Re: [OPSEC] [EXTERNAL] Re: [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 27 July 2020 17:39 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C96E63A1BC1; Mon, 27 Jul 2020 10:39:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i3CD6TfMZo1t; Mon, 27 Jul 2020 10:39:08 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640122.outbound.protection.outlook.com [40.107.64.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE2473A1BE6; Mon, 27 Jul 2020 10:39:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Q3rlaqStW6uQq7J1/TOZMOXgJ+HYVYwq6g94nV+XnoU+w0YTYLBrWaVXqB41wWnfHrvCjRZN7YMsdzUCvdXPVfrY2EMlfRumst0ni7v35IETUbK2exLfUd31TG5wq3g1nGaotb+9LZVAoak3x4qrGepYxUBdsLJgmO0xgUyomv5n0zZnXFjWAFj9wCIo6TTb+KiO2K10Iutx2Rrg0Bkp/qYgOtcs65vaJaXgp6s3KAV7D7RZpW2VWq93LOZWNTewv8ss/zH9Lsl6woxphj6J+yYaDsRJxTrDo0N14U1Eo2JIZrbt2b+f/EJDyScZzmgAgQzgJQ76g2C3G51jngZCSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vmdF3bp8e/CA+pYTSE1uoE2gLM+5SucSfqUYZ1Iw+Ug=; b=KCiSEpYDMf3UlEcCQ5W+LkhWEQ8tch9RXnUD2eik6ClgvPW5Moyj1iyN/N6nHiycG8AhnHRGnZGMIYE6Mu+PScwTPGdI3/5t6D1tVCrKBx0A8Kq5/aEjWReSoG/T34BgFwhwe2AiE8jahs2AN3XglFOwU7CV8JZnB8ZyF3ADvEs/Aby78VTWV1jh4wi7/8HxH6aMaja/YooQQpG9u+eTumcat+3SVlSc3+lj3zq87UTWb34l6z6547wxl3HNeat8fjfHz53075xWoR0XXKAaxkS5/WNa3mC2eeNWm2gthqQEB3geqD/mjO8HU+MCRbh6ItErXYS2RtcHBTbfPIEBEQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vmdF3bp8e/CA+pYTSE1uoE2gLM+5SucSfqUYZ1Iw+Ug=; b=RwtFatu4Yt+OePz7IO34m8LI2uq3cLZqGVuWP5uA13JH/COasgo2AwqM1/bW/f1oV+J7SPDuo0Gqtk6nM3Evx4OLenAsVk7Qipb8gnp7SV60mG34Cx3UNcOm9HPcmrZtGmwMK+rXLGey+vaNwJHuT6RiJjznSja3TilkNWrZLvA=
Received: from SN6PR00MB0366.namprd00.prod.outlook.com (2603:10b6:805:c::21) by SN2PR00MB0157.namprd00.prod.outlook.com (2603:10b6:804:14::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3268.0; Mon, 27 Jul 2020 17:39:04 +0000
Received: from SN6PR00MB0366.namprd00.prod.outlook.com ([fe80::680e:e96:c9e7:83b6]) by SN6PR00MB0366.namprd00.prod.outlook.com ([fe80::680e:e96:c9e7:83b6%6]) with mapi id 15.20.3274.000; Mon, 27 Jul 2020 17:39:04 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Nick Harper <nharper=40google.com@dmarc.ietf.org>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
CC: Jen Linkova <furry13@gmail.com>, "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [EXTERNAL] Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Thread-Index: AQHWZBBwnFbN+qQLf06kFxSnz+aE9akbYlAAgAAJxoCAAAuMgIAALOng
Date: Mon, 27 Jul 2020 17:39:04 +0000
Message-ID: <SN6PR00MB0366B0069B49FD37A9D25DB38C720@SN6PR00MB0366.namprd00.prod.outlook.com>
References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <CAFU7BAS=ymUPTAGB_fOSrHTG0OajV1n5M1-yOBWxvGam-a89AA@mail.gmail.com> <d9d6d8c2-3916-be28-d01f-f040a28ce361@cs.tcd.ie> <9F2FDA20-12AA-4523-905D-7C9380B7A390@ll.mit.edu> <43A56381-0BA8-4123-A2D5-950FD1EDFC86@cisco.com> <CAHbrMsC6AL=CrpponmJaab4DijY=mgqbUN6YFaC8eHYf-aeORQ@mail.gmail.com> <CACdeXiL1J-WzZM4XAudRbz7NZWOCquH=SXZL9BkRLO3NpsfTTg@mail.gmail.com>
In-Reply-To: <CACdeXiL1J-WzZM4XAudRbz7NZWOCquH=SXZL9BkRLO3NpsfTTg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-07-27T17:39:03Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=d2c384cb-6ae2-4929-a282-7370f60fb097; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.142.169]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 2eb57763-9f08-4e05-53f5-08d83253f4f7
x-ms-traffictypediagnostic: SN2PR00MB0157:
x-microsoft-antispam-prvs: <SN2PR00MB0157B14C86B931982BB440068C721@SN2PR00MB0157.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ROKZwfJQfZkIZhvtDai/ST3yiouQML2ODB0yOdyXv36HpFEcHt0pBFLVzfBMYcUnO6TAgixjclmQfWFLQ2BH+k5iUIb8cSqVf6CQpNLN+/H/oJ2IZFHFu02DyWSFGYWXN4T69v2pMaJRQ83x1nAqB82zZ3oK4e+UVfm3T4Bz4wbrWwgmz+8KkqqrjS3WyXoiL9HkxeNwmIKoBaKRra+EgPqJPpciGUlSROxeQlMgndD60YTz5A36+1rodxQS2L06OLcAKO/TF51fRltzg5GetQoTpnZ5/m5dB8XAiJKBGJjGmuhOtHMlc5deh9Bu7yEPtZTR08yHl4MhNn/t4Di5iBVaw5akwYmzmTCDdLwOpy97nYha4CRhu/MpV0VsPXZ/9Qlpm6aov6wXNZdwLSl6Dw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SN6PR00MB0366.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(396003)(366004)(346002)(376002)(39860400002)(33656002)(26005)(6506007)(316002)(53546011)(8676002)(71200400001)(4326008)(66946007)(8990500004)(52536014)(5660300002)(66476007)(66556008)(64756008)(66446008)(83380400001)(966005)(478600001)(110136005)(54906003)(10290500003)(186003)(7696005)(86362001)(166002)(82960400001)(82950400001)(9686003)(55016002)(2906002)(8936002)(76116006); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: JxQktZCD0ITEDJ/njyLhPzXU/d+tudzEqQgErAqLO0a0Z+YuotfkLpbUsQiwvxAM+wvI7jBmTUegy0+Ol6OvqV954tTgqQ4VkryKf2ISfIrYjNMYsQ846O2xAHAAFmtiEZX+0hfLSTyz06gLEKJptI42eB1xxBoKSb97NsBNlRrg/wRLkdVL/s2W5PA/9STg+/hZ8jbFBade8cnpnPHicLh1GqDHfcU12EuqCCEDfQ1KnyP0tQ2wwGqB8vIP2PC3OJ6ZZQZ07LJtLrgLHvGiZKuS25ywy04GfTa2cVeg0n/kB5staC+Xgr11ZbfV1Lkcd/VNM8F2roqsNQ+9T1tXvdb+Ffai7zofkHVrp85WV92UIZlfHQI1asylGlAc2ycs1WwVshshDmsGr9n/QhaO7Zt3ScBEqjHZaKtuKm7iHBT/+mO8CkjG70rVyZpVcXV4oJ/PYnjQ1WMdDTk3zD1+1RiDsDP57s4S+Y94nC7fxU4oMOt2Pr7x5BIgdiB3AC/n9nJn1sSEFMONhhs3N+tsnbczdDMb8o5evYRr6mfrlm0mx8LzpLaVh+PxooDqeQFPSlDKr6gh5O+lB0MJ6QvyIpTAiEXRIEOKkGvZo8ZT4rINFQe80hrvxPT5SCKVPK3Z+PEqoVxOJDeGxETO2pXVQg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_SN6PR00MB0366B0069B49FD37A9D25DB38C720SN6PR00MB0366namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR00MB0366.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2eb57763-9f08-4e05-53f5-08d83253f4f7
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jul 2020 17:39:04.5449 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: w/a2y+r4qoTBzhJpTKyojD/hskTJHmSCWYJIM3j/FQSPVL3CWF7oU+i+TY4JRk8YXVWr3iyWP1O2zhVZm59/3Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR00MB0157
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/PBliwkVBNGmJbc7DpnnRXoA-6pM>
Subject: Re: [OPSEC] [EXTERNAL] Re: [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 17:39:18 -0000

As written, the document provides a basic/general description of MITM proxies. It mentions some of the issues (client auth, handling of 0-RTT application data, single point of failure, updates/patches, risks of disclosure of PII/PHI), but does not really provide alternatives or specific solutions. I oppose adoption of this document in its current shape.

Some specific issues:

  *   The document does not describe alternatives to MITM proxies.
  *   Section 4.1.2 “Inbound provisioning” does not discuss security and operational issues around server key sharing with the proxy. No real discussion of short-lived creds and “keyless” scenarios.
  *   Section 4.2 “Maintain security posture and limit modifications” seems to recommend modifications to the ClientHello, rather than having the proxy generate a new ClientHello. Proxies sending ClientHellos they did not generate are a common cause of interop issues.
  *   Section 4.2 also explicitly allows completely insecure configurations:

      “TLS proxy stacks MAY provide user configurable options, such as an
   option to accept self-signed server certificates, an option to let
   the handshake continue with expired but otherwise valid server
   certificates, etc.”

Cheers,

Andrei

From: TLS <tls-bounces@ietf.org> On Behalf Of Nick Harper
Sent: Monday, July 27, 2020 7:12 AM
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Jen Linkova <furry13@gmail.com>om>; Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org>rg>; OpSec Chairs <opsec-chairs@ietf.org>rg>; OPSEC <opsec@ietf.org>rg>; tls@ietf.org
Subject: [EXTERNAL] Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp

As currently written, this draft has multiple problems.

Section 4 decides not to repeat the Protocol Invariants described in section 9.3 of RFC 8446. However, further sections are written assuming that a proxy acts in a way contrary to those Protocol Invariants. One such example is section 4.2 in this draft. It describes how a proxy might generate its list of cipher suites by modifying the client's list. A proxy that copies the cipher suites from the client-initiated ClientHello into its own ClientHello is violating the 1st and 3rd points of the TLS 1.3 Protocol Invariants. For a best practices document, I think it would be reasonable to reiterate the Protocol Invariants.

In addition to reiterating the Protocol Invariants, it should also summarize the advice from the cited papers SECURITY_IMPACT and APPLIANCE_ANALYSIS. One of the problems pointed out by those papers is that TLS proxies will make connections to a server that presents a certificate the client wouldn't accept, but because of the proxy, the client isn't aware of the certificate issues. I don't see this issue addressed at all in the draft. (A similar issue with the server selecting a weak cipher suite is possibly implied by section 4.2, but it is not spelled out well.)

If this draft is adopted, it needs to say the following things, which it currently doesn't.

- When a TLS proxy generates its ClientHello, it should be created independently from the client-initiated ClientHello. The proxy MAY choose to omit fields from its ClientHello based on the client-initiated ClientHello, but it MUST NOT add fields to its ClientHello based on the client-initiated ClientHello. This is effectively a restatement of the 1st (a client MUST support all parameters it sends) and 3rd (it MUST generate its own ClientHello containing only parameters it understands) points of the TLS 1.3 Protocol Invariants.

- If a proxy chooses to conditionally proxy TLS connections and needs more information than what is contained in the client-initiated ClientHello, then the only way to make that decision is to send its own ClientHello to the server the client is connecting to and use information observed on that connection to make the decision to proxy the pending connection.

- If a proxy chooses to not proxy some TLS connections, the proxy will fail open. The only way to avoid failing open is to proxy all connections.

On Mon, Jul 27, 2020 at 6:31 AM Ben Schwartz <bemasc=40google.com@dmarc.ietf.org<mailto:40google.com@dmarc.ietf.org>> wrote:
I'm concerned about this work happening outside the TLS working group.  For example, the question of proper handling of TLS extensions is not addressed at all in this draft, and has significant security and functionality implications.  There are various other tricky protocol issues (e.g. version negotiation, TLS 1.3 record padding, TLS 1.3 0-RTT vs. TLS 1.2 False Start, round-trip deadlock when buffers fill, ticket (non-)reuse, client certificate linkability pre-TLS-1.3, implications of SAN scope of synthesized certificates) that could arise and are going to be difficult to get right in any other WG.

The title "TLS Proxy Best Practice" implies that it is possible to proxy TLS correctly, and that this document is the main source for how to do it.  I think the TLS WG is the right place to make those judgments..  For the OpSec group, I think a more appropriate draft would be something like "TLS Interception Pitfalls", documenting the operational experience on failure modes of TLS interception.

On Mon, Jul 27, 2020 at 8:57 AM Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>> wrote:
The document is not imposing any standards but rather provide guidelines for those implementing TLS proxies;  given that proxies will continue to exist I'm not sure why there is a belief that the IETF should ignore this.

Warm regards, Nancy

On 7/27/20, 5:20 AM, "OPSEC on behalf of Blumenthal, Uri - 0553 - MITLL" <opsec-bounces@ietf.org<mailto:opsec-bounces@ietf.org> on behalf of uri@ll.mit.edu<mailto:uri@ll.mit.edu>> wrote:

    I support Stephen and oppose adoption. IMHO, this is not a technology that IETF should standardize.


    On 7/25/20, 10:07, "TLS on behalf of Stephen Farrell" <tls-bounces@ietf.org<mailto:tls-bounces@ietf.org> on behalf of stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> wrote:


        I oppose adoption. While there could be some minor benefit
        in documenting the uses and abuses seen when mitm'ing tls,
        I doubt that the effort to ensure a balanced document is at
        all worthwhile. The current draft is too far from what it'd
        need to be to be adopted.

        Send to ISE.

        S.

        On 23/07/2020 02:30, Jen Linkova wrote:
        > One thing to add here: the chairs would like to hear active and
        > explicit support of the adoption. So please speak up if you believe
        > the draft is useful and the WG shall work on getting it published.
        >
        > On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica
        > <rbonica=40juniper.net@dmarc.ietf.org<mailto:40juniper.net@dmarc.ietf.org>> wrote:
        >>
        >> Folks,
        >>
        >>
        >>
        >> This email begins a Call For Adoption on draft-wang-opsec-tls-proxy-bp.
        >>
        >>
        >>
        >> Please send comments to opsec@ietf.org<mailto:opsec@ietf.org> by August 3, 2020.
        >>
        >>
        >>
        >>                                                                 Ron
        >>
        >>
        >>
        >>
        >> Juniper Business Use Only
        >>
        >> _______________________________________________
        >> OPSEC mailing list
        >> OPSEC@ietf.org<mailto:OPSEC@ietf.org>
        >> https://www.ietf.org/mailman/listinfo/opsec<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fopsec&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C23d5e7f8ac1047d98fe108d8323724a6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637314559736707680&sdata=P0RE3llePUKRCp8og1EVm7G45N1UujWmY6aTOTRBGUE%3D&reserved=0>
        >
        >
        >
        > --
        > SY, Jen Linkova aka Furry
        >
        > _______________________________________________
        > TLS mailing list
        > TLS@ietf.org<mailto:TLS@ietf.org>
        > https://www.ietf.org/mailman/listinfo/tls<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C23d5e7f8ac1047d98fe108d8323724a6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637314559736712671&sdata=vmUnm3RlE4rBBLF6oLlh%2B%2FzReeorfWNrbczvyVV7cXI%3D&reserved=0>
        >


_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C23d5e7f8ac1047d98fe108d8323724a6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637314559736717662&sdata=2rDSL3aK31w3fXWvrqAmE5frKSTbaABPNls9H2ZFABU%3D&reserved=0>
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C23d5e7f8ac1047d98fe108d8323724a6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637314559736722653&sdata=%2BzrWj9rV6e4ewc%2BZJxS4PPFgZRcoi%2FB0sdAQKMPNfLw%3D&reserved=0>