[Rats] Comments on draft-fedorkow-rats-network-device-attestation-00

Dave Thaler <dthaler@microsoft.com> Thu, 07 November 2019 00:25 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7128E12008F for <rats@ietfa.amsl.com>; Wed, 6 Nov 2019 16:25:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O3ZQyWxhmAAb for <rats@ietfa.amsl.com>; Wed, 6 Nov 2019 16:25:52 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-eopbgr800127.outbound.protection.outlook.com [40.107.80.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 672D9120025 for <rats@ietf.org>; Wed, 6 Nov 2019 16:25:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MKiRZGfvF5cc3Xd3tu+VT2AWJKzmK6Ii+NV7NmR1+A//L2YMTfdOSYK67wFGoiVqcTyrKv4phuNoibhBgXSy3dZKOG1PuexlBCH6DOzmc2MPw7NKshE59Vedi6A1q13k26e0gCbGqYJ68uLKL8DwwYnDmDGyToh1FWFSL8QfVpKM5ntgmapiJLFw5kMYe0lCKZO3kJmZoWqEF6eM16Kasih8ZYn8eKVIITLuMYE1Lv1f4B5oyvC3W1+j3ido/77HGZYyRRFD+BS1aEeSmtkQmdca7VL/2HqvK52DtBNB95s2niLG9FAx2cgfz/wr+yjbXlBCqkQYlUe0G3ODn+hEFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=buXMP1x8J8nGWgsd+w0Llp1gncweTx7E0TyMSTy1+E4=; b=Lxh26v28RpdabBdFYcvkoZ1AqTY5KdofGMuvRTr/9Ep4oSpoXnXMpQe4w3tqWY295ITsd2pp3qi4pvDo4AA+t4GxmzQyT5/Nbuzjp8dqworW1oE83Klf5AudE1y5d5cLR+VMMp9MUMBtx5tIt6BQ5nizAxN0h27wg9GwOwA/KTLcu/dcz3GcEjgjtJQQntF3kf42OpyznKmkwCqQk+uuDqcIYW/cKL1Olh0ncTlgAJ0RQfTEmM07wGXnHdC+TTx+zROjyd383WleiQXwDn/evJeUKfnDqOeP/GdiSD3cJ3YSnMbkA4ryokd0QW51r52VVbNVUVVR+V/WOMSdQiqAqA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=buXMP1x8J8nGWgsd+w0Llp1gncweTx7E0TyMSTy1+E4=; b=Ebv/gyJOdp8C8HPzLkKs0zkcn+cCwwYgZbzMWr2gPHBc5nNoTmCaHT9qHuZERd4qj0lelroDHOjM1efzb9lYJLLAnxR2SPl6kc7djDY/fsTdLm3yeQbHS7lNoqtKbtkp8qmaq8GUW6vrX5ZzGS+wrgzFKw0pQqYv5WqUbDzcuJc=
Received: from CY4PR21MB0773.namprd21.prod.outlook.com (10.173.192.19) by CY4PR21MB0693.namprd21.prod.outlook.com (10.175.121.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.12; Thu, 7 Nov 2019 00:25:50 +0000
Received: from CY4PR21MB0773.namprd21.prod.outlook.com ([fe80::cd2a:4051:840f:ecdd]) by CY4PR21MB0773.namprd21.prod.outlook.com ([fe80::cd2a:4051:840f:ecdd%9]) with mapi id 15.20.2451.013; Thu, 7 Nov 2019 00:25:50 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Guy Fedorkow <gfedorkow=40juniper.net@dmarc.ietf.org>
CC: "rats@ietf.org" <rats@ietf.org>, Thomas Hardjono <hardjono@mit.edu>, "Smith, Ned" <ned.smith@intel.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>
Thread-Topic: Comments on draft-fedorkow-rats-network-device-attestation-00
Thread-Index: AdWVAeYZl01Kj/T7RhKuuFayaZmLkQ==
Date: Thu, 7 Nov 2019 00:25:50 +0000
Message-ID: <CY4PR21MB0773C2CA01797EC8F01CB722A3780@CY4PR21MB0773.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=dc0a14cb-52f7-481f-9452-45415e41c007; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-11-04T20:56:07.9046064Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=dthaler@ntdev.microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=True; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Owner=gfedorkow@juniper.net; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SetDate=2019-10-31T19:26:53.5191743Z; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Name=Juniper Business Use Only; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Application=Microsoft Azure Information Protection; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ActionId=c07f85d3-3baa-4bca-9285-7a27b371dd42; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Extended_MSFT_Method=Automatic
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-originating-ip: [2001:4898:80e8:a:6664:be8c:aeec:e935]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 5c2aba36-c3ab-43fe-1f39-08d763190b17
x-ms-traffictypediagnostic: CY4PR21MB0693:
x-microsoft-antispam-prvs: <CY4PR21MB06935225156DAE42A9C75609A3780@CY4PR21MB0693.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0214EB3F68
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(396003)(376002)(346002)(39860400002)(366004)(40224003)(199004)(189003)(71200400001)(71190400001)(7736002)(8990500004)(478600001)(5024004)(46003)(14444005)(4326008)(256004)(55016002)(790700001)(186003)(33656002)(8676002)(966005)(102836004)(476003)(99286004)(6306002)(606006)(53546011)(7696005)(25786009)(6436002)(486006)(236005)(10290500003)(6116002)(10090500001)(54906003)(52536014)(74316002)(66946007)(6506007)(54896002)(14454004)(81166006)(2906002)(22452003)(81156014)(8936002)(66476007)(86362001)(5660300002)(64756008)(9686003)(316002)(66556008)(66446008)(76116006); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0693; H:CY4PR21MB0773.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3HmznzBpUbCC5Dx8HhIRfi9Lcyh/w1x9KS5xbq6RwJROOSUQWjE0rs1cJKSWt7Ef+6VparFvs6UhylJhh4/lfBHnkx3yn7kpvFIEIqiOFa7P/p48s3jjKn8AfpeDYvkEdqbXKk35fLmlF4SxxW7VHFkN7VTPrZ4b3+LickvcI5a9RJy5HMuypePWcucZtTT5ulK59wrBbl/Hac5BbqVLm7/L+kwITPW4Pz0PJjBWiDONeB0nsE6tlVqC593XjOjZZraXBYF2mEaz7phxYmTCeZxeDVa4vtPq4C5oAFNQo9wHMf1yuXIY1cvLrhJIXktun4z/BnFSMaET8mN0RFdCr9mj0HpdMnt3OidV/kzIIUgp38rk8IePHkSJJlZ6504oFPSW2CS7NgLAzZ20acB6XXBGFte9EaTAW4kdndL7MuS87OtIzehsq19JkWlqcY0U
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0773C2CA01797EC8F01CB722A3780CY4PR21MB0773namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5c2aba36-c3ab-43fe-1f39-08d763190b17
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Nov 2019 00:25:50.6641 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 7sbOfW05Y9nkN8raPmDL0VNccgG3elXXhyx3c7sHuHYcSSqpH4Nt2VGVaxd4lGIXK767WGMYyMes2OFCeLpkzuxyezj/iyVr+c0I4ov4hk4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0693
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/ogLC7KLygk8ov9oxD7KEaca7Tns>
Subject: [Rats] Comments on draft-fedorkow-rats-network-device-attestation-00
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2019 00:25:56 -0000

[updated subject line]

Here's some comments on draft-fedorkow-rats-network-device-attestation-00, in addition to the one in the thread copied at bottom...

Section 1.2:

Ø  o  Platform Identity, the mechanism providing trusted identity, can

Ø  reassure network managers that the specific devices they ordered

Ø  from authorized manufacturers for attachment to their network are

Ø  those that were installed, and that they continue to be present in

Ø  their network.  As part of the mechanism for Platform Identity,

Ø  cryptographic proof of the identity of the manufacturer is also

Ø  provided.

Above is somewhat ambiguous.   When it says "the specific devices", is it talking about device instances
(in the exact serial number or key pair sense), or the same models?   I.e., I ordered 3 widgets, and I got
three widgets (and not three oranges or something else).  Is this talking about verifying that they're
widgets, or that they're the precise 3 widgets you're expecting?   I suspect you mean the latter but it's not
clear.   Assuming you do mean instances, then knowing that they're the specific devices that were ordered
presumes some mechanism for learning the public keys of the devices ordered, prior to their arrival, and
this should be called out.

Section 2.1 discusses the model where the verifier communicates directly with the attested device.
However, it doesn't point out the problems with that model, which is that the attested device will see this
as unsolicited inbound communication, and hence and sort of host firewall-like behavior will prevent the
interrogation from succeeding.    Section 1.5 already constrains the scope to a very narrow scenario, but
it's not sufficient, it has to be constrained further to the scenario where unsolicited inbound communication
is permitted.   Allowing unsolicited inbound communication opens up other potential security and privacy
risks that should be discussed in sections 4 and 5.

Given the narrowness of the applicability, and the security and privacy risks inherent in the model where
the verifier communicates directly with the attested device, it's not obvious why this is a good direction
to pursue, especially if there might be alternatives that are both more broadly applicable, and more secure/private.

I have no objection if there are good reasons, but the draft doesn't yet provide sufficient justification
in my view.

Thanks,
Dave

From: Guy Fedorkow <gfedorkow=40juniper.net@dmarc.ietf.org>
Sent: Wednesday, November 6, 2019 12:57 PM
To: Dave Thaler <dthaler@microsoft.com>
Cc: rats@ietf.org; Thomas Hardjono <hardjono@mit.edu>du>; Smith, Ned <ned.smith@intel.com>om>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>de>; Jessica Fitzgerald-McKay <jmfmckay@gmail.com>
Subject: RE: RIV and the RATS architecture

Hi Dave,
  Ok, I suppose the model where the verifier communicates directly with the attested device is a kind of sub-contracted full-service background check.  That's ok with me, as long as no one interprets the diagram as meaning that the relying party must somehow insert itself into the exchange between Verifier and Attester.

  And I see what you mean about lining up the scope of RIV.  The draft has gone through a number of changes as we've tried to disentangle it from TCG tribal knowledge.
  I think the scope is set by a couple factors.
  The doc as written is clearly limited to TPM-based systems.  That's certainly not the only way to manage a root of trust, but it's the one that's available on a lot of gear already, and it's fairly stable and tightly spec'd.  From the TCG side, I'd expect there would be interest in extending the ideas to other TCG roots of trust such as DICE, but it seems that should be driven out of TCG.

  The limitation to Network Equipment is entirely a matter of expedience.  I think the approach would work easily in other embedded applications, although YANG is likely a fixation only relevant to networking guys.  Other domains would presumably need other domain-specific protocols.

  I'll connect with Jessica to see if we can figure out how to align the name and scope a bit better with the rest of the RATS world.

  Thanks
/guy




Juniper Business Use Only
From: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org<mailto:dthaler=40microsoft.com@dmarc.ietf.org>>
Sent: Monday, November 4, 2019 3:56 PM
To: Guy Fedorkow <gfedorkow@juniper.net<mailto:gfedorkow@juniper.net>>
Cc: rats@ietf.org<mailto:rats@ietf.org>; Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>>; Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de<mailto:henk.birkholz@sit.fraunhofer.de>>; Jessica Fitzgerald-McKay <jmfmckay@gmail.com<mailto:jmfmckay@gmail.com>>
Subject: RE: RIV and the RATS architecture

Hi Guy, sorry for the delay, I was at a conference (Open Source Summit, Confidential Computing Consortium, and Linux Security Summit were all co-located) all last week and traveling there/back.

Responses inline below...

From: RATS <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org>> On Behalf Of Guy Fedorkow
Sent: Thursday, October 31, 2019 12:27 PM
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org<mailto:dthaler=40microsoft.com@dmarc.ietf.org>>
Cc: rats@ietf.org<mailto:rats@ietf.org>; Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>>; Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de<mailto:henk.birkholz@sit.fraunhofer.de>>; Jessica Fitzgerald-McKay <jmfmckay@gmail.com<mailto:jmfmckay@gmail.com>>
Subject: [Rats] RIV and the RATS architecture

Hi Dave,
  Thanks for your doc https://tools.ietf.org/html/draft-thaler-rats-architecture-00<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Ftools.ietf.org*2Fhtml*2Fdraft-thaler-rats-architecture-00%26data%3D02*7C01*7Cdthaler*40microsoft.com*7C520adf8cc884437d639508d75e385c4d*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637081468537546960%26sdata%3D20zFPTGCbLybPlTaNB2E6uSb3re0G2bYPGC8F9TNXis*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSU!8WoA6RjC81c!Rpme4JKWETjOw_zisYJRdztjgIgNvTA_HZoPymMV_ggWZP8BkjOlbCzLuKc18WRBFIY%24&data=02%7C01%7Cdthaler%40microsoft.com%7Cd157a635c6434a9457f808d762fbe83e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637086706397977838&sdata=leCc05tvqV24FnTScTe9zsTy1O5qTAqBpZ1m2Pc32%2FM%3D&reserved=0>amp;reserved=0>.
  Do you have a view as to how the TPM-based attestation described in RIV would fit with the proposed categorization?
https://tools.ietf.org/html/draft-fedorkow-rats-network-device-attestation-00<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Ftools.ietf.org*2Fhtml*2Fdraft-fedorkow-rats-network-device-attestation-00%26data%3D02*7C01*7Cdthaler*40microsoft.com*7C520adf8cc884437d639508d75e385c4d*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637081468537556953%26sdata%3DVTByXHpjuEMkojKjjly0i0BbnvujhB4fIpQaqiPFDKA*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSU!8WoA6RjC81c!Rpme4JKWETjOw_zisYJRdztjgIgNvTA_HZoPymMV_ggWZP8BkjOlbCzLuKc1fEcZrRQ%24&data=02%7C01%7Cdthaler%40microsoft.com%7Cd157a635c6434a9457f808d762fbe83e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637086706397977838&sdata=LJnohgCVQ65zsIffdcRm9W2Ie0Ny76wObKSm10MWBLU%3D&reserved=0>

Great question. From my reading of draft-fedorkow-rats-network-device-attestation-00, it's a background check model, as section 2.3 of your doc explains:
>   3.  A Relying Party, which has access to the Verifier to request
>       attestation and to act on results.

That sentence above is by definition the background check model.
That is, the Attester talks to the Relying Party, the Relying Party then requests a background check by consulting a Verifier,
and will accept whatever answer the Verifier decides.
There are ways where you could use the passport model for network device attestation,
but your document only covers the background check model.

  It doesn't seem to be a passport, since the attester only provides raw evidence, not a pre-approved passport

Agreed, from my reading of your document.

  It doesn't seem to be a background check, as it's the verifier that collects and analyzes the evidence.

If I understand your point here, you're saying that the verifier talks directly to the attester (e.g., by querying the yang module), without going back through the relying party, and that that seemed to you to be different from a classic "background check" diagram.  Did I get your point correctly?

If so, then I see it as a variation of the background check model, as opposed to a separate model per se.

  I'm not sure it matters to RIV, as we haven't drawn much distinction between the relying party and the verifier...  As you say, if they're on the same machine, the distinction is almost moot.

Agree.

And if they're not, I think the communication is out of scope for RIV (if not for RATS).

I disagree that it's out of scope for RATS.

I have no opinion on whether it's out of scope for RIV, since I still have some confusion on the intended scope of RIV.
I note that your document constrains its scope (in section 1.5) to only TPM-based embedded devices, and not other
types of devices.   I couldn't tell if the scope of RIV and the scope of the draft (which does not have RIV in the name, or in
section 1.5) are similar or one is a subset of the other.   Indeed, the title of the document is far wider than just TPM-based
embedded devices, so in that sense the title doesn't match the scoping in section 1.5.   Just explaining why there's not
enough information for me to have an opinion on verifier-relying party communication in RIV.

There can be other network attestation solutions that look quite different from the flow in your draft
(and I have no skin in this game, so don't have a bias towards any solution in particular).   For example,
some other solution might involve a RADIUS server being a Verifier, so the verifier - relying party communication might
be RADIUS in that example.   There's many ways to construct solutions, and so I imagine there's probably multiple
solutions already out there, since the NEA problem is not new even in the IETF (https://tools..ietf.org/wg/nea/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Ftools.ietf.org%2Fwg%2Fnea%2F__%3B!8WoA6RjC81c!Rpme4JKWETjOw_zisYJRdztjgIgNvTA_HZoPymMV_ggWZP8BkjOlbCzLuKc1mSGm10I%24&data=02%7C01%7Cdthaler%40microsoft.com%7Cd157a635c6434a9457f808d762fbe83e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637086706397987832&sdata=Q4juJWspmcPCYfXOCnInuX7EKJYNm9RcXRpp%2B3zHrmY%3D&reserved=0> has
pointers to RFCs for anyone reading this who's not already aware of it).

  But it would be good ensure the architecture and the applications of it actually do fit together...

Absolutely.

Dave

  Thanks
/guy






Juniper Business Use Only