbW9kaWZpY2F0aW9uIG9mIHRoZSBzdHJl YW0gb2YgaW50ZXJlc3QmcXVvdDs8YnI+DQomZ3Q7IDxicj4NCiZndDsgRm9sbG93aW5nIHlvdXIg bG9naWMsIGlmIHlvdSBjaGFuZ2UgYSBwYWNrZXQgZmllbGQgc3VjaCBhcyBUVEwvSEwgdG8gcHJv dmlkZSBwYWNrZXQgY29sb3JpbmcsIGRvIHlvdSBuZWVkIHRvIHNldCB0aGUgTy1iaXQ/PGJyPg0K Jmd0OyA8YnI+DQomZ3Q7ICZndDsmbmJzcDsgJm5ic3A7IElPQU0gaXMgdG8gY29tcGxlbWVudDxi cj4NCiZndDsgJmd0OyZuYnNwOyAmbmJzcDsgbWVjaGFuaXNtcyBzdWNoIGFzIFBpbmcgb3IgVHJh Y2Vyb3V0ZSwgb3IgbW9yZSByZWNlbnQgYWN0aXZlIHByb2Jpbmc8YnI+DQomZ3Q7ICZndDsmbmJz cDsgJm5ic3A7IG1lY2hhbmlzbXMgYXMgZGVzY3JpYmVkIGluIFtJLUQubGFwdWtob3YtZGF0YXBs YW5lLXByb2JlXS4uJm5ic3A7IEluIHRlcm1zPGJyPg0KJmd0OyAmZ3Q7Jm5ic3A7ICZuYnNwOyBv ZiAmcXVvdDthY3RpdmUmcXVvdDsgb3IgJnF1b3Q7cGFzc2l2ZSZxdW90OyBPQU0sICZxdW90O2lu LXNpdHUmcXVvdDsgT0FNIGNhbiBiZSBjb25zaWRlcmVkIGE8YnI+DQomZ3Q7ICZndDsmbmJzcDsg Jm5ic3A7IGh5YnJpZCBPQU0gdHlwZS4mbmJzcDsgV2hpbGUgbm8gZXh0cmEgcGFja2V0cyBhcmUg c2VudCwgSU9BTSBhZGRzPGJyPg0KJmd0OyAmZ3Q7Jm5ic3A7ICZuYnNwOyBpbmZvcm1hdGlvbiB0 byB0aGUgcGFja2V0cyB0aGVyZWZvcmUgY2Fubm90IGJlIGNvbnNpZGVyZWQgcGFzc2l2ZS48YnI+ DQomZ3Q7ICZndDsmbmJzcDsgJm5ic3A7IEluIHRlcm1zIG9mIHRoZSBjbGFzc2lmaWNhdGlvbiBn aXZlbiBpbiBbUkZDNzc5OV0gSU9BTSBjb3VsZCBiZTxicj4NCiZndDsgJmd0OyZuYnNwOyAmbmJz cDsgcG9ydHJheWVkIGFzIEh5YnJpZCBUeXBlIDEuPGJyPg0KJmd0OyAmZ3Q7IDxicj4NCiZndDsg Jmd0OyAmZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A74oCiIERvIHlvdSBwbGFuIHRvIGRl ZmluZSB0aGUgTmV4dCBQcm90b2NvbCB2YWx1ZXMgZm9yIGFjdGl2ZSBPQU0gcHJvdG9jb2xzLCBl LmcuLCBFY2hvIFJlcXVlc3QvUmVwbHksIEJGRCwgUGVyZm9ybWFuY2UgTW9uaXRvcmluZz88YnI+ DQomZ3Q7ICZndDsgPGJyPg0KJmd0OyAmZ3Q7IEkgY2Fubm90IHNwZWFrIHRvIOKAnHBsYW5z4oCd IChyZXBseWluZyBhcyDigJxldCBhbC7igJ0sIG5vdCBhcyDigJxlZGl0b3LigJ0pLCBidXQgSSBl eHBlY3QgT0FNIGRvY3VtZW50cyBvdWdodCB0byBoYXZlIHRob3NlIHJlcXVlc3RlZCwgYW5kIHlv dSBkbyBub3QgbmVlZCBuZWNlc3NhcmlseSBhbGwgb2YgdGhvc2Ug4oCUIHRoZSBuZXggcHJvdG9j b2wgSVB2NCAvIElQdjYgY2FuIGVuY2Fwc3VsYXRlIElDTVAsIFVEUC9CRkQsIGV0Yy4sIGV0Yy4s IGV0Yy4sIGV0Yy48YnI+DQomZ3Q7ICZndDsgR0lNJmd0OyZndDsgT2YgY291cnNlLCB1c2Ugb2Yg dGhlIHdlbGwta25vd24gcG9ydCBudW1iZXIsIHVzdWFsbHkgaXQgaXMgVURQIGRlc3RpbmF0aW9u IHBvcnQsIGlzIG9uZSBvZiB0aGUgbWV0aG9kcyB0byBkZW11bHRpcGxleCBwcm90b2NvbHMuIFRo aXMgbWV0aG9kIGlzIGJyb2FkbHkgdXNlZCwgZm9yIGV4YW1wbGUsIGluIE1QTFMgT0FNLiBCdXQg dGhpcyBtZXRob2QgaGFzIHNvbWUgZGlzYWR2YW50YWdlcyB0aGF0IHdlcmUgcG9pbnRlZCBvdXQg aW4NCiB0aGUgZGlzY3Vzc2lvbiBvZiBCRkQgb3ZlciBHRU5FVkUgaW4gUHJhZ3VlIGJ5IERhdmlk IEJsYWNrICh0aGUgbGFzdCBwcmVzZW50YXRpb24gaW4gdGhlIG1pbnV0ZXMpOjxicj4NCiZndDsg Jmd0OyBEYXZpZDogSSB3YW50IHRoZSBCRkQgaGVhZGVyIHRvIGJlIGFzIGNsb3NlIHRvIHRoZSB0 aGluZyB3aG9zZSBsaXZlbmVzcyBJJ20gdGVzdGluZy4gVGhlIG1vcmUgaGVhZGVycyB5b3UgYWRk IGluIHRoZSBtaWRkbGUsIHRoZSBtb3JlIHdheXMgdGhlcmUgYXJlIHRvIGJyZWFrIEJGRCB3aXRo b3V0IGJyZWFraW5nIHRoZSBmb3J3YXJkaW5nIGVuZ2luZS4gVGhlIGZ1cnRoZXIgYXdheSBJIG1v dmUgQkZEIGZyb20gdGhlIGNodW5rIG9mIGhhcmR3YXJlJ3MNCiBsaXZlbmVzcyBJIGNhcmUgYWJv dXQsIHRoZSBtb3JlIG9wcG9ydHVuaXRpZXMgYXJlIGZvciBCRkQgYW5kIHRoZSBoYXJkd2FyZSB0 byBub3QgdG8gdGVsbCBtZSB0aGUgc2FtZSB0aGluZy48YnI+DQomZ3Q7ICZndDsgPGJyPg0KJmd0 OyA8YnI+DQomZ3Q7IFRoZW9yeSBhbmQgcHJhY3RpY2UgbWF0Y2ggaW4gdGhlb3J5LCBsZXNzIHNv IGluIHByYWN0aWNlIOKAlCB1bmxlc3MgeW91IGFyZSBwbGFubmluZyB0byB1cGRhdGUgUkZDIDU4 ODEuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFRoaXMgY2FuIGJlIGFyZ3VlZCBib3RoIHdheXMgKGUu Zy4sIGJldHRlciB0byBoYXZlIGNvbW1vbiBoYW5kbGVycywgZXRjLiksIGJ1dCBJIHRha2Ugbm8g cG9zaXRpb24uIEkgZG8gc2F5IHRoYXQgaW4gcHJlc2VuY2Ugb2YgZGVwbG95ZWQgT0FNIGVuY2Fw c3VsYXRpb25zLCB0aGVyZeKAmXMgbm8gYmFzaXMgZm9yIHlvdXIgeW91ciBjb21tZW50IGFib3V0 IGRlZmluaW5nIGEgcHJvdG9jb2wgdHlwZSBmb3Ig4oCcUGVyZm9ybWFuY2UgTW9uaXRvcmluZ+KA nQ0KIGFzIGEgcHJvdG9jb2wuLi48YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJyPg0KJmd0OyAmZ3Q7 IDxicj4NCiZndDsgJmd0OyAmZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A74oCiIEhvdyB0 byBpbnRlcnByZXQgdGhlIHNpdHVhdGlvbiB3aGVuIHRoZSBPLWJpdCB2YWx1ZSBpcyAxIGJ1dCB0 aGUgdmFsdWUgb2YgdGhlIE5leHQgUHJvdG9jb2wgZmllbGQgaXMsIGZvciBleGFtcGxlLCBOU0gs IGkuZS4uLCBub3QgYW55IG9mIE9BTSBwcm90b2NvbHM/PGJyPg0KJmd0OyAmZ3Q7IDxicj4NCiZn dDsgJmd0OyBJIGV4cGVjdCBpdCBtZWFucyB0aGVyZeKAmXMgT0FNIHdpdGhpbiB0aGF0IE5TSCAo c29tZXRpbWVzIHRoZXJl4oCZcyBubyBzdWNoIHRoaW5ncyBhcyDigJxPQU0gUHJvdG9jb2xz4oCd KSwgb3IgYW4gdW5oYW5kbGVkIE9BTSBwcm90b2NvbC48YnI+DQomZ3Q7ICZndDsgR0lNJmd0OyZn dDsgU2hvdWxkIHRoYXQsIGkuZS4sIE9BTSBpbiBOU0ggb3IgaW1tZWRpYXRlbHkgZm9sbG93aW5n IE5TSCBiZSBzaWduYWxlZCB1c2luZyBTRkMgTlNIIG1ldGhvZHMgdGhhdCBhcmUgYWxyZWFkeSBk ZWZpbmVkIGluIGRyYWZ0LWlldGYtc2ZjLW11bHRpLWxheWVyLW9hbT88YnI+DQomZ3Q7IDxicj4N CiZndDsgPGJyPg0KJmd0OyBOb24gc2VxdWl0dXIg4oCUIEkgZG8gbm90IGZvbGxvdyB3aGF0IHNp Z25hbGluZyBoYXMgdG8gZG8gd2l0aCB0aGUgY29udmVyc2F0aW9uLCBub3IgaG93IHRoYXQgZHJh ZnQgbWlnaHQgYmUgcmVsZXZhbnQuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7ICZndDsgVXNpbmcgdGhl IHNlcnZlciBsYXllciwgYXMgeW91J3ZlIHN1Z2dlc3RlZCwgc2VlbXMgYXMgbGF5ZXIgdmlvbGF0 aW9uLiA8YnI+DQomZ3Q7ICZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFRoaXMgaXMgYSBmdW5u eSBzdGF0ZW1lbnQg4oCUIE5WTzMgaXMgYSBsYXllciB2aW9sYXRpb24gOi0pIFNvIGFyZSBQc2V1 ZG93aXJlcy4gUGxlYXNlIGRvIG5vdCB0YWtlIHRoaXMgc3RhdGVtZW50IHRvbyBzZXJpb3VzbHks IGl0IGlzIG5vdCBpbnZpdGluZyBkaXNjdXNzaW9uLjxicj4NCiZndDsgPGJyPg0KJmd0OyAmZ3Q7 ICZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDvigKIgSSBiZWxpZXZlIHRoYXQgdGhlIHVz ZSBvZiB0aGUgZGVkaWNhdGVkIE9BTSBmbGFnIGFuZCB0aGUgTmV4dCBQcm90b2NvbCBmaWVsZCBm b3IgYSBmaXhlZC1zaXplIGhlYWRlciB0aGF0IGNhbm5vdCBpbmNsdWRlIG1ldGEtZGF0YSBpcyB1 bndhcnJhbnRlZCBhbmQgYWRkcyB1bm5lY2Vzc2FyeSBjb21wbGV4aXR5Ljxicj4NCiZndDsgJmd0 OyA8YnI+DQomZ3Q7ICZndDsgRGlzYWdyZWUuIDxicj4NCiZndDsgJmd0OyA8YnI+DQomZ3Q7ICZn dDsgU2VlIGV4YW1wbGUgd2hlcmUgcHJvdG9jb2wgaXMgSVAgY2FycnlpbmcgYW4gT0FNIHBhY2tl dC48YnI+DQomZ3Q7ICZndDsgR0lNJmd0OyZndDsgV2hlbiBJUC9VRFAgZW5jYXBzdWxhdGlvbiBp cyB1c2VkIGZvciBPQU0sIHRoZXJlJ3Mgbm8sIGluIG15IG9waW5pb24sIGFueSBuZWVkIHRvIHVz ZSB0aGUgTy1iaXQuIFRoZSBkZXN0aW5hdGlvbiBJUCBhZGRyZXNzIG11c3QgYmUgYXMgZGVzY3Jp YmVkIGluIFJGQyA4MDI5IG9yIFJGQyA1ODg0IGFuZCB0aGUgZGVtdWx0aXBsZXhpbmcgaXMgZG9u ZSBiYXNlZCBvbiB0aGUgZGVzdGluYXRpb24gVURQIHBvcnQgbnVtYmVyLiBDbGVhcmx5LA0KIE8t Yml0IGlzIHVubmVjZXNzYXJ5IGlmIElQL1VEUCBlbmNhcHN1bGF0aW9uIGZvciBPQU0gYmVpbmcg dXNlZC48YnI+DQomZ3Q7ICZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IEZvcnR1bmF0ZWx5LCBi aXQgdXNhZ2UgaXMgYSBtYXR0ZXIgb2YgZGVmaW5pdGlvbiBhbmQgbm90IG9waW5pb24gOi0pPGJy Pg0KJmd0OyA8YnI+DQomZ3Q7IEtpbmQgcmVnYXJkcyw8YnI+DQomZ3Q7IDxicj4NCiZndDsgQ2Fy bG9zLjxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7ICZndDsgJmd0OyBJIHN1Z2dlc3Qg bm90IHRvIHVzZSBPLWJpdCBpbiB0aGUgVlhMQU4tR1BFIGhlYWRlciBhbmQgcmVsZWFzZSBpdCBp bnRvIHRoZSBSZXNlcnZlZCBmaWVsZC4mbmJzcDsgSSBkb24ndCBzZWUgdGhlIGFwcGFyZW50IGJl bmVmaXQgb2YgdXNpbmcgdGhlIGZsYWcsIGFzIHRoZSBWWExBLUdQRSB1c2VzIHRoZSBmaXhlZCBz aXplIGhlYWRlciBhbmQgdGhlIGhlYWRlciBjYW5ub3QgY2FycnkgT0FNIGRhdGEgaW4gaXQuIFRo ZSBvbmx5IHJvbGUgdGhlIFZYTEFOLUdQRQ0KIGhlYWRlciBtdXN0IHBlcmZvcm0sIGluIG15IG9w aW5pb24sIGlzIHRvIHVuYW1iaWd1b3VzbHkgaWRlbnRpZnkgdGhlIHBheWxvYWQgdHlwZSB0aGF0 IGltbWVkaWF0ZWx5IGZvbGxvd3MgdGhlIGhlYWRlciBhcyBPQU0gKGRlbXVsdGlwbGV4aW5nIE9B TSBwcm90b2NvbHMgbWF5IGJlIGRvbmUgaW4gT0FNIEhlYWRlciBzaGltKS48YnI+DQomZ3Q7ICZn dDsgJmd0OyBNdWNoIGFwcHJlY2lhdGUgeW91ciBjb25zaWRlcmF0aW9uLjxicj4NCiZndDsgJmd0 OyAmZ3Q7IDxicj4NCiZndDsgJmd0OyA8YnI+DQomZ3Q7ICZndDsgQmVzdCw8YnI+DQomZ3Q7ICZn dDsgPGJyPg0KJmd0OyAmZ3Q7IOKAlDxicj4NCiZndDsgJmd0OyBDYXJsb3MgUGlnbmF0YXJvLCA8 YSBocmVmPSJtYWlsdG86Y2FybG9zQGNpc2NvLmNvbSIgdGFyZ2V0PSJfYmxhbmsiPmNhcmxvc0Bj aXNjby5jb208L2E+PGJyPg0KJmd0OyAmZ3Q7IDxicj4NCiZndDsgJmd0OyDigJxTb21ldGltZXMg SSB1c2UgYmlnIHdvcmRzIHRoYXQgSSBkbyBub3QgZnVsbHkgdW5kZXJzdGFuZCwgdG8gbWFrZSBt eXNlbGYgc291bmQgbW9yZSBwaG90b3N5bnRoZXNpcy4mcXVvdDs8YnI+DQomZ3Q7ICZndDsgPGJy Pg0KJmd0OyAmZ3Q7ICZndDsgUmVnYXJkcyw8YnI+DQomZ3Q7ICZndDsgJmd0OyBHcmVnPGJyPg0K Jmd0OyAmZ3Q7ICZndDsgX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX188YnI+DQomZ3Q7ICZndDsgJmd0OyBudm8zIG1haWxpbmcgbGlzdDxicj4NCiZndDsgJmd0 OyAmZ3Q7IDxhIGhyZWY9Im1haWx0bzpudm8zQGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+bnZv M0BpZXRmLm9yZzwvYT48YnI+DQomZ3Q7ICZndDsgJmd0OyA8YSBocmVmPSJodHRwczovL3NlY3Vy ZS13ZWIuY2lzY28uY29tLzFqLWpyNjR5aDJEOHlPOTJpYmNxYU4tSDk4WkNQM2xRZEhtc1lQc0g4 bGtqc2E0V2xKNGtnM1c0SEw4cVQyNXJDVml0dFQ1YkZRb3hfX09uU2tuVjV3X3dXNjlGdlVoWGt4 cXhLaGk5TUNpeTVvSC1KVHVjWE5fN0ZLODVxN2pELXFFd1JNNUlYWTY4X1ZmZWJfWEkyckt4eXp3 VnNHXzA2S1RHRjA5Qnc5b0hBT1hVTkZjZEN3X29vbl9lcnVVaFJQdGR3TGM5VVFOejJUaFlQOHlz ZjJwcjY0VlUwNFZqTUttR3dxWXZ6enlBc0xURWJIcnM3R1ZDcXBoVDU4VDBzdDc4Xzk2OHJNNU1L RkxrN0VpV0JqN2daUG1fckRlQmY2M2dVdHhrY2otdzhYeWJKaWlPMnRjRmFlb0FMXzhtLVpUNUw5 LTFWSzR3WmtIbVI1Q19MZGcvaHR0cHMlM0ElMkYlMkZ3d3cuaWV0Zi5vcmclMkZtYWlsbWFuJTJG bGlzdGluZm8lMkZudm8zIiB0YXJnZXQ9Il9ibGFuayI+DQpodHRwczovL3NlY3VyZS13ZWIuY2lz Y28uY29tLzFqLWpyNjR5aDJEOHlPOTJpYmNxYU4tSDk4WkNQM2xRZEhtc1lQc0g4bGtqc2E0V2xK NGtnM1c0SEw4cVQyNXJDVml0dFQ1YkZRb3hfX09uU2tuVjV3X3dXNjlGdlVoWGt4cXhLaGk5TUNp eTVvSC1KVHVjWE5fN0ZLODVxN2pELXFFd1JNNUlYWTY4X1ZmZWJfWEkyckt4eXp3VnNHXzA2S1RH RjA5Qnc5b0hBT1hVTkZjZEN3X29vbl9lcnVVaFJQdGR3TGM5VVFOejJUaFlQOHlzZjJwcjY0VlUw NFZqTUttR3dxWXZ6enlBc0xURWJIcnM3R1ZDcXBoVDU4VDBzdDc4Xzk2OHJNNU1LRkxrN0VpV0Jq N2daUG1fckRlQmY2M2dVdHhrY2otdzhYeWJKaWlPMnRjRmFlb0FMXzhtLVpUNUw5LTFWSzR3WmtI bVI1Q19MZGcvaHR0cHMlM0ElMkYlMkZ3d3cuaWV0Zi5vcmclMkZtYWlsbWFuJTJGbGlzdGluZm8l MkZudm8zPC9hPjxicj4NCiZndDsgJmd0OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsgX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+DQomZ3Q7IG52bzMgbWFp bGluZyBsaXN0PGJyPg0KJmd0OyA8YSBocmVmPSJtYWlsdG86bnZvM0BpZXRmLm9yZyIgdGFyZ2V0 PSJfYmxhbmsiPm52bzNAaWV0Zi5vcmc8L2E+PGJyPg0KJmd0OyA8YSBocmVmPSJodHRwczovL3Nl Y3VyZS13ZWIuY2lzY28uY29tLzFqLWpyNjR5aDJEOHlPOTJpYmNxYU4tSDk4WkNQM2xRZEhtc1lQ c0g4bGtqc2E0V2xKNGtnM1c0SEw4cVQyNXJDVml0dFQ1YkZRb3hfX09uU2tuVjV3X3dXNjlGdlVo WGt4cXhLaGk5TUNpeTVvSC1KVHVjWE5fN0ZLODVxN2pELXFFd1JNNUlYWTY4X1ZmZWJfWEkyckt4 eXp3VnNHXzA2S1RHRjA5Qnc5b0hBT1hVTkZjZEN3X29vbl9lcnVVaFJQdGR3TGM5VVFOejJUaFlQ OHlzZjJwcjY0VlUwNFZqTUttR3dxWXZ6enlBc0xURWJIcnM3R1ZDcXBoVDU4VDBzdDc4Xzk2OHJN NU1LRkxrN0VpV0JqN2daUG1fckRlQmY2M2dVdHhrY2otdzhYeWJKaWlPMnRjRmFlb0FMXzhtLVpU NUw5LTFWSzR3WmtIbVI1Q19MZGcvaHR0cHMlM0ElMkYlMkZ3d3cuaWV0Zi5vcmclMkZtYWlsbWFu JTJGbGlzdGluZm8lMkZudm8zIiB0YXJnZXQ9Il9ibGFuayI+DQpodHRwczovL3NlY3VyZS13ZWIu Y2lzY28uY29tLzFqLWpyNjR5aDJEOHlPOTJpYmNxYU4tSDk4WkNQM2xRZEhtc1lQc0g4bGtqc2E0 V2xKNGtnM1c0SEw4cVQyNXJDVml0dFQ1YkZRb3hfX09uU2tuVjV3X3dXNjlGdlVoWGt4cXhLaGk5 TUNpeTVvSC1KVHVjWE5fN0ZLODVxN2pELXFFd1JNNUlYWTY4X1ZmZWJfWEkyckt4eXp3VnNHXzA2 S1RHRjA5Qnc5b0hBT1hVTkZjZEN3X29vbl9lcnVVaFJQdGR3TGM5VVFOejJUaFlQOHlzZjJwcjY0 VlUwNFZqTUttR3dxWXZ6enlBc0xURWJIcnM3R1ZDcXBoVDU4VDBzdDc4Xzk2OHJNNU1LRkxrN0Vp V0JqN2daUG1fckRlQmY2M2dVdHhrY2otdzhYeWJKaWlPMnRjRmFlb0FMXzhtLVpUNUw5LTFWSzR3 WmtIbVI1Q19MZGcvaHR0cHMlM0ElMkYlMkZ3d3cuaWV0Zi5vcmclMkZtYWlsbWFuJTJGbGlzdGlu Zm8lMkZudm8zPC9hPjxvOnA+PC9vOnA+PC9wPg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8L2Rp dj4NCjwvYm9keT4NCjwvaHRtbD4NCg== --_000_5C94C61682BD49CEBB20A31F843E8806ciscocom_-- From nobody Wed Apr 17 23:40:58 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB65E1200C5 for ; Wed, 17 Apr 2019 23:40:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.002 X-Spam-Level: X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=vmware.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WgUOi8Cwzjxo for ; Wed, 17 Apr 2019 23:40:52 -0700 (PDT) Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680067.outbound.protection.outlook.com [40.107.68.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 048711200B6 for ; Wed, 17 Apr 2019 23:40:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vmware.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oSPIWx6uAO0DSRb1aEbZJQ8ysQ9Rd7LDr5w1OmmqZi0=; b=JFOxSIt4f4OKRoEZxk15T5a03L6LC7NePvp4+TngYWfIXulozxvZGr9MwGz7/Ix5BlIkuvub0TECsuF+d7ok8sPe69ZUKAcsEL4aFjn+bbgbnUx8LSVU9IM4HorDRFMIgdIFnWx5S52DWkZqdzW7OH7OUWsSfCQoogMqDYhi+nE= Received: from CY4PR0501MB3828.namprd05.prod.outlook.com (52.132.100.140) by CY4PR0501MB3890.namprd05.prod.outlook.com (52.132.100.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.9; Thu, 18 Apr 2019 06:40:48 +0000 Received: from CY4PR0501MB3828.namprd05.prod.outlook.com ([fe80::e936:db8e:d2d4:7dee]) by CY4PR0501MB3828.namprd05.prod.outlook.com ([fe80::e936:db8e:d2d4:7dee%7]) with mapi id 15.20.1813.009; Thu, 18 Apr 2019 06:40:48 +0000 From: "T. Sridhar" To: "Bocci, Matthew (Nokia - GB)" , "nvo3@ietf.org" Thread-Topic: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 Thread-Index: AQHU9bGoujle5E/hy0i+pTJZdoDYVg== Date: Thu, 18 Apr 2019 06:40:48 +0000 Message-ID: <229C8F61-9402-4712-BC48-10F3E2FA031A@vmware.com> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/10.16.1.190220 authentication-results: spf=none (sender IP is ) smtp.mailfrom=tsridhar@vmware.com; x-originating-ip: [2601:647:4802:65d0:15a9:7d86:82a9:3b0a] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 4c0ecc23-86d8-42c1-5d9a-08d6c3c8cac9 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600141)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:CY4PR0501MB3890; x-ms-traffictypediagnostic: CY4PR0501MB3890: x-ms-exchange-purlcount: 3 x-microsoft-antispam-prvs: x-forefront-prvs: 0011612A55 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(376002)(346002)(39860400002)(136003)(366004)(189003)(199004)(486006)(36756003)(256004)(7110500001)(86362001)(6116002)(6246003)(316002)(15650500001)(71200400001)(14454004)(58126008)(478600001)(83716004)(25786009)(71190400001)(53936002)(5660300002)(14444005)(606006)(2420400007)(2501003)(97736004)(236005)(6512007)(6306002)(102836004)(46003)(11346002)(7736002)(68736007)(6436002)(8936002)(54896002)(229853002)(2616005)(33656002)(296002)(81156014)(6486002)(8676002)(6506007)(76176011)(99286004)(2906002)(110136005)(81166006)(53546011)(82746002)(186003)(476003)(446003); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR0501MB3890; H:CY4PR0501MB3828.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; received-spf: None (protection.outlook.com: vmware.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: 2t00lZ4td81m8xlBALCOXKqpl5xz8beTsXbFEZTpBU1P2fvwppFS1m3v4VKw/KE1lZtAEjw7wSxBH/VoeWXBND4yrXybzGthz1GXo7yZzL6S9SE58gy31YIn9VAaD9ol7UYrG8IuOlRhEVq0ylNASTecHzcwRP5eDWlIokEv8C+NoRBkoY0zT4sYiZHDzllnaJrqVPAXOR4DDNgB3vRYtYLI2kw1H0LYlnlGOkKpPYhGM4E4KZujngTB2K7bpra1rYnvxRNW4+IN0TmfGNqPkkcLdzAf1UBseQIOW/5XxoLiJaz1CBMga2xhyPIdBjNX/wWTyQK91666y3rUBWJg9rFlAiIHR/ZMmsGF2EuF5hiluA03x7iILfFjRjxidtOpEb1qAxyVxjLThOBGVSv5xrCFb1XPfrFHkhDMP6wmkkU= Content-Type: multipart/alternative; boundary="_000_229C8F6194024712BC4810F3E2FA031Avmwarecom_" MIME-Version: 1.0 X-OriginatorOrg: vmware.com X-MS-Exchange-CrossTenant-Network-Message-Id: 4c0ecc23-86d8-42c1-5d9a-08d6c3c8cac9 X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Apr 2019 06:40:48.1014 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR0501MB3890 Archived-At: Subject: Re: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Apr 2019 06:40:57 -0000 --_000_229C8F6194024712BC4810F3E2FA031Avmwarecom_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 DQpUaGVyZSBpcyBhbHJlYWR5IGFub3RoZXIgd29ya2luZyBncm91cCBkcmFmdCBvbiBOVk8zIHNl Y3VyaXR5IChodHRwczovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1udm8zLXNlY3Vy aXR5LXJlcXVpcmVtZW50cy0wNykgd2hpY2ggd291bGQgYmUgYSBnb29kIHBsYWNlIHRvIGluY2x1 ZGUgaW5mb3JtYXRpb24gYWJvdXQgR2VuZXZlIHNwZWNpZmljIHNlY3VyaXR5IHJlcXVpcmVtZW50 cy4gVGhpcyBkcmFmdCBoYXMgbm90IGJlZW4gdXBkYXRlZCBpbiBhIHdoaWxlIGJ1dCBpbmNsdWRl cyBjb250ZW50IHdoaWNoIGlzIGJyb2FkbHkgYXBwbGljYWJsZSB0byBOVk8zIGluY2x1ZGluZyBO VkUtTlZFIGRhdGEgcGxhbmUgKGkuZS4gR2VuZXZlKSAgY29tbXVuaWNhdGlvbi4NCg0KTXkgdm90 ZSBpcyBmb3IgdGhlIGRyYWZ0LW1nbHQtbnZvMy1nZW5ldmUtc2VjdXJpdHktcmVxdWlyZW1lbnRz IGF1dGhvcnMgdG8gaW5jbHVkZSByZWxldmFudCBzZWN0aW9ucyBvZiB0aGVpciBkcmFmdCBpbiB0 aGUgZXhpc3RpbmcgbnYwMy1zZWN1cml0eS1yZXF1aXJlbWVudHMgZHJhZnQgaW5zdGVhZCBvZiB0 aGUgV0cgYWRvcHRpbmcgYW5vdGhlciBkcmFmdCByZWxhdGVkIHRvIHNlY3VyaXR5Lg0KDQpTZWN0 aW9uIDYuMiBvZiBkcmFmdC1pZXRmLW52bzMtc2VjdXJpdHktcmVxdWlyZW1lbnRzICBpcyB0aGUg c2VjdGlvbiB3aGljaCBjYW4gYmUgZW5oYW5jZWQgdG8gaW5jbHVkZSBpbmZvcm1hdGlvbiBhYm91 dCBHZW5ldmUgc2VjdXJpdHkgc2luY2UgaXQgYWxyZWFkeSBkZXRhaWxzIHNldmVyYWwgYXJlYXMg Y29tbW9uIHRvIGJvdGggdGhlIGRyYWZ0cy4gIEkgd291bGQgYWxzbyBzdWdnZXN0IG5vdCB1c2lu ZyB0aGUgY3VycmVudCBjYXRlZ29yaXphdGlvbiBvZiBkcmFmdC1tZ2x0LW52bzMtZ2VuZXZlLXNl Y3VyaXR5LXJlcXVpcmVtZW50cyAoU0VDLU9QIGFuZCBTRUMtR0VOIOKAkyBzZWUgYmVsb3cpIHdo ZW4gaW5jbHVkaW5nIHRleHQgZnJvbSBkcmFmdC1tZ2x0LW52bzMtZ2VuZXZlLXNlY3VyaXR5LXJl cXVpcmVtZW50cyAgaW50byBkcmFmdC1udm8zLXNlY3VyaXR5LXJlcXVpcmVtZW50cw0KDQoNClNF Qy1PUDogcmVxdWlyZW1lbnRzIHRvIGV2YWx1YXRlIGEgZ2l2ZW4gZGVwbG95bWVudCBvZiBHZW5l dmUgb3ZlcmxheS4gU3VjaCByZXF1aXJlbWVudHMgYXJlIGludGVuZGVkIHRvIEdlbmV2ZSBvdmVy bGF5IHByb3ZpZGVyIHRvIGV2YWx1YXRlIGEgZ2l2ZW4gZGVwbG95bWVudC4NCg0KDQpTRUMtR0VO OiByZXF1aXJlbWVudHMgYSBzZWN1cml0eSBtZWNoYW5pc20gbmVlZCB0byBmdWxmaWxsIHRvIHNl Y3VyZSBhbnkgZGVwbG95bWVudCBvZiBHZW5ldmUgb3ZlcmxheSBkZXBsb3ltZW50DQoNCg0KDQpJ biBzdW1tYXJ5LCBJIGRvbuKAmXQgc3VwcG9ydCB0aGUgYWRvcHRpb24gb2YgdGhpcyBkcmFmdCBh cyBhIG5ldyBXRyBkb2N1bWVudCDigJMgd2Ugc2hvdWxkIGFkZCByZWxldmFudCBjb250ZW50IGZy b20gaGVyZSBpbnRvIHRoZSBleGlzdGluZyBzZWN1cml0eSByZXF1aXJlbWVudHMgZHJhZnQgYW5k IGNvbnRpbnVlIHRvIHByb2dyZXNzIHRoYXQuDQoNCg0KDQpUaGFua3MsDQoNClNyaWRoYXINCg0K DQoNCkZyb206ICJCb2NjaSwgTWF0dGhldyAoTm9raWEgLSBHQikiIDxtYXR0aGV3LmJvY2NpQG5v a2lhLmNvbT4NCkRhdGU6IFdlZG5lc2RheSwgQXByaWwgMTAsIDIwMTkgYXQgNzozOCBBTQ0KVG86 ICJudm8zQGlldGYub3JnIiA8bnZvM0BpZXRmLm9yZz4NClN1YmplY3Q6IFtudm8zXSBQb2xsIGZv ciBhZG9wdGlvbiBvZiBkcmFmdC1tZ2x0LW52bzMtZ2VuZXZlLXNlY3VyaXR5LXJlcXVpcmVtZW50 cy0wNg0KDQpUaGlzIGVtYWlsIGJlZ2lucyBhIHNlY29uZCB0d28td2VlayBwb2xsIGZvciBhZG9w dGlvbiBvZiBkcmFmdC1tZ2x0LW52bzMtZ2VuZXZlLXNlY3VyaXR5LXJlcXVpcmVtZW50cy0wNiBp biB0aGUgTlZPMyB3b3JraW5nIGdyb3VwLg0KDQpQbGVhc2UgcmV2aWV3IHRoZSBkcmFmdCBhbmQg c2VuZCBhbnkgY29tbWVudHMgdG8gdGhlIE5WTzMgbGlzdC4NCg0KUGxlYXNlIGFsc28gaW5kaWNh dGUgd2hldGhlciB5b3Ugc3VwcG9ydCBhZG9wdGlvbiBvZiB0aGUgZHJhZnQgYXMgYW4gTlZPMyB3 b3JraW5nIGdyb3VwIGRvY3VtZW50Lg0KDQpOb3RlIHRoYXQgc3VwcG9ydGluZyB3b3JraW5nIGdy b3VwIGFkb3B0aW9uIGluZGljYXRlcyB0aGF0IHlvdSB0aGluayB0aGUgZHJhZnQgaXMgaGVhZGVk IGluIHRoZSByaWdodCBkaXJlY3Rpb24gYW5kIHJlcHJlc2VudHMgYSBwaWVjZSBvZiB3b3JrIHRo YXQgdGhlIHdvcmtpbmcgZ3JvdXAgc2hvdWxkIHRha2Ugb24gYW5kIHByb2dyZXNzLiBJdCBkb2Vz IG5vdCBoYXZlIHRvIGJlIHRlY2huaWNhbGx5IHBlcmZlY3QgYXQgdGhpcyBzdGFnZS4NCg0KVGhp cyBwb2xsIGNsb3NlcyBvbiBXZWRuZXNkYXkgMjR0aCBBcHJpbCAyMDE5Lg0KDQpSZWdhcmRzDQpN YXR0aGV3IGFuZCBTYW0NCg0K --_000_229C8F6194024712BC4810F3E2FA031Avmwarecom_ Content-Type: text/html; charset="utf-8" Content-ID: <46A1716084D43D468126C1A6BE251CCE@namprd05.prod.outlook.com> Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6bz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiB4 bWxuczp3PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTp3b3JkIiB4bWxuczptPSJo dHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL29mZmljZS8yMDA0LzEyL29tbWwiIHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy9UUi9SRUMtaHRtbDQwIj4NCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVp dj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPg0KPG1l dGEgbmFtZT0iR2VuZXJhdG9yIiBjb250ZW50PSJNaWNyb3NvZnQgV29yZCAxNSAoZmlsdGVyZWQg bWVkaXVtKSI+DQo8c3R5bGU+PCEtLQ0KLyogRm9udCBEZWZpbml0aW9ucyAqLw0KQGZvbnQtZmFj ZQ0KCXtmb250LWZhbWlseTpDb3VyaWVyOw0KCXBhbm9zZS0xOjAgMCAwIDAgMCAwIDAgMCAwIDA7 fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToy IDQgNSAzIDUgNCA2IDMgMiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsN CglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAq Lw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGlu Ow0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTIuMHB0Ow0KCWZvbnQtZmFt aWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmO30NCmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7 bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOiMwNTYzQzE7DQoJdGV4dC1kZWNvcmF0aW9u OnVuZGVybGluZTt9DQphOnZpc2l0ZWQsIHNwYW4uTXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNv LXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOiM5NTRGNzI7DQoJdGV4dC1kZWNvcmF0aW9uOnVu ZGVybGluZTt9DQpwLm1zb25vcm1hbDAsIGxpLm1zb25vcm1hbDAsIGRpdi5tc29ub3JtYWwwDQoJ e21zby1zdHlsZS1uYW1lOm1zb25vcm1hbDsNCgltc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzsNCglt YXJnaW4tcmlnaHQ6MGluOw0KCW1zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvOw0KCW1hcmdpbi1s ZWZ0OjBpbjsNCglmb250LXNpemU6MTEuMHB0Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5z LXNlcmlmO30NCnNwYW4uRW1haWxTdHlsZTE4DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsOw0K CWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmOw0KCWNvbG9yOndpbmRvd3RleHQ7fQ0K c3Bhbi5hcHBsZS1jb252ZXJ0ZWQtc3BhY2UNCgl7bXNvLXN0eWxlLW5hbWU6YXBwbGUtY29udmVy dGVkLXNwYWNlO30NCnNwYW4uRW1haWxTdHlsZTIwDQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFs LXJlcGx5Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmOw0KCWNvbG9yOndpbmRv d3RleHQ7fQ0KcC5wMSwgbGkucDEsIGRpdi5wMQ0KCXttc28tc3R5bGUtbmFtZTpwMTsNCgltYXJn aW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6Ny41cHQ7DQoJZm9u dC1mYW1pbHk6Q291cmllcjt9DQouTXNvQ2hwRGVmYXVsdA0KCXttc28tc3R5bGUtdHlwZTpleHBv cnQtb25seTsNCglmb250LXNpemU6MTAuMHB0O30NCkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXpl OjguNWluIDExLjBpbjsNCgltYXJnaW46MS4waW4gMS4waW4gMS4waW4gMS4waW47fQ0KZGl2Lldv cmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9uMTt9DQotLT48L3N0eWxlPg0KPC9oZWFkPg0K PGJvZHkgbGFuZz0iRU4tVVMiIGxpbms9IiMwNTYzQzEiIHZsaW5rPSIjOTU0RjcyIj4NCjxkaXYg Y2xhc3M9IldvcmRTZWN0aW9uMSI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjExLjBwdCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQiPlRoZXJlIGlzIGFscmVh ZHkgYW5vdGhlciB3b3JraW5nIGdyb3VwIGRyYWZ0IG9uIE5WTzMgc2VjdXJpdHkgKDxhIGhyZWY9 Imh0dHBzOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW52bzMtc2VjdXJpdHktcmVx dWlyZW1lbnRzLTA3Ij5odHRwczovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1udm8z LXNlY3VyaXR5LXJlcXVpcmVtZW50cy0wNzwvYT4pDQogd2hpY2ggd291bGQgYmUgYSBnb29kIHBs YWNlIHRvIGluY2x1ZGUgaW5mb3JtYXRpb24gYWJvdXQgR2VuZXZlIHNwZWNpZmljIHNlY3VyaXR5 IHJlcXVpcmVtZW50cy4gVGhpcyBkcmFmdCBoYXMgbm90IGJlZW4gdXBkYXRlZCBpbiBhIHdoaWxl IGJ1dCBpbmNsdWRlcyBjb250ZW50IHdoaWNoIGlzIGJyb2FkbHkgYXBwbGljYWJsZSB0byBOVk8z IGluY2x1ZGluZyBOVkUtTlZFIGRhdGEgcGxhbmUgKGkuZS4gR2VuZXZlKSAmbmJzcDtjb21tdW5p Y2F0aW9uLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTEuMHB0Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdCI+TXkgdm90 ZSBpcyBmb3IgdGhlIGRyYWZ0LW1nbHQtbnZvMy1nZW5ldmUtc2VjdXJpdHktcmVxdWlyZW1lbnRz IGF1dGhvcnMgdG8gaW5jbHVkZSByZWxldmFudCBzZWN0aW9ucyBvZiB0aGVpciBkcmFmdCBpbiB0 aGUgZXhpc3RpbmcgbnYwMy1zZWN1cml0eS1yZXF1aXJlbWVudHMgZHJhZnQgaW5zdGVhZCBvZiB0 aGUgV0cgYWRvcHRpbmcgYW5vdGhlciBkcmFmdA0KIHJlbGF0ZWQgdG8gc2VjdXJpdHkuIDxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTEuMHB0Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdCI+U2VjdGlvbiA2LjIgb2YgZHJh ZnQtaWV0Zi1udm8zLXNlY3VyaXR5LXJlcXVpcmVtZW50cyAmbmJzcDtpcyB0aGUgc2VjdGlvbiB3 aGljaCBjYW4gYmUgZW5oYW5jZWQgdG8gaW5jbHVkZSBpbmZvcm1hdGlvbiBhYm91dCBHZW5ldmUg c2VjdXJpdHkgc2luY2UgaXQgYWxyZWFkeSBkZXRhaWxzIHNldmVyYWwgYXJlYXMgY29tbW9uIHRv IGJvdGggdGhlIGRyYWZ0cy4gJm5ic3A7SQ0KIHdvdWxkIGFsc28gc3VnZ2VzdCBub3QgdXNpbmcg dGhlIGN1cnJlbnQgY2F0ZWdvcml6YXRpb24gb2YgZHJhZnQtbWdsdC1udm8zLWdlbmV2ZS1zZWN1 cml0eS1yZXF1aXJlbWVudHMgKFNFQy1PUCBhbmQgU0VDLUdFTiDigJMgc2VlIGJlbG93KSB3aGVu IGluY2x1ZGluZyB0ZXh0IGZyb20gZHJhZnQtbWdsdC1udm8zLWdlbmV2ZS1zZWN1cml0eS1yZXF1 aXJlbWVudHMgJm5ic3A7aW50byBkcmFmdC1udm8zLXNlY3VyaXR5LXJlcXVpcmVtZW50cw0KPG86 cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMS4wcHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJw MSIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+U0VDLU9QOiByZXF1 aXJlbWVudHMgdG8gZXZhbHVhdGUgYSBnaXZlbiBkZXBsb3ltZW50IG9mIEdlbmV2ZSBvdmVybGF5 LiBTdWNoIHJlcXVpcmVtZW50cyBhcmUgaW50ZW5kZWQgdG8gR2VuZXZlIG92ZXJsYXkgcHJvdmlk ZXIgdG8gZXZhbHVhdGUgYSBnaXZlbiBkZXBsb3ltZW50LjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjExLjBwdCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xh c3M9InAxIiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5TRUMtR0VO OiByZXF1aXJlbWVudHMgYSBzZWN1cml0eSBtZWNoYW5pc20gbmVlZCB0byBmdWxmaWxsIHRvIHNl Y3VyZSBhbnkgZGVwbG95bWVudCBvZiBHZW5ldmUgb3ZlcmxheSBkZXBsb3ltZW50PG86cD48L286 cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9InAxIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBw dDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJwMSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5JbiBzdW1t YXJ5LCBJIGRvbuKAmXQgc3VwcG9ydCB0aGUgYWRvcHRpb24gb2YgdGhpcyBkcmFmdCBhcyBhIG5l dyBXRyBkb2N1bWVudCDigJMgd2Ugc2hvdWxkIGFkZCByZWxldmFudCBjb250ZW50IGZyb20gaGVy ZSBpbnRvIHRoZSBleGlzdGluZyBzZWN1cml0eSByZXF1aXJlbWVudHMgZHJhZnQgYW5kIGNvbnRp bnVlIHRvDQogcHJvZ3Jlc3MgdGhhdC4gPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9 InAxIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxp YnJpJnF1b3Q7LHNhbnMtc2VyaWYiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNs YXNzPSJwMSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5UaGFua3MsPG86cD48L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9InAxIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTom cXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPlNyaWRoYXI8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBjbGFzcz0icDEiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+PG86cD4mbmJzcDs8L286cD48L3Nw YW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4w cHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXYgc3R5bGU9ImJvcmRlcjpub25l O2JvcmRlci10b3A6c29saWQgI0I1QzRERiAxLjBwdDtwYWRkaW5nOjMuMHB0IDBpbiAwaW4gMGlu Ij4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxiPjxzcGFuIHN0eWxlPSJjb2xvcjpibGFjayI+RnJv bTogPC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iY29sb3I6YmxhY2siPiZxdW90O0JvY2NpLCBNYXR0 aGV3IChOb2tpYSAtIEdCKSZxdW90OyAmbHQ7bWF0dGhldy5ib2NjaUBub2tpYS5jb20mZ3Q7PGJy Pg0KPGI+RGF0ZTogPC9iPldlZG5lc2RheSwgQXByaWwgMTAsIDIwMTkgYXQgNzozOCBBTTxicj4N CjxiPlRvOiA8L2I+JnF1b3Q7bnZvM0BpZXRmLm9yZyZxdW90OyAmbHQ7bnZvM0BpZXRmLm9yZyZn dDs8YnI+DQo8Yj5TdWJqZWN0OiA8L2I+W252bzNdIFBvbGwgZm9yIGFkb3B0aW9uIG9mIGRyYWZ0 LW1nbHQtbnZvMy1nZW5ldmUtc2VjdXJpdHktcmVxdWlyZW1lbnRzLTA2PG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMS4wcHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6 YmxhY2siPlRoaXMgZW1haWwgYmVnaW5zIGEgc2Vjb25kIHR3by13ZWVrIHBvbGwgZm9yJm5ic3A7 YWRvcHRpb24mbmJzcDtvZiBkcmFmdC1tZ2x0LW52bzMtZ2VuZXZlLXNlY3VyaXR5LXJlcXVpcmVt ZW50cy0wNiBpbiB0aGUgTlZPMyB3b3JraW5nIGdyb3VwLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9y OmJsYWNrIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xvcjpibGFjayI+UGxlYXNlIHJldmll dyB0aGUgZHJhZnQgYW5kIHNlbmQgYW55IGNvbW1lbnRzIHRvIHRoZSBOVk8zIGxpc3QuPC9zcGFu PjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOmJs YWNrIj5QbGVhc2UgYWxzbyBpbmRpY2F0ZSB3aGV0aGVyIHlvdSBzdXBwb3J0Jm5ic3A7YWRvcHRp b24mbmJzcDtvZiB0aGUgZHJhZnQgYXMgYW4gTlZPMyB3b3JraW5nIGdyb3VwIGRvY3VtZW50Ljwv c3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTEuMHB0O2NvbG9yOmJsYWNrIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xv cjpibGFjayI+Tm90ZSB0aGF0IHN1cHBvcnRpbmcgd29ya2luZyBncm91cCBhZG9wdGlvbiBpbmRp Y2F0ZXMgdGhhdCB5b3UgdGhpbmsgdGhlIGRyYWZ0IGlzIGhlYWRlZCBpbiB0aGUgcmlnaHQgZGly ZWN0aW9uIGFuZCByZXByZXNlbnRzIGEgcGllY2Ugb2Ygd29yayB0aGF0IHRoZSB3b3JraW5nIGdy b3VwIHNob3VsZCB0YWtlIG9uIGFuZCBwcm9ncmVzcy4NCiBJdCBkb2VzIG5vdCBoYXZlIHRvIGJl IHRlY2huaWNhbGx5IHBlcmZlY3QgYXQgdGhpcyBzdGFnZS48L3NwYW4+PG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xv cjpibGFjayI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPlRoaXMgcG9sbCBj bG9zZXMgb24gV2VkbmVzZGF5IDI0dGggQXByaWwgMjAxOS48L3NwYW4+PG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xv cjpibGFjayI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPlJlZ2FyZHM8L3Nw YW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9u dC1zaXplOjExLjBwdDtjb2xvcjpibGFjayI+TWF0dGhldyBhbmQgU2FtPC9zcGFuPjxvOnA+PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rp dj4NCjwvYm9keT4NCjwvaHRtbD4NCg== --_000_229C8F6194024712BC4810F3E2FA031Avmwarecom_-- From nobody Fri Apr 19 00:56:25 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AECFB120113 for ; Fri, 19 Apr 2019 00:56:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.201 X-Spam-Level: X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uorunUp6O5WU for ; Fri, 19 Apr 2019 00:56:22 -0700 (PDT) Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 115471200F7 for ; Fri, 19 Apr 2019 00:56:22 -0700 (PDT) Received: from lhreml708-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 428FBB78EA7948DB1473 for ; Fri, 19 Apr 2019 08:56:20 +0100 (IST) Received: from DGGEMM404-HUB.china.huawei.com (10.3.20.212) by lhreml708-cah.china.huawei.com (10.201.108.49) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 19 Apr 2019 08:56:20 +0100 Received: from DGGEMM506-MBX.china.huawei.com ([169.254.3.162]) by DGGEMM404-HUB.china.huawei.com ([10.3.20.212]) with mapi id 14.03.0415.000; Fri, 19 Apr 2019 15:56:16 +0800 From: "Liubing (Remy)" To: "nvo3@ietf.org" Thread-Topic: Comments on the draft-ietf-nvo3-vxlan-gpe-07 Thread-Index: AdT2gkL96H38bA2+SUm2OGn0fvSgvQ== Date: Fri, 19 Apr 2019 07:56:16 +0000 Message-ID: Accept-Language: zh-CN, en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.130.180.83] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-CFilter-Loop: Reflected Archived-At: Subject: [nvo3] Comments on the draft-ietf-nvo3-vxlan-gpe-07 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Apr 2019 07:56:24 -0000 Hello authors, Thank you for bring up this draft again. I've read this new version and I t= hink the design of the shim header is a big improvement. If I understand it correctly, the logic of the shim header is similar to t= he non-critical TLV in GENEVE. But I think some clarification is required. Quote from the draft: "Implementations that are not aware of a given shim h= eader MUST ignore the header and proceed to parse the next protocol." The d= efinition of "implementations" is not clear at all. The implementation can = be a transit node or the NVE and the related operations should be different= iated. In my opinion, the NVE should not or even must not ignore any shim h= eader, while the transit node can do this. Another point may need to be clarified: does "...are not aware of a given s= him header..." mean that the device have to at least know that there is a s= him header and how long it is so that it can skip the header to parse the n= ext protocol? If the device can't recognize any shim header, i.e. it does n= ot know the meaning of "0x80 to 0xFF", the packet must be dropped in this c= ase? Best regards, Remy From nobody Tue Apr 23 10:48:05 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81A3D12011D for ; Tue, 23 Apr 2019 10:48:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.647 X-Spam-Level: X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UzuB6YmZuXdo for ; Tue, 23 Apr 2019 10:48:01 -0700 (PDT) Received: from mail-qk1-f176.google.com (mail-qk1-f176.google.com [209.85.222.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5052612009C for ; Tue, 23 Apr 2019 10:48:01 -0700 (PDT) Received: by mail-qk1-f176.google.com with SMTP id c190so5355009qke.9 for ; Tue, 23 Apr 2019 10:48:01 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=e8q6BoSu4Yvi3nO1O5pff9Apm3ZUjcELs6DvGzE0Nhc=; b=SwgwTeNiOgQEdGQuvakYbbcBbj76pMdGP7F5K6oxErG1tK/68imXZSZN+BMtESwWGF NPK9NlVhUd7N7LCryS+vB6MxwWtzrCoZr/MJXKE4imWHYRJRgl/Pzlr3qIKf20Qcmv5l OuK4LMtI7CmiDDquGHmn8oELbdISRxls5V1BRGaktu7uFoA43z9EeZCD2me+gHFkKF9m lx/OQaB+ldjOY307adESN8ERcLQDAmXWYLXIB3s085u7rCmqBQx/iDdf+KjwD5qE8HuG M6PI4wRJSVQWyrxVYztu0JfquZp/a+sbDhZz5If5pRQ25R8hUvNd2xuX5fZcBuiJamI2 1qUQ== X-Gm-Message-State: APjAAAXti1jJy8EnXWgJXDGEvTAKuaG+yAoiYOX+JD4+tRYnBVfOwtRE jwc90p6R+zVlwHIvr37lussiuVieMJzLQILRFQU= X-Google-Smtp-Source: APXvYqxQOWh0OT6cyuQ61NZFSRcZRrQKzU3q6s0wSzQstXy94g7ePrHy3wQkq/PCOYr2qeUT1aE3O23POpLyAzCtnA8= X-Received: by 2002:a37:73c3:: with SMTP id o186mr20545297qkc.71.1556041680212; Tue, 23 Apr 2019 10:48:00 -0700 (PDT) MIME-Version: 1.0 References: <229C8F61-9402-4712-BC48-10F3E2FA031A@vmware.com> In-Reply-To: <229C8F61-9402-4712-BC48-10F3E2FA031A@vmware.com> From: Daniel Migault Date: Tue, 23 Apr 2019 13:47:49 -0400 Message-ID: To: "T. Sridhar" Cc: "Bocci, Matthew (Nokia - GB)" , "nvo3@ietf.org" Content-Type: multipart/alternative; boundary="0000000000009ad74e0587362f9d" Archived-At: Subject: Re: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Apr 2019 17:48:04 -0000 --0000000000009ad74e0587362f9d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi T. Sridhar, Thanks for the feedbacks. My reading of your feedback, is that you are supporting a security analysis for Geneve, however, you would have prefered it to be part of a document expired since 2016 dealing another topic written by a different team of co-authors. You are correct that is not what happened and since then, you comment might be interpreted like a support for adopting the document. As far as I understand, you do not have technical concerns. That reality could have been otherwise might not be sufficient to oppose adoption of a document. If there ever have been any technical concerns, we would be pleased to heard them clearly. I believe raising them would be more appropriated for a call for adoption -- as well as helpful for the co-authors of the document. Note also that we checked the Geneve security document was aligned with the more generic recommendations of NVO3. It has been decided by the WG and the chairs to include the relevant NVO3 recommendations that apply to Geneve in the current document rather than building on top of the NVO3 requirements. Note also that the notation SEC-OP/SEC-GEN have been proposed as a way to address the WG concerns: * How to evaluate a Geneve deployment is secure * What are the requirements for a Geneve Security mechanisms to secure Geneve deployments. Are you suggesting after adoption, these two questions should be provided in two different documents ? Yours, Daniel On Thu, Apr 18, 2019 at 2:41 AM T. Sridhar wrote: > > > There is already another working group draft on NVO3 security ( > https://tools.ietf.org/html/draft-ietf-nvo3-security-requirements-07) > which would be a good place to include information about Geneve specific > security requirements. This draft has not been updated in a while but > includes content which is broadly applicable to NVO3 including NVE-NVE da= ta > plane (i.e. Geneve) communication. > > > > My vote is for the draft-mglt-nvo3-geneve-security-requirements authors t= o > include relevant sections of their draft in the existing > nv03-security-requirements draft instead of the WG adopting another draft > related to security. > > > > Section 6.2 of draft-ietf-nvo3-security-requirements is the section whic= h > can be enhanced to include information about Geneve security since it > already details several areas common to both the drafts. I would also > suggest not using the current categorization of > draft-mglt-nvo3-geneve-security-requirements (SEC-OP and SEC-GEN =E2=80= =93 see > below) when including text from > draft-mglt-nvo3-geneve-security-requirements into > draft-nvo3-security-requirements > > > > SEC-OP: requirements to evaluate a given deployment of Geneve overlay. > Such requirements are intended to Geneve overlay provider to evaluate a > given deployment. > > > > SEC-GEN: requirements a security mechanism need to fulfill to secure any > deployment of Geneve overlay deployment > > > > In summary, I don=E2=80=99t support the adoption of this draft as a new W= G > document =E2=80=93 we should add relevant content from here into the exis= ting > security requirements draft and continue to progress that. > > > > Thanks, > > Sridhar > > > > > > *From: *"Bocci, Matthew (Nokia - GB)" > *Date: *Wednesday, April 10, 2019 at 7:38 AM > *To: *"nvo3@ietf.org" > *Subject: *[nvo3] Poll for adoption of > draft-mglt-nvo3-geneve-security-requirements-06 > > > > This email begins a second two-week poll for adoption of > draft-mglt-nvo3-geneve-security-requirements-06 in the NVO3 working group= . > > > > Please review the draft and send any comments to the NVO3 list. > > > > Please also indicate whether you support adoption of the draft as an NVO3 > working group document. > > > > Note that supporting working group adoption indicates that you think the > draft is headed in the right direction and represents a piece of work tha= t > the working group should take on and progress. It does not have to be > technically perfect at this stage. > > > > This poll closes on Wednesday 24th April 2019. > > > > Regards > > Matthew and Sam > > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > --0000000000009ad74e0587362f9d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
    Hi T. Sridhar,

    <= div>Thanks for the feedbacks.=C2=A0 =C2=A0

    My read= ing of your feedback, is that you are supporting a security
    analy= sis for Geneve, however, you would have prefered it to be part of a documen= t
    expired since 2016 dealing another topic written by a different= team of
    co-authors. You are correct that is not what happened an= d since then,
    you comment might be interpreted like a support for= adopting the document.

    As far as I understand, yo= u do not have technical concerns. That reality
    could have been ot= herwise might not be sufficient to oppose adoption of
    a document.= If there ever have been any technical concerns, we would=C2=A0
    b= e pleased to heard them clearly.=C2=A0 I believe raising them would be more=
    =C2=A0appropriated for a call for adoption -- as well as helpful= for the co-authors=C2=A0
    of the document.=C2=A0

    Note also that we checked the Geneve security document was aligned= with
    the more generic recommendations of NVO3. It has been decid= ed by the WG
    and the chairs to include the relevant NVO3 recommen= dations that apply
    to Geneve in the current document rather than = building on top of the
    NVO3 requirements.

    Note also that the notation SEC-OP/SEC-GEN have been proposed as a way to=
    address the WG concerns:
    * How to evaluate a Geneve de= ployment is secure
    * What are the requirements for a Geneve Secur= ity mechanisms to secure
    Geneve deployments.
    Are you su= ggesting after adoption, these two questions should be provided in two
    different documents ?

    Yours,
    Danie= l



    On Thu, Apr 18, 2019 at 2:41 AM = T. Sridhar <tsridhar=3D40= vmware.com@dmarc.ietf.org> wrote:

    =C2=A0<= /span>

    There is already anot= her working group draft on NVO3 security (https://t= ools.ietf.org/html/draft-ietf-nvo3-security-requirements-07) which would be a good place to include information about Geneve specific s= ecurity requirements. This draft has not been updated in a while but includ= es content which is broadly applicable to NVO3 including NVE-NVE data plane= (i.e. Geneve) =C2=A0communication.

    =C2=A0<= /span>

    My vote is for the dr= aft-mglt-nvo3-geneve-security-requirements authors to include relevant sect= ions of their draft in the existing nv03-security-requirements draft instea= d of the WG adopting another draft related to security.

    =C2=A0<= /span>

    Section 6.2 of draft-= ietf-nvo3-security-requirements =C2=A0is the section which can be enhanced = to include information about Geneve security since it already details sever= al areas common to both the drafts.=C2=A0 I would also suggest not using the current categorization of draft-mglt-nvo3= -geneve-security-requirements (SEC-OP and SEC-GEN =E2=80=93 see below) when= including text from draft-mglt-nvo3-geneve-security-requirements =C2=A0int= o draft-nvo3-security-requirements

    =C2=A0<= /span>

    SEC-OP: requiremen= ts to evaluate a given deployment of Geneve overlay. Such requirements are = intended to Geneve overlay provider to evaluate a given deployment.<= u>

    =C2=A0

    SEC-GEN: requireme= nts a security mechanism need to fulfill to secure any deployment of Geneve= overlay deployment

    =C2=A0

    In summary, I don=E2=80=99t support the adopti= on of this draft as a new WG document =E2=80=93 we should add relevant cont= ent from here into the existing security requirements draft and continue to progress that.

    =C2=A0

    Thanks,

    Sridhar

    =C2=A0

    =C2=A0<= /span>

    From: "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.c= om>
    Date: Wednesday, April 10, 2019 at 7:38 AM
    To: "nvo3@ie= tf.org" <nvo= 3@ietf.org>
    Subject: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security= -requirements-06

    =C2=A0<= /span>

    This emai= l begins a second two-week poll for=C2=A0adoption=C2=A0of draft-mglt-nvo3-g= eneve-security-requirements-06 in the NVO3 working group.<= /u>

    =C2=A0

    Please re= view the draft and send any comments to the NVO3 list.=

    =C2=A0

    Please al= so indicate whether you support=C2=A0adoption=C2=A0of the draft as an NVO3 = working group document.

    =C2=A0

    Note that= supporting working group adoption indicates that you think the draft is he= aded in the right direction and represents a piece of work that the working= group should take on and progress. It does not have to be technically perfect at this stage.=

    =C2=A0

    This poll= closes on Wednesday 24th April 2019.

    =C2=A0

    Regards

    Matthew a= nd Sam

    =C2=A0

    _______________________________________________
    nvo3 mailing list
    nvo3@ietf.org
    https://www.ietf.org/mailman/listinfo/nvo3
    --0000000000009ad74e0587362f9d-- From nobody Wed Apr 24 16:57:01 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D93B120477 for ; Wed, 24 Apr 2019 16:56:59 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.199 X-Spam-Level: X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dNhOpQ3tL_us for ; Wed, 24 Apr 2019 16:56:54 -0700 (PDT) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37A291200BA for ; Wed, 24 Apr 2019 16:56:54 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Apr 2019 16:56:53 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,391,1549958400"; d="scan'208,217";a="340547123" Received: from orsmsx110.amr.corp.intel.com ([10.22.240.8]) by fmsmga006.fm.intel.com with ESMTP; 24 Apr 2019 16:56:52 -0700 Received: from orsmsx152.amr.corp.intel.com (10.22.226.39) by ORSMSX110.amr.corp.intel.com (10.22.240.8) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 24 Apr 2019 16:56:52 -0700 Received: from orsmsx116.amr.corp.intel.com ([169.254.7.36]) by ORSMSX152.amr.corp.intel.com ([169.254.8.32]) with mapi id 14.03.0415.000; Wed, 24 Apr 2019 16:56:52 -0700 From: "Ganga, Ilango S" To: NVO3 Thread-Topic: Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 Thread-Index: AQHU76sMQTUR8A05LUCCECwFS11kqqZJSrYg Date: Wed, 24 Apr 2019 23:56:52 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYTk4NGViMTItYzA0Yy00NjQ3LThlZTAtOWUzOTVhNmQ4NzBhIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiWmlqKzhRQnhxZVdVWGV4Sk1XV2dJTXNlN1lxTzE1OFJEalFEUDNycWhFVElcL0xwK2FNWHdFYkh4MUpxUHlSK04ifQ== x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.600.7 dlp-reaction: no-action x-originating-ip: [10.22.254.139] Content-Type: multipart/alternative; boundary="_000_C5A274B25007804B800CB5B289727E359052C181ORSMSX116amrcor_" MIME-Version: 1.0 Archived-At: Subject: Re: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2019 23:56:59 -0000 --_000_C5A274B25007804B800CB5B289727E359052C181ORSMSX116amrcor_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SGVsbG8gV0cgQ2hhaXIsIEF1dGhvcnMgYW5kIFdHLA0KDQpJIHJldmlld2VkIHRoZSBuZXcgdmVy c2lvbiBvZiB0aGUgZHJhZnQuIFRoZSBkb2N1bWVudCBzdGlsbCBoYXMgbm90IGFkZHJlc3NlZCBt YW55IG9mIHRoZSBjb21tZW50cyByYWlzZWQgb24gdGhlIHByZXZpb3VzIHZlcnNpb25zIG9mIHRo ZSBkcmFmdC4gVGhpcyB2ZXJzaW9uIHN0aWxsIG1ha2VzIGNlcnRhaW4gYXNzdW1wdGlvbnMgb24g dGhlIGZ1bmN0aW9uYWxpdHkgb2YgdHJhbnNpdCBkZXZpY2VzIHRoYXQgaXMgbm90IGNvbnNpc3Rl bnQgd2l0aCBHZW5ldmUgYXJjaGl0ZWN0dXJlLg0KDQpJdCBpcyBub3QgYWJvdXQgdGVjaG5pY2Fs IHBlcmZlY3Rpb24sIHRoZSBhcmNoaXRlY3R1cmFsIGlzc3VlIGFuZCB0aGUgYXNzdW1wdGlvbiBv ZiB0aGUgdGhyZWF0IG1vZGVsIGR1ZSB0byB0aGlzIGVmZmVjdCBuZWVkcyB0byBiZSBhZGRyZXNz ZWQgYmVmb3JlIHRoZSBhZG9wdGlvbiBvZiB0aGlzIGRyYWZ0IGFzIFdHIGRvY3VtZW50Lg0KDQpU aGUgZG9jdW1lbnQgY2FsbHMgZm9yIHVuZHVlIHJlcXVpcmVtZW50cyBhbmQgcHJlc2NyaXB0aXZl IG9mIE5WRSBpbXBsZW1lbnRhdGlvbnMgYW5kIHNvbHV0aW9ucyB0aGF0IGFyZSBlaXRoZXIgbm90 IG5lY2Vzc2FyeSBub3IgcHJhY3RpY2FsIGZvciBkZXBsb3ltZW50cyAoZGV0YWlscyBiZWxvdyku IFNvbWUgb2YgdGhlIHJlcXVpcmVtZW50cyBhcmUgb3B0aW1pemF0aW9ucyB0aGF0IGFyZSBub3Qg YWJzb2x1dGUgcmVxdWlyZW1lbnRzIGZvciBzZWN1cmluZyBvdmVybGF5cy4NCg0KV2UgbmVlZCB0 byBmaXJzdCBiYXNlbGluZSBvbiBhIHRocmVhdCBtb2RlbCBhcyBhcHBsaWNhYmxlIHRvIEdlbmV2 ZSBhbmQgaW4gZ2VuZXJhbCBvdmVybGF5cyBpbiBOVk8zLiAgSG93IGFyZSBzdWNoIHRocmVhdHMg YmVpbmcgYWRkcmVzc2VkIGJ5IG90aGVyIGVuY2Fwc3VsYXRpb25zIHByb3RvY29scyBsaWtlIElQ LWluLUlQLCBHUkUsIFVEUCBlbmNhcHN1bGF0aW9uIHByb3RvY29scyBsaWtlIEdSRS1pbi1VRFAs IE1QTFMtaW4tVURQLCBldGMuLCAgICBBcHBseSB0aG9zZSBsZWFybmluZ3MgYW5kIGZvY3VzIG9u IGFkZHJlc3NpbmcgIHNwZWNpZmljIHRocmVhdHMgYXBwbGljYWJsZSB0byBHZW5ldmUgZGVwbG95 bWVudCBtb2RlbHMgaW5zdGVhZCBvdmVyLXNwZWNpZnlpbmcgb3IgZ3JhdHVpdG91cyByZXF1aXJl bWVudHMgYW5kIHByZXNjcmliaW5nIHNvbHV0aW9ucy4gTWFueSBvZiB0aGVzZSBpc3N1ZXMgbmVl ZCB0byBiZSBhZGRyZXNzZWQgYnkgdGhlIGRvY3VtZW50Lg0KDQpIZW5jZSwgSSBkbyBub3Qgc3Vw cG9ydCB0aGUgYWRvcHRpb24gb2YgdGhlIGRyYWZ0IGluIGl0cyBjdXJyZW50IGZvcm0uDQoNClBs ZWFzZSBzZWUgYmVsb3cgZm9yIGxpc3Qgb2YgY29tbWVudHMgb24gdGhlIGN1cnJlbnQgZHJhZnQ6 DQoNCkdlbmVyYWwgY29tbWVudHMgcmVsYXRlZCB0byB0aGUgZHJhZnQ6DQpTRUMtT1AgdnMgU0VD LUdFTiByZXF1aXJlbWVudHMuIFRoZXJlIHdhcyBsZW5ndGh5IGRpc2N1c3Npb24gaW4gTlZPMyBX RyBtZWV0aW5nIG9uIHNob3VsZCB3ZSBoYXZlIFNFQy1PUCBhbmQgU0VDLUdFTiByZXF1aXJlbWVu dHMsIHNob3VsZCB3ZSBpbmNsdWRlIFNFQy1PUCwgaG93IHRvIGdldCBmZWVkYmFjayBmcm9tIG9w ZXJhdG9ycywgc2hvdWxkIHRoaXMgYmUgaW4gYSBzaW5nbGUgZG9jdW1lbnQgb3IgbXVsdGlwbGUg c2VwYXJhdGUgZG9jdW1lbnRzIGV0Yy4sIFRoZXJlIHdhcyBubyBjb25zZW5zdXMgb24gdGhpcyBp c3N1ZS4gSGVuY2Ugd2Ugc3RpbGwgbmVlZCB0byByZXZpc2l0IHRoaXMgaXNzdWUuICBUaGVyZSB3 YXMgc3VwcG9zZWQgdG8gYmUgbWFpbGluZyBsaXN0IGRpc2N1c3Npb24gb24gdGhpcyB0b3BpYy4g IEhvd2V2ZXIsIEkgZGlkIG5vdCBzZWUgc3VjaCBkaXNjdXNzaW9uLg0KaHR0cHM6Ly9kYXRhdHJh Y2tlci5pZXRmLm9yZy9tZWV0aW5nLzEwMy9tYXRlcmlhbHMvbWludXRlcy0xMDMtbnZvMy0wMA0K DQpJLUQuaWV0Zi1udm8zLXNlY3VyaXR5LXJlcXVpcmVtZW50cyBkb2N1bWVudC4gVGhlcmUgaXMg YSByZWZlcmVuY2UgdG8gdGhpcyBkb2N1bWVudCBmcm9tIHRoZSBnZW5ldmUgc2VjdXJpdHkgcmVx dWlyZW1lbnRzIGRyYWZ0LiBUaGVyZSBpcyBnb29kIGFtb3VudCBvZiBpbmZvcm1hdGlvbiwgaW5j bHVkaW5nIHRoZSB0aHJlYXQgbW9kZWwsIHRoYXQgaXMgZGVmaW5lZCBpbiB0aGUgTlZPMy1zZWN1 aXJ0eS1yZXF1aXJlbWVudHMgZG9jdW1lbnQsIGFuZCBkYXRhIHBsYW5lIGFuZCBjb250cm9sIHBs YW5lIHJlcXVpcmVtZW50cyBhcmUgYWxzbyBkZWZpbmVkLiAgV2UgbmVlZCB0byBkZWljaWRlIGFz IHRvIHdoYXQgZG8gd2UgZG8gd2l0aCByZXNwZWN0IHRvIHRoZSBOVk8zIHNlY3VyaXR5IHJlcXVp cmVtZW50cyBkb2N1bWVudCwgYW5kIGhvdyBkbyB3ZSBwdWxsIGluIHRoZSBpbmZvcm1hdGlvbiBp bnRvIHRoaXMgZHJhZnQgb3Igb3RoZXIgb3B0aW9uIGlzIHRvIHJldml2ZSB0aGUgYWxyZWFkeSBh ZG9wdGVkIE5WTzMgV0cgZG9jdW1lbnQuDQoNCkluIGdlbmVyYWwgd2UgbmVlZCBzb21lIHNlcmlv dXMgZGlzY3Vzc2lvbiBvbiB0aGUgbWFpbGluZyBsaXN0IG9uIHRoZSBkaXJlY3Rpb24gZGVmaW5p bmcgdGhlIHRocmVhdCBtb2RlbCBhbmQgZGlyZWN0aW9uIHdlIHNob3VsZCB0YWtlIGluIGRlZmlu aW5nIHRoZSByZXF1aXJlbWVudHMuDQoNClNwZWNpZmljIGNvbW1lbnRzIHJlbGF0ZWQgdG8gUmVx dWlyZW1lbnRzOg0KDQpTRUMtT1AtMTogQSBzZWN1cmUgZGVwbG95bWVudCBvZiBhIEdlbmV2ZSBv dmVybGF5IFNIT1VMRCBieQ0KZGVmYXVsdCBlbmNyeXB0IHRoZSBpbm5lciBwYXlsb2FkLiBBIEdl bmV2ZSBvdmVybGF5IHByb3ZpZGVyIE1BWQ0KZGlzYWJsZSB0aGlzIGNhcGFiaWxpdHkgZm9yIGV4 YW1wbGUgd2hlbiBlbmNyeXB0aW9uIGlzIHBlcmZvcm1lZA0KYnkgdGhlIFRlbmFudCBTeXN0ZW0g YW5kIHRoYXQgbGV2ZWwgb2YgY29uZmlkZW50aWFsaXR5IGlzIGJlbGlldmVkDQp0byBiZSBzdWZm aWNpZW50LiBJbiBvcmRlciB0byBwcm92aWRlIGFkZGl0aW9uYWwgcHJvdGVjdGlvbiB0bw0KdHJh ZmZpYyBhbHJlYWR5IGVuY3J5cHRlZCBieSB0aGUgVGVuYW50IHRoZSBHZW5ldmUgbmV0d29yaw0K b3BlcmF0b3IgTUFZIHBhcnRpYWxseSBlbmNyeXB0IHRoZSBjbGVhciBwYXJ0IG9mIHRoZSBpbm5l cg0KcGF5bG9hZC4NCg0KU0VDLUdFTi0yOiBHZW5ldmUgc2VjdXJpdHkgbWVjaGFuaXNtIFNIT1VM RCBwcm92aWRlIHRoZSBjYXBhYmlsaXR5DQp0byBwYXJ0aWFsbHkgZW5jcnlwdCB0aGUgaW5uZXIg cGF5bG9hZCBoZWFkZXIuDQoNClNFQy1PUC00OiBBIHNlY3VyZSBkZXBsb3ltZW50IG9mIGEgR2Vu ZXZlIG92ZXJsYXkgTVVTVCBwcm92aWRlIHRoZQ0KY2FwYWJpbGl0eSBhdXRoZW50aWNhdGUgdGhl IGlubmVyIHBheWxvYWQgd2hlbiBlbmNyeXB0aW9uIGlzIG5vdA0KcHJvdmlkZWQuIEEgR2VuZXZl IG92ZXJsYXkgcHJvdmlkZXIgTUFZIGRpc2FibGUgdGhpcyBjYXBhYmlsaXR5DQpmb3IgZXhhbXBs ZSB3aGVuIHRoaXMgaXMgcGVyZm9ybWVkIGJ5IHRoZSBUZW5hbnQgU3lzdGVtIGFuZCB0aGF0DQps ZXZlbCBvZiBpbnRlZ3JpdHkgaXMgYmVsaWV2ZWQgdG8gYmUgc3VmZmljaWVudC4gSW4gb3JkZXIg dG8NCnByb3ZpZGUgYWRkaXRpb25hbCBwcm90ZWN0aW9uIHRvIHRyYWZmaWMgYWxyZWFkeSBwcm90 ZWN0ZWQgYnkgdGhlDQpUZW5hbnQgdGhlIEdlbmV2ZSBuZXR3b3JrIG9wZXJhdG9yIE1BWSBwYXJ0 aWFsbHkgcHJvdGVjdCB0aGUNCnVucHJvdGVjdGVkIHBhcnQgb2YgdGhlIGlubmVyIHBheWxvYWQu DQoNCg0KUGFydGlhbCBlbmNyeXB0aW9uIChTRUMtT1AtMSBhbmQgU0VDLUdFTjIpIGlzIGFuIG9w dGltaXphdGlvbiAoYXMgaGFkIGJlZW4gaW5kaWNhdGVkIGluIGEgY29tbWVudCBvbiB0aGUgcHJl dmlvdXMgdmVyc2lvbiBvZiB0aGlzIGRyYWZ0KSBhbmQgc2hvdWxkIG5vdCBiZSBhIHJlcXVpcmVt ZW50LiAgVGhlIHRyYWZmaWMgYmV0d2VlbiBOVkUgcGFpcnMgc2hvdWxkIGJlIHNlY3VyZWQgYW5k IG9wZXJhdG9yIG1heSBoYXZlIGEgcG9saWN5IHRvIGVuY3J5cHQgdGhlIHRyYWZmaWMgaXJyZXNw ZWN0aXZlIG9mIHRoZSBhbnkgc2VjdXJpdHkgbWVjaGFuaXNtcyBlbXBsb3llZCBieSB0aGUgVGVu YW50IFN5c3RlbXMgQWxzbyBhbiBOVkUgbWF5IGhhbmRsZSB0cmFmZmljIGZyb20gbXVsdGlwbGUg VFNlcyBhbmQgaGVuY2UgdGhlIHNlcnZpY2UgcHJvdmlkZXIgbWF5IGVuYWJsZSBlbmNyeXB0aW9u IGJldHdlZW4gTlZFIHBhaXJzLiBTbyBwYXJ0aWFsIGVuY3J5cHRpb24gb3Igc2VsZWN0aXZlIGVu Y3J5cHRpb24gc2hvdWxkIG5vdCBiZSBhIHJlcXVpcmVtZW50Lg0KDQpTRUMtT1AtMzogQSBzZWN1 cmUgZGVwbG95bWVudCBvZiBhIEdlbmV2ZSBvdmVybGF5IE1VU1QgZXZhbHVhdGUNCnRoZSByaXNr IGFzc29jaWF0ZWQgdG8gdHJhZmZpYyBwYXR0ZXJuIHJlY29nbml0aW9uLiBXaGVuIGEgcmlzaw0K aGFzIGJlZW4gaWRlbnRpZmllZCwgdHJhZmZpYyBwYXR0ZXJuIHJlY29nbml0aW9uIE1VU1QgYmUg YWRkcmVzc2VkDQp3aXRoIHBhZGRpbmcgcG9saWNpZXMgYXMgd2VsbCBhcyBnZW5lcmF0aW9uIG9m IGR1bW15IHBhY2tldHMuDQoNClNFQy1HRU4tNjogR2VuZXZlIHNlY3VyaXR5IG1lY2hhbmlzbSBN VVNUIHByb3ZpZGUgdGhlIGFiaWxpdHkgdG8NCnBhZCBhIEdlbmV2ZSBwYWNrZXQuDQoNClNFQy1H RU4tNzogR2VuZXZlIHNlY3VyaXR5IG1lY2hhbmlzbSBNVVNUIHByb3ZpZGUgdGhlIGFiaWxpdHkg dG8NCnNlbmQgZHVtbXkgcGFja2V0cy4NCg0KU0VDLU9QLTMgYW5kIFNFQy1HRU4tNjogVGhlIHJl cXVpcmVtZW50cyBkb2N1bWVudCBzaG91bGQgc3RheSB3aXRoIHN0YXRpbmcgcmVxdWlyZW1lbnRz IGFuZCBub3QgcHJlc2NyaWJlIGEgc29sdXRpb24ocykuIFRoaXMgY29tbWVudCB3YXMgYWxyZWFk eSBzdWJtaXR0ZWQgaW4gdGhlIHByZXZpb3VzIHZlcnNpb24gb2YgdGhlIGRvY3VtZW50LiAg4oCc dHJhZmZpYyBwYXR0ZXJuIHJlY29nbml0aW9uIE1VU1QgYmUgYWRkcmVzc2VkIHdpdGggcGFkZGlu ZyBwb2xpY2llcyBhcyB3ZWxsIGFzIGdlbmVyYXRpb24gb2YgZHVtbXkgcGFja2V0c+KAnSAgVGhp cyBpcyBhbiB1bmR1ZSByZXF1aXJlbWVudCBvbiBOVkUgaW1wbGVtZW50YXRpb25zIHdoaWNoIGlz IG5vdCBuZWNlc3NhcnkgYW5kIHNob3VsZCBub3QgYmUgaW4gdGhlIHJlcXVpcmVtZW50cy4gIE5l ZWQgdG8gY2xlYXJseSBleHBsYWluIHdoYXQgYWRkaXRpb25hbCBzZWN1cml0eSByaXNrIGlzIGNh dXNlZCBiZWNhdXNlIEdlbmV2ZSBlbmNhcHN1bGF0aW9uIHZzIHN0YW5kYXJkIElQIHRyYW5zcG9y dCBhbmQgd2h5IHN1Y2ggYSByZXF1aXJlbWVudCBpcyBtYW5kYXRvcnkuIEFueSBzdWNoIHJpc2sg Y2FuIGJlIG1pdGlnYXRlZCBieSBleGlzdGluZyBzZWN1cml0eSBtZWNoYW5pc21zIGZvciBjb21t dW5pY2F0aW9uIGJldHdlZW4gTlZFcy4NCg0KU0VDLUdFTi0xOiBHZW5ldmUgc2VjdXJpdHkgbWVj aGFuaXNtIE1VU1QgcHJvdmlkZSB0aGUgY2FwYWJpbGl0eQ0KdG8gZW5jcnlwdCB0aGUgaW5uZXIg cGF5bG9hZC4NCg0KRGVmaW5lIHRoZSB0aHJlYXQgbW9kZWwgd2hlcmUgb25seSB0aGUgaW5uZXIg cGF5bG9hZCBzaG91bGQgYmUgc2VsZWN0aXZlbHkgZW5jcnlwdGVkLiBUaGUgcmVxdWlyZW1lbnRz IHNob3VsZCBiZSB0byBhZGRyZXNzIGEgc3BlY2lmaWMgdGhyZWF0IG1vZGVsLiBOb3QgYWxsIGRl cGxveW1lbnRzIG5lZWQgZW5jcnlwdGlvbi4NCg0KU0VDLUdFTi0zOiBHZW5ldmUgc2VjdXJpdHkg bWVjaGFuaXNtIE1VU1QgcHJvdmlkZSBtZWFucyB0byBlbmNyeXB0DQphIHNpbmdsZSBvciBhIHNl dCBvZiB6ZXJvLCBvbmUgb3IgbXVsdGlwbGUgR2VuZXZlIE9wdGlvbnMgd2hpbGUNCmxlYXZlIG90 aGVyIEdlbmV2ZSBPcHRpb25zIGluIGNsZWFyLiBSZXZlcnNlbHksIGEgR2VuZXZlIHNlY3VyaXR5 DQptZWNoYW5pc20gTVVTVCBiZSBhYmxlIHRvIGxlYXZlIGEgR2VuZXZlIG9wdGlvbiBpbiBjbGVh ciwgd2hpbGUNCmVuY3J5cHRpbmcgdGhlIG90aGVycy4NCg0KU0VDLUdFTi00OiBHZW5ldmUgc2Vj dXJpdHkgbWVjaGFuaXNtIE1VU1QgcHJvdmlkZSBtZWFucyB0byBlbmNyeXB0DQp0aGUgaW5mb3Jt YXRpb24gb2YgR2VuZXZlIEhlYWRlciAoZXhjbHVkaW5nIEdlbmV2ZSBPcHRpb25zKS4NClJldmVy c2VseSwgYSBHZW5ldmUgc2VjdXJpdHkgbWVjaGFuaXNtIE1VU1QgYmUgYWJsZSB0byBsZWF2ZSBp bg0KY2xlYXIgR2VuZXZlIEhlYWRlciBpbmZvcm1hdGlvbiAoR2VuZXZlIE9wdGlvbnMgZXhjbHVk ZWQpIHdoaWxlDQplbmNyeXB0aW5nIHRoZSBvdGhlci4NCg0KU0VDLUdFTi01OiBHZW5ldmUgc2Vj dXJpdHkgbWVjaGFuaXNtcyBNVVNUIHByb3ZpZGUgdGhlIGFiaWxpdHkgdG8NCnByb3ZpZGUgY29u ZmlkZW50aWFsaXR5IHByb3RlY3Rpb24gYmV0d2VlbiBtdWx0aXBsZSBub2RlcywgaS5lLg0KbXVs dGlwbGUgdHJhbnNpdCBkZXZpY2VzIGFuZCBhIE5WRS4NCg0KDQoNClNFQy1HRU4tMyw0IGFuZCBT RUMtR0VOLTUsNiw3OiBBbGwgdGhlc2UgU0VDLUdFTiByZXF1aXJlbWVudHMgKGZvciBwYXJ0aWFs IGVuY3J5cHRpb24pIGFyZSBvcHRpbWl6YXRpb25zIHdoaWNoIHNob3VsZCBub3QgYmUgcGFydCBv ZiByZXF1aXJlbWVudHMgZXNwZWNpYWxseSB3aXRoIOKAnE1VU1TigJ0gbWFuZGF0ZXMuIFRoZSBt YWluIG9iamVjdGl2ZSBvZiByZXF1aXJlbWVudHMgaXMgZm9yIHByb3RlY3RpbmcgdGhlIHRyYWZm aWMgYmV0d2VlbiB0aGUgTlZFcyAocHJpdmFjeS9pbnRlZ3JpdHkvY29uZmlkZW50aWFsaXR5KS4g QXBwbHlpbmcgcGFydGlhbCBlbmNyeXB0aW9uIGlzIG1vcmUgb2YgYW4gb3B0aW1pemF0aW9uIHRo YW4gdG8gbWl0aWdhdGUgYW55IHNwZWNpZmljIHRocmVhdCBlc3BlY2lhbGx5IHdoZW4gb3RoZXIg ZXhpc3RpbmcgbWVjaGFuaXNtcyBhcmUgYXZhaWxhYmxlIHRvIHByb3RlY3QgY29tbXVuaWNhdGlv bnMgYmV0d2VlbiBOVkVzLiAgU3BlY2lmeSB0aGUgdXNlIGNhc2VzIHdoZXJlIG9wdGlvbnMgbmVl ZCB0byBzZWxlY3RpdmVseSBlbmNyeXB0ZWQuIFdoYXQgaXMgdGhlIHRocmVhdCBtb2RlbCBhbmQg d2h5IHN1Y2ggcGFydGlhbCBlbmNyeXB0aW9uIG9mIG9wdGlvbnMgaXMgcmVxdWlyZWQuICBTbyBh ZGRpbmcgcmVxdWlyZW1lbnRzIGZvciBwYXJ0aWFsIGhlYWRlcnMvcGF5bG9hZC9vcHRpb25zIGNv dWxkIG5vdCBiZSBjb25zaWRlcmVkIGFzIGEgc2VjdXJpdHkgcmVxdWlyZW1lbnQgdG8gYWRkcmVz cyBhIHNlY3VyaXR5IHRocmVhdCwgaGVuY2UgdGhlc2UgcmVxdWlyZW1lbnRzIG11c3Qgbm90IGJl IGluY2x1ZGVkLg0KDQoNCg0KU0VDLU9QLTU6IEEgc2VjdXJlIGRlcGxveW1lbnQgb2YgYSBHZW5l dmUgb3ZlcmxheSBNVVNUIGV2YWx1YXRlDQp0aGUgcmlzayBhc3NvY2lhdGVkIHRvIGEgY2hhbmdl IG9mIHRoZSBHZW5ldmUgT3V0ZXIgSGVhZGVyLCBHZW5ldmUNCkhlYWRlciAoZXhjbHVkaW5nIEdl bmV2ZSBPcHRpb25zKSBhbmQgR2VuZXZlIE9wdGlvbi4gV2hlbiBhIHJpc2sNCmFuYWx5c2lzIGNv bmNsdWRlcyB0aGF0IHRoZSByaXNrIGlzIHRvbyBoaWdoLCB0aGlzIHBpZWNlIG9mDQppbmZvcm1h dGlvbiBNVVNUIGJlIGF1dGhlbnRpY2F0ZWQuDQoNCg0KDQpTRUMtT1AtNjogQSBzZWN1cmUgZGVw bG95bWVudCBvZiBhIEdlbmV2ZSBvdmVybGF5IFNIT1VMRA0KYXV0aGVudGljYXRlIGNvbW11bmlj YXRpb25zIGJldHdlZW4gTlZFIHRvIHByb3RlY3QgdGhlIEdlbmV2ZQ0KT3ZlcmxheSBpbmZyYXN0 cnVjdHVyZSBhcyB3ZWxsIGFzIHRoZSBUZW5hbnRzIFN5c3RlbeKAmXMNCmNvbW11bmljYXRpb25z IChHZW5ldmUgUGFja2V0KS4gQSBHZW5ldmUgb3ZlcmxheSBwcm92aWRlciBNQVkNCmRpc2FibGUg YXV0aGVudGljYXRpb24gb2YgdGhlIGlubmVyIHBhY2tldCBhbmQgZGVsZWdhdGVzIGl0IHRvIHRo ZQ0KVGVuYW50IFN5c3RlbXMgd2hlbiBjb21tdW5pY2F0aW9ucyBiZXR3ZWVuIFRlbmFudOKAmXMg U3lzdGVtIGlzDQpzZWN1cmVkLiBUaGlzIGlzIE5PVCBSRUNPTU1FTkRFRC4gSW5zdGVhZCwgaXQg aXMgUkVDT01NRU5ERUQNCnRoYXQgbWVjaGFuaXNtcyBiaW5kcyB0aGUgaW5uZXIgcGF5bG9hZCB0 byB0aGUgR2VuZXZlIEhlYWRlci4gVG8NCnByZXZlbnQgaW5qZWN0aW9uIGJldHdlZW4gdmlydHVh bGl6ZWQgbmV0d29yaywgaXQgaXMgc3Ryb25nbHkgUkVDT01NRU5ERUQgdGhhdCBhdCBsZWFzdCB0 aGUgR2VuZXZlIEhlYWRlciB3aXRob3V0IEdlbmV2ZSBPcHRpb25zDQppcyBhdXRoZW50aWNhdGVk Lg0KDQoNCg0KV2hhdCBzcGVjaWZpYyByaXNrIGRvZXMgdGhlIG9wZXJhdG9yIHNlZSBiYXNlZCBv biB0aGUgdGhyZWF0IG1vZGVsIGFuZCB3aGF0IHBpZWNlIG9mIGluZm9ybWF0aW9uIHNob3VsZCBi ZSBhdXRoZW50aWNhdGVkLCB3aHkgdGhpcyBzaG91bGQgYmUgc2VsZWN0aXZlbHkgYXV0aGVudGlj YXRlZCBhcyBjYWxsZWQgZm9yIGluIHRoZXNlIHJlcXVpcmVtZW50cz8gQ2FuIHlvdSBzcGVjaWZ5 IHRoZSB1c2FnZSBtb2RlbCBmb3IgdGhlc2UgcmVxdWlyZW1lbnRzLg0KDQoNCg0KU0VDLU9QLTc6 IEEgc2VjdXJlIGRlcGxveW1lbnQgb2YgYSBHZW5ldmUgb3ZlcmxheSBTSE9VTEQgTk9UDQpwcm9j ZXNzIGRhdGEgcHJpb3IgYXV0aGVudGljYXRpb24uIElmIHRoYXQgaXMgbm90IHBvc3NpYmxlLCB0 aGUNCkdlbmV2ZSBvdmVybGF5IHByb3ZpZGVyIFNIT1VMRCBldmFsdWF0ZSBpdHMgaW1wYWN0Lg0K DQoNCg0KVGhpcyBpcyB0b28gZ2VuZXJpYywgd2hhdCBzaG91bGQgdGhlIG9wZXJhdG9yIGRvIHdp dGggdGhpcyByZXF1aXJlbWVudCwgIOKAnOKAplNIT1VEIGV2YWx1YXRlIGl0cyBpbXBhY3TigJ0/ DQoNCg0KDQpTRUMtR0VOLTg6IEdlbmV2ZSBzZWN1cml0eSBtZWNoYW5pc20gTVVTVCBwcm92aWRl IHRoZSBjYXBhYmlsaXR5DQp0byBhdXRoZW50aWNhdGUgdGhlIGlubmVyIHBheWxvYWQuDQoNCg0K U0VDLUdFTi05OiBHZW5ldmUgc2VjdXJpdHkgbWVjaGFuaXNtIFNIT1VMRCBwcm92aWRlIHRoZSBj YXBhYmlsaXR5DQp0byBwYXJ0aWFsbHkgYXV0aGVudGljYXRlIHRoZSBpbm5lciBwYXlsb2FkIGhl YWRlci4NCg0KDQpTRUMtR0VOLTEwOiBHZW5ldmUgc2VjdXJpdHkgbWVjaGFuaXNtIE1VU1QgcHJv dmlkZSB0aGUgY2FwYWJpbGl0eQ0KdG8gYXV0aGVudGljYXRlIGEgc2luZ2xlIG9yIGEgc2V0IG9m IG9wdGlvbnMgd2hpbGUgbGVhdmUgb3RoZXINCkdlbmV2ZSBPcHRpb24gdW5hdXRoZW50aWNhdGVk LiBSZXZlcnNlbHksIGEgR2VuZXZlIHNlY3VyaXR5DQptZWNoYW5pc20gTVVTVCBiZSBhYmxlIHRv IGxlYXZlIGEgR2VuZXZlIG9wdGlvbiB1bmF1dGhlbnRpY2F0ZWQsDQp3aGlsZSBlbmNyeXB0aW5n IHRoZSBvdGhlcnMuDQoNCg0KDQpTRUMtR0VOLTExOiBHZW5ldmUgc2VjdXJpdHkgbWVjaGFuaXNt IE1VU1QgcHJvdmlkZSBtZWFucyB0bw0KYXV0aGVudGljYXRlIHRoZSBpbmZvcm1hdGlvbiBvZiBH ZW5ldmUgSGVhZGVyIChHZW5ldmUgT3B0aW9uDQpleGNsdWRlZCkuIFJldmVyc2VseSwgYSBHZW5l dmUgc2VjdXJpdHkgbWVjaGFuaXNtIE1VU1QgYmUgYWJsZSB0bw0KbGVhdmUgdW5hdXRoZW50aWNh dGVkIEdlbmV2ZSBoZWFkZXIgaW5mb3JtYXRpb24gKEdlbmV2ZSBPcHRpb25zDQpleGNsdWRlZCkg d2hpbGUgYXV0aGVudGljYXRpbmcgdGhlIG90aGVyLg0KDQoNCg0KV2hhdCBpcyB0aGUgdGhyZWF0 IG1vZGVsIGFuZCB3aGF0IGlzIHVzZSBjYXNlIHRoYXQgaXMgZHJpdmluZyB0aGUgcGFydGlhbCBl bmNyeXB0aW9uIG9yIGF1dGhlbnRpY2F0aW9uIG9mIG9wdGlvbnM/DQoNCg0KDQpTRUMtR0VOLTEz OiBHZW5ldmUgU2VjdXJpdHkgbWVjaGFuaXNtIE1VU1QgcHJvdmlkZSBtZWFucyBmb3IgYQ0KdHJh bnNpdCBkZXZpY2UgdG8gYXV0aGVudGljYXRlIGRhdGEgcHJpb3IgaXQgaXMgYmVpbmcgcHJvY2Vz c2VkLg0KDQoNCg0KVGhpcyByZXF1aXJlbWVudCBpcyBub3QgY29uc2lzdGVudCB3aXRoIEdlbmV2 ZSBhcmNoaXRlY3R1cmUsIGhlbmNlIHJlbW92ZSB0aGlzIHJlcXVpcmVtZW50Lg0KDQoNCg0KU0VD LU9QLTg6IEEgc2VjdXJlIGRlcGxveW1lbnQgb2YgYSBHZW5ldmUgb3ZlcmxheSBNVVNUIGV2YWx1 YXRlDQp0aGUgY29tbXVuaWNhdGlvbnMgc3ViamVjdCB0byByZXBsYXkgYXR0YWNrcy4gQ29tbXVu aWNhdGlvbnMgdGhhdA0KYXJlIHN1YmplY3QgdG8gdGhpcyBhdHRhY2tzIE1VU1QgYmUgYXV0aGVu dGljYXRlZCB3aXRoIGFuIGFudGkNCnJlcGxheSBtZWNoYW5pc20uIE5vdGUgdGhhdCB3aGVuIHBh cnRpYWwgYXV0aGVudGljYXRpb24gaXMNCnByb3ZpZGVkLCB0aGUgcGFydCBub3QgY292ZXJlZCBi eSB0aGUgYXV0aGVudGljYXRpb24gcmVtYWlucyBhDQpzdXJmYWNlIG9mIGF0dGFjay4gSXQgaXMg c3Ryb25nbHkgUkVDT01NRU5ERUQgdGhhdCB0aGUgR2VuZXZlDQpIZWFkZXIgaXMgYXV0aGVudGlj YXRlZCB3aXRoIGFudGkgcmVwbGF5IHByb3RlY3Rpb24NCg0KDQoNCldoYXQgaXMgdGhlIHRocmVh dCBtb2RlbCBhbmQgdXNlIGNhc2UgdGhhdCBjYWxscyBmb3IgcGFydGlhbCBhdXRoZW50aWNhdGlv bi4gU2FtZSBjb21tZW50cyBhcyBwYXJ0aWFsIGVuY3J5cHRpb24gYXBwbGllcyB0byB0aGlzIGNv bW1lbnQgYXMgd2VsbC4NCg0KDQoNClNFQy1PUC05OiBBIHNlY3VyZSBkZXBsb3ltZW50IG9mIGEg R2VuZXZlIG92ZXJsYXkgTVVTVCBkZWZpbmUgdGhlDQpzZWN1cml0eSBwb2xpY2llcyB0aGF0IGFz c29jaWF0ZXMgdGhlIGVuY3J5cHRpb24sIGFuZA0KYXV0aGVudGljYXRpb24gYXNzb2NpYXRlZCB0 byBlYWNoIGZsb3cgYmV0d2VlbiBOVkVzLg0KDQoNCg0KU0VDLU9QLTEwOiBBIHNlY3VyZSBkZXBs b3ltZW50IG9mIGEgR2VuZXZlIG92ZXJsYXkgU0hPVUxEIGRlZmluZQ0KZGlzdGluY3QgbWF0ZXJp YWwgZm9yIGVhY2ggZmxvdy4gVGhlIGNyeXB0b2dyYXBoaWMgZGVwZW5kcyBvbiB0aGUNCm5hdHVy ZSBvZiB0aGUgZmxvdyAobXVsdGljYXN0LCB1bmljYXN0KSBhcyB3ZWxsIGFzIG9uIHRoZSBzZWN1 cml0eQ0KbWVjaGFuaXNtIGVuYWJsZWQgdG8gcHJvdGVjdCB0aGUgZmxvdy4NCg0KDQoNClNFQy1H RU4tMTU6IEEgR2VuZXZlIHNlY3VyaXR5IG1lY2hhbmlzbSBNVVNUIGJlIG1hbmFnZWQgdmlhDQpz ZWN1cml0eSBwb2xpY2llcyBhc3NvY2lhdGVkIGZvciBlYWNoIHRyYWZmaWMgZmxvdyB0byBiZQ0K cHJvdGVjdGVkLiBHZW5ldmUgb3ZlcmxheSBwcm92aWRlciBNVVNUIGJlIGFibGUgdG8gY29uZmln dXJlIE5WRXMNCndpdGggZGlmZmVyZW50IHNlY3VyaXR5IHBvbGljaWVzIGZvciBkaWZmZXJlbnQg Zmxvd3MuIEEgZmxvdyBNVVNUDQpiZSBpZGVudGlmaWVkIGF0IG1pbmltdW0gYnkgdGhlIEdlbmV2 ZSB2aXJ0dWFsIG5ldHdvcmsgaWRlbnRpZmllcg0KYW5kIHRoZSBpbm5lciBJUCBhbmQgdHJhbnNw b3J0IGhlYWRlcnMsIGFuZCBvcHRpb25hbGx5IGFkZGl0aW9uYWwNCmZpZWxkcyB3aGljaCBkZWZp bmUgYSBmbG93IChlLmcuLCBpbm5lciBJUCBEU0NQLCBJUHY2IGZsb3cgaWQsDQpHZW5ldmUgb3B0 aW9ucykNCg0KDQoNCg0KDQpJdCBpcyBub3QgY2xlYXIgYXMgdG8gd2hhdCB0aHJlYXQgaXMgYmVp bmcgYWRkcmVzc2VkIGJ5IHJlcXVpcmluZyBmbG93IGxldmVsIGdyYW51bGFyaXR5LiAgSWYgY29t bXVuaWNhdGlvbiBiZXR3ZWVuIE5WRSB0byBOVkUgbmVlZCBiZSBlbmNyeXB0ZWQvYXV0aGVudGlj YXRlZCwgdGhlbiwgYXQgYSBtaW5pbXVtLCBzZWN1cml0eSBwb2xpY3kgc2hvdWxkIGJlIGFwcGxp ZWQgZm9yIHRoZSB0cmFmZmljIGJldHdlZW4sIGZvciBleGFtcGxlLCBOVkUgQSB0byBOVkUgQiBv ciBOVkUgQSB0byBOVkUgQywgZXRjLiAgQW55IGdyYW51bGFyaXR5IGJleW9uZCB0aGF0IGlzIG5v dCBhIHJlcXVpcmVtZW50IHRvIGFkZHJlc3MgYW55IHRocmVhdC4gVGhpcyBpcyB1bmR1ZSBidXJk ZW4gb24gTlZFcywgbm90IG5lZWRlZCB0byBhZGRyZXNzIHNwZWNpZmljIHRocmVhdCBvciBkZWZp bmUgdGhlIHRocmVhdCBtb2RlbC4gICBIZW5jZSByZW1vdmUgZmxvdyBsZXZlbCBncmFudWxhcml0 eSByZXF1aXJlbWVudC4NCg0KDQoNClNFQy1HRU4tMTc6IEEgR2VuZXZlIHNlY3VyaXR5IG1lY2hh bmlzbXMsIHdoZW4gbXVsdGljYXN0IGlzIHVzZWQsDQpwYWNrZXRzLE1VU1QgYmUgYWJsZSB0byBh c3NpZ24gZGlzdGluY3QgY3J5cHRvZ3JhcGhpYyBncm91cCBrZXlzDQp0byBwcm90ZWN0IHRoZSBt dWx0aWNhc3QgcGFja2V0cyBleGNoYW5nZWQgYW1vbmcgdGhlIE5WRXMgd2l0aGluDQpkaWZmZXJl bnQgbXVsdGljYXN0IGdyb3Vwcy4gVXBvbiByZWNlaXZpbmcgYSBkYXRhIHBhY2tldCwgYW4NCmVn cmVzcyBHZW5ldmUgTlZFIE1VU1QgYmUgYWJsZSB0byB2ZXJpZnkgd2hldGhlciB0aGUgcGFja2V0 IGlzDQoNCnNlbnQgZnJvbSBhIHByb3BlciBpbmdyZXNzIE5WRSB3aGljaCBpcyBhdXRob3JpemVk IHRvIGZvcndhcmQgdGhhdA0KcGFja2V0Lg0KDQoNCg0KTmVlZCB0byBkZWZpbmUgdGhlIHRocmVh dCBtb2RlbCBmb3IgbXVsdGljYXN0LCBkZWZpbmUgbXVsdGljYXN0LCAgbW9zdCBkZXBsb3ltZW50 cyBtdWx0aWNhc3QgaXMgaW1wbGVtZW50ZWQgdXNpbmcgbXVsdGlwbGUgdW5pY2FzdC4gU28gdGhl IHJlcXVpcmVtZW50IGRvZXMgbm90IGFwcGx5IHRvIHN1Y2ggZGVwbG95bWVudHMuDQoNCg0KDQo4 LiBBcHBlbmRpeA0KDQoNCg0KSSBzdWdnZXN0IHRvIHJlbW92ZSB0aGUgZW50aXJlIEFwcGVuZGl4 IGZyb20gdGhlIGRvY3VtZW50LiBMZXQgdXMgZmlyc3QgYWdyZWUgb24gdGhlIHJlcXVpcmVtZW50 cyBiZWZvcmUgd2UgZ2V0IGludG8gbWFwcGluZyBkaWZmZXJlbnQgc29sdXRpb25zIHRvIG1lZXQg dGhlIHJlcXVpcmVtZW50cy4NCg0KDQoNClRoYW5rcywNCg0KSWxhbmdvDQoNCg0KDQpGcm9tOiBu dm8zIFttYWlsdG86bnZvMy1ib3VuY2VzQGlldGYub3JnXSBPbiBCZWhhbGYgT2YgQm9jY2ksIE1h dHRoZXcgKE5va2lhIC0gR0IpDQpTZW50OiBXZWRuZXNkYXksIEFwcmlsIDEwLCAyMDE5IDc6Mzgg QU0NClRvOiBOVk8zIDxudm8zQGlldGYub3JnPg0KU3ViamVjdDogW252bzNdIFBvbGwgZm9yIGFk b3B0aW9uIG9mIGRyYWZ0LW1nbHQtbnZvMy1nZW5ldmUtc2VjdXJpdHktcmVxdWlyZW1lbnRzLTA2 DQoNClRoaXMgZW1haWwgYmVnaW5zIGEgc2Vjb25kIHR3by13ZWVrIHBvbGwgZm9yIGFkb3B0aW9u IG9mIGRyYWZ0LW1nbHQtbnZvMy1nZW5ldmUtc2VjdXJpdHktcmVxdWlyZW1lbnRzLTA2IGluIHRo ZSBOVk8zIHdvcmtpbmcgZ3JvdXAuDQoNClBsZWFzZSByZXZpZXcgdGhlIGRyYWZ0IGFuZCBzZW5k IGFueSBjb21tZW50cyB0byB0aGUgTlZPMyBsaXN0Lg0KDQpQbGVhc2UgYWxzbyBpbmRpY2F0ZSB3 aGV0aGVyIHlvdSBzdXBwb3J0IGFkb3B0aW9uIG9mIHRoZSBkcmFmdCBhcyBhbiBOVk8zIHdvcmtp bmcgZ3JvdXAgZG9jdW1lbnQuDQoNCk5vdGUgdGhhdCBzdXBwb3J0aW5nIHdvcmtpbmcgZ3JvdXAg YWRvcHRpb24gaW5kaWNhdGVzIHRoYXQgeW91IHRoaW5rIHRoZSBkcmFmdCBpcyBoZWFkZWQgaW4g dGhlIHJpZ2h0IGRpcmVjdGlvbiBhbmQgcmVwcmVzZW50cyBhIHBpZWNlIG9mIHdvcmsgdGhhdCB0 aGUgd29ya2luZyBncm91cCBzaG91bGQgdGFrZSBvbiBhbmQgcHJvZ3Jlc3MuIEl0IGRvZXMgbm90 IGhhdmUgdG8gYmUgdGVjaG5pY2FsbHkgcGVyZmVjdCBhdCB0aGlzIHN0YWdlLg0KDQpUaGlzIHBv bGwgY2xvc2VzIG9uIFdlZG5lc2RheSAyNHRoIEFwcmlsIDIwMTkuDQoNClJlZ2FyZHMNCk1hdHRo ZXcgYW5kIFNhbQ0KDQo= --_000_C5A274B25007804B800CB5B289727E359052C181ORSMSX116amrcor_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Q291cmllcjsNCglwYW5vc2UtMToyIDcgNCA5IDIgMiA1IDIgNCA0O30NCkBmb250LWZhY2UNCgl7 Zm9udC1mYW1pbHk6IkNhbWJyaWEgTWF0aCI7DQoJcGFub3NlLTE6MiA0IDUgMyA1IDQgNiAzIDIg NDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1 IDIgMiAyIDQgMyAyIDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBs aS5Nc29Ob3JtYWwsIGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9t Oi4wMDAxcHQ7DQoJZm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fu cy1zZXJpZjt9DQphOmxpbmssIHNwYW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0 eTo5OTsNCgljb2xvcjojMDU2M0MxOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2 aXNpdGVkLCBzcGFuLk1zb0h5cGVybGlua0ZvbGxvd2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5 OTsNCgljb2xvcjojOTU0RjcyOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KcHJlDQoJ e21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoiSFRNTCBQcmVmb3JtYXR0 ZWQgQ2hhciI7DQoJbWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1z aXplOjEwLjBwdDsNCglmb250LWZhbWlseToiQ291cmllciBOZXciO30NCnNwYW4uRW1haWxTdHls ZTE3DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsOw0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixz YW5zLXNlcmlmOw0KCWNvbG9yOndpbmRvd3RleHQ7fQ0Kc3Bhbi5hcHBsZS1jb252ZXJ0ZWQtc3Bh Y2UNCgl7bXNvLXN0eWxlLW5hbWU6YXBwbGUtY29udmVydGVkLXNwYWNlO30NCnNwYW4uRW1haWxT dHlsZTE5DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5OiJD YWxpYnJpIixzYW5zLXNlcmlmOw0KCWNvbG9yOiMxRjQ5N0Q7fQ0Kc3Bhbi5mb250c3R5bGUwMQ0K CXttc28tc3R5bGUtbmFtZTpmb250c3R5bGUwMTsNCglmb250LWZhbWlseTpDb3VyaWVyOw0KCWNv bG9yOmJsYWNrOw0KCWZvbnQtd2VpZ2h0Om5vcm1hbDsNCglmb250LXN0eWxlOm5vcm1hbDt9DQpz cGFuLkhUTUxQcmVmb3JtYXR0ZWRDaGFyDQoJe21zby1zdHlsZS1uYW1lOiJIVE1MIFByZWZvcm1h dHRlZCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkhU TUwgUHJlZm9ybWF0dGVkIjsNCglmb250LWZhbWlseToiQ291cmllciBOZXciO30NCi5Nc29DaHBE ZWZhdWx0DQoJe21zby1zdHlsZS10eXBlOmV4cG9ydC1vbmx5Ow0KCWZvbnQtc2l6ZToxMC4wcHQ7 fQ0KQHBhZ2UgV29yZFNlY3Rpb24xDQoJe3NpemU6OC41aW4gMTEuMGluOw0KCW1hcmdpbjoxLjBp biAxLjBpbiAxLjBpbiAxLjBpbjt9DQpkaXYuV29yZFNlY3Rpb24xDQoJe3BhZ2U6V29yZFNlY3Rp b24xO30NCi0tPjwvc3R5bGU+PCEtLVtpZiBndGUgbXNvIDldPjx4bWw+DQo8bzpzaGFwZWRlZmF1 bHRzIHY6ZXh0PSJlZGl0IiBzcGlkbWF4PSIxMDI2IiAvPg0KPC94bWw+PCFbZW5kaWZdLS0+PCEt LVtpZiBndGUgbXNvIDldPjx4bWw+DQo8bzpzaGFwZWxheW91dCB2OmV4dD0iZWRpdCI+DQo8bzpp ZG1hcCB2OmV4dD0iZWRpdCIgZGF0YT0iMSIgLz4NCjwvbzpzaGFwZWxheW91dD48L3htbD48IVtl bmRpZl0tLT4NCjwvaGVhZD4NCjxib2R5IGxhbmc9IkVOLVVTIiBsaW5rPSIjMDU2M0MxIiB2bGlu az0iIzk1NEY3MiI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6IzFGNDk3RCI+SGVsbG8g V0cgQ2hhaXIsIEF1dGhvcnMgYW5kIFdHLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOiMxRjQ5N0Qi PjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOiMxRjQ5N0QiPkkgcmV2aWV3ZWQgdGhlIG5l dyB2ZXJzaW9uIG9mIHRoZSBkcmFmdC4gVGhlIGRvY3VtZW50IHN0aWxsIGhhcyBub3QgYWRkcmVz c2VkIG1hbnkgb2YgdGhlIGNvbW1lbnRzIHJhaXNlZCBvbiB0aGUgcHJldmlvdXMgdmVyc2lvbnMg b2YgdGhlIGRyYWZ0LiBUaGlzIHZlcnNpb24gc3RpbGwgbWFrZXMgY2VydGFpbiBhc3N1bXB0aW9u cyBvbg0KIHRoZSBmdW5jdGlvbmFsaXR5IG9mIHRyYW5zaXQgZGV2aWNlcyB0aGF0IGlzIG5vdCBj b25zaXN0ZW50IHdpdGggR2VuZXZlIGFyY2hpdGVjdHVyZS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xv cjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xvcjojMUY0OTdEIj5JdCBpcyBu b3QgYWJvdXQgdGVjaG5pY2FsIHBlcmZlY3Rpb24sIHRoZSBhcmNoaXRlY3R1cmFsIGlzc3VlIGFu ZCB0aGUgYXNzdW1wdGlvbiBvZiB0aGUgdGhyZWF0IG1vZGVsIGR1ZSB0byB0aGlzIGVmZmVjdCBu ZWVkcyB0byBiZSBhZGRyZXNzZWQgYmVmb3JlIHRoZSBhZG9wdGlvbiBvZiB0aGlzIGRyYWZ0IGFz IFdHIGRvY3VtZW50Lg0KPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJz cDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMS4wcHQ7Y29sb3I6IzFGNDk3RCI+VGhlIGRvY3VtZW50IGNhbGxzIGZvciB1bmR1 ZSByZXF1aXJlbWVudHMgYW5kIHByZXNjcmlwdGl2ZSBvZiBOVkUgaW1wbGVtZW50YXRpb25zIGFu ZCBzb2x1dGlvbnMgdGhhdCBhcmUgZWl0aGVyIG5vdCBuZWNlc3Nhcnkgbm9yIHByYWN0aWNhbCBm b3IgZGVwbG95bWVudHMgKGRldGFpbHMgYmVsb3cpLiBTb21lIG9mIHRoZSByZXF1aXJlbWVudHMN CiBhcmUgb3B0aW1pemF0aW9ucyB0aGF0IGFyZSBub3QgYWJzb2x1dGUgcmVxdWlyZW1lbnRzIGZv ciBzZWN1cmluZyBvdmVybGF5cy4gJm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6IzFGNDk3 RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6IzFGNDk3RCI+V2UgbmVlZCB0byBmaXJz dCBiYXNlbGluZSBvbiBhIHRocmVhdCBtb2RlbCBhcyBhcHBsaWNhYmxlIHRvIEdlbmV2ZSBhbmQg aW4gZ2VuZXJhbCBvdmVybGF5cyBpbiBOVk8zLiAmbmJzcDtIb3cgYXJlIHN1Y2ggdGhyZWF0cyBi ZWluZyBhZGRyZXNzZWQgYnkgb3RoZXIgZW5jYXBzdWxhdGlvbnMgcHJvdG9jb2xzIGxpa2UgSVAt aW4tSVAsIEdSRSwNCiBVRFAgZW5jYXBzdWxhdGlvbiBwcm90b2NvbHMgbGlrZSBHUkUtaW4tVURQ LCBNUExTLWluLVVEUCwgZXRjLiwgJm5ic3A7Jm5ic3A7Jm5ic3A7QXBwbHkgdGhvc2UgbGVhcm5p bmdzIGFuZCBmb2N1cyBvbiBhZGRyZXNzaW5nICZuYnNwO3NwZWNpZmljIHRocmVhdHMgYXBwbGlj YWJsZSB0byBHZW5ldmUgZGVwbG95bWVudCBtb2RlbHMgaW5zdGVhZCBvdmVyLXNwZWNpZnlpbmcg b3IgZ3JhdHVpdG91cyByZXF1aXJlbWVudHMgYW5kIHByZXNjcmliaW5nIHNvbHV0aW9ucy4gTWFu eSBvZg0KIHRoZXNlIGlzc3VlcyBuZWVkIHRvIGJlIGFkZHJlc3NlZCBieSB0aGUgZG9jdW1lbnQu IDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTEuMHB0O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFu PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0 O2NvbG9yOiMxRjQ5N0QiPkhlbmNlLCBJIGRvIG5vdCBzdXBwb3J0IHRoZSBhZG9wdGlvbiBvZiB0 aGUgZHJhZnQgaW4gaXRzIGN1cnJlbnQgZm9ybS4NCjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOiMx RjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOiMxRjQ5N0QiPlBsZWFzZSBzZWUg YmVsb3cgZm9yIGxpc3Qgb2YgY29tbWVudHMgb24gdGhlIGN1cnJlbnQgZHJhZnQ6DQo8bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjExLjBwdDtjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xvcjoj MUY0OTdEIj5HZW5lcmFsIGNvbW1lbnRzIHJlbGF0ZWQgdG8gdGhlIGRyYWZ0OjxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2NvbG9yOiMxRjQ5N0QiPlNFQy1PUCB2cyBTRUMtR0VOIHJlcXVpcmVtZW50cy4gVGhl cmUgd2FzIGxlbmd0aHkgZGlzY3Vzc2lvbiBpbiBOVk8zIFdHIG1lZXRpbmcgb24gc2hvdWxkIHdl IGhhdmUgU0VDLU9QIGFuZCBTRUMtR0VOIHJlcXVpcmVtZW50cywgc2hvdWxkIHdlIGluY2x1ZGUg U0VDLU9QLCBob3cgdG8gZ2V0IGZlZWRiYWNrIGZyb20gb3BlcmF0b3JzLA0KIHNob3VsZCB0aGlz IGJlIGluIGEgc2luZ2xlIGRvY3VtZW50IG9yIG11bHRpcGxlIHNlcGFyYXRlIGRvY3VtZW50cyBl dGMuLCBUaGVyZSB3YXMgbm8gY29uc2Vuc3VzIG9uIHRoaXMgaXNzdWUuIEhlbmNlIHdlIHN0aWxs IG5lZWQgdG8gcmV2aXNpdCB0aGlzIGlzc3VlLiAmbmJzcDtUaGVyZSB3YXMgc3VwcG9zZWQgdG8g YmUgbWFpbGluZyBsaXN0IGRpc2N1c3Npb24gb24gdGhpcyB0b3BpYy4gJm5ic3A7SG93ZXZlciwg SSBkaWQgbm90IHNlZSBzdWNoIGRpc2N1c3Npb24uPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PGEgaHJlZj0iaHR0cHM6Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9t ZWV0aW5nLzEwMy9tYXRlcmlhbHMvbWludXRlcy0xMDMtbnZvMy0wMCI+aHR0cHM6Ly9kYXRhdHJh Y2tlci5pZXRmLm9yZy9tZWV0aW5nLzEwMy9tYXRlcmlhbHMvbWludXRlcy0xMDMtbnZvMy0wMDwv YT48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7 Y29sb3I6IzFGNDk3RCI+SS1ELmlldGYtbnZvMy1zZWN1cml0eS1yZXF1aXJlbWVudHMgZG9jdW1l bnQuIFRoZXJlIGlzIGEgcmVmZXJlbmNlIHRvIHRoaXMgZG9jdW1lbnQgZnJvbSB0aGUgZ2VuZXZl IHNlY3VyaXR5IHJlcXVpcmVtZW50cyBkcmFmdC4gVGhlcmUgaXMgZ29vZCBhbW91bnQgb2YgaW5m b3JtYXRpb24sIGluY2x1ZGluZyB0aGUgdGhyZWF0IG1vZGVsLA0KIHRoYXQgaXMgZGVmaW5lZCBp biB0aGUgTlZPMy1zZWN1aXJ0eS1yZXF1aXJlbWVudHMgZG9jdW1lbnQsIGFuZCBkYXRhIHBsYW5l IGFuZCBjb250cm9sIHBsYW5lIHJlcXVpcmVtZW50cyBhcmUgYWxzbyBkZWZpbmVkLiAmbmJzcDtX ZSBuZWVkIHRvIGRlaWNpZGUgYXMgdG8gd2hhdCBkbyB3ZSBkbyB3aXRoIHJlc3BlY3QgdG8gdGhl IE5WTzMgc2VjdXJpdHkgcmVxdWlyZW1lbnRzIGRvY3VtZW50LCBhbmQgaG93IGRvIHdlIHB1bGwg aW4gdGhlIGluZm9ybWF0aW9uDQogaW50byB0aGlzIGRyYWZ0IG9yIG90aGVyIG9wdGlvbiBpcyB0 byByZXZpdmUgdGhlIGFscmVhZHkgYWRvcHRlZCBOVk8zIFdHIGRvY3VtZW50LjxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOiMxRjQ5 N0QiPkluIGdlbmVyYWwgd2UgbmVlZCBzb21lIHNlcmlvdXMgZGlzY3Vzc2lvbiBvbiB0aGUgbWFp bGluZyBsaXN0IG9uIHRoZSBkaXJlY3Rpb24gZGVmaW5pbmcgdGhlIHRocmVhdCBtb2RlbCBhbmQg ZGlyZWN0aW9uIHdlIHNob3VsZCB0YWtlIGluIGRlZmluaW5nIHRoZSByZXF1aXJlbWVudHMuDQo8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjExLjBwdDtjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtj b2xvcjojMUY0OTdEIj5TcGVjaWZpYyBjb21tZW50cyByZWxhdGVkIHRvIFJlcXVpcmVtZW50czo8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjExLjBwdDtjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTAuMHB0Ij5TRUMtT1AtMTogQSBzZWN1cmUgZGVwbG95bWVudCBv ZiBhIEdlbmV2ZSBvdmVybGF5IFNIT1VMRCBieTwvc3Bhbj48L3NwYW4+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Q291cmllcjtjb2xvcjpibGFjayI+PGJyPg0KPHNw YW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5kZWZhdWx0IGVuY3J5cHQgdGhlIGlubmVyIHBheWxvYWQu IEEgR2VuZXZlIG92ZXJsYXkgcHJvdmlkZXIgTUFZPC9zcGFuPjxicj4NCjxzcGFuIGNsYXNzPSJm b250c3R5bGUwMSI+ZGlzYWJsZSB0aGlzIGNhcGFiaWxpdHkgZm9yIGV4YW1wbGUgd2hlbiBlbmNy eXB0aW9uIGlzIHBlcmZvcm1lZDwvc3Bhbj48YnI+DQo8c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEi PmJ5IHRoZSBUZW5hbnQgU3lzdGVtIGFuZCB0aGF0IGxldmVsIG9mIGNvbmZpZGVudGlhbGl0eSBp cyBiZWxpZXZlZDwvc3Bhbj48YnI+DQo8c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPnRvIGJlIHN1 ZmZpY2llbnQuIEluIG9yZGVyIHRvIHByb3ZpZGUgYWRkaXRpb25hbCBwcm90ZWN0aW9uIHRvPC9z cGFuPjxicj4NCjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+dHJhZmZpYyBhbHJlYWR5IGVuY3J5 cHRlZCBieSB0aGUgVGVuYW50IHRoZSBHZW5ldmUgbmV0d29yazwvc3Bhbj48YnI+DQo8c3BhbiBj bGFzcz0iZm9udHN0eWxlMDEiPm9wZXJhdG9yIE1BWSBwYXJ0aWFsbHkgZW5jcnlwdCB0aGUgY2xl YXIgcGFydCBvZiB0aGUgaW5uZXI8L3NwYW4+PGJyPg0KPHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAx Ij5wYXlsb2FkLjxvOnA+PC9vOnA+PC9zcGFuPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAu MHB0Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEw LjBwdCI+U0VDLUdFTi0yOiBHZW5ldmUgc2VjdXJpdHkgbWVjaGFuaXNtIFNIT1VMRCBwcm92aWRl IHRoZSBjYXBhYmlsaXR5PC9zcGFuPjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBw dDtmb250LWZhbWlseTpDb3VyaWVyO2NvbG9yOmJsYWNrIj48YnI+DQo8c3BhbiBjbGFzcz0iZm9u dHN0eWxlMDEiPnRvIHBhcnRpYWxseSBlbmNyeXB0IHRoZSBpbm5lciBwYXlsb2FkIGhlYWRlci48 bzpwPjwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g Y2xhc3M9ImZvbnRzdHlsZTAxIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdCI+PG86cD4m bmJzcDs8L286cD48L3NwYW4+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IGNsYXNzPSJmb250c3R5bGUwMSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQiPlNFQy1P UC00OiBBIHNlY3VyZSBkZXBsb3ltZW50IG9mIGEgR2VuZXZlIG92ZXJsYXkgTVVTVCBwcm92aWRl IHRoZTwvc3Bhbj48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6Q291cmllcjtjb2xvcjpibGFjayI+PGJyPg0KPHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5j YXBhYmlsaXR5IGF1dGhlbnRpY2F0ZSB0aGUgaW5uZXIgcGF5bG9hZCB3aGVuIGVuY3J5cHRpb24g aXMgbm90PC9zcGFuPjxicj4NCjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+cHJvdmlkZWQuIEEg R2VuZXZlIG92ZXJsYXkgcHJvdmlkZXIgTUFZIGRpc2FibGUgdGhpcyBjYXBhYmlsaXR5PC9zcGFu Pjxicj4NCjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+Zm9yIGV4YW1wbGUgd2hlbiB0aGlzIGlz IHBlcmZvcm1lZCBieSB0aGUgVGVuYW50IFN5c3RlbSBhbmQgdGhhdDwvc3Bhbj48YnI+DQo8c3Bh biBjbGFzcz0iZm9udHN0eWxlMDEiPmxldmVsIG9mIGludGVncml0eSBpcyBiZWxpZXZlZCB0byBi ZSBzdWZmaWNpZW50LiBJbiBvcmRlciB0bzwvc3Bhbj48YnI+DQo8c3BhbiBjbGFzcz0iZm9udHN0 eWxlMDEiPnByb3ZpZGUgYWRkaXRpb25hbCBwcm90ZWN0aW9uIHRvIHRyYWZmaWMgYWxyZWFkeSBw cm90ZWN0ZWQgYnkgdGhlPC9zcGFuPjxicj4NCjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+VGVu YW50IHRoZSBHZW5ldmUgbmV0d29yayBvcGVyYXRvciBNQVkgcGFydGlhbGx5IHByb3RlY3QgdGhl PC9zcGFuPjxicj4NCjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+dW5wcm90ZWN0ZWQgcGFydCBv ZiB0aGUgaW5uZXIgcGF5bG9hZC48bzpwPjwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj48c3BhbiBzdHlsZT0iZm9u dC1zaXplOjEwLjBwdCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9zcGFuPjwvcD4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMC4wcHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMS4wcHQ7Y29sb3I6IzFGNDk3RCI+UGFydGlhbCBlbmNyeXB0aW9uIChTRUMtT1At MSBhbmQgU0VDLUdFTjIpIGlzIGFuIG9wdGltaXphdGlvbiAoYXMgaGFkIGJlZW4gaW5kaWNhdGVk IGluIGEgY29tbWVudCBvbiB0aGUgcHJldmlvdXMgdmVyc2lvbiBvZiB0aGlzIGRyYWZ0KSBhbmQg c2hvdWxkIG5vdCBiZSBhIHJlcXVpcmVtZW50LiZuYnNwOw0KIFRoZSB0cmFmZmljIGJldHdlZW4g TlZFIHBhaXJzIHNob3VsZCBiZSBzZWN1cmVkIGFuZCBvcGVyYXRvciBtYXkgaGF2ZSBhIHBvbGlj eSB0byBlbmNyeXB0IHRoZSB0cmFmZmljIGlycmVzcGVjdGl2ZSBvZiB0aGUgYW55IHNlY3VyaXR5 IG1lY2hhbmlzbXMgZW1wbG95ZWQgYnkgdGhlIFRlbmFudCBTeXN0ZW1zIEFsc28gYW4gTlZFIG1h eSBoYW5kbGUgdHJhZmZpYyBmcm9tIG11bHRpcGxlIFRTZXMgYW5kIGhlbmNlIHRoZSBzZXJ2aWNl IHByb3ZpZGVyDQogbWF5IGVuYWJsZSBlbmNyeXB0aW9uIGJldHdlZW4gTlZFIHBhaXJzLiBTbyBw YXJ0aWFsIGVuY3J5cHRpb24gb3Igc2VsZWN0aXZlIGVuY3J5cHRpb24gc2hvdWxkIG5vdCBiZSBh IHJlcXVpcmVtZW50Lg0KPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCIgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0 O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFzcz0iZm9udHN0eWxl MDEiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0Ij5TRUMtT1AtMzogQSBzZWN1cmUgZGVw bG95bWVudCBvZiBhIEdlbmV2ZSBvdmVybGF5IE1VU1QgZXZhbHVhdGU8L3NwYW4+PC9zcGFuPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OkNvdXJpZXI7Y29sb3I6Ymxh Y2siPjxicj4NCjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+dGhlIHJpc2sgYXNzb2NpYXRlZCB0 byB0cmFmZmljIHBhdHRlcm4gcmVjb2duaXRpb24uIFdoZW4gYSByaXNrPC9zcGFuPjxicj4NCjxz cGFuIGNsYXNzPSJmb250c3R5bGUwMSI+aGFzIGJlZW4gaWRlbnRpZmllZCwgdHJhZmZpYyBwYXR0 ZXJuIHJlY29nbml0aW9uIE1VU1QgYmUgYWRkcmVzc2VkPC9zcGFuPjxicj4NCjxzcGFuIGNsYXNz PSJmb250c3R5bGUwMSI+d2l0aCBwYWRkaW5nIHBvbGljaWVzIGFzIHdlbGwgYXMgZ2VuZXJhdGlv biBvZiBkdW1teSBwYWNrZXRzLjxvOnA+PC9vOnA+PC9zcGFuPjwvc3Bhbj48L3A+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gY2xhc3M9ImZvbnRz dHlsZTAxIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdCI+PG86cD4mbmJzcDs8L286cD48 L3NwYW4+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5k OndoaXRlIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTAuMHB0Ij5TRUMtR0VOLTY6IEdlbmV2ZSBzZWN1cml0eSBtZWNoYW5pc20gTVVTVCBwcm92aWRl IHRoZSBhYmlsaXR5IHRvPC9zcGFuPjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBw dDtmb250LWZhbWlseTpDb3VyaWVyO2NvbG9yOmJsYWNrIj48YnI+DQo8c3BhbiBjbGFzcz0iZm9u dHN0eWxlMDEiPnBhZCBhIEdlbmV2ZSBwYWNrZXQuPG86cD48L286cD48L3NwYW4+PC9zcGFuPjwv cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBj bGFzcz0iZm9udHN0eWxlMDEiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0Ij48bzpwPiZu YnNwOzwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9 ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMC4wcHQiPlNFQy1HRU4tNzogR2VuZXZlIHNlY3VyaXR5IG1lY2hhbmlzbSBN VVNUIHByb3ZpZGUgdGhlIGFiaWxpdHkgdG88L3NwYW4+PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OkNvdXJpZXI7Y29sb3I6YmxhY2siPjxicj4NCjxzcGFu IGNsYXNzPSJmb250c3R5bGUwMSI+c2VuZCBkdW1teSBwYWNrZXRzLjxvOnA+PC9vOnA+PC9zcGFu Pjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0 ZSI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBw dCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBw dDtjb2xvcjojMUY0OTdEIj5TRUMtT1AtMyBhbmQgU0VDLUdFTi02OiBUaGUgcmVxdWlyZW1lbnRz IGRvY3VtZW50IHNob3VsZCBzdGF5IHdpdGggc3RhdGluZyByZXF1aXJlbWVudHMgYW5kIG5vdCBw cmVzY3JpYmUgYSBzb2x1dGlvbihzKS4gVGhpcyBjb21tZW50IHdhcyBhbHJlYWR5IHN1Ym1pdHRl ZCBpbiB0aGUgcHJldmlvdXMNCiB2ZXJzaW9uIG9mIHRoZSBkb2N1bWVudC4gJm5ic3A74oCcdHJh ZmZpYyBwYXR0ZXJuIHJlY29nbml0aW9uIE1VU1QgYmUgYWRkcmVzc2VkIHdpdGggcGFkZGluZyBw b2xpY2llcyBhcyB3ZWxsIGFzIGdlbmVyYXRpb24gb2YgZHVtbXkgcGFja2V0c+KAnSZuYnNwOyBU aGlzIGlzIGFuIHVuZHVlIHJlcXVpcmVtZW50IG9uIE5WRSBpbXBsZW1lbnRhdGlvbnMgd2hpY2gg aXMgbm90IG5lY2Vzc2FyeSBhbmQgc2hvdWxkIG5vdCBiZSBpbiB0aGUgcmVxdWlyZW1lbnRzLiZu YnNwOyBOZWVkDQogdG8gY2xlYXJseSBleHBsYWluIHdoYXQgYWRkaXRpb25hbCBzZWN1cml0eSBy aXNrIGlzIGNhdXNlZCBiZWNhdXNlIEdlbmV2ZSBlbmNhcHN1bGF0aW9uIHZzIHN0YW5kYXJkIElQ IHRyYW5zcG9ydCBhbmQgd2h5IHN1Y2ggYSByZXF1aXJlbWVudCBpcyBtYW5kYXRvcnkuIEFueSBz dWNoIHJpc2sgY2FuIGJlIG1pdGlnYXRlZCBieSBleGlzdGluZyBzZWN1cml0eSBtZWNoYW5pc21z IGZvciBjb21tdW5pY2F0aW9uIGJldHdlZW4gTlZFcy48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+ PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFu IGNsYXNzPSJmb250c3R5bGUwMSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQiPlNFQy1H RU4tMTogR2VuZXZlIHNlY3VyaXR5IG1lY2hhbmlzbSBNVVNUIHByb3ZpZGUgdGhlIGNhcGFiaWxp dHk8L3NwYW4+PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5 OkNvdXJpZXI7Y29sb3I6YmxhY2siPjxicj4NCjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+dG8g ZW5jcnlwdCB0aGUgaW5uZXIgcGF5bG9hZC48bzpwPjwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIGNsYXNz PSJmb250c3R5bGUwMSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9zcGFuPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0iYmFj a2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6IzFGNDk3 RCI+RGVmaW5lIHRoZSB0aHJlYXQgbW9kZWwgd2hlcmUgb25seSB0aGUgaW5uZXIgcGF5bG9hZCBz aG91bGQgYmUgc2VsZWN0aXZlbHkgZW5jcnlwdGVkLiBUaGUgcmVxdWlyZW1lbnRzIHNob3VsZCBi ZSB0byBhZGRyZXNzIGEgc3BlY2lmaWMgdGhyZWF0IG1vZGVsLiBOb3QgYWxsIGRlcGxveW1lbnRz DQogbmVlZCBlbmNyeXB0aW9uLiA8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox MS4wcHQ7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCIgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIGNsYXNzPSJmb250 c3R5bGUwMSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQiPlNFQy1HRU4tMzogR2VuZXZl IHNlY3VyaXR5IG1lY2hhbmlzbSBNVVNUIHByb3ZpZGUgbWVhbnMgdG8gZW5jcnlwdDwvc3Bhbj48 L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Q291cmllcjtj b2xvcjpibGFjayI+PGJyPg0KPHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5hIHNpbmdsZSBvciBh IHNldCBvZiB6ZXJvLCBvbmUgb3IgbXVsdGlwbGUgR2VuZXZlIE9wdGlvbnMgd2hpbGU8L3NwYW4+ PGJyPg0KPHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5sZWF2ZSBvdGhlciBHZW5ldmUgT3B0aW9u cyBpbiBjbGVhci4gUmV2ZXJzZWx5LCBhIEdlbmV2ZSBzZWN1cml0eTwvc3Bhbj48YnI+DQo8c3Bh biBjbGFzcz0iZm9udHN0eWxlMDEiPm1lY2hhbmlzbSBNVVNUIGJlIGFibGUgdG8gbGVhdmUgYSBH ZW5ldmUgb3B0aW9uIGluIGNsZWFyLCB3aGlsZTwvc3Bhbj48YnI+DQo8c3BhbiBjbGFzcz0iZm9u dHN0eWxlMDEiPmVuY3J5cHRpbmcgdGhlIG90aGVycy48bzpwPjwvbzpwPjwvc3Bhbj48L3NwYW4+ PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFu IGNsYXNzPSJmb250c3R5bGUwMSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9zcGFuPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls ZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjEwLjBwdCI+U0VDLUdFTi00OiBHZW5ldmUgc2VjdXJpdHkgbWVjaGFuaXNt IE1VU1QgcHJvdmlkZSBtZWFucyB0byBlbmNyeXB0PC9zcGFuPjwvc3Bhbj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTpDb3VyaWVyO2NvbG9yOmJsYWNrIj48YnI+DQo8 c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPnRoZSBpbmZvcm1hdGlvbiBvZiBHZW5ldmUgSGVhZGVy IChleGNsdWRpbmcgR2VuZXZlIE9wdGlvbnMpLjwvc3Bhbj48YnI+DQo8c3BhbiBjbGFzcz0iZm9u dHN0eWxlMDEiPlJldmVyc2VseSwgYSBHZW5ldmUgc2VjdXJpdHkgbWVjaGFuaXNtIE1VU1QgYmUg YWJsZSB0byBsZWF2ZSBpbjwvc3Bhbj48YnI+DQo8c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPmNs ZWFyIEdlbmV2ZSBIZWFkZXIgaW5mb3JtYXRpb24gKEdlbmV2ZSBPcHRpb25zIGV4Y2x1ZGVkKSB3 aGlsZTwvc3Bhbj48YnI+DQo8c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPmVuY3J5cHRpbmcgdGhl IG90aGVyLjxvOnA+PC9vOnA+PC9zcGFuPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFs IiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjEwLjBwdCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9zcGFu PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3Bh biBjbGFzcz0iZm9udHN0eWxlMDEiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0Ij5TRUMt R0VOLTU6IEdlbmV2ZSBzZWN1cml0eSBtZWNoYW5pc21zIE1VU1QgcHJvdmlkZSB0aGUgYWJpbGl0 eSB0bzwvc3Bhbj48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6Q291cmllcjtjb2xvcjpibGFjayI+PGJyPg0KPHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5w cm92aWRlIGNvbmZpZGVudGlhbGl0eSBwcm90ZWN0aW9uIGJldHdlZW4gbXVsdGlwbGUgbm9kZXMs IGkuZS48L3NwYW4+PGJyPg0KPHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5tdWx0aXBsZSB0cmFu c2l0IGRldmljZXMgYW5kIGEgTlZFLjxvOnA+PC9vOnA+PC9zcGFuPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gY2xhc3M9ImZv bnRzdHlsZTAxIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdCI+PG86cD4mbmJzcDs8L286 cD48L3NwYW4+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJiYWNrZ3Jv dW5kOndoaXRlIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTAuMHB0Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wPg0KPHByZSBzdHls ZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPlNFQy1H RU4tMyw0IGFuZCBTRUMtR0VOLTUsNiw3OiBBbGwgdGhlc2UgU0VDLUdFTiByZXF1aXJlbWVudHMg KGZvciBwYXJ0aWFsIGVuY3J5cHRpb24pIGFyZSBvcHRpbWl6YXRpb25zIHdoaWNoIHNob3VsZCBu b3QgYmUgcGFydCBvZiByZXF1aXJlbWVudHMgZXNwZWNpYWxseSB3aXRoIOKAnE1VU1TigJ0gbWFu ZGF0ZXMuIFRoZSBtYWluIG9iamVjdGl2ZSBvZiByZXF1aXJlbWVudHMgaXMgZm9yIHByb3RlY3Rp bmcgdGhlIHRyYWZmaWMgYmV0d2VlbiB0aGUgTlZFcyAocHJpdmFjeS9pbnRlZ3JpdHkvY29uZmlk ZW50aWFsaXR5KS4gQXBwbHlpbmcgcGFydGlhbCBlbmNyeXB0aW9uIGlzIG1vcmUgb2YgYW4gb3B0 aW1pemF0aW9uIHRoYW4gdG8gbWl0aWdhdGUgYW55IHNwZWNpZmljIHRocmVhdCBlc3BlY2lhbGx5 IHdoZW4gb3RoZXIgZXhpc3RpbmcgbWVjaGFuaXNtcyBhcmUgYXZhaWxhYmxlIHRvIHByb3RlY3Qg Y29tbXVuaWNhdGlvbnMgYmV0d2VlbiBOVkVzLiAmbmJzcDtTcGVjaWZ5IHRoZSB1c2UgY2FzZXMg d2hlcmUgb3B0aW9ucyBuZWVkIHRvIHNlbGVjdGl2ZWx5IGVuY3J5cHRlZC4gV2hhdCBpcyB0aGUg dGhyZWF0IG1vZGVsIGFuZCB3aHkgc3VjaCBwYXJ0aWFsIGVuY3J5cHRpb24gb2Ygb3B0aW9ucyBp cyByZXF1aXJlZC4gJm5ic3A7U28gYWRkaW5nIHJlcXVpcmVtZW50cyBmb3IgcGFydGlhbCBoZWFk ZXJzL3BheWxvYWQvb3B0aW9ucyBjb3VsZCBub3QgYmUgY29uc2lkZXJlZCBhcyBhIHNlY3VyaXR5 IHJlcXVpcmVtZW50IHRvIGFkZHJlc3MgYSBzZWN1cml0eSB0aHJlYXQsIGhlbmNlIHRoZXNlIHJl cXVpcmVtZW50cyBtdXN0IG5vdCBiZSBpbmNsdWRlZC4mbmJzcDsgPG86cD48L286cD48L3NwYW4+ PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29s b3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJi YWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPlNFQy1PUC01OiBBIHNl Y3VyZSBkZXBsb3ltZW50IG9mIGEgR2VuZXZlIG92ZXJsYXkgTVVTVCBldmFsdWF0ZTwvc3Bhbj48 c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6Q291cmllcjtjb2xvcjpibGFjayI+PGJyPjxzcGFuIGNs YXNzPSJmb250c3R5bGUwMSI+dGhlIHJpc2sgYXNzb2NpYXRlZCB0byBhIGNoYW5nZSBvZiB0aGUg R2VuZXZlIE91dGVyIEhlYWRlciwgR2VuZXZlPC9zcGFuPjxicj48c3BhbiBjbGFzcz0iZm9udHN0 eWxlMDEiPkhlYWRlciAoZXhjbHVkaW5nIEdlbmV2ZSBPcHRpb25zKSBhbmQgR2VuZXZlIE9wdGlv bi4gV2hlbiBhIHJpc2s8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+YW5hbHlz aXMgY29uY2x1ZGVzIHRoYXQgdGhlIHJpc2sgaXMgdG9vIGhpZ2gsIHRoaXMgcGllY2Ugb2Y8L3Nw YW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+aW5mb3JtYXRpb24gTVVTVCBiZSBhdXRo ZW50aWNhdGVkLjxvOnA+PC9vOnA+PC9zcGFuPjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJh Y2tncm91bmQ6d2hpdGUiPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+PG86cD4mbmJzcDs8L286 cD48L3NwYW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFz cz0iZm9udHN0eWxlMDEiPlNFQy1PUC02OiBBIHNlY3VyZSBkZXBsb3ltZW50IG9mIGEgR2VuZXZl IG92ZXJsYXkgU0hPVUxEPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpDb3VyaWVyO2Nv bG9yOmJsYWNrIj48YnI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5hdXRoZW50aWNhdGUgY29t bXVuaWNhdGlvbnMgYmV0d2VlbiBOVkUgdG8gcHJvdGVjdCB0aGUgR2VuZXZlPC9zcGFuPjxicj48 c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPk92ZXJsYXkgaW5mcmFzdHJ1Y3R1cmUgYXMgd2VsbCBh cyB0aGUgVGVuYW50cyBTeXN0ZW3igJlzPC9zcGFuPjxicj48c3BhbiBjbGFzcz0iZm9udHN0eWxl MDEiPmNvbW11bmljYXRpb25zIChHZW5ldmUgUGFja2V0KS4gQSBHZW5ldmUgb3ZlcmxheSBwcm92 aWRlciBNQVk8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+ZGlzYWJsZSBhdXRo ZW50aWNhdGlvbiBvZiB0aGUgaW5uZXIgcGFja2V0IGFuZCBkZWxlZ2F0ZXMgaXQgdG8gdGhlPC9z cGFuPjxicj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPlRlbmFudCBTeXN0ZW1zIHdoZW4gY29t bXVuaWNhdGlvbnMgYmV0d2VlbiBUZW5hbnTigJlzIFN5c3RlbSBpczwvc3Bhbj48YnI+PHNwYW4g Y2xhc3M9ImZvbnRzdHlsZTAxIj5zZWN1cmVkLiBUaGlzIGlzIE5PVCBSRUNPTU1FTkRFRC4gSW5z dGVhZCwgaXQgaXMgUkVDT01NRU5ERUQ8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUw MSI+dGhhdCBtZWNoYW5pc21zIGJpbmRzIHRoZSBpbm5lciBwYXlsb2FkIHRvIHRoZSBHZW5ldmUg SGVhZGVyLiBUbzwvc3Bhbj48YnI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5wcmV2ZW50IGlu amVjdGlvbiBiZXR3ZWVuIHZpcnR1YWxpemVkIG5ldHdvcmssIGl0IGlzIHN0cm9uZ2x5PC9zcGFu Pjwvc3Bhbj48c3BhbiBjbGFzcz0iTXNvSHlwZXJsaW5rIj4gPC9zcGFuPjxzcGFuIGNsYXNzPSJm b250c3R5bGUwMSI+UkVDT01NRU5ERUQgdGhhdCBhdCBsZWFzdCB0aGUgR2VuZXZlIEhlYWRlciB3 aXRob3V0IEdlbmV2ZSBPcHRpb25zPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpDb3Vy aWVyO2NvbG9yOmJsYWNrIj48YnI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5pcyBhdXRoZW50 aWNhdGVkLjwvc3Bhbj48L3NwYW4+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMt c2VyaWY7Y29sb3I6IzFGNDk3RCI+PG86cD48L286cD48L3NwYW4+PC9zcGFuPjwvcHJlPg0KPHBy ZSBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj48bzpw PiZuYnNwOzwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm cXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj5XaGF0IHNwZWNpZmljIHJpc2sgZG9lcyB0 aGUgb3BlcmF0b3Igc2VlIGJhc2VkIG9uIHRoZSB0aHJlYXQgbW9kZWwgYW5kIHdoYXQgcGllY2Ug b2YgaW5mb3JtYXRpb24gc2hvdWxkIGJlIGF1dGhlbnRpY2F0ZWQsIHdoeSB0aGlzIHNob3VsZCBi ZSBzZWxlY3RpdmVseSBhdXRoZW50aWNhdGVkIGFzIGNhbGxlZCBmb3IgaW4gdGhlc2UgcmVxdWly ZW1lbnRzPyBDYW4geW91IHNwZWNpZnkgdGhlIHVzYWdlIG1vZGVsIGZvciB0aGVzZSByZXF1aXJl bWVudHMuPG86cD48L286cD48L3NwYW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndo aXRlIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxp YnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3Nw YW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFzcz0iZm9u dHN0eWxlMDEiPlNFQy1PUC03OiBBIHNlY3VyZSBkZXBsb3ltZW50IG9mIGEgR2VuZXZlIG92ZXJs YXkgU0hPVUxEIE5PVDwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6Q291cmllcjtjb2xv cjpibGFjayI+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+cHJvY2VzcyBkYXRhIHByaW9y IGF1dGhlbnRpY2F0aW9uLiBJZiB0aGF0IGlzIG5vdCBwb3NzaWJsZSwgdGhlPC9zcGFuPjxicj48 c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPkdlbmV2ZSBvdmVybGF5IHByb3ZpZGVyIFNIT1VMRCBl dmFsdWF0ZSBpdHMgaW1wYWN0LjxvOnA+PC9vOnA+PC9zcGFuPjwvc3Bhbj48L3ByZT4NCjxwcmUg c3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+PG86cD4m bmJzcDs8L286cD48L3NwYW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1 b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3RCI+VGhpcyBpcyB0b28gZ2VuZXJpYywgd2hhdCBz aG91bGQgdGhlIG9wZXJhdG9yIGRvIHdpdGggdGhpcyByZXF1aXJlbWVudCwgJm5ic3A74oCc4oCm U0hPVUQgZXZhbHVhdGUgaXRzIGltcGFjdOKAnT88bzpwPjwvbzpwPjwvc3Bhbj48L3ByZT4NCjxw cmUgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdE Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91bmQ6 d2hpdGUiPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+U0VDLUdFTi04OiBHZW5ldmUgc2VjdXJp dHkgbWVjaGFuaXNtIE1VU1QgcHJvdmlkZSB0aGUgY2FwYWJpbGl0eTwvc3Bhbj48c3BhbiBzdHls ZT0iZm9udC1mYW1pbHk6Q291cmllcjtjb2xvcjpibGFjayI+PGJyPjxzcGFuIGNsYXNzPSJmb250 c3R5bGUwMSI+dG8gYXV0aGVudGljYXRlIHRoZSBpbm5lciBwYXlsb2FkLjwvc3Bhbj48YnI+PGJy PjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+PG86cD48L286cD48L3NwYW4+PC9zcGFuPjwvcHJl Pg0KPHByZSBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAx Ij5TRUMtR0VOLTk6IEdlbmV2ZSBzZWN1cml0eSBtZWNoYW5pc20gU0hPVUxEIHByb3ZpZGUgdGhl IGNhcGFiaWxpdHk8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OkNvdXJpZXI7Y29sb3I6 YmxhY2siPjxicj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPnRvIHBhcnRpYWxseSBhdXRoZW50 aWNhdGUgdGhlIGlubmVyIHBheWxvYWQgaGVhZGVyLjwvc3Bhbj48YnI+PGJyPjxzcGFuIGNsYXNz PSJmb250c3R5bGUwMSI+PG86cD48L286cD48L3NwYW4+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHls ZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5TRUMtR0VOLTEw OiBHZW5ldmUgc2VjdXJpdHkgbWVjaGFuaXNtIE1VU1QgcHJvdmlkZSB0aGUgY2FwYWJpbGl0eTwv c3Bhbj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6Q291cmllcjtjb2xvcjpibGFjayI+PGJyPjxz cGFuIGNsYXNzPSJmb250c3R5bGUwMSI+dG8gYXV0aGVudGljYXRlIGEgc2luZ2xlIG9yIGEgc2V0 IG9mIG9wdGlvbnMgd2hpbGUgbGVhdmUgb3RoZXI8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250 c3R5bGUwMSI+R2VuZXZlIE9wdGlvbiB1bmF1dGhlbnRpY2F0ZWQuIFJldmVyc2VseSwgYSBHZW5l dmUgc2VjdXJpdHk8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+bWVjaGFuaXNt IE1VU1QgYmUgYWJsZSB0byBsZWF2ZSBhIEdlbmV2ZSBvcHRpb24gdW5hdXRoZW50aWNhdGVkLDwv c3Bhbj48YnI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj53aGlsZSBlbmNyeXB0aW5nIHRoZSBv dGhlcnMuPG86cD48L286cD48L3NwYW4+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHlsZT0iYmFja2dy b3VuZDp3aGl0ZSI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj48bzpwPiZuYnNwOzwvbzpwPjwv c3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIGNsYXNzPSJm b250c3R5bGUwMSI+U0VDLUdFTi0xMTogR2VuZXZlIHNlY3VyaXR5IG1lY2hhbmlzbSBNVVNUIHBy b3ZpZGUgbWVhbnMgdG88L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OkNvdXJpZXI7Y29s b3I6YmxhY2siPjxicj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPmF1dGhlbnRpY2F0ZSB0aGUg aW5mb3JtYXRpb24gb2YgR2VuZXZlIEhlYWRlciAoR2VuZXZlIE9wdGlvbjwvc3Bhbj48YnI+PHNw YW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5leGNsdWRlZCkuIFJldmVyc2VseSwgYSBHZW5ldmUgc2Vj dXJpdHkgbWVjaGFuaXNtIE1VU1QgYmUgYWJsZSB0bzwvc3Bhbj48YnI+PHNwYW4gY2xhc3M9ImZv bnRzdHlsZTAxIj5sZWF2ZSB1bmF1dGhlbnRpY2F0ZWQgR2VuZXZlIGhlYWRlciBpbmZvcm1hdGlv biAoR2VuZXZlIE9wdGlvbnM8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+ZXhj bHVkZWQpIHdoaWxlIGF1dGhlbnRpY2F0aW5nIHRoZSBvdGhlci48bzpwPjwvbzpwPjwvc3Bhbj48 L3NwYW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFzcz0i Zm9udHN0eWxlMDEiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHlsZT0i YmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPldoYXQgaXMg dGhlIHRocmVhdCBtb2RlbCBhbmQgd2hhdCBpcyB1c2UgY2FzZSB0aGF0IGlzIGRyaXZpbmcgdGhl IHBhcnRpYWwgZW5jcnlwdGlvbiBvciBhdXRoZW50aWNhdGlvbiBvZiBvcHRpb25zPyAmbmJzcDs8 bzpwPjwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVv dDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3By ZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIGNsYXNzPSJmb250c3R5bGUw MSI+U0VDLUdFTi0xMzogR2VuZXZlIFNlY3VyaXR5IG1lY2hhbmlzbSBNVVNUIHByb3ZpZGUgbWVh bnMgZm9yIGE8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OkNvdXJpZXI7Y29sb3I6Ymxh Y2siPjxicj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPnRyYW5zaXQgZGV2aWNlIHRvIGF1dGhl bnRpY2F0ZSBkYXRhIHByaW9yIGl0IGlzIGJlaW5nIHByb2Nlc3NlZC48bzpwPjwvbzpwPjwvc3Bh bj48L3NwYW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFz cz0iZm9udHN0eWxlMDEiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHls ZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPlRoaXMg cmVxdWlyZW1lbnQgaXMgbm90IGNvbnNpc3RlbnQgd2l0aCBHZW5ldmUgYXJjaGl0ZWN0dXJlLCBo ZW5jZSByZW1vdmUgdGhpcyByZXF1aXJlbWVudC4gPG86cD48L286cD48L3NwYW4+PC9wcmU+DQo8 cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBw dDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3 RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5k OndoaXRlIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPlNFQy1PUC04OiBBIHNlY3VyZSBkZXBs b3ltZW50IG9mIGEgR2VuZXZlIG92ZXJsYXkgTVVTVCBldmFsdWF0ZTwvc3Bhbj48c3BhbiBzdHls ZT0iZm9udC1mYW1pbHk6Q291cmllcjtjb2xvcjpibGFjayI+PGJyPjxzcGFuIGNsYXNzPSJmb250 c3R5bGUwMSI+dGhlIGNvbW11bmljYXRpb25zIHN1YmplY3QgdG8gcmVwbGF5IGF0dGFja3MuIENv bW11bmljYXRpb25zIHRoYXQ8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+YXJl IHN1YmplY3QgdG8gdGhpcyBhdHRhY2tzIE1VU1QgYmUgYXV0aGVudGljYXRlZCB3aXRoIGFuIGFu dGk8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+cmVwbGF5IG1lY2hhbmlzbS4g Tm90ZSB0aGF0IHdoZW4gcGFydGlhbCBhdXRoZW50aWNhdGlvbiBpczwvc3Bhbj48YnI+PHNwYW4g Y2xhc3M9ImZvbnRzdHlsZTAxIj5wcm92aWRlZCwgdGhlIHBhcnQgbm90IGNvdmVyZWQgYnkgdGhl IGF1dGhlbnRpY2F0aW9uIHJlbWFpbnMgYTwvc3Bhbj48YnI+PHNwYW4gY2xhc3M9ImZvbnRzdHls ZTAxIj5zdXJmYWNlIG9mIGF0dGFjay4gSXQgaXMgc3Ryb25nbHkgUkVDT01NRU5ERUQgdGhhdCB0 aGUgR2VuZXZlPC9zcGFuPjxicj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPkhlYWRlciBpcyBh dXRoZW50aWNhdGVkIHdpdGggYW50aSByZXBsYXkgcHJvdGVjdGlvbjwvc3Bhbj48L3NwYW4+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90 OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHBy ZSBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0Qi PjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHlsZT0iYmFja2dyb3VuZDp3 aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2Fs aWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPldoYXQgaXMgdGhlIHRocmVhdCBt b2RlbCBhbmQgdXNlIGNhc2UgdGhhdCBjYWxscyBmb3IgcGFydGlhbCBhdXRoZW50aWNhdGlvbi4g U2FtZSBjb21tZW50cyBhcyBwYXJ0aWFsIGVuY3J5cHRpb24gYXBwbGllcyB0byB0aGlzIGNvbW1l bnQgYXMgd2VsbC48bzpwPjwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91 bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpw Pjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIGNsYXNz PSJmb250c3R5bGUwMSI+U0VDLU9QLTk6IEEgc2VjdXJlIGRlcGxveW1lbnQgb2YgYSBHZW5ldmUg b3ZlcmxheSBNVVNUIGRlZmluZSB0aGU8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OkNv dXJpZXI7Y29sb3I6YmxhY2siPjxicj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPnNlY3VyaXR5 IHBvbGljaWVzIHRoYXQgYXNzb2NpYXRlcyB0aGUgZW5jcnlwdGlvbiwgYW5kPC9zcGFuPjxicj48 c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPmF1dGhlbnRpY2F0aW9uIGFzc29jaWF0ZWQgdG8gZWFj aCBmbG93IGJldHdlZW4gTlZFcy48bzpwPjwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wcmU+DQo8cHJl IHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+ PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5TRUMtT1AtMTA6IEEgc2VjdXJlIGRlcGxveW1lbnQg b2YgYSBHZW5ldmUgb3ZlcmxheSBTSE9VTEQgZGVmaW5lPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250 LWZhbWlseTpDb3VyaWVyO2NvbG9yOmJsYWNrIj48YnI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAx Ij5kaXN0aW5jdCBtYXRlcmlhbCBmb3IgZWFjaCBmbG93LiBUaGUgY3J5cHRvZ3JhcGhpYyBkZXBl bmRzIG9uIHRoZTwvc3Bhbj48YnI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5uYXR1cmUgb2Yg dGhlIGZsb3cgKG11bHRpY2FzdCwgdW5pY2FzdCkgYXMgd2VsbCBhcyBvbiB0aGUgc2VjdXJpdHk8 L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+bWVjaGFuaXNtIGVuYWJsZWQgdG8g cHJvdGVjdCB0aGUgZmxvdy48bzpwPjwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wcmU+DQo8cHJlIHN0 eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPjxvOnA+Jm5i c3A7PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNw YW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5TRUMtR0VOLTE1OiBBIEdlbmV2ZSBzZWN1cml0eSBtZWNo YW5pc20gTVVTVCBiZSBtYW5hZ2VkIHZpYTwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6 Q291cmllcjtjb2xvcjpibGFjayI+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+c2VjdXJp dHkgcG9saWNpZXMgYXNzb2NpYXRlZCBmb3IgZWFjaCB0cmFmZmljIGZsb3cgdG8gYmU8L3NwYW4+ PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+cHJvdGVjdGVkLiBHZW5ldmUgb3ZlcmxheSBw cm92aWRlciBNVVNUIGJlIGFibGUgdG8gY29uZmlndXJlIE5WRXM8L3NwYW4+PGJyPjxzcGFuIGNs YXNzPSJmb250c3R5bGUwMSI+d2l0aCBkaWZmZXJlbnQgc2VjdXJpdHkgcG9saWNpZXMgZm9yIGRp ZmZlcmVudCBmbG93cy4gQSBmbG93IE1VU1Q8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5 bGUwMSI+YmUgaWRlbnRpZmllZCBhdCBtaW5pbXVtIGJ5IHRoZSBHZW5ldmUgdmlydHVhbCBuZXR3 b3JrIGlkZW50aWZpZXI8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+YW5kIHRo ZSBpbm5lciBJUCBhbmQgdHJhbnNwb3J0IGhlYWRlcnMsIGFuZCBvcHRpb25hbGx5IGFkZGl0aW9u YWw8L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+ZmllbGRzIHdoaWNoIGRlZmlu ZSBhIGZsb3cgKGUuZy4sIGlubmVyIElQIERTQ1AsIElQdjYgZmxvdyBpZCw8L3NwYW4+PGJyPjxz cGFuIGNsYXNzPSJmb250c3R5bGUwMSI+R2VuZXZlIG9wdGlvbnMpPG86cD48L286cD48L3NwYW4+ PC9zcGFuPjwvcHJlPg0KPHByZSBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gY2xhc3M9 ImZvbnRzdHlsZTAxIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9 ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+PG86cD4mbmJzcDs8 L286cD48L3NwYW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNh bnMtc2VyaWY7Y29sb3I6IzFGNDk3RCI+SXQgaXMgbm90IGNsZWFyIGFzIHRvIHdoYXQgdGhyZWF0 IGlzIGJlaW5nIGFkZHJlc3NlZCBieSByZXF1aXJpbmcgZmxvdyBsZXZlbCBncmFudWxhcml0eS4m bmJzcDsgSWYgY29tbXVuaWNhdGlvbiBiZXR3ZWVuIE5WRSB0byBOVkUgbmVlZCBiZSBlbmNyeXB0 ZWQvYXV0aGVudGljYXRlZCwgdGhlbiwgYXQgYSBtaW5pbXVtLCBzZWN1cml0eSBwb2xpY3kgc2hv dWxkIGJlIGFwcGxpZWQgZm9yIHRoZSB0cmFmZmljIGJldHdlZW4sIGZvciBleGFtcGxlLCBOVkUg QSB0byBOVkUgQiBvciBOVkUgQSB0byBOVkUgQywgZXRjLiZuYnNwOyBBbnkgZ3JhbnVsYXJpdHkg YmV5b25kIHRoYXQgaXMgbm90IGEgcmVxdWlyZW1lbnQgdG8gYWRkcmVzcyBhbnkgdGhyZWF0LiBU aGlzIGlzIHVuZHVlIGJ1cmRlbiBvbiBOVkVzLCBub3QgbmVlZGVkIHRvIGFkZHJlc3Mgc3BlY2lm aWMgdGhyZWF0IG9yIGRlZmluZSB0aGUgdGhyZWF0IG1vZGVsLiAmbmJzcDsmbmJzcDtIZW5jZSBy ZW1vdmUgZmxvdyBsZXZlbCBncmFudWxhcml0eSByZXF1aXJlbWVudC4mbmJzcDsgPG86cD48L286 cD48L3NwYW4+PC9wcmU+DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMt c2VyaWY7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wcmU+DQo8cHJl IHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPlNFQy1H RU4tMTc6IEEgR2VuZXZlIHNlY3VyaXR5IG1lY2hhbmlzbXMsIHdoZW4gbXVsdGljYXN0IGlzIHVz ZWQsPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpDb3VyaWVyO2NvbG9yOmJsYWNrIj48 YnI+PHNwYW4gY2xhc3M9ImZvbnRzdHlsZTAxIj5wYWNrZXRzLE1VU1QgYmUgYWJsZSB0byBhc3Np Z24gZGlzdGluY3QgY3J5cHRvZ3JhcGhpYyBncm91cCBrZXlzPC9zcGFuPjxicj48c3BhbiBjbGFz cz0iZm9udHN0eWxlMDEiPnRvIHByb3RlY3QgdGhlIG11bHRpY2FzdCBwYWNrZXRzIGV4Y2hhbmdl ZCBhbW9uZyB0aGUgTlZFcyB3aXRoaW48L3NwYW4+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUw MSI+ZGlmZmVyZW50IG11bHRpY2FzdCBncm91cHMuIFVwb24gcmVjZWl2aW5nIGEgZGF0YSBwYWNr ZXQsIGFuPC9zcGFuPjxicj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEiPmVncmVzcyBHZW5ldmUg TlZFIE1VU1QgYmUgYWJsZSB0byB2ZXJpZnkgd2hldGhlciB0aGUgcGFja2V0IGlzPC9zcGFuPjwv c3Bhbj48c3BhbiBjbGFzcz0iTXNvSHlwZXJsaW5rIj4gPG86cD48L286cD48L3NwYW4+PC9wcmU+ DQo8cHJlIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBjbGFzcz0iZm9udHN0eWxlMDEi PnNlbnQgZnJvbSBhIHByb3BlciBpbmdyZXNzIE5WRSB3aGljaCBpcyBhdXRob3JpemVkIHRvIGZv cndhcmQgdGhhdDwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6Q291cmllcjtjb2xvcjpi bGFjayI+PGJyPjxzcGFuIGNsYXNzPSJmb250c3R5bGUwMSI+cGFja2V0LjxvOnA+PC9vOnA+PC9z cGFuPjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIGNs YXNzPSJmb250c3R5bGUwMSI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wcmU+DQo8cHJlIHN0 eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250 LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3RCI+TmVl ZCB0byBkZWZpbmUgdGhlIHRocmVhdCBtb2RlbCBmb3IgbXVsdGljYXN0LCBkZWZpbmUgbXVsdGlj YXN0LCAmbmJzcDttb3N0IGRlcGxveW1lbnRzIG11bHRpY2FzdCBpcyBpbXBsZW1lbnRlZCB1c2lu ZyBtdWx0aXBsZSB1bmljYXN0LiBTbyB0aGUgcmVxdWlyZW1lbnQgZG9lcyBub3QgYXBwbHkgdG8g c3VjaCBkZXBsb3ltZW50cy48bzpwPjwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJh Y2tncm91bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNw OzwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFu IGNsYXNzPSJmb250c3R5bGUwMSI+OC4gQXBwZW5kaXg8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2Nv bG9yOiMxRjQ5N0QiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHlsZT0iYmFja2dy b3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9v OnA+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5z LXNlcmlmO2NvbG9yOiMxRjQ5N0QiPkkgc3VnZ2VzdCB0byByZW1vdmUgdGhlIGVudGlyZSBBcHBl bmRpeCBmcm9tIHRoZSBkb2N1bWVudC4gTGV0IHVzIGZpcnN0IGFncmVlIG9uIHRoZSByZXF1aXJl bWVudHMgYmVmb3JlIHdlIGdldCBpbnRvIG1hcHBpbmcgZGlmZmVyZW50IHNvbHV0aW9ucyB0byBt ZWV0IHRoZSByZXF1aXJlbWVudHMuIDxvOnA+PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHls ZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHByZSBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx dW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPlRoYW5rcyw8bzpwPjwvbzpwPjwvc3Bhbj48 L3ByZT4NCjxwcmUgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xv cjojMUY0OTdEIj5JbGFuZ288bzpwPjwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwIGNsYXNzPSJNc29O b3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEx LjBwdDtjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xvcjojMUY0OTdE Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48YSBu YW1lPSJfTWFpbEVuZENvbXBvc2UiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9y OiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvYT48L3A+DQo8ZGl2Pg0KPGRpdiBz dHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjRTFFMUUxIDEuMHB0O3BhZGRpbmc6 My4wcHQgMGluIDBpbiAwaW4iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGEgbmFtZT0iX19fX19y ZXBseXNlcGFyYXRvciI+PC9hPjxiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0Ij5Gcm9t Ojwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQiPiBudm8zIFttYWlsdG86 bnZvMy1ib3VuY2VzQGlldGYub3JnXQ0KPGI+T24gQmVoYWxmIE9mIDwvYj5Cb2NjaSwgTWF0dGhl dyAoTm9raWEgLSBHQik8YnI+DQo8Yj5TZW50OjwvYj4gV2VkbmVzZGF5LCBBcHJpbCAxMCwgMjAx OSA3OjM4IEFNPGJyPg0KPGI+VG86PC9iPiBOVk8zICZsdDtudm8zQGlldGYub3JnJmd0Ozxicj4N CjxiPlN1YmplY3Q6PC9iPiBbbnZvM10gUG9sbCBmb3IgYWRvcHRpb24gb2YgZHJhZnQtbWdsdC1u dm8zLWdlbmV2ZS1zZWN1cml0eS1yZXF1aXJlbWVudHMtMDY8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQt c2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPlRoaXMgZW1haWwgYmVnaW5zIGEgc2Vjb25kIHR3by13 ZWVrIHBvbGwgZm9yJm5ic3A7YWRvcHRpb24mbmJzcDtvZiBkcmFmdC1tZ2x0LW52bzMtZ2VuZXZl LXNlY3VyaXR5LXJlcXVpcmVtZW50cy0wNiBpbiB0aGUgTlZPMyB3b3JraW5nIGdyb3VwLjwvc3Bh bj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImNvbG9yOmJsYWNrIj48bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZv bnQtc2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9udC1zaXpl OjExLjBwdDtjb2xvcjpibGFjayI+UGxlYXNlIHJldmlldyB0aGUgZHJhZnQgYW5kIHNlbmQgYW55 IGNvbW1lbnRzIHRvIHRoZSBOVk8zIGxpc3QuPC9zcGFuPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHls ZT0iY29sb3I6YmxhY2siPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xvcjpibGFj ayI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gbGFuZz0iRU4tR0IiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2NvbG9yOmJsYWNrIj5QbGVh c2UgYWxzbyBpbmRpY2F0ZSB3aGV0aGVyIHlvdSBzdXBwb3J0Jm5ic3A7YWRvcHRpb24mbmJzcDtv ZiB0aGUgZHJhZnQgYXMgYW4gTlZPMyB3b3JraW5nIGdyb3VwIGRvY3VtZW50Ljwvc3Bhbj48c3Bh biBsYW5nPSJFTi1HQiIgc3R5bGU9ImNvbG9yOmJsYWNrIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtc2l6 ZToxMS4wcHQ7Y29sb3I6YmxhY2siPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9udC1zaXplOjExLjBw dDtjb2xvcjpibGFjayI+Tm90ZSB0aGF0IHN1cHBvcnRpbmcgd29ya2luZyBncm91cCBhZG9wdGlv biBpbmRpY2F0ZXMgdGhhdCB5b3UgdGhpbmsgdGhlIGRyYWZ0IGlzIGhlYWRlZCBpbiB0aGUgcmln aHQgZGlyZWN0aW9uIGFuZCByZXByZXNlbnRzIGEgcGllY2Ugb2Ygd29yayB0aGF0IHRoZSB3b3Jr aW5nIGdyb3VwIHNob3VsZCB0YWtlIG9uDQogYW5kIHByb2dyZXNzLiBJdCBkb2VzIG5vdCBoYXZl IHRvIGJlIHRlY2huaWNhbGx5IHBlcmZlY3QgYXQgdGhpcyBzdGFnZS48bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZv bnQtc2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9udC1zaXpl OjExLjBwdDtjb2xvcjpibGFjayI+VGhpcyBwb2xsIGNsb3NlcyBvbiBXZWRuZXNkYXkgMjR0aCBB cHJpbCAyMDE5Ljwvc3Bhbj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImNvbG9yOmJsYWNrIj48 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJF Ti1HQiIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Y29sb3I6YmxhY2siPjxvOnA+Jm5ic3A7PC9v OnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBz dHlsZT0iZm9udC1zaXplOjExLjBwdDtjb2xvcjpibGFjayI+UmVnYXJkczwvc3Bhbj48c3BhbiBs YW5nPSJFTi1HQiIgc3R5bGU9ImNvbG9yOmJsYWNrIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtc2l6ZTox MS4wcHQ7Y29sb3I6YmxhY2siPk1hdHRoZXcgYW5kIFNhbTwvc3Bhbj48c3BhbiBsYW5nPSJFTi1H QiIgc3R5bGU9ImNvbG9yOmJsYWNrIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9w Pg0KPC9kaXY+DQo8L2JvZHk+DQo8L2h0bWw+DQo= --_000_C5A274B25007804B800CB5B289727E359052C181ORSMSX116amrcor_-- From nobody Thu Apr 25 14:04:55 2019 Return-Path: X-Original-To: nvo3@ietfa.amsl.com Delivered-To: nvo3@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7BC0120025 for ; Thu, 25 Apr 2019 14:04:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.648 X-Spam-Level: X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G-ZAPMTP2568 for ; Thu, 25 Apr 2019 14:04:48 -0700 (PDT) Received: from mail-lf1-f54.google.com (mail-lf1-f54.google.com [209.85.167.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B65EB1200FF for ; Thu, 25 Apr 2019 14:04:47 -0700 (PDT) Received: by mail-lf1-f54.google.com with SMTP id h126so841511lfh.4 for ; Thu, 25 Apr 2019 14:04:47 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lqfl+HlDgD3HyA88XD2y1AKUrkGrR/lJhiEeWvlKlVo=; b=oSAIUyInXLeX24VkZk5qbIxszgc7s5TDs5OivFvGjI1O6AUKM7b7034LxVFJNwZE/F Z8BbgxPgPLIDyvJstksAXeoT188Zln3febgAH00gRs09/32dwnxckqJg7WkAcgWhAdJQ yiddiLbIVEVt6d4y9T/A2e9LihCmA8TinMxdRQaTwHQnSOe3WJRve2R9coa+OtoSUTYi rjEYd5syxxRoO9+MeUU9tm4qhAhUHSQUA83W/JXNMQwZllO11/jRA1lzYI5Ur9HlgVPN fvotrKwjle8ZUHMPPushABxmy5ZyAvvi6uBvSMgaWwLV38o5Wlo/tTKOXDZtBwRJEJdn KBVA== X-Gm-Message-State: APjAAAWyKqBVQogHDem3qTv5C/PBzls2VsdnZ5mhdAo7EwxcDplk8fLO BIUnUXJVBVNEvhlD1ury3K2R1PVPKYIQXe0mEFI= X-Google-Smtp-Source: APXvYqzBn3Z6ntHjd6mUcMhbCxdZJJHc6VbyMru4pPQaKsbN0gZaiY3A4LXdJERgtXyt6RhSOVBsduRfqbl40a4QZr0= X-Received: by 2002:ac2:5a11:: with SMTP id q17mr3809601lfn.145.1556226285496; Thu, 25 Apr 2019 14:04:45 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Daniel Migault Date: Thu, 25 Apr 2019 17:04:33 -0400 Message-ID: To: "Ganga, Ilango S" Cc: NVO3 Content-Type: multipart/alternative; boundary="000000000000efee890587612ab0" Archived-At: Subject: Re: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security-requirements-06 X-BeenThere: nvo3@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2019 21:04:53 -0000 --000000000000efee890587612ab0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, In my opinion most concerns raised are irrelevant. While the requirements are derived from the threat model, it seems this section has been ignored. I am addressing them all in line and further discussion may happen after the document is adopted. I agree that further discussion should happen on the mailing list, but I do not think we can be blamed for not requesting these discussion to happen. In any case, adoption does not mean that no changes will be possible. I have a big concern regarding the following comment and would like further clarifications, though this could happen after adoption as well. > > SEC-GEN-13: Geneve Security mechanism MUST provide means for a > transit device to authenticate data prior it is being processed. > > > > This requirement is not consistent with Geneve architecture, hence remove= this requirement. > > > > My reading of your comment is that you are mandating that transit devices are not expected to be able to authenticate the data they process. Could you clarify your concern as well you clarify where the inconsistency is? Text from the geneve architecture would be welcome. My understanding is that the requirement that transit device authenticate the option they process has been stated at the mic by David at the mic during the Prague meeting. As a result, I am very confused by that concern. Of course if that is inconsistent with the Geneve architecture, such requirement will be removed. . Yours, Daniel On Wed, Apr 24, 2019 at 7:57 PM Ganga, Ilango S wrote: > Hello WG Chair, Authors and WG, > > > > I reviewed the new version of the draft. The document still has not > addressed many of the comments raised on the previous versions of the > draft. This version still makes certain assumptions on the functionality = of > transit devices that is not consistent with Geneve architecture. > > > > It is not about technical perfection, the architectural issue and the > assumption of the threat model due to this effect needs to be addressed > before the adoption of this draft as WG document. > > > > The document calls for undue requirements and prescriptive of NVE > implementations and solutions that are either not necessary nor practical > for deployments (details below). Some of the requirements are optimizatio= ns > that are not absolute requirements for securing overlays. > > > > We need to first baseline on a threat model as applicable to Geneve and i= n > general overlays in NVO3. How are such threats being addressed by other > encapsulations protocols like IP-in-IP, GRE, UDP encapsulation protocols > like GRE-in-UDP, MPLS-in-UDP, etc., Apply those learnings and focus on > addressing specific threats applicable to Geneve deployment models inste= ad > over-specifying or gratuitous requirements and prescribing solutions. Man= y > of these issues need to be addressed by the document. > > > My understanding of your comment is that you are missing a threat model for geneve and NVO3 as well as a section on how many of these protocol are addressing these threats. The draft focuses on geneve and Section 4 of the draft describes the threat model for geneve. From the threat model security requirements are derived. My understanding is that comparison on how other protocol address the security is part of the solution space which is out of scope of the current document. > Hence, I do not support the adoption of the draft in its current form. > > > > Please see below for list of comments on the current draft: > > > > General comments related to the draft: > > SEC-OP vs SEC-GEN requirements. There was lengthy discussion in NVO3 WG > meeting on should we have SEC-OP and SEC-GEN requirements, should we > include SEC-OP, how to get feedback from operators, should this be in a > single document or multiple separate documents etc., There was no consens= us > on this issue. Hence we still need to revisit this issue. There was > supposed to be mailing list discussion on this topic. However, I did not > see such discussion. > > https://datatracker.ietf.org/meeting/103/materials/minutes-103-nvo3-00 > > > If I understand correctly your comment, you would like a discussion on how to deal with the SEC-GEN, SEC-OP requirements. The question was do we want to have SEC-OP in that document or in another one. I am happy to do what the WG wants. Nothing prevents this to be done after adoption. > I-D.ietf-nvo3-security-requirements document. There is a reference to thi= s > document from the geneve security requirements draft. There is good amoun= t > of information, including the threat model, that is defined in the > NVO3-secuirty-requirements document, and data plane and control plane > requirements are also defined. We need to deicide as to what do we do wi= th > respect to the NVO3 security requirements document, and how do we pull in > the information into this draft or other option is to revive the already > adopted NVO3 WG document. > > > Again, this is out of scope of that call for adoption. The current document deals with Geneve, not nvo3 in general. Adoption of the geneve security requirement do not prevent nvo3 security requirements to be revived. This has been already discussed in session and is not a topic we are ignoring. > In general we need some serious discussion on the mailing list on the > direction defining the threat model and direction we should take in > defining the requirements. > > > My vision is that we have made all possible effort to get these discussions, through an issue tracker, a mailing list conference calls. We also have been responsive to concerned we got. You are correct that not being responsive does not help and we are happy to have those discussions on the mailing list. I do not believe that prevents adoption of the document. > Specific comments related to Requirements: > > > > SEC-OP-1: A secure deployment of a Geneve overlay SHOULD by > default encrypt the inner payload. A Geneve overlay provider MAY > disable this capability for example when encryption is performed > by the Tenant System and that level of confidentiality is believed > to be sufficient. In order to provide additional protection to > traffic already encrypted by the Tenant the Geneve network > operator MAY partially encrypt the clear part of the inner > payload. > > > > SEC-GEN-2: Geneve security mechanism SHOULD provide the capability > to partially encrypt the inner payload header. > > > > SEC-OP-4: A secure deployment of a Geneve overlay MUST provide the > capability authenticate the inner payload when encryption is not > provided. A Geneve overlay provider MAY disable this capability > for example when this is performed by the Tenant System and that > level of integrity is believed to be sufficient. In order to > provide additional protection to traffic already protected by the > Tenant the Geneve network operator MAY partially protect the > unprotected part of the inner payload. > > > > > > Partial encryption (SEC-OP-1 and SEC-GEN2) is an optimization (as had bee= n > indicated in a comment on the previous version of this draft) and should > not be a requirement. The traffic between NVE pairs should be secured an= d > operator may have a policy to encrypt the traffic irrespective of the any > security mechanisms employed by the Tenant Systems Also an NVE may handle > traffic from multiple TSes and hence the service provider may enable > encryption between NVE pairs. So partial encryption or selective encrypti= on > should not be a requirement. > > Your comment seems to say these requirements prevent a NVE to encrypt the traffic irrespective to the TSs. This is wrong and SHOULD makes this requirement non blocking. The appendix provides also two examples of DTLS and IPsec that do not have this capability and such requirement does not block IPsec nor TLS to be used. In addition, the same requirement is in the nvo3 security requirement. As result, your concern does not seem relevant. > > > SEC-OP-3: A secure deployment of a Geneve overlay MUST evaluate > the risk associated to traffic pattern recognition. When a risk > has been identified, traffic pattern recognition MUST be addressed > with padding policies as well as generation of dummy packets. > > > > SEC-GEN-6: Geneve security mechanism MUST provide the ability to > pad a Geneve packet. > > > > SEC-GEN-7: Geneve security mechanism MUST provide the ability to > send dummy packets. > > > > SEC-OP-3 and SEC-GEN-6: The requirements document should stay with statin= g > requirements and not prescribe a solution(s). This comment was already > submitted in the previous version of the document. =E2=80=9Ctraffic patt= ern > recognition MUST be addressed with padding policies as well as generation > of dummy packets=E2=80=9D This is an undue requirement on NVE implementa= tions > which is not necessary and should not be in the requirements. Need to > clearly explain what additional security risk is caused because Geneve > encapsulation vs standard IP transport and why such a requirement is > mandatory. Any such risk can be mitigated by existing security mechanisms > for communication between NVEs. > > > Your comment seems to indicate we are prescribing solutions or preventing existing solution to be re-used. In addition, you indicate a threat model should be provided. I do not think that is correct. I do not think we are mentioning any solution, nor prescribing any. Then requirements are based on threat models provided in section 4. I do not see any comments regarding threat model, thus I assume you agree with it. Appendix section illustrates that IPsec fulfil SEC-GEN-6, so existing mechanisms can be re-used. Your concern, up to my understanding does not seem relevant. Please lt us know how section 4 (threat model) as well as the appendix can be clarified, if needed. > SEC-GEN-1: Geneve security mechanism MUST provide the capability > to encrypt the inner payload. > > > > Define the threat model where only the inner payload should be selectivel= y > encrypted. The requirements should be to address a specific threat model. > Not all deployments need encryption. > > > You are reading the word "only" but I don't. On the other hand, you do not see the threat model section but I do. The requirement addresses traffic sniffing (this is the title of the section), in which case authentication provides no protection. Your concern is not relevant. > SEC-GEN-3: Geneve security mechanism MUST provide means to encrypt > a single or a set of zero, one or multiple Geneve Options while > leave other Geneve Options in clear. Reversely, a Geneve security > mechanism MUST be able to leave a Geneve option in clear, while > encrypting the others. > > > > SEC-GEN-4: Geneve security mechanism MUST provide means to encrypt > the information of Geneve Header (excluding Geneve Options). > Reversely, a Geneve security mechanism MUST be able to leave in > clear Geneve Header information (Geneve Options excluded) while > encrypting the other. > > > > SEC-GEN-5: Geneve security mechanisms MUST provide the ability to > provide confidentiality protection between multiple nodes, i.e. > multiple transit devices and a NVE. > > > > > > SEC-GEN-3,4 and SEC-GEN-5,6,7: All these SEC-GEN requirements (for partia= l encryption) are optimizations which should not be part of requirements es= pecially with =E2=80=9CMUST=E2=80=9D mandates. > > The main objective of requirements is for protecting the traffic between = the NVEs (privacy/integrity/confidentiality). Applying partial encryption i= s more of an optimization than to mitigate any specific threat especially w= hen other existing mechanisms are available to protect communications betwe= en NVEs. Specify the use cases where options need to selectively encrypted= . What is the threat model and why such partial encryption of options is re= quired. So adding requirements for partial headers/payload/options could n= ot be considered as a security requirement to address a security threat, he= nce these requirements must not be included. > > > > You seem to indicate that the requirement are not based on a threat model. The requirement does not come from an optimization perspective. Such requirements comes from the presence of transit nodes. The exact same requirement have been mentioned at the mic by David Black during the Prague meeting. I agreed, none objected. It you want transit device to coexist with a security mechanism this is a necessary requirement. Otherwise you will have to chose between transit device OR security. This is exactly what makes transit devices not OPTIONNAL. IPv6 and IPsec handle transit devices, in a clean way, but Genev is not willing to learn from this. Your concern and this discussion is out of scope of the document but in the scope of the Geneve specification. SEC-OP-5: A secure deployment of a Geneve overlay MUST evaluate > the risk associated to a change of the Geneve Outer Header, Geneve > Header (excluding Geneve Options) and Geneve Option. When a risk > analysis concludes that the risk is too high, this piece of > information MUST be authenticated. > > > > SEC-OP-6: A secure deployment of a Geneve overlay SHOULD > authenticate communications between NVE to protect the Geneve > Overlay infrastructure as well as the Tenants System=E2=80=99s > communications (Geneve Packet). A Geneve overlay provider MAY > disable authentication of the inner packet and delegates it to the > Tenant Systems when communications between Tenant=E2=80=99s System is > secured. This is NOT RECOMMENDED. Instead, it is RECOMMENDED > that mechanisms binds the inner payload to the Geneve Header. To > prevent injection between virtualized network, it is strongly RECOMMENDED= that at least the Geneve Header without Geneve Options > is authenticated. > > > > What specific risk does the operator see based on the threat model and wh= at piece of information should be authenticated, > > why this should be selectively authenticated as called for in these requi= rements? Can you specify the usage model for these requirements. > > The threat model and risks are described in section 4. Authentication of Options or metadata is not something new. The threat model of protecting the NVI is to prevent packets to be steered in the wrong network. Unless I am not understanding your comment, I believe it is irrelevant here. Maybe it could be handled in clarifying the threat model, but that is not something your seem to have concern with. > > > SEC-OP-7: A secure deployment of a Geneve overlay SHOULD NOT > process data prior authentication. If that is not possible, the > Geneve overlay provider SHOULD evaluate its impact. > > > > This is too generic, what should the operator do with this requirement, = =E2=80=9C=E2=80=A6SHOUD evaluate its impact=E2=80=9D? > > The operator needs to ensure authentication is performed prior the data is processed. I do not see how to clarify the purpose. This requirement comes from the transit devices, and the purpose is to avoid option being for example processed by a transit device and authenticated by the NVE. > > > SEC-GEN-8: Geneve security mechanism MUST provide the capability > to authenticate the inner payload. > > SEC-GEN-9: Geneve security mechanism SHOULD provide the capability > to partially authenticate the inner payload header. > > SEC-GEN-10: Geneve security mechanism MUST provide the capability > to authenticate a single or a set of options while leave other > Geneve Option unauthenticated. Reversely, a Geneve security > mechanism MUST be able to leave a Geneve option unauthenticated, > while encrypting the others. > > > > SEC-GEN-11: Geneve security mechanism MUST provide means to > authenticate the information of Geneve Header (Geneve Option > excluded). Reversely, a Geneve security mechanism MUST be able to > leave unauthenticated Geneve header information (Geneve Options > excluded) while authenticating the other. > > > > What is the threat model and what is use case that is driving the partial= encryption or authentication of options? > > see section 4 for the threat model. > > > SEC-GEN-13: Geneve Security mechanism MUST provide means for a > transit device to authenticate data prior it is being processed. > > > > This requirement is not consistent with Geneve architecture, hence remove= this requirement. > > > > My reading of your comment is that you are mandating that transit devices are not expected to process the data they process. Could clarify your concern as well you clarify where the inconsistency is? Text from the geneve architecture would be welcome. The requirement that transit device authenticate the option they process has been stated at the mic by David at the mic during the Prague meeting. As a result, I am very confused. Of course if that is inconsistent with the Geneve architecture, such requirement will be removed. But further discussion is needed, and being unresponsive will not help. SEC-OP-8: A secure deployment of a Geneve overlay MUST evaluate > the communications subject to replay attacks. Communications that > are subject to this attacks MUST be authenticated with an anti > replay mechanism. Note that when partial authentication is > provided, the part not covered by the authentication remains a > surface of attack. It is strongly RECOMMENDED that the Geneve > Header is authenticated with anti replay protection > > > > What is the threat model and use case that calls for partial authenticati= on. Same comments as partial encryption applies to this comment as well. > > > > same response. please read the threat model section. The concern i= s > SEC-OP-9: A secure deployment of a Geneve overlay MUST define the > security policies that associates the encryption, and > authentication associated to each flow between NVEs. > > > > SEC-OP-10: A secure deployment of a Geneve overlay SHOULD define > distinct material for each flow. The cryptographic depends on the > nature of the flow (multicast, unicast) as well as on the security > mechanism enabled to protect the flow. > > > > SEC-GEN-15: A Geneve security mechanism MUST be managed via > security policies associated for each traffic flow to be > protected. Geneve overlay provider MUST be able to configure NVEs > with different security policies for different flows. A flow MUST > be identified at minimum by the Geneve virtual network identifier > and the inner IP and transport headers, and optionally additional > fields which define a flow (e.g., inner IP DSCP, IPv6 flow id, > Geneve options) > > > > > > It is not clear as to what threat is being addressed by requiring flow le= vel granularity. If communication between NVE to NVE need be encrypted/aut= henticated, then, at a minimum, security policy should be applied for the t= raffic between, for example, NVE A to NVE B or NVE A to NVE C, etc. > > > Any granularity beyond that is not a requirement to address any threat. T= his is undue burden on NVEs, not needed to address specific threat or defin= e the threat model. Hence remove flow level granularity requirement. > > This needs further discussion in the working group to what level of granularity we want. The discussion can happen after adoption. > > > SEC-GEN-17: A Geneve security mechanisms, when multicast is used, > packets,MUST be able to assign distinct cryptographic group keys > to protect the multicast packets exchanged among the NVEs within > different multicast groups. Upon receiving a data packet, an > egress Geneve NVE MUST be able to verify whether the packet is > > sent from a proper ingress NVE which is authorized to forward that > packet. > > > > Need to define the threat model for multicast, define multicast, most de= ployments multicast is implemented using multiple unicast. So the requireme= nt does not apply to such deployments. > > > > My reading of your comment is that as multicast can be replaced by multiple unicast, the requirement should be removed. The document is focused on Geneve which may use multicast, not to replace multicast. The nvo3 security requirement document got similar requirements. I believe your concern is irrelevant to the document. > 8. Appendix > > > > I suggest to remove the entire Appendix from the document. Let us first a= gree on the requirements before we get into mapping different solutions to = meet the requirements. > > I believe that the appendix is illustrating the requirements and as such is useful to understand the requirements as well as how to read them. Ithe appendix was completed based on the comments received from the secdir reviewer of the geneve document. Of course the requirement needs to be agreed on. However, I believe that lots of your concerns could have been avoided if this section has been read, so I strongly believe it is a useful section. > > > Thanks, > > Ilango > > > > > > > > *From:* nvo3 [mailto:nvo3-bounces@ietf.org] *On Behalf Of *Bocci, Matthew > (Nokia - GB) > *Sent:* Wednesday, April 10, 2019 7:38 AM > *To:* NVO3 > *Subject:* [nvo3] Poll for adoption of > draft-mglt-nvo3-geneve-security-requirements-06 > > > > This email begins a second two-week poll for adoption of > draft-mglt-nvo3-geneve-security-requirements-06 in the NVO3 working group= . > > > > Please review the draft and send any comments to the NVO3 list. > > > > Please also indicate whether you support adoption of the draft as an NVO3 > working group document. > > > > Note that supporting working group adoption indicates that you think the > draft is headed in the right direction and represents a piece of work tha= t > the working group should take on and progress. It does not have to be > technically perfect at this stage. > > > > This poll closes on Wednesday 24th April 2019. > > > > Regards > > Matthew and Sam > > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > --000000000000efee890587612ab0 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
    Hi,=C2=A0

    In my opinion most concerns raised are irrelevant. While th= e requirements are derived from the threat model, it seems this section has= been ignored.=C2=A0=C2=A0
    I am addressing them all in line and f= urther discussion may happen after the document is adopted. I agree that fu= rther discussion should happen on the mailing list, but I do not think we c= an be blamed for not requesting these discussion to happen. In any case, ad= option does not mean that no changes will be possible.=C2=A0

    =
    I have a big concern regarding the following comment and would l= ike further clarifications, though this could happen after adoption as well= .

    =C2=A0
    SEC-GEN-13: Geneve Security mechanism MUST provide mea=
ns for a
    transi=
t device to authenticate data prior it is being processed.
    =C2=A0
    This requirement is not consistent with Geneve archite=
cture, hence remove this requirement. 
    =C2=A0
    <= ;mglt>My reading of your comment is that you are mandating that transit = devices are not expected to be able to authenticate the data they process. = Could you clarify your concern as well you clarify where the inconsistency = is? Text from the geneve architecture would be welcome. My understanding is= that the requirement that transit device authenticate the option they proc= ess has been stated at the mic by David at the mic during the Prague meetin= g. As a result, I am very confused by that concern. Of course if that is in= consistent with the Geneve architecture, such requirement will be removed. = .</mglt>

    Yours,=C2=A0
    Daniel=


    On Wed, Apr 24, 2019 at 7:57 PM Ganga, Ilango S = <ilango.s.= ganga@intel.com> wrote:

    = Hello WG Chair, Authors and WG,

    = =C2=A0

    = I reviewed the new version of the draft. The document still has not address= ed many of the comments raised on the previous versions of the draft. This = version still makes certain assumptions on the functionality of transit devices that is not consistent with Geneve ar= chitecture.

    = =C2=A0

    = It is not about technical perfection, the architectural issue and the assum= ption of the threat model due to this effect needs to be addressed before t= he adoption of this draft as WG document.

    = =C2=A0

    = The document calls for undue requirements and prescriptive of NVE implement= ations and solutions that are either not necessary nor practical for deploy= ments (details below). Some of the requirements are optimizations that are not absolute requirements for securing overlays= . =C2=A0

    = =C2=A0

    = We need to first baseline on a threat model as applicable to Geneve and in = general overlays in NVO3.=C2=A0 How are such threats being addressed by oth= er encapsulations protocols like IP-in-IP, GRE, UDP encapsulation protocols like GRE-in-UDP, MPLS-in-UDP, etc., =C2=A0=C2= =A0=C2=A0Apply those learnings and focus on addressing =C2=A0specific threa= ts applicable to Geneve deployment models instead over-specifying or gratui= tous requirements and prescribing solutions. Many of these issues need to be addressed by the document.

    = =C2=A0

    <mglt>My unders= tanding of your comment is that you are missing a threat model for geneve a= nd NVO3 as well as a section on how many of these protocol are addressing t= hese threats. The draft focuses on geneve and Section 4 of the draft descri= bes the threat model for geneve. From the threat model security requirement= s are derived. My understanding is that comparison on how other protocol ad= dress the security is part of the solution space which is out of scope of t= he current document. </mglt>
    =C2=A0=C2=A0=C2=A0

    <= /span>

    = Hence, I do not support the adoption of the draft in its current form.

    = =C2=A0

    = Please see below for list of comments on the current draft:

    = =C2=A0

    = General comments related to the draft:

    = SEC-OP vs SEC-GEN requirements. There was lengthy discussion in NVO3 WG mee= ting on should we have SEC-OP and SEC-GEN requirements, should we include S= EC-OP, how to get feedback from operators, should this be in a single document or multiple separate documents etc., T= here was no consensus on this issue. Hence we still need to revisit this is= sue.=C2=A0 There was supposed to be mailing list discussion on this topic.= =C2=A0 However, I did not see such discussion.

    https://datatracker.ietf.o= rg/meeting/103/materials/minutes-103-nvo3-00

    =C2=A0

    <m= glt>If I understand correctly your comment, you would like a discussion = on how to deal with the SEC-GEN, SEC-OP requirements. The question was do w= e want to have SEC-OP in that document or in another one. I am happy to do = what the WG wants. Nothing prevents this to be done after adoption. </mg= lt>=C2=A0
    =C2=A0

    = I-D.ietf-nvo3-security-requirements document. There is a reference to this = document from the geneve security requirements draft. There is good amount = of information, including the threat model, that is defined in the NVO3-secuirty-requirements document, and data plane= and control plane requirements are also defined.=C2=A0 We need to deicide = as to what do we do with respect to the NVO3 security requirements document= , and how do we pull in the information into this draft or other option is to revive the already adopted NVO3 WG d= ocument.

    = =C2=A0

    <mglt>Again, th= is is out of scope of that call for adoption. The current document deals wi= th Geneve, not nvo3 in general. Adoption of the geneve security requirement= do not prevent nvo3 security requirements to be revived. This has been alr= eady discussed in session and is not a topic we are ignoring. </mglt>=
    =C2=A0

    = In general we need some serious discussion on the mailing list on the direc= tion defining the threat model and direction we should take in defining the= requirements.

    = =C2=A0

    <mglt>My vision= is that we have made all possible effort to get these discussions, through= an issue tracker, a mailing list conference calls. We also have been respo= nsive to concerned we got. You are correct that not being responsive does n= ot help and we are happy to have those discussions on the mailing list. I d= o not believe that prevents adoption of the document.</mglt>=C2=A0 = =C2=A0
    =C2=A0

    = Specific comments related to Requirements:

    = =C2=A0

    SEC-OP-1: A secure = deployment of a Geneve overlay SHOULD by
    default encrypt the inner payload. A Geneve overlay provider MAY disable this capability for example when encryption is performed by the Tenant System and that level of confidentiality is believed=
    to be sufficient. In order to provide additional protection to
    traffic already encrypted by the Tenant the Geneve network
    operator MAY partially encrypt the clear part of the inner
    payload.

    =C2=A0

    SEC-GEN-2: Geneve s= ecurity mechanism SHOULD provide the capability
    to partially encrypt the inner payload header.

    =C2=A0

    SEC-OP-4: A secure = deployment of a Geneve overlay MUST provide the
    capability authenticate the inner payload when encryption is not provided. A Geneve overlay provider MAY disable this capability for example when this is performed by the Tenant System and that level of integrity is believed to be sufficient. In order to
    provide additional protection to traffic already protected by the<= br> Tenant the Geneve network operator MAY partially protect the
    unprotected part of the inner payload.

    =C2=A0

    =C2=A0

    Partial encryption (SEC-OP-1 and SEC-GEN2) is an= optimization (as had been indicated in a comment on the previous version o= f this draft) and should not be a requirement.=C2=A0 The traffic between NVE pairs should be secured and operator may have a po= licy to encrypt the traffic irrespective of the any security mechanisms emp= loyed by the Tenant Systems Also an NVE may handle traffic from multiple TS= es and hence the service provider may enable encryption between NVE pairs. So partial encryption or selectiv= e encryption should not be a requirement.

    =
    <mglt>Your comment seems to say these requirements pre= vent a NVE to encrypt the traffic irrespective to the TSs. This is wrong an= d SHOULD makes this requirement non blocking. The appendix provides=C2=A0 a= lso two examples of DTLS and IPsec that do not have this capability and suc= h requirement does not block IPsec nor TLS to be used. In addition, the sam= e requirement is in the nvo3 security requirement. As result, your concern = does not seem relevant. </mglt>

    =C2=A0

    SEC-OP-3: A secure deployment of a Geneve overlay MUST evaluate the risk associated to traffic pattern recognition. When a risk has been identified, traffic pattern recognition MUST be addressed=
    with padding policies as well as generation of dummy packets.

    =C2=A0

    SEC-GEN-6: Geneve security mechanism MUST provide the ability to<= br> pad a Geneve packet.

    =C2=A0

    SEC-GEN-7: Geneve security mechanism MUST provide the ability to<= br> send dummy packets.

    =C2=A0

    SEC-OP-3 and SEC-GEN-6: The requirements documen= t should stay with stating requirements and not prescribe a solution(s). Th= is comment was already submitted in the previous version of the document. =C2=A0=E2=80=9Ctraffic pattern recognition MUST b= e addressed with padding policies as well as generation of dummy packets=E2= =80=9D=C2=A0 This is an undue requirement on NVE implementations which is n= ot necessary and should not be in the requirements.=C2=A0 Need to clearly explain what additional security risk is caused because Geneve = encapsulation vs standard IP transport and why such a requirement is mandat= ory. Any such risk can be mitigated by existing security mechanisms for com= munication between NVEs.

    =C2=A0

    <mglt>Your comment seems to indicate we are prescribing solutio= ns or preventing existing solution to be re-used. In addition, you indicate= a threat model should be provided. I do not think that is correct. I do no= t think we are mentioning any solution, nor prescribing any. Then requireme= nts are based on threat models provided in section 4. I do not see any comm= ents regarding threat model, thus I assume you agree with it.=C2=A0 =C2=A0A= ppendix section illustrates that IPsec fulfil SEC-GEN-6, so existing mechan= isms can be re-used. Your concern, up to my understanding does not seem rel= evant. Please lt us know=C2=A0how section 4 (threat model) as well as the a= ppendix can be clarified, if needed.</mglt>
    =C2=A0

    SEC-GEN-1: Geneve security mechanism MUST provide the capability<= br> to encrypt the inner payload.

    =C2=A0

    Define the threat model where only the inner pay= load should be selectively encrypted. The requirements should be to address= a specific threat model. Not all deployments need encryption.

    =C2=A0

    <mglt>You are reading the word "only" but I don't= . On the other hand, you do not see the threat model section but I do. The = requirement addresses traffic sniffing (this is the title of the section), = in which case authentication provides no protection. Your concern is not re= levant.</mglt>
    =C2=A0

    <= /span>

    SEC-GEN-3: Geneve security mechanism MUST provide means to encrypt<= /span>
    a single or a set of zero, one or multiple Geneve Options while leave other Geneve Options in clear. Reversely, a Geneve security<= br> mechanism MUST be able to leave a Geneve option in clear, while encrypting the others.

    =C2=A0

    SEC-GEN-4: Geneve security mechanism MUST provide means to encrypt<= /span>
    the information of Geneve Header (excluding Geneve Options).
    Reversely, a Geneve security mechanism MUST be able to leave in clear Geneve Header information (Geneve Options excluded) while encrypting the other.

    =C2=A0

    SEC-GEN-5: Geneve security mechanisms MUST provide the ability to=
    provide confidentiality protection between multiple nodes, i.e. multiple transit devices and a NVE.

    =C2=A0

    =C2=A0

    SEC-GEN-3,4 and SEC-GEN-5,6,7: All =
these SEC-GEN requirements (for partial encryption) are optimizations which=
 should not be part of requirements especially with =E2=80=9CMUST=E2=80=9D =
mandates. =C2=A0
    The main objective of requirements is for protecting the tr=
affic between the NVEs (privacy/integrity/confidentiality). Applying partia=
l encryption is more of an optimization than to mitigate any specific threa=
t especially when other existing mechanisms are available to protect commun=
ications between NVEs.=C2=A0 Specify the use cases where options need to se=
lectively encrypted. What is the threat model and why such partial encrypti=
on of options is required.=C2=A0 So adding requirements for partial headers=
/payload/options could not be considered as a security requirement to addre=
ss a security threat, hence these requirements must not be included.=C2=A0 =

    =C2=A0
    <mglt>You seem to indicate that the requirement = are not based on a threat model. The requirement does not come from an opti= mization perspective. Such requirements comes from the presence of transit = nodes. The exact same requirement have been mentioned at the mic by David B= lack during the Prague meeting. I agreed, none objected. It you want transi= t device to coexist with a security mechanism this is a necessary requireme= nt. Otherwise you will have to chose between transit device OR security. Th= is is exactly what makes transit devices not OPTIONNAL. IPv6 and IPsec hand= le transit devices, in a clean way, but Genev is not willing to learn from = this. Your concern and this discussion is out of scope of the document but = in the scope of the Geneve specification.=C2=A0 =C2=A0 =C2=A0</mglt><= /div>

    

    SEC-OP-5: A secure deployment of a Geneve=
 overlay MUST evaluate
    the risk associated to a change of the Geneve Outer Header, Geneve<=
/span>
    Header (excluding Geneve Options) and Geneve Option. When a ris=
k
    analysis concludes that the risk is too high, this piece of
    information MUST be authenticated.    

    =C2=A0
    

    SEC-OP-6: A secure deployment of a Geneve=
 overlay SHOULD
    <=
span class=3D"m_3807981396123409526gmail-m_-7797871005321186789fontstyle01"=
>authenticate communications between NVE to protect the Geneve
    =
Overlay infrastructure as well as the Tenants System=E2=80=99s
    =
communications (Geneve Packet). A Geneve overlay provider MAY
    d=
isable authentication of the inner packet and delegates it to theTenant Systems when communications between Tenant=E2=80=99s System is
    secured. This is NOT RECOMMENDED. Instead, it is RECOMMENDED
    that mechanisms binds the inner payload to the Geneve Header. To
    prevent injection between virtualized network, it is strongly RECOMMENDED that at least the Geneve Header without =
Geneve Options
    =
is authenticated.
    

    =C2=A0
    

    What specific risk does the operato=
r see based on the threat model and what piece of information should be aut=
henticated, =C2=A0
    why this should be selectively authenticated as called =
for in these requirements? Can you specify the usage model for these requir=
ements.
    <mglt> The threat model and risks are described in sec= tion 4. Authentication of Options or metadata is not something new. The thr= eat model of protecting the NVI is to prevent packets to be steered in the = wrong network. Unless I am not understanding your comment, I believe it is = irrelevant here. Maybe it could be handled in clarifying the threat model, = but that is not something your seem to have concern with. </mglt>
    <= pre style=3D"background:white">=C2=A0 
    SEC-OP-7: A secure deployment of a Geneve=
 overlay SHOULD NOT<=
br>process data prior authentication. If that is not possible, the=

    Geneve overlay provider SHOULD evaluate its impact.
    =C2=A0
    This is too generic, what should th=
e operator do with this requirement, =C2=A0=E2=80=9C=E2=80=A6SHOUD evaluate=
 its impact=E2=80=9D?
    =C2=A0<mglt>The operator needs to ensure authe= ntication is performed prior the data is processed. I do not see how to cla= rify the purpose.=C2=A0
    =C2=A0This requirement comes from = the transit devices, and the purpose is to avoid option being for example p= rocessed by a transit device and authenticated by the NVE.=C2=A0=C2= =A0</mglt>
    =C2=A0
    =
=C2=A0
    SEC-GEN-8: Geneve security mechanism MUST=
 provide the capability
    to authenticate the inner payload.

    <=
/span>
    SEC-GEN-9: Geneve security mechanism SHOU=
LD provide the capability
    to partially authenticate the inner payload header.
    SEC-GEN-10: Geneve security mechanism MUS=
T provide the capability
    to authenticate a single or a set of options while leave other
    Geneve Option unauthenticated. Reversely, a Geneve security
    mechanism MUST be able to leave a Geneve option unauthenticated,
    while encrypting the others.
    =C2=A0
    SEC-GEN-11: Geneve security mechanism MUS=
T provide means toauthenticate the information of Geneve Header (Geneve Option
    =
excluded). Reversely, a Geneve security mechanism MUST be able to<=
br>leave unauthenticated Geneve header information (Geneve Options=

    excluded) while authenticating the other.    =

    =C2=A0
    What is the threat model and what i=
s use case that is driving the partial encryption or authentication of opti=
ons? =C2=A0
    <mglt>see secti= on 4 for the threat model.</mglt>=C2=A0
    =C2=A0
    SEC-GEN-13: Geneve Security mechanism MUS=
T provide means for a
    transit device to authenticate data prior it is being processed.<=
/u>
    =C2=A0
    This requirement is not consistent =
with Geneve architecture, hence remove this requirement. 
    =C2=A0
    <mglt>My reading of your comment is that you are= mandating that transit devices are not expected to process the data they p= rocess. Could clarify your concern as well you clarify where the inconsiste= ncy is? Text from the geneve architecture would be welcome. The requirement= that transit device authenticate the option they process has been stated a= t the mic by David at the mic during the Prague meeting. As a result, I am = very confused. Of course if that is inconsistent with the Geneve architectu= re, such requirement will be removed. But further discussion is needed, and= being unresponsive will not help.</mglt>

    SEC-OP-8: A secure deployment of a Geneve=
 overlay MUST evaluate
    the communications subject to replay attacks. Communications that
    are subject to this attacks MUST be authenticated with an anti
    replay mechanism. Note that when partial authentication is
    provided, the part not covered by the authentication remains a
    surface of attack. It is strongly RECOMMENDED that the Geneve=

    Header is authenticated with anti replay protection
    =C2=A0
    What is the threat model and use ca=
se that calls for partial authentication. Same comments as partial encrypti=
on applies to this comment as well.
    =C2=A0
    <mglt> same response. please read the threat mod= el section. The concern is </mglt>=C2=A0
    SEC-OP-9: A secure deployment of a Geneve=
 overlay MUST define the
    security policies that associates the encryption, and
    <=
span class=3D"m_3807981396123409526gmail-m_-7797871005321186789fontstyle01"=
>authentication associated to each flow between NVEs.    <=
/span>
    =C2=A0
    SEC-OP-10: A secure deployment of a Genev=
e overlay SHOULD define
    distinct material for each flow. The cryptographic depends on the<=
/span>
    nature of the flow (multicast, unicast) as well as on the secur=
ity
    mechanism enabled to protect the flow.=

    =C2=A0
    SEC-GEN-15: A Geneve security mechanism M=
UST be managed viasecurity policies associated for each traffic flow to be
    pr=
otected. Geneve overlay provider MUST be able to configure NVEs
    <=
span class=3D"m_3807981396123409526gmail-m_-7797871005321186789fontstyle01"=
>with different security policies for different flows. A flow MUSTbe identified at minimum by the Geneve virtual network identifier
    and the inner IP and transport headers, and optionally additional
    fields which define a flow (e.g., inner IP DSCP, IPv6 flow id,
    Geneve options)
    =C2=A0
    =C2=A0
    It is not clear as to what threat i=
s being addressed by requiring flow level granularity.=C2=A0 If communicati=
on between NVE to NVE need be encrypted/authenticated, then, at a minimum, =
security policy should be applied for the traffic between, for example, NVE=
 A to NVE B or NVE A to NVE C, etc.=C2=A0
    =C2=A0
    Any granularity =
beyond that is not a requirement to address any threat. This is undue burde=
n on NVEs, not needed to address specific threat or define the threat model=
. =C2=A0=C2=A0Hence remove flow level granularity requirement.=C2=A0
    <mglt>This needs further discussion in the working gro= up to what level of granularity we want. The discussion can happen after ad= option.</mglt>=C2=A0
    =C2=A0=

    SEC-GEN-17: A Geneve security mechanisms,=
 when multicast is used,
    packets,MUST be able to assign distinct cryptographic group keys<=
/span>
    to protect the multicast packets exchanged among the NVEs withi=
n
    different multicast groups. Upon receiving a data packet, an<=
/span>
    egress Geneve NVE MUST be able to verify whether the packet is<=
/span> 
    sent from a proper ingress NVE which is a=
uthorized to forward that
    packet.
    =C2=A0
    Need to define the threat model for=
 multicast, define multicast, =C2=A0most deployments multicast is implement=
ed using multiple unicast. So the requirement does not apply to such deploy=
ments.
    =C2=A0
    <mglt>My reading of your comment is that as mult= icast can be replaced by multiple unicast, the requirement should be remove= d. The document is focused on Geneve which may use multicast, not to replac= e multicast. The nvo3 security requirement document got similar requirement= s. I believe your concern is irrelevant to the document. </mglt>=C2= =A0 =C2=A0
    8. Appendix<=
/span>
    =C2=A0
    I suggest to remove the entire Appe=
ndix from the document. Let us first agree on the requirements before we ge=
t into mapping different solutions to meet the requirements.
    <= /div>
    <mglt>I believe that the appendix is ill= ustrating the requirements and as such is useful to understand the requirem= ents as well as how to read them. Ithe appendix was completed based on the = comments received from the secdir reviewer of the geneve document.=C2=A0 Of= course the requirement needs to be agreed on. However, I believe that lots= of your concerns could have been avoided if this section has been read, so= I strongly believe it is a useful section. </mglt>
    =C2=A0
    Thanks,
    Ilango

    =C2=A0

    = =C2=A0

    =C2=A0

    From:= nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Bocci, Matthew (Nokia - GB)
    Sent: Wednesday, April 10, 2019 7:38 AM
    To: NVO3 <nvo3= @ietf.org>
    Subject: [nvo3] Poll for adoption of draft-mglt-nvo3-geneve-security= -requirements-06

    =C2=A0

    This email begins a second two-week poll for=C2=A0adoption=C2=A0of dr= aft-mglt-nvo3-geneve-security-requirements-06 in the NVO3 working group.

    =C2=A0

    Please review the draft and send any comments to the NVO3 list.

    =C2=A0

    Please also indicate whether you support=C2=A0adoption=C2=A0of the dr= aft as an NVO3 working group document.

    =C2=A0

    Note that supporting working group adoption indicates that you think = the draft is headed in the right direction and represents a piece of work t= hat the working group should take on and progress. It does not have to be technically perfect at this stage.=

    =C2=A0

    This poll closes on Wednesday 24th April 2019.

    =C2=A0

    Regards

    Matthew and Sam<= /u>

    =C2=A0

    _______________________________________________
    nvo3 mailing list
    nvo3@ietf.org
    https://www.ietf.org/mailman/listinfo/nvo3
    --000000000000efee890587612ab0--