rfc8903xml2.original.xml   rfc8903.xml 
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.3.8 -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ <!-- updated by Chris 07/20/20 -->
<!ENTITY RFC8612 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8612.xml">
<!ENTITY RFC8782 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8782.xml">
<!ENTITY RFC8783 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8783.xml">
<!ENTITY I-D.ietf-dots-multihoming SYSTEM "https://xml2rfc.tools.ietf.org/public
/rfc/bibxml3/reference.I-D.ietf-dots-multihoming.xml">
]>
<?rfc rfcedstyle="yes"?> <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.3.8 -->
<?rfc toc="yes"?> <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?rfc tocindent="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc docmapping="yes"?>
<rfc docName="draft-ietf-dots-use-cases-25" category="info"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft -ietf-dots-use-cases-25" number="8903" submissionType="IETF" category="info" con sensus="true" obsoletes="" updates="" xml:lang="en" tocInclude="true" sortRefs=" true" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 2.47.0 -->
<front> <front>
<title abbrev="DOTS Use Cases">Use cases for DDoS Open Threat Signaling</tit <title abbrev="DOTS Use Cases">Use Cases for DDoS Open Threat Signaling</tit
le> le>
<seriesInfo name="RFC" value="8903"/>
<author initials="R." surname="Dobbins" fullname="Roland Dobbins"> <author initials="R." surname="Dobbins" fullname="Roland Dobbins">
<organization>Arbor Networks</organization> <organization>Arbor Networks</organization>
<address> <address>
<postal> <postal>
<street></street> <street/>
<city></city> <city/>
<code></code> <code/>
<country>Singapore</country> <country>Singapore</country>
</postal> </postal>
<email>rdobbins@arbor.net</email> <email>rdobbins@arbor.net</email>
</address> </address>
</author> </author>
<author initials="D." surname="Migault" fullname="Daniel Migault"> <author initials="D." surname="Migault" fullname="Daniel Migault">
<organization>Ericsson</organization> <organization>Ericsson</organization>
<address> <address>
<postal> <postal>
<street>8275 Trans Canada Route</street> <street>8275 Trans Canada Route</street>
<city>Saint Laurent, QC</city> <city>Saint Laurent,</city>
<region>Quebec</region>
<code>4S 0B6</code> <code>4S 0B6</code>
<country>Canada</country> <country>Canada</country>
</postal> </postal>
<email>daniel.migault@ericsson.com</email> <email>daniel.migault@ericsson.com</email>
</address> </address>
</author> </author>
<author initials="R." surname="Moskowitz" fullname="Robert Moskowitz"> <author initials="R." surname="Moskowitz" fullname="Robert Moskowitz">
<organization>HTT Consulting</organization> <organization>HTT Consulting</organization>
<address> <address>
<postal> <postal>
<street></street> <street/>
<city>Oak Park, MI</city> <city>Oak Park</city>
<region>MI</region>
<code>48237</code> <code>48237</code>
<country>USA</country> <country>United States of America</country>
</postal> </postal>
<email>rgm@labs.htt-consult.com</email> <email>rgm@labs.htt-consult.com</email>
</address> </address>
</author> </author>
<author initials="N." surname="Teague" fullname="Nik Teague"> <author initials="N." surname="Teague" fullname="Nik Teague">
<organization>Iron Mountain Data Centers</organization> <organization>Iron Mountain Data Centers</organization>
<address> <address>
<postal> <postal>
<street></street> <street/>
<city></city> <city/>
<code></code> <code/>
<country>UK</country> <country>United Kingdom</country>
</postal> </postal>
<email>nteague@ironmountain.co.uk</email> <email>nteague@ironmountain.co.uk</email>
</address> </address>
</author> </author>
<author initials="L." surname="Xia" fullname="Liang Xia"> <author initials="L." surname="Xia" fullname="Liang Xia">
<organization>Huawei</organization> <organization>Huawei</organization>
<address> <address>
<postal> <postal>
<street>No. 101, Software Avenue, Yuhuatai District</street> <street>No. 101, Software Avenue, Yuhuatai District</street>
<city>Nanjing</city> <city>Nanjing</city>
<country>China</country> <country>China</country>
</postal> </postal>
<email>Frank.xialiang@huawei.com</email> <email>Frank.xialiang@huawei.com</email>
</address> </address>
</author> </author>
<author initials="K." surname="Nishizuka" fullname="Kaname Nishizuka"> <author initials="K." surname="Nishizuka" fullname="Kaname Nishizuka">
<organization>NTT Communications</organization> <organization>NTT Communications</organization>
<address> <address>
<postal> <postal>
<street>GranPark 16F 3-4-1 Shibaura, Minato-ku</street> <street>3-4-1 Shibaura, Minato-ku</street>
<city>Tokyo</city> <extaddr>GranPark 16F</extaddr>
<region>Tokyo</region>
<code>108-8118</code> <code>108-8118</code>
<country>Japan</country> <country>Japan</country>
</postal> </postal>
<email>kaname@nttv6.jp</email> <email>kaname@nttv6.jp</email>
</address> </address>
</author> </author>
<date year="2020" month="September"/>
<date year="2020" month="July" day="05"/>
<area>Security</area> <area>Security</area>
<workgroup>DOTS</workgroup> <workgroup>DOTS</workgroup>
<keyword>Internet-Draft</keyword>
<abstract> <keyword>example</keyword>
<t>The DDoS Open Threat Signaling (DOTS) effort is intended to provide <abstract>
<t>The DDoS Open Threat Signaling (DOTS) effort is intended to provide
protocols to facilitate interoperability across disparate DDoS protocols to facilitate interoperability across disparate DDoS
mitigation solutions. This document presents sample use cases which describe Mitigation solutions. This document presents sample use cases that describe
the interactions expected between the DOTS components as well as DOTS the interactions expected between the DOTS components as well as DOTS
messaging exchanges. These use cases are meant to identify the messaging exchanges. These use cases are meant to identify the
interacting DOTS components, how they collaborate, and what are the interacting DOTS components, how they collaborate, and what the
typical information to be exchanged.</t> typical information to be exchanged is.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section anchor="introduction" numbered="true" toc="default">
<section anchor="introduction" title="Introduction"> <name>Introduction</name>
<t>At the time of writing, distributed denial-of-service (DDoS) attack
<t>At the time of writing, distributed denial-of-service (DDoS) attack
mitigation solutions are largely based upon siloed, proprietary mitigation solutions are largely based upon siloed, proprietary
communications schemes with vendor lock-in as a side-effect. This can communications schemes with vendor lock-in as a side effect. This can
result in the configuration, provisioning, operation, and activation of result in the configuration, provisioning, operation, and activation of
these solutions being a highly manual and often time-consuming process. these solutions being a highly manual and often time-consuming process.
Additionally, coordinating multiple DDoS mitigation solutions Additionally, coordinating multiple DDoS Mitigation solutions
simultaneously is fraught with both technical and process-related simultaneously is fraught with both technical and process-related
hurdles. This greatly increases operational complexity which, in turn, hurdles. This greatly increases operational complexity, which in turn
can degrade the efficacy of mitigations that are generally highly dependent on  can degrade the efficacy of mitigations that are generally highly dependent on
a timely reaction by the system.</t> a timely reaction by the system.</t>
<t>The DDoS Open Threat Signaling (DOTS) effort is intended to specify
<t>The DDoS Open Threat Signaling (DOTS) effort is intended to specify
protocols that facilitate interoperability between diverse DDoS protocols that facilitate interoperability between diverse DDoS
mitigation solutions and ensure greater integration in term of Mitigation solutions and ensure greater integration in terms of
attack detection, mitigation requests, and attack characterization patterns.</t> attack detection, mitigation requests, and attack characterization patterns.</t>
<t>As DDoS solutions are broadly heterogeneous among vendors, the
<t>As DDoS solutions are broadly heterogeneous among vendors, the
primary goal of DOTS is to provide high-level interaction amongst primary goal of DOTS is to provide high-level interaction amongst
differing DDoS solutions, such as detecting DDoS attacks, differing DDoS solutions, such as detecting DDoS attacks,
initiating/terminating DDoS mitigation assistance, or requesting the initiating/terminating DDoS Mitigation assistance, or requesting the
status of a DDoS mitigation.</t> status of a DDoS Mitigation.</t>
<t>This document provides sample use cases that provided input for the req
<t>This document provides sample use cases that provided input for the requireme uirements <xref target="RFC8612" format="default"/> and design of
nts <xref target="RFC8612"/> and design of the DOTS protocols <xref target="RFC8782" format="default"/><xref target="RFC878
the DOTS protocols <xref target="RFC8782"/><xref target="RFC8783"/>. The use cas 3" format="default"/>. The use cases are not exhaustive, and future use cases ar
es are not exhaustive and future use cases are e
expected to emerge as DOTS is adopted and evolves.</t> expected to emerge as DOTS is adopted and evolves.</t>
</section>
</section> <section anchor="terminology-and-acronyms" numbered="true" toc="default">
<section anchor="terminology-and-acronyms" title="Terminology and Acronyms"> <name>Terminology and Acronyms</name>
<t>This document makes use of the same terminology and definitions as
<t>This document makes use of the same terminology and definitions as <xref target="RFC8612" format="default"/>. In addition, it uses the terms define
<xref target="RFC8612"/>. In addition it uses the terms defined d
below:</t> below:</t>
<dl newline="true" spacing="normal">
<t><list style="symbols"> <dt>DDoS Mitigation System (DMS):</dt><dd>A system that performs DDoS
<t>DDoS Mitigation System (DMS): A system that performs DDoS mitigation. Mitigation. The DDoS Mitigation System may be composed of a cluster of
The DDoS Mitigation System may be composed of a cluster of hardware hardware and/or software resources but could also involve an orchestrator that
and/or software resources, but could also involve an orchestrator that may make decisions, such as outsourcing some or all of the mitigation to
may take decisions such as outsourcing some or all of the mitigation another DDoS Mitigation System.</dd>
to another DDoS Mitigation System.</t> <dt>DDoS Mitigation:</dt><dd>The action performed by the DDoS Mitigation System.
<t>DDoS Mitigation: The action performed by the DDoS Mitigation System.</t> </dd>
<t>DDoS Mitigation Service: designates a service provided to a <dt>DDoS Mitigation Service:</dt><dd>Designates a service provided to a
customer to mitigate DDoS attacks. Each service subscription usually involve Ser customer to mitigate DDoS attacks. Each service subscription usually involve
vice Service Level Agreement (SLA) that has to be met. It is the responsibility of
Level Agreement (SLA) that has to be met. It is the responsibility of the DDoS Service provider to instantiate the DDoS Mitigation System to meet
the DDoS Service provider to instantiate the DDoS Mitigation System to these SLAs.</dd>
meet these SLAs.</t> <dt>DDoS Mitigation Service Provider:</dt><dd>Designates the administrative
<t>DDoS Mitigation Service Provider: designates the administrative entity entity providing the DDoS Mitigation Service.</dd>
providing the DDoS Mitigation Service.</t> <dt>Internet Transit Provider (ITP):</dt><dd>Designates the entity that
<t>Internet Transit Provider (ITP): designates the entity that delivers delivers the traffic to a customer network. It can be an Internet Service
the traffic to a customer network. It can be an Internet Service Provider Provider (ISP) or an upstream entity delivering the traffic to the ISP.
(ISP), or an upstream entity delivering the traffic to the ISP.</t> </dd>
</list></t> </dl>
</section>
</section> <section anchor="use-cases" numbered="true" toc="default">
<section anchor="use-cases" title="Use Cases"> <name>Use Cases</name>
<section anchor="use-case-1" numbered="true" toc="default">
<section anchor="use-case-1" title="Upstream DDoS Mitigation by an Upstream Inte <name>Upstream DDoS Mitigation by an Upstream Internet Transit Provider<
rnet Transit Provider"> /name>
<t>This use case describes how an enterprise or a residential customer
<t>This use case describes how an enterprise or a residential customer
network may take advantage of a pre-existing relation with its ITP in order to m itigate a DDoS attack targeting its network may take advantage of a pre-existing relation with its ITP in order to m itigate a DDoS attack targeting its
network.</t> network.</t>
<t>For clarity of discussion, the targeted network is indicated as an en
<t>For clarity of discussion, the targeted network is indicated as an enterprise terprise
network, but the same scenario applies to any downstream network, including network, but the same scenario applies to any downstream network, including
residential and cloud hosting networks.</t> residential and cloud hosting networks.</t>
<t>As the ITP provides connectivity to the enterprise
<t>As the ITP provides connectivity to the enterprise
network, it is already on the path of the inbound and outbound traffic of network, it is already on the path of the inbound and outbound traffic of
the enterprise network and well aware of the networking parameters the enterprise network and is well aware of the networking parameters
associated to the enterprise network WAN connectivity. This eases both the associated with the enterprise network WAN connectivity. This eases both the
configuration and the instantiation of a DDoS Mitigation Service.</t> configuration and the instantiation of a DDoS Mitigation Service.</t>
<t>This
<t>This
section considers two kinds of DDoS Mitigation Service between an section considers two kinds of DDoS Mitigation Service between an
enterprise network and an ITP:</t> enterprise network and an ITP:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>The upstream ITP may instantiate a DMS upon
<t>The upstream ITP may instantiate a DDoS Mitigation System (DMS) upon
receiving a request from the enterprise network. This typically receiving a request from the enterprise network. This typically
corresponds to the case when the enterprise network is under attack.</t> corresponds to a case when the enterprise network is under attack.</li>
<t>On the other hand, the ITP may identify an enterprise network as the <li>On the other hand, the ITP may identify an enterprise network as t
he
source of an attack and send a mitigation request to the enterprise DMS source of an attack and send a mitigation request to the enterprise DMS
to mitigate this at the source.</t> to mitigate this at the source.</li>
</list></t> </ul>
<t>The two scenarios, though different, have similar interactions betwee
<t>The two scenarios, though different, have similar interactions between n
the DOTS client and server. For the sake of simplicity, only the first the DOTS client and server. For the sake of simplicity, only the first
scenario will be detailed in this section. Nevertheless, the second scenario is also in scope for DOTS.</t> scenario will be detailed in this section. Nevertheless, the second scenario is also in scope for DOTS.</t>
<t>In the first scenario, as depicted in <xref target="fig-1"/>, an ente
<t>In the first scenario, as depicted in Figure 1, an enterprise network rprise network
with self-hosted Internet-facing properties such as Web servers, with self-hosted Internet-facing properties such as web servers,
authoritative DNS servers, and VoIP servers has a DMS deployed to authoritative DNS servers, and Voice over IP (VoIP) servers has a DMS deployed t
o
protect those servers and applications from DDoS attacks. In addition to protect those servers and applications from DDoS attacks. In addition to
on-premise DDoS defense capability, the enterprise has contracted with on-premise DDoS defense capabilities, the enterprise has contracted with
its ITP for DDoS Mitigation Services when attacks its ITP for DDoS Mitigation Services when attacks
threaten to overwhelm the bandwidth of their WAN link(s).</t> threaten to overwhelm the bandwidth of their WAN link(s).</t>
<figure anchor="fig-1">
<figure><artwork><![CDATA[ <name>Upstream Internet Transit Provider DDoS Mitigation</name>
<artwork name="" type="" align="left" alt=""><![CDATA[
+------------------+ +------------------+ +------------------+ +------------------+
| Enterprise | | Upstream | | Enterprise | | Upstream |
| Network | | Internet Transit | | Network | | Internet Transit |
| | | Provider | | | | Provider |
| +--------+ | | DDoS Attack | +--------+ | | DDoS Attack
| | DDoS | | <================================= | | DDoS | | <=================================
| | Target | | <================================= | | Target | | <=================================
| +--------+ | | +------------+ | | +--------+ | | +------------+ |
| | +-------->| DDoS | | | | +-------->| DDoS | |
| | | |S | Mitigation | | | | | |S | Mitigation | |
skipping to change at line 243 skipping to change at line 218
| | | | | | | | | |
| +------------+ | | | | | +------------+ | | | |
| | DDoS |<---+ | | | | DDoS |<---+ | |
| | Mitigation |C | | | | | Mitigation |C | | |
| | System | | | | | | System | | | |
| +------------+ | | | | +------------+ | | |
+------------------+ +------------------+ +------------------+ +------------------+
* C is for DOTS client functionality * C is for DOTS client functionality
* S is for DOTS server functionality * S is for DOTS server functionality
]]></artwork>
Figure 1: Upstream Internet Transit Provider DDoS Mitigation </figure>
]]></artwork></figure> <t>The enterprise DMS is configured such that if the incoming Internet
<t>The enterprise DMS is configured such that if the incoming Internet
traffic volume exceeds 50% of the provisioned upstream Internet WAN traffic volume exceeds 50% of the provisioned upstream Internet WAN
link capacity, the DMS will request DDoS mitigation assistance from the link capacity, the DMS will request DDoS Mitigation assistance from the
upstream transit provider. More sophisticated detection means may be considered upstream transit provider. More sophisticated detection means may be considered
as well.</t> as well.</t>
<t>The requests to trigger, manage, and finalize a DDoS Mitigation betwe
<t>The requests to trigger, manage, and finalize a DDoS Mitigation between en
the enterprise DMS and the ITP is performed using DOTS. The enterprise the enterprise DMS and the ITP are made using DOTS. The enterprise
DMS implements a DOTS client while the ITP implements a DOTS server DMS implements a DOTS client while the ITP implements a DOTS server,
which is integrated with their DMS in this example.</t> which is integrated with their DMS in this example.</t>
<t>When the enterprise DMS locally detects an inbound DDoS attack target
<t>When the enterprise DMS locally detects an inbound DDoS attack targeting ing
its resources (e.g., servers, hosts, or applications), it immediately its resources (e.g., servers, hosts, or applications), it immediately
begins a DDoS Mitigation.</t> begins a DDoS Mitigation.</t>
<t>During the course of the attack, the inbound traffic volume to the en
<t>During the course of the attack, the inbound traffic volume to the enterprise terprise network exceeds the
network exceeds the 50% threshold, and the enterprise DMS escalates the DDoS Mitigation. The
50% threshold and the enterprise DMS escalates the DDoS mitigation. The
enterprise DMS DOTS client signals to the DOTS server on the upstream ITP enterprise DMS DOTS client signals to the DOTS server on the upstream ITP
to initiate DDoS Mitigation. The DOTS server replies to the DOTS client to initiate DDoS Mitigation. The DOTS server replies to the DOTS client
that it can serve this request, and mitigation is initiated on the ITP that it can serve this request, and mitigation is initiated on the ITP
network by the ITP DMS.</t> network by the ITP DMS.</t>
<t>Over the course of the attack, the DOTS server of the ITP periodicall
<t>Over the course of the attack, the DOTS server of the ITP periodically y
informs the DOTS client on the mitigation status, informs the DOTS client on the mitigation status,
statistics related to DDoS attack traffic mitigation, and related statistics related to DDoS attack traffic mitigation, and related
information. Once the DDoS attack has ended, or decreased to a certain information. Once the DDoS attack has ended or decreased to a certain
level that the enterprise DMS might handle by itself, the DOTS server level that the enterprise DMS might handle by itself, the DOTS server
signals the enterprise DMS DOTS client that the attack has subsided.</t> signals the enterprise DMS DOTS client that the attack has subsided.</t>
<t>The DOTS client on the enterprise DMS then requests that the ITP term
<t>The DOTS client on the enterprise DMS then requests the ITP to terminate inate
the DDoS Mitigation. The DOTS server on the ITP receives this request the DDoS Mitigation. The DOTS server on the ITP receives this request
and once the mitigation has ended, confirms the end of upstream DDoS and, once the mitigation has ended, confirms the end of upstream DDoS
Mitigation to the enterprise DMS DOTS client.</t> Mitigation to the enterprise DMS DOTS client.</t>
<t>The following is an overview of the DOTS communication model for this
<t>The following is an overview of the DOTS communication model for this use case:</t>
use-case:</t> <ol spacing="normal" type="1">
<li>A DDoS attack is initiated against resources of a
<t><list style="numbers"> network organization (here, the enterprise), which has deployed a
<t>A DDoS attack is initiated against resources of a DOTS-capable DMS -- typically a DOTS client.</li>
network organization (here, the enterprise) which has deployed a <li>The enterprise DMS detects, classifies, and begins the DDoS
DOTS-capable DMS - typically a DOTS client.</t> Mitigation.</li>
<t>The enterprise DMS detects, classifies, and begins the DDoS <li>The enterprise DMS determines that its capacity and/or capability
Mitigation.</t> to mitigate the DDoS attack is insufficient and sends a DOTS DDoS Mitigation req
<t>The enterprise DMS determines that its capacity and/or capability uest via its DOTS
to mitigate the DDoS attack is insufficient, and sends via its DOTS client to one or more DOTS servers
client a DOTS DDoS Mitigation request to one or more DOTS servers residing on the upstream ITP.</li>
residing on the upstream ITP.</t> <li>The DOTS server, which receives the DOTS Mitigation request,
<t>The DOTS server which receives the DOTS Mitigation request
determines that it has been configured to honor requests from the determines that it has been configured to honor requests from the
requesting DOTS client, and honors the request by orchestrating requesting DOTS client and does so by orchestrating
its own DMS.</t> its own DMS.</li>
<t>While the DDoS Mitigation is active, the DOTS server <li>While the DDoS Mitigation is active, the DOTS server
regularly transmits DOTS DDoS Mitigation status updates to the DOTS regularly transmits DOTS DDoS Mitigation status updates to the DOTS
client.</t> client.</li>
<t>Informed by the DOTS server status update that the attack has <li>Informed by the DOTS server status update that the attack has
ended or subsided, the DOTS client transmits a DOTS DDoS Mitigation ended or subsided, the DOTS client transmits a DOTS DDoS Mitigation
termination request to the DOTS server.</t> termination request to the DOTS server.</li>
<t>The DOTS server terminates DDoS Mitigation, and sends the <li>The DOTS server terminates DDoS Mitigation and sends the
notification to the DOTS client.</t> notification to the DOTS client.</li>
</list></t> </ol>
<t>Note that communications between the enterprise DOTS client and the
<t>Note that communications between the enterprise DOTS client and the upstream ITP DOTS server may take place in band within the main Internet
upstream ITP DOTS server may take place in-band within the main Internet WAN link between the enterprise and the ITP; out of band via a separate,
WAN link between the enterprise and the ITP; out-of-band via a separate,
dedicated wireline network link utilized solely for DOTS signaling; or dedicated wireline network link utilized solely for DOTS signaling; or
out-of-band via some other form of network connectivity such as a out of band via some other form of network connectivity such as
third-party wireless 4G network connectivity.</t> third-party wireless 4G network connectivity.</t>
<t>Note also that a DOTS client that sends a DOTS Mitigation request
<t>Note also that a DOTS client that sends a DOTS Mitigation request may also be triggered by a network admin that manually confirms the
may be also triggered by a network admin that manually confirms the
request to the upstream ITP, in which case the request may be sent from request to the upstream ITP, in which case the request may be sent from
an application such as a web browser or a dedicated mobile application.</t> an application such as a web browser or a dedicated mobile application.</t>
<t>Note also that when the enterprise is multihomed and connected to
<t>Note also that when the enterprise is multihomed and connected to
multiple upstream ITPs, each ITP is only able to provide a DDoS multiple upstream ITPs, each ITP is only able to provide a DDoS
Mitigation Service for the traffic it transits. As a result, the Mitigation Service for the traffic it transits. As a result, the
enterprise network may be required to coordinate the various DDoS Mitigation enterprise network may be required to coordinate the various DDoS Mitigation
Services associated to each link. More multi-homing considerations are Services associated with each link. More multihoming considerations are
discussed in <xref target="I-D.ietf-dots-multihoming"/>.</t> discussed in <xref target="I-D.ietf-dots-multihoming" format="default"/>.</t>
</section>
</section> <section anchor="use-case-2" numbered="true" toc="default">
<section anchor="use-case-2" title="DDoS Mitigation by a Third Party DDoS Mitiga <name>DDoS Mitigation by a Third-Party DDoS Mitigation Service Provider<
tion Service Provider"> /name>
<t>This use case differs from the previous use case described in <xref
<t>This use case differs from the previous use case described in Section target="use-case-1"/> in that the DDoS Mitigation Service is not provided
3.1 in that the DDoS Mitigation Service is not provided by an upstream by an upstream
ITP. In other words, as represented in Figure 2, the traffic is not ITP. In other words, as represented in <xref target="fig-2"/>, the traffic is no
t
forwarded through the DDoS Mitigation Service Provider by default. In forwarded through the DDoS Mitigation Service Provider by default. In
order to steer the traffic to the DDoS Mitigation Service Provider, some order to steer the traffic to the DDoS Mitigation Service Provider, some
network configuration changes are required. As such, this use case is network configuration changes are required. As such, this use case is
likely to apply to large enterprises or large data centers, but as for likely to apply to large enterprises or large data centers but, as for
the other use cases is not exclusively limited to them.</t> the other use cases, is not exclusively limited to them.</t>
<t>Another typical scenario for this use case is for there to be a relat
<t>Another typical scenario for this use case is for there to be a relationship ionship
between DDoS Mitigation Service Providers, forming an overlay of DMS. When between DDoS Mitigation Service Providers, forming an overlay of DMS. When
a DDoS Mitigation Service Provider mitigating a DDoS attack reaches its a DDoS Mitigation Service Provider mitigating a DDoS attack reaches its
resources capacity, it may chose to delegate the DDoS Mitigation to resource capacity, it may choose to delegate the DDoS Mitigation to
another DDoS Mitigation Service Provider.</t> another DDoS Mitigation Service Provider.</t>
<figure anchor="fig-2">
<figure><artwork><![CDATA[ <name>DDoS Mitigation between an Enterprise Network and a Third-Party DDoS Mitig
ation Service Provider</name>
<artwork name="" type="" align="left" alt=""><![CDATA[
+------------------+ +------------------+ +------------------+ +------------------+
| Enterprise | | Upstream | | Enterprise | | Upstream |
| Network | | Internet Transit | | Network | | Internet Transit |
| | | Provider | | | | Provider |
| +--------+ | | DDoS Attack | +--------+ | | DDoS Attack
| | DDoS | | <================================= | | DDoS | | <=================================
| | Target | | <================================= | | Target | | <=================================
| +--------+ | | | | +--------+ | | |
| | | | | | | |
| | +------------------+ | | +------------------+
skipping to change at line 370 skipping to change at line 332
| | | | | | | |
| +------------+ | | +------------+ | | +------------+ | | +------------+ |
| | DDoS |<------------>| DDoS | | | | DDoS |<------------>| DDoS | |
| | Mitigation |C | | S| Mitigation | | | | Mitigation |C | | S| Mitigation | |
| | System | | | | System | | | | System | | | | System | |
| +------------+ | | +------------+ | | +------------+ | | +------------+ |
+------------------+ +------------------+ +------------------+ +------------------+
* C is for DOTS client functionality * C is for DOTS client functionality
* S is for DOTS server functionality * S is for DOTS server functionality
]]></artwork>
Figure 2: DDoS Mitigation between an Enterprise Network and Third </figure>
Party DDoS Mitigation Service Provider <t>In this scenario, an enterprise network has entered into a prearrange
]]></artwork></figure> d
DDoS Mitigation assistance agreement with one or more third-party DDoS
<t>In this scenario, an enterprise network has entered into a pre-arranged
DDoS mitigation assistance agreement with one or more third-party DDoS
Mitigation Service Providers in order to ensure that sufficient DDoS Mitigation Service Providers in order to ensure that sufficient DDoS
mitigation capacity and/or capabilities may be activated in the event Mitigation capacity and/or capabilities may be activated in the event
that a given DDoS attack threatens to overwhelm the ability of the that a given DDoS attack threatens to overwhelm the ability of the
enterprise’s or any other given DMS to mitigate the attack on its own.</t> enterprise or any other given DMS to mitigate the attack on its own.</t>
<t>The prearrangement typically includes agreement on the mechanisms
<t>The pre-arrangement typically includes agreement on the mechanisms
used to redirect the traffic to the DDoS Mitigation Service Provider, as used to redirect the traffic to the DDoS Mitigation Service Provider, as
well as the mechanism to re-inject the traffic back to the Enterprise well as the mechanism to re-inject the traffic back to the Enterprise
Network. Redirection to the DDoS Mitigation Service Provider typically Network. Redirection to the DDoS Mitigation Service Provider typically
involves BGP prefix announcement or DNS redirection, while re-injection involves BGP prefix announcement or DNS redirection, while re-injection
of the scrubbed traffic to the enterprise network may be performed via of the scrubbed traffic to the enterprise network may be performed via
tunneling mechanisms (e.g., GRE). The exact mechanisms tunneling mechanisms (e.g., GRE). The exact mechanisms
used for traffic steering are out of scope of DOTS, but will need to be pre-arra used for traffic steering are out of scope of DOTS but will need to be prearrang
nged, while in some contexts such changes could be detected and considered as an ed, while in some contexts such changes could be detected and considered as an a
attack.</t> ttack.</t>
<t>In some cases, the communication between the enterprise DOTS client a
<t>In some cases the communication between the enterprise DOTS client and nd
the DOTS server of the DDoS Mitigation Service Provider may go through the DOTS server of the DDoS Mitigation Service Provider may go through
the ITP carrying the DDoS attack, which would affect the communication. the ITP carrying the DDoS attack, which would affect the communication.
On the other hand, the communication between the DOTS client and DOTS On the other hand, the communication between the DOTS client and DOTS
server may take a path that is not undergoing a DDoS attack.</t> server may take a path that is not undergoing a DDoS attack.</t>
<figure anchor="fig-3">
<figure><artwork><![CDATA[ <name>Redirection to a DDoS Mitigation Service Provider</name>
<artwork name="" type="" align="left" alt=""><![CDATA[
+------------------+ +------------------+ +------------------+ +------------------+
| Enterprise | | Upstream | | Enterprise | | Upstream |
| Network | | Internet Transit | | Network | | Internet Transit |
| | | Provider | | | | Provider |
| +--------+ | | DDoS Attack | +--------+ | | DDoS Attack
| | DDoS | |<----------------+ | ++==== | | DDoS | |<----------------+ | ++====
| | Target | | Mitigated | | || ++= | | Target | | Mitigated | | || ++=
| +--------+ | | | | || || | +--------+ | | | | || ||
| | | | | || || | | | | | || ||
| | +--------|---------+ || || | | +--------|---------+ || ||
skipping to change at line 422 skipping to change at line 380
| | | | | || || | | | | | || ||
| +------------+ | | +------------+ | || || | +------------+ | | +------------+ | || ||
| | DDoS |<------------>| DDoS | | || || | | DDoS |<------------>| DDoS | | || ||
| | mitigation |C | |S | mitigation |<===++ || | | mitigation |C | |S | mitigation |<===++ ||
| | system | | | | system |<======++ | | system | | | | system |<======++
| +------------+ | | +------------+ | | +------------+ | | +------------+ |
+------------------+ +------------------+ +------------------+ +------------------+
* C is for DOTS client functionality * C is for DOTS client functionality
* S is for DOTS server functionality * S is for DOTS server functionality
]]></artwork>
Figure 3: Redirection to a DDoS Mitigation Service Provider </figure>
]]></artwork></figure> <t>When the enterprise network is under attack or at least is reaching i
ts
<t>When the enterprise network is under attack or at least is reaching its
capacity or ability to mitigate a given DDoS attack, the DOTS capacity or ability to mitigate a given DDoS attack, the DOTS
client sends a DOTS request to the DDoS Mitigation Service Provider to client sends a DOTS request to the DDoS Mitigation Service Provider to
initiate network traffic diversion as represented in Figure 3 – and initiate network traffic diversion -- as represented in <xref target="fig-3"/> -
DDoS mitigation activities. Ongoing attack and mitigation status - and
DDoS Mitigation activities. Ongoing attack and mitigation status
messages may be passed between the enterprise network and the DDoS messages may be passed between the enterprise network and the DDoS
Mitigation Service Provider using DOTS. If the DDoS attack has stopped or the Mitigation Service Provider using DOTS. If the DDoS attack has stopped or the
severity of the attack has subsided, the DOTS client can request the severity of the attack has subsided, the DOTS client can request that the
DDoS Mitigation Service Provider to terminate the DDoS Mitigation.</t> DDoS Mitigation Service Provider terminate the DDoS Mitigation.</t>
</section>
</section> <section anchor="use-case-3" numbered="true" toc="default">
<section anchor="use-case-3" title="DDoS Orchestration"> <name>DDoS Orchestration</name>
<t>In this use case, one or more DDoS telemetry systems or monitoring
<t>In this use case, one or more DDoS telemetry systems or monitoring devices monitor a network -- typically an ISP network, an enterprise
devices monitor a network typically an ISP network, an enterprise
network, or a data center. Upon detection of a DDoS attack, these DDoS network, or a data center. Upon detection of a DDoS attack, these DDoS
telemetry systems alert an orchestrator in charge of coordinating the telemetry systems alert an orchestrator in charge of coordinating the
various DMSs within the domain. The DDoS telemetry systems may be various DMSs within the domain. The DDoS telemetry systems may be
configured to provide required information, such as a preliminary configured to provide required information, such as a preliminary
analysis of the observation, to the orchestrator.</t> analysis of the observation, to the orchestrator.</t>
<t>The orchestrator analyzes the various sets of information it receives
<t>The orchestrator analyses the various sets of information it receives from DD from DDoS
oS telemetry systems and initiates one or more DDoS Mitigation
telemetry systems, and initiates one or more DDoS mitigation strategies. For example, the orchestrator could select the DMS in the enterprise
strategies. For example, the orchestrator could select the DDoS network or one provided by the ITP.</t>
mitigation system in the enterprise network or one provided by the ITP.</t> <t>DMS selection and DDoS Mitigation techniques may
depend on the type of the DDoS attack. In some cases, a manual confirmation
<t>DDoS Mitigation System selection and DDoS Mitigation techniques may
depend on the type of the DDoS attack. In some case, a manual confirmation
or selection may also be required to choose a proposed strategy to or selection may also be required to choose a proposed strategy to
initiate a DDoS Mitigation. The DDoS Mitigation may consist of multiple initiate a DDoS Mitigation. The DDoS Mitigation may consist of multiple
steps such as configuring the network, or of updating already instantiated steps such as configuring the network or updating already-instantiated
DDoS mitigation functions. Eventually, the coordination of the DDoS Mitigation functions. Eventually, the coordination of the
mitigation may involve external DDoS mitigation resources such as a mitigation may involve external DDoS Mitigation resources such as a
transit provider or a Third Party DDoS Mitigation Service Provider.</t> transit provider or a third-party DDoS Mitigation Service Provider.</t>
<t>The communication used to trigger a DDoS Mitigation between the DDoS
<t>The communication used to trigger a DDoS Mitigation between the DDoS
telemetry and monitoring systems and the orchestrator is performed using telemetry and monitoring systems and the orchestrator is performed using
DOTS. The DDoS telemetry system implements a DOTS client while the DOTS. The DDoS telemetry system implements a DOTS client while the
orchestrator implements a DOTS server.</t> orchestrator implements a DOTS server.</t>
<t>The communication between a network administrator and the orchestrato
<t>The communication between a network administrator and the orchestrator r
is also performed using DOTS. The network administrator uses, for example, a web is also performed using DOTS. The network administrator uses, for example, a web
interface which interacts with a DOTS client, while the orchestrator interface that interacts with a DOTS client, while the orchestrator
implements a DOTS server.</t> implements a DOTS server.</t>
<t>The communication between the orchestrator and the DMSs is performed
<t>The communication between the orchestrator and the DDoS Mitigation using DOTS. The orchestrator implements a DOTS
Systems is performed using DOTS. The orchestrator implements a DOTS client while the DMSs implement a DOTS server.</t>
client while the DDoS Mitigation Systems implement a DOTS server.</t> <t>The configuration aspects of each DMS, as well as the
instantiations of DDoS Mitigation functions or network configuration, are
<t>The configuration aspects of each DDoS Mitigation System, as well as the not part of DOTS. Similarly, the discovery of available DDoS Mitigation
instantiations of DDoS mitigation functions or network configuration is functions is not part of DOTS and, as such, is out of scope.</t>
not part of DOTS. Similarly, the discovery of available DDoS mitigation <figure anchor="fig-4">
functions is not part of DOTS; and as such is out of scope.</t> <name>DDoS Orchestration</name>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork><![CDATA[
+----------+ +----------+
| network |C (Enterprise Network) | network |C (Enterprise Network)
| adminis |<-+ | admini- |<-+
| trator | | | strator | |
+----------+ | +----------+ |
| |
+----------+ | S+--------------+ +-----------+ +----------+ | S+--------------+ +-----------+
|telemetry/| +->| |C S| DDoS |+ |telemetry/| +->| |C S| DDoS |+
|monitoring|<--->| Orchestrator |<--->| mitigation|| |monitoring|<--->| Orchestrator |<--->| mitigation||
|systems |C S| |<-+ | systems || |systems |C S| |<-+ | systems ||
+----------+ +--------------+C | +-----------+| +----------+ +--------------+C | +-----------+|
| +----------+ | +----------+
-----------------------------------|----------------- -----------------------------------|-----------------
| |
| |
(Internet Transit Provider) | (Internet Transit Provider) |
| +-----------+ | +-----------+
| S| DDoS |+ | S| DDoS |+
+->| mitigation|| +->| mitigation||
| systems || | systems ||
+-----------+| +-----------+|
* C is for DOTS client functionality +----------+ * C is for DOTS client functionality +----------+
* S is for DOTS server functionality * S is for DOTS server functionality
]]></artwork>
Figure 4: DDoS Orchestration </figure>
]]></artwork></figure> <t>The DDoS telemetry systems monitor various aspects of the network tra
ffic and perform
<t>The DDoS telemetry systems monitor various aspects of the network traffic and
perform
some measurement tasks.</t> some measurement tasks.</t>
<t>These systems are configured so that when an event or some measuremen
<t>These systems are configured so that when an event or some measurement t
indicators reach a predefined level their associated DOTS client sends a indicators reach a predefined level, their associated DOTS client sends a
DOTS mitigation request to the orchestrator DOTS server. The DOTS DOTS mitigation request to the orchestrator DOTS server. The DOTS
mitigation request may be associated with some optional mitigation hints mitigation request may be associated with some optional mitigation hints
to let the orchestrator know what has triggered the request. In particular, it i to let the orchestrator know what has triggered the request. In particular, it
s possible for something that locally to one telemetry system looks like an atta is possible for something that looks like an attack locally to one
ck is not actually an attack when seen from the broader scope (e.g., of the orch telemetry system is not actually an attack when seen from the broader sco
estrator)</t> pe (e.g., of the orchestrator).</t>
<t>Upon receipt of the DOTS mitigation request from the DDoS telemetry
<t>Upon receipt of the DOTS mitigation request from the DDoS telemetry system, the orchestrator DOTS server responds with an acknowledgment to
system, the orchestrator DOTS server responds with an acknowledgment, to
avoid retransmission of the request for mitigation. The orchestrator avoid retransmission of the request for mitigation. The orchestrator
may begin collecting additional fine-grained and specific information may begin collecting additional fine-grained and specific information
from various DDoS telemetry systems in order to correlate the from various DDoS telemetry systems in order to correlate the
measurements and provide an analysis of the event. Eventually, the measurements and provide an analysis of the event. Eventually, the
orchestrator may ask for additional information from the DDoS telemetry orchestrator may ask for additional information from the DDoS telemetry
system; however, the collection of this information is out of scope of DOTS.</t> system; however, the collection of this information is out of scope of DOTS.</t>
<t>The orchestrator may be configured to start a DDoS Mitigation upon
<t>The orchestrator may be configured to start a DDoS Mitigation upon
approval from a network administrator. The analysis from the approval from a network administrator. The analysis from the
orchestrator is reported to the network administrator via, for example, a web orchestrator is reported to the network administrator via, for example, a web
interface. If the network administrator decides to start the mitigation, interface. If the network administrator decides to start the mitigation,
the network administrator triggers the DDoS mitigation request using, for exampl e, a the network administrator triggers the DDoS Mitigation request using, for exampl e, a
web interface of a DOTS client communicating to the orchestrator DOTS web interface of a DOTS client communicating to the orchestrator DOTS
server. This request is expected to be associated with a context that server. This request is expected to be associated with a context that
provides sufficient information to the orchestrator DOTS server to infer, elabo rate and coordinate provides sufficient information to the orchestrator DOTS server to infer, elabor ate, and coordinate
the appropriate DDoS Mitigation.</t> the appropriate DDoS Mitigation.</t>
<t>Upon receiving a request to mitigate a DDoS attack aimed at a
<t>Upon receiving a request to mitigate a DDoS attack aimed at a
target, the orchestrator may evaluate the volume of the attack as target, the orchestrator may evaluate the volume of the attack as
well as the value that the target represents. The orchestrator may well as the value that the target represents. The orchestrator may
select the DDoS Mitigation Service Provider based on the attack select the DDoS Mitigation Service Provider based on the attack
severity. It may also coordinate the DDoS Mitigation performed by the severity. It may also coordinate the DDoS Mitigation performed by the
DDoS Mitigation Service Provider with some other tasks such as, for DDoS Mitigation Service Provider with some other tasks such as, for
example, moving the target to another network so new sessions will not example, moving the target to another network so new sessions will not
be impacted. The orchestrator requests a DDoS Mitigation by the selected be impacted. The orchestrator requests a DDoS Mitigation by the selected
DDoS mitigation systems via its DOTS client, as described in Section DMSs via its DOTS client, as described in <xref target="use-case-1"/>.</t>
3.1.</t> <t>The orchestrator DOTS client is notified that the DDoS Mitigation is
effective by the selected DMSs. The orchestrator DOTS
<t>The orchestrator DOTS client is notified that the DDoS Mitigation is server returns this information to the network administrator.</t>
effective by the selected DDoS mitigation systems. The orchestrator DOTS <t>Similarly, when the DDoS attack has stopped, the orchestrator DOTS
server returns this information back to the network administrator.</t> client is notified and the orchestrator's DOTS server indicates the end of the
DDoS Mitigation to the DDoS telemetry systems as well as to the network a
<t>Similarly, when the DDoS attack has stopped, the orchestrator DOTS dministrator.</t>
client is notified and the orchestrator’s DOTS server indicates <t>In addition to the DDoS orchestration shown in <xref target="fig-4"/>
to the DDoS telemetry systems as well as to the network administrator , the selected DMS can return a mitigation request to the
the end of the DDoS Mitigation.</t>
<t>In addition to the above DDoS Orchestration, the selected DDoS
mitigation system can return back a mitigation request to the
orchestrator as an offloading. For example, when the DDoS attack becomes severe and orchestrator as an offloading. For example, when the DDoS attack becomes severe and
the DDoS mitigation system’s utilization rate reaches its maximum the DMS's utilization rate reaches its maximum
capacity, the DDoS mitigation system can send mitigation requests with capacity, the DMS can send mitigation requests with
additional hints such as its blocked traffic information to the additional hints, such as its blocked traffic information, to the
orchestrator. Then the orchestrator can take further actions such as orchestrator. Then the orchestrator can take further actions such as
requesting forwarding nodes such as routers to filter the traffic. In requesting forwarding nodes (e.g., routers) to filter the traffic. In
this case, the DDoS mitigation system implements a DOTS client while the this case, the DMS implements a DOTS client while the
orchestrator implements a DOTS server. Similar to other DOTS use cases, the offl orchestrator implements a DOTS server. Similar to other DOTS use cases, the offl
oading scenario assumes that some validation checks are followed by the DMS, the oading scenario assumes that some validation checks are followed by the DMS, the
orchestrator, or both (e.g., avoid exhausting the resources of the forwarding n orchestrator, or both (e.g., avoid exhausting the resources of the forwarding n
odes or inadvertent disruption of legitimate services). These validation checks odes or inadvertent disruption of legitimate services). These validation checks
are part of the mitigation, and are therefore out of the scope of the document.< are part of the mitigation and are therefore out of the scope of the document.</
/t> t>
</section>
</section> </section>
</section> <section anchor="security-considerations" numbered="true" toc="default">
<section anchor="security-considerations" title="Security Considerations"> <name>Security Considerations</name>
<t>The document does not describe any protocol, though there are still a f
<t>The document does not describe any protocol, though there are still a few ew
high-level security considerations to discuss.</t> high-level security considerations to discuss.</t>
<t>DOTS is at risk from three primary attacks: DOTS agent impersonation, t
<t>DOTS is at risk from three primary attacks: DOTS agent impersonation, traffic raffic
injection, and signaling blocking.</t> injection, and signaling blocking.</t>
<t>Impersonation and traffic injection mitigation can be mitigated through
<t>Impersonation and traffic injection mitigation can be mitigated through current secure communications best practices, including mutual authentication. P
current secure communications best practices including mutual authentication. Pr reconfigured mitigation
econfigured mitigation
steps to take on the loss of keepalive traffic can partially mitigate steps to take on the loss of keepalive traffic can partially mitigate
signal blocking, but in general it is impossible to comprehensively signal blocking. But in general, it is impossible to comprehensively
defend against an attacker that can selectively block any or all traffic. defend against an attacker that can selectively block any or all traffic.
Alternate communication paths that are (hopefully) not subject to blocking Alternate communication paths that are (hopefully) not subject to blocking
by the attacker in question is another potential mitigation.</t> by the attacker in question is another potential mitigation.</t>
<t>Additional details of DOTS security requirements can be found in
<t>Additional details of DOTS security requirements can be found in <xref target="RFC8612" format="default"/>.</t>
<xref target="RFC8612"/>.</t> <t>Service disruption may be experienced if inadequate mitigation actions
are applied. These considerations are out of the scope of DOTS.</t>
<t>Service disruption may be experienced if inadequate mitigation actions are ap </section>
plied. These considerations are out of the scope of DOTS.</t> <section anchor="iana-considerations" numbered="true" toc="default">
<name>IANA Considerations</name>
</section> <t>This document has no IANA actions.</t>
<section anchor="iana-considerations" title="IANA Considerations"> </section>
<t>No IANA considerations exist for this document.</t>
</section>
<section anchor="acknowledgments" title="Acknowledgments">
<t>The authors would like to thank among others Tirumaleswar Reddy; Andrew
Mortensen; Mohamed Boucadair; Artyom Gavrichenkov; Jon Shallow, Yuuhei
Hayashi, Elwyn Davies, the DOTS WG chairs, Roman Danyliw and Tobias Gondrom as w
ell as
the Security AD Benjamin Kaduk for their valuable feedback.</t>
<t>We also would like to thank Stephan Fouant that was part of the initial
co-authors of the documents.</t>
</section>
</middle> </middle>
<back> <back>
<references title='Informative References'> <displayreference target="I-D.ietf-dots-multihoming" to="DOTS-MULTIHOMING"/>
&RFC8612; <references>
&RFC8782; <name>Informative References</name>
&RFC8783; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC
&I-D.ietf-dots-multihoming; .8612.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC
.8782.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC
.8783.xml"/>
</references> <!-- [I-D.ietf-dots-multihoming] IESG state I-D Exists -->
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.i
etf-dots-multihoming.xml"/>
</references>
<section anchor="acknowledgments" numbered="false" toc="default">
<name>Acknowledgments</name>
<t>The authors would like to thank, among others, <contact fullname="Tirum
aleswar Reddy.K"/>, <contact fullname="Andrew
Mortensen"/>, <contact fullname="Mohamed Boucadair"/>, <contact fullname="Artyom
Gavrichenkov"/>, <contact fullname="Jon Shallow"/>, <contact fullname="Yuuhei
Hayashi"/>, <contact fullname="Elwyn Davies"/>, the DOTS WG Chairs (at the
time of writing) <contact fullname="Roman Danyliw"/> and <contact fullname
="Tobias Gondrom"/>, as well as
the Security AD <contact fullname="Benjamin Kaduk"/> for their valuable feedback
.</t>
<t>We also would like to thank <contact fullname="Stephan Fouant"/>, who
was one of the initial coauthors of the documents.</t>
</section>
</back> </back>
<!-- ##markdown-source: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</rfc> </rfc>
 End of changes. 94 change blocks. 
545 lines changed or deleted 320 lines changed or added
