http://www.cisco.com/warp/public/770/land-pub.shtml
That URL will be updated with future versions. We probably won't send the
whole text out again.
Important differences between this notice and the last one:
o There are definitely versions of classis Cisco IOS software that are
badly affected by the land.c attack.
o The notice contains detailed information about which IOS versions are
affected.
o Catalyst 5000s, and probably other Catalyst switches, are affected.
o Various editing and advice changes... nothing really substantive.
-- John B.
-----BEGIN PGP SIGNED MESSAGE-----
Field Notice:
TCP loopback DoS Attack (land.c) and Cisco Devices
November 22, 1997, 08:00 AM US/Pacific, Revision 2
=========================================================================
Summary
=======
Somebody has released a program, known as land.c, which can be used to
launch denial of service attacks against various TCP implementations. The
program sends a TCP SYN packet (a connection initiation), giving the target
host's address as both source and destination, and using the same port on
the target host as both source and destination.
Classic Cisco IOS software (used on Cisco routers with product numbers
greater than 1000, on the CGS/MGS/AGS+, and on the CS-500) is vulnerable to
this attack, depending on the software version. See the section on
"Affected Cisco IOS Software Versions" in this document for information on
affected versions.
Cisco IOS/700 software (used on Cisco 7xx routers) is also vulnerable. The
7xx vulnerability is more devastating than the classic Cisco IOS software
vulnerability, but probably less dangerous for most customers, since
firewalls separate most 7xx routers from the Internet.
Cisco Catalyst 5000 LAN switches are vulnerable. Other Cisco Catalyst
LAN switches are probably also vulnerable.
The PIX firewall appears does not appear to be affected. Initial testing of
the Centri firewall tends to indicate that it is not affected.
We're working on characterizing other products' vulnerability to attack.
Updates will be issued as information becomes available.
Who is Affected
===============
All Cisco IOS/700 software and Cisco Catalyst systems that can be reached
via TCP from untrusted hosts are affected. Cisco IOS software systems that
are running vulnerable versions and that can be reached via TCP from
untrusted hosts are affected. In all cases, the TCP ports reachable by the
attack must be ports on which services are actually being provided (such as
the TELNET port, for most systems). The attack requires spoofing the
targets's own address, so systems behind effective anti-spoofing firewalls
are safe.
Impact
======
This vulnerability allows attackers to deny service to legitimate users and
to administrators. Recovery may require physically visiting the affected
hardware. Appropriate firewalls can block this attack.
Classic Cisco IOS Software
- ------------------------
Classic Cisco IOS software versions fall into three groups in terms of
vulnerability. Highly vulnerable releases may hang indefinitely, requiring
hardware resets, when attacked. Moderately vulnerable releases will not
accept any new TCP connections for about 30 seconds after receiving an
attack packet, but will recover and will continue to forward packets.
Largely invulnerable releases will continue to operate normally with
negligible performance impact. See the section "Affected Cisco IOS Software
Versions" in this document for information on exactly which versions are
affected.
A configuration workaround for classic Cisco IOS software can prevent the
problem entirely, subject to performance restrictions, for any version from
9.21 onward. Cisco has already released software fixes that protect some
Cisco IOS software versions, and plans to release those fixes for other
affected versions.
Cisco IOS/700 Software and 7xx Systems
- ------------------------------------
Cisco 7xx systems subjected to the attack will hang indefinitely and must be
physically reset. A configuration workaround for Cisco IOS/700 software can
prevent the problem entirely. Cisco plans to release a software fix for this
problem.
Cisco Catalyst LAN Switches
- -------------------------
Cisco Catalyst switches subjected to the attack will hang indefinitely and
must be reset. Not all Catalyst products have been tested, but this is
definitely true of the Catalyst 5000 series, and is expected to be true of
all Catalyst switches. The only workaround is to remove the IP address from
the Catalyst switch, or to protect the switch by firewalling it using router
access lists or dedicated firewall products. Cisco plans to release a
software fix for this problem.
Other Cisco Products
====================
Initial tests indicate that the PIX firewall is not vulnerable to this
attack. Tests have been conducted with versions 4.1.3.245 and 4.0.7.
Initial tests indicate that the Centri firewall (build 4.110) is not
vulnerable to this attack with no exposed services configured. We have not
yet tested the Centri product with exposed services.
Cisco IOS Software Details
==========================
Affected Cisco IOS Software Versions and Software Upgrades
- --------------------------------------------------------
There are two bugs that make Cisco IOS software vulnerable to this attack.
Fixes exist in the field for both bugs. Bug ID CSCdi71085 makes systems
highly vulnerable to the attack. Bug ID CSCdi87533 makes systems moderately
vulnerable. Bug ID CSCdj61324 is a newly-created bug ID that is being used
as a tag for integration of the fix for CSCdi87533, plus a largely cosmetic
change that prevents even the temporary creation of a half-open
connection.The fix for CSCdj61324 has not yet been integrated into any
released code, but is not necessary if the fix for CSCdi87533 is present.
CSCdi71085 and CSCdj87533 divide Cisco IOS software versions into three
vulnerability classes. Versions that do not have the fix for bug ID
CSCdi71085 are highly vulnerable, and may hang indefinitely, requiring
hardware resets, when attacked. This includes all releases before release
10.3, as well as early 10.3, 11.0, 11.1, and 11.2 versions.
Versions in which CSCdi71085 has been fixed, but in which CSCdi87533 is
still present, are moderately vulnerable to the attack. These versions will
not accept any new TCP connections for about 30 seconds after any attack
packet is received, but will not hang completely, will continue to forward
packets without interruption, and will recover with no long-term effects.
CSCdi87533 has thus far been fixed only in 11.2-based releases; the fix was
integrated in 11.2(3.4), 11.2(3.4)F, and 11.2(3.4)P.
Versions in which both CSCdi71085 and CSCdi87533 have been fixed are largely
invulnerable to this attack. These versions will create half-open TCP
connections upon receiving attack packets, but will continue to accept
legitimate TCP connections, and will delete the half-open connections within
about 30 seconds. The performance impact of such a half-open connection
during its lifetime is believed to be negligible.
Future versions in which CSCdj61324 has been fixed will be invulnerable to
the attack, and will not create half-open connections in response to attack
packets. We believe the security advantage of the CSCdj61324 fix over the
CSCdj87533 fix to be negligible; CSCdj61324 is largely a placeholder to be
used for integrating fixes in future non-11.2 releases.
If you believe that there is any possibility of hostile attack against your
system, and if you cannot protect yourself using the configuration
workaround given above, we strongly recommend that you upgrade to a versions
containing the fix for CSCdi71085, since the impact of CSCdi71085 under this
attack is very high. The fix for CSCdi71085 is available for releases based
on 10.3, 11.0, 11.1, and 11.2, and has been in the field for quite some
time. Users of 11.2-based releases should upgrade to post-11.2(4) versions,
thereby getting the fix for CSCdi87533 as well.
Cisco intends to release fixes for CSCdj61324 (equivalent to CSCdi87533) on
non-11.2 releases. The timetable for releasing these fixes has not yet been
set.
At the time of this writing, the following releases are recommended:
First released versions with
all existing fixes (*= fix for Recommended for most
Base Release CSCdi87533) installations
------------ ------------------------------ --------------------
10.3 10.3(16) 10.3(19a)
11.0 11.0(12), 11.0(12a)BT 11.0(17), 11.0(17)BT
11.1 11.1(7), 11.1(7)AA, 11.1(7)CA, 11.1(15), 11.1(15)AA,
11.1(9)IA 11.1(15)CA, 11.1(15)IA
11.2 11.2(4)*, 11.2(4)F*, 11.2 11.2(10), 11.2(9)P,
11.2(4)F1
Before 10.3 End of engineering 10.3(19a)
As with any software upgrade, you should make sure your system configuration
is supported by the new software before upgrading. It's especially important
to make sure that your system has sufficient memory to support the new
software. Upgrade planning assistance is available from Cisco's Worldwide
Web site at http://www.cisco.com/.
Workaround for Classic Cisco IOS Software
- ---------------------------------------
Classic Cisco IOS software users can use input access lists on their
interfaces to prevent the attack packets from entering their TCP stacks.
Input access lists are available in all Cisco IOS software versions from
9.21 onward. Using an input access list will prevent the attack entirely,
but may have unacceptable performance impacts on heavily loaded high-end
routers. Traffic will still be fast-switched, but higher-speed switching
modes may be disabled by the use of the input access lists. Use care in
deploying this workaround on heavily loaded routers.
If you have no existing input access lists, create a new IP extended access
list. Use a presently-unused number between 100 and 199. The access list
must have an entry for each IP address configured on the system. Deny
packets from each address to itself. For example:
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
If you have existing access lists, you'll need to merge the new entries in
an appropriate way, generally at the top of the list. The access list should
be applied incoming on all interfaces, so a fragment of a total router
configuration might look like this:
interface ethernet 0
ip address 1.2.3.4 255.255.255.0
ip access-group 101 in
!
interface ethernet 1
ip address 5.6.7.8
ip access-group 101 in
!
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Cisco IOS/700 Software Details
==============================
All Cisco IOS/700 software versions are vulnerable to this attack. Cisco
plans to release a software fix. The time of release has not been set.
Workaround for Cisco IOS/700
- --------------------------
Add the following configuration command to any profile that may be active
when connected to a potentially hostile network:
set ip filter tcp in source <7xx IP address> destination <7xx IP address> block
This will completely protect the 7xx system. We believe that 7xx
configurations in which this command has unacceptable performance or other
impact are extremely rare if they exist at all.
Cisco Catalyst LAN Switch Details
=================================
Cisco Catalyst 5000 LAN switches are vulnerable to attack. Other Cisco
Catalyst LAN switches are believed to be vulnerable. Cisco plans to release
software fixes for the vulnerability. The time of release has not been set.
The attack may be avoided by not assigning an IP address to the Catalyst
switch. However, this has the effect of disabling all remote management.
Depending on its location in the network, it may be possible to protect the
switch with router access lists or dedicated firewalls. An example of an
appropriate Cisco router access list entry for specifically protecting an
individual switch would be:
access-list 101 deny ip <switch-address> 0.0.0.0 <switch-address> 0.0.0.0
Note that this is not a complete access list. Other, more general filters
are feasible.
Using Cisco Products to Protect Other Systems
=============================================
We do not believe that this attack can be used against systems behind our
dedicated firewall products, the PIX and Centri firewalls, unless
general-purpose tunnels have been enabled through the firewalls. Such
configurations are not recommended and we believe them to be uncommon.
Properly designed anti-spoofing access lists at border routers can be used
to prevent the attack from entering a private network from the Internet. Use
the access lists to filter out packets whose IP source addresses are on your
internal net, but which are arriving from interfaces connected to the
outside Internet.
Exploitation and Public Announcements
=====================================
Cisco has had multiple reports of this vulnerability.
Most exploitation seems to be using the original program, which sends one
packet at a time. Floods of invalid packets have not been reported.
This issue has been widely discussed in a variety of Internet forums.
Exploitation code is widely available to the public.
Cisco first heard of this problem on the morning of Friday, November 21.
Distribution of this Notice
===========================
This notice is being sent to the following Internet mailing lists and
newsgroups:
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* bugtraq@netspace.org
* first-teams@first.org (includes CERT/CC)
* nanog@merit.edu
Updates will be sent to some or all of these, as appropriate.
This notice will be posted in the "Field Notices" section of Cisco's
Worldwide Web site, which can be found under "Technical Tips" in the
"Service and Support" section. The URL will be
http://www.cisco.com/warp/public/770/land-pub.shtml
The copy on the Worldwide Web will be updated as appropriate.
Cisco Security Procedures
=========================
Please report security issues with Cisco products to
security-alert@cisco.com.
Revision History
================
Revision 1, 14:00,
21-NOV-1997 Initial revision
Revision 2, 08:00 Add information about highly vulnerable
22-NOV-1997 IOS versions. Add detailed information about
affected version numbers. Add specific bug IDs.
Add upgrade recommendations. Add first
information about Catalyst LAN switches. General
editing and reformatting.
This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
redistributed freely provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQEVAwUBNHcosQyPsuGbHvEpAQH1NQf+OJAF/qMwaCSwYysR5qu36iZ3K04bAJ9r
MsqAxdlY10yyN//L2P8Ntz3AYOtOih6EZKBYmmz/kyTp7zMr2J3ZCw01O5s2LfTX
1McIBV8kzf0kMYh4c+0rsjqS6jlXC0OakCNav6P+rO13nb+FTfhWoDOzcFCxr4sB
5gQqAClQyvWhempObDRpLE0gHKnLyyB4wWkhBDbA9tQz4TmTDfwRiIDeWAuuYY7k
87BqS5a7g7G2MZRmeiKIJV8F66USN4vSpAJxIdzXAyyUjxZBdv9B4BHCb9/LUvTM
cHr06PppMDm4mNJAP3sedVtOnQHR/rEPuBMfKAE6xg8zyyNvG/B93w==
=SKCo
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0
mQGhBDPvjDARBAD82RXM1EyVSEpL6mpDMyxI8Scc22yVqRYL+Ckv0SXHEPaZNIgQ
blVx32jyfnmGIZeVYK2sDRTB6vXJt1k+R5HRRhTG7fB0f309gT/Zgmk64zC7L4nL
Qp6fNEVJLfxRdrwXCOPfBf56Y8vKBFZSvwK4qLNHurMP2MVUuYfCl2UpHwCg/6Wz
FTHW34HvDKgD+3k0ap0lMq8EAME9i5IEdwTnGO2zsyyc/gw6QKoSGNEkbGmciZuk
AQTulVKQpYMv1jIm6Uy91HbsR0mUWxPzCBPCvJzvZOW0O+AJq4m/h1dQD2kdIHt+
nYAdfZjY26YUpB6gfFmQucGhH/o8GfhkmN6Lw21+gx4lctfia2/46poasCNo961y
KyuQA/ID6qpHargBoOk2n/av9jV1Rox8vhYVGwQhmVpYVUMzdw8ldo3CejaqyW97
IyOU7tZo4WUzJ2Z3sG0DHdim+VoeDjb5hsd34MzoGL7KjRFGldbNr2H/DhmItLyz
xJ5YXgMXNGy3IhfOjCwZsGhZ1eTddxbD7rb7+VN/ROhTpCSXtEdDaXNjbyBTeXN0
ZW1zIFByb2R1Y3QgU2VjdXJpdHkgSW5jaWRlbnQgUmVzcG9uc2UgVGVhbSA8cHNp
cnRAY2lzY28uY29tPrRQQ2lzY28gU3lzdGVtcyBwcm9kdWN0IHNlY3VyaXR5IGlu
Y2lkZW50L2J1ZyByZXBvcnRpbmcgPHNlY3VyaXR5LWFsZXJ0QGNpc2NvLmNvbT65
Ag0EM++MTxAIANfnEviV6GSqF/7SMetsaCkKUe/TmcEtoYRdE9ZorvLlruvSaFHM
gXCg4SqyC689BJJBaKN2MTYIV0T3idlbHp4mXHDyU28tTEFenA9m4ER0PxEO/wIT
I3XoOO7SCxUnxyvxPy8Jn9PYBHMpF+iWqUbzLsX4tZI7LJj73i0vi+5tGNaBBFu4
cD2UJis7lb/CSK7bb4RJ6lHYVWHtbcFApwSRheeusvN0YwKpPg5hy6gwaUSKtddJ
DadcJcQ/G2I820onsqgYRfDncEBYuLavuu2h5CuR+Qz6jrwNUAX1f6UxC2WYY7ts
p+wzQJ9VuTnKQEFPc6GIoiSSeyV3KibzVZ8AAgIIAKDBdTFi6kQSB1+x7XQgQ8SN
L0HFjtr25TMJr/eeU6m1NkrtCVg3llA+lhTmpork6ZDu3GXp/IW02o246G57Z23p
HU1VkEwjsWl1sdUY5QH+wIV6uZJubZW1TroDI86l0m7WeWC+mqQXn6GuvkX+YpF5
qU1OCY9Pnen6sWkYXiqE5LW3USyYxglTac8EQqcs3JYevV1/M6oTWXdMSEDV2/Bq
d9g5qZBYQFkkftdW6YsJPMGgn2EIyu4kTyazk3UafH/yqemCbGX6S5j3krCoIMwf
UpeOHPB1OxACLB0loA2cwCpq5p7WhXUCyRuqdXYN50NUrmKDo8+hsL/e89PofQWZ
AQ0DM++M2AFtAQgA0rsqUAdCxqMH23R11iGtk2Zo6fI8vxPkllEOru5J/cd9dn2B
wT4NTf/b9O4JruX8/R9uWlS3E6jYVJyN2Dpl39X7wUf77B8fsY/4zaUkjDU39Q2E
t+pR7tElm0C8BvZVGkDelXzXqeCTQfu1vZHICy7cfsy/BMNlpn93OEz/jS4PPZs5
SORqjEL9wouw/44MvJ08rdc/OOr1eKkLcBfzMMtuMAxLI1OlA/hzY28h/pfhDhAP
7Jkm7R1gDyL9ALYX1xvixPp8q2hEQ3BUtCEfCTHAouqbKiQss5ntC9DDVGqzxlQT
ijk4V1/Re+pbb4LX4JZDln3ztkcMj7Lhmx7xKQAFEbRHQ2lzY28gU3lzdGVtcyBQ
cm9kdWN0IFNlY3VyaXR5IEluY2lkZW50IFJlc3BvbnNlIFRlYW0gPHBzaXJ0QGNp
c2NvLmNvbT6JARUDBRAz74zYDI+y4Zse8SkBAWVjCACT3Ia+8fVGzPd1ACBvMFGI
Dry7lhhf9vz+flpOu3ErVn0qW2N0ONxT+u/Z+qbCGxz1DYlgTWt7+KJRS7FNNdzE
J2ct9nvnDo/u/VdoTwdtpe9RtiYW4rG+HMjqCdnc5YSpVD8/VEHvPNLAe28wA6au
S3L68XPyDjfa0N5T9YSJ/Q8B41qyxWMgETeZIVyegX0/BHv73zegsj5BRPP4pnem
juvsRMVcFqJ7wxjm8yjZrR2zoZSysxWkWInbOu5IIlAm9VWh71VP2mD3Z8fDq9Jh
kF/qNw937eRSMBwBlCPkmS6jlC0Nz4mkKzoDglL6eTZQ9iKwU5/EeNHZu/f3rKaV
iQA/AwUQM++M9JaBp3w9UuB/EQLzmwCgtbsVjd1ZZcuJkPoVs3cbzX9JibYAoLcQ
8+WP7M0y3zdSUEhHToFY6E+ZiQA/AwUQM++N6GFYFsU6zlX+EQKEywCggc3awk02
yj6RivcbYFn3Qon77scAn29CR0lHAjsdLIv6LJ9BLdhXiK8piQCVAwUQM++6KXem
vD4nAHb9AQG6OQQAq/GzwDk4yT9MPy25AwBMgsPGePRkZ6kBXTBsmMnHxthDniyE
Xqvg6XJYRU86f2wyfzVDJY55qmukl9haCqe3Inxo7gyHaB8ji4rMqfmEn2fjbiAv
dw5wlQqYBEEYWAviAHpBlTqT7naq5u/TyAdgENROnFu1jLT39uJ4RPpO7o2JAHUD
BRAz8OcoAFBd0vcu1XkBAQHWAwCe0KmW5QKgf1Kmf7hEEpBT2pViNkv3J7tB33Py
4ohQYztUUwP8QJq9EQR3qCBgUJfa3VhXWPrzTn6hE7H/GHEJ7g5IbY9fo1DHcxyE
xaBBKIEoWKR/FdxsNPBTgcaT9TyJAJUDBRAz8OTdGKb4qo5nGiEBAU7QA/4+RFkA
yy4YnrZc6Y7btnCgHXIwH4tqFL3NaVVS4KsGzQ2WgLRRz1rJ3D61aqvk9Tz3vY5m
YwjWY+eOwBqjuEl5UUQqY2kn6c8XHnp+Y7XfwPqH7V5hixcwSTHgU0diav+E/1FP
sm6oUKEHh4cC0vfsYOjqlSoilF1sjqKZT5MZZIkAlQMFEDPw6Yx61S0GnPSVuQEB
meoD/1VyOvmqnEQsTBiYmEGKHgSFrRs95vEOlP/ANCVYXwpBVP51Vrj+RcNkNJAQ
5xX5D5nRgDGoUVpYcjUJivalH6MOrPHF2zG/As9onZira+dv9SjM/MJhdpGvx0oT
YtpGlQh79+uloqCAZ9P4c/flZZICRLjI/3Uj73HDbEAcLsX8iQA/AwUQM/DxS7iw
R2HEkUMHEQJK7gCfRWzVa9mGDX4X2BdUB1Z5l5DCM+MAn2SIHiZS3o94TVhp+jTL
2HWHbnPjiQCVAwUQM/DpqtRZvFG/tj1hAQGsZgP8DJgX+4foQlVnDD+gBKXmnG3Z
D1hHkpvrR/tGww6LjxKAhXSWtQKTysQ3seIQyUxLOOq0K4A9vFzzmW1gDZXwYwG7
PXoNn4uyGY3YF2jke+Unug41F9POcBp4pUfjQxgj7iiPRn6ZduEhPjw6RBRpYDH5
fF3Mu5/E01TygWisn8WJARUDBRAz81dfH2q6+RwPtwkBAcNnCACSHlH85LxLMRVY
46WdQ9Joj8809J4p0Q469Tkrq7wMyxv8znvvl+D2loIaL5SeBGIvfFaPKQnN+un3
gX/R3g+l2RxBQRqjr65kGAhsMr1L9bRsMAUKAKfDLbQk9fEmB2KRBvQYsHM/7fVY
eXglIxdO40AUnzPtRz9rYlZ7dBn7Dy5k/kjIBKKZhgu77X0fGjh9hP9s45D3vnNq
sKBoM7pvgdTrwYbdarK2a4GPpWm7XHkhr1w2nGA+a0zjCDzfObHTp8NMY3z0Rgeu
3t2W7EIF6zE+FSyZmfTvVd2rXMxgjMeeziPHAJESnmQ0y0+xQoDx1IDhQ7YF2Q6r
khfqxxM6iQA/AwUQM/KsxSLcSmI6S/dwEQKA0QCfR1O0vDQ0M8ef9c+DHPyNydGz
OOQAnRscGYHbrrXrN1yuA9mti29pz2BViQCVAwUQM/EQTX+11HSaYdsJAQE7ZgQA
8Z5GzK1Qd4vu1Rt0OAubPp9yug2QmTqyNAsDDQdiqcdvCF9cK8VCYBvTRaHDjFBx
Jd6PclQlLBcPIQnkCE4Pch1OQomckDzXEnNgleGnyQlMXT0zm+gHl5mDUWnRtwTD
drYxfLdJZFZ8ntJIDYN7t0Gl/ag5l4j0C5GW0d9WYo+0UENpc2NvIFN5c3RlbXMg
cHJvZHVjdCBzZWN1cml0eSBpbmNpZGVudC9idWcgcmVwb3J0aW5nIDxzZWN1cml0
eS1hbGVydEBjaXNjby5jb20+iQEVAwUQM++NXQyPsuGbHvEpAQEIKwf/eLwnERXH
CP4X999/aUJEMPzd8lMaFg1i84ALFhpFKzWHBnWkBZItTM35xzciq5v51P3OBu5u
scU/yRgHmg/ESH3abJXt3SKMsjzZE1zvKuqX0wjYf3Ihh2CtPZo/3wpsa6XGuLdT
0dDUCdU8Tjd67wX3p+CI6CBGoMqLuVY/0AO9xoo7drVoOT9fYQ7UjSNIkxN9nVzI
yWmaudOzeLnHaVf7jYYeOmADe1YaVM3oMVZrmTZ1TtPMTd0ovWrPll27zVYx1PjE
NuTZDpnysa7agoD5hemtKUXR0GwbeoVMpIWCceKNNPh8kjb6B5sTOl7y8ZR/gUld
CaNn5sbZ1N1QrIkAPwMFEDPvjXSWgad8PVLgfxECp2MAn1VUzoaLFiek6lky++m4
qTc4ejAoAJ9DE/8NyaqDkq0M+d3qEcxpVsQEBokAPwMFEDPvjflhWBbFOs5V/hEC
GTAAoNaAhsFpD+qhH0X8IyGaljO1ywwHAKDYNOETuHePkca+yLDLwyxlmYurmYkA
lQMFEDPvuil3prw+JwB2/QEBcpsD/25lxJqT+7jW4W6jDm7CTJ2OR8fPtdEUrj0d
fujPCgltXJ3OVREwg69vCl/rCz9sVPKEzVFEbdvkTmjimxeg1ajBcb642SZMuFcg
E60fhNyNsteyktZSI20E2UnZ0MrGK33J7Vn/1xPCl9o3ICa1vRo8E3ixnyvoGaB3
jhXHSdIviQCVAwUQM/Dk6him+KqOZxohAQEn9QQAtd5uSls7cYT+MZvjWrMxyhNV
e3eSqHWZjXImWg8SWVey0/XI7ze5zMt8+GEpQoAaD9ZlLl4WthNG8iq7YdnsXQ99
OqpF4pRSvsYVv5BRPO3XvwNDN8jJMdP7jcIgwXo08Zt1YWTDMxpSNcF7ARfZ5M2D
V9FKhgLris+9IRcWeemJAJUDBRAz8OmTetUtBpz0lbkBAdxmBACq97OI8lyJWvN1
qeZQca3wtrauXWpehi1gBxLnWBUPYPGV78nVIi/JFbKxMTT6zxf7ODDvXNBebngp
Qp2gVO8TJ6tzrk2dVUKA9Sk03z8fRdSk13WhnYoojPPebFBtXBrnSxEq9gEVSj2Z
R9u/5qUUrjKtZqoAXcPHfwqJCuo5rYkAPwMFEDPw8fC4sEdhxJFDBxEC75sAmgMQ
NrF121TfmZ6QKCU2NscuY5H6AKCJinLR8Hwm00kTSTfFAO5bQfy4bYkAlQMFEDPw
6bfUWbxRv7Y9YQEBJtkD/3BgNhOa+2hK68jTI4hMaCaHyRII4wCZeKSEjoBJnLwa
GQ9fs5jbJtfYjDtdcCkvSZy4OvXcWb7Gu31PKbJgBtGeY+Ns+fUahhUz+is35H+3
+ZuV91v56SW8wqcKEDt40V9g1TP5X6VE+QfXnoScFdjCbOViwoR6saPEkujJASuy
iQA/AwUQM/Ks2CLcSmI6S/dwEQKghwCeOY2rw3OcrQdiDCJxZhSMMCa17pAAoIrq
3Epb5UdZEnZxJ/aZpGR/ROaaiQCVAwUQM/EQdH+11HSaYdsJAQGKBAP+LRkDVCwW
NCpAAFOag6ou3SmFfxD19qRfLPbjlm3nLk6wYvbSXBVp1VXMRJkdmCXSxMe0vo1r
xCMoL66qVutyHrSgifPPN6AYNPKTTNUx5o0Ck5xXf4PWoy8cfvyrKJtd/wDi4Ryf
WOsZNYKVAf1ItbZse243ICsgMAduzZLgygo=
=OrTt
-----END PGP PUBLIC KEY BLOCK-----