From: Mike Erlinger
Date: Wed, 23 Oct 2002 09:52:17 -0700
To: intrusion detection wg, internet-drafts@ietf.org
Cc: Mike Erlinger, Stuart Staniford, jis@mit.edu, smb@research.att.com
Subject: New Req ID
Message-Id: <20021023165216.GA29741@cs.hmc.edu>
Reply-To: mike@cs.hmc.edu
X-Mailing-List: archive/latest/556

A new Requirements ID is attached. It contains changes recommended by the IESG. Namely:

Change section 6.17, Message Extensions, to indicate that such extensions CANNOT affect interoperability

Change section 6.19, Message Extensions, to indicate that such extensions CANNOT affect interoperability

Add a Reference Section and some related anchors

mike

--
Mike Erlinger, Professor and Chair Computer Science
www: http://www.cs.hmc.edu/~mike
email: mike@cs.hmc.edu
smail: Computer Science Dept., Harvey Mudd College, 301 E. 12th Street, Claremont, CA, 91711
909-621-8912, FAX: 909-607-8364

Attachment: 10.xml

Intrusion Detection Message Exchange Requirements

Internet Security Systems, Inc
6303 Barfield Road Atlanta GA 30328 US mark1@iss.net
Harvey Mudd College
Computer Science Dept 301 East 12th Street Claremont CA 91711 US mike@cs.hmc.edu http://www.cs.hmc.edu/
Security Intrusion Detection Working Group Internet Draft IDMEF

The purpose of the Intrusion Detection Exchange Format Working Group (IDWG) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. This Internet-Draft describes the high-level requirements for such a communication mechanism, including the rationale for those requirements where clarification is needed. Scenarios are used to illustrate some requirements.
This is not an IETF standards track document and thus the keywords MUST, MUST NOT, SHOULD, and MAY are NOT as in RFC 2119, but rather:

MUST: This word, or the terms "REQUIRED" or "SHALL", means that the described behavior or characteristic is an absolute requirement for a proposed IDWG specification.

MUST NOT: This phrase, or the phrase "SHALL NOT", means that the described behavior or characteristic is an absolute prohibition of a proposed IDWG specification.

SHOULD: This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances for a proposed IDWG specification to ignore described behavior or characteristics.

MAY: This word, or the adjective "OPTIONAL", means that described behavior or characteristics are truly optional for a proposed IDWG specification. One proposed specification may choose to include the described behavior or characteristic while another proposed specification may omit the same behavior or characteristic.
This document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF), which is the intended work product of the Intrusion Detection Exchange Format Working Group (IDWG). IDMEF is planned to be a standard format which automated Intrusion Detection Systems (IDS) can use for reporting what they have deemed to be suspicious or of interest. This document also specifies requirements for a communication protocol for communicating IDMEF. As chartered, IDWG has the responsibility to first evaluate existing communication protocols before choosing to specify a new one. Thus the requirements in this document can be used to evaluate existing communication protocols. If IDWG determines that a new communication protocol is necessary, the requirements in this document can be used to evaluate proposed solutions.
The reasons such a format should be useful are as follows:

A number of commercial and free Intrusion Detection Systems are available and more are becoming available all the time. Some products are aimed at detecting intrusions on the network, others are aimed at host operating systems, while still others are aimed at applications. Even within a given category, the products have very different strengths and weaknesses. Hence it is likely that users will deploy more than a single product, and users will want to observe the output of these products from one or more manager(s). A standard format for reporting will simplify this task greatly.

Intrusions frequently involve multiple organizations as victims, or multiple sites within the same organization. Typically, those sites will use different IDSs. It would be very helpful to correlate such distributed intrusions across multiple sites and administrative domains. Having reports from all sites in a common format would facilitate this task.

The existence of a common format should allow components from different IDSs to be integrated more readily. Thus, Intrusion Detection (ID) research should migrate into commercial products more easily.

In addition to enabling communication from an ID analyzer to an ID manager, the IDMEF notification system may also enable communication between a variety of IDS components. However, for the remainder of this document, we refer to the communication as going from an analyzer to a manager.

All of these reasons suggest that a common format for reporting anything deemed suspicious should help the IDS market to grow and innovate more successfully, and should result in IDS users obtaining better results from deployment of ID systems.
In order to make the rest of the requirements clearer, we define some terms about typical IDSs. These terms are presented in alphabetical order. The diagram at the end of this section illustrates the relationships of some of the terms defined herein.
Elements of the data source or occurrences within the data source that are identified by the sensor or analyzer as being of interest to the operator. Examples of this include (but are not limited to) network session showing unexpected telnet activity, operating system log file entries showing a user attempting to access files to which he is not authorized to have access, application log files showing persistent login failures, etc. Activity can range from extremely serious occurrences (such as an unequivocally malicious attack) to less serious occurrences (such as unusual user activity that's worth a further look) to neutral activity (such as user login).
The human with overall responsibility for setting the security policy of the organization, and, thus, for decisions about deploying and configuring the IDS. This may or may not be the same person as the operator of the IDS. In some organizations, the administrator is associated with the network or systems administration groups. In other organizations, it's an independent position.
A message from an analyzer to a manager that an event of interest has been detected. An alert typically contains information about the unusual activity that was detected, as well as the specifics of the occurrence.
The ID component or process that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator. In many existing IDSs, the sensor and the analyzer are part of the same component. In this document, the term analyzer is used generically to refer to the sender of the IDMEF message.
The raw information that an intrusion detection system uses to detect unauthorized or undesired activity. Common data sources include (but are not limited to) raw network packets, operating system audit logs, application audit logs, and system-generated checksum data.
The occurrence in the data source that is detected by the sensor and which may result in an IDMEF alert being transmitted. For example, 'N' failed logins in 'T' seconds might indicate a brute-force login attack.
Intrusion detection system. Some combination of one or more of the following components: sensor, analyzer, manager.
The ID component or process from which the operator manages the various components of the ID system. Management functions typically include (but are not limited to) sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting.
The method by which the IDS manager makes the operator aware of the alert occurrence and thus the event. In many IDSs, this is done via the display of a colored icon on the IDS manager screen, the transmission of an e-mail or pager message, or the transmission of an SNMP trap, although other notification techniques are also used.
The human that is the primary user of the IDS manager. The operator often monitors the output of the ID system and initiates or recommends further action.
The actions taken in response to an event. Responses may be undertaken automatically by some entity in the IDS architecture or may be initiated by a human. Sending a notification to the operator is a very common response. Other responses include (but are not limited to) logging the activity, recording the raw data (from the data source) that characterized the event, terminating a network, user, or application session, or altering network or system access controls.
The ID component that collects data from the data source. The frequency of data collection will vary across IDS offerings. The sensor is set up to forward events to the analyzer.
A rule used by the analyzer to identify interesting activity to the security administrator. Signatures represent one of the mechanisms (though not necessarily the only mechanism) by which IDSs detect intrusions.
The predefined, formally documented statement which defines what activities are allowed to take place on an organization's network or on particular hosts to support the organization's requirements. This includes, but is not limited to, which hosts are to be denied external network access.
[Figure: block diagram of the components and flows defined above: Data Source, Activity, Sensor, Event, Analyzer, Alert, Manager, Notification, Operator, Response, Administrator, Security Policy.]

The diagram above illustrates the terms above and their relationships. Not every IDS will have all of these separate components exactly as shown. Some IDSs will combine these components into a single module; some will have multiple instances of these modules.
In this document, as defined in the terms above, we assume that an analyzer determines somehow that a suspicious event has been seen by a sensor, and sends an alert to a manager. The format of that alert and the method of communicating it are what IDMEF proposes to standardize.

For the purposes of this document, we assume that the analyzer and manager are separate components, and that they are communicating pairwise across a TCP/IP network. No other form of communication between these entities is contemplated in this document, and no other use of IDMEF alerts is considered. We refer to the communication protocol that communicates IDMEF as the IDMEF Communication Protocol (IDP).

The Trust Model is not specified as a requirement, but is rather left to the choice of the IDMEF communications protocol, i.e., a design decision. What is specified are individual security related requirements.

We try to make no further architectural assumptions than those just stated. For example, the following points should not matter:

Whether the sensor and the analyzer are integrated or separate.

Whether the analyzer and manager are isolated, or embedded in some large hierarchy or distributed mesh of components.

Whether the manager actually notifies a human, takes action automatically, or just analyzes incoming alerts and correlates them.

Whether a component might act as an analyzer with respect to one component, while also acting as a manager with respect to another.
Besides this requirements document, the IDWG should produce two other documents. The first should describe a data format or language for exchanging information about suspicious events. In this, the requirements document, we refer to that document as the "data-format specification". The second document to be produced should identify existing IETF protocols that are best used for conveying the data so formatted, and explain how to package this data in those existing formats, or the document should specify a new protocol. We refer to this as the IDP (IDMEF Communication Protocol).

Accordingly, the requirements here are partitioned into four sections. The first of these contains general requirements that apply to all aspects of the IDMEF specification. The second section describes requirements on the formatting of IDMEF messages. The third section outlines requirements on the communications mechanism, IDP, used to move IDMEF messages from the analyzer to the manager. The final section contains requirements on the content and semantics of the IDMEF messages.

For each requirement, we attempt to state the requirement as clearly as possible without imposing an idea of what a design solution should be. Then we give the rationale for why this requirement is important, and state whether this should be an essential feature of the specification, or is beneficial but could be lacking if it is difficult to fulfill. Finally, where it seems necessary, we give an illustrative scenario. In some cases, we include possible design solutions in the scenario. These are purely illustrative.
It is expected that proposed IDMEF designs will, at a minimum, satisfy the requirements expressed in this document. However, this document will be used only as one of many criteria in the evaluation of various IDMEF designs and proposed communication protocols. It is recognized that the working group may use additional metrics to evaluate competing IDMEF designs and/or communication protocols.
The IDMEF SHALL reference and use previously published RFCs where possible.
The IETF has already completed a great deal of research and work into the areas of networks and security. In the interest of time, it is smart to use already defined and accepted standards.
The IDMEF specification MUST take into account that IDMEF should be able to operate in environments that contain IPv4 and IPv6 implementations.
Since pure IPv4, hybrid IPv6/IPv4, and pure IPv6 environments are expected to exist within the time frame of IDMEF implementations, the IDMEF specification MUST support IPv6 and IPv4 environments.
The IDMEF message format is intended to be independent of the IDMEF communications protocol (IDP). It should be possible to use a completely different transport mechanism without changing the IDMEF format. The goal behind this requirement is to ensure a clean separation between semantics and communication mechanisms. Obviously the IDMEF communication protocol is recommended.
IDMEF message formats SHALL support full internationalization and localization.
Since network security and intrusion detection are areas that cross geographic, political, and cultural boundaries, the IDMEF messages MUST be formatted such that they can be presented to an operator in a local language and adhering to local presentation customs.
An IDMEF specification might include numeric event identifiers. An IDMEF implementation might translate these numeric event identifiers into local language descriptions. In cases where the messages contain strings, the information might be represented using the ISO/IEC IS 10646-1 character set and encoded using the UTF-8 transformation format to facilitate internationalization.
The format of IDMEF messages MUST support filtering and/or aggregation of data by the manager.
Since it is anticipated that some managers might want to perform filtering and/or data aggregation functions on IDMEF messages, the IDMEF messages MUST be structured to facilitate these operations.
An IDMEF specification proposal might recommend fixed format messages with strong numerical semantics. This would lend itself to high-performance filtering and aggregation by the receiving station.
The IDP MUST support reliable transmission of messages.
IDS managers often rely on receipt of data from IDS analyzers to do their jobs effectively. Since IDS managers will rely on IDMEF messages for this purpose, it is important that IDP deliver IDMEF messages reliably.
The IDP MUST support transmission of messages between ID components across firewall boundaries without compromising security.
Since it is expected that firewalls will often be deployed between IDMEF capable analyzers and their corresponding managers, the ability to relay messages via proxy or other suitable mechanism across firewalls is necessary. Setting up this communication MUST NOT require changes to the intervening firewall(s) that weaken the security of the protected network(s). Nor SHOULD this be achieved by mixing IDMEF messages with other kinds of traffic (e.g., by overloading the HTTP POST method) since that would make it difficult for an organization to apply separate policies to IDMEF traffic and other kinds of traffic.
One possible design is the use of TCP to convey IDMEF messages. The general goal in this case is to avoid opening dangerous inbound "holes" in the firewall. When the manager is inside the firewall and the analyzers are outside the firewall, this is often achieved by having the manager initiate an outbound connection to each analyzer. However, it is also possible to place the manager outside the firewall and the analyzers on the inside; this can occur when a third-party vendor (such as an ISP) is providing monitoring services to a user. In this case, the outbound connections would be initiated by each analyzer to the manager. A mechanism that permits either the manager or the analyzer to initiate connections would provide maximum flexibility in manager and analyzer deployment.
The IDP MUST support mutual authentication of the analyzer and the manager to each other. Application-layer authentication is required irrespective of the underlying transport layer.
Since the alert messages are used by a manager to direct responses or further investigation related to the security of an enterprise network, it is important that the receiver have confidence in the identity of the sender and that the sender have confidence in the identity of the receiver. This is peer-to-peer authentication of each party to the other. It MUST NOT be limited to authentication of the underlying communications mechanism, for example, because of the risk that this authentication process might be subverted or misconfigured.
The IDP MUST support confidentiality of the message content during message exchange. The selected design MUST be capable of supporting a variety of encryption algorithms and MUST be adaptable to a wide variety of environments.
IDMEF messages potentially contain extremely sensitive information (such as passwords) and would be of great interest to an intruder. Since it is likely some of these messages will be transmitted across uncontrolled network segments, it is important that the content be shielded. Furthermore, since the legal environment for encryption technologies is extremely varied and changes often, it is important that the design selected be capable of supporting a number of different encryption options and be adaptable by the user to a variety of environments.
The IDP MUST ensure the integrity of the message content. The selected design MUST be capable of supporting a variety of integrity mechanisms and MUST be adaptable to a wide variety of environments.
IDMEF messages are used by the manager to direct action related to the security of the protected enterprise network. It is vital for the manager to be certain that the content of the message has not been changed after transmission.
The IDP MUST support separate authentication keys for each sender. If symmetric algorithms are used, these keys would need to be known to the manager it is communicating with.
Given that sensitive security information is being exchanged via the IDMEF, it is important that the manager can authenticate each analyzer sending alerts.
The IDP SHOULD resist protocol denial of service attacks.
A common way to defeat secure communications systems is through resource exhaustion. While this does not corrupt valid messages, it can prevent any communication at all. It is desirable that IDP resist such denial of service attacks.
An attacker penetrates a network being defended by an IDS. Although the attacker is not certain that an IDS is present, he is certain that application-level encrypted traffic (i.e., IDMEF traffic) is being exchanged between components on the network being attacked. He decides to mask his presence and disrupt the encrypted communications by initiating one or more flood events. If the IDP can resist such an attack, the probability that the attacker will be stopped increases.
The IDP SHOULD resist malicious duplication of messages.
A common way to impair the performance of secure communications mechanisms is to duplicate the messages being sent, even though the attacker might not understand them, in an attempt to confuse the receiver. It is desirable that the IDP resist such message duplication.
An attacker penetrates a network being defended by an IDS. The attacker suspects that an IDS is present and quickly identifies the encrypted traffic flowing between system components as being a possible threat. Even though she cannot read this traffic, she copies the messages and directs multiple copies at the receiver in an attempt to confuse it. If the IDP resists such message duplication, the probability that the attacker will be stopped increases.
There are many different types of IDSs, such as those based on: signatures, anomalies, correlation, network monitoring, host monitoring, or application monitoring. The IDMEF design MUST strive to accommodate these diverse approaches by concentrating on conveying *what* an IDS has detected, rather than *how* it detected it.
Rationale: There are many types of IDSs that analyze a variety of data sources. Some are profile based and operate on log files, attack signatures etc. Others are anomaly based and define normal behavior and detect deviations from the established baseline. Each of these IDSs reports different data that, in part, depends on their intrusion detection methodology. All MUST be supported by this standard.
The content of IDMEF messages MUST contain the identified name of the event (event identity) if it is known. This name MUST be drawn from a standardized list of events (if available) or will be an implementation-specific name if the event identity has not yet been standardized. It is not known how this standardized list will be defined or updated. Requirements on the creation of this list are beyond our efforts. Other groups within the security arena are investigating the creation of such lists.
Given that this document presents requirements on standardizing ID message formats so that an ID manager is able to receive alerts from analyzers from multiple implementations, it is important that the manager understand the semantics of the reported events. There is, therefore, a need to identify known events and store information concerning their methods and possible fixes to these events. Some events are well known and this recognition can help the operator.
Intruder launches an attack that is detected by two different analyzers from two distinct implementations. Both report the same event identity to the ID manager, even though the algorithms used to detect the attack by each analyzer might have been different.
The IDMEF message design MUST include information, which the sender should provide, that allows a receiver to locate background information on the kind of event that is being reported in the alert.
This information is used by administrators to report and fix problems.
Attacker performs a well-known attack. A reference to a URL to background information on the attack is included in the IDMEF message. The operator uses this information to initiate repairs on the vulnerable system.
The IDMEF message MUST be able to reference additional detailed data related to this specific underlying event. It is OPTIONAL for implementations to use this field. No requirements are placed on the format or content of this field. It is expected that this will be defined and described by the implementor.
Operators might want more information on specifics of an event. This field, if filled in by the analyzer, MAY point to additional or more detailed information about the event.
The IDMEF message MUST contain the identity of the source of the event and target component identifier if it is known. In the case of a network-based event, this will be the source and destination IP address of the session used to launch the event. Note that the identity of source and target will vary for other types of events, such as those launched/detected at the operating system or application level.
This will allow the operator to identify the source and target of the event.
The IDMEF message MUST support the representation of different types of device addresses.
A Device is a uniquely addressable element on the network (i.e., not limited to computers or networks nor a specific level of the network protocol hierarchy). Additionally, devices involved in an intrusion event might use addresses that are not IP-centric.
The IDS recognizes an intrusion on a particular device and includes both the IP address and the MAC address of the device in the IDMEF message. In another situation, the IDS recognizes an intrusion on a device which has only a MAC address and includes only that address in the IDMEF message. Another situation involves analyzers in an ATM switch fabric which use E.164 address formats.
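An added example, not part of the draft: one way a manager could validate and canonicalize the address kinds named in the scenario above (IP, MAC, E.164) so that reports from analyzers in IPv4, IPv6 and non-IP environments can be matched. The category labels, function names and sample reports are assumptions constructed for illustration.

```python
import ipaddress
import re

MAC = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
E164 = re.compile(r"^\+?([1-9]\d{1,14})$")   # at most 15 digits

# Constructed sample reports: the addresses each analyzer gave for a target.
REPORTS = {
    "analyzer-a": [("ipv6", "::ffff:192.0.2.7"), ("mac", "00-1A-2B-3C-4D-5E")],
    "analyzer-b": [("ipv4", "192.0.2.7")],
    "analyzer-c": [("mac", "00:1a:2b:3c:4d:5e")],
    "atm-switch": [("e164", "14155550100")],
}


def normalize_address(category, value):
    """Validate one address and return (category, canonical text).

    The category names ipv4, ipv6, mac and e164 are hypothetical labels.
    Raises ValueError when the value does not fit its declared category.
    """
    value = value.strip()
    if category == "ipv4":
        return ("ipv4", str(ipaddress.IPv4Address(value)))
    if category == "ipv6":
        addr = ipaddress.IPv6Address(value)
        if addr.ipv4_mapped is not None:
            # ::ffff:a.b.c.d from a dual-stack sensor names the IPv4 host.
            return ("ipv4", str(addr.ipv4_mapped))
        return ("ipv6", str(addr))      # compressed, lower-case form
    if category == "mac":
        if not MAC.match(value):
            raise ValueError(f"not a MAC address: {value!r}")
        return ("mac", value.replace("-", ":").lower())
    if category == "e164":
        m = E164.match(value)
        if m is None:
            raise ValueError(f"not an E.164 number: {value!r}")
        return ("e164", "+" + m.group(1))
    # Unknown address families are carried through untouched, not dropped.
    return (category, value)


def device_key(addresses):
    """Canonical set of every address an alert gives for one device."""
    return frozenset(normalize_address(c, v) for c, v in addresses)


def same_device(report_a, report_b):
    """Two reports match if they share at least one canonical address."""
    return not device_key(report_a).isdisjoint(device_key(report_b))
```
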
The IDMEF message MUST contain an indication of the possible impact of this event on the target. The IDMEF design document MUST define the scope of this value.
Information concerning the possible impact of the event on the target system provides an indication of what the intruder is attempting to do and is critical data for the operator to perform damage assessment. Not all systems will be able to determine this, but it is important data to transmit for those systems that can. This requirement places no requirements on the list itself (e.g., properties of the list, maintenance, etc.), rather the requirement only specifies that the IDMEF must contain a field for specifying the impact and that the IDMEF must define the scope of such values.
The IDMEF message MUST provide information about the automatic actions taken by the analyzer in response to the event (if any).
It is very important for the operator to know if there was an automated response and what that response was. This will help determine what further action to take, if any.
The IDMEF message MUST include information which would make it possible to later identify and locate the individual analyzer which reported the event.
The identity of the detecting analyzer often proves to be a valuable piece of data to have in determining how to respond to a particular event.
Scenario: One interesting scenario involves the progress of an intrusion event throughout a network. If the same event is detected and reported by multiple analyzers, the identity of the analyzer (in the case of a network-based analyzer) might provide some indication of the network location of the target systems and might warrant a specific type of response. This might be implemented as an IP address.
The IDMEF message MUST be able to contain the identity of the implementor and the analyzer that detected the event.
Rationale: Users might run multiple IDSs to protect their enterprise. This data will help the systems administrator determine which implementor and analyzer detected the event.
Analyzer X from implementor Y detects a potential intrusion. A message is sent reporting that it found a potential break-in with X and Y specified. The operator is therefore able to include the known capabilities or weaknesses of analyzer X in his decision regarding further action.
The IDMEF message MUST be able to state the degree of confidence of the report. The completion of this field by an analyzer is OPTIONAL, as this data might not be available at all analyzers.
Many IDSs contain thresholds to determine whether or not to generate an alert. This might influence the degree of confidence one has in the report or perhaps would indicate the likelihood of the report being a false alarm.
The alarm threshold monitor is set at a low level to indicate that an organization wants reports on any suspicious activity, regardless of the probability of a real attack. The degree of confidence measure is used to indicate if this is a low probability or high probability event.
The IDMEF message MUST be uniquely identifiable in that it can be distinguished from other IDMEF messages.
An IDMEF message might be sent by multiple geographically-distributed analyzers at different times. A unique identifier will allow an IDMEF message to be identified efficiently for data reduction and correlation purposes.
The unique identifier might consist of a unique originator identifier (e.g. IPv4 or IPv6 address) concatenated with a unique sequence number generated by the originator. In a typical IDS deployment, a low-level event analyzer will log the raw sensor information into, e.g., a database while analyzing and reporting results to higher levels. In this case, the unique raw message identifier can be included in the result message as supporting evidence. Higher level analyzers can later use this identifier to retrieve the raw message from the database if necessary.
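An added example, not part of the draft, tying together the per-sender key and integrity requirements, the message-duplication scenario, and the originator-plus-sequence-number identifier described above. HMAC-SHA256, the JSON envelope, the window size and every name and key below are assumptions; the draft mandates no particular mechanism.

```python
import hashlib
import hmac
import json

# Constructed sample keys, one per analyzer (separate authentication keys
# for each sender). The identifiers are documentation addresses.
KEYS = {"192.0.2.10": bytes(range(32)), "2001:db8::5": bytes(range(32, 64))}


class AlertRejected(Exception):
    """The manager refused an envelope; args[0] names the failed check."""


def _canonical(analyzer_id, seq, alert):
    # One unambiguous byte encoding of everything the integrity tag protects.
    return json.dumps([analyzer_id, seq, alert], sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def seal(analyzer_id, seq, alert, key):
    """Analyzer side: attach originator id, sequence number and a MAC."""
    tag = hmac.new(key, _canonical(analyzer_id, seq, alert),
                   hashlib.sha256).hexdigest()
    return {"analyzer": analyzer_id, "seq": seq, "alert": alert, "mac": tag}


class Manager:
    """Manager side: per-analyzer keys and a sliding duplicate window."""

    def __init__(self, keys, window=64):
        self._keys = dict(keys)   # analyzer id -> that analyzer's own key
        self._window = window     # how far behind the newest seq is tolerated
        self._highest = {}        # analyzer id -> highest seq accepted so far
        self._seen = {}           # analyzer id -> accepted seqs still in window

    def receive(self, env):
        """Return the unique message id, or raise AlertRejected."""
        try:
            analyzer, seq = env["analyzer"], env["seq"]
            alert, mac = env["alert"], env["mac"]
        except (KeyError, TypeError):
            raise AlertRejected("malformed") from None
        if (not isinstance(analyzer, str) or not isinstance(mac, str)
                or isinstance(seq, bool) or not isinstance(seq, int)
                or seq < 0):
            raise AlertRejected("malformed")

        # The claimed identity only selects the key; the MAC proves it.
        key = self._keys.get(analyzer)
        if key is None:
            raise AlertRejected("unknown analyzer")
        expected = hmac.new(key, _canonical(analyzer, seq, alert),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), mac.encode("utf-8")):
            raise AlertRejected("integrity")

        # Duplicate checks run only on authenticated envelopes, so forged
        # traffic cannot advance the window and lock out the real analyzer.
        highest = self._highest.get(analyzer, -1)
        seen = self._seen.setdefault(analyzer, set())
        if seq <= highest - self._window:
            raise AlertRejected("too old")
        if seq in seen:
            raise AlertRejected("duplicate")
        seen.add(seq)
        if seq > highest:
            self._highest[analyzer] = seq
            floor = seq - self._window
            self._seen[analyzer] = {s for s in seen if s > floor}
        return f"{analyzer}#{seq}"


def outcome(manager, env):
    """The message id on success, otherwise the rejection reason."""
    try:
        return manager.receive(env)
    except AlertRejected as exc:
        return "rejected: " + exc.args[0]


def demo():
    """Constructed traffic: valid, replayed, tampered, impersonated, late."""
    mgr = Manager(KEYS)
    a, b = "192.0.2.10", "2001:db8::5"
    first = seal(a, 1, {"event": "N failed logins in T seconds"}, KEYS[a])
    tampered = dict(seal(a, 2, {"impact": "admin"}, KEYS[a]),
                    alert={"impact": "none"})
    forged = seal(a, 3, {"event": "noise"}, KEYS[b])   # b posing as a
    traffic = (first, first, tampered, forged, seal(a, 200, {}, KEYS[a]),
               seal(a, 150, {}, KEYS[a]), seal(a, 4, {}, KEYS[a]))
    return [outcome(mgr, env) for env in traffic]
```

The returned identifier doubles as the key a higher-level analyzer would use to fetch the raw record from storage.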
The IDMEF MUST support reporting alert creation date and time in each event, where the creation date and time refer to the date and time that the analyzer decided to create an alert. The IDMEF MAY support additional dates and times, such as the date and time the event referenced by the alert began.
Time is important from both a reporting and correlation point of view. Event onset time might differ from the alert creation time because it might take some time for the sensor to accumulate information about a monitored activity before generating the event, and additional time for the analyzer to receive the event and create an alert. The event onset time is therefore more representative of the actual time that the reported activity began than is the alert creation time.
If an event is reported in the quiet hours of the night, the operator might assign a higher priority to it than she would to the same event reported in the busy hours of the day. Furthermore, an event (like a lengthy port scan) may take place over a long period of time and it would be useful for the analyzer to report the time of the alert as well as the time the event began.
Time SHALL be reported such that events from multiple analyzers in different time zones can be received by the same manager and that the local time at the analyzer can be inferred.
For event correlation purposes, it is important that the manager be able to normalize the time information reported in the IDMEF alerts.
A distributed ID system has analyzers located in multiple timezones, all reporting to a single manager. An intrusion occurs that spans multiple timezones as well as multiple analyzers. The central manager requires sufficient information to normalize these alerts and determine that all were reported near the same "time" and that they are part of the same attack.
The format for reporting the date MUST be compliant with all current standards for Year 2000 rollover, and it MUST have sufficient capability to continue reporting date values past the year 2038.
It is desirable that the IDMEF have a long lifetime and that implementations be suitable for use in a variety of environments. Therefore, characteristics that limit the lifespan of the IDMEF (such as the 2038 date representation limitation) MUST be avoided.
Time granularity and time accuracy in event messages SHALL NOT be specified by the IDMEF.
The IDMEF cannot assume a certain clock granularity on sensing elements, and so cannot impose any requirements on the granularity of the event timestamps. Nor can the IDMEF assume that the clocks being used to timestamp the events have a specified accuracy.
The IDMEF message MUST support an extension mechanism used by implementors to define implementation-specific data. The use of this mechanism by the implementor is OPTIONAL. This data contains implementation-specific information determined by each implementor. The implementor MUST indicate how to interpret these extensions, although there are no specific requirements placed on how implementors describe their implementation-specific extensions. The lack or presence of such message extensions for implementation-specific data MUST NOT break interoperation.
Implementors might wish to supply extra data such as the version number of their product or other data that they believe provides value added due to the specific nature of their product. Implementors may publish a document or web site describing their extensions; they might also use an in-band extension mechanism that is self-describing. Such extensions are not a license to break the interoperation of IDMEF messages.
The semantics of the IDMEF message MUST be well defined.
Good semantics are key to understanding what the message is trying to convey so there are no errors. Operators will decide what action to take based on these messages, so it is important that they can interpret them correctly.
Without this requirement, the operator receives an IDMEF message and interprets it one way. The implementor who constructed the message intended it to have a different meaning from the operator's interpretation. The resulting corrective action is, therefore, incorrect.
The IDMEF itself MUST be extensible. As new ID technologies emerge and as new information about events becomes available, the IDMEF message format MUST be able to include this new information. Such message extensibility must occur in such a manner that interoperability is NOT impacted.
As intrusion detection technology continues to evolve, it is likely that additional information relating to detected events will become available. The IDMEF message format MUST be able to be extended by a specific implementation to encompass this new information. Such extensions are not a license to break the interoperation of IDMEF messages.
This document does not treat security matters, except that Section 5 specifies security requirements for the protocols to be developed.
The RFC Editor should remove this section and its corresponding TOC references prior to publication.
Change section 6.17, Message Extensions, to indicate that such extensions CANNOT affect interoperability

Change section 6.19, Message Extensions, to indicate that such extensions CANNOT affect interoperability

Add a Reference Section and some related anchors
The following individuals contributed substantially to this document and should be recognized for their efforts. This document would not exist without their help:

Mark Crosbie, Hewlett-Packard
David Curry, IBM Emergency Response Services
David Donahoo, Air Force Information Warfare Center
Mike Erlinger, Harvey Mudd College
Fengmin Gong, Microcomputing Center of North Carolina
Dipankar Gupta, Hewlett-Packard
Glenn Mansfield, Cyber Solutions, Inc.
Jed Pickel, CERT Coordination Center
Stuart Staniford-Chen, Silicon Defense
Maureen Stillman, Nokia IP Telephony
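The time-reporting and unique-identifier requirements earlier in this draft, as an added Python example that is not part of the draft or of any IDWG code: a manager drops duplicate alerts by (originator address, sequence number), normalizes creation times to UTC while keeping each analyzer's local time, and groups alerts that fall close together. The ISO 8601 strings with UTC offsets, the field names and the five-minute window are assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1          # last second a signed 32-bit counter can hold
WINDOW = timedelta(minutes=5)  # assumed correlation window, not from the draft

# Constructed sample alerts (not taken from the draft). Each one carries the
# originator address plus a per-originator sequence number, and a creation
# time written as ISO 8601 with the analyzer's UTC offset (assumed format).
SAMPLE_ALERTS = [
    {"analyzer": "192.0.2.10", "seq": 41,
     "create_time": "2002-10-23T09:52:17-07:00"},
    {"analyzer": "198.51.100.7", "seq": 9,
     "create_time": "2002-10-23T18:53:03+02:00"},
    {"analyzer": "192.0.2.10", "seq": 41,          # same alert delivered twice
     "create_time": "2002-10-23T09:52:17-07:00"},
    {"analyzer": "2001:db8::5", "seq": 3,
     "create_time": "2002-10-24T01:55:40+09:00"},
    {"analyzer": "203.0.113.4", "seq": 77,          # date beyond 2038
     "create_time": "2040-01-01T00:00:05+00:00"},
]


def parse_create_time(text):
    """Parse a creation time and refuse values that carry no UTC offset.

    Without the offset the manager can neither normalize the time nor
    infer the local time at the analyzer.
    """
    stamp = datetime.fromisoformat(text)
    if stamp.utcoffset() is None:
        raise ValueError(f"no UTC offset in {text!r}: cannot normalize")
    return stamp


def normalize(alerts):
    """Deduplicate by unique identifier and convert creation times to UTC."""
    seen = set()
    records = []
    for alert in alerts:
        uid = (alert["analyzer"], alert["seq"])  # originator + sequence number
        if uid in seen:
            continue                             # data reduction: drop repeat
        seen.add(uid)
        local = parse_create_time(alert["create_time"])
        utc = local.astimezone(timezone.utc)
        records.append({
            "id": uid,
            "local": local,                      # analyzer's wall-clock time
            "utc": utc,                          # comparable across analyzers
            # Python integers are unbounded, so this does not wrap in 2038.
            "epoch": int((utc - EPOCH).total_seconds()),
        })
    return sorted(records, key=lambda rec: rec["utc"])


def correlate(records, max_gap=WINDOW):
    """Group UTC-sorted records whose neighbours are at most max_gap apart."""
    clusters = []
    for rec in records:
        if clusters and rec["utc"] - clusters[-1][-1]["utc"] <= max_gap:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return clusters


if __name__ == "__main__":
    for group in correlate(normalize(SAMPLE_ALERTS)):
        print("--- alerts reported near the same time ---")
        for rec in group:
            note = " (beyond 32-bit range)" if rec["epoch"] > INT32_MAX else ""
            print(f"{rec['utc'].isoformat()}  local={rec['local'].isoformat()}"
                  f"  id={rec['id']}  epoch={rec['epoch']}{note}")
```

The three 2002 alerts carry local times on two different calendar days, yet they fall into one group once converted to UTC.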
--tThc/1wpZn/ma/RB--

From idwg-public-request@semper.org Wed Oct 23 12:53:03 2002
Received: from www.opencard.org (www.opencard.org [195.176.20.76]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA25247 for ; Wed, 23 Oct 2002 12:53:03 -0400 (EDT)
Received: by www.opencard.org (Postfix, from userid 503) id C7EDF348D4; Wed, 23 Oct 2002 18:55:08 +0200 (CEST)
Old-Return-Path:
Delivered-To: semper-idwg-public@opencard.org
From: sandra.rosada@unipd.it (automatic message)
Subject: I am away.
Message-Id: <20021023165439.906811EB367@mail.unipd.it>
Date: Wed, 23 Oct 2002 18:54:39 +0200 (MET DST)
To: undisclosed-recipients: ;, undisclosed-recipients:@internet-fence.zurich.ihost.com
Resent-Message-ID:
Resent-From: idwg-public@semper.org
X-Mailing-List: archive/latest/557
X-Loop: idwg-public@semper.org
Precedence: list
Resent-Sender: idwg-public-request@semper.org
Resent-Date: Wed, 23 Oct 2002 18:55:08 +0200 (CEST)

Good morning,
I am away until 11.11.02. For urgent matters, contact the helpdesk service of the Centro di Calcolo:
mail helpdesk.cca@unipd.it
tel 049-8273722

Regards,
Sandra Rosada

From idwg-public-request@semper.org Wed Oct 23 13:03:06 2002
Received: from www.opencard.org (www.opencard.org [195.176.20.76]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA25574 for ; Wed, 23 Oct 2002 13:03:04 -0400 (EDT)
Received: by www.opencard.org (Postfix, from userid 503) id 8F53C348D6; Wed, 23 Oct 2002 19:05:11 +0200 (CEST)
Old-Return-Path:
Delivered-To: semper-idwg-public@opencard.org
Subject: Fwd: draft-ietf-idwg-beep-idxp-07
From: James Riordan
To: idwg-public@zurich.ibm.com
Content-Type: multipart/mixed; boundary="=-p8X6nlOCFvhLlR58opoW"
X-Mailer: Ximian Evolution 1.0.8 (1.0.8-10)
Date: 23 Oct 2002 19:03:49 +0200
Message-Id: <1035392629.12111.38.camel@como.zurich.ibm.com>
Mime-Version: 1.0
Resent-Message-ID:
Resent-From: idwg-public@semper.org
X-Mailing-List: archive/latest/558
X-Loop: idwg-public@semper.org
Precedence: list
Resent-Sender:
 idwg-public-request@semper.org
Resent-Date: Wed, 23 Oct 2002 19:05:11 +0200 (CEST)

--=-p8X6nlOCFvhLlR58opoW
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Forwarded mail...

--=-p8X6nlOCFvhLlR58opoW
Content-Disposition: inline
Content-Description: Forwarded message - draft-ietf-idwg-beep-idxp-07
Content-Type: message/rfc822

Received: from d12relay03.de.ibm.com by sihl.zurich.ibm.com (AIX 4.3/UCB 5.64/4.03) id AA51082 from ; Wed, 23 Oct 2002 01:40:30 +0200
Return-Path:
Received: from d12lmsgate.de.ibm.com (d12lmsgate.emea.ibm.com [9.165.1.110]) by d12relay03.de.ibm.com (8.12.3/NCO/VER6.4) with ESMTP id g9MNeNrY076190 for ; Wed, 23 Oct 2002 01:40:23 +0200
Received: from www.opencard.org (www.opencard.org [195.176.20.76]) by d12lmsgate.de.ibm.com (8.12.3/8.12.3) with ESMTP id g9MNeMjU018744 for ; Wed, 23 Oct 2002 01:40:22 +0200
Received: by www.opencard.org (Postfix, from userid 23067) id 5426A34844; Wed, 23 Oct 2002 01:40:48 +0200 (CEST)
Delivered-To: rij@opencard.org
Received: by www.opencard.org (Postfix, from userid 503) id 5E48634845; Wed, 23 Oct 2002 01:40:47 +0200 (CEST)
X-From_: me@benfeinstein.net Wed Oct 23 01:40:46 2002
Delivered-To: semper-idwg-public@opencard.org
Received: from internet-fence.zurich.ihost.com (internet-fence.zurich.ihost.com [195.176.20.141]) by www.opencard.org (Postfix) with ESMTP id 27FBA347FA for ; Wed, 23 Oct 2002 01:40:28 +0200 (CEST)
Received: from d12lmsgate-2.de.ibm.com (d12lmsgate-2.de.ibm.com [194.196.100.235]) by internet-fence.zurich.ihost.com (AIX4.3/8.9.3/8.8.8) with ESMTP id BAA12182 for ; Wed, 23 Oct 2002 01:39:59 +0200
Received: from d12relay02.de.ibm.com (d12relay02.de.ibm.com [9.165.215.23]) by d12lmsgate-2.de.ibm.com (8.12.3/8.12.3) with ESMTP id g9MNdxCG066204 for ; Wed, 23 Oct 2002 01:39:59 +0200
Received: from sihl.zurich.ibm.com (sihl.zurich.ibm.com [9.4.16.232]) by d12relay02.de.ibm.com (8.12.3/NCO/VER6.4) with SMTP id g9MNdw9X034122 for ; Wed, 23 Oct 2002 01:39:58 +0200
Received: from d12relay03.de.ibm.com by sihl.zurich.ibm.com (AIX 4.3/UCB 5.64/4.03) id AA29652 from ; Wed, 23 Oct 2002 01:39:50 +0200
Received: from d12lmsgate-2.de.ibm.com (d12lmsgate-2.emea.ibm.com [9.165.1.111]) by d12relay03.de.ibm.com (8.12.3/NCO/VER6.4) with ESMTP id g9MNdfrY119024 for ; Wed, 23 Oct 2002 01:39:41 +0200
Received: from sack.dreamhost.com (sack.dreamhost.com [66.33.213.6]) by d12lmsgate-2.de.ibm.com (8.12.3/8.12.3) with ESMTP id g9MNdaCG066194 for ; Wed, 23 Oct 2002 01:39:38 +0200
Received: from raiden.dreamhost.com (raiden.dreamhost.com [66.33.213.5]) by sack.dreamhost.com (Postfix) with ESMTP id B935113E370; Tue, 22 Oct 2002 16:38:56 -0700 (PDT)
Received: by raiden.dreamhost.com (Postfix, from userid 17697) id 139479602C; Tue, 22 Oct 2002 16:38:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by raiden.dreamhost.com (Postfix) with ESMTP id DA21D96014; Tue, 22 Oct 2002 16:38:54 -0700 (PDT)
Old-Date: Tue, 22 Oct 2002 16:38:54 -0700 (PDT)
X-Afs-Authentication: NONE
From: Ben Feinstein
X-X-Sender: benny@raiden.dreamhost.com
To: "idwg-public@zurich.ibm.com" , "internet-drafts@ietf.org"
Cc: Mike Erlinger , Stuart Staniford , Marshall Rose , Darren New , "jis@mit.edu" , "smb@research.att.com"
Subject: draft-ietf-idwg-beep-idxp-07
Message-Id:
Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; boundary="557974997-1322378147-1035329444=:29862"
Content-Id:
X-Diagnostic: Not on the accept list
X-Envelope-To: idwg-public
Date: Wed, 23 Oct 2002 01:40:47 +0200 (CEST)

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info.

--557974997-1322378147-1035329444=:29862
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-ID:

Attached is a new version of the IDXP draft. I've made the IESG's requested changes to the best of my understanding.
B.1 Significant Changes Since beep-idxp-06

Modified Section 5 to make explicit that each of the IDWG communications protocol requirements is listed and that IDXP relies on BEEP and several BEEP profiles to meet this set of requirements.

Added Section 6 describing the ways to extend IDXP.

Separated the references into normative and informational sections.

Updated document author information.

Enjoy,
Ben

--557974997-1322378147-1035329444=:29862
Content-Type: TEXT/PLAIN; name="draft-ietf-idwg-beep-idxp-07.txt"
Content-ID:
Content-Description: draft-ietf-idwg-beep-idxp-07.txt
Content-Disposition: attachment; filename="draft-ietf-idwg-beep-idxp-07.txt"
Content-Transfer-Encoding: BASE64
bXBsZXRlIGRpc2N1c3Npb24gb2YgdGhlDQogICBjaXJjdW1zdGFuY2VzIHVuZGVyIHdoaWNoIGEg QkVFUCBwZWVyIGlzIHBlcm1pdHRlZCB0byBjbG9zZSBhIGNoYW5uZWwNCiAgIGFuZCB0aGUgbWVj aGFuaXNtcyBmb3IgZG9pbmcgc28uDQoNCiAgIEl0IGlzIGFudGljaXBhdGVkIHRoYXQgZHVlIHRv IHRoZSBvdmVyaGVhZCBvZiBwcm92aXNpb25pbmcgYW4NCiAgIGFwcGxpY2F0aW9uLWxheWVyIHR1 bm5lbCBhbmQvb3IgYSBCRUVQIHNlY3VyaXR5IHByb2ZpbGUsIEJFRVANCiAgIHNlc3Npb25zIGNv bnRhaW5pbmcgSURYUCBjaGFubmVscyB3aWxsIGJlIGxvbmctbGl2ZWQuICBBZGRpdGlvbmFsbHks DQogICB0aGUgcmVwZWF0ZWQgb3ZlcmhlYWQgb2YgSURYUCBjaGFubmVsIHByb3Zpc2lvbmluZyAo aS5lLiwgdGhlDQogICBleGNoYW5nZSBvZiBJRFhQIGdyZWV0aW5ncykgbWF5IGJlIGF2b2lkZWQg Ynkga2VlcGluZyBJRFhQIGNoYW5uZWxzDQogICBvcGVuIGV2ZW4gd2hpbGUgZGF0YSBpcyBub3Qg YWN0aXZlbHkgYmVpbmcgZXhjaGFuZ2VkIG9uIHRoZW0uICBUaGVzZQ0KICAgYXJlIHJlY29tbWVu ZGF0aW9ucyBhbmQsIGFzIHN1Y2gsIElEWFAgcGVlcnMgbWF5IGNob29zZSB0byBjbG9zZSBhbmQN CiAgIHJlLXByb3Zpc2lvbiBCRUVQIHNlc3Npb25zIGFuZC9vciBJRFhQIGNoYW5uZWxzIGFzIHRo ZXkgc2VlIGZpdC4NCg0KMi40IFRydXN0IE1vZGVsDQoNCiAgIEluIG91ciBtb2RlbCwgdHJ1c3Qg aXMgcGxhY2VkIGV4Y2x1c2l2ZWx5IGluIHRoZSBJRFhQIHBlZXJzLiAgUHJveGllcw0KICAgYXJl IGFsd2F5cyBhc3N1bWVkIHRvIGJlIHVudHJ1c3R3b3J0aHkuICBBIEJFRVAgc2VjdXJpdHkgcHJv ZmlsZSBpcw0KICAgdXNlZCB0byBlc3RhYmxpc2ggZW5kLXRvLWVuZCBzZWN1cml0eSBiZXR3ZWVu IHBhaXJzIG9mIElEWFAgcGVlcnMsDQogICBkb2luZyBhd2F5IHdpdGggdGhlIG5lZWQgdG8gcGxh Y2UgdHJ1c3QgaW4gYW55IGludGVydmVuaW5nIHByb3hpZXMuDQogICBPbmx5IGFmdGVyIHN1Y2Nl c3NmdWwgbmVnb3RpYXRpb24gb2YgdGhlIHVuZGVybHlpbmcgc2VjdXJpdHkgcHJvZmlsZQ0KICAg YXJlIElEWFAgcGVlcnMgdG8gYmUgdHJ1c3RlZC4gIE9ubHkgQkVFUCBzZWN1cml0eSBwcm9maWxl cyBvZmZlcmluZw0KICAgYXQgbGVhc3QgdGhlIHByb3RlY3Rpb25zIHJlcXVpcmVkIGJ5IFNlY3Rp b24gNSBvZiBbOV0gc2hvdWxkIGJlIHVzZWQNCiAgIHRvIHNlY3VyZSBhIEJFRVAgc2Vzc2lvbiBj b250YWluaW5nIGNoYW5uZWxzIHVzaW5nIHRoZSBJRFhQIHByb2ZpbGUuDQogICBTZWUgU2VjdGlv biAzIG9mIFs4XSBmb3IgdGhlIHJlZ2lzdHJhdGlvbiBvZiB0aGUgVExTIHByb2ZpbGUsIGFuDQog ICBleGFtcGxlIG9mIGEgQkVFUCBzZWN1cml0eSBwcm9maWxlIG1lZXRpbmcgdGhlIHJlcXVpcmVt 
ZW50cyBvZg0KDQoNCg0KRmVpbnN0ZWluLCBldCBhbC4gICAgICAgIEV4cGlyZXMgQXByaWwgMjIs IDIwMDMgICAgICAgICAgICAgICAgIFtQYWdlIDldDQoMDQpJbnRlcm5ldC1EcmFmdCAgICAgICAg ICAgICAgICAgIFRoZSBJRFhQICAgICAgICAgICAgICAgICAgICBPY3RvYmVyIDIwMDINCg0KDQog ICBTZWN0aW9uIDUgb2YgWzldLiAgU2VlIFNlY3Rpb24gNSBmb3IgYSBkaXNjdXNzaW9uIG9mIGhv dyBJRFhQDQogICBmdWxmaWxscyB0aGUgSURXRyBjb21tdW5pY2F0aW9ucyBwcm90b2NvbCByZXF1 aXJlbWVudHMuDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0K DQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCkZlaW5z dGVpbiwgZXQgYWwuICAgICAgICBFeHBpcmVzIEFwcmlsIDIyLCAyMDAzICAgICAgICAgICAgICAg IFtQYWdlIDEwXQ0KDA0KSW50ZXJuZXQtRHJhZnQgICAgICAgICAgICAgICAgICBUaGUgSURYUCAg ICAgICAgICAgICAgICAgICAgT2N0b2JlciAyMDAyDQoNCg0KMy4gVGhlIElEWFAgUHJvZmlsZQ0K DQozLjEgSURYUCBQcm9maWxlIE92ZXJ2aWV3DQoNCiAgIFRoZSBJRFhQIHByb2ZpbGUgcHJvdmlk ZXMgYSBtZWNoYW5pc20gZm9yIGV4Y2hhbmdpbmcgaW5mb3JtYXRpb24NCiAgIGJldHdlZW4gaW50 cnVzaW9uIGRldGVjdGlvbiBlbnRpdGllcy4gIEEgQkVFUCB0dW5pbmcgcHJvZmlsZSBNQVkgYmUN CiAgIHVzZWQgdG8gY3JlYXRlIGFuIGFwcGxpY2F0aW9uLWxheWVyIHR1bm5lbCB0aGF0IHRyYW5z cGFyZW50bHkNCiAgIGZvcndhcmRzIGRhdGEgb3ZlciBhIGNoYWluIG9mIHByb3hpZXMuICBUaGUg VFVOTkVMIHByb2ZpbGUgWzddIFNIT1VMRA0KICAgYmUgdXNlZCBmb3IgdGhpcyBwdXJwb3NlOyBz ZWUgWzddIGZvciBtb3JlIGRldGFpbCBjb25jZXJuaW5nIHRoZQ0KICAgb3B0aW9ucyBhdmFpbGFi bGUgdG8gc2V0dXAgYW4gYXBwbGljYXRpb24tbGF5ZXIgdHVubmVsIHVzaW5nIFRVTk5FTCwNCiAg IGFuZCBzZWUgU2VjdGlvbiAxMS4xIGZvciBhIGRpc2N1c3Npb24gb2YgVFVOTkVMIHJlbGF0ZWQg c2VjdXJpdHkNCiAgIGNvbnNpZGVyYXRpb25zLiAgVFVOTkVMIE1VU1QgYmUgb2ZmZXJlZCBhcyBh IHR1bmluZyBwcm9maWxlIGZvciB0aGUNCiAgIGNyZWF0aW9uIG9mIGFwcGxpY2F0aW9uLWxheWVy IHR1bm5lbHMuICBUaGUgVFVOTkVMIHByb2ZpbGUgTVVTVCBvZmZlcg0KICAgdGhlIHVzZSBvZiBz b21lIGZvcm0gb2YgU0FTTCBhdXRoZW50aWNhdGlvbiAoYy5mLiwgU2VjdGlvbiA0LjEgb2YNCiAg IFs4XSkuICBUaGUgVExTIHByb2ZpbGUgU0hPVUxEIGJlIHVzZWQgdG8gcHJvdmlkZSB0aGUgcmVx dWlyZWQNCiAgIGNvbWJpbmF0aW9uIG9mIG11dHVhbC1hdXRoZW50aWNhdGlvbiwgaW50ZWdyaXR5 
LCBhbmQgY29uZmlkZW50aWFsaXR5DQogICBmb3IgdGhlIElEWFAgcHJvZmlsZS4gIEZvciBmdXJ0 aGVyIGRpc2N1c3Npb24gb2YgYXBwbGljYXRpb24tbGF5ZXINCiAgIHR1bm5lbCBhbmQgc2VjdXJp dHkgaXNzdWVzIHNlZSBTZWN0aW9uIDIuMSBhbmQgU2VjdGlvbiAxMS4NCg0KICAgVGhlIElEWFAg cHJvZmlsZSBzdXBwb3J0cyBzZXZlcmFsIGVsZW1lbnRzIG9mIGludGVyZXN0Og0KDQogICBvICBU aGUgIklEWFAtR3JlZXRpbmciIGVsZW1lbnQgaWRlbnRpZmllcyBhbiBhbmFseXplciBvciBtYW5h Z2VyIGF0DQogICAgICBvbmUgZW5kIG9mIGEgQkVFUCBjaGFubmVsIHRvIHRoZSBhbmFseXplciBv ciBtYW5hZ2VyIGF0IHRoZSBvdGhlcg0KICAgICAgZW5kIG9mIHRoZSBjaGFubmVsLg0KDQogICBv ICBUaGUgIk9wdGlvbiIgZWxlbWVudCBpcyB1c2VkIHRvIGNvbnZleSBvcHRpb25hbCBjaGFubmVs IHBhcmFtZXRlcnMNCiAgICAgIGJldHdlZW4gcGVlcnMgZHVyaW5nIHRoZSBleGNoYW5nZSBvZiAi SURYUC1HcmVldGluZyIgZWxlbWVudHMuDQogICAgICBUaGlzIGVsZW1lbnQgaXMgT1BUSU9OQUwu DQoNCiAgIG8gIFRoZSAiSURNRUYtTWVzc2FnZSIgZWxlbWVudCBjYXJyaWVzIHRoZSBzdHJ1Y3R1 cmVkIGluZm9ybWF0aW9uIHRvDQogICAgICBiZSBleGNoYW5nZWQgYmV0d2VlbiB0aGUgcGVlcnMu DQoNCg0KMy4yIElEWFAgUHJvZmlsZSBJZGVudGlmaWNhdGlvbiBhbmQgSW5pdGlhbGl6YXRpb24N Cg0KICAgVGhlIElEWFAgcHJvZmlsZSBpcyBpZGVudGlmaWVkIGFzDQoNCiAgICAgIGh0dHA6Ly9p YW5hLm9yZy9iZWVwL3RyYW5zaWVudC9pZHdnL2lkeHANCg0KICAgaW4gdGhlIEJFRVAgInByb2Zp bGUiIGVsZW1lbnQgZHVyaW5nIGNoYW5uZWwgY3JlYXRpb24uDQoNCiAgIER1cmluZyBjaGFubmVs IGNyZWF0aW9uLCAiSURYUC1HcmVldGluZyIgZWxlbWVudHMgTVVTVCBiZSBtdXR1YWxseQ0KICAg ZXhjaGFuZ2VkIGJldHdlZW4gdGhlIHBlZXJzLiAgQW4gIklEWFAtR3JlZXRpbmciIGVsZW1lbnQg TUFZIGJlDQogICBjb250YWluZWQgd2l0aGluIHRoZSBjb3JyZXNwb25kaW5nICJwcm9maWxlIiBl bGVtZW50IGluIHRoZSBCRUVQDQogICAic3RhcnQiIGVsZW1lbnQuICBJbmNsdWRpbmcgYW4gIklE WFAtR3JlZXRpbmciIGVsZW1lbnQgaW4gdGhlIGluaXRpYWwNCiAgICJzdGFydCIgZWxlbWVudCBo YXMgZXhhY3RseSB0aGUgc2FtZSBzZW1hbnRpY3MgYXMgcGFzc2luZyBpdCBhcyB0aGUNCiAgIGZp cnN0ICJNU0ciIG1lc3NhZ2Ugb24gdGhlIGNoYW5uZWwuICBJZiBjaGFubmVsIGNyZWF0aW9uIGlz DQogICBzdWNjZXNzZnVsLCB0aGVuIGJlZm9yZSBzZW5kaW5nIHRoZSBjb3JyZXNwb25kaW5nIHJl cGx5LCB0aGUgQkVFUA0KDQoNCg0KRmVpbnN0ZWluLCBldCBhbC4gICAgICAgIEV4cGlyZXMgQXBy 
aWwgMjIsIDIwMDMgICAgICAgICAgICAgICAgW1BhZ2UgMTFdDQoMDQpJbnRlcm5ldC1EcmFmdCAg ICAgICAgICAgICAgICAgIFRoZSBJRFhQICAgICAgICAgICAgICAgICAgICBPY3RvYmVyIDIwMDIN Cg0KDQogICBwZWVyIHByb2Nlc3NlcyB0aGUgIklEWFAtR3JlZXRpbmciIGVsZW1lbnQgYW5kIGlu Y2x1ZGVzIHRoZSByZXN1bHRpbmcNCiAgIHJlc3BvbnNlIGluIHRoZSByZXBseS4gIFRoaXMgcmVz cG9uc2Ugd2lsbCBiZSBhbiAib2siIGVsZW1lbnQgb3IgYW4NCiAgICJlcnJvciIgZWxlbWVudC4g IFRoZSBjaG9pY2Ugb2Ygd2hpY2ggZWxlbWVudCBpcyByZXR1cm5lZCBpcw0KICAgZGVwZW5kZW50 IG9uIGxvY2FsIHByb3Zpc2lvbmluZyBvZiB0aGUgcGVlci4NCg0KMy4zIElEWFAgUHJvZmlsZSBN ZXNzYWdlIFN5bnRheA0KDQogICBCRUVQIG1lc3NhZ2VzIGluIHRoZSBwcm9maWxlIE1VU1QgaGF2 ZSBhIE1JTUUgQ29udGVudC1UeXBlIFs0XSBvZg0KICAgInRleHQveG1sIiwgInRleHQvcGxhaW4i LCBvciAiYXBwbGljYXRpb24vb2N0ZXQtc3RyZWFtIi4gIFRoZSBzeW50YXgNCiAgIG9mIHRoZSBp bmRpdmlkdWFsIGVsZW1lbnRzIGlzIHNwZWNpZmllZCBpbiBTZWN0aW9uIDkuMSBhbmQgU2VjdGlv biA1DQogICBvZiBbNl0uDQoNCjMuNCBJRFhQIFByb2ZpbGUgU2VtYW50aWNzDQoNCiAgIEVhY2gg QkVFUCBwZWVyIGlzc3VlcyB0aGUgIklEWFAtR3JlZXRpbmciIGVsZW1lbnQgdXNpbmcgIk1TRyIN CiAgIG1lc3NhZ2VzLiAgVGhlICJJRFhQLUdyZWV0aW5nIiBlbGVtZW50IE1BWSBjb250YWluIG9u ZSBvciBtb3JlDQogICAiT3B0aW9uIiBzdWItZWxlbWVudHMsIGNvbnZleWluZyBvcHRpb25hbCBj aGFubmVsIHBhcmFtZXRlcnMuICBFYWNoDQogICBCRUVQIHBlZXIgdGhlbiBpc3N1ZXMgIm9rIiBp biAiUlBZIiBtZXNzYWdlcyBvciAiZXJyb3IiIGluICJFUlIiDQogICBtZXNzYWdlcy4gIChTZWUg U2VjdGlvbiAyLjMuMSBvZiBbOF0gZm9yIHRoZSBkZWZpbml0aW9ucyBvZiB0aGUNCiAgICJlcnJv ciIgYW5kICJvayIgZWxlbWVudHMuKSBBbiAiZXJyb3IiIGVsZW1lbnQgTUFZIGJlIGlzc3VlZCB3 aXRoaW4gYQ0KICAgIlJQWSIgbWVzc2FnZSB3aGVuIHBpZ2d5LWJhY2tlZCB3aXRoaW4gYSBCRUVQ ICJwcm9maWxlIiBlbGVtZW50LiAgU2VlDQogICBTZWN0aW9uIDMuNC4xIGZvciBhbiBleGFtcGxl IG9mIGFuICJlcnJvciIgZWxlbWVudCBiZWluZyBpc3N1ZWQNCiAgIHdpdGhpbiBhICJSUFkiIG1l c3NhZ2UuICBCYXNlZCBvbiB0aGUgcmVzcGVjdGl2ZSBjbGllbnQvc2VydmVyIHJvbGVzDQogICBu ZWdvdGlhdGVkIGR1cmluZyB0aGUgZXhjaGFuZ2Ugb2YgIklEWFAtR3JlZXRpbmciIGVsZW1lbnRz LCB0aGUNCiAgIGNsaWVudCBzZW5kcyBkYXRhIHVzaW5nICJNU0ciIG1lc3NhZ2VzLiAgRGVwZW5k 
aW5nIG9uIHRoZSBNSU1FDQogICBDb250ZW50LVR5cGUsIHRoaXMgZGF0YSBtYXkgYmUgYW4gIklE TUVGLU1lc3NhZ2UiIGVsZW1lbnQsIHBsYWluDQogICB0ZXh0LCBvciBiaW5hcnkuICBUaGUgc2Vy dmVyIHRoZW4gaXNzdWVzICJvayIgaW4gIlJQWSIgbWVzc2FnZXMgb3INCiAgICJlcnJvciIgaW4g IkVSUiIgbWVzc2FnZXMuDQoNCjMuNC4xIFRoZSBJRFhQLUdSRUVUSU5HIEVsZW1lbnQNCg0KICAg VGhlICJJRFhQLUdyZWV0aW5nIiBlbGVtZW50IHNlcnZlcyB0byBpZGVudGlmeSB0aGUgYW5hbHl6 ZXIgb3INCiAgIG1hbmFnZXIgYXQgb25lIGVuZCBvZiB0aGUgQkVFUCBjaGFubmVsIHRvIHRoZSBh bmFseXplciBvciBtYW5hZ2VyIGF0DQogICB0aGUgb3RoZXIgZW5kIG9mIHRoZSBjaGFubmVsLiAg VGhlICJJRFhQLUdyZWV0aW5nIiBlbGVtZW50IE1VU1QNCiAgIGluY2x1ZGUgdGhlIHJvbGUgb2Yg dGhlIHBlZXIgb24gdGhlIGNoYW5uZWwgKGNsaWVudCBvciBzZXJ2ZXIpIGFuZA0KICAgdGhlIFVu aWZvcm0gUmVzb3VyY2UgSWRlbnRpZmllciAoVVJJKSBbMV0gb2YgdGhlIHBlZXIuICBBZGRpdGlv bmFsbHksDQogICB0aGUgIklEWFAtR3JlZXRpbmciIGVsZW1lbnQgTUFZIGluY2x1ZGUgdGhlIGZ1 bGx5IHF1YWxpZmllZCBkb21haW4NCiAgIG5hbWUgKGMuZi4sIFs1XSkgb2YgdGhlIHBlZXIuICBP bmUgb3IgbW9yZSAiT3B0aW9uIiBzdWItZWxlbWVudHMgTUFZDQogICBiZSBwcmVzZW50Lg0KDQog ICBBbiAiSURYUC1HcmVldGluZyIgZWxlbWVudCBNQVkgYmUgc2VudCBieSBlaXRoZXIgcGVlciBh dCBhbnkgdGltZS4NCiAgIFRoZSBwZWVyIHJlY2VpdmluZyB0aGUgIklEWFAtR3JlZXRpbmciIE1V U1QgcmVzcG9uZCB3aXRoIGFuICJvayINCiAgIChpbmRpY2F0aW5nIGFjY2VwdGFuY2UpLCBvciBh biAiZXJyb3IiIChpbmRpY2F0aW5nIHJlamVjdGlvbikuICBBDQogICBwZWVyJ3MgaWRlbnRpdHkg YW5kIHJvbGUgb24gYSBjaGFubmVsIGFuZCBhbnkgb3B0aW9uYWwgY2hhbm5lbA0KICAgcGFyYW1l dGVycyBhcmUsIGluIGVmZmVjdCwgc3BlY2lmaWVkIGJ5IHRoZSBtb3N0IHJlY2VudCAiSURYUC0N CiAgIEdyZWV0aW5nIiBpdCBzZW50IHRoYXQgd2FzIGFuc3dlcmVkIHdpdGggYW4gIm9rIi4NCg0K ICAgQW4gIklEWFAtR3JlZXRpbmciIG1heSBiZSByZWplY3RlZCAod2l0aCBhbiAiZXJyb3IiIGVs ZW1lbnQpIHVuZGVyDQoNCg0KDQpGZWluc3RlaW4sIGV0IGFsLiAgICAgICAgRXhwaXJlcyBBcHJp bCAyMiwgMjAwMyAgICAgICAgICAgICAgICBbUGFnZSAxMl0NCgwNCkludGVybmV0LURyYWZ0ICAg ICAgICAgICAgICAgICAgVGhlIElEWFAgICAgICAgICAgICAgICAgICAgIE9jdG9iZXIgMjAwMg0K DQoNCiAgIG1hbnkgY2lyY3Vtc3RhbmNlcy4gIFRoZXNlIGluY2x1ZGUsIGJ1dCBhcmUgbm90IGxp 
bWl0ZWQgdG8sDQogICBhdXRoZW50aWNhdGlvbiBmYWlsdXJlLCBsYWNrIG9mIGF1dGhvcml6YXRp b24gdG8gY29ubmVjdCB1bmRlciB0aGUNCiAgIHNwZWNpZmllZCByb2xlLCB0aGUgbmVnb3RpYXRp b24gb2YgYW4gaW5hZGVxdWF0ZSBjaXBoZXJzdWl0ZSwgb3IgdGhlDQogICBwcmVzZW5jZSBvZiBh IGNoYW5uZWwgb3B0aW9uIHRoYXQgbXVzdCBiZSB1bmRlcnN0b29kIGJ1dCB3YXMNCiAgIHVucmVj b2duaXplZC4NCg0KICAgRm9yIGV4YW1wbGUsIGEgc3VjY2Vzc2Z1bCBjcmVhdGlvbiB3aXRoIGFu IGVtYmVkZGVkICJJRFhQLUdyZWV0aW5nIg0KICAgbWlnaHQgbG9vayBsaWtlIHRoaXM6DQoNCiAg IEk6IE1TRyAwIDEwIC4gMTU5MiAxODcNCiAgIEk6IENvbnRlbnQtVHlwZTogdGV4dC94bWwNCiAg IEk6DQogICBJOiA8c3RhcnQgbnVtYmVyPScxJz4NCiAgIEk6ICAgPHByb2ZpbGUgdXJpPSdodHRw Oi8vaWFuYS5vcmcvYmVlcC90cmFuc2llbnQvaWR3Zy9pZHhwJz4NCiAgIEk6ICAgICA8IVtDREFU QVsgPElEWFAtR3JlZXRpbmcgdXJpPSdodHRwOi8vZXhhbXBsZS5jb20vYWxpY2UnDQogICBJOiAg ICAgICByb2xlPSdjbGllbnQnIC8+IF1dPg0KICAgSTogICA8L3Byb2ZpbGU+DQogICBJOiA8L3N0 YXJ0Pg0KICAgSTogRU5EDQogICBMOiBSUFkgMCAxMCAuIDE4NjUgOTENCiAgIEw6IENvbnRlbnQt VHlwZTogdGV4dC94bWwNCiAgIEw6DQogICBMOiA8cHJvZmlsZSB1cmk9J2h0dHA6Ly9pYW5hLm9y Zy9iZWVwL3RyYW5zaWVudC9pZHdnL2lkeHAnPg0KICAgTDogICA8IVtDREFUQVsgPG9rIC8+IF1d Pg0KICAgTDogPC9wcm9maWxlPg0KICAgTDogRU5EDQogICBMOiBNU0cgMCAxMSAuIDE5NTYgNjEN CiAgIEw6IENvbnRlbnQtVHlwZTogdGV4dC94bWwNCiAgIEw6DQogICBMOiA8SURYUC1HcmVldGlu ZyB1cmk9J2h0dHA6Ly9leGFtcGxlLmNvbS9ib2InIHJvbGU9J3NlcnZlcicgLz4NCiAgIEw6IEVO RA0KICAgSTogUlBZIDAgMTEgLiAxNzc5IDcNCiAgIEk6IENvbnRlbnQtVHlwZTogdGV4dC94bWwN CiAgIEk6DQogICBJOiA8b2sgLz4NCiAgIEk6IEVORA0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0K DQoNCg0KRmVpbnN0ZWluLCBldCBhbC4gICAgICAgIEV4cGlyZXMgQXByaWwgMjIsIDIwMDMgICAg ICAgICAgICAgICAgW1BhZ2UgMTNdDQoMDQpJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgICAgICAg IFRoZSBJRFhQICAgICAgICAgICAgICAgICAgICBPY3RvYmVyIDIwMDINCg0KDQogICBBIGNyZWF0 aW9uIHdpdGggYW4gZW1iZWRkZWQgIklEWFAtR3JlZXRpbmciIHRoYXQgZmFpbHMgbWlnaHQgbG9v aw0KICAgbGlrZSB0aGlzOg0KDQogICBJOiBNU0cgMCAxMCAuIDE3NzYgMTg1DQogICBJOiBDb250 ZW50LVR5cGU6IHRleHQveG1sDQogICBJOg0KICAgSTogPHN0YXJ0IG51bWJlcj0nMSc+DQogICBJ 
OiAgIDxwcm9maWxlIHVyaT0naHR0cDovL2lhbmEub3JnL2JlZXAvdHJhbnNpZW50L2lkd2cvaWR4 cCc+DQogICBJOiAgICAgPCFbQ0RBVEFbIDxJRFhQLUdyZWV0aW5nIHVyaT0naHR0cDovL2V4YW1w bGUuY29tL2V2ZScNCiAgIEk6ICAgICAgIHJvbGU9J2NsaWVudCcgLz4gXV0+DQogICBJOiAgIDwv cHJvZmlsZT4NCiAgIEk6IDwvc3RhcnQ+DQogICBJOiBFTkQNCiAgIEw6IFJQWSAwIDEwIC4gMTU5 MiAxODINCiAgIEw6IENvbnRlbnQtVHlwZTogdGV4dC94bWwNCiAgIEw6DQogICBMOiA8cHJvZmls ZSB1cmk9J2h0dHA6Ly9pYW5hLm9yZy9iZWVwL3RyYW5zaWVudC9pZHdnL2lkeHAnPg0KICAgTDog ICA8IVtDREFUQVsNCiAgIEw6ICAgICA8ZXJyb3IgY29kZT0nNTMwJz4naHR0cDovL2V4YW1wbGUu Y29tL2V2ZScgbXVzdCBmaXJzdA0KICAgTDogICAgICAgbmVnb3RpYXRlIHRoZSBUTFMgcHJvZmls ZTwvZXJyb3I+IF1dPg0KICAgTDogPC9wcm9maWxlPg0KICAgTDogRU5EDQoNCg0KMy40LjIgVGhl IE9QVElPTiBFbGVtZW50DQoNCiAgIElmIHByZXNlbnQsIHRoZSAiT3B0aW9uIiBlbGVtZW50IE1V U1QgYmUgY29udGFpbmVkIHdpdGhpbiBhbiAiSURYUC0NCiAgIEdyZWV0aW5nIiBlbGVtZW50LiAg QW4gaW5kaXZpZHVhbCAiSURYUC1HcmVldGluZyIgZWxlbWVudCBNQVkgY29udGFpbg0KICAgb25l IG9yIG1vcmUgIk9wdGlvbiIgc3ViLWVsZW1lbnRzLiAgRWFjaCAiT3B0aW9uIiBlbGVtZW50IHdp dGhpbiBhbg0KICAgIklEWFAtR3JlZXRpbmciIGVsZW1lbnQgcmVwcmVzZW50cyBhIHJlcXVlc3Qg dG8gZW5hYmxlIGFuIElEWFAgb3B0aW9uDQogICBvbiB0aGUgY2hhbm5lbCBiZWluZyBuZWdvdGlh dGVkLiAgU2VlIFNlY3Rpb24gNCBmb3IgYSBjb21wbGV0ZQ0KICAgZGVzY3JpcHRpb24gb2YgSURY UCBvcHRpb25zIGFuZCB0aGUgIk9wdGlvbiIgZWxlbWVudC4NCg0KMy40LjMgVGhlIElETUVGLU1F U1NBR0UgRWxlbWVudA0KDQogICBUaGUgIklETUVGLU1lc3NhZ2UiIGVsZW1lbnQgY2FycmllcyB0 aGUgaW5mb3JtYXRpb24gdG8gYmUgZXhjaGFuZ2VkDQogICBiZXR3ZWVuIHRoZSBwZWVycy4gIFNl ZSBTZWN0aW9uIDUgb2YgWzZdIGZvciB0aGUgZGVmaW5pdGlvbiBvZiB0aGlzDQogICBlbGVtZW50 Lg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQpGZWluc3RlaW4sIGV0IGFsLiAgICAgICAgRXhw aXJlcyBBcHJpbCAyMiwgMjAwMyAgICAgICAgICAgICAgICBbUGFnZSAxNF0NCgwNCkludGVybmV0 LURyYWZ0ICAgICAgICAgICAgICAgICAgVGhlIElEWFAgICAgICAgICAgICAgICAgICAgIE9jdG9i ZXIgMjAwMg0KDQoNCjQuIElEWFAgT3B0aW9ucw0KDQogICBJRFhQIHByb3ZpZGVzIGEgc2Vydmlj ZSBmb3IgdGhlIHJlbGlhYmxlIGV4Y2hhbmdlIG9mIGRhdGEgYmV0d2Vlbg0KICAgaW50cnVzaW9u 
IGRldGVjdGlvbiBlbnRpdGllcy4gIE9wdGlvbnMgYXJlIHVzZWQgdG8gYWx0ZXIgdGhlDQogICBz ZW1hbnRpY3Mgb2YgdGhlIHNlcnZpY2UuDQoNCiAgIFRoZSBzcGVjaWZpY2F0aW9uIG9mIGFuIElE WFAgb3B0aW9uIE1VU1QgZGVmaW5lOg0KDQogICBvICB0aGUgaWRlbnRpdHkgb2YgdGhlIG9wdGlv bjsNCg0KICAgbyAgd2hhdCBjb250ZW50LCBpZiBhbnksIGlzIGNvbnRhaW5lZCB3aXRoaW4gdGhl IG9wdGlvbjsgYW5kLA0KDQogICBvICB0aGUgcHJvY2Vzc2luZyBydWxlcyBmb3IgdGhlIG9wdGlv bi4NCg0KICAgQW4gb3B0aW9uIHJlZ2lzdHJhdGlvbiB0ZW1wbGF0ZSAoYy5mLiAgU2VjdGlvbiA3 KSBvcmdhbml6ZXMgdGhpcw0KICAgaW5mb3JtYXRpb24uDQoNCiAgIEFuICJPcHRpb24iIGVsZW1l bnQgaXMgY29udGFpbmVkIHdpdGhpbiBhbiAiSURYUC1HcmVldGluZyIgZWxlbWVudC4NCiAgIFRo ZSAiSURYUC1HcmVldGluZyIgZWxlbWVudCBpdHNlbGYgTUFZIGNvbnRhaW4gb25lIG9yIG1vcmUg Ik9wdGlvbiINCiAgIGVsZW1lbnRzLiAgVGhlICJPcHRpb24iIGVsZW1lbnQgaGFzIHNldmVyYWwg YXR0cmlidXRlcyBhbmQgY29udGFpbnMNCiAgIGFyYml0cmFyeSBjb250ZW50Og0KDQogICBvICB0 aGUgImludGVybmFsIiBhbmQgdGhlICJleHRlcm5hbCIgYXR0cmlidXRlcywgZXhhY3RseSBvbmUg b2Ygd2hpY2gNCiAgICAgIE1VU1QgYmUgcHJlc2VudCwgdW5pcXVlbHkgaWRlbnRpZnkgdGhlIG9w dGlvbjsNCg0KICAgbyAgdGhlICJtdXN0VW5kZXJzdGFuZCIgYXR0cmlidXRlLCB3aG9zZSBwcmVz ZW5jZSBpcyBPUFRJT05BTCBhbmQNCiAgICAgIHdob3NlIGRlZmF1bHQgdmFsdWUgaXMgImZhbHNl Iiwgc3BlY2lmaWVzIHdoZXRoZXIgdGhlIG9wdGlvbiwgaWYNCiAgICAgIHVucmVjb2duaXplZCwg TVVTVCBjYXVzZSBhbiBlcnJvciBpbiBwcm9jZXNzaW5nIHRvIG9jY3VyOyBhbmQsDQoNCiAgIG8g IHRoZSAibG9jYWxpemUiIGF0dHJpYnV0ZSwgd2hvc2UgcHJlc2VuY2UgaXMgT1BUSU9OQUwsIHNw ZWNpZmllcw0KICAgICAgb25lIG9yIG1vcmUgbGFuZ3VhZ2UgdG9rZW5zLCBlYWNoIGlkZW50aWZ5 aW5nIGEgZGVzaXJhYmxlIGxhbmd1YWdlDQogICAgICB0YWcgdG8gYmUgdXNlZCBpZiB0ZXh0dWFs IGRpYWdub3N0aWNzIGFyZSByZXR1cm5lZCB0byB0aGUNCiAgICAgIG9yaWdpbmF0b3IuDQoNCiAg IFRoZSB2YWx1ZSBvZiB0aGUgImludGVybmFsIiBhdHRyaWJ1dGUgaXMgdGhlIElBTkEtcmVnaXN0 ZXJlZCBuYW1lIGZvcg0KICAgdGhlIG9wdGlvbi4gIElmIHRoZSAiaW50ZXJuYWwiIGF0dHJpYnV0 ZSBpcyBub3QgcHJlc2VudCwgdGhlbiB0aGUNCiAgIHZhbHVlIG9mIHRoZSAiZXh0ZXJuYWwiIGF0 dHJpYnV0ZSBpcyBhIFVSSSBvciBVUkkgd2l0aCBhIGZyYWdtZW50LQ0KICAgaWRlbnRpZmllci4g 
IE5vdGUgdGhhdCBhIHJlbGF0aXZlLVVSSSB2YWx1ZSBpcyBub3QgYWxsb3dlZC4NCg0KICAgVGhl ICJtdXN0VW5kZXJzdGFuZCIgYXR0cmlidXRlIHNwZWNpZmllcyB3aGV0aGVyIHRoZSBwZWVyIG1h eSBpZ25vcmUNCiAgIHRoZSBvcHRpb24gaWYgaXQgaXMgdW5yZWNvZ25pemVkLiAgSWYgdGhlIHZh bHVlIG9mIHRoZQ0KICAgIm11c3RVbmRlcnN0YW5kIiBhdHRyaWJ1dGUgaXMgInRydWUiLCBhbmQg aWYgdGhlIHBlZXIgZG9lcyBub3QNCiAgIHJlY29nbml6ZSB0aGUgb3B0aW9uLCB0aGVuIGFuIGVy cm9yIGluIHByb2Nlc3NpbmcgaGFzIG9jY3VycmVkLiAgV2hlbg0KICAgYWJzZW50LCB0aGUgdmFs dWUgb2YgdGhlICJtdXN0VW5kZXJzdGFuZCIgYXR0cmlidXRlIGlzIGRlZmluZWQgdG8gYmUNCiAg ICJmYWxzZSIuDQoNCg0KDQoNCg0KDQpGZWluc3RlaW4sIGV0IGFsLiAgICAgICAgRXhwaXJlcyBB cHJpbCAyMiwgMjAwMyAgICAgICAgICAgICAgICBbUGFnZSAxNV0NCgwNCkludGVybmV0LURyYWZ0 ICAgICAgICAgICAgICAgICAgVGhlIElEWFAgICAgICAgICAgICAgICAgICAgIE9jdG9iZXIgMjAw Mg0KDQoNCjQuMSBUaGUgY2hhbm5lbFByaW9yaXR5IE9wdGlvbg0KDQogICBTZWN0aW9uIDguMyBj b250YWlucyB0aGUgSURYUCBvcHRpb24gcmVnaXN0cmF0aW9uIGZvciB0aGUNCiAgICJjaGFubmVs UHJpb3JpdHkiIG9wdGlvbi4gIFRoaXMgb3B0aW9uIGNvbnRhaW5zIGEgImNoYW5uZWxQcmlvcml0 eSINCiAgIGVsZW1lbnQgKGMuZi4sIFNlY3Rpb24gOS4yKS4NCg0KICAgQnkgZGVmYXVsdCwgSURY UCBkb2VzIG5vdCBwbGFjZSBhbnkgcmVxdWlyZW1lbnRzIG9uIGhvdyBwZWVycyBzaG91bGQNCiAg IG1hbmFnZSBtdWx0aXBsZSBJRFhQIGNoYW5uZWxzLiAgVGhlICJjaGFubmVsUHJpb3JpdHkiIG9w dGlvbiBwcm92aWRlcw0KICAgYSB3YXkgZm9yIHBlZXJzIHVzaW5nIG11bHRpcGxlIElEWFAgY2hh bm5lbHMgdG8gcmVxdWVzdCByZWxhdGl2ZQ0KICAgcHJpb3JpdGllcyBmb3IgZWFjaCBjaGFubmVs LiAgV2hlbiBzZW5kaW5nIGFuICJJRFhQLUdyZWV0aW5nIiBlbGVtZW50DQogICBkdXJpbmcgdGhl IHByb3Zpc2lvbmluZyBvZiBhbiBJRFhQIGNoYW5uZWwsIHRoZSBvcmlnaW5hdGluZyBwZWVyIE1B WQ0KICAgcmVxdWVzdCB0aGF0IHRoZSByZW1vdGUgcGVlciBhc3NpZ24gYSBwcmlvcml0eSB0byB0 aGUgY2hhbm5lbCBieQ0KICAgaW5jbHVkaW5nIGFuICJPcHRpb24iIGVsZW1lbnQgY29udGFpbmlu ZyBhICJjaGFubmVsUHJpb3JpdHkiIGVsZW1lbnQuDQoNCiAgIFRoZSAiY2hhbm5lbFByaW9yaXR5 IiBlbGVtZW50IGhhcyBvbmUgYXR0cmlidXRlIG5hbWVkICJwcmlvcml0eSIsIG9mDQogICByYW5n ZSAwLi4yMTQ3NDgzNjQ3LiAgVGhpcyBhdHRyaWJ1dGUgaXMgUkVRVUlSRUQuICBOb3QNCiAgIGNv 
aW5jaWRlbnRhbGx5LCB0aGlzIGlzIHRoZSBtYXhpbXVtIHJhbmdlIG9mIHBvc3NpYmxlIEJFRVAg Y2hhbm5lbA0KICAgbnVtYmVycy4gIDAgaXMgZGVmaW5lZCB0byByZXByZXNlbnQgdGhlIGhpZ2hl c3QgcHJpb3JpdHksIHdpdGgNCiAgIHJlbGF0aXZlIHByaW9yaXR5IGRlY3JlYXNpbmcgYXMgdGhl ICJwcmlvcml0eSIgdmFsdWUgYXNjZW5kcy4NCg0KICAgRm9yIGV4YW1wbGUsIGR1cmluZyB0aGUg ZXhjaGFuZ2Ugb2YgIklEWFAtR3JlZXRpbmciIGVsZW1lbnRzIGR1cmluZw0KICAgY2hhbm5lbCBw cm92aXNpb25pbmcsIGFuIGFuYWx5emVyIHN1Y2Nlc3NmdWxseSByZXF1ZXN0cyB0aGF0IGENCiAg IG1hbmFnZXIgYXNzaWduIGEgcHJpb3JpdHkgdG8gdGhlIGNoYW5uZWw6DQoNCg0KICAgICAgIGFu YWx5emVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1hbmFnZXIN CiAgICAgICAgICAtLS0tLS0tLS0tLS0tLS0gZ3JlZXRpbmcgdy8gb3B0aW9uIC0tLS0tLS0tLS0t LS0tLS0tPg0KICAgICAgICAgPC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0gPG9rPiAtLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0NCg0KICAgQzogTVNHIDEgMTcgLiAxOTg0IDE2NQ0KICAgQzogQ29udGVu dC1UeXBlOiB0ZXh0L3htbA0KICAgQzoNCiAgIEM6IDxJRFhQLUdyZWV0aW5nIHVyaT0naHR0cDov L2V4YW1wbGUuY29tL2FsaWNlJyByb2xlPSdjbGllbnQnPg0KICAgQzogICA8T3B0aW9uIGludGVy bmFsPSdjaGFubmVsUHJpb3JpdHknPg0KICAgQzogICAgIDxjaGFubmVsUHJpb3JpdHkgcHJpb3Jp dHk9JzAnIC8+DQogICBDOiAgIDwvT3B0aW9uPg0KICAgQzogPC9JRFhQLUdyZWV0aW5nPg0KICAg QzogRU5EDQogICBTOiBSUFkgMSAxNyAuIDIwMDEgNw0KICAgUzogQ29udGVudC1UeXBlOiB0ZXh0 L3htbA0KICAgUzoNCiAgIFM6IDxvayAvPg0KICAgUzogRU5EDQoNCg0KDQoNCg0KDQoNCg0KRmVp bnN0ZWluLCBldCBhbC4gICAgICAgIEV4cGlyZXMgQXByaWwgMjIsIDIwMDMgICAgICAgICAgICAg ICAgW1BhZ2UgMTZdDQoMDQpJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgICAgICAgIFRoZSBJRFhQ ICAgICAgICAgICAgICAgICAgICBPY3RvYmVyIDIwMDINCg0KDQogICBGb3IgZXhhbXBsZSwgZHVy aW5nIHRoZSBleGNoYW5nZSBvZiAiSURYUC1HcmVldGluZyIgZWxlbWVudHMgZHVyaW5nDQogICBj aGFubmVsIHByb3Zpc2lvbmluZywgYSBtYW5hZ2VyIHVuc3VjY2Vzc2Z1bGx5IHJlcXVlc3RzIHRo YXQgYW4NCiAgIGFuYWx5emVyIGFzc2lnbiBhIHByaW9yaXR5IHRvIHRoZSBjaGFubmVsOg0KDQoN CiAgICAgICBhbmFseXplciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICBtYW5hZ2VyDQogICAgICAgICA8LS0tLS0tLS0tLS0tLS0tLSBncmVldGluZyB3LyBvcHRpb24g 
LS0tLS0tLS0tLS0tLS0tLQ0KICAgICAgICAgIC0tLS0tLS0tLS0tLS0tLS0tLS0tLSA8ZXJyb3I+ IC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0+DQoNCiAgIFM6IE1TRyAxIDE3IC4gMTMxMiAxOTQNCiAg IFM6IENvbnRlbnQtVHlwZTogdGV4dC94bWwNCiAgIFM6DQogICBTOiA8SURYUC1HcmVldGluZyB1 cmk9J2h0dHA6Ly9leGFtcGxlLmNvbS9ib2InIHJvbGU9J3NlcnZlcic+DQogICBTOiAgIDxPcHRp b24gaW50ZXJuYWw9J2NoYW5uZWxQcmlvcml0eScgbXVzdFVuZGVyc3RhbmQ9J3RydWUnPg0KICAg UzogICAgIDxjaGFubmVsUHJpb3JpdHkgcHJpb3JpdHk9JzIxNDc0ODM2NDcnIC8+DQogICBTOiAg IDwvT3B0aW9uPg0KICAgUzogPC9JRFhQLUdyZWV0aW5nPg0KICAgUzogRU5EDQogICBDOiBFUlIg MSAxNyAuIDQ1MSA2OA0KICAgQzogQ29udGVudC1UeXBlOiB0ZXh0L3htbA0KICAgQzoNCiAgIEM6 IDxlcnJvciBjb2RlPSc1MDQnPidjaGFubmVsUHJpb3JpdHknIG9wdGlvbiB3YXMgdW5yZWNvZ25p emVkPC9lcnJvcj4NCiAgIEM6IEVORA0KDQoNCjQuMiBUaGUgc3RyZWFtVHlwZSBPcHRpb24NCg0K ICAgU2VjdGlvbiA4LjQgY29udGFpbnMgdGhlIElEWFAgb3B0aW9uIHJlZ2lzdHJhdGlvbiBmb3Ig dGhlDQogICAic3RyZWFtVHlwZSIgb3B0aW9uLiAgVGhpcyBvcHRpb24gY29udGFpbnMgYSAic3Ry ZWFtVHlwZSIgZWxlbWVudA0KICAgKGMuZi4sIFNlY3Rpb24gOS4zKS4NCg0KICAgQnkgZGVmYXVs dCwgSURYUCBwcm92aWRlcyBubyBleHBsaWNpdCBtZXRob2QgZm9yIGNhdGVnb3JpemluZw0KICAg Y2hhbm5lbHMuICBUaGUgInN0cmVhbVR5cGUiIG9wdGlvbiBwcm92aWRlcyBhIHdheSBmb3IgcGVl cnMgdG8NCiAgIHJlcXVlc3QgdGhhdCBhIGNoYW5uZWwgYmUgY2F0ZWdvcml6ZWQgYXMgYSBwYXJ0 aWN1bGFyIHN0cmVhbSB0eXBlLg0KICAgV2hlbiBzZW5kaW5nIGFuICJJRFhQLUdyZWV0aW5nIiBl bGVtZW50IGR1cmluZyB0aGUgcHJvdmlzaW9uaW5nIG9mIGFuDQogICBJRFhQIGNoYW5uZWwsIHRo ZSBvcmlnaW5hdGluZyBwZWVyIE1BWSByZXF1ZXN0IHRoYXQgdGhlIHJlbW90ZSBwZWVyDQogICBh c3NpZ24gYSBzdHJlYW0gdHlwZSB0byB0aGUgY2hhbm5lbCBieSBpbmNsdWRpbmcgYW4gIk9wdGlv biIgZWxlbWVudA0KICAgY29udGFpbmluZyBhICJzdHJlYW1UeXBlIiBlbGVtZW50Lg0KDQogICBU aGUgInN0cmVhbVR5cGUiIGVsZW1lbnQgaGFzIG9uZSBhdHRyaWJ1dGUgbmFtZWQgInR5cGUiLCB3 aXRoIHRoZQ0KICAgcG9zc2libGUgdmFsdWVzIG9mICJhbGVydCIsICJoZWFydGJlYXQiLCBvciAi Y29uZmlnIi4gIFRoaXMgYXR0cmlidXRlDQogICBpcyBSRVFVSVJFRC4gIEEgdmFsdWUgb2YgImFs ZXJ0IiBpbmRpY2F0ZXMgdGhhdCB0aGUgY2hhbm5lbCBzaG91bGQgYmUNCiAgIGNhdGVnb3JpemVk 
IGFzIGJlaW5nIHVzZWQgZm9yIHRoZSBleGNoYW5nZSBvZiBJRCBhbGVydHMuICBBIHZhbHVlIG9m DQogICAiaGVhcnRiZWF0IiBpbmRpY2F0ZXMgdGhhdCB0aGUgY2hhbm5lbCBzaG91bGQgYmUgY2F0 ZWdvcml6ZWQgYXMgYmVpbmcNCiAgIHVzZWQgZm9yIHRoZSBleGNoYW5nZSBvZiBoZWFydGJlYXQg bWVzc2FnZXMgc3VjaCBhcyB0aGUgIkhlYXJ0YmVhdCINCiAgIGVsZW1lbnQgKGMuZi4sIFNlY3Rp b24gNSBvZiBbNl0pLiAgQSB2YWx1ZSBvZiAiY29uZmlnIiBpbmRpY2F0ZXMgdGhhdA0KICAgdGhl IGNoYW5uZWwgc2hvdWxkIGJlIGNhdGVnb3JpemVkIGFzIGJlaW5nIHVzZWQgZm9yIHRoZSBleGNo YW5nZSBvZg0KICAgY29uZmlndXJhdGlvbiBtZXNzYWdlcy4NCg0KDQoNCkZlaW5zdGVpbiwgZXQg YWwuICAgICAgICBFeHBpcmVzIEFwcmlsIDIyLCAyMDAzICAgICAgICAgICAgICAgIFtQYWdlIDE3 XQ0KDA0KSW50ZXJuZXQtRHJhZnQgICAgICAgICAgICAgICAgICBUaGUgSURYUCAgICAgICAgICAg ICAgICAgICAgT2N0b2JlciAyMDAyDQoNCg0KICAgRm9yIGV4YW1wbGUsIGR1cmluZyB0aGUgZXhj aGFuZ2Ugb2YgIklEWFAtR3JlZXRpbmciIGVsZW1lbnRzIGR1cmluZw0KICAgY2hhbm5lbCBwcm92 aXNpb25pbmcsIGFuIGFuYWx5emVyIHN1Y2Nlc3NmdWxseSByZXF1ZXN0cyB0aGF0IGENCiAgIG1h bmFnZXIgYXNzaWduIGEgc3RyZWFtIHR5cGUgdG8gdGhlIGNoYW5uZWw6DQoNCg0KICAgICAgIGFu YWx5emVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1hbmFnZXIN CiAgICAgICAgICAtLS0tLS0tLS0tLS0tLS0gZ3JlZXRpbmcgdy8gb3B0aW9uIC0tLS0tLS0tLS0t LS0tLS0tPg0KICAgICAgICAgPC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0gPG9rPiAtLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0NCg0KICAgQzogTVNHIDEgMjEgLiAxOTYzIDE1NQ0KICAgQzogQ29udGVu dC1UeXBlOiB0ZXh0L3htbA0KICAgQzoNCiAgIEM6IDxJRFhQLUdyZWV0aW5nIHVyaT0naHR0cDov L2V4YW1wbGUuY29tL2FsaWNlJyByb2xlPSdjbGllbnQnPg0KICAgQzogICA8T3B0aW9uIGludGVy bmFsPSdzdHJlYW1UeXBlJz4NCiAgIEM6ICAgICA8c3RyZWFtVHlwZSB0eXBlPSdhbGVydCcgLz4N CiAgIEM6ICAgPC9PcHRpb24+DQogICBDOiA8L0lEWFAtR3JlZXRpbmc+DQogICBDOiBFTkQNCiAg IFM6IFJQWSAxIDIxIC4gMTExNyA3DQogICBTOiBDb250ZW50LVR5cGU6IHRleHQveG1sDQogICBT Og0KICAgUzogPG9rIC8+DQogICBTOiBFTkQNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoN Cg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KRmVpbnN0ZWluLCBldCBhbC4gICAgICAgIEV4cGly ZXMgQXByaWwgMjIsIDIwMDMgICAgICAgICAgICAgICAgW1BhZ2UgMThdDQoMDQpJbnRlcm5ldC1E 
cmFmdCAgICAgICAgICAgICAgICAgIFRoZSBJRFhQICAgICAgICAgICAgICAgICAgICBPY3RvYmVy IDIwMDINCg0KDQogICBGb3IgZXhhbXBsZSwgZHVyaW5nIHRoZSBleGNoYW5nZSBvZiAiSURYUC1H cmVldGluZyIgZWxlbWVudHMgZHVyaW5nDQogICBjaGFubmVsIHByb3Zpc2lvbmluZywgYSBtYW5h Z2VyIHVuc3VjY2Vzc2Z1bGx5IHJlcXVlc3RzIHRoYXQgYW4NCiAgIGFuYWx5emVyIGFzc2lnbiBh IHN0cmVhbSB0eXBlIHRvIHRoZSBjaGFubmVsOg0KDQoNCg0KICAgICAgIGFuYWx5emVyICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1hbmFnZXINCiAgICAgICAgIDwt LS0tLS0tLS0tLS0tLS0tIGdyZWV0aW5nIHcvIG9wdGlvbiAtLS0tLS0tLS0tLS0tLS0tDQogICAg ICAgICAgLS0tLS0tLS0tLS0tLS0tLS0tLS0tIDxlcnJvcj4gLS0tLS0tLS0tLS0tLS0tLS0tLS0t LT4NCg0KICAgUzogTVNHIDEgMjEgLiAxOTY5IDE3Ng0KICAgUzogQ29udGVudC1UeXBlOiB0ZXh0 L3htbA0KICAgUzoNCiAgIFM6IDxJRFhQLUdyZWV0aW5nIHVyaT0naHR0cDovL2V4YW1wbGUuY29t L2JvYicgcm9sZT0nc2VydmVyJz4NCiAgIFM6ICAgPE9wdGlvbiBpbnRlcm5hbD0nc3RyZWFtVHlw ZScgbXVzdFVuZGVyc3RhbmQ9J3RydWUnPg0KICAgUzogICAgIDxzdHJlYW1UeXBlIHR5cGU9J2Nv bmZpZycgLz4NCiAgIFM6ICAgPC9PcHRpb24+DQogICBTOiA8L0lEWFAtR3JlZXRpbmc+DQogICBT OiBFTkQNCiAgIEM6IEVSUiAxIDIxIC4gMTI5MiA2Mw0KICAgQzogQ29udGVudC1UeXBlOiB0ZXh0 L3htbA0KICAgQzoNCiAgIEM6IDxlcnJvciBjb2RlPSc1MDQnPidzdHJlYW1UeXBlJyBvcHRpb24g d2FzIHVucmVjb2duaXplZDwvZXJyb3I+DQogICBDOiBFTkQNCg0KDQoNCg0KDQoNCg0KDQoNCg0K DQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCkZlaW5zdGVpbiwgZXQgYWwuICAgICAg ICBFeHBpcmVzIEFwcmlsIDIyLCAyMDAzICAgICAgICAgICAgICAgIFtQYWdlIDE5XQ0KDA0KSW50 ZXJuZXQtRHJhZnQgICAgICAgICAgICAgICAgICBUaGUgSURYUCAgICAgICAgICAgICAgICAgICAg T2N0b2JlciAyMDAyDQoNCg0KNS4gRnVsZmlsbG1lbnQgb2YgSURXRyBDb21tdW5pY2F0aW9ucyBQ cm90b2NvbCBSZXF1aXJlbWVudHMNCg0KICAgVGhlIGZvbGxvd2luZyBsaXN0cyBlYWNoIG9mIHRo ZSBjb21tdW5pY2F0aW9ucyBwcm90b2NvbCByZXF1aXJlbWVudHMNCiAgIGVzdGFibGlzaGVkIGlu IFNlY3Rpb24gNSBvZiBbOV0gYW5kLCBmb3IgZWFjaCByZXF1aXJlbWVudCwgZGVzY3JpYmVzDQog ICB0aGUgbWFubmVyIGluIHdoaWNoIGl0IGlzIGZ1bGZpbGxlZC4gIElEWFAgaXRzZWxmIGRvZXMg bm90IGZ1bGZpbGwNCiAgIGVhY2ggb2YgdGhlIGNvbW11bmljYXRpb25zIHByb3RvY29sIHJlcXVp 
cyBncmFudGVkIGFib3ZlIGFyZSBwZXJwZXR1YWwgYW5kIHdpbGwgbm90IGJlDQogICByZXZva2Vk IGJ5IHRoZSBJbnRlcm5ldCBTb2NpZXR5IG9yIGl0cyBzdWNjZXNzb3JzIG9yIGFzc2lnbnMuDQoN CiAgIFRoaXMgZG9jdW1lbnQgYW5kIHRoZSBpbmZvcm1hdGlvbiBjb250YWluZWQgaGVyZWluIGlz IHByb3ZpZGVkIG9uIGFuDQogICAiQVMgSVMiIGJhc2lzIGFuZCBUSEUgSU5URVJORVQgU09DSUVU WSBBTkQgVEhFIElOVEVSTkVUIEVOR0lORUVSSU5HDQogICBUQVNLIEZPUkNFIERJU0NMQUlNUyBB TEwgV0FSUkFOVElFUywgRVhQUkVTUyBPUiBJTVBMSUVELCBJTkNMVURJTkcNCiAgIEJVVCBOT1Qg TElNSVRFRCBUTyBBTlkgV0FSUkFOVFkgVEhBVCBUSEUgVVNFIE9GIFRIRSBJTkZPUk1BVElPTg0K ICAgSEVSRUlOIFdJTEwgTk9UIElORlJJTkdFIEFOWSBSSUdIVFMgT1IgQU5ZIElNUExJRUQgV0FS UkFOVElFUyBPRg0KICAgTUVSQ0hBTlRBQklMSVRZIE9SIEZJVE5FU1MgRk9SIEEgUEFSVElDVUxB UiBQVVJQT1NFLg0KDQpBY2tub3dsZWRnZW1lbnQNCg0KICAgRnVuZGluZyBmb3IgdGhlIFJGQyBF ZGl0b3IgZnVuY3Rpb24gaXMgY3VycmVudGx5IHByb3ZpZGVkIGJ5IHRoZQ0KICAgSW50ZXJuZXQg U29jaWV0eS4NCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KRmVpbnN0ZWlu LCBldCBhbC4gICAgICAgIEV4cGlyZXMgQXByaWwgMjIsIDIwMDMgICAgICAgICAgICAgICAgW1Bh Z2UgNDBdDQoMDQoNCi== --557974997-1322378147-1035329444=:29862-- --=-p8X6nlOCFvhLlR58opoW-- From idwg-public-request@semper.org Wed Oct 23 13:12:15 2002 Received: from www.opencard.org (www.opencard.org [195.176.20.76]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA25900 for ; Wed, 23 Oct 2002 13:12:13 -0400 (EDT) Received: by www.opencard.org (Postfix, from userid 503) id F2842348DB; Wed, 23 Oct 2002 19:14:22 +0200 (CEST) Old-Return-Path: Delivered-To: semper-idwg-public@opencard.org Date: Wed, 23 Oct 2002 10:13:42 -0700 From: Mike Erlinger To: intrusion detection wg , internet-drafts@ietf.org Cc: Stuart Staniford , jis@mit.edu, smb@research.att.com Subject: Re: New Req ID Message-Id: <20021023171342.GA4536@cs.hmc.edu> Reply-To: mike@cs.hmc.edu References: <20021023165216.GA29741@cs.hmc.edu> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="DocE+STaALJfprDB" Content-Disposition: inline In-Reply-To: <20021023165216.GA29741@cs.hmc.edu> User-Agent: Mutt/1.3.27i 
Resent-Message-ID:
Resent-From: idwg-public@semper.org
X-Mailing-List: archive/latest/559
X-Loop: idwg-public@semper.org
Precedence: list
Resent-Sender: idwg-public-request@semper.org
Resent-Date: Wed, 23 Oct 2002 19:14:22 +0200 (CEST)

--DocE+STaALJfprDB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Boy was that stupid. Hopefully, I have attached the .txt file this time.

mike

On Wed, Oct 23, 2002 at 09:52:17AM -0700, Mike Erlinger wrote:
>
> A new Requirements ID is attached. It contains changes recommended by
> the IESG. Namely:
>
> Change section 6.17, Message Extensions, to indicate that such
> extensions CANNOT affect interoperability
>
> Change section 6.19, Message Extensions, to indicate that such
> extensions CANNOT affect interoperability
>
> Add a Reference Section and some related anchors
>
> mike
>
>
> --
> Mike Erlinger, Professor and Chair Computer Science
> www: http://www.cs.hmc.edu/~mike
> email: mike@cs.hmc.edu
> smail: Computer Science Dept., Harvey Mudd College,
> 301 E. 12th Street, Claremont, CA, 91711
> 909-621-8912, FAX: 909-607-8364

--DocE+STaALJfprDB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="10.txt"

Intrusion Detection Working Group                                M. Wood
Internet-Draft                            Internet Security Systems, Inc
Expires: April 22, 2003                                      M. Erlinger
                                                     Harvey Mudd College
                                                        October 22, 2002

           Intrusion Detection Message Exchange Requirements
                    draft-ietf-idwg-requirements-10

Status of this Memo

   This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.
   It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 22, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

   The purpose of the Intrusion Detection Exchange Format Working Group (IDWG) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. This Internet-Draft describes the high-level requirements for such a communication mechanism, including the rationale for those requirements where clarification is needed. Scenarios are used to illustrate some requirements.

Wood & Erlinger          Expires April 22, 2003                 [Page 1]

Internet-Draft               Requirements                   October 2002

Table of Contents

   1. Conventions Used in This Document
   2. Introduction
      2.1 Rationale for IDMEF
      2.2 Intrusion Detection Terms
         2.2.1 Activity:
         2.2.2 Administrator:
         2.2.3 Alert:
         2.2.4 Analyzer:
         2.2.5 Data Source:
         2.2.6 Event:
         2.2.7 IDS:
         2.2.8 Manager
         2.2.9 Notification:
         2.2.10 Operator:
         2.2.11 Response:
         2.2.12 Sensor:
         2.2.13 Signature:
         2.2.14 Security Policy:
      2.3 Architectural Assumptions
      2.4 Organization of This Document
      2.5 Document Impact on IDMEF Designs
   3. General Requirements
      3.1 Use of Existing RFCs
         3.1.1 Rationale:
      3.2 IPv4 and IPv6
         3.2.1 Rationale:
   4. Message Format Requirements
      4.1 Internationalization and Localization
         4.1.1 Rationale:
         4.1.2 Scenario:
      4.2 Message Filtering and Aggregation
         4.2.1 Rationale:
         4.2.2 Scenario:
   5. IDMEF Communications Protocol (IDP) Requirements
      5.1 Reliable Message Transmission
         5.1.1 Rationale:
      5.2 Interaction with Firewalls
         5.2.1 Rationale:
         5.2.2 Scenario:
      5.3 Mutual Authentication
         5.3.1 Rationale:
      5.4 Message Confidentiality
         5.4.1 Rationale:
      5.5 Message Integrity
         5.5.1 Rationale:
      5.6 Per-source Authentication
         5.6.1 Rationale:
      5.7 Denial of Service
         5.7.1 Rationale:
         5.7.2 Scenario:
      5.8 Message Duplication
         5.8.1 Rationale:
         5.8.2 Scenario:
   6. Message Content Requirements
      6.1 Detected Data
         6.1.1 Rationale:
      6.2 Event Identity
         6.2.1 Rationale:
         6.2.2 Scenario:
      6.3 Event Background Information
         6.3.1 Rationale:
         6.3.2 Scenario:
      6.4 Additional Data
         6.4.1 Rationale:
      6.5 Event Source and Target Identity
         6.5.1 Rationale:
      6.6 Device Address Types
         6.6.1 Rationale:
         6.6.2 Scenario:
      6.7 Event Impact
         6.7.1 Rationale:
      6.8 Automatic Response
         6.8.1 Rationale:
      6.9 Analyzer Location
         6.9.1 Rationale:
         6.9.2 Scenario:
      6.10 Analyzer Identity
         6.10.1 Rationale:
         6.10.2 Scenario:
      6.11 Degree of Confidence
         6.11.1 Rationale:
         6.11.2 Scenario:
      6.12 Alert Identification
         6.12.1 Rationale:
         6.12.2 Scenario:
      6.13 Alert Creation Date and Time
         6.13.1 Rationale:
         6.13.2 Scenario:
      6.14 Time Synchronization
         6.14.1 Rationale:
         6.14.2 Scenario:
      6.15 Time Format
         6.15.1 Rationale:
      6.16 Time Granularity and Accuracy
         6.16.1 Rationale:
      6.17 Message Extensions
         6.17.1 Rationale:
      6.18 Message Semantics
         6.18.1 Rationale:
         6.18.2 Scenario:
      6.19 Message Extensibility
         6.19.1 Rationale:
   7. Security Considerations
   Informative References
   Authors' Addresses
   A. History of Significant Changes
      A.1 Significant Changes Since requirements-09
   B. Acknowledgements
   Full Copyright Statement

1. Conventions Used in This Document

   This is not an IETF standards track document [1] and thus the keywords MUST, MUST NOT, SHOULD, and MAY are NOT as in RFC 2119, [2] but rather:

   o  MUST: This word, or the terms "REQUIRED" or "SHALL", means that the described behavior or characteristic is an absolute requirement for a proposed IDWG specification.

   o  MUST NOT: This phrase, or the phrase "SHALL NOT", means that the described behavior or characteristic is an absolute prohibition of a proposed IDWG specification.

   o  SHOULD: This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances for a proposed IDWG specification to ignore described behavior or characteristics.

   o  MAY: This word, or the adjective "OPTIONAL", means that described behavior or characteristics are truly optional for a proposed IDWG specification. One proposed specification may choose to include the described behavior or characteristic while another proposed specification may omit the same behavior or characteristic.

2. Introduction

   This document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF), which is the intended work product of the Intrusion Detection Exchange Format Working Group (IDWG).
   IDMEF is planned to be a standard format which automated Intrusion Detection Systems (IDS) [4] can use for reporting what they have deemed to be suspicious or of interest. This document also specifies requirements for a communication protocol for communicating IDMEF. As chartered, IDWG has the responsibility to first evaluate existing communication protocols before choosing to specify a new one. Thus the requirements in this document can be used to evaluate existing communication protocols. If IDWG determines that a new communication protocol is necessary, the requirements in this document can be used to evaluate proposed solutions.

2.1 Rationale for IDMEF

   The reasons such a format should be useful are as follows:

   1.  A number of commercial and free Intrusion Detection Systems are available and more are becoming available all the time. Some products are aimed at detecting intrusions on the network, others are aimed at host operating systems, while still others are aimed at applications. Even within a given category, the products have very different strengths and weaknesses. Hence it is likely that users will deploy more than a single product, and users will want to observe the output of these products from one or more manager(s). A standard format for reporting will simplify this task greatly.

   2.  Intrusions frequently involve multiple organizations as victims, or multiple sites within the same organization. Typically, those sites will use different IDSs. It would be very helpful to correlate such distributed intrusions across multiple sites and administrative domains. Having reports from all sites in a common format would facilitate this task.

   3.  The existence of a common format should allow components from different IDSs to be integrated more readily. Thus, Intrusion Detection (ID) research should migrate into commercial products more easily.

   4.  In addition to enabling communication from an ID analyzer to an ID manager, the IDMEF notification system may also enable communication between a variety of IDS components. However, for the remainder of this document, we refer to the communication as going from an analyzer to a manager.

   All of these reasons suggest that a common format for reporting anything deemed suspicious should help the IDS market to grow and innovate more successfully, and should result in IDS users obtaining better results from deployment of ID systems.

2.2 Intrusion Detection Terms

   In order to make the rest of the requirements clearer, we define some terms about typical IDSs. These terms are presented in alphabetical order. The diagram at the end of this section illustrates the relationships of some of the terms defined herein.

2.2.1 Activity:

   Elements of the data source or occurrences within the data source that are identified by the sensor or analyzer as being of interest to the operator. Examples of this include (but are not limited to) network session showing unexpected telnet activity, operating system log file entries showing a user attempting to access files to which he is not authorized to have access, application log files showing persistent login failures, etc. Activity can range from extremely serious occurrences (such as an unequivocally malicious attack) to less serious occurrences (such as unusual user activity that's worth a further look) to neutral activity (such as user login).

2.2.2 Administrator:

   The human with overall responsibility for setting the security policy of the organization, and, thus, for decisions about deploying and configuring the IDS. This may or may not be the same person as the operator of the IDS. In some organizations, the administrator is associated with the network or systems administration groups. In other organizations, it's an independent position.

2.2.3 Alert:

   A message from an analyzer to a manager that an event of interest has been detected. An alert typically contains information about the unusual activity that was detected, as well as the specifics of the occurrence.

2.2.4 Analyzer:

   The ID component or process that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator. In many existing IDSs, the sensor and the analyzer are part of the same component. In this document, the term analyzer is used generically to refer to the sender of the IDMEF message.

2.2.5 Data Source:

   The raw information that an intrusion detection system uses to detect unauthorized or undesired activity. Common data sources include (but are not limited to) raw network packets, operating system audit logs, application audit logs, and system-generated checksum data.

2.2.6 Event:

   The occurrence in the data source that is detected by the sensor and which may result in an IDMEF alert being transmitted. For example, 'N' failed logins in 'T' seconds might indicate a brute-force login attack.

2.2.7 IDS:

   Intrusion detection system. Some combination of one or more of the following components: sensor, analyzer, manager.

2.2.8 Manager

   The ID component or process from which the operator manages the various components of the ID system. Management functions typically include (but are not limited to) sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting.

2.2.9 Notification:

   The method by which the IDS manager makes the operator aware of the alert occurrence and thus the event. In many IDSs, this is done via the display of a colored icon on the IDS manager screen, the transmission of an e-mail or pager message, or the transmission of an SNMP trap, although other notification techniques are also used.

2.2.10 Operator:

   The human that is the primary user of the IDS manager. The operator often monitors the output of the ID system and initiates or recommends further action.

2.2.11 Response:

   The actions taken in response to an event. Responses may be undertaken automatically by some entity in the IDS architecture or may be initiated by a human. Sending a notification to the operator is a very common response. Other responses include (but are not limited to) logging the activity, recording the raw data (from the data source) that characterized the event, terminating a network, user, or application session, or altering network or system access controls.

2.2.12 Sensor:

   The ID component that collects data from the data source. The frequency of data collection will vary across IDS offerings. The sensor is set up to forward events to the analyzer.

2.2.13 Signature:

   A rule used by the analyzer to identify interesting activity to the security administrator. Signatures represent one of the mechanisms (though not necessarily the only mechanism) by which IDSs detect intrusions.

2.2.14 Security Policy:

   The predefined, formally documented statement which defines what activities are allowed to take place on an organization's network or on particular hosts to support the organization's requirements. This includes, but is not limited to, which hosts are to be denied external network access.

   [Figure: Data Source, Sensor, Analyzer, Manager, Operator and Administrator, connected by Activity, Event, Alert, Notification, Response and Security Policy]

   The diagram above illustrates the terms above and their relationships. Not every IDS will have all of these separate components exactly as shown. Some IDSs will combine these components into a single module; some will have multiple instances of these modules.

2.3 Architectural Assumptions

   In this document, as defined in the terms above, we assume that an analyzer determines somehow that a suspicious event has been seen by a sensor, and sends an alert to a manager. The format of that alert and the method of communicating it are what IDMEF proposes to standardize.

   For the purposes of this document, we assume that the analyzer and manager are separate components, and that they are communicating pairwise across a TCP/IP network. No other form of communication between these entities is contemplated in this document, and no other use of IDMEF alerts is considered. We refer to the communication protocol that communicates IDMEF as the IDMEF Communication Protocol (IDP).

   The Trust Model is not specified as a requirement, but is rather left to the choice of the IDMEF communications protocol, i.e., a design decision. What is specified are individual security related requirements, Section 5.

   We try to make no further architectural assumptions than those just stated. For example, the following points should not matter:

   o  Whether the sensor and the analyzer are integrated or separate.

   o  Whether the analyzer and manager are isolated, or embedded in some large hierarchy or distributed mesh of components.

   o  Whether the manager actually notifies a human, takes action automatically, or just analyzes incoming alerts and correlates them.

   o  Whether a component might act as an analyzer with respect to one component, while also acting as a manager with respect to another.

2.4 Organization of This Document

   Besides this requirements document, the IDWG should produce two other documents. The first should describe a data format or language for exchanging information about suspicious events. In this, the requirements document, we refer to that document as the "data-format specification". The second document to be produced should identify existing IETF protocols that are best used for conveying the data so formatted, and explain how to package this data in those existing formats or the document should specify a new protocol. We refer to this as the IDP (IDMEF Communication Protocol).

   Accordingly, the requirements here are partitioned into four sections:

   o  The first of these contains general requirements that apply to all aspects of the IDMEF specification (Section 3).

   o  The second section describes requirements on the formatting of IDMEF messages (Section 4).

   o  The third section outlines requirements on the communications mechanism, IDP, used to move IDMEF messages from the analyzer to the manager (Section 5).

   o  The final section contains requirements on the content and semantics of the IDMEF messages (Section 6).

   For each requirement, we attempt to state the requirement as clearly as possible without imposing an idea of what a design solution should be.
   Then we give the rationale for why this requirement is important, and state whether this should be an essential feature of the specification, or is beneficial but could be lacking if it is difficult to fulfill. Finally, where it seems necessary, we give an illustrative scenario. In some cases, we include possible design solutions in the scenario. These are purely illustrative.

2.5 Document Impact on IDMEF Designs

   It is expected that proposed IDMEF designs will, at a minimum, satisfy the requirements expressed in this document. However, this document will be used only as one of many criteria in the evaluation of various IDMEF designs and proposed communication protocols. It is recognized that the working group may use additional metrics to evaluate competing IDMEF designs and/or communication protocols.

3. General Requirements

3.1 Use of Existing RFCs

   The IDMEF SHALL reference and use previously published RFCs where possible.

3.1.1 Rationale:

   The IETF has already completed a great deal of research and work into the areas of networks and security. In the interest of time, it is smart to use already defined and accepted standards.

3.2 IPv4 and IPv6

   The IDMEF specification MUST take into account that IDMEF should be able to operate in environments that contain IPv4 and IPv6 implementations.

3.2.1 Rationale:

   Since pure IPv4, hybrid IPv6/IPv4, and pure IPv6 environments are expected to exist within the time frame of IDMEF implementations, the IDMEF specification MUST support IPv6 and IPv4 environments.

4. Message Format Requirements

   The IDMEF message format is intended to be independent of the IDMEF communications protocol (IDP). It should be possible to use a completely different transport mechanism without changing the IDMEF format.
   The goal behind this requirement is to ensure a clean separation between semantics and communication mechanisms. Obviously the IDMEF communication protocol is recommended.

4.1 Internationalization and Localization

   IDMEF message formats SHALL support full internationalization and localization.

4.1.1 Rationale:

   Since network security and intrusion detection are areas that cross geographic, political, and cultural boundaries, the IDMEF messages MUST be formatted such that they can be presented to an operator in a local language and adhering to local presentation customs.

4.1.2 Scenario:

   An IDMEF specification might include numeric event identifiers. An IDMEF implementation might translate these numeric event identifiers into local language descriptions. In cases where the messages contain strings, the information might be represented using the ISO/IEC IS 10646-1 character set and encoded using the UTF-8 transformation format to facilitate internationalization [3].

4.2 Message Filtering and Aggregation

   The format of IDMEF messages MUST support filtering and/or aggregation of data by the manager.

4.2.1 Rationale:

   Since it is anticipated that some managers might want to perform filtering and/or data aggregation functions on IDMEF messages, the IDMEF messages MUST be structured to facilitate these operations.

4.2.2 Scenario:

   An IDMEF specification proposal might recommend fixed format messages with strong numerical semantics. This would lend itself to high-performance filtering and aggregation by the receiving station.

5. IDMEF Communications Protocol (IDP) Requirements

5.1 Reliable Message Transmission

   The IDP MUST support reliable transmission of messages.

5.1.1 Rationale:

   IDS managers often rely on receipt of data from IDS analyzers to do their jobs effectively.
   Since IDS managers will rely on IDMEF messages for this purpose, it is important that IDP deliver IDMEF messages reliably.

5.2 Interaction with Firewalls

   The IDP MUST support transmission of messages between ID components across firewall boundaries without compromising security.

5.2.1 Rationale:

   Since it is expected that firewalls will often be deployed between IDMEF capable analyzers and their corresponding managers, the ability to relay messages via proxy or other suitable mechanism across firewalls is necessary. Setting up this communication MUST NOT require changes to the intervening firewall(s) that weaken the security of the protected network(s). Nor SHOULD this be achieved by mixing IDMEF messages with other kinds of traffic (e.g., by overloading the HTTP POST method) since that would make it difficult for an organization to apply separate policies to IDMEF traffic and other kinds of traffic.

5.2.2 Scenario:

   One possible design is the use of TCP to convey IDMEF messages. The general goal in this case is to avoid opening dangerous inbound "holes" in the firewall. When the manager is inside the firewall and the analyzers are outside the firewall, this is often achieved by having the manager initiate an outbound connection to each analyzer. However, it is also possible to place the manager outside the firewall and the analyzers on the inside; this can occur when a third-party vendor (such as an ISP) is providing monitoring services to a user. In this case, the outbound connections would be initiated by each analyzer to the manager. A mechanism that permits either the manager or the analyzer to initiate connections would provide maximum flexibility in manager and analyzer deployment.

5.3 Mutual Authentication

   The IDP MUST support mutual authentication of the analyzer and the manager to each other.
   Application-layer authentication is required irrespective of the underlying transport layer.

5.3.1 Rationale:

   Since the alert messages are used by a manager to direct responses or further investigation related to the security of an enterprise network, it is important that the receiver have confidence in the identity of the sender and that the sender have confidence in the identity of the receiver. This is peer-to-peer authentication of each party to the other. It MUST NOT be limited to authentication of the underlying communications mechanism, for example, because of the risk that this authentication process might be subverted or misconfigured.

5.4 Message Confidentiality

   The IDP MUST support confidentiality of the message content during message exchange. The selected design MUST be capable of supporting a variety of encryption algorithms and MUST be adaptable to a wide variety of environments.

5.4.1 Rationale:

   IDMEF messages potentially contain extremely sensitive information (such as passwords) and would be of great interest to an intruder. Since it is likely some of these messages will be transmitted across uncontrolled network segments, it is important that the content be shielded. Furthermore, since the legal environment for encryption technologies is extremely varied and changes often, it is important that the design selected be capable of supporting a number of different encryption options and be adaptable by the user to a variety of environments.

5.5 Message Integrity

   The IDP MUST ensure the integrity of the message content. The selected design MUST be capable of supporting a variety of integrity mechanisms and MUST be adaptable to a wide variety of environments.

5.5.1 Rationale:

   IDMEF messages are used by the manager to direct action related to the security of the protected enterprise network.
It is vital for the manager to be certain that the content of the message has not been changed after transmission.

5.6 Per-source Authentication

The IDP MUST support separate authentication keys for each sender. If symmetric algorithms are used, these keys would need to be known to the manager it is communicating with.

5.6.1 Rationale:

Given that sensitive security information is being exchanged via the IDMEF, it is important that the manager can authenticate each analyzer sending alerts.

5.7 Denial of Service

The IDP SHOULD resist protocol denial of service attacks.

5.7.1 Rationale:

A common way to defeat secure communications systems is through resource exhaustion. While this does not corrupt valid messages, it can prevent any communication at all. It is desirable that IDP resist such denial of service attacks.

5.7.2 Scenario:

An attacker penetrates a network being defended by an IDS. Although the attacker is not certain that an IDS is present, he is certain that application-level encrypted traffic (i.e., IDMEF traffic) is being exchanged between components on the network being attacked. He decides to mask his presence and disrupt the encrypted communications by initiating one or more flood events. If the IDP can resist such an attack, the probability that the attacker will be stopped increases.

5.8 Message Duplication

The IDP SHOULD resist malicious duplication of messages.

5.8.1 Rationale:

A common way to impair the performance of secure communications mechanisms is to duplicate the messages being sent, even though the attacker might not understand them, in an attempt to confuse the receiver. It is desirable that the IDP resist such message duplication.

5.8.2 Scenario:

An attacker penetrates a network being defended by an IDS.
The attacker suspects that an IDS is present and quickly identifies the encrypted traffic flowing between system components as being a possible threat. Even though she cannot read this traffic, she copies the messages and directs multiple copies at the receiver in an attempt to confuse it. If the IDP resists such message duplication, the probability that the attacker will be stopped increases.

6. Message Content Requirements

6.1 Detected Data

There are many different types of IDSs, such as those based on: signatures, anomalies, correlation, network monitoring, host monitoring, or application monitoring. The IDMEF design MUST strive to accommodate these diverse approaches by concentrating on conveying *what* an IDS has detected, rather than *how* it detected it.

6.1.1 Rationale:

There are many types of IDSs that analyze a variety of data sources. Some are profile based and operate on log files, attack signatures etc. Others are anomaly based and define normal behavior and detect deviations from the established baseline. Each of these IDSs reports different data that, in part, depends on their intrusion detection methodology. All MUST be supported by this standard.

6.2 Event Identity

The content of IDMEF messages MUST contain the identified name of the event (event identity) if it is known. This name MUST be drawn from a standardized list of events (if available) or will be an implementation-specific name if the event identity has not yet been standardized. It is not known how this standardized list will be defined or updated. Requirements on the creation of this list are beyond our efforts. Other groups within the security arena are investigating the creation of such lists.
6.2.1 Rationale:

Given that this document presents requirements on standardizing ID message formats so that an ID manager is able to receive alerts from analyzers from multiple implementations, it is important that the manager understand the semantics of the reported events. There is, therefore, a need to identify known events and store information concerning their methods and possible fixes to these events. Some events are well known and this recognition can help the operator.

6.2.2 Scenario:

Intruder launches an attack that is detected by two different analyzers from two distinct implementations. Both report the same event identity to the ID manager, even though the algorithms used to detect the attack by each analyzer might have been different.

6.3 Event Background Information

The IDMEF message design MUST include information, which the sender should provide, that allows a receiver to locate background information on the kind of event that is being reported in the alert.

6.3.1 Rationale:

This information is used by administrators to report and fix problems.

6.3.2 Scenario:

Attacker performs a well-known attack. A reference to a URL to background information on the attack is included in the IDMEF message. The operator uses this information to initiate repairs on the vulnerable system.

6.4 Additional Data

The IDMEF message MUST be able to reference additional detailed data related to this specific underlying event. It is OPTIONAL for implementations to use this field. No requirements are placed on the format or content of this field. It is expected that this will be defined and described by the implementor.

6.4.1 Rationale:

Operators might want more information on specifics of an event. This field, if filled in by the analyzer, MAY point to additional or more detailed information about the event.
6.5 Event Source and Target Identity

The IDMEF message MUST contain the identity of the source of the event and target component identifier if it is known. In the case of a network-based event, this will be the source and destination IP address of the session used to launch the event. Note that the identity of source and target will vary for other types of events, such as those launched/detected at the operating system or application level.

6.5.1 Rationale:

This will allow the operator to identify the source and target of the event.

6.6 Device Address Types

The IDMEF message MUST support the representation of different types of device addresses.

6.6.1 Rationale:

A Device is a uniquely addressable element on the network (i.e., not limited to computers or networks nor a specific level of the network protocol hierarchy). Additionally, devices involved in an intrusion event might use addresses that are not IP-centric.

6.6.2 Scenario:

The IDS recognizes an intrusion on a particular device and includes both the IP address and the MAC address of the device in the IDMEF message. In another situation, the IDS recognizes an intrusion on a device which has only a MAC address and includes only that address in the IDMEF message. Another situation involves analyzers in an ATM switch fabric which use E.164 address formats.

6.7 Event Impact

The IDMEF message MUST contain an indication of the possible impact of this event on the target. The IDMEF design document MUST define the scope of this value.

6.7.1 Rationale:

Information concerning the possible impact of the event on the target system provides an indication of what the intruder is attempting to do and is critical data for the operator to perform damage assessment. Not all systems will be able to determine this, but it is important data to transmit for those systems that can.
This requirement places no requirements on the list itself (e.g., properties of the list, maintenance, etc.), rather the requirement only specifies that the IDMEF must contain a field for specifying the impact and that the IDMEF must define the scope of such values.

6.8 Automatic Response

The IDMEF message MUST provide information about the automatic actions taken by the analyzer in response to the event (if any).

6.8.1 Rationale:

It is very important for the operator to know if there was an automated response and what that response was. This will help determine what further action to take, if any.

6.9 Analyzer Location

The IDMEF message MUST include information which would make it possible to later identify and locate the individual analyzer which reported the event.

6.9.1 Rationale:

The identity of the detecting analyzer often proves to be a valuable piece of data to have in determining how to respond to a particular event.

6.9.2 Scenario:

One interesting scenario involves the progress of an intrusion event throughout a network. If the same event is detected and reported by multiple analyzers, the identity of the analyzer (in the case of a network-based analyzer) might provide some indication of the network location of the target systems and might warrant a specific type of response. This might be implemented as an IP address.

6.10 Analyzer Identity

The IDMEF message MUST be able to contain the identity of the implementor and the analyzer that detected the event.

6.10.1 Rationale:

Users might run multiple IDSs to protect their enterprise. This data will help the systems administrator determine which implementor and analyzer detected the event.

6.10.2 Scenario:

Analyzer X from implementor Y detects a potential intrusion. A message is sent reporting that it found a potential break-in with X and Y specified.
The operator is therefore able to include the known capabilities or weaknesses of analyzer X in his decision regarding further action.

6.11 Degree of Confidence

The IDMEF message MUST be able to state the degree of confidence of the report. The completion of this field by an analyzer is OPTIONAL, as this data might not be available at all analyzers.

6.11.1 Rationale:

Many IDSs contain thresholds to determine whether or not to generate an alert. This might influence the degree of confidence one has in the report or perhaps would indicate the likelihood of the report being a false alarm.

6.11.2 Scenario:

The alarm threshold monitor is set at a low level to indicate that an organization wants reports on any suspicious activity, regardless of the probability of a real attack. The degree of confidence measure is used to indicate if this is a low probability or high probability event.

6.12 Alert Identification

The IDMEF message MUST be uniquely identifiable in that it can be distinguished from other IDMEF messages.

6.12.1 Rationale:

An IDMEF message might be sent by multiple geographically-distributed analyzers at different times. A unique identifier will allow an IDMEF message to be identified efficiently for data reduction and correlation purposes.

6.12.2 Scenario:

The unique identifier might consist of a unique originator identifier (e.g. IPv4 or IPv6 address) concatenated with a unique sequence number generated by the originator. In a typical IDS deployment, a low-level event analyzer will log the raw sensor information into, e.g., a database while analyzing and reporting results to higher levels. In this case, the unique raw message identifier can be included in the result message as supporting evidence. Higher level analyzers can later use this identifier to retrieve the raw message from the database if necessary.
6.13 Alert Creation Date and Time

The IDMEF MUST support reporting alert creation date and time in each event, where the creation date and time refer to the date and time that the analyzer decided to create an alert. The IDMEF MAY support additional dates and times, such as the date and time the event referenced by the alert began.

6.13.1 Rationale:

Time is important from both a reporting and correlation point of view. Event onset time might differ from the alert creation time because it might take some time for the sensor to accumulate information about a monitored activity before generating the event, and additional time for the analyzer to receive the event and create an alert. The event onset time is therefore more representative of the actual time that the reported activity began than is the alert creation time.

6.13.2 Scenario:

If an event is reported in the quiet hours of the night, the operator might assign a higher priority to it than she would to the same event reported in the busy hours of the day. Furthermore, an event (like a lengthy port scan) may take place over a long period of time and it would be useful for the analyzer to report the time of the alert as well as the time the event began.

6.14 Time Synchronization

Time SHALL be reported such that events from multiple analyzers in different time zones can be received by the same manager and that the local time at the analyzer can be inferred.

6.14.1 Rationale:

For event correlation purposes, it is important that the manager be able to normalize the time information reported in the IDMEF alerts.

6.14.2 Scenario:

A distributed ID system has analyzers located in multiple timezones, all reporting to a single manager. An intrusion occurs that spans multiple timezones as well as multiple analyzers.
The central manager requires sufficient information to normalize these alerts and determine that all were reported near the same "time" and that they are part of the same attack.

6.15 Time Format

The format for reporting the date MUST be compliant with all current standards for Year 2000 rollover, and it MUST have sufficient capability to continue reporting date values past the year 2038.

6.15.1 Rationale:

It is desirable that the IDMEF have a long lifetime and that implementations be suitable for use in a variety of environments. Therefore, characteristics that limit the lifespan of the IDMEF (such as 2038 date representation limitation) MUST be avoided.

6.16 Time Granularity and Accuracy

Time granularity and time accuracy in event messages SHALL NOT be specified by the IDMEF.

6.16.1 Rationale:

The IDMEF cannot assume a certain clock granularity on sensing elements, and so cannot impose any requirements on the granularity of the event timestamps. Nor can the IDMEF assume that the clocks being used to timestamp the events have a specified accuracy.

6.17 Message Extensions

The IDMEF message MUST support an extension mechanism used by implementors to define implementation-specific data. The use of this mechanism by the implementor is OPTIONAL. This data contains implementation-specific information determined by each implementor. The implementor MUST indicate how to interpret these extensions, although there are no specific requirements placed on how implementors describe their implementation-specific extensions. The lack or presence of such message extensions for implementation-specific data MUST NOT break interoperation.

6.17.1 Rationale:

Implementors might wish to supply extra data such as the version number of their product or other data that they believe provides value added due to the specific nature of their product.
Implementors may publish a document or web site describing their extensions; they might also use an in-band extension mechanism that is self-describing. Such extensions are not a license to break the interoperation of IDMEF messages.

6.18 Message Semantics

The semantics of the IDMEF message MUST be well defined.

6.18.1 Rationale:

Good semantics are key to understanding what the message is trying to convey so there are no errors. Operators will decide what action to take based on these messages, so it is important that they can interpret them correctly.

6.18.2 Scenario:

Without this requirement, the operator receives an IDMEF message and interprets it one way. The implementor who constructed the message intended it to have a different meaning from the operator's interpretation. The resulting corrective action is, therefore, incorrect.

6.19 Message Extensibility

The IDMEF itself MUST be extensible. As new ID technologies emerge and as new information about events becomes available, the IDMEF message format MUST be able to include this new information. Such message extensibility must occur in such a manner that interoperability is NOT impacted.

6.19.1 Rationale:

As intrusion detection technology continues to evolve, it is likely that additional information relating to detected events will become available. The IDMEF message format MUST be able to be extended by a specific implementation to encompass this new information. Such extensions are not a license to break the interoperation of IDMEF messages.

7. Security Considerations

This document does not treat security matters, except that Section 5 specifies security requirements for the protocols to be developed.
Informative References

[1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996.

[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[3] Alvestrand, H., "IETF Policy on Character Sets and Languages", BCP 18, RFC 2277, January 1998.

[4] Shirey, R., "Internet Security Glossary", RFC 2828, May 2000.

Authors' Addresses

Mark Wood
Internet Security Systems, Inc
6303 Barfield Road
Atlanta, GA 30328
US
EMail: mark1@iss.net

Michael A. Erlinger
Harvey Mudd College
Computer Science Dept
301 East 12th Street
Claremont, CA 91711
US
EMail: mike@cs.hmc.edu
URI: http://www.cs.hmc.edu/

Appendix A. History of Significant Changes

The RFC Editor should remove this section and its corresponding TOC references prior to publication.

A.1 Significant Changes Since requirements-09

Change section 6.17, Message Extensions, to indicate that such extensions CANNOT affect interoperability

Change section 6.19, Message Extensions, to indicate that such extensions CANNOT affect interoperability

Add a Reference Section and some related anchors

Appendix B. Acknowledgements

The following individuals contributed substantially to this document and should be recognized for their efforts. This document would not exist without their help:

Mark Crosbie, Hewlett-Packard
David Curry, IBM Emergency Response Services
David Donahoo, Air Force Information Warfare Center
Mike Erlinger, Harvey Mudd College
Fengmin Gong, Microcomputing Center of North Carolina
Dipankar Gupta, Hewlett-Packard
Glenn Mansfield, Cyber Solutions, Inc.
Jed Pickel, CERT Coordination Center
Stuart Staniford-Chen, Silicon Defense
Maureen Stillman, Nokia IP Telephony

Full Copyright Statement

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
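An added example, not part of the draft or of any IDWG protocol: a manager-side receive path showing how the requirements of Sections 5.5, 5.6 and 5.8 and the scenarios of 6.12.2 and 6.14.2 can fit together in one check sequence. The JSON envelope, HMAC-SHA256, the names `seal` and `Manager`, the keys, the documentation-range addresses and the window size are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample keys: one secret per analyzer (5.6), each known to the manager.
ANALYZER_KEYS = {
    "192.0.2.10": b"constructed-key-for-analyzer-10",
    "198.51.100.7": b"constructed-key-for-analyzer-7",
}


def seal(origin, seq, created, event, key):
    """Analyzer side: serialize one alert and MAC it with this analyzer's key."""
    payload = json.dumps(
        {"origin": origin, "seq": seq, "created": created, "event": event},
        sort_keys=True,
    ).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"sender": origin, "payload": payload, "mac": mac}


class Manager:
    """Manager side: authenticate, de-duplicate and time-normalize alerts."""

    def __init__(self, keys, window=64):
        self.keys = keys
        self.window = window  # how far behind the newest seq is still accepted
        self.top = {}         # origin -> highest sequence number accepted
        self.seen = {}        # origin -> accepted sequence numbers in the window

    def receive(self, msg):
        """Return (status, record); record is None unless status is 'accepted'."""
        key = self.keys.get(msg["sender"])
        if key is None:
            return "unknown-sender", None
        # Verify the MAC before parsing or touching replay state, so forged
        # traffic cannot consume sequence numbers or grow per-sender state.
        expected = hmac.new(key, msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad-mac", None
        alert = json.loads(msg["payload"])
        if alert["origin"] != msg["sender"]:
            return "origin-mismatch", None
        created = datetime.fromisoformat(alert["created"])
        if created.tzinfo is None:
            return "no-utc-offset", None  # cannot be normalized (6.14)
        origin, seq = alert["origin"], alert["seq"]
        top = self.top.get(origin, 0)
        seen = self.seen.setdefault(origin, set())
        if seq <= top - self.window:
            return "stale", None          # too old to tell apart from a copy
        if seq in seen:
            return "duplicate", None      # copied message (5.8)
        seen.add(seq)
        if seq > top:
            self.top[origin] = seq
            # Forget numbers that fell out of the window: bounded memory.
            seen.difference_update({s for s in seen if s <= seq - self.window})
        return "accepted", {
            "alert_id": f"{origin}#{seq}",            # originator + sequence (6.12.2)
            "utc": created.astimezone(timezone.utc),  # comparable across zones
            "local_offset": created.utcoffset(),      # analyzer local time stays inferable
            "event": alert["event"],
        }


if __name__ == "__main__":
    mgr = Manager(ANALYZER_KEYS)
    alert = seal("192.0.2.10", 1, "2040-01-19T23:30:05-08:00", "port-scan",
                 ANALYZER_KEYS["192.0.2.10"])
    print(mgr.receive(alert))     # accepted, with the time normalized to UTC
    print(mgr.receive(alert)[0])  # the identical copy is rejected
```

The timestamps are deliberately dated after 2038 (Section 6.15); the textual representation with an explicit offset is what lets the manager both normalize the value and recover the analyzer's local time.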
--DocE+STaALJfprDB--

From idwg-public-request@semper.org Thu Oct 24 07:35:17 2002
Received: from www.opencard.org (www.opencard.org [195.176.20.76]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA02316 for ; Thu, 24 Oct 2002 07:35:16 -0400 (EDT)
Received: by www.opencard.org (Postfix, from userid 503) id AA02E348D4; Thu, 24 Oct 2002 13:37:23 +0200 (CEST)
Old-Return-Path:
Delivered-To: semper-idwg-public@opencard.org
Message-Id: <200210241134.HAA02209@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce:;;IETF-Announce:;;;, @zurich.ibm.com;;;
Cc: idwg-public@zurich.ibm.com
From: Internet-Drafts@ietf.org
Reply-To: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-idwg-beep-idxp-07.txt
Date: Thu, 24 Oct 2002 07:34:15 -0400
Sender: nsyracus@cnri.reston.va.us
Resent-Message-ID: <2lOyaC.A.veF.zt9t9@www.opencard.org>
Resent-From: idwg-public@semper.org
X-Mailing-List: archive/latest/561
X-Loop: idwg-public@semper.org
Precedence: list
Resent-Sender: idwg-public-request@semper.org
Resent-Date: Thu, 24 Oct 2002 13:37:23 +0200 (CEST)

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Intrusion Detection Exchange Format Working Group of the IETF.

Title     : The Intrusion Detection Exchange Protocol (IDXP)
Author(s) : B. Feinstein, G. Matthews, J. White
Filename  : draft-ietf-idwg-beep-idxp-07.txt
Pages     : 40
Date      : 2002-10-23

This memo describes the Intrusion Detection Exchange Protocol (IDXP), an application-level protocol for exchanging data between intrusion detection entities. IDXP supports mutual-authentication, integrity, and confidentiality over a connection-oriented protocol. The protocol provides for the exchange of IDMEF messages, unstructured text, and binary data.
The IDMEF message elements are described in the Intrusion Detection Message Exchange Format (IDMEF) [2], a companion document of the Intrusion Detection Exchange Format (IDWG) working group of the IETF.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-07.txt

To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-idwg-beep-idxp-07.txt".

A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-idwg-beep-idxp-07.txt".

NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org"

Content-Type: text/plain
Content-ID: <2002-10-23133506.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ietf-idwg-beep-idxp-07.txt

--OtherAccess
Content-Type: Message/External-body; name="draft-ietf-idwg-beep-idxp-07.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2002-10-23133506.I-D@ietf.org>

--OtherAccess--

--NextPart--

From idwg-public-request@semper.org Thu Oct 24 07:36:50 2002
Received: from www.opencard.org (www.opencard.org [195.176.20.76]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA02484 for ; Thu, 24 Oct 2002 07:36:49 -0400 (EDT)
Received: by www.opencard.org (Postfix, from userid 503) id 5FD3D348EB; Thu, 24 Oct 2002 13:37:31 +0200 (CEST)
Old-Return-Path:
Delivered-To: semper-idwg-public@opencard.org
Message-Id: <200210241134.HAA02193@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce:;;IETF-Announce:;;;, @zurich.ibm.com;;;
Cc: idwg-public@zurich.ibm.com
From: Internet-Drafts@ietf.org
Reply-To: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-idwg-requirements-10.txt
Date: Thu, 24 Oct 2002 07:34:06 -0400
Sender: nsyracus@cnri.reston.va.us
Resent-Message-ID:
Resent-From: idwg-public@semper.org
X-Mailing-List: archive/latest/560
X-Loop: idwg-public@semper.org
Precedence: list
Resent-Sender: idwg-public-request@semper.org
Resent-Date: Thu, 24 Oct 2002 13:37:31 +0200 (CEST)

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Intrusion Detection Exchange Format Working Group of the IETF.

Title     : Intrusion Detection Message Exchange Requirements
Author(s) : M. Wood, M.
Erlinger
Filename  : draft-ietf-idwg-requirements-10.txt
Pages     : 31
Date      : 2002-10-23

The purpose of the Intrusion Detection Exchange Format Working Group (IDWG) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. This Internet-Draft describes the high-level requirements for such a communication mechanism, including the rationale for those requirements where clarification is needed. Scenarios are used to illustrate some requirements.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt

To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-idwg-requirements-10.txt".

A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-idwg-requirements-10.txt".

NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org"

Content-Type: text/plain
Content-ID: <2002-10-23133456.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ietf-idwg-requirements-10.txt

--OtherAccess
Content-Type: Message/External-body; name="draft-ietf-idwg-requirements-10.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2002-10-23133456.I-D@ietf.org>

--OtherAccess--

--NextPart--