[nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up
Eric Rescorla <ekr@rtfm.com> Fri, 11 April 2025 13:40 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: nasr@mail2.ietf.org
Delivered-To: nasr@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 11E251AAEAE6 for <nasr@mail2.ietf.org>; Fri, 11 Apr 2025 06:40:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IAfoZwfTp8ga for <nasr@mail2.ietf.org>; Fri, 11 Apr 2025 06:40:19 -0700 (PDT)
Received: from mail-yw1-x1133.google.com (mail-yw1-x1133.google.com [IPv6:2607:f8b0:4864:20::1133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 33C891AAEAD8 for <nasr@ietf.org>; Fri, 11 Apr 2025 06:40:19 -0700 (PDT)
Received: by mail-yw1-x1133.google.com with SMTP id 00721157ae682-6f768e9be1aso34416967b3.0 for <nasr@ietf.org>; Fri, 11 Apr 2025 06:40:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1744378819; x=1744983619; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+5yyHjEqbJeLE/n66dkn9HMw6TBkfW3QhT/ekwDDATs=; b=L1fB6k0xHRD3w251setfMSvNRYc+VCgUKGvUCqIXbe0AkJflJV5DhyKWP/a5D4eyrC NRl3iYCTtYA87ny6dkp8+f/QehxRG91aB3JLMvWe/ICY796uQ4Zz4tCAKs/jFtEsIkSZ s4WmuvTeGVRLv6XzRKV7bCpIEPqfGpH+EUdtQjwmAfms0mJ4L8TCYIaOiP/MSuNfRt6M NK6bm0o1Z9R9oj3YKZUZ/rUuf9guqhv5g2EJJECJPZWNLEvQm9G7Jw32KUEhoPmkO6zB eokqWxOVlxmCF4SU6Rex+5Zg/5tYm0hcgN2WHvt19Fte43E7Q4FiiP/K33DnMHlb3Jgk QRNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744378819; x=1744983619; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+5yyHjEqbJeLE/n66dkn9HMw6TBkfW3QhT/ekwDDATs=; b=CDGQY5dc0fIx1fQMyjYLQpRkiRoa/OAqh6b8g6jKEAyx/DXYnJ1abh8L2Erq/BOVjQ IMQsO28ZxvT5/tupdXjVvfExCGpt+8um3BZDub2DxShVUXF3PpvuG6UhrS/z07YCv4Ny ZJ97u5UKVg0G3KNeSSb7gl71ZbIsDxFPjbbdRf3rWKLmOB29iHhk4MOZx+dh2xtEiGv6 G97QmL6DxDZJY3ArRqF0DBJANn3lJ340ddqekCn7N/wbTSsASKjRAIdPBJulz0KN3XJ5 WXpumpc1Dch7GBvetddeS5WK42SsTDsVHok9Y5g9YM4USifsTW5OxqWbaYOZGhxThWVo oUlQ==
X-Forwarded-Encrypted: i=1; AJvYcCXxEZDHUeYgok2ENbj2HKmgVZlrgSEcnC8q4HOPJHnfAwh0CDZtVhZlpAZvdBqUg1wBWpf7@ietf.org
X-Gm-Message-State: AOJu0Yzu8GwRt7OuL7Tyv1hflZASipFaK4MayGYz5d7lVzcSsFNlppos xTWkNPXbbJT1EKb9JmzIr8AyI3WDj1MlkXpHXaUvmISDpeBspGhFsOAwHDe+es8/JCsCVPu9rJu 8PmjbRrwOnwW/SNjCozlwiVZioLpjZ0EJt8e7gA==
X-Gm-Gg: ASbGncvn0MYUDHX0+s4LWdlz7ixuFLJWrpStHr9OAjlOHOPz/IzmeIzwV5t2xXXSZS0 gmQsE9lzJqPa/JMsEgAbCRDYPEsRbTWDTt8dkrFA0IBx2sLENxgEMZAWfr2BSJZJMCi+f+fn2FD n9skunyxjTZCWLVMrSv/yCe4gG
X-Google-Smtp-Source: AGHT+IFe82i4MvYixblY8dHQpyDiakOrpjhQI6GwFdA61IehT3TtCEvU+bvLU6MocxfkHei5Z07O5qW8PTSLmO1KaBk=
X-Received: by 2002:a05:690c:fc6:b0:703:b296:7897 with SMTP id 00721157ae682-70549e81e80mr117943707b3.6.1744378818631; Fri, 11 Apr 2025 06:40:18 -0700 (PDT)
MIME-Version: 1.0
References: <ef08bf0afa924713acc629dff8156761@huawei.com> <2025040312042771743841@chinamobile.com> <CAL02cgSg53nOB8BCSNCLGC78r41P_1VzBPoj2yOJP1qbS0jqfA@mail.gmail.com> <CABcZeBPFaJMsWyNozXS+osh251631vCStkrmOk=WQig5c1_0qw@mail.gmail.com> <19058.1743968487@obiwan.sandelman.ca> <CABcZeBPGt-OLy9KGpTM22neE7F9ysD=Wm0zK6yHZoQ3gFHXqGw@mail.gmail.com> <fd1b5da9-8d5c-c0f6-c801-578c45529f45@ietf.contact> <CABcZeBPEBrQYBH8oH3-JhQbcxi0djcsGVhSJXO3f-jEvdPik_w@mail.gmail.com> <Z_heIJ4DDae5uX_-@faui48e.informatik.uni-erlangen.de> <85ec24dea0b94ceea81f2dcd0701c2f9@huawei.com>
In-Reply-To: <85ec24dea0b94ceea81f2dcd0701c2f9@huawei.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 11 Apr 2025 06:39:41 -0700
X-Gm-Features: ATxdqUGuNC20a3vtLngXG1O1qhSD4JyTICAbP7g6OFQ5HlDCPJuBPE4ELE71FMs
Message-ID: <CABcZeBPA_mC=MsNXHNMT1+bwcnq_jOrYDVv=Au0SVHru4c2X7A@mail.gmail.com>
To: "Liuchunchi(Peter)" <liuchunchi@huawei.com>
Content-Type: multipart/alternative; boundary="000000000000d6bc0b063280d76f"
Message-ID-Hash: Z3EP24CI45M5H4ZSFBPGNBF7EMOP236V
X-Message-ID-Hash: Z3EP24CI45M5H4ZSFBPGNBF7EMOP236V
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Toerless Eckert <tte@cs.fau.de>, Henk Birkholz <henk.birkholz@ietf.contact>, Michael Richardson <mcr+ietf@sandelman.ca>, "nasr@ietf.org" <nasr@ietf.org>, IETF SAAG <saag@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/w3UM5-BSZECN1UB3cu2l2BpeMKw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>
On Fri, Apr 11, 2025 at 2:34 AM Liuchunchi(Peter) <liuchunchi@huawei.com> wrote: > > In the same way, you would start collecting enough attestation to trust > the > > commands through which you retrieve operational state (including prior > > valiation of all credentials to talk to the routers). Such as (YANG > equiv) "show > > int * macsec state" > > or the like (to circle back to my most favourite feature ;-). Which > would show > > enough details to know the credentials of the peer and that the > interfaces > > traffic is MacSEC secured with approved session and data encryption > > protocols. > > > Yes, and such configuration state and operational state should both be > collected as baselines in the step 1 of NASR architecture. > > For device A in the path A-B-C, its "baseline hash" to obtain from the > step 1 is a keyed hash for example AHash= hash(expected config state, > expected operational state, expected Ingress Interface, expected Egress > Interface...) > > For device B, it does it recursively like BHash = hash(received-AHash, > expected config state, expected operational state, expected Ingress > Interface, expected Egress Interface...) > Which brings us back to the question of whether there are in fact a small number of enumerable good states. -Ekr > > And when actual step 2 forwarding takes place, repeat the > take-and-hash-and-replace process, only to change " expected config state " > to " actually measured config state ". And a canonical verification can be > done. > > Hope I am not oversimplifying to confuse people... > > Peter > > > -----Original Message----- > > From: Toerless Eckert <tte@cs.fau.de> > > Sent: Friday, April 11, 2025 8:11 AM > > To: Eric Rescorla <ekr@rtfm.com> > > Cc: Henk Birkholz <henk.birkholz@ietf.contact>; Michael Richardson > > <mcr+ietf@sandelman.ca>; nasr@ietf.org; IETF SAAG <saag@ietf.org> > > Subject: [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up > > > > Eric, > > > > >From my understanding, this analysis does not need to be constrained to > > configuration state. In fact, i would never want to trust configuration > state > > alone, but only configuration and operational state. > > > > This is the same for existing rats for e.g.: secure bootstrap. The > attestation > > provided by a device is not that it has some "operating system file with > some > > cert/signature", but that that is actually the running OS. > > > > In the same way, you would start collecting enough attestation to trust > the > > commands through which you retrieve operational state (including prior > > valiation of all credentials to talk to the routers). Such as (YANG > equiv) "show > > int * macsec state" > > or the like (to circle back to my most favourite feature ;-). Which > would show > > enough details to know the credentials of the peer and that the > interfaces > > traffic is MacSEC secured with approved session and data encryption > > protocols. > > > > It is then the controller who provides the attestation for the fact that > the > > network (or subdomain or whatever) is running MacSec beteween all > > members. > > > > And if we could get scripts into routers to do this analysis of > operational state > > locally on a router, that would be even better, because then it could > probably > > be extending what the router can attest to itself - and the NASR > controller > > needs to primarily provide only attestation as to the seamless > connectivity of > > the per-hop encrypted topoloy or path of interest. > > > > Cheers > > toerless > > > > On Thu, Apr 10, 2025 at 12:28:39PM -0700, Eric Rescorla wrote: > > > On Thu, Apr 10, 2025 at 11:02 AM Henk Birkholz > > > <henk.birkholz@ietf.contact> > > > wrote: > > > > > > > Hi ekr, > > > > > > > > auditing the "correctness" of configuration or configurable state is > > > > an additional step that comes with its own security considerations, > I think. > > > > > > > > The fact that a network device is trustworthy (it is doing what it > > > > is intended to do (by the Verifier Owner) and nothing else) does not > > > > directly translate to an operational state that is doing what every > > > > Relying Party expects it to do, I think. > > > > > > > > In remote attestation, the Verifier can be considered a trusted > > > > third party that takes on the burden of Evidence appraisal. As there > > > > are can be a quite colorful bouquet of Attester and Evidence types, > > > > that (sometimes quite significant burden/complexity) burden of > > > > Evidence appraisal is off-loaded to Verifiers so that the audience > > > > of Relying Parties can consume digestible Attestation Results > tailored to > > their needs. > > > > > > > > If there is additional "relevant stuff" w.r.t. a network device > > > > which needs to be evaluated, that might be a task that remote > > > > attestation is only in support of - but that does not seem to be an > > > > explicit part of establishing trust in the trustworthiness in a > > > > remote peer/router. Or am I missing something very obvious here? > > > > > > > > > > I don't know if you're missing something, but I don't really see how > > > this addresses my point, which is about the complexity of evaluating > > > the relevant Evidence, not about who does it. Specifically, my concern > > > is that it will not be practical to determine whether a given router > > > configuration enforces the high level semantics desired by the Relying > > > Party, e.g., that the data is going directly from this system to > > > system B without any ability for anyone else to see it. In order to > > > ensure this, someone has to know that all configuration values that > > > might implicate this guarantee are in known good states. That could > > > happen by, for instance: > > > > > > - The Verifier seeing Claims for all the relevant configuration values > > > - The vendor determining which configuration values are relevant and > > > causing the device to emit a higher level Claim > > > > > > But in either case, someone needs to take on the analysis of all the > > > configuration values. Has this been done for the types of devices in > > > question? > > > > > > -Ekr > > > > > > > > > > > > > > > > > > Viele Grüße, > > > > > > > > Henk > > > > > > > > On 06.04.25 22:52, Eric Rescorla wrote: > > > > > > > > > > > > > > > On Sun, Apr 6, 2025 at 12:41 PM Michael Richardson > > > > > <mcr+ietf@sandelman.ca <mailto:mcr%2Bietf@sandelman.ca>> wrote: > > > > > > > > > > > > > > > Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote: > > > > > > However, it's not clear to me that that's true in this > case, > > > > > because > > > > > > unlike media players, network devices are highly > configurable > > > > > and a > > > > > > large number of the configuration directives might > impact the > > > > > relevant > > > > > > security claims. Thus, determining whether an element > > > > > is > > > > policy > > > > > > conformant is a matter of knowing not just what code it > is > > > > > running > > > > > > but the state of every relevant configuration > directive. One > > > > > could > > > > > > imagine this working at least three ways: > > > > > > > > > > I think you are making routers sound way more complicated than > > > > > they > > > > are. > > > > > > > > > > > > > > > 1. 90% of directives have little to no affect. > > > > > (I have one toe in the routing/operations space. I'm > > > > > ASN26227) > > > > > > > > > > > > > > > Perhaps, but they still need to be individually examined in order > > > > > to to determine that. Has someone done that? > > > > > > > > > > > > > > > 2. they are significantly less complicated than Windows, yet > all > > > > > that media > > > > > based DRM stuff you mentioned is dependant upon windows > boot > > > > > doing the > > > > > right thing. > > > > > > > > > > > > > > > But essentially none of the relevant stuff that needs to be > > > > > attested to is configurable (by design). You just attest to the CDM > > contents. > > > > > > > > > > > > > > > > In the former case, it is quite likely that there will > > > > > be a > > > > large > > > > > > number of valid states, because each directive may have > > > > multiple > > > > > > acceptable values, and so you end up with combinatoric > > > > explosion > > > > > > issues if you just have a list of hashes [0]. In the > latter > > > > > case we > > > > > > > > > > yet, the *routing* people with the expertise here, and a few > > > > > operators seem > > > > > pretty sure they can do this. > > > > > > > > > > > > > > > It's not uncommon to see people be overconfident about things > > > > > prior to attempting them, especially in the area of security. Has > > > > > someone actually gone through the exercise of examining every > > > > > directive and determining which ones are relevant? > > > > > > > > > > -Ekr > > > > > > > > > > > > > > > > Either approach requires studying the impact of every > existing > > > > > > configuration directive for each device type to know > what the > > > > > > impact will be on the relevant policy claims. This seems > > > > > challenging > > > > > > at best. > > > > > > > > > > -- > > > > > Michael Richardson <mcr+IETF@sandelman.ca > > > > > <mailto:mcr%2BIETF@sandelman.ca>> . o O ( IPv6 IøT > consulting ) > > > > > Sandelman Software Works Inc, Ottawa and Worldwide > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > saag mailing list -- saag@ietf.org <mailto:saag@ietf.org> > > > > > To unsubscribe send an email to saag-leave@ietf.org > > > > > <mailto:saag-leave@ietf.org> > > > > > > > > > > > > > > -- > > > nasr mailing list -- nasr@ietf.org > > > To unsubscribe send an email to nasr-leave@ietf.org > > > > > > -- > > --- > > tte@cs.fau.de > > > > -- > > nasr mailing list -- nasr@ietf.org > > To unsubscribe send an email to nasr-leave@ietf.org >
- [nasr] NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Richard Barnes
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Michael Richardson
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up 刘鹏辉
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Michael Richardson
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Richard Barnes
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Michael Richardson
- [nasr] Summary of Discussions So far---Re: [saag]… Meiling Chen
- [nasr] Re: Summary of Discussions So far---Re: [s… Luigi IANNONE
- [nasr] Re: Summary of Discussions So far---Re: [s… Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Liuchunchi(Peter)
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Stephen Farrell
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Liuchunchi(Peter)
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Adrian Farrel
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Eric Rescorla
- [nasr] Re: [saag] Re: Re: NASR BOF Follow-Up Carsten Bormann