Re: [Hipsec] Benjamin Kaduk's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)
Miika Komu <miika.komu@ericsson.com> Fri, 04 January 2019 16:49 UTC
Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55786130DE4 for <hipsec@ietfa.amsl.com>; Fri, 4 Jan 2019 08:49:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.366
X-Spam-Level:
X-Spam-Status: No, score=-4.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=GTS7Qvak; dkim=pass (1024-bit key) header.d=ericsson.com header.b=PDKIouMr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cfG3YE7LwMp0 for <hipsec@ietfa.amsl.com>; Fri, 4 Jan 2019 08:49:08 -0800 (PST)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73CE6130E7D for <hipsec@ietf.org>; Fri, 4 Jan 2019 08:49:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1546620542; x=1549212542; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=D+D/zEbRyoSECVJ5v6uw+Cs/jcVyKusT06H1QpyUfJQ=; b=GTS7Qvak6sEIkLn2kWRpxFykLULA6xuJ5NVhBZ6X7s3i7rjtRdrUXKe8OnaP6jLx Ef3KIcOcgBQD72P5NqdM9ZBQTj/xlL04AA5nndwtXqOK+bcmiW0gnzbBVEFqH6lg xipUOKNbuI9s6vANR8YXHaWW+h5uEm1r/g/f59bfab0=;
X-AuditID: c1b4fb30-f93ff7000000355c-41-5c2f8e7eb551
Received: from ESESSMB501.ericsson.se (Unknown_Domain [153.88.183.119]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id D1.D5.13660.E7E8F2C5; Fri, 4 Jan 2019 17:49:02 +0100 (CET)
Received: from ESESSMB503.ericsson.se (153.88.183.164) by ESESSMB501.ericsson.se (153.88.183.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Fri, 4 Jan 2019 17:49:02 +0100
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESSMB503.ericsson.se (153.88.183.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Fri, 4 Jan 2019 17:49:01 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=D+D/zEbRyoSECVJ5v6uw+Cs/jcVyKusT06H1QpyUfJQ=; b=PDKIouMrKTcvNfeAXheazGWAHEckDxm09kyynCEOi/CKXSlVW4Hx5oml//ecwaP6tdeZ9qMMjKPCQSRjM4wRsN2Vcb+Qf1zVimdvEz9ypRC312jLRvBawWWi9+1gGoSN8URPGSTo2m9hRkpDBtmtJISni+EXFA6q7ky6B6Z3UwU=
Received: from VI1PR0701MB2957.eurprd07.prod.outlook.com (10.173.72.135) by VI1PR0701MB2686.eurprd07.prod.outlook.com (10.173.79.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.3; Fri, 4 Jan 2019 16:49:00 +0000
Received: from VI1PR0701MB2957.eurprd07.prod.outlook.com ([fe80::116c:b456:232b:a2ea]) by VI1PR0701MB2957.eurprd07.prod.outlook.com ([fe80::116c:b456:232b:a2ea%3]) with mapi id 15.20.1495.005; Fri, 4 Jan 2019 16:49:00 +0000
From: Miika Komu <miika.komu@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-hip-rfc4423-bis@ietf.org" <draft-ietf-hip-rfc4423-bis@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, "hipsec@ietf.org" <hipsec@ietf.org>
Thread-Topic: Benjamin Kaduk's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)
Thread-Index: AQHT59h7Egh8TLlRj0mcO81NKjZ7x6WgyxQA
Date: Fri, 04 Jan 2019 16:49:00 +0000
Message-ID: <255322ac-0d8f-3e2c-3e9b-adaba14b7f77@ericsson.com>
References: <152589950593.3860.2313922344171073216.idtracker@ietfa.amsl.com>
In-Reply-To: <152589950593.3860.2313922344171073216.idtracker@ietfa.amsl.com>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: HE1PR0701CA0060.eurprd07.prod.outlook.com (2603:10a6:3:9e::28) To VI1PR0701MB2957.eurprd07.prod.outlook.com (2603:10a6:800:87::7)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=miika.komu@ericsson.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0701MB2686; 6:vM2iMf1AVT07bf0bycgNa1IvGClXyuU5J5E/u2uGUmpKSZUPYVNjGV46DmX+VMhei+VDsPsNiWvKXxYsDAEn8gD8xgqA3hef0y54cqizEKGRUR1P1NpOBQ4hzcwmHzPZDInNWEF4amVfkbYt47rm6pEQOU5k3Y3pVy0j17ciXCJre+t8R0zLy94VkL22x7U8TAaHHeJXEp7WnGqY93qoppJQBnpOTfnawADHOaTHCKX1Kmk847j1uP+vwtuRavSwCJ4pZIf1C26v2T7ETthL+G6hVmHTLj6JI98IMBoR3TWB44vtuD1REYyQplZhYjsAoIFhPAqfmr2GeN3+rSAKcr/jTiQzhRz2FTPdoZ2Q2SO+sC0YmraxBqu72y1sgHYwXoktxevtMepzJ6iSJhED0v6FAwtKfTtxiH+QIcvcUazvfNTDOt4cl0lKI1WGg8ht+0bExkuKLbixbfj/8HCGmQ==; 5:+jGUwQkZ8bum9oHL7RSGdF+AB4wCflQpN/2dKTqKYenuk8v6g8GEYs3ojY4elRFZifS2GMT/uhEi7zh9gghFjX0Q8ErybYFgkgn8uZ6uXdzA49qyD3P7kdQaPPaHYejcZBJVByqg8l1q5QMgGxPlKeAxrlwJhBybkXdewSS2K0RcMXsmN8kPBLS6jCkDAFn4b0nJNwRzrKXpyYFlXbfcKA==; 7:LbWnEDQhkQFz6h5H3bsSKWjzVeq1PP1Wx44ao0ki5vuDIzJTggkGuplZk9S0r9Wm7I3RDwIxnG+2wAvuiTAtdahYOhX9oVxYstZiazKvpO99d3O2nfDxMGZpEIaGKR/7YS/kJgglwkgLf8IgJzVlLg==
x-ms-office365-filtering-correlation-id: d89613ad-b553-4cb8-d60b-08d6726486fd
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:VI1PR0701MB2686;
x-ms-traffictypediagnostic: VI1PR0701MB2686:
x-microsoft-antispam-prvs: <VI1PR0701MB2686BDB3E26CF96DA5C63F60FC8E0@VI1PR0701MB2686.eurprd07.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(908002)(999002)(5005026)(6040522)(8220060)(2401047)(8121501046)(93006095)(93001095)(3231475)(944501520)(52105112)(10201501046)(3002001)(6041310)(20161123562045)(20161123560045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(201708071742011)(7699051)(76991095); SRVR:VI1PR0701MB2686; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0701MB2686;
x-forefront-prvs: 0907F58A24
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(376002)(39860400002)(366004)(396003)(346002)(51444003)(199004)(189003)(52116002)(76176011)(3846002)(14454004)(86362001)(44832011)(81156014)(31696002)(7736002)(4326008)(26005)(97736004)(386003)(53936002)(6116002)(53546011)(2906002)(81166006)(186003)(102836004)(305945005)(25786009)(8936002)(966005)(6506007)(478600001)(68736007)(36756003)(66066001)(8676002)(105586002)(14444005)(99286004)(106356001)(256004)(229853002)(54906003)(31686004)(6436002)(476003)(2616005)(11346002)(316002)(6486002)(71200400001)(5660300001)(486006)(446003)(6246003)(6512007)(71190400001)(6306002)(2171002)(110136005); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0701MB2686; H:VI1PR0701MB2957.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: RVavzxP7H3XKRfBYiV2PQHri0u3ZaxwZS5gsOO+y4yJDzAMGpPWJHl4llso0XugyuO0lZjC4ZcYnSCYWxAuQiUK5CXyfELTLjRP2nPnqSlPnCYPTYgv3qNGkzX2Vx0Ox1K8T2iseHTAncGpCSYjb4EotZN5T5eNp4pFeodJ57b+N8iEAlN9Rw1wRardd7qbrl1UfuIfSVqlPbGRdX5Clm2+0JaGj9fbUWgNS+DeIWvOZHk9Wr5Mve2UuOUcYBVrictz7ojw6YXPIu5RSFMiedl4fNCIPNAjeTruHP/WGqt5W8wCTpyjNEE8KmE/PA5LW
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <04646995BBE6B2478ED870BA857545B2@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d89613ad-b553-4cb8-d60b-08d6726486fd
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jan 2019 16:49:00.3179 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB2686
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Sa0hTYRzGe8/Z2Y7TwetU/KeJuERQ09kSmWYX64tFRvQpzEsrD240p52j lqEhXlBcXtIWbl5mXqiUEE0yRT/MVIiSTDPRZiEZolikGJmatu0Y9O33vzzP+7wvL01Kmykv WqPLZFidSisTigXGS703Q+5UyBPCHhSHKOeGG0XK4eIykdLQXEMqa7fvkcpHXUbiJBXb2vqb iC14M0JeIOLF0SmMVpPNsPLjV8Tq0pIOYUaT9lbbxC7KRwOaMuREAw6HdWuD0M5SPIzg6cyR MiS28U8Emz2fRXzRQkD98g5hLwS4ioRxy0PETwwEFN6dJPniK4LpkTnKbibEQdBunSbt7I6j oWVu0LFE4o8IustrBPaBG06EOjMvcMdJYLBuIZ4VYC23iuwswP7QW2Rx7EjwCRh/vYH4tOfg 126no++E42Bqcs3BCPvAk2c7joNJ7AmzC2aCvymG1oG3JM8esPRlh7IHAlyLoG9tVsSL40G/ XCnglw7B2PQC4tkPxr7P7xn5wIRZj3hxkQiMw5t7gjio3F3Zc51AsP28n/rntNBgFfKcDu9W 5/diTJHQaBFXIYXpv7QmRNs4EDr75Xw7Fso/zFE8+8F9/bzI5HgMV3hlXBA0IaodeXAMdzUt VaEIZVjNNY5L14XqmMxuZPs5lp6tsBdoaTFmCGEayVwkfwrkCVJKlc3lpA0hoEmZu0RF2FqS FFXObYZNT2aztAw3hLxpgcxTsi11TZDiVFUmc51hMhj235SgnbzyUUaysZrbZ6rJZ5ryfEdz 3STVVID3480zhbRzUslqTl8crcw1r+bf2Eg8GsFFeekrM192BLrMjAabepoGQ1g/a5vpVNZQ aVudekMU43vAsMEstnZ9shw8a4g0hEd+Y7ecz//oDYg6HXHx2PLKWn2xej1iv/ny+2D/TX16 XkWeRibg1KrDQSTLqf4C+s1P3zUDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/rwCqCExqskFzfwdLEwcHqeW9K18>
Subject: Re: [Hipsec] Benjamin Kaduk's No Objection on draft-ietf-hip-rfc4423-bis-19: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jan 2019 16:49:11 -0000
Hi Benjamin, On 5/9/18 23:58, Benjamin Kaduk wrote: > Benjamin Kaduk has entered the following ballot position for > draft-ietf-hip-rfc4423-bis-19: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-hip-rfc4423-bis/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I share Eric's concerns about the need for > second-preimage-resistance from the hash, and in particular with the > birthday bound, it's unclear that using a 128-bit hash leaves a very > large margin for growth. we'll address the comments in a response to Eric's original email. > Some other section-by-section notes follow. > > Section 1 > > [...] HIP provides for limited forms of trust between systems, > enhance mobility, multi-homing and dynamic IP renumbering, aid in > protocol translation / transition, and reduce certain types of > denial-of-service (DoS) attacks. > > I think that something is weird here with singular vs. plural in the > list elements. Adding -s in the end of the verbs (enhances / aids / reduces) probably fixes the issue you mentioned? > Section 4 > > I agree with the secdir reviewer's not about "SHOULD NOT [implement > non-cryptographic HIP]" The text has changed a bit during the reviews, but I changed the wording to uppercase now: In this document, some non-cryptographic forms of HI and HIP are referenced, but cryptographic forms SHOULD be preferred because they are more secure than their non-cryptographic counterparts. (Btw, the type of draft is "informal" so I am not sure how much mandate this has, but changed nevertheless) > Section 5.1 > > At the client side, a host may have multiple Host Identities, for > instance, for privacy purposes. Another reason can be that the > person utilizing the host employs different identities for different > administrative domains as an extra security measure. If a HIP-aware > middlebox, such as a HIP-based firewall, is on the path between the > client and server, the user or the underlying system should carefully > choose the correct identity to avoid the firewall to unnecessarily > drop HIP-based connectivity [komu-diss]. > > In addition to the firewall case, choosing the correct identifier > can also impact the privacy considerations, as a given identifier > would be trackable by on-path entities. should I add something, I think privacy is mentioned already on the first sentence? > Section 6.2 > > When a node moves while communication is already on-going, address > changes are rather straightforward. The peer of the mobile node can > just accept a HIP or an integrity protected ESP packet from any > address and ignore the source address. However, as discussed in > Section 12.2 below, a mobile node must send a HIP UPDATE packet to > inform the peer of the new address(es), and the peer must verify that > the mobile node is reachable through these addresses. > > Am I reading this right that from a technical perspective, the peer > can just accept stuff from wherever, but from a policy/protocol > perspective the UPDATE requirement is included? The text could > probably be a bit more clear, potentially even without using RFC > 2119 language. I would suggest the following to simplify the text a bit: When a mobile node moves while communication is already on-going, address changes are rather straightforward. The mobile node sends a HIP UPDATE packet to inform the peer of the new address(es), and the peer then verifies that the mobile node is reachable through these addresses. This way, the peer can avoid flooding attacks as further discussed in Section 11.2. Does that work for you? > Section 10 > > There are a number of variables that influence the HIP exchange that > each host must support. All HIP implementations should support at > least 2 HIs, one to publish in DNS or similar directory service and > an unpublished one for anonymous usage. Although unpublished HIs > > I suggest a parenthetical that the unpublished one should expect to > be rotated frequently in order to disrupt linkability/trackability. added some text in parenthesis: ...one to publish in DNS or similar directory service and an unpublished one for anonymous usage (that should expect to be rotated frequently in order to disrupt linkability/trackability). > will be rarely used as responder HIs, they are likely to be common > for initiators. Support for multiple HIs is recommended. [...] > > If multiple means "more than two", it's probably better to say that. > (If multiple means "more than one", this is just a weaker version of > "should support at least 2", above.) And it's rather tempting to > make it a MUST, anyway. I double checked this from RFC7401 and I would change the last sentence to: As stated in [RFC7401], "all HIP implementations MUST support more than one simultaneous HI, at least one of which SHOULD be reserved for anonymous usage", and "support for more than two HIs is RECOMMENDED". > Many initiators would want to use a different HI for different > responders. The implementations should provide for a policy mapping > of initiator HITs to responder HITs. This policy should also include > preferred transforms and local lifetimes. > > "mapping of initiator to responder" is potentially confusing, in > that in practice the procedure will be "I want to talk to responder > A, so let me look up that I use HIT X to talk to responder A", which > is the opposite direction from this text. Good catch, this was text was referencing old RFC5201 text that was replaced by RFC7401. I'd change the text as follows: As stated in [RFC7401], "Initiators MAY use a different HI for different Responders to provide basic privacy. Whether such private HIs are used repeatedly with the same Responder, and how long these HIs are used, are decided by local policy and depend on the privacy requirements of the Initiator". Similarly, I would update change the following paragraph (with similarly outdated text): "Responders would need a similar policy, describing the hosts allowed to participate in HIP exchanges, and the preferred transforms and local lifetimes." ...as follows: According to [RFC7401], "Responders that only respond to selected Initiators require an Access Control List (ACL), representing for which hosts they accept HIP base exchanges, and the preferred transport format and local lifetimes. Wildcarding SHOULD be supported for such ACLs, and also for Responders that offer public or anonymous services". Does this work for you? > Section 11.1 > > I'd consider replacing "is an attempt to" with "attempts to" -- for > example, IPv6 tries to do a lot of things in addition to killing > NAT! ok, changed > Section 11.3.1 > > [...]Second, a > data plane component is needed. Most HIP implementations utilize the > so called BEET mode of ESP that has been available since Linux kernel > 2.6.27, but is included also as a userspace component in a few of the > implementations. > > Nit: "but ESP is included", I think. I changed to: Most HIP implementations utilize the so called BEET mode of ESP that has been available since Linux kernel 2.6.27, but the BEET mode is also included as a userspace component in a few of the implementations. > Section 12.1 > > I don't understand the usage of "a-priori" in: > The need to support multiple hashes for generating the HIT from the > HI affords the MitM to mount a potentially powerful downgrade attack > due to the a-priori need of the HIT in the HIP base exchange. I agree that this is a bit confusing. I would simplify (and generalize) this text as follows: A MitM attacker could try to replay older I1 or R1 messages using weaker cryptographic algorithms as described in section 4.1.4 in RFC7401. How does this sound? > In HIP, the Security Association for ESP is indexed by the SPI; the > source address is always ignored, and the destination address may be > ignored as well. Therefore, HIP-enabled Encapsulated Security > Payload (ESP) is IP address independent. This might seem to make > attacking easier, but ESP with replay protection is already as well > protected as possible, and the removal of the IP address as a check > should not increase the exposure of ESP to DoS attacks. > > It seems like there's still some potential incrased exposure, as > validating the ESP crypto is presumably more expensive than > validating source/destination IP addresses. the destination address can be ignored or included the checks, this is an implementation issue as indicated by the ESP RFC: https://tools.ietf.org/html/rfc4303#section-2.1 Would changing the "may" to "MAY" fix your concern (noting that this draft is still of informal type)? > Section 12.3 > > [...] At middleboxes, HIP-aware > firewalls [lindqvist-enterprise] can use HITs or public keys to > control both ingress and egress access to networks or individual > hosts, even in the presence of mobile devices because the HITs and > public keys are topologically independent. [...] > > Nit: I think that just "topology independent" is what's intended. changed, thanks!
- [Hipsec] Benjamin Kaduk's No Objection on draft-i… Benjamin Kaduk
- Re: [Hipsec] Benjamin Kaduk's No Objection on dra… Miika Komu
- Re: [Hipsec] Benjamin Kaduk's No Objection on dra… Benjamin Kaduk