From nobody Tue Apr 12 03:42:46 2022
Return-Path: <eugene.adell@gmail.com>
MIME-Version: 1.0
References: <CALY=zUfDcE-wQ3kwvSCTy+aWVAFs-ymdiFLF5xgYp2tOmhOt-Q@mail.gmail.com>
 <BC09F131-E098-45DF-8213-10732593A508@isc.org>
 <355263CA-10A6-4AED-8622-8336A94F069A@isc.org>
In-Reply-To: <355263CA-10A6-4AED-8622-8336A94F069A@isc.org>
From: =?UTF-8?Q?Eug=C3=A8ne_Adell?= <eugene.adell@gmail.com>
Date: Tue, 12 Apr 2022 12:27:48 +0200
Message-ID: <CALY=zUf2OX-QRtULBv4_N_J6Cuik8LxVh1rSQ1mnbFiNmTk+oQ@mail.gmail.com>
To: Mark Andrews <marka@isc.org>, dwessels@verisign.com
Cc: dnsop@ietf.org
Content-Type: multipart/mixed; boundary="000000000000f6159205dc72b762"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QJLjGM1U3Hj0cv1iZdQ7trN64ww>
Subject: Re: [DNSOP] introducing a couple of RRTypes (CRC/CRS) for B2B
 applications
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>,
 <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
 <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2022 10:42:44 -0000

--000000000000f6159205dc72b762
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello,

thanks for your constructive comments. My answers are just below, with
an updated document (from Duane's remarks, Mark's ones will follow
later).

1.
Beyond the technical aspects, there are several different persons to
think about in our case: the DNS administrator obviously, the
decision maker buying (or not) a secured online service, and the CISO.
It looks more simple to have dedicated RR types to let them
communicate together, without any information distortion. It's
necessary to explain that the CRS record can play two roles: of
course being involved during the authorization mechanism, and as an
information for existing or potential customers checking this
mechanism support before subscribing to a new service. In that case,
any decision maker or CISO can check by himself without sorting all
the TXT records found.

@Mark: I am just discovering the APL RR now as I didn't notice it
when checking what could be reused. It fits the needs of the CRC, with
a different syntax, and likely it's still potentially easier to
identify when building an inventory of what CRC-CRS contracts an
organization has.


2.
I updated for compliance with RFC2606 & RFC5737

3.
Updated so

4.
After your comments and correcting a typo, it gives
ftp.example.com_21.example.net
Such domain name for sure doesn't exist and uses the underscore
character as separator. It has to be considered as storing data
establishing a kind of contract between the two organizations
involved.

5.
I give some explanation in the answer 1 but I will rephrase. The CRS
record can be used before subscribing to a service (typically any
storage/log system/SIEM) as an indicator that this service provides
the kind of authorization process described in the document. More
importantly, it can be checked by the application during the
authentication to know if the client CRC must be checked or not.
However, if an application doesn't want to rely on the CRS RR, it also
can use a parameter in its configuration file. Maybe adding a schema
would help? At least, I tested all that prior to sending my first
email, with NSD and a modified Apache Tomcat, and I got the results I
wanted.

Internet Engineering Task Force                                 E. Adell
Internet-Draft                                             12 April 2022
Intended status: Informational
Expires: 14 October 2022


                         Client Roaming Control
                     draft-adell-client-roaming-00

Abstract

   This document specifies the Client Roaming Control (CRC) DNS Resource
   Record, which allows an organization to better control the access to
   third-party applications over the Internet.  The applications
   implementing an authorization mechanism honoring the CRC publish on
   their side the Client Roaming Support (CRS) Resource Record to
   advertise this support.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 14 October 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.



Adell                    Expires 14 October 2022                [Page 1]

Internet-Draft           Client Roaming Control               April 2022


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
   3.  The CRC Resource Record . . . . . . . . . . . . . . . . . . .   4
     3.1.  RR name field . . . . . . . . . . . . . . . . . . . . . .   4
     3.2.  CRC RDATA Wire Format . . . . . . . . . . . . . . . . . .   4
     3.3.  CRC Presentation Format . . . . . . . . . . . . . . . . .   4
   4.  The CRS Resource Record . . . . . . . . . . . . . . . . . . .   5
     4.1.  CRS RDATA Wire Format . . . . . . . . . . . . . . . . . .   5
     4.2.  CRS Presentation Format . . . . . . . . . . . . . . . . .   5
   5.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  Restricted Application  . . . . . . . . . . . . . . . . .   6
     5.2.  Controlled Application  . . . . . . . . . . . . . . . . .   7
     5.3.  Opened Application  . . . . . . . . . . . . . . . . . . .   8
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
     7.1.  DNS misconfiguration  . . . . . . . . . . . . . . . . . .   9
     7.2.  DNS Security  . . . . . . . . . . . . . . . . . . . . . .  10
     7.3.  Application Security  . . . . . . . . . . . . . . . . . .  10
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   Illegitimate access to restricted professional applications over the
   Internet is a permanent threat to organizations and their staff.
   Different methods can be used to impersonate a user, and in some
   cases an organization also wants to prevent its own staff from
   accessing a third-party application from a network which is not under
   its control.  Conversely, an organization may want to allow roaming,
   so that its users can access the application from several known
   places.

   The Client Roaming Control (CRC) DNS Resource Record (RR) acts as a
   white-list: it informs a compatible application from which networks
   its users are allowed to connect, be it a limited list of networks or
   broadly without any restriction.

   At the application level, the identification of the user's
   organization domain can be based on information carried during the
   authentication process, or on a lookup of information already known
   by the application.  In both cases this information lets the
   application relate the user to its organization unequivocally.
   Finally, the DNS of the user's domain is queried for the name built
   from the application's FQDN and port, and the application learns
   whether an authorization is expected or not.  Some examples are
   given in this document.

   The applications implementing this authorization control let the
   client organizations know this feature is available by publishing the
   Client Roaming Support (CRS) RR.  The data associated with this
   record indicates whether support of the CRC by the client
   organization is mandatory, optional, or ignored.  The information
   stored in the CRS can be mirrored by a redundant setting at the
   application level.  The way the application handles the
   authorization mechanism, by consulting the associated CRS record or
   not, is left to the implementor.

   Although this mechanism is designed to improve the security between
   different organizations, there is no objection to using it within a
   single organization playing both the client and application roles, as
   an alternative or additional layer to a solution already in place,
   such as a firewall.

2.  Conventions Used in This Document

   This specification uses definitions from Domain Name System
   [RFC1035], and readers unfamiliar with it can also check DNS
   Terminology [RFC8499].  The syntax specification uses the Augmented
   Backus-Naur Form (ABNF) notation as specified in [RFC5234], with some
   expressions being defined in "Uniform Resource Identifier (URI):
   Generic Syntax" [RFC3986] and "IP Version 6 Addressing Architecture"
   [RFC4291].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The CRC Resource Record

   The purpose of the CRC RR is to provide a list of IP ranges authorized
   to use a particular application.  Each RR contains a list of IPv4
   and/or IPv6 network address ranges.  These ranges MUST follow the
   CIDR notation.  A single CRC RR MAY contain ranges for both IP
   versions, but in the case of many ranges this can be difficult to
   read or maintain, so whether to dedicate a record to each IP version
   is left to the administrator.  Multiple RRs MAY be defined for a
   given IP version.

3.1.  RR name field

   The CRC RR name field is composed of the third-party application
   domain, its port, and the client organization's zone name.  The
   application domain and the port are joined by the underscore
   character, and the resulting name is placed under the client zone, as
   in ftp.example.com_21.example.net. for port 21 of ftp.example.com
   published by the example.net organization.

3.2.  CRC RDATA Wire Format

   The CRC RDATA wire format is encoded as follows:

       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
       /                     CRC                       /
       /                                               /
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

   The CRC field contains a list of either IPv4 or IPv6 ranges separated
   by the comma character.

3.3.  CRC Presentation Format

   The presentation format of the CRC record is:

   CRC (ip4netlist ["," ip6netlist]) / ([ip4netlist ","] ip6netlist)

   ip4netlist = ip4net *("," ip4net)

   ip4net = IPv4address "/" ip4range

   ip4range = DIGIT / "1" DIGIT / "2" DIGIT / "3" %x30-32

   ip6netlist = ip6net *("," ip6net)

   ip6net = IPv6address "/" ip6range

   ip6range = DIGIT / %x31-39 DIGIT / "1" %x30-31 DIGIT / "12" %x30-38

   IPv4address and IPv6address are the rules of the same name defined
   in [RFC3986]; ip4range and ip6range are the prefix lengths 0-32 and
   0-128 respectively.
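   As an added example that is not part of the draft, the following
   Python code builds the owner name of Section 3.1 and parses and checks
   the CRC presentation format of Section 3.3.  The owner-name layout
   follows the draft's own examples (ftp.example.com_21.example.net.);
   the function names are this example's, not the draft's.

```python
import ipaddress

# Added example, not part of the draft: build the CRC owner name of
# Section 3.1 and parse/check the CRC presentation format of Section 3.3.
# The owner-name layout follows the draft's examples
# (ftp.example.com_21.example.net.); function names are this example's own.


def crc_owner_name(app_fqdn: str, port: int, client_zone: str) -> str:
    """Owner name a client zone publishes for one application and port."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    app = app_fqdn.strip().rstrip(".").lower()
    zone = client_zone.strip().rstrip(".").lower()
    if not app or not zone:
        raise ValueError("application FQDN and client zone must be non-empty")
    return f"{app}_{port}.{zone}."


def parse_crc_rdata(rdata: str) -> list:
    """Parse 'net/len,net/len,...' into ip_network objects.

    strict=True rejects host bits in the network part (192.0.2.5/24), so a
    typo cannot silently change the range being allowed; a missing prefix
    length, an empty list or an out-of-range length raise ValueError.
    """
    networks = []
    for item in rdata.split(","):
        item = item.strip()
        if "/" not in item:
            raise ValueError(f"CRC range without prefix length: {item!r}")
        try:
            networks.append(ipaddress.ip_network(item, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad CRC range {item!r}: {exc}") from exc
    if not networks:
        raise ValueError("CRC RDATA carries no range")
    return networks


def is_valid_crc_rdata(rdata: str) -> bool:
    """True when the RDATA parses cleanly (useful for zone linting)."""
    try:
        parse_crc_rdata(rdata)
    except ValueError:
        return False
    return True


def client_allowed(client_ip: str, networks: list) -> bool:
    """True when the client address falls inside any range of the CRC."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks if net.version == ip.version)


def split_crc_by_version(rdata: str) -> tuple:
    """Rewrite one mixed RDATA as separate IPv4 and IPv6 RDATA strings,
    the per-version layout Section 3 leaves to the administrator.
    An empty string means no record is needed for that version."""
    networks = parse_crc_rdata(rdata)
    v4 = ",".join(str(n) for n in networks if n.version == 4)
    v6 = ",".join(str(n) for n in networks if n.version == 6)
    return v4, v6


if __name__ == "__main__":
    name = crc_owner_name("ftp.example.com", 21, "example.net")
    nets = parse_crc_rdata("192.0.2.0/24,198.51.100.0/24")
    print(name, "IN CRC", ",".join(map(str, nets)))
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, "allowed" if client_allowed(ip, nets) else "denied")
```

   Rejecting host bits (strict=True) is a deliberate choice: a record
   such as 192.0.2.5/24 is almost always a typo, and silently masking it
   to 192.0.2.0/24 would hide the misconfiguration Section 7.1 warns
   about.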

4.  The CRS Resource Record

   The CRS RR indicates which control is applied to the client
   organizations, and thus which ones are authorized.  A requirement
   field is used for this purpose; it takes one of the following values,
   which determine when the checking is performed:

   *  "N" : Never, all organizations are authorized

   *  "A" : Always, only organizations with a CRC are authorized

   *  "O" : Optional, the CRC of any organization publishing one is
      honored, and organizations without a CRC are authorized

   In addition to this value, an optional list of ports can be given.
   Indeed, multiple applications can be hosted on different ports under
   the same domain name, and an equivalent support was described for the
   CRC RR.  In case of different requirement values, it is RECOMMENDED
   to have one dedicated RR for each value, although a single RR carrying
   all the information is supported.  One particular port MUST NOT
   appear in more than one RR.  When no port is mentioned, only one RR
   MAY be declared and its requirement value covers all applications for
   this domain name.

   In the absence of such a record, no roaming control is to be expected
   by the client, and any of its CRC RRs will be ignored.  This is
   equivalent to a CRS requirement value indicating that no control is
   performed.

4.1.  CRS RDATA Wire Format

   The CRS RDATA wire format is encoded as follows:

       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
       /                     CRS                       /
       /                                               /
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

   The CRS field contains a list of requirements followed by their
   respective optional ports.

4.2.  CRS Presentation Format

   The presentation format of the CRS record is:

   CRS (single-rule / multiple-rules)

   single-rule = "R=" ("N" / "A" / "O") *("," port)

   multiple-rules = unit-rule 1*2(";" unit-rule)

   unit-rule = "R=" ("N" / "A" / "O") 1*("," port)

   port = %x31-39 *DIGIT
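   As an added example that is not part of the draft, the following
   Python code parses the CRS presentation format above and enforces the
   port rules of Section 4: a port MUST NOT appear in more than one RR,
   and a rule without ports covers every application of the name and is
   then the only CRS RR.  It also flags the conflicting-record case of
   Section 7.1.  The function names are this example's, not the draft's.

```python
import re

# Added example, not part of the draft: parse the CRS presentation format of
# Section 4.2 and enforce the port rules of Section 4 (a port MUST NOT
# appear in more than one RR; a port-less rule covers every application of
# the name and is then the only CRS RR). Function names are this example's.

REQUIREMENTS = {"N": "never", "A": "always", "O": "optional"}

# One rule: "R=" followed by the requirement letter and zero or more ",port"
# (port = %x31-39 *DIGIT, i.e. no leading zero).
_RULE = re.compile(r"R=([NAO])((?:,[1-9][0-9]*)*)")


def parse_crs_rdata(rdata: str) -> dict:
    """Map {port: requirement letter} for one CRS RDATA string.

    The key None means 'all ports' (a single-rule without ports). Raises
    ValueError on a syntax error, a port above 65535, a port listed twice,
    more than three rules, or a port-less rule mixed with other rules.
    """
    rules = {}
    parts = [p.strip() for p in rdata.strip().split(";")]
    if len(parts) > 3:
        raise ValueError("at most three rules, one per requirement value")
    for part in parts:
        m = _RULE.fullmatch(part)
        if m is None:
            raise ValueError(f"malformed CRS rule: {part!r}")
        req = m.group(1)
        ports = [int(p) for p in m.group(2).split(",") if p]
        if not ports:
            if len(parts) > 1:
                raise ValueError("a rule without ports may only appear alone")
            ports = [None]
        for port in ports:
            if port is not None and port > 65535:
                raise ValueError(f"port out of range: {port}")
            if port in rules:
                raise ValueError(f"port {port} appears more than once")
            rules[port] = req
    return rules


def merge_crs_records(rdatas) -> dict:
    """Combine every CRS RR of a name into one {port: requirement} map,
    refusing the conflicts Section 7.1 warns about."""
    merged = {}
    for rdata in rdatas:
        for port, req in parse_crs_rdata(rdata).items():
            if port in merged:
                raise ValueError(f"port {port} is covered by more than one CRS RR")
            merged[port] = req
    if None in merged and len(merged) > 1:
        raise ValueError("a port-less CRS RR must be the only CRS RR of the name")
    return merged


def crs_is_consistent(rdatas) -> bool:
    """Zone-lint helper: True when the CRS RRset parses without conflict."""
    try:
        merge_crs_records(rdatas)
    except ValueError:
        return False
    return True


def requirement_for(rules: dict, port: int) -> str:
    """Requirement letter applying to a port. A port with no rule, or no
    CRS RR at all, means no control ('N'), as Section 4 states."""
    return rules.get(port, rules.get(None, "N"))


if __name__ == "__main__":
    for text in ("R=A,21", "R=O,443;R=N,8080,8443", "R=N"):
        rules = parse_crs_rdata(text)
        print(text, "->", {p: REQUIREMENTS[r] for p, r in rules.items()})
    print("ftp port 22 ->", requirement_for(parse_crs_rdata("R=A,21"), 22))
```

   An application would run merge_crs_records over the whole CRS RRset
   it receives (or that it publishes, at zone-load time); a client
   organization auditing a provider can use crs_is_consistent to detect
   the ambiguous configuration described in Section 7.1 before relying
   on it.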

5.  Examples

   The following examples show some typical uses expected from this
   specification.  In particular, the intended behaviors for different
   CRC and CRS values are explained, with the user's organization
   identified either directly from carried data or through a deduction
   process.

5.1.  Restricted Application

   In this example, an application is only open to organizations
   publishing their respective allowed networks.  The requirement value
   of the CRS record equals "A", and any organization with an empty or
   missing CRC for this application will be denied access.

   The ftp.example.com domain is dedicated to hosting an FTP
   application, which extracts the client's domain from the username
   used during the authentication process.  This information is then
   used for requesting the client CRC record and finally comparing its
   content with the client's IP.  The client organization example.net
   allows its users from its own network 192.0.2.0/24 and from a cloud
   service located at 198.51.100.0/24.  A second organization
   example.org has no CRC record and its users are rejected.

   Application FQDN : ftp.example.com
   Application CRS record : ftp.example.com.  IN CRS R=A,21

   Client FQDN : example.net
   Client organization CRC record : ftp.example.com_21.example.net.  IN
   CRC 192.0.2.0/24,198.51.100.0/24

   Client FQDN : example.org
   No client organization CRC record

   Client DNS  Client FTP                Server FTP

                     FTP USER me@example.net
               ----------------------------->
                            ...
                     FTP PASS ********
               ----------------------------->
          Query : CRC ftp.example.com_21.example.net
        <------------------------------------
          Answer : CRC ftp.example.com_21.example.net
                   192.0.2.0/24,198.51.100.0/24
        ------------------------------------>
                     FTP 230
              <------------------------------


                     FTP USER me@example.org
               ----------------------------->
                            ...
                     FTP PASS ********
               ----------------------------->
          Query : CRC ftp.example.com_21.example.org
        <------------------------------------
          Answer : No such name (3)
        ------------------------------------>
                     FTP 430
              <------------------------------

5.2.  Controlled Application

   The www.example.com domain hosts a Web application on port 443 using
   client certificates for authenticating its users.  The application
   extracts the client domains from the certificates, which are used to
   retrieve their CRC records.  Users from the example.net organization
   are allowed only if they connect from an authorized network listed in
   the CRC record, while users from example.org are always granted
   access since this one has no CRC declared.

   Application FQDN : www.example.com
   Application CRS record : www.example.com.  IN CRS R=O,443

   Client FQDN : example.net
   Client organization CRC record : www.example.com_443.example.net.  IN
   CRC 192.0.2.0/24,198.51.100.0/24

   Client FQDN : example.org
   No client organization CRC record

   Client DNS  Client browser                Web application


                             .....
                 Client certificate me@example.net
               ----------------------------------->
          Query : CRC www.example.com_443.example.net
        <------------------------------------------
          Answer : CRC www.example.com_443.example.net
                   192.0.2.0/24,198.51.100.0/24
        ------------------------------------------>
                             .....
                     200 OK
               <-----------------------------------


                             .....
                 Client certificate me@example.org
               ----------------------------------->
          Query : CRC www.example.com_443.example.org
        <------------------------------------------
          Answer : No such name (3)
        ------------------------------------------>
                             .....
                     200 OK
               <-----------------------------------

5.3.  Opened Application

   A company is testing the CRC and CRS behaviors before opening a new
   service to its customers.  Its first test, described below, consists
   in configuring both sides to be completely open, likely before
   hardening the CRS, then the CRC, and testing again.

   The application.example.com domain hosts a Web application on port
   443 where users log in by sending a numerical identifier and a
   password.  The application uses a dictionary data type to map the
   identifier to the user's domain.  The client.example.net domain is
   temporarily using two CRC records indicating free access from
   anywhere.

   Application FQDN : application.example.com
   Application CRS record : application.example.com.  IN CRS R=N,443

   Client FQDN : client.example.net
   Client organization CRC records :
   application.example.com_443.client.example.net.  IN CRC 0.0.0.0/0
   application.example.com_443.client.example.net.  IN CRC ::/0

   Client DNS  Client browser                Web application


                             .....
                 HTTP POST 123456/******
               ----------------------------------->
                     200 OK
               <-----------------------------------
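   As an added example that is not part of the draft, the following
   Python code plays the three scenarios of Sections 5.1 to 5.3 through
   the authorization decision an application makes once it knows the
   CRS requirement for its port, the client's organization domain and
   the client's IP address.  The DNS is replaced by a constructed
   in-memory table; a name missing from that table plays the role of the
   "No such name (3)" answers shown in the exchanges above.  Function
   names and the table are this example's, not the draft's.

```python
import ipaddress

# Added example, not part of the draft: the authorization decision that
# ties Sections 4 and 5 together. The DNS is replaced by a constructed
# in-memory table mirroring the records of Sections 5.1 to 5.3; a name
# missing from the table plays the role of the "No such name (3)" answers.
# Function names and the table are this example's own.

FAKE_DNS = {
    # application side: CRS records
    "ftp.example.com.": {"CRS": ["R=A,21"]},
    "www.example.com.": {"CRS": ["R=O,443"]},
    "application.example.com.": {"CRS": ["R=N,443"]},
    # client side: CRC records (owner = app FQDN "_" port, under the client zone)
    "ftp.example.com_21.example.net.": {"CRC": ["192.0.2.0/24,198.51.100.0/24"]},
    "www.example.com_443.example.net.": {"CRC": ["192.0.2.0/24,198.51.100.0/24"]},
    "application.example.com_443.client.example.net.": {"CRC": ["0.0.0.0/0", "::/0"]},
    # example.org publishes no CRC at all
}


def lookup(name: str, rrtype: str):
    """RDATA strings for name/type, or None (NXDOMAIN or no data)."""
    return FAKE_DNS.get(name.lower(), {}).get(rrtype)


def crs_requirement(app_fqdn: str, port: int) -> str:
    """Requirement letter for one application port; no CRS means 'N'."""
    for rdata in lookup(app_fqdn, "CRS") or []:
        for rule in rdata.split(";"):
            head, _, ports = rule.strip().partition(",")
            letter = head[len("R="):] if head.startswith("R=") else head
            if not ports or str(port) in ports.split(","):
                return letter
    return "N"


def authorize(app_fqdn: str, port: int, client_domain: str, client_ip: str):
    """Return (allowed, reason) following the requirement values of Section 4."""
    req = crs_requirement(app_fqdn, port)
    if req == "N":
        return True, "no roaming control for this application"
    name = f"{app_fqdn.rstrip('.')}_{port}.{client_domain.rstrip('.')}."
    rdatas = lookup(name, "CRC")
    if not rdatas:
        if req == "A":
            return False, f"CRS requires a CRC and {name} has none"
        return True, f"CRC is optional and {name} has none"
    try:
        ip = ipaddress.ip_address(client_ip)
        networks = [ipaddress.ip_network(n.strip(), strict=True)
                    for rdata in rdatas for n in rdata.split(",")]
    except ValueError as exc:
        # A CRC the application cannot parse is a misconfiguration
        # (Section 7.1): fail closed rather than guess.
        return False, f"unusable CRC data for {name}: {exc}"
    if any(ip in net for net in networks):
        return True, f"{client_ip} is inside a CRC range of {name}"
    return False, f"{client_ip} is outside every CRC range of {name}"


if __name__ == "__main__":
    cases = [
        ("ftp.example.com.", 21, "example.net", "192.0.2.10"),    # 5.1, on-network
        ("ftp.example.com.", 21, "example.net", "203.0.113.5"),   # 5.1, roaming user
        ("ftp.example.com.", 21, "example.org", "192.0.2.10"),    # 5.1, no CRC
        ("www.example.com.", 443, "example.org", "203.0.113.5"),  # 5.2, no CRC, optional
        ("application.example.com.", 443, "client.example.net", "2001:db8::1"),  # 5.3
    ]
    for case in cases:
        print(case, "->", authorize(*case))
```

   The decision is taken before any session is established, and an
   unparsable CRC answer is treated as a denial rather than as "no
   record", so a corrupted or mistyped client record cannot widen
   access.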

6.  IANA Considerations

   According to the Guidelines for Writing an IANA Considerations
   Section in RFCs [RFC8126], IANA is requested to add the two entries
   CRC and CRS to the Resource Record (RR) TYPEs registry located at
   https://www.iana.org/assignments/dns-parameters/dns-
   parameters.xhtml#dns-parameters-4.

           +------+-------+------------------------+-----------+
           | TYPE | Value | Description            | Reference |
           +------+-------+------------------------+-----------+
           | CRC  | TBD1  | Client Roaming Control | this RFC  |
           +------+-------+------------------------+-----------+
           | CRS  | TBD2  | Client Roaming Support | this RFC  |
           +------+-------+------------------------+-----------+

                                  Table 1

7.  Security Considerations

   This section is meant to inform developers and users of the security
   implications of the CRC/CRS mechanism described by this document.
   While the CRS RR mostly plays an informative role, the CRC RR
   delivers important data which requires attention from the developers
   and administrators.  Some particular points are discussed here.

7.1.  DNS misconfiguration

   Any CRS misconfiguration, such as multiple records with different
   requirement values but the same port value, can leave a client
   confused.  In this case the client cannot know, without testing the
   actual configuration, whether its organization is protected against
   roaming, and contacting the application administrator to fix the
   situation is a possibility.

   Since CRC misconfigurations can lead to serious security problems,
   administrators need to pay attention when dealing with multiple
   networks or records.  In particular, multiple records for the same
   network range, or overlapping networks, should be avoided.

7.2.  DNS Security

   Client and application administrators need to pay as much attention
   as they usually do when dealing with DNS management.  As the CRC
   records are supposed to be requested during an application
   authentication process, reflection attacks could be built to target a
   client organization, even one not hosting any CRC record at all.
   In a general manner, administrators may consider an adequate TTL
   setting so as not to overload client organizations, enable TCP as the
   preferred transport, or rely on DNSSEC to guarantee data authenticity
   and integrity.

7.3.  Application Security

   The following points are of concern to developers:

   Encryption:
   Whenever possible, the application protocol should be encrypted to
   prevent eavesdropping and man-in-the-middle attacks.  It is a
   critical point for applications maintaining a user session with
   anything like a token or cookie, as it can lead to session hijacking
   as discussed below.

   Timing attack:
   All authentication systems need to be careful not to deliver, through
   their computing time, any information to a denied user, even the ones
   involving multiple factors or steps like the one described in this
   document.  In particular, the order in which these steps are executed
   and their respective implementations must not let an observer infer,
   from response times, which step rejected the user.

   Intermediate systems:
   Some applications are not directly Internet-facing and cannot access
   the real client's IP address without a mechanism forwarding this IP
   at the application layer.  With HTTP for example, the common practice
   based on the non-standard X-Forwarded-For header, or its standard
   alternative Forwarded [RFC7239], plays this role.  Such practice
   requires correct sanitizing of user-supplied data so that a forged,
   injected IP is not accepted.

   Session hijacking:
   A well-known attack called Session Hijacking is not meant to be
   defeated by this document alone.  Application developers must ensure
   that any received session token, such as an HTTP Cookie, belongs to
   the same IP address as the one which started the session.
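   As an added example that is not part of the draft, the following
   Python code illustrates the "Intermediate systems" point: the CRC
   check is only as good as the client address fed into it, and that
   address must be recovered from the proxy chain without trusting what
   the sender wrote.  The weak reading (first X-Forwarded-For entry) is
   shown beside the hardened one (walk from the right, past the
   organization's own proxies).  The proxy range, the header values and
   the function names are constructed for this example.

```python
import ipaddress
from typing import Optional

# Added example, not part of the draft: recovering the client address behind
# a reverse proxy, the "Intermediate systems" point of Section 7.3. The proxy
# range and the header values are constructed; names are this example's own.

# Address range of the organization's own proxy tier (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def naive_client_ip(xff_header: str) -> str:
    """The weak reading: the left-most X-Forwarded-For entry. That entry is
    whatever the sender chose to put there, so a roaming user can claim an
    address inside the CRC range."""
    return xff_header.split(",")[0].strip()


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_from_proxy_chain(peer_ip: str, xff_header: Optional[str]):
    """Hardened reading. Walk the chain from the right, i.e. from the hop our
    proxy appended, and stop at the first address that is not one of our
    proxies: that is the address the proxy actually accepted a connection from.

    Returns an ip_address, or None when no trustworthy address can be found
    (empty chain, only proxies in it, or a malformed entry), in which case
    the caller should deny rather than guess.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted_proxy(peer):
        # Direct connection: the header was not set by us, ignore it entirely.
        return peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the chain: do not guess
        if not _is_trusted_proxy(addr):
            return addr
    return None


def crc_allows_request(peer_ip: str, xff_header: Optional[str], crc_rdata: str) -> bool:
    """Feed the recovered address into a CRC check (comma-separated CIDR
    list, as in the CRC presentation format); unknown address => deny."""
    addr = client_ip_from_proxy_chain(peer_ip, xff_header)
    if addr is None:
        return False
    nets = [ipaddress.ip_network(n.strip(), strict=True) for n in crc_rdata.split(",")]
    return any(addr in net for net in nets)


if __name__ == "__main__":
    crc = "192.0.2.0/24,198.51.100.0/24"
    # Constructed: a user at 203.0.113.9 sends an in-range address in the
    # header and the proxy at 198.51.100.3 appends the real one.
    forged = "192.0.2.10, 203.0.113.9"
    print("naive:", naive_client_ip(forged))
    print("hardened:", client_ip_from_proxy_chain("198.51.100.3", forged))
    print("CRC decision:", crc_allows_request("198.51.100.3", forged, crc))
```

   The same recovered address is the one a session token should be bound
   to (the "Session hijacking" point): binding the session to the
   left-most header entry would bind it to attacker-controlled data.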

8.  References

8.1.  Normative References

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, DOI 10.17487/RFC4291, February
              2006, <https://www.rfc-editor.org/info/rfc4291>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <https://www.rfc-editor.org/info/rfc5234>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

8.2.  Informative References

   [RFC7239]  Petersson, A. and M. Nilsson, "Forwarded HTTP Extension",
              RFC 7239, DOI 10.17487/RFC7239, June 2014,
              <https://www.rfc-editor.org/info/rfc7239>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

Author's Address

   Eugene Adell
   Email: eugene.adell@gmail.com


On Tue, 12 Apr 2022 at 02:44, Mark Andrews <marka@isc.org> wrote:
>
>
>
> > On 11 Apr 2022, at 17:57, Mark Andrews <marka@isc.org> wrote:
> >
> > I don’t see why APL (RFC 3123) can’t be used for CRC given you need to construct an
> > owner name anyway and have well known label to separate the components of the name.
> > I see no reason to re-invent the wheel here.
> >
> > ftp.foo.com_21_bar.com,195.13.35.0/24,91.220.43.0/24
> >
> > would be
> >
> > ftp.foo.com._21._crc.bar.com APL 1:195.13.35.0/24 1:91.220.43.0/24
>
>
> Additionally text is a really bad way to transmit IP address and prefixes
> in the DNS.  DNS RRsets are resource constrained (maximum < 64k).  DNS caches
> are resource constrained.  10-16 octets of text for an IPv4/24 vs 7 octets for APL.
> An IPv4/8 is 9-11 vs 5 octets.  The :: improves this a little bit for IPv6 but in
> general you will be dealing with /48’s or longer xxxx:xxxx:xxxx::/48 (19 octets)
> vs 10 for APL.
>
> >> On 5 Apr 2022, at 20:52, Eugène Adell <eugene.adell@gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> I've been working on two new RRTypes described by a Draft, and as
> >> suggested by our magnificent, incredibly brilliant and handsome AD
> >> Warren "ACE" Kumari, I am posting here this idea and the material I
> >> have written so far (the draft itself, and RFC 6895 components).
> >>
> >> Briefly, one RRType (CRC : Client Roaming Control) contains a
> >> whitelist of networks allowing a company's employees to connect to a
> >> specific application. The second RRType (CRS : Client Roaming Support)
> >> is on the application side and informs what kind of restrictions are
> >> applied (by saying if CRC is mandatory, optional or ignored).
> >> This is not expected to be deployed broadly and everywhere as it is
> >> designed to secure Business-To-Business applications.
> >>
> >> The material (text XML2RFC draft + RFC 6895 components) written is
> >> both incorporated below to this email and attached, for practical
> >> reasons.
> >>
> >>
> >> Regards
> >> E.A.
> >>
> >>
> >>
> >>
> >>
> >> Internet Engineering Task Force                                 E. Adell
> >> Internet-Draft                                              5 April 2022
> >> Intended status: Informational
> >> Expires: 7 October 2022
> >>
> >>
> >>                        Client Roaming Control
> >>                    draft-adell-client-roaming-00
> >>
> >> Abstract
> >>
> >>  This document specifies the Client Roaming Control (CRC) DNS Resource
> >>  Record allowing an organization to better control the access to
> >>  third-party applications over Internet.  The applications
> >>  implementing an authorization mechanism to honor the CRC publish on
> >>  their side the Client Roaming Support (CRS) Resource Record to inform
> >>  of this support.
> >>
> >> Status of This Memo
> >>
> >>  This Internet-Draft is submitted in full conformance with the
> >>  provisions of BCP 78 and BCP 79.
> >>
> >>  Internet-Drafts are working documents of the Internet Engineering
> >>  Task Force (IETF).  Note that other groups may also distribute
> >>  working documents as Internet-Drafts.  The list of current Internet-
> >>  Drafts is at https://datatracker.ietf.org/drafts/current/.
> >>
> >>  Internet-Drafts are draft documents valid for a maximum of six months
> >>  and may be updated, replaced, or obsoleted by other documents at any
> >>  time.  It is inappropriate to use Internet-Drafts as reference
> >>  material or to cite them other than as "work in progress."
> >>
> >>  This Internet-Draft will expire on 7 October 2022.
> >>
> >> Copyright Notice
> >>
> >>  Copyright (c) 2022 IETF Trust and the persons identified as the
> >>  document authors.  All rights reserved.
> >>
> >>  This document is subject to BCP 78 and the IETF Trust's Legal
> >>  Provisions Relating to IETF Documents (https://trustee.ietf.org/
> >>  license-info) in effect on the date of publication of this document.
> >>  Please review these documents carefully, as they describe your rights
> >>  and restrictions with respect to this document.  Code Components
> >>  extracted from this document must include Revised BSD License text as
> >>  described in Section 4.e of the Trust Legal Provisions and are
> >>  provided without warranty as described in the Revised BSD License.
> >>
> >>
> >>
> >> Adell                    Expires 7 October 2022                 [Page 1]
> >>
> >> Internet-Draft           Client Roaming Control               April 2022
> >>
> >>
> >> Table of Contents
> >>
> >>  1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
> >>  2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
> >>  3.  The CRC Resource Record . . . . . . . . . . . . . . . . . . .   4
> >>    3.1.  RR name field . . . . . . . . . . . . . . . . . . . . . .   4
> >>    3.2.  CRC RDATA Wire Format . . . . . . . . . . . . . . . . . .   4
> >>    3.3.  CRC Presentation Format . . . . . . . . . . . . . . . . .   4
> >>  4.  The CRS Resource Record . . . . . . . . . . . . . . . . . . .   5
> >>    4.1.  CRS RDATA Wire Format . . . . . . . . . . . . . . . . . .   5
> >>    4.2.  CRS Presentation Format . . . . . . . . . . . . . . . . .   5
> >>  5.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
> >>    5.1.  Restricted Application  . . . . . . . . . . . . . . . . .   6
> >>    5.2.  Controlled Application  . . . . . . . . . . . . . . . . .   7
> >>    5.3.  Opened Application  . . . . . . . . . . . . . . . . . . .   8
> >>  6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
> >>  7.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
> >>    7.1.  DNS misconfiguration  . . . . . . . . . . . . . . . . . .   9
> >>    7.2.  DNS Security  . . . . . . . . . . . . . . . . . . . . . .  10
> >>    7.3.  Application Security  . . . . . . . . . . . . . . . . . .  10
> >>  8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
> >>    8.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
> >>    8.2.  Informative References  . . . . . . . . . . . . . . . . .  11
> >>  Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  11
> >>
> >> 1.  Introduction
> >>
> >>  Illegitimate access to professional restricted applications over
> >>  Internet is a permanent threat for organizations and their staff.
> >>  Different methods can be used to impersonate a user access, and in
> >>  some cases an organization also wants to better prevent its own staff
> >>  to access a third-party application from a network which is not under
> >>  its control.  On the contrary, an organization may want to allow
> >>  roaming so that its users can access from different known places.
> >>
> >>  The Client Roaming Control (CRC) DNS Resource Record (RR) acts as a
> >>  White-List and informs a compatible application from which networks
> >>  its users are allowed to connect, be it a limited list of networks or
> >>  broadly without any restriction.
> >>
> >>
> >>  At the application level, the identification of the user's
> >>  organization domain can be based on information carried during the
> >>  authentication process, or a lookup on information already known
> >>  by the application.  In both cases this information lets the
> >>  application relate the user to its organization unequivocally.
> >>  Finally, the corresponding user's domain DNS will be requested with
> >>  the application's FQDN and port, and the application will know
> >>  whether an authorization is expected or not.  Some examples will be
> >>  given in this document.
> >>
> >>  The applications implementing this authorization control let the
> >>  client organizations know this feature is available by using the
> >>  Client Roaming Support (CRS) RR.  The data associated with this
> >>  record indicates if the client's organization expected support of the
> >>  CRC is mandatory, optional, or ignored.  This information stored in
> >>  the CRS can be confirmed at the application level by redundant
> >>  data.  The way the application handles the authorization mechanism,
> >>  by consulting the associated CRS record or not, is left to the
> >>  implementor.
> >>
> >>  Although this mechanism is designed for improving the security
> >>  between different organizations, there is no objection to using it for
> >>  the same organization playing both roles of client and application, as
> >>  an alternative or additional layer to a solution already in place,
> >>  such as a firewall for example.
> >>
> >> 2.  Conventions Used in This Document
> >>
> >>  This specification uses definitions from Domain Name System
> >>  [RFC1035], and readers unfamiliar with it can also check DNS
> >>  Terminology [RFC8499].  The syntax specification uses the Augmented
> >>  Backus-Naur Form (ABNF) notation as specified in [RFC5234], with some
> >>  expressions being defined in "Uniform Resource Identifier (URI):
> >>  Generic Syntax" [RFC3986] and "IP Version 6 Addressing Architecture"
> >>  [RFC4291].
> >>
> >>  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
> >>  "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
> >>  "OPTIONAL" in this document are to be interpreted as described in BCP
> >>  14 [RFC2119] [RFC8174] when, and only when, they appear in all
> >>  capitals, as shown here.
> >>
> >>
> >> 3.  The CRC Resource Record
> >>
> >>  The CRC RR purpose is to provide a list of IP ranges authorized to
> >>  use a particular application.  Each RR contains a list of either IPv4
> >>  or IPv6 network address ranges.  These ranges MUST follow the CIDR
> >>  notation.  A single CRC RR MAY contain ranges for different IP
> >>  versions, but in the case of many ranges this can be difficult to
> >>  read or maintain, so dedicating a record to each IP version or not is
> >>  left to the administrator.  Multiple RRs MAY be defined for a given
> >>  IP version.
> >>
> >> 3.1.  RR name field
> >>
> >>  The CRC RR name field is composed of the third-party application
> >>  domain, its port, followed by the fully qualified name inherent in
> >>  this zone.  These three components are separated by the underscore
> >>  character.
> >>
> >> 3.2.  CRC RDATA Wire Format
> >>
> >>  The CRC RDATA wire format is encoded as follows:
> >>
> >>      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
> >>      /                     CRC                       /
> >>      /                                               /
> >>      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
> >>
> >>  The CRC field contains a list of either IPv4 or IPv6 ranges separated
> >>  by the comma character.
> >>
> >> 3.3.  CRC Presentation Format
> >>
> >>  The presentation format of the CRC record is:
> >>
> >>  CRC (ip4netlist [,ip6netlist]) / ([ip4netlist,] ip6netlist)
> >>
> >>  ip4netlist = ip4net *(,ip4net)
> >>
> >>  ip4net = IPv4address "/" ip4range
> >>
> >>  ip4range = DIGIT / "1" DIGIT / "2" DIGIT / "3" DIGIT %x30-32
> >>
> >>  ip6netlist = ip6net *(,ip6net)
> >>
> >>  ip6net = (ipv6-address "/" prefix-length)
> >>
> >>
> >> 4.  The CRS Resource Record
> >>
> >>  The CRS RR indicates which control is done on the client
> >>  organizations, and thus which ones are authorized.  A requirement
> >>  field is used for this purpose; it has one of the following values,
> >>  indicating when the checking is performed:
> >>
> >>  *  "N" : Never, all organizations are authorized
> >>
> >>  *  "A" : Always, only organizations with a CRC are authorized
> >>
> >>  *  "O" : Optional, any organization CRC is honored, other
> >>     organizations are authorized
> >>
> >>  In addition to this value, an optional list of ports can be given.
> >>  Indeed, multiple applications can be hosted on different ports under
> >>  the same domain name, and an equivalent support was described for the
> >>  CRC RR.  In case of different requirement values, it is RECOMMENDED
> >>  to have one dedicated RR for each although one single RR with all the
> >>  information is supported.  One particular port MUST NOT appear in
> >>  more than one RR.  When no port is mentioned, only one RR MAY be
> >>  declared and its requirement value covers all applications for this
> >>  domain name.
> >>
> >>  In the absence of such a record, no roaming control is to be expected
> >>  by the client; any of its CRC RRs will be ignored.  It is equivalent
> >>  to a CRS requirement value indicating no control is performed.
> >>
> >> 4.1.  CRS RDATA Wire Format
> >>
> >>  The CRS RDATA wire format is encoded as follows:
> >>
> >>      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
> >>      /                     CRS                       /
> >>      /                                               /
> >>      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
> >>
> >>  The CRS field contains a list of requirements followed by their
> >>  respective optional ports.
> >>
> >> 4.2.  CRS Presentation Format
> >>
> >>  The presentation format of the CRS record is:
> >>
> >>  CRS (single-rule / multiple-rules)
> >>
> >>  single-rule = "R=" ("N" / "A" / "O") *(,port)
> >>
> >>
> >>  multiple-rules = unit-rule 1*2(;unit-rule)
> >>
> >>  unit-rule = "R=" ("N" / "A" / "O") 1*(,port)
> >>
> >>  port = [1-9] *([DIGIT])
> >>
> >> 5.  Examples
> >>
> >>  The following examples show some typical uses expected from this
> >>  documentation.  Particularly, the intended behaviors for different
> >>  CRC and CRS values are explained, while the user identification is
> >>  done directly through carried data or a deduction process.
> >>
> >> 5.1.  Restricted Application
> >>
> >>  In this example, an application is only opened to organizations
> >>  publishing their respective allowed networks.  The requirement value
> >>  of the CRS record equals "A", and any organization with an empty or
> >>  missing CRC for this application will be denied access.
> >>
> >>  The ftp.foo.com domain is dedicated to hosting an FTP application,
> >>  which extracts the client's domain from the username used during the
> >>  authentication process.  This information is then used for requesting
> >>  the client CRC record and finally comparing its content with the
> >>  client's IP.  The client organization bar.com allows its users from
> >>  its own network 195.13.35.0/24 and from a cloud service located at
> >>  91.220.43.0/24.  A second organization baz.com has no CRC record and
> >>  its users are rejected.
> >>
> >>  Application FQDN : ftp.foo.com
> >>  Application CRS record : CRS R=A,21
> >>
> >>  Client FQDN : bar.com
> >>  Client organization CRC record : CRC
> >>  ftp.foo.com_21_bar.com,195.13.35.0/24,91.220.43.0/24
> >>
> >>  Client FQDN : baz.com
> >>  No client organization CRC record
> >>
> >>
> >>  Client DNS  Client FTP                Server FTP
> >>
> >>                    FTP USER me@bar.com
> >>              ----------------------------->
> >>                           ...
> >>                    FTP PASS ********
> >>              ----------------------------->
> >>         Query : CRC ftp.foo.com_21_bar.com
> >>       <------------------------------------
> >>         Answer : CRC ftp.foo.com_21_bar.com,195.13.35.0/24,91.220.43.0/24
> >>       ------------------------------------>
> >>                    FTP 230
> >>             <------------------------------
> >>
> >>
> >>                    FTP USER me@baz.com
> >>              ----------------------------->
> >>                           ...
> >>                    FTP PASS ********
> >>              ----------------------------->
> >>         Query : CRC ftp.foo.com_21_baz.com
> >>       <------------------------------------
> >>         Answer : No such name (3)
> >>       ------------------------------------>
> >>                    FTP 430
> >>             <------------------------------
> >>
> >> 5.2.  Controlled Application
> >>
> >>  The foo.com domain hosts a Web application on port 443 using client
> >>  certificates for authenticating its users.  The application extracts
> >>  the client domains from the certificates, which are used to retrieve
> >>  their CRC records.  Users from the bar.com organization are allowed
> >>  only if they connect from an authorized network listed in the CRC
> >>  record, while users from baz.com are always granted access since this
> >>  one has no CRC declared.
> >>
> >>  Application FQDN : foo.com
> >>  Application CRS record : CRS R=A,443
> >>
> >>  Client FQDN : bar.com
> >>  Client organization CRC record : CRC
> >>  ftp.foo.com_443_bar.com,195.13.35.0/24,91.220.43.0/24
> >>
> >>  Client FQDN : baz.com
> >>  No client organization CRC record
> >>
> >>
> >>  Client DNS  Client browser                Web application
> >>
> >>
> >>                            .....
> >>                Client certificate me@bar.com
> >>              ----------------------------------->
> >>         Query : CRC foo.com_443_bar.com
> >>       <------------------------------------------
> >>         Answer : CRC foo.com_443_bar.com,195.13.35.0/24,91.220.43.0/24
> >>       ------------------------------------------>
> >>                            .....
> >>                    200 OK
> >>              <-----------------------------------
> >>
> >>
> >>                            .....
> >>                Client certificate me@baz.com
> >>              ----------------------------------->
> >>         Query : CRC foo.com_443_baz.com
> >>       <------------------------------------------
> >>         Answer : No such name (3)
> >>       ------------------------------------------>
> >>                            .....
> >>                    200 OK
> >>              <-----------------------------------
> >>
> >> 5.3.  Opened Application
> >>
> >>  A company is testing the CRC and CRS behaviors before opening a new
> >>  service to its customers.  Its first test described below consists in
> >>  configuring both sides to be completely opened, likely before
> >>  hardening the CRS, then the CRC, and testing again.
> >>
> >>  The application.foo.com domain hosts a Web application on port 443
> >>  where users are logged in by sending a numerical identifier and a
> >>  password.  The application uses a dictionary data type to identify
> >>  the user's domain.  The client.foo.com domain is temporarily using 2
> >>  CRC records indicating a free access from anywhere.
> >>
> >>  Application FQDN : application.foo.com
> >>  Application CRS record : CRS R=N,443
> >>
> >>  Client FQDN : client.foo.com
> >>  Client organization CRC records : CRC
> >>  application.foo.com_443_foo.com,0.0.0.0/24; CRC
> >>  application.foo.com_443_foo.com,fe80::/10
> >>
> >>
> >>  Client DNS  Client browser                Web application
> >>
> >>
> >>                            .....
> >>                HTTP POST 123456/******
> >>              ----------------------------------->
> >>                    200 OK
> >>              <-----------------------------------
> >>
> >> 6.  IANA Considerations
> >>
> >>  According to Guidelines for Writing an IANA Considerations Section in
> >>  RFCs [RFC8126], IANA is asked to add into the Resource Record (RR)
> >>  TYPEs registry located at https://www.iana.org/assignments/dns-
> >>  parameters/dns-parameters.xhtml#dns-parameters-4 the two entries CRC
> >>  and CRS.
> >>
> >>          +------+-------+------------------------+-----------+
> >>          | TYPE | Value | Description            | Reference |
> >>          +------+-------+------------------------+-----------+
> >>          | CRC  | TBD1  | Client Roaming Control | this RFC  |
> >>          +------+-------+------------------------+-----------+
> >>          | CRS  | TBD2  | Client Roaming Support | this RFC  |
> >>          +------+-------+------------------------+-----------+
> >>
> >>                                 Table 1
> >>
> >> 7.  Security Considerations
> >>
> >>  This section is meant to inform developers and users of the security
> >>  implications of the CRC/CRS mechanism described by this document.
> >>  While the CRS RR mostly plays an informative role, the CRC RR
> >>  delivers important data which requires attention from the developers
> >>  and administrators.  Some particular points are discussed here.
> >>
> >> 7.1.  DNS misconfiguration
> >>
> >>  Any DNS CRS misconfiguration such as multiple records with different
> >>  requirement values but with the same port value can get a client
> >>  confused.  In this case the client does not know, without testing the
> >>  actual configuration, whether its organization is protected against
> >>  roaming, and contacting the application administrator to fix the
> >>  situation is a possibility.
> >>
> >>  As CRC misconfigurations more or less lead to serious security
> >>  problems, administrators need to pay attention when dealing with
> >>  multiple networks or records.  Particularly, multiple records for the
> >>  same network range or overlapping networks should be avoided.
> >>
> >>
> >> 7.2.  DNS Security
> >>
> >>  Client and application administrators need to pay as much attention
> >>  as they usually do when dealing with DNS management.  As the CRC
> >>  records are supposed to be requested during an application
> >>  authentication process, reflection attacks could be built to target a
> >>  client organization, even one not hosting any CRC record at all.
> >>  In a general manner, administrators may consider an adequate TTL
> >>  setting to not overload client organizations, enable TCP as the
> >>  preferred transport, or rely on DNSSEC to warrant data authenticity
> >>  and integrity.
> >>
> >> 7.3.  Application Security
> >>
> >>  The following points are of concern to developers:
> >>
> >>  Encryption:
> >>  Whenever possible, the application protocol should be encrypted to
> >>  prevent eavesdropping and man-in-the-middle attacks.  It is a
> >>  critical point for applications maintaining a user session with
> >>  anything like a token or cookie, as it can lead to session hijacking
> >>  as discussed below.
> >>
> >>  Timing attack:
> >>  All authentication systems need to be careful to not deliver any
> >>  information derived from the computing time to a denied user, even
> >>  the ones involving multiple factors or steps like the one described
> >>  in this document.  In particular, the order in which these steps are
> >>  executed and their respective implementations need to defeat
> >>  statistical hypotheses.
> >>
> >>  Intermediate systems:
> >>  Some applications are not directly Internet facing and cannot access
> >>  the real client's IP address without involving a mechanism to
> >>  forward this IP at the application layer.  For example with HTTP, the
> >>  common practice based on the non-standard X-Forwarded-For header, or
> >>  its standard alternative Forwarded [RFC7239], plays this role.
> >>  Such practice requires a correct sanitizing of user data to avoid
> >>  false injected IPs.
> >>
> >>  Session hijacking:
> >>  A well-known attack called Session Hijacking is not meant to be
> >>  defeated by this document alone.  Application developers must ensure
> >>  that any received session token, such as an HTTP Cookie, belongs to
> >>  the same IP address as the one which started this session.
> >>
> >> 8.  References
> >>
> >> 8.1.  Normative References
> >>
> >>  [RFC1035]  Mockapetris, P., "Domain names - implementation and
> >>             specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
> >>             November 1987, <https://www.rfc-editor.org/info/rfc1035>.
> >>
> >>  [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
> >>             Requirement Levels", BCP 14, RFC 2119,
> >>             DOI 10.17487/RFC2119, March 1997,
> >>             <https://www.rfc-editor.org/info/rfc2119>.
> >>
> >>  [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
> >>             Resource Identifier (URI): Generic Syntax", STD 66,
> >>             RFC 3986, DOI 10.17487/RFC3986, January 2005,
> >>             <https://www.rfc-editor.org/info/rfc3986>.
> >>
> >>  [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
> >>             Architecture", RFC 4291, DOI 10.17487/RFC4291, February
> >>             2006, <https://www.rfc-editor.org/info/rfc4291>.
> >>
> >>  [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
> >>             Specifications: ABNF", STD 68, RFC 5234,
> >>             DOI 10.17487/RFC5234, January 2008,
> >>             <https://www.rfc-editor.org/info/rfc5234>.
> >>
> >>  [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
> >>             2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
> >>             May 2017, <https://www.rfc-editor.org/info/rfc8174>.
> >>
> >> 8.2.  Informative References
> >>
> >>  [RFC7239]  Petersson, A. and M. Nilsson, "Forwarded HTTP Extension",
> >>             RFC 7239, DOI 10.17487/RFC7239, June 2014,
> >>             <https://www.rfc-editor.org/info/rfc7239>.
> >>
> >>  [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
> >>             Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
> >>             January 2019, <https://www.rfc-editor.org/info/rfc8499>.
> >>
> >> Author's Address
> >>
> >>  Eugene Adell
> >>  Email: eugene.adell@gmail.com
> >>
> >> RFC 6895 :
> >> A. Submission Date:2002/04/05
> >> B.1 Submission Type:  [X] New RRTYPE  [ ] Modification to RRTYPE
> >> B.2 Kind of RR:  [X] Data RR  [ ] Meta-RR
> >> C. Contact Information for submitter :
> >>  Name: Eugene Adell               Email Address: eugene.adell@gmail.com
> >>  International telephone number: +33699056914
> >>  Other contact handles:
> >> D. Motivation for the new RRTYPE application.
> >>  Introduce a couple of RR types working together in order to better
> >> secure remote access to partner applications
> >> E. Description of the proposed RR type.
> >>  CRC contains a limited list of authorized networks for a particular
> >> application
> >> F. What existing RRTYPE or RRTYPEs come closest to filling that need
> >> and why are they unsatisfactory?
> >>  TXT RRTYPE allows the storage of any text data but in practice is
> >> usually associated with more or less fixed name or data which is not
> >> what is needed here. A dedicated RRTYPE is easier to identify and
> >> manage by a security team other than the usual DNS operator team.
> >> G. What mnemonic is requested for the new RRTYPE (optional)?
> >>  CRC
> >> H. Does the requested RRTYPE make use of any existing IANA registry or
> >> require the creation of a new IANA subregistry in DNS Parameters?
> >>  It uses the existing Resource Record (RR) TYPEs registry
> >> I. Does the proposal require/expect any changes in DNS
> >> servers/resolvers that prevent the new type from being processed as an
> >> unknown RRTYPE (see [RFC3597])?
> >>  No
> >> J. Comments:
> >>  None
> >>
> >>
> >> A. Submission Date:2002/04/05
> >> B.1 Submission Type:  [X] New RRTYPE  [ ] Modification to RRTYPE
> >> B.2 Kind of RR:  [X] Data RR  [ ] Meta-RR
> >> C. Contact Information for submitter :
> >>  Name: Eugene Adell               Email Address: eugene.adell@gmail.com
> >>  International telephone number: +33699056914
> >>  Other contact handles:
> >> D. Motivation for the new RRTYPE application.
> >>  Introduce a couple of RR types working together in order to better
> >> secure remote access to partner applications
> >> E. Description of the proposed RR type.
> >>  CRS contains a requirement value and a list of ports indicating
> >> what kind of authorization check is done during the application
> >> authentication process
> >> F. What existing RRTYPE or RRTYPEs come closest to filling that need
> >> and why are they unsatisfactory?
> >>  TXT RRTYPE allows the storage of any text data but in practice is
> >> usually associated with more or less fixed name or data which is not
> >> what is needed here. A dedicated RRTYPE is easier to identify and
> >> manage by a security team other than the usual DNS operator team.
> >> G. What mnemonic is requested for the new RRTYPE (optional)?
> >>  CRS
> >> H. Does the requested RRTYPE make use of any existing IANA registry or
> >> require the creation of a new IANA subregistry in DNS Parameters?
> >>  It uses the existing Resource Record (RR) TYPEs registry
> >> I. Does the proposal require/expect any changes in DNS
> >> servers/resolvers that prevent the new type from being processed as an
> >> unknown RRTYPE (see [RFC3597])?
> >>  No
> >> J. Comments:
> >>  None
> >> <draft-adell-client-roaming-00.txt><RFC 6895 material.txt>_______________________________________________
> >> DNSOP mailing list
> >> DNSOP@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dnsop
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
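As an added example (not code from the draft or from either correspondent), the following Python models the CRC/CRS authorization decision described in Sections 3 to 5 of the quoted draft and the text-versus-APL (RFC 3123) size comparison made in the reply. The DNS lookups are replaced by constructed dictionaries, and the CRS value "R=O,443" for foo.com is an assumption chosen to produce the optional behaviour Section 5.2 describes.

```python
"""CRC/CRS authorization check modelled on draft-adell-client-roaming-00,
plus the text-vs-APL (RFC 3123) size comparison from the reply.  Added
example: DNS is replaced by the constructed dictionaries below."""
import ipaddress

# Constructed stand-in for the applications' CRS records (Section 4.2).
CRS_ZONE = {
    "ftp.foo.com": "R=A,21",            # Section 5.1: CRC mandatory on port 21
    "foo.com": "R=O,443",               # assumption: optional control on 443
    "application.foo.com": "R=N,443",   # Section 5.3: no control
}

# Constructed stand-in for the client organizations' CRC records (Section 3).
CRC_ZONE = {
    "ftp.foo.com_21_bar.com": ["195.13.35.0/24,91.220.43.0/24"],
    "foo.com_443_bar.com": ["195.13.35.0/24,91.220.43.0/24"],
    # baz.com publishes no CRC record at all
}


def parse_crs(rdata):
    """Return {port_or_None: requirement} from CRS presentation data.

    Rules are separated by ";"; each is "R=<N|A|O>" plus optional ",port"
    items, and a rule without ports applies to every port.  A port listed
    in two rules is the misconfiguration Section 7.1 warns about: rejected."""
    rules = {}
    for rule in rdata.split(";"):
        fields = rule.strip().split(",")
        if not fields[0].startswith("R=") or fields[0][2:] not in ("N", "A", "O"):
            raise ValueError(f"bad CRS rule: {rule!r}")
        req = fields[0][2:]
        for port in [int(p) for p in fields[1:]] or [None]:
            if port in rules:
                raise ValueError(f"port {port} appears in more than one rule")
            rules[port] = req
    return rules


def crs_requirement(app_fqdn, port, crs_zone=CRS_ZONE):
    """Requirement letter published for this application port.

    A missing CRS record is equivalent to "N" (Section 4, last paragraph)."""
    rdata = crs_zone.get(app_fqdn)
    if rdata is None:
        return "N"
    rules = parse_crs(rdata)
    return rules.get(port, rules.get(None, "N"))


def crc_owner(app_fqdn, port, client_domain):
    """Owner name of the client's CRC record (Section 3.1)."""
    return f"{app_fqdn}_{port}_{client_domain}"


def parse_crc(rdata):
    """Comma-separated CIDR list (Section 3.3) -> list of ip_network objects."""
    return [ipaddress.ip_network(item.strip()) for item in rdata.split(",")]


def authorize(app_fqdn, port, client_domain, client_ip,
              crs_zone=CRS_ZONE, crc_zone=CRC_ZONE):
    """Decide whether client_ip may use app_fqdn:port on behalf of client_domain.

    Section 4 semantics: "N" admits everyone, "A" admits only clients inside a
    published CRC range, "O" honours a CRC when one exists and admits
    organizations that publish none.  An empty CRC counts as missing (5.1)."""
    req = crs_requirement(app_fqdn, port, crs_zone)
    if req == "N":
        return True
    records = crc_zone.get(crc_owner(app_fqdn, port, client_domain), [])
    networks = [net for rdata in records for net in parse_crc(rdata)]
    if not networks:
        return req == "O"
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)   # False across IP versions


def apl_item(cidr):
    """Wire form of one APL item (RFC 3123): ADDRESSFAMILY (2 octets),
    PREFIX (1), N|AFDLENGTH (1), then the address minus trailing zero octets."""
    net = ipaddress.ip_network(cidr)
    family = 1 if net.version == 4 else 2
    afdpart = net.network_address.packed.rstrip(b"\x00")
    return family.to_bytes(2, "big") + bytes([net.prefixlen, len(afdpart)]) + afdpart


def text_vs_apl(cidr):
    """(octets as CRC presentation text, octets as an APL item)."""
    return len(cidr.encode("ascii")), len(apl_item(cidr))


if __name__ == "__main__":
    print(authorize("ftp.foo.com", 21, "bar.com", "195.13.35.7"))   # True
    print(authorize("ftp.foo.com", 21, "baz.com", "195.13.35.7"))   # False
    for cidr in ("195.13.35.0/24", "10.0.0.0/8", "2001:db8:1::/48"):
        print(cidr, text_vs_apl(cidr))   # (14, 7) (10, 5) (15, 10)
```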

[Attachment: draft-adell-client-roaming-01.txt]
MjAyMgoKClRhYmxlIG9mIENvbnRlbnRzCgogICAxLiAgSW50cm9kdWN0aW9uICAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDIKICAgMi4gIENvbnZlbnRp
b25zIFVzZWQgaW4gVGhpcyBEb2N1bWVudCAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICAz
CiAgIDMuICBUaGUgQ1JDIFJlc291cmNlIFJlY29yZCAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuICAgNAogICAgIDMuMS4gIFJSIG5hbWUgZmllbGQgLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDQKICAgICAzLjIuICBDUkMgUkRBVEEgV2ly
ZSBGb3JtYXQgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA0CiAgICAgMy4z
LiAgQ1JDIFByZXNlbnRhdGlvbiBGb3JtYXQgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuICAgNAogICA0LiAgVGhlIENSUyBSZXNvdXJjZSBSZWNvcmQgLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAgIDUKICAgICA0LjEuICBDUlMgUkRBVEEgV2lyZSBGb3JtYXQg
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA1CiAgICAgNC4yLiAgQ1JTIFBy
ZXNlbnRhdGlvbiBGb3JtYXQgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgNQog
ICA1LiAgRXhhbXBsZXMgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAgIDYKICAgICA1LjEuICBSZXN0cmljdGVkIEFwcGxpY2F0aW9uICAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA2CiAgICAgNS4yLiAgQ29udHJvbGxlZCBBcHBs
aWNhdGlvbiAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgNwogICAgIDUuMy4g
IE9wZW5lZCBBcHBsaWNhdGlvbiAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAgIDgKICAgNi4gIElBTkEgQ29uc2lkZXJhdGlvbnMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gICA5CiAgIDcuICBTZWN1cml0eSBDb25zaWRlcmF0aW9ucyAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgOQogICAgIDcuMS4gIEROUyBtaXNj
b25maWd1cmF0aW9uICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDkKICAg
ICA3LjIuICBETlMgU2VjdXJpdHkgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gIDEwCiAgICAgNy4zLiAgQXBwbGljYXRpb24gU2VjdXJpdHkgIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxMAogICA4LiAgUmVmZXJlbmNlcyAgLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTAKICAgICA4LjEuICBO
b3JtYXRpdmUgUmVmZXJlbmNlcyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
IDExCiAgICAgOC4yLiAgSW5mb3JtYXRpdmUgUmVmZXJlbmNlcyAgLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuICAxMQogICBBdXRob3IncyBBZGRyZXNzICAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTEKCjEuICBJbnRyb2R1Y3Rpb24KCiAg
IElsbGVnaXRpbWF0ZSBhY2Nlc3MgdG8gcHJvZmVzc2lvbmFsIHJlc3RyaWN0ZWQgYXBwbGljYXRp
b25zIG92ZXIKICAgSW50ZXJuZXQgaXMgYSBwZXJtYW5lbnQgdGhyZWF0IGZvciBvcmdhbml6YXRp
b25zIGFuZCB0aGVpciBzdGFmZi4KICAgRGlmZmVyZW50IG1ldGhvZHMgY2FuIGJlIHVzZWQgdG8g
aW1wZXJzb25hdGUgYSB1c2VyIGFjY2VzcywgYW5kIGluCiAgIHNvbWUgY2FzZXMgYW4gb3JnYW5p
emF0aW9uIGFsc28gd2FudHMgdG8gYmV0dGVyIHByZXZlbnQgaXRzIG93biBzdGFmZgogICB0byBh
Y2Nlc3MgYSB0aGlyZC1wYXJ0eSBhcHBsaWNhdGlvbiBmcm9tIGEgbmV0d29yayB3aGljaCBpcyBu
b3QgdW5kZXIKICAgaXRzIGNvbnRyb2wuICBPbiB0aGUgY29udHJhcnksIGFuIG9yZ2FuaXphdGlv
biBtYXliZSB3YW50cyB0byBhbGxvdwogICByb2FtaW5nIHRoZW4gaXRzIHVzZXJzIGNhbiBhY2Nl
c3MgZnJvbSBkaWZmZXJlbnQga25vd24gcGxhY2VzLgoKICAgVGhlIENsaWVudCBSb2FtaW5nIENv
bnRyb2wgKENSQykgRE5TIFJlc291cmNlIFJlY29yZCAoUlIpIGFjdHMgYXMgYQogICBXaGl0ZS1M
aXN0IGFuZCBpbmZvcm1zIGEgY29tcGF0aWJsZSBhcHBsaWNhdGlvbiBmcm9tIHdoaWNoIG5ldHdv
cmtzCiAgIGl0cyB1c2VycyBhcmUgYWxsb3dlZCB0byBjb25uZWN0LCBiZSBpdCBhIGxpbWl0ZWQg
bGlzdCBvZiBuZXR3b3JrcyBvcgogICBicm9hZGx5IHdpdGhvdXQgYW55IHJlc3RyaWN0aW9uLgoK
CgoKCgoKCgoKCgpBZGVsbCAgICAgICAgICAgICAgICAgICAgRXhwaXJlcyAxNCBPY3RvYmVyIDIw
MjIgICAgICAgICAgICAgICAgW1BhZ2UgMl0KDApJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgQ2xp
ZW50IFJvYW1pbmcgQ29udHJvbCAgICAgICAgICAgICAgIEFwcmlsIDIwMjIKCgogICBBdCB0aGUg
YXBwbGljYXRpb24gbGV2ZWwsIHRoZSBpZGVudGlmaWNhdGlvbiBvZiB0aGUgdXNlcidzCiAgIG9y
Z2FuaXphdGlvbiBkb21haW4gY2FuIGJlIGJhc2VkIG9uIGFuIGluZm9ybWF0aW9uIGNhcnJpZWQg
ZHVyaW5nIHRoZQogICBhdXRoZW50aWNhdGlvbiBwcm9jZXNzLCBvciBhIGxvb2t1cCBvbiBhbiBp
bmZvcm1hdGlvbiBhbHJlYWR5IGtub3duCiAgIGJ5IHRoZSBhcHBsaWNhdGlvbi4gIEluIGJvdGgg
Y2FzZXMgdGhpcyBpbmZvcm1hdGlvbiBsZXRzIHRoZQogICBhcHBsaWNhdGlvbiByZWxhdGUgdGhl
IHVzZXIgdG8gaXRzIG9yZ2FuaXphdGlvbiB1bmVxdWl2b2NhbGx5LgogICBGaW5hbGx5LCB0aGUg
Y29ycmVzcG9uZGluZyB1c2VyJ3MgZG9tYWluIEROUyB3aWxsIGJlIHJlcXVlc3RlZCB3aXRoCiAg
IHRoZSBhcHBsaWNhdGlvbidzIEZRRE4gYW5kIHBvcnQsIGFuZCB0aGUgYXBwbGljYXRpb24gd2ls
bCBrbm93CiAgIHdoZXRoZXIgYW4gYXV0aG9yaXphdGlvbiBpcyBleHBlY3RlZCBvciBub3QuICBT
b21lIGV4YW1wbGVzIHdpbGwgYmUKICAgZ2l2ZW4gaW4gdGhpcyBkb2N1bWVudC4KCiAgIFRoZSBh
cHBsaWNhdGlvbnMgaW1wbGVtZW50aW5nIHRoaXMgYXV0aG9yaXphdGlvbiBjb250cm9sIGxldCB0
aGUKICAgY2xpZW50IG9yZ2FuaXphdGlvbnMga25vdyB0aGlzIGZlYXR1cmUgaXMgYXZhaWxhYmxl
IGJ5IHVzaW5nIHRoZQogICBDbGllbnQgUm9hbWluZyBTdXBwb3J0IChDUlMpIFJSLiAgVGhlIGRh
dGEgYXNzb2NpYXRlZCB3aXRoIHRoaXMKICAgcmVjb3JkIGluZGljYXRlcyBpZiB0aGUgY2xpZW50
J3Mgb3JnYW5pemF0aW9uIGV4cGVjdGVkIHN1cHBvcnQgb2YgdGhlCiAgIENSQyBpcyBtYW5kYXRv
cnksIG9wdGlvbmFsLCBvciBpZ25vcmVkLiAgVGhpcyBpbmZvcm1hdGlvbiBzdG9yZWQgaW4KICAg
dGhlIENSUyBjYW4gYmUgY29uZmlybWVkIGF0IHRoZSBhcHBsaWNhdGlvbiBsZXZlbCBieSBhIHJl
ZHVuZGFudAogICBkYXRhLiAgVGhlIHdheSB0aGUgYXBwbGljYXRpb24gaGFuZGxlcyB0aGUgYXV0
aG9yaXphdGlvbiBtZWNoYW5pc20sCiAgIGJ5IGNvbnN1bHRpbmcgdGhlIGFzc29jaWF0ZWQgQ1JT
IHJlY29yZCBvciBub3QsIGlzIGxlZnQgdG8gdGhlCiAgIGltcGxlbWVudG9yLgoKICAgQWx0aG91
Z2ggdGhpcyBtZWNoYW5pc20gaXMgZGVzaWduZWQgZm9yIGltcHJvdmluZyB0aGUgc2VjdXJpdHkK
ICAgYmV0d2VlbiBkaWZmZXJlbnQgb3JnYW5pemF0aW9ucywgdGhlcmUgaXMgbm8gb2JqZWN0aW9u
IHRvIHVzZSBpdCBmb3IKICAgYSBzYW1lIG9yZ2FuaXphdGlvbiBwbGF5aW5nIGJvdGggcm9sZXMg
b2YgY2xpZW50IGFuZCBhcHBsaWNhdGlvbiAsIGFzCiAgIGFuIGFsdGVybmF0aXZlIG9yIGFkZGl0
aW9uYWwgbGF5ZXIgdG8gYSBzb2x1dGlvbiBhbHJlYWR5IGluIHBsYWNlLAogICBzdWNoIGFzIGEg
ZmlyZXdhbGwgZm9yIGV4YW1wbGUuCgoyLiAgQ29udmVudGlvbnMgVXNlZCBpbiBUaGlzIERvY3Vt
ZW50CgogICBUaGlzIHNwZWNpZmljYXRpb24gdXNlcyBkZWZpbml0aW9ucyBmcm9tIERvbWFpbiBO
YW1lIFN5c3RlbQogICBbUkZDMTAzNV0sIGFuZCByZWFkZXJzIHVuZmFtaWxpYXIgd2l0aCBpdCBj
YW4gYWxzbyBjaGVjayBETlMKICAgVGVybWlub2xvZ3kgW1JGQzg0OTldLiAgVGhlIHN5bnRheCBz
cGVjaWZpY2F0aW9uIHVzZXMgdGhlIEF1Z21lbnRlZAogICBCYWNrdXMtTmF1ciBGb3JtIChBQk5G
KSBub3RhdGlvbiBhcyBzcGVjaWZpZWQgaW4gW1JGQzUyMzRdLCB3aXRoIHNvbWUKICAgZXhwcmVz
c2lvbnMgYmVpbmcgZGVmaW5lZCBpbiAiVW5pZm9ybSBSZXNvdXJjZSBJZGVudGlmaWVyIChVUkkp
OgogICBHZW5lcmljIFN5bnRheCIgW1JGQzM5ODZdIGFuZCAiSVAgVmVyc2lvbiA2IEFkZHJlc3Np
bmcgQXJjaGl0ZWN0dXJlIgogICBbUkZDNDI5MV0uCgogICBUaGUga2V5IHdvcmRzICJNVVNUIiwg
Ik1VU1QgTk9UIiwgIlJFUVVJUkVEIiwgIlNIQUxMIiwgIlNIQUxMIE5PVCIsCiAgICJTSE9VTEQi
LCAiU0hPVUxEIE5PVCIsICJSRUNPTU1FTkRFRCIsICJOT1QgUkVDT01NRU5ERUQiLCAiTUFZIiwg
YW5kCiAgICJPUFRJT05BTCIgaW4gdGhpcyBkb2N1bWVudCBhcmUgdG8gYmUgaW50ZXJwcmV0ZWQg
YXMgZGVzY3JpYmVkIGluIEJDUAogICAxNCBbUkZDMjExOV0gW1JGQzgxNzRdIHdoZW4sIGFuZCBv
bmx5IHdoZW4sIHRoZXkgYXBwZWFyIGluIGFsbAogICBjYXBpdGFscywgYXMgc2hvd24gaGVyZS4K
CgoKCgoKCgoKCkFkZWxsICAgICAgICAgICAgICAgICAgICBFeHBpcmVzIDE0IE9jdG9iZXIgMjAy
MiAgICAgICAgICAgICAgICBbUGFnZSAzXQoMCkludGVybmV0LURyYWZ0ICAgICAgICAgICBDbGll
bnQgUm9hbWluZyBDb250cm9sICAgICAgICAgICAgICAgQXByaWwgMjAyMgoKCjMuICBUaGUgQ1JD
IFJlc291cmNlIFJlY29yZAoKICAgVGhlIENSQyBSUiBwdXJwb3NlIGlzIHRvIHByb3ZpZGUgYSBs
aXN0IG9mIElQIHJhbmdlcyBhdXRob3JpemVkIHRvCiAgIHVzZSBhIHBhcnRpY3VsYXIgYXBwbGlj
YXRpb24uICBFYWNoIFJSIGNvbnRhaW5zIGEgbGlzdCBvZiBlaXRoZXIgSVB2NAogICBvciBJUHY2
IG5ldHdvcmsgYWRkcmVzcyByYW5nZXMuICBUaGVzZSByYW5nZXMgTVVTVCBmb2xsb3cgdGhlIENJ
RFIKICAgbm90YXRpb24uICBBIHNpbmdsZSBDUkMgUlIgTUFZIGNvbnRhaW4gcmFuZ2VzIGZvciBk
aWZmZXJlbnQgSVAKICAgdmVyc2lvbnMsIGJ1dCBpbiB0aGUgY2FzZSBvZiBtYW55IHJhbmdlcyB0
aGlzIGNhbiBiZSBkaWZmaWN1bHQgdG8KICAgcmVhZCBvciBtYWludGFpbiwgc28gZGVkaWNhdGlu
ZyBhIHJlY29yZCB0byBlYWNoIElQIHZlcnNpb24gb3Igbm90IGlzCiAgIGxlZnQgdG8gdGhlIGFk
bWluaXN0cmF0b3IuICBNdWx0aXBsZSBSUnMgTUFZIGJlIGRlZmluZWQgZm9yIGEgZ2l2ZW4KICAg
SVAgdmVyc2lvbi4KCjMuMS4gIFJSIG5hbWUgZmllbGQKCiAgIFRoZSBDUkMgUlIgbmFtZSBmaWVs
ZCBpcyBjb21wb3NlZCBvZiB0aGUgdGhpcmQtcGFydHkgYXBwbGljYXRpb24KICAgZG9tYWluLCBp
dHMgcG9ydCwgZm9sbG93ZWQgYnkgdGhlIGZ1bGx5IHF1YWxpZmllZCBuYW1lIGluaGVyZW50IGlu
CiAgIHRoaXMgem9uZS4gIFRoZXNlIHRocmVlIGNvbXBvbmVudHMgYXJlIHNlcGFyYXRlZCBieSB0
aGUgdW5kZXJzY29yZQogICBjaGFyYWN0ZXIuCgozLjIuICBDUkMgUkRBVEEgV2lyZSBGb3JtYXQK
CiAgIFRoZSBDUkMgUkRBVEEgd2lyZSBmb3JtYXQgaXMgZW5jb2RlZCBhcyBmb2xsb3dzOgoKICAg
ICAgICstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSsKICAg
ICAgIC8gICAgICAgICAgICAgICAgICAgICBDUkMgICAgICAgICAgICAgICAgICAgICAgIC8KICAg
ICAgIC8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8KICAg
ICAgICstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSsKCiAg
IFRoZSBDUkMgZmllbGQgY29udGFpbnMgYSBsaXN0IG9mIGVpdGhlciBJUHY0IG9yIElQdjYgcmFu
Z2VzIHNlcGFyYXRlZAogICBieSB0aGUgY29tbWEgY2hhcmFjdGVyLgoKMy4zLiAgQ1JDIFByZXNl
bnRhdGlvbiBGb3JtYXQKCiAgIFRoZSBwcmVzZW50YXRpb24gZm9ybWF0IG9mIHRoZSBDUkMgcmVj
b3JkIGlzOgoKICAgQ1JDIChpcDRuZXRsaXN0IFssaXA2bmV0bGlzdF0pIC8gKFtpcDRuZXRsaXN0
LF0gaXA2bmV0bGlzdCkKCiAgIGlwNG5ldGxpc3QgPSBpcDRuZXQgKigsaXA0bmV0KQoKICAgaXA0
bmV0ID0gSVB2NGFkZHJlc3MgIi8iIGlwNHJhbmdlCgogICBpcDRyYW5nZSA9IERJR0lUIC8gIjEi
IERJR0lUIC8gIjIiIERJR0lUIC8gIjMiIERJR0lUICV4MzAtMzIKCiAgIGlwNm5ldGxpc3QgPSBp
cDZuZXQgKigsaXA2bmV0KQoKICAgaXA2bmV0ID0gKGlwdjYtYWRkcmVzcyAiLyIgcHJlZml4LWxl
bmd0aCkKCgoKCgoKQWRlbGwgICAgICAgICAgICAgICAgICAgIEV4cGlyZXMgMTQgT2N0b2JlciAy
MDIyICAgICAgICAgICAgICAgIFtQYWdlIDRdCgwKSW50ZXJuZXQtRHJhZnQgICAgICAgICAgIENs
aWVudCBSb2FtaW5nIENvbnRyb2wgICAgICAgICAgICAgICBBcHJpbCAyMDIyCgoKNC4gIFRoZSBD
UlMgUmVzb3VyY2UgUmVjb3JkCgogICBUaGUgQ1JTIFJSIGluZGljYXRlcyB3aGljaCBjb250cm9s
IGlzIGRvbmUgb24gdGhlIGNsaWVudAogICBvcmdhbml6YXRpb25zLCBhbmQgdGh1cyB3aGljaCBv
bmVzIGFyZSBhdXRob3JpemVkLiAgQSByZXF1aXJlbWVudAogICBmaWVsZCBpcyB1c2VkIGZvciB0
aGlzIHB1cnBvc2UsIGl0IGhhcyBvbmUgb2YgdGhlIGZvbGxvd2luZyB2YWx1ZXMKICAgbWVhbmlu
ZyB3aGVuIHRoZSBjaGVja2luZyBpcyBwZXJmb3JtZWQgOgoKICAgKiAgIk4iIDogTmV2ZXIsIGFs
bCBvcmdhbml6YXRpb25zIGFyZSBhdXRob3JpemVkCgogICAqICAiQSIgOiBBbHdheXMsIG9ubHkg
b3JnYW5pemF0aW9ucyB3aXRoIGEgQ1JDIGFyZSBhdXRob3JpemVkCgogICAqICAiTyIgOiBPcHRp
b25hbCwgYW55IG9yZ2FuaXphdGlvbiBDUkMgaXMgaG9ub3JlZCwgb3RoZXIKICAgICAgb3JnYW5p
emF0aW9ucyBhcmUgYXV0aG9yaXplZAoKICAgSW4gYWRkaXRpb24gdG8gdGhpcyB2YWx1ZSwgYW4g
b3B0aW9uYWwgbGlzdCBvZiBwb3J0cyBjYW4gYmUgZ2l2ZW4uCiAgIEluZGVlZCwgbXVsdGlwbGUg
YXBwbGljYXRpb25zIGNhbiBiZSBob3N0ZWQgb24gZGlmZmVyZW50IHBvcnRzIHVuZGVyCiAgIHRo
ZSBzYW1lIGRvbWFpbiBuYW1lLCBhbmQgYW4gZXF1aXZhbGVudCBzdXBwb3J0IHdhcyBkZXNjcmli
ZWQgZm9yIHRoZQogICBDUkMgUlIuICBJbiBjYXNlIG9mIGRpZmZlcmVudCByZXF1aXJlbWVudCB2
YWx1ZXMsIGl0IGlzIFJFQ09NTUVOREVECiAgIHRvIGhhdmUgb25lIGRlZGljYXRlZCBSUiBmb3Ig
ZWFjaCBhbHRob3VnaCBvbmUgc2luZ2xlIFJSIHdpdGggYWxsIHRoZQogICBpbmZvcm1hdGlvbiBp
cyBzdXBwb3J0ZWQuICBPbmUgcGFydGljdWxhciBwb3J0IE1VU1QgTk9UIGFwcGVhciBpbgogICBt
b3JlIHRoYW4gb25lIFJSLiAgV2hlbiBubyBwb3J0IGlzIG1lbnRpb25lZCwgb25seSBvbmUgUlIg
TUFZIGJlCiAgIGRlY2xhcmVkIGFuZCBpdHMgcmVxdWlyZW1lbnQgdmFsdWUgY292ZXJzIGFsbCBh
cHBsaWNhdGlvbnMgZm9yIHRoaXMKICAgZG9tYWluIG5hbWUuCgogICBJbiB0aGUgYWJzZW5jZSBv
ZiBzdWNoIHJlY29yZCwgbm8gcm9hbWluZyBjb250cm9sIGlzIHRvIGJlIGV4cGVjdGVkCiAgIGJ5
IHRoZSBjbGllbnQsIGFueSBvZiBpdHMgQ1JDIFJScyB3aWxsIGJlIGlnbm9yZWQuICBJdCBpcyBl
cXVpdmFsZW50CiAgIHRvIGEgQ1JTIHJlcXVpcmVtZW50IHZhbHVlIGluZGljYXRpbmcgbm8gY29u
dHJvbCBpcyBwZXJmb3JtZWQuCgo0LjEuICBDUlMgUkRBVEEgV2lyZSBGb3JtYXQKCiAgIFRoZSBD
UlMgUkRBVEEgd2lyZSBmb3JtYXQgaXMgZW5jb2RlZCBhcyBmb2xsb3dzOgoKICAgICAgICstLSst
LSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSsKICAgICAgIC8gICAg
ICAgICAgICAgICAgICAgICBDUlMgICAgICAgICAgICAgICAgICAgICAgIC8KICAgICAgIC8gICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8KICAgICAgICstLSst
LSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSstLSsKCiAgIFRoZSBDUlMg
ZmllbGQgY29udGFpbnMgYSBsaXN0IG9mIHJlcXVpcmVtZW50cyBmb2xsb3dlZCBieSB0aGVpcgog
ICByZXNwZWN0aXZlIG9wdGlvbmFsIHBvcnRzLgoKNC4yLiAgQ1JTIFByZXNlbnRhdGlvbiBGb3Jt
YXQKCiAgIFRoZSBwcmVzZW50YXRpb24gZm9ybWF0IG9mIHRoZSBDUlMgcmVjb3JkIGlzOgoKICAg
Q1JTIChzaW5nbGUtcnVsZSAvIG11bHRpcGxlLXJ1bGVzKQoKICAgc2luZ2xlLXJ1bGUgPSAiUj0i
ICgiTiIgLyAiQSIgLyAiTyIpICooLHBvcnQpCgoKCgpBZGVsbCAgICAgICAgICAgICAgICAgICAg
RXhwaXJlcyAxNCBPY3RvYmVyIDIwMjIgICAgICAgICAgICAgICAgW1BhZ2UgNV0KDApJbnRlcm5l
dC1EcmFmdCAgICAgICAgICAgQ2xpZW50IFJvYW1pbmcgQ29udHJvbCAgICAgICAgICAgICAgIEFw
cmlsIDIwMjIKCgogICBtdWx0aXBsZS1ydWxlcyA9IHVuaXQtcnVsZSAxKjIoO3VuaXQtcnVsZSkK
CiAgIHVuaXQtcnVsZSA9ICJSPSIgKCJOIiAvICJBIiAvICJPIikgMSooLHBvcnQpCgogICBwb3J0
ID0gWzEtOV0gKihbRElHSVRdKQoKNS4gIEV4YW1wbGVzCgogICBUaGUgZm9sbG93aW5nIGV4YW1w
bGVzIHNob3cgc29tZSB0eXBpY2FsIHVzZXMgZXhwZWN0ZWQgZnJvbSB0aGlzCiAgIGRvY3VtZW50
YXRpb24uICBQYXJ0aWN1bGFybHksIHRoZSBpbnRlbmRlZCBiZWhhdmlvcnMgZm9yIGRpZmZlcmVu
dAogICBDUkMgYW5kIENSUyB2YWx1ZXMgYXJlIGV4cGxhaW5lZCwgd2hpbGUgdGhlIHVzZXIgaWRl
bnRpZmljYXRpb24gaXMKICAgZG9uZSBkaXJlY3RseSB0aHJvdWdoIGNhcnJpZWQgZGF0YSBvciBh
IGRlZHVjdGlvbiBwcm9jZXNzLgoKNS4xLiAgUmVzdHJpY3RlZCBBcHBsaWNhdGlvbgoKICAgSW4g
dGhpcyBleGFtcGxlLCBhbiBhcHBsaWNhdGlvbiBpcyBvbmx5IG9wZW5lZCB0byBvcmdhbml6YXRp
b25zCiAgIHB1Ymxpc2hpbmcgdGhlaXIgcmVzcGVjdGl2ZSBhbGxvd2VkIG5ldHdvcmtzLiAgVGhl
IHJlcXVpcmVtZW50IHZhbHVlCiAgIG9mIHRoZSBDUlMgcmVjb3JkIGVxdWFscyAiQSIsIGFuZCBh
bnkgb3JnYW5pemF0aW9uIHdpdGggYW4gZW1wdHkgb3IKICAgbWlzc2luZyBDUkMgZm9yIHRoaXMg
YXBwbGljYXRpb24gd2lsbCBiZSBkZW5pZWQgYWNjZXNzLgoKICAgVGhlIGZ0cC5leGFtcGxlLmNv
bSBkb21haW4gaXMgZGVkaWNhdGVkIHRvIGhvc3RpbmcgYW4gRlRQCiAgIGFwcGxpY2F0aW9uLCB3
aGljaCBleHRyYWN0cyB0aGUgY2xpZW50J3MgZG9tYWluIGZyb20gdGhlIHVzZXJuYW1lCiAgIHVz
ZWQgZHVyaW5nIHRoZSBhdXRoZW50aWNhdGlvbiBwcm9jZXNzLiAgVGhpcyBpbmZvcm1hdGlvbiBp
cyB0aGVuCiAgIHVzZWQgZm9yIHJlcXVlc3RpbmcgdGhlIGNsaWVudCBDUkMgcmVjb3JkIGFuZCBm
aW5hbGx5IGNvbXBhcmluZyBpdHMKICAgY29udGVudCB3aXRoIHRoZSBjbGllbnQncyBJUC4gIFRo
ZSBjbGllbnQgb3JnYW5pemF0aW9uIGV4YW1wbGUubmV0CiAgIGFsbG93cyBpdHMgdXNlcnMgZnJv
bSBpdHMgb3duIG5ldHdvcmsgMTkyLjAuMi4wLzI0IGFuZCBmcm9tIGEgY2xvdWQKICAgc2Vydmlj
ZSBsb2NhdGVkIGF0IDE5OC41MS4xMDAuMC8yNC4gIEEgc2Vjb25kIG9yZ2FuaXphdGlvbgogICBl
eGFtcGxlLm9yZyBoYXMgbm8gQ1JDIHJlY29yZCBhbmQgaXRzIHVzZXJzIGFyZSByZWplY3RlZC4K
CiAgIEFwcGxpY2F0aW9uIEZRRE4gOiBmdHAuZXhhbXBsZS5jb20KICAgQXBwbGljYXRpb24gQ1JT
IHJlY29yZCA6IGZ0cC5leGFtcGxlLmNvbS4gIElOIENSUyBSPUEsMjEKCiAgIENsaWVudCBGUURO
IDogZXhhbXBsZS5uZXQKICAgQ2xpZW50IG9yZ2FuaXphdGlvbiBDUkMgcmVjb3JkIDogZnRwLmV4
YW1wbGUuY29tXzIxLmV4YW1wbGUubmV0LiAgSU4KICAgQ1JDIDE5Mi4wLjIuMC8yNCwxOTguNTEu
MTAwLjAvMjQKCiAgIENsaWVudCBGUUROIDogZXhhbXBsZS5vcmcKICAgTm8gY2xpZW50IG9yZ2Fu
aXphdGlvbiBDUkMgcmVjb3JkCgoKCgoKCgoKCgoKCgpBZGVsbCAgICAgICAgICAgICAgICAgICAg
RXhwaXJlcyAxNCBPY3RvYmVyIDIwMjIgICAgICAgICAgICAgICAgW1BhZ2UgNl0KDApJbnRlcm5l
dC1EcmFmdCAgICAgICAgICAgQ2xpZW50IFJvYW1pbmcgQ29udHJvbCAgICAgICAgICAgICAgIEFw
cmlsIDIwMjIKCgogICBDbGllbnQgRE5TICBDbGllbnQgRlRQICAgICAgICAgICAgICAgIFNlcnZl
ciBGVFAKCiAgICAgICAgICAgICAgICAgICAgIEZUUCBVU0VSIG1lQGV4YW1wbGUubmV0CiAgICAg
ICAgICAgICAgIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tPgogICAgICAgICAgICAgICAg
ICAgICAgICAgICAgLi4uCiAgICAgICAgICAgICAgICAgICAgIEZUUCBQQVNTICoqKioqKioqCiAg
ICAgICAgICAgICAgIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tPgogICAgICAgICAgUXVl
cnkgOiBDUkMgZnRwLmV4YW1wbGUuY29tXzIxLmV4YW1wbGUubmV0CiAgICAgICAgPC0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQogICAgICAgICAgQW5zd2VyIDogQ1JDIGZ0cC5l
eGFtcGxlLmNvbV8yMS5leGFtcGxlLm5ldCAxOTIuMC4yLjAvMjQsMTk4LjUxLjEwMC4wLzI0CiAg
ICAgICAgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tPgogICAgICAgICAgICAg
ICAgICAgICBGVFAgMjMwCiAgICAgICAgICAgICAgPC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLQoKCiAgICAgICAgICAgICAgICAgICAgIEZUUCBVU0VSIG1lQGV4YW1wbGUub3JnCiAgICAg
ICAgICAgICAgIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tPgogICAgICAgICAgICAgICAg
ICAgICAgICAgICAgLi4uCiAgICAgICAgICAgICAgICAgICAgIEZUUCBQQVNTICoqKioqKioqCiAg
ICAgICAgICAgICAgIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tPgogICAgICAgICAgUXVl
cnkgOiBDUkMgZnRwLmV4YW1wbGUuY29tXzIxLmV4YW1wbGUub3JnCiAgICAgICAgPC0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQogICAgICAgICAgQW5zd2VyIDogTm8gc3VjaCBu
YW1lICgzKQogICAgICAgIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLT4KICAg
ICAgICAgICAgICAgICAgICAgRlRQIDQzMAogICAgICAgICAgICAgIDwtLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0KCjUuMi4gIENvbnRyb2xsZWQgQXBwbGljYXRpb24KCiAgIFRoZSB3d3cu
ZXhhbXBsZS5jb20gZG9tYWluIGhvc3RzIGEgV2ViIGFwcGxpY2F0aW9uIG9uIHBvcnQgNDQzIHVz
aW5nCiAgIGNsaWVudCBjZXJ0aWZpY2F0ZXMgZm9yIGF1dGhlbnRpY2F0aW5nIGl0cyB1c2Vycy4g
IFRoZSBhcHBsaWNhdGlvbgogICBleHRyYWN0cyB0aGUgY2xpZW50IGRvbWFpbnMgZnJvbSB0aGUg
Y2VydGlmaWNhdGVzLCB3aGljaCBhcmUgdXNlZCB0bwogICByZXRyaWV2ZSB0aGVpciBDUkMgcmVj
b3Jkcy4gIFVzZXJzIGZyb20gdGhlIGV4YW1wbGUubmV0IG9yZ2FuaXphdGlvbgogICBhcmUgYWxs
b3dlZCBvbmx5IGlmIHRoZXkgY29ubmVjdCBmcm9tIGFuIGF1dGhvcml6ZWQgbmV0d29yayBsaXN0
ZWQgaW4KICAgdGhlIENSQyByZWNvcmQsIHdoaWxlIHVzZXJzIGZyb20gZXhhbXBsZS5vcmcgYXJl
IGFsd2F5cyBncmFudGVkCiAgIGFjY2VzcyBzaW5jZSB0aGlzIG9uZSBoYXMgbm8gQ1JDIGRlY2xh
cmVkLgoKICAgQXBwbGljYXRpb24gRlFETiA6IHd3dy5leGFtcGxlLmNvbQogICBBcHBsaWNhdGlv
biBDUlMgcmVjb3JkIDogd3d3LmV4YW1wbGUuY29tLiAgSU4gQ1JTIFI9Tyw0NDMKCiAgIENsaWVu
dCBGUUROIDogZXhhbXBsZS5uZXQKICAgQ2xpZW50IG9yZ2FuaXphdGlvbiBDUkMgcmVjb3JkIDog
d3d3LmV4YW1wbGUuY29tXzQ0My5leGFtcGxlLm5ldC4gIElOCiAgIENSQyAxOTIuMC4yLjAvMjQs
MTk4LjUxLjEwMC4wLzI0CgogICBDbGllbnQgRlFETiA6IGV4YW1wbGUub3JnCiAgIE5vIGNsaWVu
dCBvcmdhbml6YXRpb24gQ1JDIHJlY29yZAoKCgoKCkFkZWxsICAgICAgICAgICAgICAgICAgICBF
eHBpcmVzIDE0IE9jdG9iZXIgMjAyMiAgICAgICAgICAgICAgICBbUGFnZSA3XQoMCkludGVybmV0
LURyYWZ0ICAgICAgICAgICBDbGllbnQgUm9hbWluZyBDb250cm9sICAgICAgICAgICAgICAgQXBy
aWwgMjAyMgoKCiAgIENsaWVudCBETlMgIENsaWVudCBicm93c2VyICAgICAgICAgICAgICAgIFdl
YiBhcHBsaWNhdGlvbgoKCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLi4uLi4KICAgICAg
ICAgICAgICAgICBDbGllbnQgY2VydGlmaWNhdGUgbWVAZXhhbXBsZS5uZXQKICAgICAgICAgICAg
ICAgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0+CiAgICAgICAgICBRdWVyeSA6
IENSQyB3d3cuZXhhbXBsZS5jb21fNDQzLmV4YW1wbGUubmV0CiAgICAgICAgPC0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQogICAgICAgICAgQW5zd2VyIDogQ1JDIHd3
dy5leGFtcGxlLmNvbV80NDMuZXhhbXBsZS5uZXQgMTkyLjAuMi4wLzI0LDE5OC41MS4xMDAuMC8y
NAogICAgICAgIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLT4KICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAuLi4uLgogICAgICAgICAgICAgICAgICAgICAyMDAg
T0sKICAgICAgICAgICAgICAgPC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCgoK
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAuLi4uLgogICAgICAgICAgICAgICAgIENsaWVu
dCBjZXJ0aWZpY2F0ZSBtZUBleGFtcGxlLm9yZwogICAgICAgICAgICAgICAtLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLT4KICAgICAgICAgIFF1ZXJ5IDogQ1JDIHd3dy5leGFtcGxl
LmNvbV80NDMuZXhhbXBsZS5vcmcKICAgICAgICA8LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tCiAgICAgICAgICBBbnN3ZXIgOiBObyBzdWNoIG5hbWUgKDMpCiAgICAg
ICAgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tPgogICAgICAgICAg
ICAgICAgICAgICAgICAgICAgIC4uLi4uCiAgICAgICAgICAgICAgICAgICAgIDIwMCBPSwogICAg
ICAgICAgICAgICA8LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KCjUuMy4gIE9w
ZW5lZCBBcHBsaWNhdGlvbgoKICAgQSBjb21wYW55IGlzIHRlc3RpbmcgdGhlIENSQyBhbmQgQ1JT
IGJlaGF2aW9ycyBiZWZvcmUgb3BlbmluZyBhIG5ldwogICBzZXJ2aWNlIHRvIGl0cyBjdXN0b21l
cnMuICBJdHMgZmlyc3QgdGVzdCBkZXNjcmliZWQgYmVsb3cgY29uc2lzdHMgaW4KICAgY29uZmln
dXJpbmcgYm90aCBzaWRlcyB0byBiZSBjb21wbGV0ZWx5IG9wZW5lZCwgbGlrZWx5IGJlZm9yZQog
ICBoYXJkZW5pbmcgdGhlIENSUywgdGhlbiB0aGUgQ1JDLCBhbmQgdGVzdGluZyBhZ2Fpbi4KCiAg
IFRoZSBhcHBsaWNhdGlvbi5leGFtcGxlLmNvbSBkb21haW4gaG9zdHMgYSBXZWIgYXBwbGljYXRp
b24gb24gcG9ydAogICA0NDMgd2hlcmUgdXNlcnMgYXJlIGxvZ2dlZCBpbiBieSBzZW5kaW5nIGEg
bnVtZXJpY2FsIGlkZW50aWZpZXIgYW5kIGEKICAgcGFzc3dvcmQuICBUaGUgYXBwbGljYXRpb24g
dXNlcyBhIGRpY3Rpb25hcnkgZGF0YSB0eXBlIHRvIGlkZW50aWZ5CiAgIHRoZSB1c2VyJ3MgZG9t
YWluLiAgVGhlIGNsaWVudC5leGFtcGxlLm5ldCBkb21haW4gaXMgdGVtcG9yYXJpbHkKICAgdXNp
bmcgMiBDUkMgcmVjb3JkcyBpbmRpY2F0aW5nIGEgZnJlZSBhY2Nlc3MgZnJvbSBhbnl3aGVyZS4K
CiAgIEFwcGxpY2F0aW9uIEZRRE4gOiBhcHBsaWNhdGlvbi5leGFtcGxlLmNvbQogICBBcHBsaWNh
dGlvbiBDUlMgcmVjb3JkIDogYXBwbGljYXRpb24uZXhhbXBsZS5jb20uICBJTiBDUlMgUj1OLDQ0
MwoKICAgQ2xpZW50IEZRRE4gOiBjbGllbnQuZXhhbXBsZS5uZXQKICAgQ2xpZW50IG9yZ2FuaXph
dGlvbiBDUkMgcmVjb3JkcyA6CiAgIGFwcGxpY2F0aW9uLmV4YW1wbGUuY29tXzQ0My5leGFtcGxl
Lm5ldC4gIElOIENSQyAwLjAuMC4wLzI0CiAgIGFwcGxpY2F0aW9uLmV4YW1wbGUuY29tXzQ0My5l
eGFtcGxlLm5ldC4gIElOIENSQyBmZTgwOjovMTAKCgoKCgpBZGVsbCAgICAgICAgICAgICAgICAg
ICAgRXhwaXJlcyAxNCBPY3RvYmVyIDIwMjIgICAgICAgICAgICAgICAgW1BhZ2UgOF0KDApJbnRl
cm5ldC1EcmFmdCAgICAgICAgICAgQ2xpZW50IFJvYW1pbmcgQ29udHJvbCAgICAgICAgICAgICAg
IEFwcmlsIDIwMjIKCgogICBDbGllbnQgRE5TICBDbGllbnQgYnJvd3NlciAgICAgICAgICAgICAg
ICBXZWIgYXBwbGljYXRpb24KCgogICAgICAgICAgICAgICAgICAgICAgICAgICAgIC4uLi4uCiAg
ICAgICAgICAgICAgICAgSFRUUCBQT1NUIDEyMzQ1Ni8qKioqKioKICAgICAgICAgICAgICAgLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0+CiAgICAgICAgICAgICAgICAgICAgIDIw
MCBPSwogICAgICAgICAgICAgICA8LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0K
CjYuICBJQU5BIENvbnNpZGVyYXRpb25zCgogICBBY2NvcmRpbmcgdG8gR3VpZGVsaW5lcyBmb3Ig
V3JpdGluZyBhbiBJQU5BIENvbnNpZGVyYXRpb25zIFNlY3Rpb24gaW4KICAgUkZDcyBbUkZDODEy
Nl0gaXQgaXMgYXNrZWQgdG8gSUFOQSB0byBhZGQgaW50byB0aGUgUmVzb3VyY2UgUmVjb3JkCiAg
IChSUikgVFlQRXMgcmVnaXN0cnkgbG9jYXRlZCBhdCBodHRwczovL3d3dy5pYW5hLm9yZy9hc3Np
Z25tZW50cy9kbnMtCiAgIHBhcmFtZXRlcnMvZG5zLXBhcmFtZXRlcnMueGh0bWwjZG5zLXBhcmFt
ZXRlcnMtNCB0aGUgdHdvIGVudHJpZXMgQ1JDCiAgIGFuZCBDUlMuCgogICAgICAgICAgICstLS0t
LS0rLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rCiAgICAgICAg
ICAgfCBUWVBFIHwgVmFsdWUgfCBEZXNjcmlwdGlvbiAgICAgICAgICAgIHwgUmVmZXJlbmNlIHwK
ICAgICAgICAgICArLS0tLS0tKy0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0t
LS0tLS0tKwogICAgICAgICAgIHwgQ1JDICB8IFRCRDEgIHwgQ2xpZW50IFJvYW1pbmcgQ29udHJv
bCB8IHRoaXMgUkZDICB8CiAgICAgICAgICAgKy0tLS0tLSstLS0tLS0tKy0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLSstLS0tLS0tLS0tLSsKICAgICAgICAgICB8IENSUyAgfCBUQkQyICB8IENsaWVu
dCBSb2FtaW5nIFN1cHBvcnQgfCB0aGlzIFJGQyAgfAogICAgICAgICAgICstLS0tLS0rLS0tLS0t
LSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rCgogICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgVGFibGUgMQoKNy4gIFNlY3VyaXR5IENvbnNpZGVyYXRpb25zCgog
ICBUaGlzIHNlY3Rpb24gaXMgbWVhbnQgdG8gaW5mb3JtIGRldmVsb3BlcnMgYW5kIHVzZXJzIG9m
IHRoZSBzZWN1cml0eQogICBpbXBsaWNhdGlvbnMgb2YgdGhlIENSQy9DUlMgbWVjaGFuaXNtIGRl
c2NyaWJlZCBieSB0aGlzIGRvY3VtZW50LgogICBXaGlsZSB0aGUgQ1JTIFJSIG1vc3RseSBwbGF5
cyBhbiBpbmZvcm1hdGl2ZSByb2xlLCB0aGUgQ1JDIFJSCiAgIGRlbGl2ZXJzIGltcG9ydGFudCBk
YXRhIHdoaWNoIHJlcXVpcmVzIGF0dGVudGlvbiBmcm9tIHRoZSBkZXZlbG9wZXJzCiAgIGFuZCBh
ZG1pbmlzdHJhdG9ycy4gIFNvbWUgcGFydGljdWxhciBwb2ludHMgYXJlIGRpc2N1c3NlZCBoZXJl
LgoKNy4xLiAgRE5TIG1pc2NvbmZpZ3VyYXRpb24KCiAgIEFueSBETlMgQ1JTIG1pc2NvbmZpZ3Vy
YXRpb24gc3VjaCBhcyBtdWx0aXBsZSByZWNvcmRzIHdpdGggZGlmZmVyZW50CiAgIHJlcXVpcmVt
ZW50IHZhbHVlcyBidXQgd2l0aCB0aGUgc2FtZSBwb3J0IHZhbHVlIGNhbiBnZXQgYSBjbGllbnQK
ICAgY29uZnVzZWQuICBJbiB0aGlzIGNhc2UgdGhlIGNsaWVudCBkb2VzIG5vdCBrbm93IHdpdGhv
dXQgdGVzdGluZyB0aGUKICAgYWN0dWFsIGNvbmZpZ3VyYXRpb24sIGlmIGl0cyBvcmdhbml6YXRp
b24gaXMgcHJvdGVjdGVkIGFnYWluc3QKICAgcm9hbWluZywgYW5kIGNvbnRhY3RpbmcgdGhlIGFw
cGxpY2F0aW9uIGFkbWluaXN0cmF0b3IgdG8gZml4IHRoZQogICBzaXR1YXRpb24gaXMgYSBwb3Nz
aWJpbGl0eS4KCiAgIFdoaWxlIENSQyBtaXNjb25maWd1cmF0aW9ucyBhcmUgbW9yZSBvciBsZXNz
IGxlYWRpbmcgdG8gc2VyaW91cwogICBzZWN1cml0eSBwcm9ibGVtcywgYWRtaW5pc3RyYXRvcnMg
bmVlZCB0byBwYXkgYXR0ZW50aW9uIHdoZW4gZGVhbGluZwogICB3aXRoIG11bHRpcGxlIG5ldHdv
cmtzIG9yIHJlY29yZHMuICBQYXJ0aWN1bGFybHksIG11bHRpcGxlIHJlY29yZHMKICAgZm9yIHRo
ZSBzYW1lIG5ldHdvcmsgcmFuZ2Ugb3Igb3ZlcmxhcHBpbmcgbmV0d29ya3Mgc2hvdWxkIGJlIGF2
b2lkZWQuCgoKCkFkZWxsICAgICAgICAgICAgICAgICAgICBFeHBpcmVzIDE0IE9jdG9iZXIgMjAy
MiAgICAgICAgICAgICAgICBbUGFnZSA5XQoMCkludGVybmV0LURyYWZ0ICAgICAgICAgICBDbGll
bnQgUm9hbWluZyBDb250cm9sICAgICAgICAgICAgICAgQXByaWwgMjAyMgoKCjcuMi4gIEROUyBT
ZWN1cml0eQoKICAgQ2xpZW50IGFuZCBhcHBsaWNhdGlvbiBhZG1pbmlzdHJhdG9ycyBuZWVkIHRv
IHBheSBhcyBtdWNoIGF0dGVudGlvbgogICBhcyB0aGV5IHVzdWFsbHkgZG8gd2hlbiBkZWFsaW5n
IHdpdGggRE5TIG1hbmFnZW1lbnQuICBBcyB0aGUgQ1JDCiAgIHJlY29yZHMgYXJlIHN1cHBvc2Vk
IHRvIGJlIHJlcXVlc3RlZCBkdXJpbmcgYW4gYXBwbGljYXRpb24KICAgYXV0aGVudGljYXRpb24g
cHJvY2VzcywgcmVmbGVjdGlvbiBhdHRhY2tzIGNvdWxkIGJlIGJ1aWx0IHRvIHRhcmdldCBhCiAg
IGNsaWVudCBvcmdhbml6YXRpb24sIGV2ZW4gb25lIG5vdCBob3N0aW5nIGFueSBDUkMgcmVjb3Jk
IGF0IGFsbC4KICAgSW4gYSBnZW5lcmFsIG1hbm5lciwgYWRtaW5pc3RyYXRvcnMgbWF5IGNvbnNp
ZGVyIGFuIGFkZXF1YXRlIFRUTAogICBzZXR0aW5nIHRvIG5vdCBvdmVybG9hZCBjbGllbnQgb3Jn
YW5pemF0aW9ucywgZW5hYmxlIFRDUCBhcyB0aGUKICAgcHJlZmVycmVkIHRyYW5zcG9ydCwgb3Ig
cmVseSBvbiBETlNTRUMgdG8gd2FycmFudCBkYXRhIGF1dGhlbnRpY2l0eQogICBhbmQgaW50ZWdy
aXR5LgoKNy4zLiAgQXBwbGljYXRpb24gU2VjdXJpdHkKCiAgIFRoZSBmb2xsb3dpbmcgcG9pbnRz
IGFyZSBvZiBjb25jZXJuIHRvIGRldmVsb3BlcnM6CgogICBFbmNyeXB0aW9uOgogICBXaGVuZXZl
ciBwb3NzaWJsZSwgdGhlIGFwcGxpY2F0aW9uIHByb3RvY29sIHNob3VsZCBiZSBlbmNyeXB0ZWQg
dG8KICAgcHJldmVudCBlYXZlc2Ryb3BwaW5nIGFuZCBtYW4taW4tdGhlLW1pZGRsZSBhdHRhY2tz
LiAgSXQgaXMgYQogICBjcml0aWNhbCBwb2ludCBmb3IgYXBwbGljYXRpb25zIG1haW50YWluaW5n
IGEgdXNlciBzZXNzaW9uIHdpdGgKICAgYW55dGhpbmcgbGlrZSBhIHRva2VuIG9yIGNvb2tpZSwg
YXMgaXQgY2FuIGxlYWQgdG8gc2Vzc2lvbiBoaWphY2tpbmcKICAgYXMgZGlzY3Vzc2VkIGJlbG93
LgoKICAgVGltaW5nIGF0dGFjazoKICAgQWxsIGF1dGhlbnRpY2F0aW9uIHN5c3RlbXMgbmVlZCB0
byBiZSBjYXJlZnVsIHRvIG5vdCBkZWxpdmVyIGFueQogICBpbmZvcm1hdGlvbiBkZXJpdmVkIGZy
b20gdGhlIGNvbXB1dGluZyB0aW1lIHRvIGEgZGVuaWVkIHVzZXIsIGV2ZW4KICAgdGhlIG9uZXMg
aW52b2x2aW5nIG11bHRpcGxlIGZhY3RvcnMgb3Igc3RlcHMgbGlrZSB0aGUgb25lIGRlc2NyaWJl
ZAogICBpbiB0aGlzIGRvY3VtZW50LiAgSW4gcGFydGljdWxhciwgdGhlIG9yZGVyIGluIHdoaWNo
IHRoZXNlIHN0ZXBzIGFyZQogICBleGVjdXRlZCBhbmQgdGhlaXIgcmVzcGVjdGl2ZSBpbXBsZW1l
bnRhdGlvbnMsIG5lZWQgdG8gZGVmZWF0CiAgIHN0YXRpc3RpY2FsIGh5cG90aGVzZXMuCgogICBJ
bnRlcm1lZGlhdGUgc3lzdGVtczoKICAgU29tZSBhcHBsaWNhdGlvbnMgYXJlIG5vdCBkaXJlY3Rs
eSBJbnRlcm5ldCBmYWNpbmcgYW5kIGNhbm5vdCBhY2Nlc3MKICAgdG8gdGhlIHJlYWwgY2xpZW50
J3MgSVAgYWRkcmVzcyB3aXRob3V0IGludm9sdmluZyBhIG1lY2hhbmlzbSB0bwogICBmb3J3YXJk
IHRoaXMgSVAgYXQgdGhlIGFwcGxpY2F0aW9uIGxheWVyLiAgRm9yIGV4YW1wbGUgd2l0aCBIVFRQ
LCB0aGUKICAgY29tbW9uIHByYWN0aWNlIGJhc2VkIG9uIHRoZSBub24tc3RhbmRhcmQgWC1Gb3J3
YXJkZWQtRm9yIGhlYWRlciwgb3IKICAgaXRzIGFsdGVybmF0aXZlIHN0YW5kYXJkIEZvcndhcmRl
ZCBbUkZDNzIzOV0sIGFyZSBwbGF5aW5nIHRoaXMgcm9sZS4KICAgU3VjaCBwcmFjdGljZSByZXF1
aXJlcyBhIGNvcnJlY3Qgc2FuaXRpemluZyBvZiB1c2VyIGRhdGEgdG8gYXZvaWQKICAgZmFsc2Ug
aW5qZWN0ZWQgSVBzLgoKICAgU2Vzc2lvbiBoaWphY2tpbmc6CiAgIEEgd2VsbC1rbm93biBhdHRh
Y2sgY2FsbGVkIFNlc3Npb24gSGlqYWNraW5nIGlzIG5vdCBtZWFudCB0byBiZQogICBkZWZlYXRl
ZCBieSB0aGlzIGRvY3VtZW50IGFsb25lLiAgQXBwbGljYXRpb24gZGV2ZWxvcGVycyBtdXN0IGVu
c3VyZQogICB0aGF0IGFueSByZWNldmVpZCBzZXNzaW9uIHRva2VuLCBzdWNoIGFzIGFuIEhUVFAg
Q29va2llLCBiZWxvbmdzIHRvCiAgIHRoZSBzYW1lIElQIGFkZHJlc3MgdGhhbiB0aGUgb25lIHdo
aWNoIHN0YXJ0ZWQgdGhpcyBzZXNzaW9uLgoKOC4gIFJlZmVyZW5jZXMKCgoKCkFkZWxsICAgICAg
ICAgICAgICAgICAgICBFeHBpcmVzIDE0IE9jdG9iZXIgMjAyMiAgICAgICAgICAgICAgIFtQYWdl
IDEwXQoMCkludGVybmV0LURyYWZ0ICAgICAgICAgICBDbGllbnQgUm9hbWluZyBDb250cm9sICAg
ICAgICAgICAgICAgQXByaWwgMjAyMgoKCjguMS4gIE5vcm1hdGl2ZSBSZWZlcmVuY2VzCgogICBb
UkZDMTAzNV0gIE1vY2thcGV0cmlzLCBQLiwgIkRvbWFpbiBuYW1lcyAtIGltcGxlbWVudGF0aW9u
IGFuZAogICAgICAgICAgICAgIHNwZWNpZmljYXRpb24iLCBTVEQgMTMsIFJGQyAxMDM1LCBET0kg
MTAuMTc0ODcvUkZDMTAzNSwKICAgICAgICAgICAgICBOb3ZlbWJlciAxOTg3LCA8aHR0cHM6Ly93
d3cucmZjLWVkaXRvci5vcmcvaW5mby9yZmMxMDM1Pi4KCiAgIFtSRkMyMTE5XSAgQnJhZG5lciwg
Uy4sICJLZXkgd29yZHMgZm9yIHVzZSBpbiBSRkNzIHRvIEluZGljYXRlCiAgICAgICAgICAgICAg
UmVxdWlyZW1lbnQgTGV2ZWxzIiwgQkNQIDE0LCBSRkMgMjExOSwKICAgICAgICAgICAgICBET0kg
MTAuMTc0ODcvUkZDMjExOSwgTWFyY2ggMTk5NywKICAgICAgICAgICAgICA8aHR0cHM6Ly93d3cu
cmZjLWVkaXRvci5vcmcvaW5mby9yZmMyMTE5Pi4KCiAgIFtSRkMzOTg2XSAgQmVybmVycy1MZWUs
IFQuLCBGaWVsZGluZywgUi4sIGFuZCBMLiBNYXNpbnRlciwgIlVuaWZvcm0KICAgICAgICAgICAg
ICBSZXNvdXJjZSBJZGVudGlmaWVyIChVUkkpOiBHZW5lcmljIFN5bnRheCIsIFNURCA2NiwKICAg
ICAgICAgICAgICBSRkMgMzk4NiwgRE9JIDEwLjE3NDg3L1JGQzM5ODYsIEphbnVhcnkgMjAwNSwK
ICAgICAgICAgICAgICA8aHR0cHM6Ly93d3cucmZjLWVkaXRvci5vcmcvaW5mby9yZmMzOTg2Pi4K
CiAgIFtSRkM0MjkxXSAgSGluZGVuLCBSLiBhbmQgUy4gRGVlcmluZywgIklQIFZlcnNpb24gNiBB
ZGRyZXNzaW5nCiAgICAgICAgICAgICAgQXJjaGl0ZWN0dXJlIiwgUkZDIDQyOTEsIERPSSAxMC4x
NzQ4Ny9SRkM0MjkxLCBGZWJydWFyeQogICAgICAgICAgICAgIDIwMDYsIDxodHRwczovL3d3dy5y
ZmMtZWRpdG9yLm9yZy9pbmZvL3JmYzQyOTE+LgoKICAgW1JGQzUyMzRdICBDcm9ja2VyLCBELiwg
RWQuIGFuZCBQLiBPdmVyZWxsLCAiQXVnbWVudGVkIEJORiBmb3IgU3ludGF4CiAgICAgICAgICAg
ICAgU3BlY2lmaWNhdGlvbnM6IEFCTkYiLCBTVEQgNjgsIFJGQyA1MjM0LAogICAgICAgICAgICAg
IERPSSAxMC4xNzQ4Ny9SRkM1MjM0LCBKYW51YXJ5IDIwMDgsCiAgICAgICAgICAgICAgPGh0dHBz
Oi8vd3d3LnJmYy1lZGl0b3Iub3JnL2luZm8vcmZjNTIzND4uCgogICBbUkZDODE3NF0gIExlaWJh
LCBCLiwgIkFtYmlndWl0eSBvZiBVcHBlcmNhc2UgdnMgTG93ZXJjYXNlIGluIFJGQwogICAgICAg
ICAgICAgIDIxMTkgS2V5IFdvcmRzIiwgQkNQIDE0LCBSRkMgODE3NCwgRE9JIDEwLjE3NDg3L1JG
QzgxNzQsCiAgICAgICAgICAgICAgTWF5IDIwMTcsIDxodHRwczovL3d3dy5yZmMtZWRpdG9yLm9y
Zy9pbmZvL3JmYzgxNzQ+LgoKOC4yLiAgSW5mb3JtYXRpdmUgUmVmZXJlbmNlcwoKICAgW1JGQzcy
MzldICBQZXRlcnNzb24sIEEuIGFuZCBNLiBOaWxzc29uLCAiRm9yd2FyZGVkIEhUVFAgRXh0ZW5z
aW9uIiwKICAgICAgICAgICAgICBSRkMgNzIzOSwgRE9JIDEwLjE3NDg3L1JGQzcyMzksIEp1bmUg
MjAxNCwKICAgICAgICAgICAgICA8aHR0cHM6Ly93d3cucmZjLWVkaXRvci5vcmcvaW5mby9yZmM3
MjM5Pi4KCiAgIFtSRkM4NDk5XSAgSG9mZm1hbiwgUC4sIFN1bGxpdmFuLCBBLiwgYW5kIEsuIEZ1
aml3YXJhLCAiRE5TCiAgICAgICAgICAgICAgVGVybWlub2xvZ3kiLCBCQ1AgMjE5LCBSRkMgODQ5
OSwgRE9JIDEwLjE3NDg3L1JGQzg0OTksCiAgICAgICAgICAgICAgSmFudWFyeSAyMDE5LCA8aHR0
cHM6Ly93d3cucmZjLWVkaXRvci5vcmcvaW5mby9yZmM4NDk5Pi4KCkF1dGhvcidzIEFkZHJlc3MK
CiAgIEV1Z2VuZSBBZGVsbAogICBFbWFpbDogZXVnZW5lLmFkZWxsQGdtYWlsLmNvbQoKCgoKCgoK
CkFkZWxsICAgICAgICAgICAgICAgICAgICBFeHBpcmVzIDE0IE9jdG9iZXIgMjAyMiAgICAgICAg
ICAgICAgIFtQYWdlIDExXQo=
--000000000000f6159205dc72b762--

