rfc9490.original.xml   rfc9490.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.22 (Ruby 3.1. <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.1 (Ruby 3.0.2
4) --> ) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
-iab-m-ten-workshop-02" category="info" consensus="true" submissionType="IAB" to -iab-m-ten-workshop-02" category="info" consensus="true" submissionType="IAB" to
cInclude="true" sortRefs="true" symRefs="true" version="3"> cInclude="true" sortRefs="true" symRefs="true" version="3" number="9490">
<!-- xml2rfc v2v3 conversion 3.18.0 --> <!-- xml2rfc v2v3 conversion 3.18.1 -->
<front>
<title abbrev="M-TEN workshop report">Report from the IAB workshop on Manage <front>
ment Techniques in Encrypted Networks (M-TEN)</title> <title abbrev="M-TEN Workshop Report">Report from the IAB Workshop on Manage
<seriesInfo name="Internet-Draft" value="draft-iab-m-ten-workshop-02"/> ment Techniques in Encrypted Networks (M-TEN)</title>
<seriesInfo name="RFC" value="9490"/>
<author initials="M." surname="Knodel" fullname="Mallory Knodel"> <author initials="M." surname="Knodel" fullname="Mallory Knodel">
<organization>Center for Democracy &amp; Technology</organization>
<address> <address>
<email>mknodel@cdt.org</email> <email>mknodel@cdt.org</email>
</address> </address>
</author> </author>
<author initials="W." surname="Hardaker" fullname="Wes Hardaker"> <author initials="W." surname="Hardaker" fullname="Wes Hardaker">
<organization/> <organization/>
<address> <address>
<email>ietf@hardakers.net</email> <email>ietf@hardakers.net</email>
</address> </address>
</author> </author>
<author initials="T." surname="Pauly" fullname="Tommy Pauly"> <author initials="T." surname="Pauly" fullname="Tommy Pauly">
<organization/> <organization/>
<address> <address>
<email>tpauly@apple.com</email> <email>tpauly@apple.com</email>
</address> </address>
</author> </author>
<date year="2023" month="August" day="14"/> <date year="2024" month="January"/>
<keyword>encryption</keyword> <keyword>encryption</keyword>
<keyword>network management</keyword> <keyword>network management</keyword>
<abstract> <abstract>
<t>The “Management Techniques in Encrypted Networks (M-TEN)” workshop was convened by the Internet Architecture Board (IAB) from 17 October 2022 to 19 Oct ober 2022 as a three-day online meeting. The workshop was organized in three par ts to discuss ways to improve network management techniques in support of even b roader adoption of encryption on the Internet. This report summarizes the worksh op's discussion and identifies topics that warrant future work and consideration .</t> <t>The "Management Techniques in Encrypted Networks (M-TEN)" workshop was conven ed by the Internet Architecture Board (IAB) from 17 October 2022 to 19 October 2 022 as a three-day online meeting. The workshop was organized in three parts to discuss ways to improve network management techniques in support of even broader adoption of encryption on the Internet. This report summarizes the workshop's d iscussion and identifies topics that warrant future work and consideration.</t>
<t>Note that this document is a report on the proceedings of the <t>Note that this document is a report on the proceedings of the
workshop. The views and positions documented in this report are those workshop. The views and positions documented in this report are those
of the expressed during the workshop by participants and do not of the expressed during the workshop by participants and do not
necessarily reflect IAB views and positions.</t> necessarily reflect IAB views and positions.</t>
</abstract> </abstract>
<note removeInRFC="true">
<name>About This Document</name>
<t>
The latest revision of this draft can be found at <eref target="https://
intarchboard.github.io/m-ten-workshop-public/draft-iab-m-ten-workshop.html"/>.
Status information for this document may be found at <eref target="https
://datatracker.ietf.org/doc/draft-iab-m-ten-workshop/"/>.
</t>
<t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/intarchboard/m-ten-workshop-public"/>.<
/t>
</note>
</front> </front>
<middle> <middle>
<section anchor="intro">
<section anchor="intro">
<name>Introduction</name> <name>Introduction</name>
<t>The Internet Architecture Board (IAB) holds occasional workshops
designed to consider long-term issues and strategies for the
Internet, and to suggest future directions for the Internet
architecture. This long-term planning function of the IAB is
complementary to the ongoing engineering efforts performed by working
groups of the Internet Engineering Task Force (IETF).</t>
<t>User privacy and security are constantly being improved by increasingly strong and more widely deployed encryption. This workshop aims to discuss ways to improve network management techniques in support of even broader adoption of encryption on the Internet.</t> <t>User privacy and security are constantly being improved by increasingly strong and more widely deployed encryption. This workshop aims to discuss ways to improve network management techniques in support of even broader adoption of encryption on the Internet.</t>
<t>Network management techniques need to evolve to work effectively and re <t>Network management techniques need to evolve to work effectively and re
liably in the presence of ubiquitous traffic encryption and support techniques t liably in the presence of ubiquitous traffic encryption and to support user priv
hat enhance user privacy. In an all-encrypted network, it is not viable to rely acy. In an all-encrypted network, it is not viable to rely on unencrypted metada
on unencrypted metadata for network monitoring and security functions, troublesh ta for network monitoring and security functions, troubleshooting devices, and p
ooting devices, and passive traffic measurements. New approaches are needed to t assive traffic measurements. New approaches are needed to track network behavior
rack network behaviors, e.g., by directly cooperating with endpoints and applica s, e.g., by directly cooperating with endpoints and applications, increasing use
tions, increasing use of in-band telemetry, increasing use of active measurement of in-band telemetry, increasing use of active measurement approaches, and priv
approaches, and privacy-preserving inference techniques.</t> acy-preserving inference techniques.</t>
<t>The aim of this IAB online workshop from October 17-19, 2022, has been <t>The aim of this IAB online workshop from October 17-19, 2022, has been
to provide a platform to explore the interaction between network management and to provide a platform to explore the interaction between network management and
traffic encryption and initiate new work on collaborative approaches that promot traffic encryption and to initiate work on collaborative approaches that promote
e security and user privacy while supporting operational requirements. As such t security and user privacy while supporting operational requirements. As such, t
he workshop addressed the following questions:</t> he workshop addressed the following questions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>What are actionable network management requirements?</li> <li>
<li>Who is willing to work on collaborative solutions?</li> <t>What are actionable network management requirements?</t>
<li>What are the starting points for collaborative solutions?</li> </li>
<li>
<t>Who is willing to work on collaborative solutions?</t>
</li>
<li>
<t>What are the starting points for collaborative solutions?</t>
</li>
</ul> </ul>
<section anchor="about-this-workshop-report-content"> <section anchor="about-this-workshop-report-content">
<name>About this workshop report content</name> <name>About This Workshop Report Content</name>
<t>This document is a report on the proceedings of the workshop. The <t>This document is a report on the proceedings of the workshop. The
views and positions documented in this report are those of the views and positions documented in this report are those of the
expressed during the workshop by participants and do not necessarily workshop participants and do not necessarily
reflect IAB views and positions.</t> reflect IAB views and positions.</t>
<t>Furthermore, the content of the report comes from presentations given <t>Furthermore, the content of the report comes from presentations given
by workshop participants and notes taken during the discussions, by workshop participants and notes taken during the discussions,
without interpretation or validation. Thus, the content of this without interpretation or validation. Thus, the content of this
report follows the flow and dialog of the workshop but does not report follows the flow and dialog of the workshop but does not
attempt to capture a consensus.</t> attempt to capture a consensus.</t>
</section> </section>
</section> </section>
<section anchor="workshop-scope-and-discussion"> <section anchor="workshop-scope-and-discussion">
<name>Workshop Scope and Discussion</name> <name>Workshop Scope and Discussion</name>
<t>The workshop was organized across three days with all-group discussion slots, one per day. The following topic areas were identified and the program co mmittee organized paper submissions into three main themes for each of the three discussion slots. During each discussion, those papers were presented sequentia lly with open discussion held at the end of each day.</t> <t>The workshop was held across three days with all-group discussion slots , one per day. The following topic areas were identified, and the program commit tee organized paper submissions into three main themes for each of the three dis cussion slots. During each discussion, those papers were presented sequentially with open discussion held at the end of each day.</t>
<section anchor="day1"> <section anchor="day1">
<name>“Where we are” - Requirements and Passive Observations</name> <name>"Where We Are" - Requirements and Passive Observations</name>
<t>The first day of the workshop agenda focused on the existing state of <t>The first day of the workshop focused on the existing state of the re
the relationship between network management and encrypted traffic from various lationship between network management and encrypted traffic from various angles.
angles. Presentations ranged from discussing classifiers using machine-learning Presentations ranged from discussing classifiers using machine learning to reco
to recognize traffic, to advanced techniques for evading traffic analysis, to us gnize traffic, to advanced techniques for evading traffic analysis, to user priv
er privacy considerations.</t> acy considerations.</t>
<t>After an introduction that covered the goals of the workshop and the <t>After an introduction that covered the goals of the workshop and the
starting questions (as described in <xref target="intro"/>), there were four pre starting questions (as described in <xref target="intro"/>), there were four pre
sentations, followed by open discussion.</t> sentations followed by open discussion.</t>
<section anchor="traffic-classification-and-network-management"> <section anchor="traffic-classification-and-network-management">
<name>Traffic classification and network management</name> <name>Traffic Classification and Network Management</name>
<t>Many existing network management techiques are passive in nature: t <t>Many existing network management techniques are passive in nature:
hey don't rely on an explicit signals from end hosts to negotiate with network m they don't rely on explicit signals from end hosts to negotiate with network mid
iddleboxes, but instead rely on inspecting packets to recognize traffic and appl dleboxes but instead rely on inspecting packets to recognize traffic and apply v
y various policies. Traffic classification, as a passive technique, is being cha arious policies. Traffic classification, as a passive technique, is being challe
llenged by increasing encryption.</t> nged by increasing encryption.</t>
<t>Traffic classification is commonly performed by networks to infer w <t>Traffic classification is commonly performed by networks to infer w
hat applications and services are being used. This information is in turn used f hat applications and services are being used. This information is in turn used f
or capacity and resource planning, Quality-of-Service (QoS) monitoring, traffic or capacity and resource planning, Quality-of-Service (QoS) monitoring, traffic
prioritization, network access control, identity management, and malware detecti prioritization, network access control, identity management, and malware detecti
on. However, since classification traditionally relies on recognizing unencrypte on. However, since classification commonly relies on recognizing unencrypted pro
d properties of packets in a flow, increasing encryption of traffic can decrease perties of packets in a flow, increasing encryption of traffic can decrease the
the effectiveness of classification.</t> effectiveness of classification.</t>
<t>The amount of classification that can be performed on traffic also <t>The amount of classification that can be performed on traffic also
provides a useful insight onto how "leaky" the protocols used by applications ar provides useful insight into how "leaky" the protocols used by applications are
e, and points to areas where information is visible to any observer, which may b and points to areas where information is visible to any observer, who may or may
e malicious or not.</t> not be malicious.</t>
<t>Traditionally, classification has been based on experts crafting sp <t>Frequently, classification has been based on specific rules crafted
ecific rules, but there is also a move toward using maching learning to recogniz by experts, but there is also a move toward using machine learning to recognize
e patterns. "Deep learning" machine learning models generally rely on analyzing patterns. "Deep learning" machine-learning models generally rely on analyzing a
a large set of traffic over time, and have trouble reacting quickly to changes i large set of traffic over time and have trouble reacting quickly to changes in
n traffic patterns.</t> traffic patterns.</t>
<t>Models that are based on closed-world data sets also become less us <t>Models that are based on closed-world data sets also become less us
eful over time, as traffic changes. <xref target="JIANG"/> describes experiments eful over time as traffic changes. <xref target="JIANG"/> describes experiments
that showed that a model that performs with high accuracy on an initial data se that show that a model that performed with high accuracy on an initial data set
t became severely degraded when running on a newer data set that contained traff becomes severely degraded when running on a newer data set that contains traffic
ic from the same applications. Even in as little time as one week, the traffic c from the same applications. Even in as little time as one week, the traffic cla
lassification would become degraded. However, the set of features in packets and ssification would become degraded. However, the set of features in packets and f
flows that were useful for models stayed mostly consistent, even if the models lows that were useful for models stayed mostly consistent, even if the models th
themselves needed to be updated. Models where the feature space is reduced to fe emselves needed to be updated. Models where the feature space is reduced to fewe
wer features showed better resiliency, and could be retrained more quickly. Base r features showed better resiliency and could be retrained more quickly. Based o
d on this, <xref target="JIANG"/> recommends more work and research on determini n this, <xref target="JIANG"/> recommends more work and research to determine wh
ng which set of features in IP packets are most useful for focused machine learn ich set of features in IP packets are most useful for focused machine-learning a
ing analysis. <xref target="WU"/> also recommends further research investment in nalysis. <xref target="WU"/> also recommends further research investment in Arti
Artificial Intelligent (AI) analysis for network management.</t> ficial Intelligence (AI) analysis for network management.</t>
</section> </section>
<section anchor="preventing-traffic-analysis"> <section anchor="preventing-traffic-analysis">
<name>Preventing traffic analysis</name> <name>Preventing Traffic Analysis</name>
<t>Just as traffic classification is continually adapting, techniques <t>Just as traffic classification is continually adapting, techniques
to prevent traffic analysis and obfuscate application and user traffic are conti to prevent traffic analysis and to obfuscate application and user traffic are co
nually evolving. An invited talk from the authors of <xref target="DITTO"/> shar ntinually evolving. An invited talk from the authors of <xref target="DITTO"/> s
ed a novel approach with the workshop for how to build a very robust system to p hared a novel approach with the workshop for how to build a very robust system t
revent unwanted traffic analysis.</t> o prevent unwanted traffic analysis.</t>
<t>Usually traffic obfuscation is performed by changing the timing of <t>Usually traffic obfuscation is performed by changing the timing of
packets or adding padding data. The practices can be costly and negatively impac packets or by adding padding to data. The practices can be costly and negatively
t performance. DITTO demonstrated the feasibility of applying traffic obfuscatio impact performance. <xref target="DITTO"/> demonstrated the feasibility of appl
n on aggregated traffic in the network with minimal overhead and in line speed.< ying traffic obfuscation on aggregated traffic in the network with minimal overh
/t> ead and inline speed.</t>
<t>While traffic obfuscation techniques are today not widely deployed, <t>While traffic obfuscation techniques are not widely deployed today,
this study underlines, together with the need for continuous effort to keep tra this study underlines the need for continuous effort to keep traffic models upd
ffic models updated over time, the challenges of classification of encrypted tra ated over time, the challenges of the classification of encrypted traffic, as we
ffic as well as opportunities to further enhance user privacy.</t> ll as the opportunities to further enhance user privacy.</t>
</section> </section>
<section anchor="users-and-privacy"> <section anchor="users-and-privacy">
<name>Users and privacy</name> <name>Users and Privacy</name>
<t>The Privacy Enhancements and Assessments Research Group is working <t>The Privacy Enhancements and Assessments Research Group (PEARG) is
on a document to discuss guidelines for how to measure traffic on the Internet i working on a document to discuss guidelines for measuring traffic on the Interne
n a safe and privacy-friendly way (<xref target="I-D.irtf-pearg-safe-internet-me t in a safe and privacy-friendly way <xref target="I-D.irtf-pearg-safe-internet-
asurement"/>). These guidelines and principles provide another angle onto the di measurement"/>. These guidelines and principles provide another view on the disc
scussion of passive classification and analysis of traffic.</t> ussion of passive classification and analysis of traffic.</t>
<t>Consent for collection and measurement of metadata is an important <t>Consent for collection and measurement of metadata is an important
consideration in deploying network measurement techniques. This consent can be e consideration in deploying network measurement techniques. This consent can be g
xplicitly given as informed consent, or can be given by proxy or be only implied iven explicitly as informed consent, given by proxy, or may be only implied. For
. For example, a user of a network might need to consent to certain measurement example, a user of a network might need to consent to certain measurement and t
and traffic treatment when joining a network.</t> raffic treatment when joining a network.</t>
<t>Various techniques for data collection can also improve user privac <t>Various techniques for data collection can also improve user privac
y, such as discarding data after a short period of time, masking out aspects of y, such as discarding data after a short period of time, masking aspects of data
data that contain user-identifying information, reducing the accuracy of collect that contain user-identifying information, reducing the accuracy of collected d
ed data, and aggregating data.</t> ata, and aggregating data.</t>
</section> </section>
<section anchor="discussion"> <section anchor="discussion">
<name>Discussion</name> <name>Discussion</name>
<t>The intents and goals of users, application developers, and network <t>The intents and goals of users, application developers, and network
operators align in some cases, but not others. One of the recurring challenges operators align in some cases, but not in others. One of the recurring challeng
that came up was not having a clear way to understand or communicate intents and es that was discussed was the lack of a clear way to understand or to communicat
requirements. Both traffic classification and traffic obfuscation attempt to ch e intents and requirements. Both traffic classification and traffic obfuscation
ange the visibility of traffic without cooperation of other parties: traffic cla attempt to change the visibility of traffic without cooperation of other parties
ssification is a network attempting to inspect application traffic without coord : traffic classification is an attempt by the network to inspect application tra
ination from applications, and traffic obfuscation is an attempt to hide that sa ffic without coordination from applications, and traffic obfuscation is an attem
me traffic as it transits a network.</t> pt by the application to hide that same traffic as it transits a network.</t>
<t>Traffic adaptation and prioritization is one dimension in which the <t>Traffic adaptation and prioritization is one dimension in which the
incentives for cooperation seem most clear. Even if an application is trying to incentives for cooperation seem most clear. Even if an application is trying to
prevent leaking metadata, it could benefit from signals from network about sudd prevent the leaking of metadata, it could benefit from signals from the network
en capacity changes that can help it adapt its application quality, such as bitr about sudden capacity changes that can help it adapt its application quality, s
ates and codecs. Such signalling may not be appropriate for the most privacy-sen uch as bitrates and codecs. Such signaling may not be appropriate for the most p
sitive applications, like Tor, but could be applicable for many others. There ar rivacy-sensitive applications, like Tor, but could be applicable for many others
e existing protocols that involve explicit signaling between applications and ne . There are existing protocols that involve explicit signaling between applicati
tworks, such as Explicit Congestion Notification (ECN) <xref target="RFC3168"/>, ons and networks, such as Explicit Congestion Notification (ECN) <xref target="R
but that has yet to see wide adoption.</t> FC3168"/>, but that has yet to see wide adoption.</t>
<t>Managed networks (such a private corporate networks) was brought up <t>Managed networks (such as private corporate networks) were brought
in several comments as a particularly challenging area for being able to meet m up in several comments as particularly challenging for meeting management requir
anagement requirements while maintaining encryption and privacy. These networks ements while maintaining encryption and privacy. These networks can have legal a
can have legal and regulated requirements for detection of specific fraudulent o nd regulated requirements for detection of specific fraudulent or malicious traf
r malicious traffic.</t> fic.</t>
<t>Personal networks that enable managed parental controls have simila <t>Personal networks that enable managed parental controls have simila
r complications with encrypted traffic and user privacy. In these scenarios, the r complications with encrypted traffic and user privacy. In these scenarios, the
parental controls being operated by the network may be as simple as a DNS filte parental controls that are operated by the network may be as simple as a DNS fi
r, and can be made ineffective by a device routing traffic to an alternate DNS r lter, which can be made ineffective by a device routing traffic to an alternate
esolver.</t> DNS resolver.</t>
</section> </section>
</section> </section>
<section anchor="day2"> <section anchor="day2">
<name>“Where we want to go” - Collaboration Principles</name> <name>"Where We Want to Go" - Collaboration Principles</name>
<t>The second day of the workshop agenda focused on the emerging techniq <t>The second day of the workshop focused on the emerging techniques for
ues for analysing, managing or monitoring encrypted traffic. Presentations range analyzing, managing, or monitoring encrypted traffic. Presentations covered adv
d from discussing advanced classification and identification, including machine- anced classification and identification, including machine-learning techniques,
learning techniques, for the purposes of manging network flows, monitoring or mo for the purposes of managing network flows or monitoring or monetizing usage.</t
netising usage.</t> >
<t>After an introduction that covered the goals of the workshop and the starting questions (as described in <xref target="intro"/>), there were three pr esentations, followed by open discussion.</t> <t>After an introduction that covered the goals of the workshop and the starting questions (as described in <xref target="intro"/>), there were three pr esentations, followed by open discussion.</t>
<section anchor="first-party-collaboration-for-network-management"> <section anchor="first-party-collaboration-for-network-management">
<name>First party collaboration for network management</name> <name>First-Party Collaboration for Network Management</name>
<t>It is the intention of encryption to create a barrier between entit <t>It is the intent of end-to-end encryption of traffic to create a ba
ies inside the communication channel and everyone else, including network operat rrier between entities inside the communication channel and everyone else, inclu
ors, considering end-to-end encryption of traffic. Any attempt, therefore, to ov ding network operators. Therefore, any attempt to overcome that intentional barr
ercome that intentional barrier requires an intent to collaborate between the in ier requires collaboration between the inside and outside entities. At a minimum
side and outside entities. Those entities must, at a minimum, agree on the benef , those entities must agree on the benefits of overcoming the barrier (or solvin
its to overcoming the barrier (or solving the problem), that costs are proportio g the problem), agree that costs are proportional to the benefits, and agree to
nal to the benefits, and to additional limitations, or safeguards, against bad b additional limitations or safeguards against bad behavior by collaborators inclu
ehaviour by collaborators including the inclusion of other non-insiders <xref ta ding other non-insiders <xref target="BARNES"/>.</t>
rget="BARNES"/>.</t> <t>The Internet is designed interoperably, which means an outside enti
<t>The Internet is designed interoperably, which means an outside enti ty wishing to collaborate with the inside might be any number of intermediaries
ty wishing to collaborate with the inside might be any number of intermediaries and not, say, a specific person that can be trusted in the human sense. Addition
and not, say, a specific person that can be trusted in the human sense. Addition ally, the use of encryption, especially network-layer or transport-layer encrypt
ally the use of encryption, especially network-layer or transport-layer encrypti ion, introduces dynamic or opportunistic or perfunctory discoverability. These r
on, introduces dynamic or opportunitistic or perfunctory discoverability. These ealities point to a need to ask why an outside entity might make an engineering
realities both point to a need to interrogate the reason why any outside entity case to collaborate with the user of a network with encrypted traffic and to ask
might make an engineering case to collaborate with the user of a network with en whether the trade-offs and potential risks are worth it to the user.</t>
crypted traffic, and whether the tradeoffs and potential risks are worth it to t <t>However, the answers cannot be specific, and the determinations or
he user.</t> guidance need to be general as the encryption boundary is inevitably an applicat
<t>However, the answers cannot be specific and the determinations or g ion used by many people. Trade-offs must make sense to users who are unlikely to
uidance need to be general as the encryption boundary is inevitably an applicati be thinking about network management considerations. Harms need to be preemptiv
on used by many people. Tradeoffs must make sense to users who are unlikely to b ely reduced because, in general terms, few users would choose network management
e thinking about network management considerations. Harms need to be preemptivel benefits over their own privacy if given the choice.</t>
y reduced because in general terms few users would choose network management ben <t>Some have found that there appears to be little, if any, evidence
efits over their own privacy if given the choice.</t> that encryption causes network problems that are meaningful to the user. Since
<t>Some have found that there appears to be little if any actual evide alignment on problem solving is a prerequisite to collaboration on a
nce solution, it does not seem that collaboration across the encryption
that encryption is causing user-meaningful network problems. Since
alignment on problem-solving is a prerequisite to collaboration on a
solution it does not seem that collaboration across the encryption
boundary is called for.</t> boundary is called for.</t>
</section> </section>
<section anchor="second-and-third-party-collaboration-for-network-manage ment"> <section anchor="second-and-third-party-collaboration-for-network-manage ment">
<name>Second and third party collaboration for network management</nam <name>Second- and Third-Party Collaboration for Network Management</na
e> me>
<t>Even with the wide-scale deployment of encryption in new protocols <t>Even with the wide-scale deployment of encryption in new protocols
and techniques that prevent passive observers of network traffic from knowing th and of techniques that prevent passive observers of network traffic from knowing
e content of exchanged communications, important information such as which parti the content of exchanged communications, important information, such as which p
es communicate and sometimes even which services have been requested may still b arties communicate and sometimes even which services have been requested, may st
e able to be deduced. The future is to conceal more data and metadata from passi ill be able to be deduced. The future is to conceal more data and metadata from
ve observers and also to minimize information exposure to second parties (where passive observers and also to minimize information exposure to second parties (w
the user is the first party) by, maybe counterintuitively, introducing third-par here the user is the first party) by, maybe counterintuitively, introducing thir
ty relay services to intermediate communications. As discussed in <xref target=" d-party relay services to intermediate communications. As discussed in <xref tar
KUEHLEWIND"/>, the relay is a mechanism to separate (using additional levels of get="KUEHLEWIND"/>, the relay is a mechanism that uses additional levels of encr
encryption) two important pieces of information: knowledge of the identity of th yption to separate two important pieces of information: knowledge of the identit
e person accessing a service is separated from knowledge about the service being y of the person accessing a service is separated from knowledge about the servic
accessed. By contrast a VPN uses only one level of encryption and does not sepa e being accessed. By contrast, a VPN uses only one level of encryption and does
rate identity (first party) and service (second party) metadata.</t> not separate identity (first party) and service (second party) metadata.</t>
<t>Relay mechanisms are termed "oblivious", there is a future for spec <t>Relay mechanisms are termed "oblivious", there is a future for spec
ifications in privacy-preserving measurement (PPM), and protocols like Multiplex ifications in privacy-preserving measurement (PPM), and protocols like Multiplex
ed Application Substrate over QUIC Encryption (MASQUE) are discussed in the IETF ed Application Substrate over QUIC Encryption (MASQUE) are discussed in the IETF
. In various schemes, users are ideally able to share their identity only with t . In various schemes, users are ideally able to share their identity only with t
he entity they have identified as a trusted one. That data is not shared with th he entity they have identified as a trusted one. That data is not shared with th
e service provider. However this is more complicated for network management, but e service provider. However, this is more complicated for network management, bu
there may be opportunities for better collaboration between the network and, sa t there may be opportunities for better collaboration between the network and, s
y, the application or service at the endpoint.</t> ay, the application or service at the endpoint.</t>
<t>A queriable relay mechanism could preserve network management funct <t>A queriable relay mechanism could preserve network management funct
ions that are disrupted by encryption, such as TCP optimisation, quality of serv ions that are disrupted by encryption, such as TCP optimization, quality of serv
ice, zero-rating, parental controls, access control, redirection, content enhanc ice, zero-rating, parental controls, access control, redirection, content enhanc
ement, analytics and fraud prevention. Instead of encrypted communication betwee ement, analytics, and fraud prevention. Instead of encrypting communication betw
n only two ends and passive observation by all on-path elements, intermediate re een only two ends with passive observation by all on-path elements, intermediate
lays could be trusted parties with limited information for the purposes of colla relays could be introduced as trusted parties that get to see limited informati
boration between in-network intermediary services' support.</t> on for the purpose of collaboration between in-network intermediary services.</t
>
</section> </section>
<section anchor="visible-optional-network-management"> <section anchor="visible-optional-network-management">
<name>Visible, optional network management</name> <name>Visible, Optional Network Management</name>
<t>In encrypted communications, out of all of the possible network man <t>Out of all of the possible network management functions that might
agement functions that might be ameliorated by proxying, the ability to control be ameliorated by proxying, the ability to control congestion in encrypted commu
congestion has been researched in depth. These techniques are realized based on nications has been researched in depth. These techniques are realized based on T
TCP performance enhancing proxies (PEP) that either entirely intercept a TCP con CP performance-enhancing proxies (PEPs) that either entirely intercept a TCP con
nection or interfere with the transport information in the TCP header. However, nection or interfere with the transport information in the TCP header. However,
despite the challenge that the new encrypted protocol will limit any such in-net despite the challenge that the new encrypted protocol will limit any such in-net
work interference, these techniques can also have a negative impact on the evolv work interference, these techniques can also have a negative impact on the evolv
ability of these protocols. Therefore, instead of manipulating existing informat ability of these protocols. Therefore, a new approach was presented where, inste
ion, a new approach was presented where additional information is send using a ad of manipulating existing information, additional information is sent using a
so-called side-car protocol independent of the main transport protocol that is u so-called sidecar protocol independent of the main transport protocol that is us
sed end-to-end <xref target="WELZL"/>. E.g. side car information can contain add ed end to end <xref target="WELZL"/>. For example, sidecar information can conta
itional acknowledgements to enable in-network local retransmission faster end-to in additional acknowledgments to enable in-network local retransmission or faste
-end retransmission by reducing the signaling round trip time.</t> r end-to-end retransmission by reducing the signaling round-trip time.</t>
<t>Taking user privacy benefits for granted, there is a need to invest <t>Taking user privacy benefits for granted, there is a need to invest
igate the comparable performance outputs of various encrypted traffic configurat igate the comparable performance outputs of various encrypted traffic configurat
ions such as use of an additional "side-car" protocol, or explicit encrypted and ions such as the use of an additional sidecar protocol, or explicit encrypted an
trusted network communication using MASQUE in relation to existing techniques s d trusted network communication using MASQUE in relation to existing techniques
uch as TCP performance enhancing proxies (PEP), etc.</t> such as TCP PEPs, etc.</t>
</section> </section>
<section anchor="discussion-1"> <section anchor="discussion-1">
<name>Discussion</name> <name>Discussion</name>
<t>One size fits all? On the issue of trust, different networks or dev <t>One size fits all? On the issue of trust, different networks or dev
ices are going to have different requirements for the level of trust that they h ices will have different trust requirements for devices, users, or each other, a
ave in devices, users or each other, and vice versa. For example, imagine networ nd vice versa. For example, imagine two networks with really different security
ks with really different security requirements, like protecting children in a ho requirements, like a home network with a requirement to protect its child users
me versus a national security institution. How could one network architecture so versus a national security institution's network. How could one network architec
lve the needs of all use cases?</t> ture solve the needs of all use cases?</t>
<t>Does our destination have consequences? It seems sometimes that the <t>Does our destination have consequences? It seems sometimes that the
re may be consequences many years down the line of ubiquitous, strong encryption re may be future consequences caused by the ubiquitous, strong encryption of net
of network traffic because it will cause a reaction by intermediaries to find w work traffic because it will cause intermediaries to poke holes in what are supp
ays to poke holes in what are supposed to be long-term solutions for user privac osed to be long-term solutions for user privacy and security.</t>
y and security.</t> <t>Can we bring the user along? While there has been a focus on the go
<t>Can we bring the user along? While there has been a focus on the go od reasons why people might collaborate across the encryption barrier, there wil
od reasons for why people might collaborate across the encryption barrier, there l always be others who want to disrupt that in order to exploit the data for the
will always be others who want to disrupt that because they are motivated to ex ir own gain, and sometimes exploitation is called innovation. High-level policy
ploit the data for their own gain, and sometimes this is called innovation. What mitigations have exposed how powerless end users are against corporate practices
high-level policy mitigations have done is to expose how powerless end users ar of data harvesting. And yet interfaces to help users understand these lower-lay
e to corporate practices of data harvesting. And yet interfaces to help users un er traffic flows to protect their financial transactions or privacy haven't been
derstand these lower layer traffic flows to protect their financial transactions achieved yet. That means that engineers must make inferences about user wants.
or privacy haven't been achieved yet. That means that engineers are having to m Instead, we should make these relationships and trade-offs more visible.</t>
ake inferences about what users want. Instead we should be making these relation
ships and tradeoffs more visible.</t>
</section> </section>
</section> </section>
<section anchor="day3"> <section anchor="day3">
<name>“How we get there” - Collaboration Use cases</name> <name>"How We Get There" - Collaboration Use Cases</name>
<t>The third day focused on techniques that could actually be used to <t>The third day focused on techniques that could be used to
improve management of encrypted networks. A central theme of all of improve the management of encrypted networks.<br/>
the presentations about potential proposed paths forward included some The potential paths forward described in the presentations included some
element of collaboration between networks and subscribing clients that element of collaboration between the networks and the subscribing clients that
simultaneously want both privacy and protection. Thus, the central simultaneously want both privacy and protection. Thus, the central
theme in the third day became negotiation and collaboration.</t> theme of the third day became negotiation and collaboration.</t>
<section anchor="establishing-expected-contracts-to-enable-security-mana gement"> <section anchor="establishing-expected-contracts-to-enable-security-mana gement">
<name>Establishing expected contracts to enable security management</n <name>Establishing Expected Contracts to Enable Security Management</n
ame> ame>
<t>When thinking about enterprise networks where client behavior is <t>For enterprise networks where client behavior is
potentially managed, <xref target="COLLINS"/> proposes "Improving network potentially managed, <xref target="COLLINS"/> proposes "Improving network
monitoring through contracts", where contracts describe different monitoring through contracts", where contracts describe different
states of network behavior.</t> states of network behavior.</t>
<t>Because network operators have a limited amount of time to focus on <t>Because network operators have a limited amount of time to focus on
problems and process alerts, contracts and states let the operator problems and process alerts, contracts and states let the operator
focus on a particular aspect of a current situation or problem. The focus on a particular aspect of a current situation or problem. The
current estimate for the number of events a Security Operations Center (SOC) ope rator can handle current estimate for the number of events a Security Operations Center (SOC) ope rator can handle
is about 10 per hour. Operators must work within the limits imposed is about 10 per hour. Operators must work within the limits imposed
by their organization, and must pick between options that frequently by their organization and must pick among options that frequently
only frustrate attackers -- entirely preventing attacks is potentially only frustrate attackers -- preventing attacks entirely is potentially
impossible. Finally, operators must prioritize and manage the most impossible. Finally, operators must prioritize and manage the most
events possible.</t> events possible.</t>
<t>Validating which alerts are true positives is challenging because l ots <t>Validating which alerts are true positives is challenging because l ots
of weird traffic creates many anomalies and not all anomalies are of weird traffic creates many anomalies, and not all anomalies are
malicious events. Identifying what anomalous traffic is rooted in malicious events. Identifying which anomalous traffic is rooted in
malicious activity with any level of certainty is extremely malicious activity with any level of certainty is extremely
challenging. Unfortunately, applying the latest machine learning challenging. Unfortunately, applying the latest machine-learning
techniques has only produced mixed results. To make matters worse, techniques has produced mixed results. To make matters worse,
the large amounts of Internet-wide scanning has resulted in endless the large amounts of Internet-wide scanning has resulted in endless
traffic that is technically malicious but only creates an information traffic that is technically malicious but only creates an information
overload and challenges event prioritization. Any path forward must overload and challenges event prioritization. Any path forward must
succeed in freeing up analyst time to concentrate on the more free up analyst time to concentrate on the more
challenging events.</t> challenging events.</t>
<t>The proposed contract solution is to define a collection of accepta ble <t>The proposed contract solution is to define a collection of accepta ble
behaviors categorized into an envelope of different states that might behaviors that comprises different states that might
include IP addresses, domain names, and indicators of compromise. include IP addresses, domain names, and indicators of compromise.
Deviation from a contract might indicate that a system is acting Deviation from a contract might indicate that a system is acting
outside a normal mode of behavior, or even a normal mode of outside a normal mode of behavior or even that a normal mode of
behavior is suddenly missing. An example contract might be "this behavior is suddenly missing. An example contract might be "this
system is expected to update its base OS once a day", and if this system is expected to update its base OS once a day". If this
doesn't occur then this expectation has not been met and the system doesn't occur, then this expectation has not been met, and the system
should be checked as it failed to call home to look for (potentially should be checked as it failed to call home to look for (potentially
security related) updates.</t> security-related) updates.</t>
<t>Within the IETF, the Manufacturer Usage Description Specification <t>Within the IETF, the Manufacturer Usage Description Specification
(MUD) {?RFC8520} specification is one subset of contracts. Note that (MUD) <xref target="RFC8520"/> is one subset of contracts. Note that
contracts are likely to only succeed in a constrained, expected contracts are likely to succeed only in a constrained, expected
environment maintained by operational staff, and may not work in an environment maintained by operational staff and may not work in an
open internet environment where end users are driving all network open Internet environment where end users drive all network
connections.</t> connections.</t>
</section> </section>
<section anchor="zero-knowledge-middleboxes"> <section anchor="zero-knowledge-middleboxes">
<name>Zero Knowledge Middleboxes</name> <name>Zero-Knowledge Middleboxes</name>
<t>The world is not only shifting to increased encrypted traffic but i s <t>The world is not only shifting to increased encrypted traffic but i s
also encrypting more and more of the metadata (e.g. DNS queries and also encrypting more and more of the metadata (e.g., DNS queries and
responses). This makes network policy enforcement by middleboxes responses). This makes network policy enforcement by middleboxes
significantly more challenging. The result is the creation of a significantly more challenging. The result is a
significant tension between security enforcement and privacy significant tension between security enforcement and privacy
protection.</t> protection.</t>
<t>A goal for solving this problem should include not weakening <t>Goals for solving this problem should include
encryption, should enable networks to enforce their policies, and enabling networks to enforce their policies, but
should ideally not require newly deployed server software. Existing should not include the weakening of encryption nor the deployment of new server
solutions fail with at least one of these points.</t> software. Existing
solutions fail to meet at least one of these points.</t>
<t>A cryptographic principle of a "zero-knowledge proof" (ZKP) <xref t arget="GRUBBS"/> <t>A cryptographic principle of a "zero-knowledge proof" (ZKP) <xref t arget="GRUBBS"/>
maybe one path forward to consider. A ZKP allows a third party to may be one path forward to consider. A ZKP allows a third party to
verify that a statement is true, without revealing what the statement verify that a statement is true without revealing what the statement
actually is. Applying this to network traffic has been shown to allow actually is. Applying this to network traffic has been shown to allow
a middlebox to verify that traffic to a web server is actually a middlebox to verify that traffic to a web server is
compliant with a policy without revealing the actual contents. This compliant with a policy without revealing the actual contents. This
solution meets the above three criteria. Using ZKP within TLS 1.3 solution meets the three criteria listed above. Using ZKP within TLS 1.3
traffic turns out to be plausible.</t> traffic turns out to be plausible.</t>
<t>An example engine was built to test ZKP using encrypted DNS. Clien ts <t>An example engine using encrypted DNS was built to test ZKP. Clien ts
were able to create DNS requests that were not listed within a DNS were able to create DNS requests that were not listed within a DNS
block list. Middleboxes could verify, without knowing the exact block list. Middleboxes could verify, without knowing the exact
request, that the client's DNS request was not in the prohibited list. request, that the client's DNS request was not on the prohibited list.
Although the result was functional, the computational overhead was Although the result was functional, the computational overhead was
still too slow and future work will be needed to decrease the ZKP still too slow, and future work will be needed to decrease the ZKP-imposed
imposed latencies.</t> latencies.</t>
</section> </section>
<section anchor="red-rover-a-collaborative-approach-to-content-filtering "> <section anchor="red-rover-a-collaborative-approach-to-content-filtering ">
<name>Red Rover - A collaborative approach to content filtering</name> <name>Red Rover - a Collaborative Approach to Content Filtering</name>
<t>The principle challenge being studied is how to deal with the inher <t>The principle challenge being studied is how to handle the inherent
it
conflict between filtering and privacy. Network operators need to conflict between filtering and privacy. Network operators need to
implement policies and regulations that can originate from many implement policies and regulations that can originate from many
locations (e.g. security, governmental, parental, etc). Conversely, locations (e.g., security, governmental, parental, etc.). Conversely,
clients need to protect user's privacy and user security.</t> clients need to protect their users' privacy and security.</t>
<t>Safe browsing, originally created by Google, is one example of a <t>Safe browsing, originally created by Google, is one example of a
mechanism that tries to meet both sides of this conflict. It would be mechanism that tries to meet both sides of this conflict. It would be
beneficial to standardize this and other similar mechanisms. beneficial to standardize this and other similar mechanisms.
Operating systems could continually protect their users by ensuring Operating systems could continually protect their users by ensuring
that malicious destinations are not being reached. This would require that malicious destinations are not being reached. This would require
some coordination between cooperating clients and servers offering some coordination between cooperating clients and servers offering
protection services. These collaborative solutions may be the best protection services. These collaborative solutions may be the best
compromise between the tension of privacy vs protection based services compromise to resolve the tension between privacy services and protection servic es
<xref target="PAULY"/>.</t> <xref target="PAULY"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="conclusions"> <section anchor="conclusions">
<name>Conclusions</name> <name>Conclusions</name>
<t>Looking forward, the workshop participants identified that solving the <t>Looking forward, the workshop participants identified that solving the
entire problem space with a single approach will be challenging for entire problem space with a single approach will be challenging for
several reasons:</t> several reasons:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The scalability of many solutions will likely be an issue as some <li>
solutions are complex or expensive to implement.</li> <t>The scalability of many solutions will likely be an issue as some
<li>Collaboration between multiple parties will be required for many solutions are complex or expensive to implement.</t>
</li>
<li>
<t>Collaboration between multiple parties will be required for many
mechanisms to function, and the sets of parties required for different mechanisms to function, and the sets of parties required for different
use cases might be disjoint.</li> use cases might be disjoint.</t>
<li>There is an unanswered question of whether or not network operators </li>
be willing to participate and allow technologies into their environment <li>
requirements in exchange for technologies that prove their clients are <t>There is an unanswered question of whether or not network operators
being good net-citizens. If so, some of these solutions might be required are willing to participate by allowing new encryption technologies into their e
to exist before networks allow a certain type of increased encryption; nvironment in exchange for technologies that prove their clients are being good
consider the example of TLS Encrypted Client Hello being blocked by net-citizens. If so, some of these solutions might be required to exist before n
some network operators.</li> etworks allow a certain type of increased encryption; consider the example of TL
S Encrypted Client Hello being blocked by some network operators.</t>
</li>
</ul> </ul>
<t>The breadth of the problem space itself is another complicating <t>The breadth of the problem space itself is another complicating
factor. There is a wide variety of network architectures, and each factor. There is a wide variety of network architectures, and each
has different requirements for both data encryption and network has different requirements for both data encryption and network
management. Each problem space will have different encumbrances of management. Each problem space will have multiple, different encumbrances:
multiple types; for example, technical, legal, data ownership, for example, technical, legal, data ownership,
and regulatory concerns. New network architectures might be needed to and regulatory concerns. New network architectures might be needed to
solve this problem at a larger scope, which would in turn require solve this problem at a larger scope, which would in turn require
interoperability support from network product vendors. Education about interoperability support from network product vendors. Education about
various solutions will be required in order to ensure regulation and various solutions will be required in order to ensure regulation and
policy organizations can understand and thus support the deployment of policy organizations can understand and thus support the deployment of
developed solutions.</t> developed solutions.</t>
<t>After new technologies and related standards are developed and deployed , <t>After new technologies and related standards are developed and deployed ,
unintended consequences can emerge that weren't considered during the unintended consequences can emerge.
design of the protocol. These lead to effects in multiple directions: These lead to effects in multiple directions:
on one hand, exposed protocol values not intended for network management on one hand, exposed protocol values not intended for network management
might be used by networks to differentiate traffic; on the other hand, might be used by networks to differentiate traffic; on the other hand,
changes to a protocol might have impact on private network deployments changes to a protocol that break existing use cases might have an impact on priv
that break existing use cases. While making decisions on technology ate network deployments.
While making decisions on technology
direction and protocol design, it is important to consider the impact on direction and protocol design, it is important to consider the impact on
various kinds of network deployments and their unique requirements. various kinds of network deployments and their unique requirements.
When protocols change to make different network management functions When protocols change to make different network management functions
easier or harder, the impact on various deployment models ought to be easier or harder, the impact on various deployment models ought to be
considered and documented.</t> considered and documented.</t>
</section> </section>
</middle> </middle>
<back> <back>
<references> <displayreference target="I-D.irtf-pearg-safe-internet-measurement" to="LEAR
MONTH"/>
<references anchor="sec-informative-references">
<name>Informative References</name> <name>Informative References</name>
<reference anchor="BARNES" target="https://github.com/intarchboard/m-ten-w orkshop/blob/main/papers/Barnes-Whats-In-It-For-Me-Revisiting-the-reasons-people -collaborate.pdf"> <reference anchor="BARNES" target="https://www.iab.org/wp-content/IAB-uplo ads/2023/11/Barnes-Whats-In-It-For-Me-Revisiting-the-reasons-people-collaborate. pdf">
<front> <front>
<title>Whats In It For Me? Revisiting the reasons people collaborate< /title> <title>What's In It For Me? Revisiting the reasons people collaborate< /title>
<author initials="R." surname="Barnes" fullname="Richard L. Barnes"> <author initials="R." surname="Barnes" fullname="Richard L. Barnes">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="CASAS" target="https://github.com/intarchboard/workshop -m-ten/blob/main/papers/Casas-AI-driven-real-time-QoE-monitoring-encrypted-traff ic.pdf"> <reference anchor="CASAS" target="https://www.iab.org/wp-content/IAB-uploa ds/2023/11/Casas-AI-driven-real-time-QoE-monitoring-encrypted-traffic.pdf">
<front> <front>
<title>Monitoring User-Perceived Quality in an Encrypted Internet</tit le> <title>Monitoring User-Perceived Quality in an Encrypted Internet - AI to the Rescue</title>
<author initials="P." surname="Casas" fullname="Pedro Casas"> <author initials="P." surname="Casas" fullname="Pedro Casas">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="COLLINS" target="https://github.com/intarchboard/worksh op-m-ten/blob/main/papers/Collins-Improving-Network-Monitoring-Through-Contracts .pdf"> <reference anchor="COLLINS" target="https://www.iab.org/wp-content/IAB-upl oads/2023/11/Collins-Improving-Network-Monitoring-Through-Contracts.pdf">
<front> <front>
<title>Improving Network Monitoring Through Contracts</title> <title>Improving Network Monitoring Through Contracts</title>
<author initials="M." surname="Collins" fullname="Michael Collins"> <author initials="M." surname="Collins" fullname="Michael Collins">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="DERI" target="https://github.com/intarchboard/workshop- m-ten/blob/main/papers/Deri-nDPI-Research-Proposal.pdf"> <reference anchor="DERI" target="https://www.iab.org/wp-content/IAB-upload s/2023/11/Deri-nDPI-Research-Proposal.pdf">
<front> <front>
<title>nDPI Research Proposal</title> <title>nDPI Research Proposal</title>
<author initials="L." surname="Deri" fullname="Luca Deri"> <author initials="L." surname="Deri" fullname="Luca Deri">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="ELKINS" target="https://github.com/intarchboard/worksho p-m-ten/blob/main/papers/Elkins-Performance-Monitoring-in-Encrypted-Networks-PDM v2.pdf"> <reference anchor="ELKINS" target="https://www.iab.org/wp-content/IAB-uplo ads/2023/11/Elkins-Performance-Monitoring-in-Encrypted-Networks-PDMv2.pdf">
<front> <front>
<title>Performance Monitoring in Encrypted Networks</title> <title>Performance Monitoring in Encrypted Networks: PDMv2</title>
<author initials="N." surname="Elkins" fullname="Nalini Elkins"> <author initials="N." surname="Elkins" fullname="Nalini Elkins">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Ackermann" fullname="Mike Ackermann"> <author initials="M." surname="Ackermann" fullname="Mike Ackermann">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Tahiliani" fullname="Mohit P. Tahiliani "> <author initials="M." surname="Tahiliani" fullname="Mohit P. Tahiliani ">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Dhody" fullname="Dhruv Dhody"> <author initials="D." surname="Dhody" fullname="Dhruv Dhody">
<organization/> <organization/>
</author> </author>
<author initials="T." surname="Pecorella" fullname="Prof. Tommaso Peco rella"> <author initials="T." surname="Pecorella" fullname="Prof. Tommaso Peco rella">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="GRUBBS" target="https://github.com/intarchboard/worksho p-m-ten/blob/main/papers/Grubbs-Zero-Knowledge%20Middleboxes.pdf"> <reference anchor="GRUBBS" target="https://www.usenix.org/conference/useni xsecurity22/presentation/grubbs">
<front> <front>
<title>Zero-Knowledge Middleboxes</title> <title>Zero-Knowledge Middleboxes</title>
<author initials="P." surname="Grubbs" fullname="Paul Grubbs"> <author initials="P." surname="Grubbs" fullname="Paul Grubbs">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Arun" fullname="Arasu Arun"> <author initials="A." surname="Arun" fullname="Arasu Arun">
<organization/> <organization/>
</author> </author>
<author initials="Y." surname="Zhang" fullname="Ye Zhang"> <author initials="Y." surname="Zhang" fullname="Ye Zhang">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Bonneau" fullname="Joseph Bonneau"> <author initials="J." surname="Bonneau" fullname="Joseph Bonneau">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Walfish" fullname="Michael Walfish"> <author initials="M." surname="Walfish" fullname="Michael Walfish">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
<refcontent>31st USENIX Security Symposium (USENIX Security 22)</refcont ent>
</reference> </reference>
<reference anchor="JIANG" target="https://github.com/intarchboard/workshop -m-ten/blob/main/papers/Jiang-Towards-Designing-Robust-and-Efficient-Classifiers -for-Encrypted-Traffic-in-the-Modern-Internet.pdf"> <reference anchor="JIANG" target="https://www.iab.org/wp-content/IAB-uploa ds/2023/11/Jiang-Towards-Designing-Robust-and-Efficient-Classifiers-for-Encrypte d-Traffic-in-the-Modern-Internet.pdf">
<front> <front>
<title>Towards Designing Robust and Efficient Classifiers for Encrypte d Traffic in the Modern Internet</title> <title>Towards Designing Robust and Efficient Classifiers for Encrypte d Traffic in the Modern Internet</title>
<author initials="X." surname="Jiang" fullname="Xi Jiang"> <author initials="X." surname="Jiang" fullname="Xi Jiang">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Liu" fullname="Shinan Liu"> <author initials="S." surname="Liu" fullname="Shinan Liu">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Naama" fullname="Saloua Naama"> <author initials="S." surname="Naama" fullname="Saloua Naama">
<organization/> <organization/>
skipping to change at line 392 skipping to change at line 400
</author> </author>
<author initials="P." surname="Schmitt" fullname="Paul Schmitt"> <author initials="P." surname="Schmitt" fullname="Paul Schmitt">
<organization/> <organization/>
</author> </author>
<author initials="N." surname="Feamster" fullname="Nick Feamster"> <author initials="N." surname="Feamster" fullname="Nick Feamster">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="KNODEL" target="https://github.com/intarchboard/worksho p-m-ten/blob/main/papers/Knodel-Guidelines-for-Performing-Safe-Measurement-on-th e-Internet.pdf"> <reference anchor="KNODEL" target="https://www.iab.org/wp-content/IAB-uplo ads/2023/11/Knodel-Guidelines-for-Performing-Safe-Measurement-on-the-Internet.pd f">
<front> <front>
<title>Guidelines for Performing Safe Measurement on the Internet</tit le> <title>(Introduction) 'Guidelines for Performing Safe Measurement on t he Internet'</title>
<author initials="M." surname="Knodel" fullname="Mallory Knodel"> <author initials="M." surname="Knodel" fullname="Mallory Knodel">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="KUEHLEWIND" target="https://github.com/intarchboard/wor
kshop-m-ten/blob/main/papers/Kuehlewind-Relying-on-Relays.pdf"> <reference anchor="KUEHLEWIND" target="https://www.ericsson.com/en/blog/20
22/6/relays-and-online-user-privacy">
<front> <front>
<title>Relying on Relays</title> <title>Relying on Relays: The future of secure communication</title>
<author initials="M." surname="Kühlewind" fullname="Mirja Kühlewind"> <author initials="M." surname="Kuehlewind" fullname="Mirja Kuehlewind"
>
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Westerlund" fullname="Magnus Westerlund "> <author initials="M." surname="Westerlund" fullname="Magnus Westerlund ">
<organization/> <organization/>
</author> </author>
<author initials="Z." surname="Sarker" fullname="Zaheduzzaman Sarker"> <author initials="Z." surname="Sarker" fullname="Zaheduzzaman Sarker">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Ihlar" fullname="Marcus Ihlar"> <author initials="M." surname="Ihlar" fullname="Marcus Ihlar">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="June"/>
</front> </front>
</reference> </reference>
<reference anchor="LEI" target="https://github.com/intarchboard/workshop-m -ten/blob/main/papers/Lei-Encrypted-Traffic-Classification-Through-Deep-Learning .pdf"> <reference anchor="LEI" target="https://www.iab.org/wp-content/IAB-uploads /2023/11/Lei-Encrypted-Traffic-Classification-Through-Deep-Learning.pdf">
<front> <front>
<title>Encrypted Traffic Classification Through Deep Learning</title> <title>Encrypted Traffic Classification Through Deep Learning</title>
<author initials="Y." surname="Lei" fullname="Yupeng Lei"> <author initials="Y." surname="Lei" fullname="Yupeng Lei">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Wu" fullname="Jun Wu"> <author initials="J." surname="Wu" fullname="Jun Wu">
<organization/> <organization/>
</author> </author>
<author initials="X." surname="Sun" fullname="Xudong Sun"> <author initials="X." surname="Sun" fullname="Xudong Sun">
<organization/> <organization/>
</author> </author>
<author initials="L." surname="Zhang" fullname="Liang Zhang"> <author initials="L." surname="Zhang" fullname="Liang Zhang">
<organization/> <organization/>
</author> </author>
<author initials="Q." surname="Wu" fullname="Qin Wu"> <author initials="Q." surname="Wu" fullname="Qin Wu">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="PAULY" target="https://github.com/intarchboard/workshop -m-ten/blob/main/papers/Pauly-Red-Rover-A-collaborative-approach-to-content-filt ering.pdf"> <reference anchor="PAULY" target="https://www.iab.org/wp-content/IAB-uploa ds/2023/11/Pauly-Red-Rover-A-collaborative-approach-to-content-filtering.pdf">
<front> <front>
<title>Red Rover</title> <title>Red Rover: A collaborative approach to content filtering</title >
<author initials="T." surname="Pauly" fullname="Tommy Pauly"> <author initials="T." surname="Pauly" fullname="Tommy Pauly">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Barnes" fullname="Richard Barnes"> <author initials="R." surname="Barnes" fullname="Richard Barnes">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="WELZL" target="https://github.com/intarchboard/workshop -m-ten/blob/main/papers/Welzl-The-Sidecar-Opting-in-to-PEP-Functions.pdf"> <reference anchor="WELZL" target="https://www.iab.org/wp-content/IAB-uploa ds/2023/11/Welzl-The-Sidecar-Opting-in-to-PEP-Functions.pdf">
<front> <front>
<title>The Sidecar</title> <title>The Sidecar: 'Opting in' to PEP Functions</title>
<author initials="M." surname="Welzl" fullname="Michael Welzl"> <author initials="M." surname="Welzl" fullname="Michael Welzl">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="WU" target="https://github.com/intarchboard/workshop-m- ten/blob/main/papers/Wu-mten-taxonomy.pdf"> <reference anchor="WU" target="https://www.iab.org/wp-content/IAB-uploads/ 2023/11/Wu-mten-taxonomy.pdf">
<front> <front>
<title>Network Management of Encrypted Traffic</title> <title>Network Management of Encrypted Traffic: Detect it don't decryp t it</title>
<author initials="Q." surname="Wu" fullname="Qin Wu"> <author initials="Q." surname="Wu" fullname="Qin Wu">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Wu" fullname="Jun Wu"> <author initials="J." surname="Wu" fullname="Jun Wu">
<organization/> <organization/>
</author> </author>
<author initials="Q." surname="Ma" fullname="Qiufang Ma"> <author initials="Q." surname="Ma" fullname="Qiufang Ma">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="DITTO" target="https://nsg.ee.ethz.ch/fileadmin/user_up load/publications/ditto_final_ndss22.pdf"> <reference anchor="DITTO">
<front> <front>
<title>Ditto - WAN Traffic Obfuscation at Line Rate</title> <title>ditto: WAN Traffic Obfuscation at Line Rate</title>
<author initials="R." surname="Meier" fullname="Roland Meier"> <author initials="R." surname="Meier" fullname="Roland Meier">
<organization/> <organization/>
</author> </author>
<author initials="V." surname="Lenders" fullname="Vincent Lenders"> <author initials="V." surname="Lenders" fullname="Vincent Lenders">
<organization/> <organization/>
</author> </author>
<author initials="L." surname="Vanbever" fullname="Laurent Vanbever"> <author initials="L." surname="Vanbever" fullname="Laurent Vanbever">
<organization/> <organization/>
</author> </author>
<date year="2022" month="April"/> <date year="2022" month="April"/>
</front> </front>
<refcontent>Network and Distributed Systems Security (NDSS) Symposium</r
efcontent>
<seriesInfo name="DOI" value="10.14722/ndss.2022.24056"/>
</reference> </reference>
<reference anchor="I-D.irtf-pearg-safe-internet-measurement">
<front>
<title>Guidelines for Performing Safe Measurement on the Internet</tit
le>
<author fullname="Iain R. Learmonth" initials="I. R." surname="Learmon
th">
<organization>HamBSD</organization>
</author>
<author fullname="Gurshabad Grover" initials="G." surname="Grover">
<organization>Centre for Internet and Society</organization>
</author>
<author fullname="Mallory Knodel" initials="M." surname="Knodel">
<organization>Center for Democracy and Technology</organization>
</author>
<date day="10" month="July" year="2023"/>
<abstract>
<t> Internet measurement is important to researchers from industry
,
academia and civil society. While measurement of the internet can
give insight into the functioning and usage of the Internet, it can
present risks to user privacy. This document describes briefly those
risks and proposes guidelines for ensuring that internet measurements
can be carried out safely, with examples.
</t> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.i
</abstract> rtf-pearg-safe-internet-measurement"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-irtf-pearg-safe-internet- <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.316
measurement-08"/> 8.xml"/>
</reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.852
<reference anchor="RFC3168"> 0.xml"/>
<reference anchor="HARDAKER" target="https://www.iab.org/wp-content/IAB-up
loads/2023/11/Hardaker-Encrypted-Traffic-Estimation.pdf">
<front> <front>
<title>The Addition of Explicit Congestion Notification (ECN) to IP</t <title>Network Flow Management by Probability</title>
itle> <author initials="W." surname="Hardaker" fullname="Wes Hardaker">
<author fullname="K. Ramakrishnan" initials="K." surname="Ramakrishnan <organization/>
"/> </author>
<author fullname="S. Floyd" initials="S." surname="Floyd"/> <date year="2022" month="August"/>
<author fullname="D. Black" initials="D." surname="Black"/>
<date month="September" year="2001"/>
<abstract>
<t>This memo specifies the incorporation of ECN (Explicit Congestion
Notification) to TCP and IP, including ECN's use of two bits in the IP header.
[STANDARDS-TRACK]</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="3168"/>
<seriesInfo name="DOI" value="10.17487/RFC3168"/>
</reference> </reference>
</references> </references>
<section anchor="positionpapers">
<section anchor="positionpapers">
<name>Position Papers</name> <name>Position Papers</name>
<t>Interested participants were openly invited to submit position papers o n the workshop topics, including Internet-Drafts, relevant academic papers, or s hort abstracts explaining their interest. The papers below constitute the inputs that were considered relevant for workshop attendees and that focused the discu ssions themselves. The program committee grouped the papers by theme as such.</t > <t>Interested participants were openly invited to submit position papers o n the workshop topics, including Internet-Drafts, relevant academic papers, or s hort abstracts explaining their interest. The papers below constitute the inputs that were considered relevant for workshop attendees and that focused the discu ssions themselves. The program committee grouped the papers by theme.</t>
<section anchor="motivations-and-principles"> <section anchor="motivations-and-principles">
<name>Motivations and principles</name> <name>Motivations and Principles</name>
<t>Richard Barnes. “What’s In It For Me? Revisiting the reasons people c <t>Richard Barnes. "What's In It For Me? Revisiting the reasons people c
ollaborate.” <xref target="BARNES"/></t> ollaborate." <xref target="BARNES"/></t>
<t>Iain R. Learmonth, Gurshabad Grover, Mallory Knodel. “Guidelines for <t>Mallory Knodel. "(Introduction) 'Guidelines for Performing Safe Measu
Performing Safe Measurement on the Internet.” (Additional rationale) <xref targe rement on the Internet'." (Additional rationale) <xref target="KNODEL"/></t>
t="KNODEL"/></t> <t>Qin Wu, Jun Wu, Qiufang Ma. "Network Management of Encrypted Traffic:
<t>Qin Wu, Jun Wu, Qiufang Ma. “Network Management of Encrypted Traffic: Detect it don't decrypt it." <xref target="WU"/></t>
Detect it don’t decrypt it.” <xref target="WU"/></t>
</section> </section>
<section anchor="classification-and-identification-of-encrypted-traffic"> <section anchor="classification-and-identification-of-encrypted-traffic">
<name>Classification and identification of encrypted traffic</name> <name>Classification and Identification of Encrypted Traffic</name>
<t>Luca Deri. “nDPI Research Proposal.” <xref target="DERI"/></t> <t>Luca Deri. "nDPI Research Proposal." <xref target="DERI"/></t>
<t>Wes Hardaker. “Network Flow Management by Probability.”</t> <t>Wes Hardaker. "Network Flow Management by Probability." <xref target=
<t>Xi Jiang, Shinan Liu, Saloua Naama, Francesco Bronzino, Paul Schmitt, "HARDAKER"/></t>
Nick Feamster. “Towards Designing Robust and Efficient Classifiers for Encrypte <t>Xi Jiang, Shinan Liu, Saloua Naama, Francesco Bronzino, Paul Schmitt,
d Traffic in the Modern Internet.” <xref target="JIANG"/></t> Nick Feamster. "Towards Designing Robust and Efficient Classifiers for Encrypte
<t>Yupeng Lei, Jun Wu, Xudong Sun, Liang Zhang, Qin Wu. “Encrypted Traff d Traffic in the Modern Internet." <xref target="JIANG"/></t>
ic Classification Through Deep Learning.” <xref target="LEI"/></t> <t>Yupeng Lei, Jun Wu, Xudong Sun, Liang Zhang, Qin Wu. "Encrypted Traff
ic Classification Through Deep Learning." <xref target="LEI"/></t>
</section> </section>
<section anchor="ideas-for-collaboration-and-coordination-between-devices- and-networks"> <section anchor="ideas-for-collaboration-and-coordination-between-devices- and-networks">
<name>Ideas for collaboration and coordination between devices and netwo <name>Ideas for Collaboration and Coordination between Devices and Netwo
rks</name> rks</name>
<t>Michael Collins. “Improving Network Monitoring Through Contracts.” <x <t>Michael Collins. "Improving Network Monitoring Through Contracts." <x
ref target="COLLINS"/></t> ref target="COLLINS"/></t>
<t>Paul Grubbs, Arasu Arun, Ye Zhang, Joseph Bonneau, Michael Walfish. <t>Paul Grubbs, Arasu Arun, Ye Zhang, Joseph Bonneau, Michael Walfish. "
Zero-Knowledge Middleboxes.” <xref target="GRUBBS"/></t> Zero-Knowledge Middleboxes." <xref target="GRUBBS"/></t>
<t>Mirja Kühlewind, Magnus Westerlund, Zaheduzzaman Sarker, Marcus Ihlar <t>Mirja Kuehlewind, Magnus Westerlund, Zaheduzzaman Sarker, Marcus Ihla
. “Relying on Relays: The future of secure communication.” <xref target="KUEHLEW r. "Relying on Relays: The future of secure communication." <xref target="KUEHLE
IND"/></t> WIND"/></t>
<t>Tommy Pauly, Richard Barnes. “Red Rover: A collaborative approach to <t>Tommy Pauly, Richard Barnes. "Red Rover: A collaborative approach to
content filtering.” <xref target="PAULY"/></t> content filtering." <xref target="PAULY"/></t>
<t>Michael Welzl. “The Sidecar: ‘Opting in’ to PEP Functions.“ <xref tar <t>Michael Welzl. "The Sidecar: 'Opting in' to PEP Functions." <xref tar
get="WELZL"/></t> get="WELZL"/></t>
</section> </section>
<section anchor="other-background-material"> <section anchor="other-background-material">
<name>Other background material</name> <name>Other Background Material</name>
<t>Pedro Casas. “Monitoring User-Perceived Quality in an Encrypted Inter <t>Pedro Casas. "Monitoring User-Perceived Quality in an Encrypted Inter
net AI to the Rescue.” <xref target="CASAS"/></t> net - AI to the Rescue." <xref target="CASAS"/></t>
<t>Nalini Elkins, Mike Ackermann, Mohit P. Tahiliani, Dhruv Dhody, Prof. <t>Nalini Elkins, Mike Ackermann, Mohit P. Tahiliani, Dhruv Dhody, Prof.
Tommaso Pecorella. “Performance Monitoring in Encrypted Networks: PDMv2.” <xref Tommaso Pecorella. "Performance Monitoring in Encrypted Networks: PDMv2." <xref
target="ELKINS"/></t> target="ELKINS"/></t>
</section> </section>
</section> </section>
<section anchor="participants"> <section anchor="participants">
<name>Workshop participants</name> <name>Workshop Participants</name>
<t>The workshop participants were Cindy Morgan, Colin Perkins, Cullen Jenn <t>The workshop participants were <contact fullname="Cindy Morgan"/>, <con
ings, Deborah Brungard, Dhruv Dhody, Eric Vyncke, Georg Carle, Ivan Nardi, Jari tact fullname="Colin Perkins"/>, <contact fullname="Cullen Jennings"/>, <contact
Arkko, Jason Livingood, Jiankang Yao, Karen O'Donoghue, Keith Winstein, Lars Egg fullname="Deborah Brungard"/>, <contact fullname="Dhruv Dhody"/>, <contact full
ert, Laurent Vanbever, Luca Deri, Mallory Knodel, Marcus Ihlar, Matteo, Michael name="Éric Vyncke"/>, <contact fullname="Georg Carle"/>, <contact fullname="Ivan
Ackermann, Michael Collins, Michael Richardson, Michael Welzl, Mike Ackermann, M Nardi"/>, <contact fullname="Jari Arkko"/>, <contact fullname="Jason Livingood"
irja Kühlewind, Mohit P. Tahiliani, Nalini Elkins, Patrick Tarpey, Paul Grubbs, />, <contact fullname="Jiankang Yao"/>, <contact fullname="Karen O'Donoghue"/>,
Pedro Casas, Qin Wu, Qiufang, Richard Barnes, Rob Wilton, Russ White, Saloua Naa <contact fullname="Keith Winstein"/>, <contact fullname="Lars Eggert"/>, <contac
ma, Shinan Liu, Srinivas C, Toerless Eckert, Tommy Pauly, Wes Hardaker, Xi Chase t fullname="Laurent Vanbever"/>, <contact fullname="Luca Deri"/>, <contact fulln
Jiang, Zaheduzzaman Sarker, and Zhenbin Li.</t> ame="Mallory Knodel"/>, <contact fullname="Marcus Ihlar"/>, <contact fullname="M
atteo"/>, <contact fullname="Michael Collins"/>, <contact fullname="Michael Rich
ardson"/>, <contact fullname="Michael Welzl"/>, <contact fullname="Mike Ackerman
n"/>, <contact fullname="Mirja Kühlewind"/>, <contact fullname="Mohit P. Tahilia
ni"/>, <contact fullname="Nalini Elkins"/>, <contact fullname="Patrick Tarpey"/>
, <contact fullname="Paul Grubbs"/>, <contact fullname="Pedro Casas"/>, <contact
fullname="Qin Wu"/>, <contact fullname="Qiufang Ma"/>, <contact fullname="Richa
rd Barnes"/>, <contact fullname="Rob Wilton"/>, <contact fullname="Russ White"/>
, <contact fullname="Saloua Naama"/>, <contact fullname="Shinan Liu"/>, <contact
fullname="Srinivas C"/>, <contact fullname="Toerless Eckert"/>, <contact fullna
me="Tommy Pauly"/>, <contact fullname="Wes Hardaker"/>, <contact fullname="Xi Ch
ase Jiang"/>, <contact fullname="Zaheduzzaman Sarker"/>, and <contact fullname="
Zhenbin Li"/>.</t>
</section> </section>
<section anchor="program-committee"> <section anchor="program-committee">
<name>Program Committee</name> <name>Program Committee</name>
<t>The workshop program committee members were Wes Hardaker (IAB, USC/ISI) , Mallory Knodel (IAB, Center for Democracy and Technology), Mirja Kühlewind (IA B, Ericsson), Tommy Pauly (IAB, Apple), Russ White (IAB, Juniper), Qin Wu (IAB, Huawei).</t> <t>The workshop program committee members were <contact fullname="Wes Hard aker"/> (IAB, USC/ISI), <contact fullname="Mallory Knodel"/> (IAB, Center for De mocracy and Technology), <contact fullname="Mirja Kühlewind"/> (IAB, Ericsson), <contact fullname="Tommy Pauly"/> (IAB, Apple), <contact fullname="Russ White"/> (IAB, Juniper), <contact fullname="Qin Wu"/> (IAB, Huawei).</t>
</section> </section>
<section numbered="false" anchor="acknowledgments"> <section anchor="iab-members" numbered="false">
<name>IAB Members at the Time of Approval</name>
<t>Internet Architecture Board members at the time this document was appro
ved for publication were:</t>
<ul empty="true" spacing="compact">
<li><t><contact fullname="Dhruv Dhody"/></t></li>
<li><t><contact fullname="Lars Eggert"/></t></li>
<li><t><contact fullname="Wes Hardaker"/></t></li>
<li><t><contact fullname="Cullen Jennings"/></t></li>
<li><t><contact fullname="Mallory Knodel"/></t></li>
<li><t><contact fullname="Suresh Krishnan"/></t></li>
<li><t><contact fullname="Mirja Kühlewind"/></t></li>
<li><t><contact fullname="Tommy Pauly"/></t></li>
<li><t><contact fullname="Alvaro Retana"/></t></li>
<li><t><contact fullname="David Schinazi"/></t></li>
<li><t><contact fullname="Christopher Wood"/></t></li>
<li><t><contact fullname="Qin Wu"/></t></li>
<li><t><contact fullname="Jiankang Yao"/></t></li>
</ul>
</section>
<section anchor="acknowledgments" numbered="false">
<name>Acknowledgments</name> <name>Acknowledgments</name>
<t>TODO acknowledge.</t> <t>We wish to acknowledge the comments and suggestions from <contact fulln ame="Elliot Lear"/> and <contact fullname="Arnaud Taddei"/> for their comments a nd improvements to this document.</t>
</section> </section>
</back> </back>
<!-- ##markdown-source:
H4sIAAAAAAAAA8193XLkRrLePZ6iggpbQ0d3z0ob9jmHGw4tRVJaSvNDDWc0
u7rZQAPV3ViigT4ogJzWxETsO5yb4wj7TXznN9kncX6ZWT9AN1ej9Ths3WjY
AApVWVmZX36ZVZjP51lf9bU9Myev7K7terPq2q3pN9Zcn39tHtruzm3anWkb
8zxv8rXd2qY3r22xaap/HawzVWOumqLb73pbmhe25yfMk+fz11cvTk+yfLns
7D21zj/E9jp+2UlW5L1dt93+jBpatVlWtkWTb6k7ZZev+nmVL+fbeW+buX9y
/psvMzcst5VzVdv0+x3dSz3NmmG7tN1ZVlKDZ1nRNs42bnBnpu8Gm1EPfpt9
ZvLO5mfm/NXVOf2BFtddO+zOzNtvzVv6q2rW5lv8kt3ZPV0uzzIzN1aGR2/D
X40M0WyDNLJ72wz0zs+MCc3hD+nbuF36eZtXNW75vX2Xb3e1XRTtFr/nXbE5
M5u+37mzp0+Ti0+pOWq66jfDkgRZNT1uXbZ5Vz6dyGY3LOuqOKHbaxKD6+l2
32D62EIaW1Tt8QaePib8xabf1idZlg/9pu0gHXqVoakjOT9fmO+btrQ1/7Qa
6lom8nle1zTB6cW2W+dN9XMOmZ6ZC5Kh7cyq7cyl3bZFlxd78x9Fx9q6Xe/5
GSty295xM78vyn5BzYx68HZh/kCjy+9sN+nDW1LU0SVtrbL96vcbveAWNLej
Bl8vzE0+1PtJa6/b7XafXNHGTvodfvp9vtOJI0E1bbelYd6TemRQ8PCXMV+f
v3pxdXvGLdDUrG0fZ1/nB5P/d6b76bJul0/p5c3TXb6jATz9Ou8a6+ZvN3nv
5tfN/Lqff9N28+d2/sreV67qSRPntLbntA4cLZH5zrbU2XnR1nW+bDtSmsWu
XEmfxCygrb/99b85c92Y695Qc+a5/crE9thWaHtG2jNJe9xW0Bf+b67/Vymb
VwsjHQ+/i5xfVQXmxjwbXecFbs6H9eB68+Vvvvwyo58vzm/Pf6Usg86zUA9l
eZG73M3Pr+dlRzPWQGT1vK+2dv5DezXftk3Vtx3kab35m/e0bFZVMRXh83Cv
eeNsN7+xXWGpzdL8MOR11e9hRPPUjl5jRbA2/qLwbhaGezqR3Y0tuza5clxq
L589u37xqeVGc09dm19vd117DwGpV5hHOcxfb8gcrjfzCzLhtN57N5VZeNr7
lFSK+rQJT3+EnMg8ac8mknoOLbP16OpRaV1evbr+tKK6tF01by5vrml5Oovn
5jddu2tdXk/lgbuMv8v4uz5i3LR48JrJoJ8NRR5/Pzrcq2fff3LduKrvoBq0
ANgUNoVNlaJq5mEJeKWhmy+f3385FUfSQqoYR8HIRwjpxcJI1yZiekHLs6nG
144o1nlB7oM60xyo1p09uHjk+df5pqorconT59tN1WOFT2+YtnFJk7xpy/3k
+ctNN9yPrkwfhIezRdtZstdTC9K1qwX7OjLtk7uOKsy3r958/fUnVphvu2G5
dPOfbNfOCUA81LZc2//w5W+eV2VZ22X7zh5YjvG9Jrnz46ypvHIqDPLs4yvT
J89JDbphqgHnXe6G9ML0sT8tzE+bvFlPnvuTHf08feo78oht09h8mDz3Xevs
bjO5eETj3ub1qnKbR0xhevXoVH93ff7i208709+RepNfaB/oZje/tK5aNzAK
r9olvXmeN+X8Cs61IrQ4v6hzgv+rih6ckx1IzMZrccGwJcA5zwksdoSD1J9O
dUVfZ8LrjLyOvHFpwutM8jqGqdHG6OtgeACD5HW/xn3/cWF45JOZ+GM1+nn6
1O3CPKumc3+7qRpCEfHCkade5Pl2utBv87od8tGl6ZPfkL51bfNz1bSTh7/p
YINd0U5vOLKybovNtur7Y0trfOmIef7G5lvXK3qPD7+oirvxtaP6+v2Ll5dX
zz6twko8M/92qOh/FWA3NFEdEzT3Nl+RAhIwHjqOE+et6ORjyhhbYiWLLRm0
ZJKWEI1zhP7xejaOzpIlfxidHZfgm6s/PLt6e/3i8hNLcbCb2j5UtLxf2XoP
uZGY6J/5/sCy6w0YvdzwkeP+X/9TX3Fg7rq/5IeXj5lLC/2qh8Mm8nUzuMPr
0zZ+Iu3Pu7sD/f0p39hy+PlnWnrN+I4jvbje1Pm0geckaupAvHR09p5dfWLk
+sxWR4yut5MFR/YB5F9au5s/I+QKCzud1ENbOm4lgH20YnwrHzHz5Fmpl1O/
OuwsaVC8cMSzvj1wqkMTfzxiwG8P3P4fh7LFun3U7T877vafweb/Xc//w5H+
/VCF/h2d/ZvzN8/+9Gnnn8kPWqa0att7CmnPEwqBItt5vqPwLad4pm/pCpkp
Mn+rqqZFckQFqBnDzXzErI4omSiCKSXz60mGX2IY3l49++kTe5C3tv65plVi
57dk+Yu8m7/c9RoIkdxurm7m3wxNgVVwYAvpKaNPfZwV5Jc9hvfCteNDf/OJ
xz3Mt+Cx+vxd27Tb/XRsIeKPhHO7OjQUHzHuX1gtn2D50xueTwHVD9Wwwjp+
/neCpcvr169fHhdr49YLaxe23/y8KDZPadnYvCQc8HRwtvvzsKvbvHwqRC1b
SPe0JOjU/nlF8K/+c1M69+VBvHyJO8zcvD1/Eezsy+VqcGpk855sT2PNq49m
7J7b6sCbvWprAOf00vTJH2GVG0LJ03X4Y0U4kmZ6fPWI3fwxb5b2/uDdz3IC
R/T86LKKftdVtUp+Pp+bfOmYNsoyrKK//fW//wOZjb/99X/EZMZD7gxZuXvb
0J3L/QibUfBXUBRvi576R4EZbM2T6/OvTyXR8sU/mZdF3y5txx00NEtf/Mv4
J2o8pyY7a+dlvif0A4xottbCVizYEox6ouw6dYWjEnrO7PKud2i7rBzBBUf3
7fnvimk2eySrYfqRJNyw4+wQLUSSbmOWZN5pnkxetpwa4QshUTIFqOhl5TTp
Q21tt3lHPXR8k+/85853jzWSFInsW9Mj7kJfd1WB+0lTKWajqKM3q4Flyh3H
7Uj60CMdq/Qiy160vZUnery9bIuBR1ZBoNoX7ShJobC2JIE6jIR+ykLOgyV8
X9kHx2/ZteC9QXb7Br2k4wjzDi+mWDyTxox9t+usc3RnOXSeNA+zRiqDGaJo
c0fjkteUrWnaPmssRVeOpFXvqfFVTXrEibkj/VmIdm+Z8MiyzyD9ri0HdiDm
/WcV/vyQZeCgacDVPfIsaMHZgjrV77nbEGJPvaD3LS1zaqIirNi0RsH00890
mRYRQA5a2LaYB4Qve1NaslB7uj+qg05/GG9ebf+faiOpxt99Q0OqgP7Y+7am
7tC/+Ga7WpH4Cd7UIreOorV8We999I8ptmAk6e3Dkpqq+pawuWYF0g6x1HUM
yXtZV22zYVpzSKZpgewLRQgUrMV0gxfTzFSs06QupBbUIe5xh17Sq4YmPrC1
fU4mMef4Mgg50qcjZVh56DGjEbTkbizNXcsZn9LeV6SWM9E/oHVISYe5jXGq
W5DdfDAeDNIIoWGQrsgXVvgudGRpN/l91XbUrl2sFzMoXFl1JHIaSdG2O17Z
9PoHwh0kpnLXVn61IOfm3eEsUVNIEdNBiGqJ+3pbU8/6bn/sppwnNx1A0nUd
rMzHnKe6uxfOeWU7nvY4kwtxLaTnYk1odrBo1XSHdcAewNv6L/5p/sW/zNjk
z8yG7PjSkmaTlDgRUlJrZlfnPTgB1s13tMzYzFjqAil2Lut8SdLEg0fWEAvg
uDJWpAMVOUt67EGUnS6MIH06i6yn9NcWBjZaD2onVVrzsCHo4vWcA/edGue8
Jv2k9RHU5NzRfcVmbBbzslSjiZ9X1Jv2Ac1AwjzTZ1n2nzhByXolAmD9PzL4
9H1f8WMtFs1DhazPOqzxg2G7th74ZV+l70KHyEzKsFQPsagefTb77DNzvmwH
9UWTOgijMRLU5ld7KjPyVNk/6Km82/tHPZVJPFX2y57qm6Gjhjs4jhm/QiXg
xxTksgUdhnUi1rWXNW7WyMlm1J3QtYN+Uaegq/kdrYZkLBFjuFkGU4JJ4RVE
b5DmCUKZ+7yuSkESFHVuBnekm5XLtJ+inIJnVvQvEUyV1+16OktmSe8rW8sG
O8v73m53PfSvyHeMZ3ITqlcWcONv/YO3BS0gbvkyjEEMzSP4Ly+61jnFgCWc
LJtOeBGuVEnxlqvbnsbYkn2iVYq7BfjEZccQjEtoqB0yeRGelWJaRDvXXb7F
vIHPpdfG3nD0Z2LtDjw5nAD3DvEhWtgq+2nJ0njJaf8nfV2YS5lUvjVenak+
S7ApPVXdsXBvZD2o1ySDvUiDZNqkjW9sXRrGjBZOhqEEv4EkwsuYAoa3G7T6
YCENRAJz8yoxLyyNG3WLL5dwFKq17z+jVr74IJO2qjoKCBnSTzSEbFZTwktT
n6jPuvLtu8qxvSHD09u4UGppfFPtfsn4RyTg3QCvrHtatAAqFLOSk1+Ym9FK
I6i9pif4Ti8m6kSR5EQG/mVLUiL3Nq+VoxMUUrRrTL9/4wy/5uU9IE6ZYh+e
9Pu85Ae1d9T7eu8qxw+NXMsI6mOZnK9QQ0QQqUpBLzuqAtSSOpF1m9cHdjNo
b7DowcOYJ6TspXVFVy3FeL5/Lzj6wykbBFaDDstk6MYmaqZLR5DzRMtYkz4L
oXgxpjzZeh3WmWUUp+6jGjyCkkWcsOsemVGvmxym5Qw9JlDVNp/3ASCSzIAl
yHRSZFatGwiIJxvKTytJAsfGrltBCLxowrtjdnXGho3C9N7mZWid/t4BNMNN
Etiz0tqBWgQQtw/auGvRJ+jjcSnNJDAO8NOr0gxeU0KXYkPL3LL6joKXNDSh
tXh8EirHVoww2x4WEbhL2mk8FYCIBeCPgE7ejyCoIumOYTLPhXQIy1mDoVAN
Jq+C9Ru6hu8QJJGTvDysIr0i/SKISQiwwdqa+dKhebua38qLzJMf2tvTBM/P
gnRp2dAvvZbczcL05QV8Nju1rq1natHppVGnBPdu8/oBwygtmAx2in8g1aaF
NSOlAfidSI/eXFYC9ThyrRHE0+9+5lkaSWhCjoOE3PNdq6AqqItifzo7Pnu8
kv30kSKXlm8SfBbCtQZjpDvHXfQYfdsO4s+nI2DbkQNRJ/MvQxOVrV0A59BE
mrrVUEPjq/UGeI30Y0NQ4IQM4t3+xPvHviWQ6GSiSZvGagM0JFCJISVspfhb
tjQTnUEFnkZ7MAwtexrMCAFvcljbHCE8po7WEVYUgr62F42PkzObDjzEHstc
vQ/ZBwsCqUBZKHsgWtN4wHRD7Ve+GEMgVsglJz3k0BkJ9pGDWJvjDmIHKNSR
MTcnnOrxd514xxKf2yJXSRiQZrbz+qW2jBwG61ZuatCqtAj7VEngCgyK+ETM
FHBaH92ihrFQ618Vd9QgMBlSMcI5hLXk+0n2WPrR+6ggCKyoCYGUKNQkLMER
t4M6s2SWFqCWBuOcV5m0V5Ev0HcvyOVwvcWHD8ETOZmSSuAGv58c2QM7OfRF
JKRxmuiuYr8N6SaW/cBVtmL+JfirQ0fRxXwL2cFxMqVDoA4xO6khLeGBTRA/
jHiR0aI+qQ6XfGDVTGEGe1i0m6r8wlyBwMFCd4YMWg99rnCTYyxKcOZOkHd/
3Ew/tAPJWIXqO5pYJ36rKMHKshfk2fQWBlqwUugOahE6rLMCK6yaRsAAjNaW
vGGt4MP1bByZfqoET2y9Otits/W9EklCddBCHHago6lvqjaypjlikI7RssoL
XkIEV4ZCHlyxgEPXdZoJ6AHv0C8VWdam2M+UARVh0AUSF08BU3Oq0UiBBUAJ
WBU1C+twS+pUOiXzPKna+ZrDtmHrj4oEJmHYxhyR7PVNFG5nWWapRD2oPVjU
HuxB39++oS7xakn6tZKQMfaoakjGvQTKjTnvEIsUUGQQfRTWr3Hlyfn1aWh7
THwFH6dojHDvPfzfEQSaZd9xWZB7TA0r8aJVM7BBysucU3mzEb0Hd8GvOGif
Rd1qQma0QiKtEp4Rlja8i1lKTgWcYyHdVwzw8/ouLjvJ5rATfP+eU08kX7fJ
AYtpDZP9qQO/I3ZihI8hNXgy6PFQITwytLbI7EqxlNvTYtimwxuah7xJ44ww
uaCfpdvBJCdpqMqNoRabQB+4k1lgsxPhQQvGtxRsKf+HIZK4dceEGOCX+vBC
Fq9g63WuPG61pcaCkURUspDcHCn7FlQ4athLv0rJ31ZcsA22EGg11ZV0IJi3
9brDexIpKE/sFZAFjeVELpp9wAbIWeg4w0wh+VkyGFn2lpm0Yy9K1IupnBbx
JOiYCRs/E9bH9UO5p+mh0IkrjRBZrS0vqzDtzH4LmcVKBuhAWIq56tbcwTcH
rlcsmVq21I8xV+Lh9xH0lTD0qZogXq9rNv7MGg5wTbJ0/PI/yo/LAkZmw6U8
rUC8Gw0ar+TJGKOfO0deWP4OtdW8UccoRxf8XKDkkrTFelywpStE6eM4W+Pk
g2Bah4qulFBedWTGS3ASNH9P3r//6np+uai6fjXfUbfWczwwr7SNeUJRUyDK
Ck+gN+mPNt0U1Y6ARqSQSTM2HCdTpC8IdUyJyeqSiOpIUBrMVYRUJPoLpqv6
QIBKhCBxQ1q0tooJCLZ4WHw0x0jljeJ5iEj0dhTmJk0lTLtEU4V2Qde6D2hJ
nkwUQqEEPNvS3zszHGXx/XITyM2ufbfHhSXEI/aBHCw5bWx80U1ZMwH7HVuB
JBQG6vepI98h/JOwM9itUV4hoeJ7Ap7ixRhe/aUVBxtaJgn/qDHxhC9hUSYS
LzhF5GIiLV0jM2HYc8myEir39tLkwp0AW3RsCquWaS9ZydvcyTIY4P8QzPP0
85Mp3OOXzZUT3GtmxIcrM4E03pRHALry/bcClAXHeNsZTLqs7yntWTEXK9oe
mB10A9maxIWW5JVqxJeaxfFTJvkIOEaKkdasdw4wsiCUpFENTCmvGdK0l03C
utEAuhHH4HzEuAXUYyYWDyOnxbNZAOnw8gaZxUUOPXv9jnkGsnTs+tMxjXMk
X7cw0I8zRsfcQ0ovczjBvefAMTgy/5znwkOqTcyBWAxm1y1vp3wM/8SloG/V
EE8poNGMHHknFFIuMmwZZ/QeG5/YkWSUG5g5CYgwEYljqRh1kZnp3WhtefqH
IVuU5pgywYsQjpQIuZzaKIHAkoBD7Up1b30WKErQWYJGDIJZAXy8s+J+JxKp
AC33KjKPo8AccMCrdpNTvR7kN3ZV6XbdEW8XZoHTTW4oaUlGOslHtIHe2Nh6
h2Z5/Ialk3TrX4VmisZjWTEkchpvlLZwqIBELMCdqCXSFxCy1LQhCRO6DdlI
oOT64PmQ6ah8hjGZ8hqbZ163nazDENnoTQjYOUBj5kMX6GuOqICDAkkaCRce
MMFjTulPGE/c6bnzAx7P831RBlf+afJ8a2GKzYu2j6vhydXFi1OC2l+9+ubi
t1/8l3/+8MFzJHnP/MresraScjBQC4ULCyZ583XM7jvzRF4rAusBZLsdb60M
t5yytVlynWwP4wNDhvCXcKWET5hVYUuRJBvqvKv3wXSxfSInxAIVotJXEaDK
6LEsquZ3kbmB/Z8wcwm48fgkjIjVDtRLTUa+VlO3HmoGkaNXsJfznCOsUWCe
Vl0+lEPNwKJLSK4IS25IJzjVHAlbqa/gwW1VzCQRUPa1J0Gd9MxRsEFSgvgS
ddDKgwPYOsl8c7lGz2N2ZBjgvDV9ePg2kbfYi1g9FmNU5vBo7hyQiJVZvHxx
a6SaVsN+QTHbvIQpCrwn04tarEGx2jCKbJk0JL8HRAldQpugmWl1dId5LoRz
eGTdSrrrIua5aV5uItLkDNeXmuFyFLwjD/rxKa6t7STeGwMdxZ2Ip3neWGRd
WrpyMCkfmcYKqagjDtXnN32+gQZZD+XxVFfo7yxYud1A69RJ8LPVONbPK1NO
s3QAMhzbV1qRQgL6/yCtpeWDvzav9Q2nNmFs9mlJBHz7UQImy6652KEPoO6w
iAsQBkgZCfJlTuDLdsFmc9aiYv7JCQCwCahiaExur7Fia2AZ9/DmFLvadFoP
cOEsBCaiYyXqsm1THk9BgIDZezCiYlxJgUPLsTFzlOqHdJBkCvxg1PA5nW4f
PcSt9GG4IiYnEV0JZM7/9lKAvUUGPEhlOzjkcZgYBt0wbOmvNWZW152CCZd0
1EN137snNHFOiCafySAzumV1YW10SvjB3aPeh8emAaZvX4Fcy7SN3lKTpQ2q
hZdQpLsesC0PncyRUKROlL48bOiYGApSAXqPM6hgrB58MCvotWmbuQiM7n7/
Xo5e+PBBU0AxNOdFQYiA1wT9yIqwRI5EUyo2Z1AwFjkKCdxGoVs6X4FS0cmS
EBH2nPREDiyR4jTQqrasyFHYULtCcCMHrRtd3o4d2igx1Xc0tb6qx5rNgH1E
QFSWlLFMMnC4qmVuUXdnxnLjfIcq/7zO9+hWJ2gZU6k/pc95c0TdLfdNvgUs
71LOhuwM/wRiDYWE2GMGMwHtyiX28LAAByuIni4R4XDqi3UkBNMsoK4FmZac
NkFzspfE13gyRMrb/M5ybhuG18oCLjg1+MgcHUb0x7296DCF6qxZmpkobbta
+SqnXgpMTFe5O1kT1Bw1VfV+PeBdpHyjJAUJ+wHqSTOr0DlMvDfknn9Xl0bi
BeXDbJgXFcgMSYsxWc01LMFUUUBATpdmghPOhAt6Ll+dRCI+M8nQWg704By8
jhHGRKTLeuZLMwAHOVtJsS2gu+TPoKK0Mu4EUyIeOVK1MCnmwEktW5eOiPwP
x5PM2PrcCJJU0GhSfT9iSMchY+J7xEFDsWlbd7QmMJg9IS43tiINeGhClQlF
acIMCZvZEo6iWbuFFWeQuII8fYU5hx47sHVOu63pLI719ihPpFiKnA9gRWEz
BaNhcsBi5YOvR+3A8QFaIG/iu642FwEXIs6MWQu/IVQvzr2R5oicJMduhSKs
ieZ7ljrzRYpQT1+WJlGrGvb0iVBRlupVlupVgZiC+WPFArcCAkWHq678VbCA
g+WYkCDRzSn0r63yg55XTMXYcA1rjPuk7HdcY+3ja091+tQ5Yyjfj1Hy8q7R
IrhxDaB9J/F0OYYbqEEO3GaatfcRpLgTJVVG/A9XjpCGgXxzkl70qTYtJ2HV
4wQ9ptay/UecQCa3rtm7aPC2hJh4sWgpn+yXqJwSlAUZXsn2CQ3YpBXiXHJ5
IB4m58AwIjYElEDmPh0gBdat0N+th/9+lE9iwpNtreK9VcSKp2R2gPD3nK4Z
Gt4u2A+VrPzodWQiSJfmokuogdtHAXmPwS61nyBBKTZWxOqxb9zdjEjdl9Xt
ZQ1tLea4clsZE70SjT4ZNH6IQAYsoxur46khXUp0YVehSlacfhDaGWuXHFeh
GD4U4ujf6vqlXkf4RB0u+ug7VUZdldZyrTi24W4N77kd6MXXewlFc2Q3zY83
LzA3TrjvltOzyA2Ol5gU/QZLoQIJXX4ymtGkEso8STSCLnllI0PB+7mjpDWZ
xVNoTsiuVUB+7sTHJjwvqs4wHd5TqmOsgglPC/VT/v3Jzc3zU1/S7y0FM07P
h7pHKPuO3nyeeMXbYSnJQHEWP7y5vvDbw5jxeX5++8Obq1Pu+Ei7OPlz9fob
JgV8cZsruNR1po4ql2paSR3r6uX0rDqlqA6NL1sVE8w/clEfW4W0Ipd3jSk8
pJmECch747MvPHWSAA7N+WnSbFEXqigkd1hpaUCgRDRNeGi304IgZTDG6Twh
mriEYewH0ggn8JhNqViYYVIyJ5h57XMs2GX8iNAZ4W4n+2G6sXopm6i6cRQa
hN0vsbqHZrUbdkrSpGDYG/XXFzcGNN62csoYKHvKxJV0dGZ+xvk0spNldsgH
zQ5q8miKeBMMN+hdj42pzJmwIz22x3E1C4gx7+G4Uu9aazJHKddxeOzlzvoF
k8UVF+n2njbWMTOvRK6GgqpdDohcC1s3G5tdFrqLzK1XRu8PWO84+uOFEn3I
MQLluJpUzdzPXRJERVfwud99oljkR6mYmxlhWyM3OOYimsfkhAh1YMfP41fb
TIioemTXyUSNYgC4tXXVBsqP045SLgIV19yMeGloAf7vieZQnufrYMTMECDq
Nz6kmlQFcISFEvxQoAZVTWoeVJ+UMH/H3vrm6uZUGdNKE+99xeVgLOqC3kcW
Bg0VOG2o8CuSr66YQfKGJUSS4wpGWeZoAYUPib2ZIQzfVRrthQxbQNqM8Ea1
o2zBeTOPaBQjbl6XUxXRzVoz5WcTSYXsKZvSPFSJ+BoRz1Eig5An6TNuJ3gR
zUII71PFlUdyrnaguJlJ8umJUYqUq+mSOpzcJRsXtFwswRuTalBnG19oSeCg
nSsQR2RF/+6ilKqGdAW7rONuG9l9EWYp3CpclRarJvTX+/d8HMKHDwtztVgv
+CUGL0n7BHn63HDS7bwI+ETLF1vPySdzVbcFbxLjTumGEbPKccxK2pHJDcv9
OM8cszudhGpdteO0NpgfSa2NthWEgBAmaN1xDdMIc0RGAqVnVWAk4BPzjgeR
LisyFrtB8uXe8x9mD0hGq2o9aPgbvInflDgS3omfzpMwSUyahXxWbF5SpmJy
vVTHRl+URYALVqPfSiLbC1VDkwWS+rmPMB4zY/viSOYeaXSHuIElTVr6lXmp
nKZzg0DgjhnLslrxcu1jCofzQbGsft0q7cZrNt5/kERC8wHLcvPBmnjs1MR9
rYLKwjYkKICARcYaiITySUVItUVWIslxsfHrBNLFfoXNkmkHNdeJCdWtEsWm
qstO62LNBoQDXjqwCvodlKEtWJmqH0JZvrrctkkwVHoIgZNdzVrq5bw7g8Jx
5cNXWXYJeA+utYSaN74w/F72h/MeKhLUVzgRFlSBS0LWhA5R7Jc+IqzSnlmS
ElwLT0zVTDZNz/zu8jHRPg3NAwfUi+2Xv3It5RaDMGFXUUlWgcDTPee7lkS/
aWspXn3wYI9xgwsMVN3i4FxqJ+7pZLUaWY90+zTKomjpPlDEFXYe8s05mvrK
aEUfiyl4dM2HeU+zbtsynKyLt4Hw1BN2BUmkROZRasbT9yGpAylhL8feMSrn
xDkzdz7DpyhXptHLl1eJVPP2nIQuwxbkSjxy2FYeWTRw97MJn+EDCXVOVdO0
97rJkvfWojx9LuuU9/+AzWUzyxKXRQ69Fg6DyQbLhXc7Qg4d19RbTcb6gsgk
Xx5rQn0BE0VAbMilerbkvLzAhFyZBC6PkPaSoh1x+siCdUbY8cAWSTF565ez
CgSHszRcnMwOKy8Cheu1B4PDvizRBFquFocu7OXwDGBHzj0oayictgxRK4zA
yICVDfvRnYb/rNNKiNIkx3iAlNNtPDrfijvslZKPmwqdL77x/C9iQN16EhLF
sDoPoJ516R/LEr/x9kWSxL/VJLGQgsgRp8ngCWEnFk0oVD6ZQiBJ32a+1C0B
3aM4xxvkhTHnBlU6TBQj+o4wPus3kySnii5y+ZzVchy99BtejbyxRTJPVlQ8
00Do8XgleAc5AGLJCVjZTVmFrRyZq7ZDTWpmyRByRSioak6NJIbGe4vp/mQZ
YSYjVIgdRaw7O/xuPs/mjHqrLvvKITugiS1sNykkHNIjlxPYFhxRGkS93XAY
P+L+reyyrtJaEIG1Mv5wBASt7yzIvvYNl9iwoGdWf/jgp8SZk3hYtDabJYn1
Xs+PCz0/mfmXhrH4VHj01Blvsh3xwb5zJJ+v1S4eFhJq7ODD2ri7jDe1wPmo
hc88me9nk6P+vMZGq1nSNdYU6Ustqyu8LQveIi3s0SJNSWWhSpFxB+GDwJno
m1lvbOZvgRncplVaMUHJVAKwx62f6Ze+vs354/uf3L68OA1d0xKfBifRVH41
ffEb3lpOJodCPW0CMuOMUsi4VR4TbAEPQZ3SssukLgaeJfl2gO5NxOM7HAQa
WIxdEnOvOtnyXe8zZjdWAH/iMfseGwmoB/N5jG53cReI3MAOK9HGjPsk9s98
U+kmunY8nFA+aHX/JBQ4FL9lKtHQDkp85byBsLVGVEGcWDdYPT0BJYbwn0np
lnfS2BSP84YeLFZ7iC64ZkJxV960qJSKSWY2gMmvnc1iKZV0kqbqOinqFYTE
T6SH22DTUtsKk5M0wUeqSIYcBw9QFwII17Lonll2+64HGCbhJiOjN79BPNkP
qFCCkOOeC2gIf+LiYCNRlviOTa5U9k6y1TQR1TuuMXNkYTG01+o1t7yrj4v+
nZ1l0j42EMoKZkPg6wTmXLLnCtmKyy+RBoWJQR0/reUsVFppEC39KtSgeQmB
KeUu+oni6o8QRWdgm3Him9jpWGysCaxRlSp8HHK2IOW8h4I2ZhS54dAQ9I6W
g2xF3mlVVR9ME6eEGiW5G1VW0ohU2VQnxHUHp+jNlYnJRDngiaLpRk60CEXq
fNAO2CP4jiwc+mP0SzB6cJmUp9lGCrcZr8UgSsxhZNQydcPYe+YPjSEjWrbM
a+B8OK08IeCP4Fe3QiFo79otuaNFdkmhX1p9HIckSFufVA4q93ueKlFx0jpf
hIDtVN2WE2sl99uPUOJ03owwuSVL3J7W60JFKs708Jz6OHPaK/JYJ3wMSexO
8NTIy/O+HK7pBfNnXt4aTDGKAvP9iYpEDzJBQgfws0VpPuZez4mR9uLOYKlN
sNjO0McKM359FtFksbFkWUutu17lVa3bImBvOJ6lP+q2vWNv8yS1rkmIzAWh
pzoMKN3b6B+QUhHI8zxvhlXOoW1HIBN29pL9uURAt2luKHvy/M3lqeHC3H/+
z1/+5sM4deTLvAHNrOI4/4EKY8J5clninjtrYrkDL+RksclRLroVcxbmJiO9
rii8ZbDo62dDPV04Ion0fLXy++91V5fwmPRbxpV3fkeQSVsUdDOOg/ARE3Zp
deC8s8jbOsV8ODvfHD87358zQ/Or6SMZ7KZaxUJ/2X1/7KARPhvCZcyv+vCU
d3J36iDxD89G+iT0E5wDxpWpnMoRt5XR8t6BUXCnjGCQliIL7mKVhASOFka0
0EKPfXpSRcaHvWPO+Zg7SWqN3M5rzgDDpPssNVtnb77SBsisy4YADz6C/qYd
SPekJcgdWSrUbkoSM1TXVc5jNB+geQPHOmBxpBFszigJJTfa0QFYitK5H4qf
/LEarFd+xfrcI5pXZgpcdHqan1QAUCdXPU6CICFdKUWYJZQILXR19bx5wfW8
nCJLzsca8LC55zgsaLeRAyqkglhg6wknyWIem6TRrk7Mk5++v0FZvXxp4sOH
TEoF+Myi1Ofp/ivJYVLYR49B8RGY56MiFIofaVCEbIJZh2vxR28Bds3CFhXA
QuGSH3waItydhci04kAzwpRKT08Z81aB8cF2buZbuXtZHtUUP6Z9S+u2SQWW
fkLEA/HLM8nMQillDvxSOBwCp5mkIElTik4XU6wHQu2/04QUn+XAtcBkV1GW
kQOcMX8M4Spuf/3s1nyx+G1EPkMHjmPofR1XjQInwbuJUxM6Q/YwDFUtVXKA
dmh6SI/8ID0ka0CvvpB4OeMiZZ8x1/JgqWTnyph0Vz90u66YDtfuciF9tqxb
Ch1whdpNLJ5yDjIHUQ3SQiAaQNFn+q5ZTE9JNPu5S7sSNoSFwyLbDcX+6A6/
Ozuv8YL1RstP2PjgGZ9CzGt/Atl2N/TeR4Rtw3RrJhVAfdvihCw5gyw9I/VB
64PiqQSj81JI2pmGW4ytGz59RxxDOKLbzEGjHD0Y0OcrOe/pz/r2QNEv75jM
k0oUbEhGuQKpse6fhSlKK2fJmVXscVeky30ws+EN450m4fDoGI9pzibjDRS8
tr0NTHeexIARoSvh0HXF+yIYDiJ4ypCS0up59kve0M/IhJNk2PdiknxOn/Mf
8FEXOBqYwgqKYDJP9PhEkmcJ4ak/dyOGh+nihE/mr0AsO7JinCnWLtYhdGD8
8G3brms5A4kr3HWJsddKCpnEoigfzpt8mGByfJSNP7LSyxwRYB8O2sgkSSZc
ZmuYD8Vu0p+tPMUV6Zww9ntoYlnPInsZTvEUzOiXWXqgwZg5FQzDJReOD3yT
yskYQSUpCj1glCEqZ/2Qv0GZkz+AFq9SB5fJVs9046HXrfSwUT9hvo5JigRX
otzRlYeSA0EPzppHjoL0SREpi3d9FqOQUfWLhxXYkK1Kce8S1k9z+f612fv3
fMw/F7V/BpXTInhCbs8IZ2Mo6h7FjBw/NzEpIJJNlLHiPxOGJCITPqxEHQ0f
CWzTMyTE1KShI70+87vSNKtxlmVzBlso6kxy6kxWRJFpXp9RNlfPa6Ywl7xT
AkByX59k32laFGKUM3zD+l9kU2raC36rxV9JjYqMQ3WmDHsOs6RWjQ8naIrI
SEkxVa9HWUlLoxYizRiSbjGiKyv3F6lhmuuORtnlOjRSIk5t+I08eIGvRJfT
nQ4pSVqv6SmnYbq11pSBh3AT+NimbKKRMvWqS8OKbJRTBc+hta9CGKYN+PNh
7z3oDIuog/lATzi3BS6lYJIMZZnXK5rNmezADogxWTdePl6SmU9T048ot0jY
dR5THnbe40usUnM5CVCo4d9lHip6l+4NJtBMPABeEIf5g6W21bowcmCzK7bk
QPRKkyzppWUfjrMcLyAKzm29kikWsxm3HJKFQWDbdmJUfBEC00+oJ7CyWo4l
eZXwgP3LNrzn/9HUOFt+jrcmNZ6BTI8H5RDqx/Ke2gAE9eMEPDU1bJfycShQ
HGFlYS7c7+S4R588D8zYTHaEzqQ7BI3J2m6q3SxLHDV2kjBTxWeF8QHTRwUQ
FSbgncxnvpMAi2E/U33ksHDAqt/r86CBl5zL551Gsi1IrJU/xnu09Vroxp7A
Y1NCD0hs9LfmW8CFZ6EQdGzkUlNTAYawXrbi+2yCVTh6U3ifUuJSxpRkKsUe
4U3+vPHNpHo+88cjlLE3YeshKpJGa1sPPme84X2/UgyhGS4Q9gfPZEPDu9lK
f/SGrwRAR3nDp40oHQyUX482PYI4k41ZyRri4hdf8IZPZLCceO8rm6egcaF8
ktwNb3qwnJmYafo4qR+7z+vBepSuXX5kZ0JQLr9bJo24wzLgOkiNhn7nOVVZ
5dyFLOzGb3mzhvZDGpeqlFB75rd/+87EOXSCiGBm7mLhTvAsCy020AwvYf5K
jt/1eVb5yHIQ06gqWjfE+TPmYyV7EmMLUPcdDapNbytHCbSkx95NAt8xVz8+
60Kyh7Ey259doWT9QV3Q0ZLLDOc1iWPEF378PqsoUd/RZDXogUaykZ6D1ixR
Ryl890dp6/cWlnlxB8h1o6dbmxs5ePj9Z/68azmJ+AMKS2lJ2VgE61EXx6fg
87i4Ug/wauWo5D4cm+1PNFY1CgBOPo2R7mMNiYpLHNjoUENc23vMWl7kpd3y
KYZyHAp4Jz72xX8UhRnfWvfza/W5dlsP1pJeLG3NlUZae+QPoudytxh0J8IL
feBKlrBHued1Zr1GIGGnZQD96GSi9Fw9f8LX9KxpPtRan/Td3GuyP5f6NalY
eC5lLJU/4iEelZRl4w9CLWQb/P/ZN7AXKIeI205JEYBKXi34c2Zbinw2M/Pt
QK4ux0bXbwGcSFnHn+bjjvzjnwjkLjyJW0KNZ5ktCDX5PiJ6Jl9HmulHj2bJ
t4y4Ax/5aaYzc8mHNsiesoZk1zPXsOcTRlQcOOSPZ+Pil7beHz0sjOIa/xFj
7trxLyTru/DtZrwt/RD8aEDfQJuTUZHeUBNLv1WVWsky/1HOWfKpzdno85mz
I9/DnI2+cDkbf7KS+/B/+SukKgI96THL4jfw4jTHD9bN0o/QzfRrWdzNf+xL
ffr2Z1fXOtvXJQ60nXwsIdShHInGQ71nchZLlk0+2809/HUfDdeehYKSLEu+
8jtLPt07C5/jnU0+sDubfjKXu/H4F4j1lYG/zqafoJwdflFyduwjkbPRhx/5
rQdfxzxLN/3xDpRi6Ca74bRD6f43ilnix/Rm5og5DGTg2a/jAvVlylPEKeTP
z8lK2ISv2p3R3/8u38MjvSYLgiZvrm5M/CQePRAr0Vm3XjK0gkdeS8E3Clq6
Kq9xGkzZteYid7kMItEMHBuID7cWtkLJnZ6sLWm2ZJWFYwL+9td/M+fXfi83
mZxi8Cb+4vz2nCd29OXw2eRL4LMjX/aepV/rnj329W3u+q/5+PmZke+nS/fk
m+4srPhZiREUIdSS/Plh8nmJQ9RyQUq7p14gBJlhMVIvqH8y6osB5I/5znKh
BP1waaEptHxoVa2ZihoN+qojo/LjviE5kUO01ChNWIcI8ZqQA5lYMg60BAm2
0bq8u2vxb2yLfMa5zbal9mCg72C//pTT5e9BxZqXn1+2TbveIJvzPTazmLe8
MQPlqc9QiHy1puivnx18Q45+8S5m6o7HCxB/EQJpoz1I53psqeIPurRcm9zE
a+GIvhzaiSMaNFG6m7zv4Gxe593O7mdmZN6S9eCtfPD201U/g0MiodU9uvoK
Z1++RaA9dX4jt0g6SRjLmYsZqbHW5l5hRP3MjCxM6pNn+PL1xQYpCXW1R40f
XMFPFCIsK7yNGc8bRYMXHg1OVfcALW4t6ttUj9NO8Pf5ZubN7cXT69vr0+nU
62Wte4Mju7Tbtug8b/86xFSnhxOnD0PTHU386UgWehHpQ3uaClovkLeuCNWe
+gnTn/8w5A+2OmUxnIfdNRIZvj+TMj5b/teTVV47e4I1/fLyZboPZ5H9b1Jy
f4EIigAA
</rfc> </rfc>
 End of changes. 95 change blocks. 
716 lines changed or deleted 452 lines changed or added

This html diff was produced by rfcdiff 1.48.