Re: [tsvwg] draft-tuexen-tsvwg-sctp-zero-checksum-02 adoption

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 29 May 2023 08:57 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/PxGu97RL_kvm82PsGhm7Vkz7trg>

Hi Michael, 

Sorry for the delay in answering. 

So if I understand, the issue is the dependency on the protection mechanism being in place to enable zero checksum. So I think your proposal for including a list of entries representing offered protection mechanisms that would allow zero checksum to work, with each of them defining the criteria for when in the handshaking zero checksum can be enabled, would work. You would be able to add SCTP-AUTH immediately. I do wonder a bit if DTLS encapsulation is a method that needs to be listed. If it is encapsulation of the whole SCTP packet that provides a stronger integrity to the packet, then does it need to be specified? It will be in place from the start, and thus the initiator might not need to do more than to indicate that it will rely on the used encapsulation?

With regard to middleboxes doing deep inspection, calculating the CRC32c of a UDP encapsulated SCTP packet and then reacting to it being wrong: I would be quite surprised to find a middlebox that does this fairly deep layer violation. Only if one is running on the registered UDP port for SCTP encapsulation does a general middlebox know that this is likely SCTP in the payload. I am not expecting this to be a real issue for this solution. Especially not where we would consider deploying a zero checksum solution where the set of middleboxes would be deployed by the same entity that deploys the endpoints.

Cheers 

Magnus 



On 2023-05-10, 22:54, "tuexen@fh-muenster.de" <tuexen@fh-muenster.de> wrote: 
> On 27. Apr 2023, at 09:31, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:

> 

> Hi, 

> Yes proposed change would address my issue. Thanks 

Hi Magnus,

I wanted to address this issue before submitting version -03 of the individual draft, followed up by the -00 version of the WG document.

However, when drafting the text, I realized that this is more complex than I initially thought.

Your suggestion is to allow zero checksum when using SCTP AUTH or CRYPTO.

One issue is related to the middleboxes, and one could argue that when using SCTP over UDP, middleboxes might not interfere with zero checksum. OK, we can write that without making things more complex.

When using DTLS, all packets are protected. Requiring that packets containing an INIT chunk is for backwards compatibility and is not specific to SCTP/DTLS and would require to all other cases. The same applies to packets containing a COOKIE ECHO or ASCONF chunk. This is for keeping implementations simple.

But there is a difference between SCTP/DTLS and AUTH or CRYPTO:

* For CRYPTO (as I understand it right now) does not protect packets handled in the front states.

* For AUTH, it protects only packets for which the AUTH chunk is the first one.

This means that the packets having an alternative protection depend on the alternative method. How does the receiver know? How to specify it in a generic way that it includes CRYPTO, for example, without referring to it?

One possibility would be to extend the Zero Checksum Parameter to contain a uint32_t, which is an IANA registered value indicating the alternative method. The document could define one for SCTP over DTLS, and one for using AUTH. Then the CRYPTO document could register another one for CRYPTO and provide the rules.

However, I'm still contemplating whether this is worth doing. If middleboxes check the CRC32c (which would kill zero checksum for AUTH and CRYPTO for SCTP/IPv46), why shouldn't they do the same when SCTP is UDP encapsulated? Assuming that they don't do it now, because SCTP over UDP is not used a lot right now, does not extrapolate to the case where some specifications exist, which require SCTP (with CRYPTO or AUTH) over UDP.

What do you think?

I submitted -03 of the individual document and the -00 of the WG document, because I did not want to hold them up any longer. Once we have come to a conclusion on the above discussion, I'll update the document accordingly.

Best regards

Michael





> Magnus 

> On 2023-04-27, 00:13, "tsvwg" <tsvwg-bounces@ietf.org> wrote:

> > On 18. Apr 2023, at 11:06, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> wrote:

> > > Hi Michael, 

> > I am slightly confused by your exclusion of UDP for the zero checksum. I would expect that IP/UDP/SCTP per RFC 6951 would actually make it across a network unless a firewall was present that actually checked the CRC on SCTP level with that encapsulation. Which would in fact be a bit surprising as the UDP payload can be a bit of anything unless the UDP port reveals the service and special rules exist.

> Hi Magnus, 

> there is an IANA assigned UDP port number. So firewalls could use this. However, I don't know if any product does now or will do in the future.

> > Thus, I would expect that SCTP zero checksum should be possible to deploy when RFC 6951 encapsulation occurs and the SCTP stack would be using SCTP-AUTH or CRYPTO chunk as alternative strong integrity verification. So I think the zero checksum could actually be allowed for UDP encapsulated SCTP when using a strong integrity mechanism. Just want to ensure that the document doesn’t include unnecessary scoping which doesn’t have technical merit. 

> I agree. Possibly we should be more precise: 

> * We should not talk about lower layers providing a protection at least as good as CRC32c, but talk about other protocol mechanisms instead. These protocol mechanisms include lower layers like DTLS, but also AUTH or CRYPTO.

> * We should consider two conditions, where the use of the feature is not appropriate: 

> (1) There is no other protocol mechanism to protect a packet at least as good as CRC32c. 

> (2) Middleboxes will interfere with SCTP packets containing an incorrect checksum of zero. 

> Then: 

> * SCTP over DTLS is OK, since (1) and (2) are both not true. 

> * SCTP over IP is not OK, since (1) and (2) are true.

> * SCTP using AUTH for all chunks over IP is not OK, since (2) is true. 

> * SCTP over UDP over IP is not OK, since (1) is true. Whether (2) is true is not known to me. 

> * SCTP using AUTH for all chunks over UDP over IP might be OK, if (2) is not true. 

> * SCTP using CRYPTO is not OK, since (2) is true.

> * SCTP using CRYPTO might be OK, if (2) is not true.

> Would such a change address your issue? 

> Best regards 

> Michael 

> > Cheers 

> > Magnus 

> > On 2023-04-12, 14:21, "tsvwg" <tsvwg-bounces@ietf.org> wrote:

> > > On 11. Apr 2023, at 19:15, Nils Ohlmeier <nils.ohlmeier@8x8.com> wrote:

> > > > Hello, 

> > > > I’m supporting adoption of draft draft-tuexen-tsvwg-sctp-zero-checksum-02, because it is going to be useful for all WebRTC endpoints out there to have the option to skip the checksum step. 

> > > > I also reviewed the draft. The only concern I found is this sentence: 

> > > > "Since the lower layer of SCTP can not be IPv4 or IPv6 as specified in [RFC9260] or UDP as specified in [RFC6951], no problems with middle boxes expecting correct CRC32c checksums in the SCTP packets are expected.” 

> > > > Which confuses me, because it sounds to me like this is trying to say that SCTP over IPv4 or IPv6 can not be done. Which obviously doesn’t make any sense. But I honestly fail to parse what this sentence is supposed to tell me (besides no problems with middle boxes are expected).

> > Would using 

> > One example of such a lower layer is the use of SCTP over DTLS as 

> > described in [RFC8261] (as used in the WebRTC context). Counter 

> > examples include: 

> > * SCTP over IPv4 or IPv6 as specified in [RFC9260]. 

> > * SCTP over UDP as specified in [RFC6951]. 

> > * The use of SCTP Authentication as specified in [RFC4895]. 

> > Therefore using an incorrect zero checksum will not result in 

> > problems with middle boxes expecting correct CRC32c checksums in SCTP 

> > packets. 

> > be clearer? 

> > Best regards 

> > Michael 

> > > > Best 

> > > Nils Ohlmeier
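
The receiver-side question raised in this thread ("How does the receiver know?") as an added example; it is not code from any participant or from the draft. It assumes the rules as described in the messages above: a correct CRC32c is always accepted, packets containing INIT, COOKIE ECHO or ASCONF always need one, DTLS covers every packet, and AUTH covers only packets whose first chunk is AUTH. The method names `"dtls"` and `"auth"`, the helper names and the sample packets are hypothetical.

```python
import struct

INIT, COOKIE_ECHO, AUTH, ASCONF = 1, 10, 15, 0xC1   # SCTP chunk type codes
NEEDS_CRC = {INIT, COOKIE_ECHO, ASCONF}  # per the thread: always carry a real CRC32c

def crc32c(data: bytes) -> int:
    """Bitwise CRC32c (Castagnoli), reflected polynomial 0x82F63B78."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def chunk(ctype: int, value: bytes = b"") -> bytes:
    """Constructed chunk: type, flags=0, length, value, padded to 4 bytes."""
    length = 4 + len(value)
    return struct.pack("!BBH", ctype, 0, length) + value + b"\0" * (-length % 4)

def build(chunks, zero_checksum=False) -> bytes:
    """Constructed packet; ports and verification tag are sample values."""
    head, body = struct.pack("!HHI", 5000, 5000, 0x11223344), b"".join(chunks)
    csum = 0 if zero_checksum else crc32c(head + b"\0" * 4 + body)
    return head + struct.pack("<I", csum) + body   # CRC32c is stored little-endian

def chunk_types(packet: bytes) -> list:
    """Chunk types in order; empty list if the chunk framing is malformed."""
    types, off = [], 12
    while off + 4 <= len(packet):
        ctype, _flags, length = struct.unpack_from("!BBH", packet, off)
        if length < 4 or off + length > len(packet):
            return []
        types.append(ctype)
        off += (length + 3) & ~3
    return types if off >= len(packet) else []

def accept(packet: bytes, method=None) -> bool:
    """method: None, "dtls" or "auth" (hypothetical names for the negotiated method)."""
    if len(packet) < 12:
        return False
    stored = struct.unpack_from("<I", packet, 8)[0]
    if stored == crc32c(packet[:8] + b"\0" * 4 + packet[12:]):
        return True                       # a correct CRC32c is always acceptable
    types = chunk_types(packet)
    if stored != 0 or not types or NEEDS_CRC & set(types):
        return False
    if method == "dtls":
        return True                       # DTLS covers every packet
    return method == "auth" and types[0] == AUTH   # AUTH covers only AUTH-first packets
```

The per-method branch at the end of `accept` is the part that differs between alternative methods, which is why the thread considers carrying a method identifier in the Zero Checksum Parameter.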