Re: [Add] ADD Requirements Draft
tirumal reddy <kondtir@gmail.com> Tue, 01 September 2020 11:10 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A18403A0F55 for <add@ietfa.amsl.com>; Tue, 1 Sep 2020 04:10:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X2T3fjfZSoum for <add@ietfa.amsl.com>; Tue, 1 Sep 2020 04:10:44 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2AFB3A0F56 for <add@ietf.org>; Tue, 1 Sep 2020 04:10:44 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id h4so758157ioe.5 for <add@ietf.org>; Tue, 01 Sep 2020 04:10:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GTXqA8yvwqPMgmtb7dJSB99rjuEyWB7qobHb954i5HE=; b=J+rgrVxL30KncCOCF7KX4BEGYaykUbv8ijCXBk7zDISsRxgcuxTwaWHCuCEvw2EFt5 9z0PAILrHO4e63rOsfErAt7o/sDm136xddOnX5YknxskJm38iUPlW3Sa3VEnBSIMpyHg Vls05aXpy0+4qXX/JL8uGzpWgaoraNv2Hd22ToHzcY2aZZr2NTWCmXDdCL2n1MgdCLOq VgNPImuSBES3dYKYJsAc2bMN809QfsfRZtuxmyRzidY0PcKdFDzu+O0eV09hZvH4HG3B caPr8VdrCrK6U7E73Un7jTPEtwEh9SnC4gQ0oV4XCzblnOID2j1MtdZ/mh76XBT1wxhE 7kWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GTXqA8yvwqPMgmtb7dJSB99rjuEyWB7qobHb954i5HE=; b=F82dSmqIoyV9eu+d1KXkS+SiGKLGByRZ4g0yw3NxAsz5bbTkbK63Um6KFqnG3Xx/Aw seDMZnTjPx/cnAIVKeJFg4w5VwXMVp38WAAmgHEtn/FtfC1NVlUf2rnm519MA5GluPEn vLuvakk8lHUa/kOryd1zh7YYYg3YA5wq57b7ba2oGdAR0u5e8HXRZJpcS7l4ipxv/q92 HnJQO1KT+Sn7dYjEHM7GdaG9w9uRG1cRdPRmOcKy3MSqbvV/mD6iH+7E6/uHVgY7vtn4 Kklqx/Cq50FK21bNR1MEUBK6W0tLX/19jY6HF3qjMKs7ff/ifMJ/ginTmKOZeTP6VJGB oE/g==
X-Gm-Message-State: AOAM530307sxmp7x17L7Y8krcBT6ihryNxXGSffKBB3J0cyuW6/KCq2F dPGoLCKVp+O82dnPinTPb7y8FO7VfS3aUAtJqa/kfIJu/IhZjw==
X-Google-Smtp-Source: ABdhPJxzz3nKVw3IMgUsylfHfuQJmKv/xIh5ibaqvCO38lVyw9RZjvIO085TKy/VrC1A6MKk4z/8ZI5mpLQUECFzPAc=
X-Received: by 2002:a05:6602:48f:: with SMTP id y15mr982870iov.177.1598958643615; Tue, 01 Sep 2020 04:10:43 -0700 (PDT)
MIME-Version: 1.0
References: <31194C90-6C0B-470C-8B14-79C12D2C5C0D@comcast.com> <CACJ6M14gXmEHc_fX8=GpKwRDn6C=R7LR06JG_Qg-cWR5agU9Hw@mail.gmail.com> <391E15D2-9208-4BA9-B01E-3673982DA6CE@apple.com> <CABcZeBMXvcF6PJWE+EkGVx1c9RXzO1XuB3xhrVKUJvUb=aus8A@mail.gmail.com> <4cd8a8c6-3516-4ad6-877c-9460d8096773@www.fastmail.com> <CAFpG3gfkrKGiuPRH1QvH+-w2H=N1ijtDpk5Oh=D2JOp-L4Q1+w@mail.gmail.com> <CABcZeBNhHcNAkVm=PNUvV8_vGVvDvJbaMVHB_w9zu63+ebQwpQ@mail.gmail.com> <CAFpG3gcAjHkh7boDwLq+sHpGtfB2WT0NbuuFqqBQs2M6BZkAOQ@mail.gmail.com> <CABcZeBMi-B7LKB6ipt6vLSZcF9OMLga8f+qydpZVOhOGQrttuQ@mail.gmail.com> <CAFpG3geQefT0=fN-6UFwDqLLqbb1XthHA=np4HPS2NfSO77csA@mail.gmail.com> <CABcZeBPmfe8Um38xFHoxw+26-YQxFUPN+p4aW9uzbPKGy1xz4g@mail.gmail.com>
In-Reply-To: <CABcZeBPmfe8Um38xFHoxw+26-YQxFUPN+p4aW9uzbPKGy1xz4g@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 01 Sep 2020 16:40:31 +0530
Message-ID: <CAFpG3gefyTcibzfQ-dzXKv5fKE=vwUktux0dz25wNL7_+tf7MA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Christopher Wood <caw@heapingbits.net>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f69d1c05ae3e91a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/broMLG7a7Sv96QqgK-RQxZUoQSo>
Subject: Re: [Add] ADD Requirements Draft
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2020 11:10:48 -0000
Hi Eric, Please see inline On Fri, 28 Aug 2020 at 19:08, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Fri, Aug 28, 2020 at 12:35 AM tirumal reddy <kondtir@gmail.com> wrote: > >> On Thu, 27 Aug 2020 at 18:46, Eric Rescorla <ekr@rtfm.com> wrote: >> >>> >>> >>> On Wed, Aug 26, 2020 at 10:15 PM tirumal reddy <kondtir@gmail.com> >>> wrote: >>> >>>> Hi Eric, >>>> >>>> Please see inline >>>> >>>> On Wed, 26 Aug 2020 at 16:50, Eric Rescorla <ekr@rtfm.com> wrote: >>>> >>>>> >>>>> >>>>> On Wed, Aug 26, 2020 at 3:10 AM tirumal reddy <kondtir@gmail.com> >>>>> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Tue, 25 Aug 2020 at 20:19, Christopher Wood <caw@heapingbits.net> >>>>>> wrote: >>>>>> >>>>>>> Thanks for the review! Please see inline below. >>>>>>> >>>>>>> On Sat, Aug 22, 2020, at 2:07 PM, Eric Rescorla wrote: >>>>>>> > Document: draft-pauly-add-requirements-00.txt >>>>>>> > >>>>>>> > Tommy, >>>>>>> > >>>>>>> > Thanks for posting this. Two comments on the threat model, >>>>>>> > requirements, and what mechanisms it leaves in scope. The points >>>>>>> > below are primarily about local discovery. >>>>>>> > >>>>>>> > >>>>>>> > 1. In S 4, you say you are assuming an RFC 3552 threat model that >>>>>>> > includes on-path active attackers. However, in S 2.1 you indicate >>>>>>> that >>>>>>> > one of the benefits of this type of mechanism is to authenticate >>>>>>> data >>>>>>> > coming from the true resolver: >>>>>>> > >>>>>>> > * Verify that answers come from the selected DNS resolver >>>>>>> > >>>>>>> > * Authenticate that the DNS resolver is the one provisioned by >>>>>>> the >>>>>>> > network >>>>>>> > >>>>>>> > As a side note, I would observe that these benefits derive from the >>>>>>> > use of an authenticated channel, not from an encrypted channel. >>>>>>> This >>>>>>> > is sort of a nit in that modern TLS profiles discourage >>>>>>> authentication >>>>>>> > only, but I think it's still worth getting right. >>>>>>> >>>>>>> Agreed. Use of “encrypted” was referring to the use of authenticated >>>>>>> DoH and DoT, but I can see how that’s confusing given that we later mention >>>>>>> opportunistic encryption (as a contrasting approach). >>>>>>> >>>>>>> > More importantly, this is only really true if either (1) the client >>>>>>> > can accurately determine the nonexistence of a secure resolver or >>>>>>> (2) >>>>>>> > the client somehow behaves meaningfully differently in cases where >>>>>>> > it determines that there is no secure resolver. To lay this out in >>>>>>> > more detail, assuming that it's possible to determine the identity >>>>>>> > of a secure resolver if one is present (e.g., by the kind of SPAU >>>>>>> > mechanism that Chrome uses), then there are three cases: >>>>>>> > >>>>>>> > 1. The client connects to a secure resolver >>>>>>> > 2. No authenticated resolver is present >>>>>>> > 3. There is an attack >>>>>>> > >>>>>>> > While it's straightforward to determine whether one is in case (1), >>>>>>> > many users will be in case (2) and so as long as the client treats >>>>>>> > (1), (2), and (3) identically, then this doesn't preclude attack by >>>>>>> > on-path attackers. Thisisn't a new observation, of course, but I >>>>>>> think >>>>>>> > it points to the need to sharpen the requirements and potentially >>>>>>> > S 4.2 if they are to be useful in the face of the threat model >>>>>>> > you define. >>>>>>> >>>>>>> That’s a good point to raise. If clients don’t treat (3) and (2) >>>>>>> differently, then the attacker can always win. And right now, given the >>>>>>> threat model, it’s unclear *if* a client can differentiate between these >>>>>>> cases. Or to put it differently (and I think this was how you phrased it >>>>>>> once in the past): the client can’t distinguish between a network with no >>>>>>> authenticated resolver and an active attack. >>>>>>> >>>>>>> Perhaps we need to relax the attacker’s capabilities here? If DoH is >>>>>>> blocked, then, well, what is a client left to do? Section 4.2 punts that >>>>>>> problem to the client’s policy, which seems (to me) to be the right way to >>>>>>> deal with this type of attack. >>>>>>> >>>>>>> Perhaps it’s worth clarifying that one of the motivations for these >>>>>>> requirements (and guidance text) is to allow for incremental improvements. >>>>>>> For example, opportunistic encrypted DNS may be better than no encryption >>>>>>> for some clients. Although clients can’t determine if this is an attack or >>>>>>> not, there’s arguably some benefit to it. Or put differently: the attacker >>>>>>> may easily win for opportunistic DNS, but there may be cases where the >>>>>>> attacker loses, and that seems like an improvement. >>>>>>> >>>>>>> > 2. S 4 says that attackers must not be able to: >>>>>>> > >>>>>>> > * Redirect DNS traffic to themselves. >>>>>>> > >>>>>>> > If we try to map this onto the various proposed mechanisms, I >>>>>>> think it >>>>>>> > has to be softened to say something like "Redirect secure DNS >>>>>>> traffic >>>>>>> > to themselves when DNS traffic would not be" (again a 3552 attacker >>>>>>> > can say whatever they want in DHCP). I think this then precludes >>>>>>> this >>>>>>> > mechanism having some kind of indicator of where the secure >>>>>>> resolver >>>>>>> > is other than at its own IP. >>>>>>> >>>>>>> I think that’s right. None of the current discovery mechanisms work >>>>>>> well for local discovery when the attacker controls the network, since none >>>>>>> of the current signals are authenticated. >>>>>>> >>>>>> >>>>>> No, it is possible for the client to defend against an on-path >>>>>> attacker spoofing/blocking encrypted >>>>>> DNS server discovery, see >>>>>> https://tools.ietf.org/html/draft-btw-add-home-08#section-10 >>>>>> >>>>> >>>>> You describe three mechanisms. The first two seem to involve some sort >>>>> of external configuration, and so are not of use in the generic case. >>>>> >>>> >>>> No, only the first mechanism requires external configuration. Please >>>> clarify why you think the three mechanisms are not generic ? >>>> >>> >>> " Cryptographically assert the DNS server identity to identify the DNS >>> client is connecting to an encrypted DNS server hosted by a specific >>> organization" >>> >>> The client has no way of knowing what organizations are acceptable. >>> >>> The reason these aren't generic is that clients in general will not be >>> so configured. >>> >> >> I see the confusion, and will fix the text. The intent is to say the >> cryptographic assertion of the DNS server identity >> proves to the client the encrypted server is hosted by a legal >> organization/entity. It prevents the attack scenario where >> an attacker hosts an encrypted server and claims the best DNS privacy >> preservation policy. >> >> The client can then prompt the user to decide whether the encrypted DNS >> server hosted by a specific organization is >> acceptable or not. The resolver information published by the DNS server >> also includes a privacy statement URL, optional audit URL, >> whether the DNS server performs filtering and reasons for filtering. >> > > As I said when you first proposed this in an ADD meeting, I do not believe > that anything of this kind is viable. > > 1. Certificates tied to a legal entity have not been effective, which is > why browsers are removing EV. > The draft does not propose using EV certificates for encrypted DNS servers, please see https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-05#section-4 for more details. 2. There is ample evidence that users do not read privacy policies. > The DNS server privacy statement is much more simpler compared to a typical privacy statement by a content service provider (see https://tools.ietf.org/html/draft-ietf-dprive-bcp-op-14#section-6). Further, automated analysis of a privacy statement is possible using deep learning (https://pribot.org/files/Polisis_USENIX_Security_Paper.pdf). You can explore polisis and pritbot at https://pribot.org to explore the analysis of privacy statements by several organizations.. > > >> >>> >>> >>>> >>>>> I do not believe the third, STUN-based mechanism works. The attacker >>>>> can make the client believe that it has any external IP of its choice by >>>>> tunnelling the STUN traffic. >>>>> >>>> >>>> Yes, it may be easy for an attacker to identify STUN traffic but >>>> challenging to identify TURN server running on port 443 (TURN-over-TLS). >>>> >>> >>> Well, it will be public information (because it's embedded in many >>> clients) where the servers are. >>> >> >> Yes, good point. If many services are hosted on the same IP address, it >> will be challenging to identify the >> TURN-over-TLS/STUN-over-TLS session. >> > > They will also have a different ALPN value. > Yes but ALPN and SNI can be encrypted using TLS encrypted client hello. Anyways, the client can also use HTTPS (similar to https://ipinfo.io/ip-company-api). > > >> >>> >>> >>> Further, an attacker may or may not be always on-path and the client can >>>> remember that an encrypted resolver is provided by the attached >>>> network (e.g., associate the domain name/organization hosting the encrypted >>>> resolver with the SSID:BSSID). If later the endpoint cannot discover the >>>> network-provided resolver, it can assume an attacker blocked the discovery. >>>> >>> >>> Or that network conditions changed in some way or other, which might >>> result in unacceptable numbers of false positives. >>> In any case, this is a weaker threat model than described in the draft. >>> >> >> Agreed, if the client cannot take an action at least it can notify the >> user that it cannot discover the previously seen >> network-provided encrypted resolver. >> > > A dialog which the user will see a lot and therefore likely click through. > The user should only get a notification if an attacker blocks the discovery or the home network uses a different ISP that does not host an encrypted DNS server. I don't get why the user would get a frequent dialog ? Cheers, -Tiru > > -Ekr > > >> -Tiru >> >> >>> >>> -Ekr >>> >>> >>>> -Tiru >>>> >>>> >>>>> >>>>> -Ekr >>>>> >>>>> >>>>>> -Tiru >>>>>> >>>>>> >>>>>>> >>>>>>> Best, >>>>>>> Chris >>>>>>> >>>>>>> -- >>>>>>> Add mailing list >>>>>>> Add@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/add >>>>>>> >>>>>> -- >>>>>> Add mailing list >>>>>> Add@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/add >>>>>> >>>>>
- Re: [Add] ADD Requirements Draft Eric Rescorla
- [Add] ADD WG Github Deen, Glenn
- Re: [Add] ADD WG Github Chris Box (BT)
- [Add] ADD Requirements Draft Tommy Pauly
- Re: [Add] ADD Requirements Draft Daniel Migault
- Re: [Add] ADD Requirements Draft Chris Box (BT)
- Re: [Add] ADD Requirements Draft Daniel Migault
- Re: [Add] ADD Requirements Draft Eric Rescorla
- Re: [Add] ADD Requirements Draft Chris Box (BT)
- Re: [Add] ADD Requirements Draft Christopher Wood
- Re: [Add] ADD Requirements Draft Eric Rescorla
- Re: [Add] ADD Requirements Draft tirumal reddy
- Re: [Add] ADD Requirements Draft tirumal reddy
- Re: [Add] ADD Requirements Draft Eric Rescorla
- Re: [Add] ADD Requirements Draft Christopher Wood
- Re: [Add] ADD Requirements Draft tirumal reddy
- Re: [Add] ADD Requirements Draft Eric Rescorla
- Re: [Add] ADD WG Github Vittorio Bertola
- Re: [Add] ADD WG Github Chris Box (BT)
- Re: [Add] ADD Requirements Draft tirumal reddy
- Re: [Add] ADD Requirements Draft Eric Rescorla
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Pauly
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Eric Rescorla
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Andrew Campling
- Re: [Add] ADD Requirements Draft tirumal reddy
- Re: [Add] ADD Requirements Draft Eric Rescorla
- Re: [Add] ADD Requirements Draft Michael Richardson
- Re: [Add] ADD Requirements Draft Eric Rescorla
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] ADD Requirements Draft tirumal reddy
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft tirumal reddy
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Pauly
- Re: [Add] ADD Requirements Draft Tommy Pauly
- Re: [Add] ADD Requirements Draft Michael Richardson
- Re: [Add] ADD Requirements Draft Michael Richardson
- Re: [Add] ADD Requirements Draft Eric Rescorla
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Paul Vixie
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Pauly
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Paul Vixie
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Andrew Campling
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Andrew Campling
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Ted Hardie
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Rob Sayre
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft tirumal reddy
- Re: [Add] ADD Requirements Draft tirumal reddy
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft tirumal reddy
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Steffen Nurpmeso
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- [Add] discovery of DNS server privacy policy Jim Reid
- Re: [Add] discovery of DNS server privacy policy Paul Wouters
- Re: [Add] [EXTERNAL] Re: discovery of DNS server … Tommy Jensen
- Re: [Add] [EXTERNAL] Re: discovery of DNS server … Dan Wing
- Re: [Add] [EXTERNAL] Re: discovery of DNS server … Martin Thomson
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Michael Richardson
- Re: [Add] discovery of DNS server privacy policy tirumal reddy
- Re: [Add] [EXTERNAL] Re: discovery of DNS server … tirumal reddy
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Andrew Campling
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Deen, Glenn
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Eric Orth
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Ted Lemon
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Eric Orth
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Vinny Parla (vparla)
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Rob Sayre
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Vinny Parla (vparla)
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft tirumal reddy
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft tirumal reddy
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Steffen Nurpmeso
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Michael Richardson
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Steffen Nurpmeso
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft tirumal reddy
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft Tommy Jensen
- Re: [Add] [EXTERNAL] Re: ADD Requirements Draft tirumal reddy