tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search     info

RFC 6797

 Errata 
Proposed STD
Pages: 46
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: WEBSEC

HTTP Strict Transport Security (HSTS)

Part 1 of 3, p. 1 to 14
None       Next RFC Part

 


Top       ToC       Page 1 
Internet Engineering Task Force (IETF)                         J. Hodges
Request for Comments: 6797                                        PayPal
Category: Standards Track                                     C. Jackson
ISSN: 2070-1721                               Carnegie Mellon University
                                                                A. Barth
                                                            Google, Inc.
                                                           November 2012


                 HTTP Strict Transport Security (HSTS)

Abstract

   This specification defines a mechanism enabling web sites to declare
   themselves accessible only via secure connections and/or for users to
   be able to direct their user agent(s) to interact with given sites
   only over secure connections.  This overall policy is referred to as
   HTTP Strict Transport Security (HSTS).  The policy is declared by web
   sites via the Strict-Transport-Security HTTP response header field
   and/or by other means, such as user agent configuration, for example.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6797.

Page 2 
Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................4
      1.1. Organization of This Specification .........................6
      1.2. Document Conventions .......................................6
   2. Overview ........................................................6
      2.1. Use Cases ..................................................6
      2.2. HTTP Strict Transport Security Policy Effects ..............6
      2.3. Threat Model ...............................................6
           2.3.1. Threats Addressed ...................................7
                  2.3.1.1. Passive Network Attackers ..................7
                  2.3.1.2. Active Network Attackers ...................7
                  2.3.1.3. Web Site Development and Deployment Bugs ...8
           2.3.2. Threats Not Addressed ...............................8
                  2.3.2.1. Phishing ...................................8
                  2.3.2.2. Malware and Browser Vulnerabilities ........8
      2.4. Requirements ...............................................9
           2.4.1. Overall Requirement .................................9
                  2.4.1.1. Detailed Core Requirements .................9
                  2.4.1.2. Detailed Ancillary Requirements ...........10
   3. Conformance Criteria ...........................................10
   4. Terminology ....................................................11
   5. HSTS Mechanism Overview ........................................13
      5.1. HSTS Host Declaration .....................................13
      5.2. HSTS Policy ...............................................13
      5.3. HSTS Policy Storage and Maintenance by User Agents ........14
      5.4. User Agent HSTS Policy Enforcement ........................14
   6. Syntax .........................................................14
      6.1. Strict-Transport-Security HTTP Response Header Field ......15
           6.1.1. The max-age Directive ..............................16
           6.1.2. The includeSubDomains Directive ....................16
      6.2. Examples ..................................................16

Top      ToC       Page 3 
   7. Server Processing Model ........................................17
      7.1. HTTP-over-Secure-Transport Request Type ...................17
      7.2. HTTP Request Type .........................................18
   8. User Agent Processing Model ....................................18
      8.1. Strict-Transport-Security Response Header Field
           Processing ................................................19
           8.1.1. Noting an HSTS Host - Storage Model ................20
      8.2. Known HSTS Host Domain Name Matching ......................20
      8.3. URI Loading and Port Mapping ..............................21
      8.4. Errors in Secure Transport Establishment ..................22
      8.5. HTTP-Equiv <Meta> Element Attribute .......................22
      8.6. Missing Strict-Transport-Security Response Header Field ...23
   9. Constructing an Effective Request URI ..........................23
      9.1. ERU Fundamental Definitions ...............................23
      9.2. Determining the Effective Request URI .....................24
           9.2.1. Effective Request URI Examples .....................24
   10. Domain Name IDNA-Canonicalization .............................25
   11. Server Implementation and Deployment Advice ...................26
      11.1. Non-Conformant User Agent Considerations .................26
      11.2. HSTS Policy Expiration Time Considerations ...............26
      11.3. Using HSTS in Conjunction with Self-Signed Public-Key
            Certificates .............................................27
      11.4. Implications of includeSubDomains ........................28
            11.4.1. Considerations for Offering Unsecured HTTP
                    Services at Alternate Ports or Subdomains of an
                    HSTS Host ........................................28
            11.4.2. Considerations for Offering Web Applications at
                    Subdomains of an HSTS Host .......................29
   12. User Agent Implementation Advice ..............................30
      12.1. No User Recourse .........................................30
      12.2. User-Declared HSTS Policy ................................30
      12.3. HSTS Pre-Loaded List .....................................31
      12.4. Disallow Mixed Security Context Loads ....................31
      12.5. HSTS Policy Deletion .....................................31
   13. Internationalized Domain Names for Applications (IDNA):
       Dependency and Migration ......................................32

Top      ToC       Page 4 
   14. Security Considerations .......................................32
      14.1. Underlying Secure Transport Considerations ...............32
      14.2. Non-Conformant User Agent Implications ...................33
      14.3. Ramifications of HSTS Policy Establishment Only over
            Error-Free Secure Transport ..............................33
      14.4. The Need for includeSubDomains ...........................34
      14.5. Denial of Service ........................................35
      14.6. Bootstrap MITM Vulnerability .............................36
      14.7. Network Time Attacks .....................................37
      14.8. Bogus Root CA Certificate Phish plus DNS Cache
            Poisoning Attack .........................................37
      14.9. Creative Manipulation of HSTS Policy Store ...............37
      14.10. Internationalized Domain Names ..........................38
   15. IANA Considerations ...........................................39
   16. References ....................................................39
      16.1. Normative References .....................................39
      16.2. Informative References ...................................40
   Appendix A. Design Decision Notes .................................44
   Appendix B. Differences between HSTS Policy and Same-Origin
               Policy ................................................45
   Appendix C. Acknowledgments .......................................46

1.  Introduction

   HTTP [RFC2616] may be used over various transports, typically the
   Transmission Control Protocol (TCP).  However, TCP does not provide
   channel integrity protection, confidentiality, or secure host
   identification.  Thus, the Secure Sockets Layer (SSL) protocol
   [RFC6101] and its successor, Transport Layer Security (TLS) [RFC5246]
   were developed in order to provide channel-oriented security and are
   typically layered between application protocols and TCP.  [RFC2818]
   specifies how HTTP is layered onto TLS and defines the Uniform
   Resource Identifier (URI) scheme of "https" (in practice, however,
   HTTP user agents (UAs) typically use either TLS or SSL3, depending
   upon a combination of negotiation with the server and user
   preferences).

   UAs employ various local security policies with respect to the
   characteristics of their interactions with web resources, depending
   on (in part) whether they are communicating with a given web
   resource's host using HTTP or HTTP-over-Secure-Transport.  For
   example, cookies ([RFC6265]) may be flagged as Secure.  UAs are to
   send such Secure cookies to their addressed host only over a secure
   transport.  This is in contrast to non-Secure cookies, which are
   returned to the host regardless of transport (although subject to
   other rules).

Top      ToC       Page 5 
   UAs typically announce to their users any issues with secure
   connection establishment, such as being unable to validate a TLS
   server certificate trust chain, or if a TLS server certificate is
   expired, or if a TLS host's domain name appears incorrectly in the
   TLS server certificate (see Section 3.1 of [RFC2818]).  Often, UAs
   enable users to elect to continue to interact with a web resource's
   host in the face of such issues.  This behavior is sometimes referred
   to as "click(ing) through" security [GoodDhamijaEtAl05]
   [SunshineEgelmanEtAl09]; thus, it can be described as "click-through
   insecurity".

   A key vulnerability enabled by click-through insecurity is the
   leaking of any cookies the web resource may be using to manage a
   user's session.  The threat here is that an attacker could obtain the
   cookies and then interact with the legitimate web resource while
   impersonating the user.

   Jackson and Barth proposed an approach, in [ForceHTTPS], to enable
   web resources to declare that any interactions by UAs with the web
   resource must be conducted securely and that any issues with
   establishing a secure transport session are to be treated as fatal
   and without direct user recourse.  The aim is to prevent click-
   through insecurity and address other potential threats.

   This specification embodies and refines the approach proposed in
   [ForceHTTPS].  For example, rather than using a cookie to convey
   policy from a web resource's host to a UA, it defines an HTTP
   response header field for this purpose.  Additionally, a web
   resource's host may declare its policy to apply to the entire domain
   name subtree rooted at its host name.  This enables HTTP Strict
   Transport Security (HSTS) to protect so-called "domain cookies",
   which are applied to all subdomains of a given web resource's host
   name.

   This specification also incorporates notions from [JacksonBarth2008]
   in that policy is applied on an "entire-host" basis: it applies to
   HTTP (only) over any TCP port of the issuing host.

   Note that the policy defined by this specification is distinctly
   different than the "same-origin policy" defined in "The Web Origin
   Concept" [RFC6454].  These differences are summarized in Appendix B.

Top      ToC       Page 6 
1.1.  Organization of This Specification

   This specification begins with an overview of the use cases, policy
   effects, threat models, and requirements for HSTS (in Section 2).
   Then, Section 3 defines conformance requirements.  Section 4 defines
   terminology relevant to this document.  The HSTS mechanism itself is
   formally specified in Sections 5 through 15.

1.2.  Document Conventions

   NOTE:  This is a note to the reader.  These are points that should be
          expressly kept in mind and/or considered.

2.  Overview

   This section discusses the use cases, summarizes the HSTS Policy, and
   continues with a discussion of the threat model, non-addressed
   threats, and derived requirements.

2.1.  Use Cases

   The high-level use case is a combination of:

   o  Web browser user wishes to interact with various web sites (some
      arbitrary, some known) in a secure fashion.

   o  Web site deployer wishes to offer their site in an explicitly
      secure fashion for their own, as well as their users', benefit.

2.2.  HTTP Strict Transport Security Policy Effects

   The effects of the HSTS Policy, as applied by a conformant UA in
   interactions with a web resource host wielding such policy (known as
   an HSTS Host), are summarized as follows:

   1.  UAs transform insecure URI references to an HSTS Host into secure
       URI references before dereferencing them.

   2.  The UA terminates any secure transport connection attempts upon
       any and all secure transport errors or warnings.

2.3.  Threat Model

   HSTS is concerned with three threat classes: passive network
   attackers, active network attackers, and imperfect web developers.
   However, it is explicitly not a remedy for two other classes of
   threats: phishing and malware.  Threats that are addressed, as well
   as threats that are not addressed, are briefly discussed below.

Top      ToC       Page 7 
   Readers may wish to refer to Section 2 of [ForceHTTPS] for details as
   well as relevant citations.

2.3.1.  Threats Addressed

2.3.1.1.  Passive Network Attackers

   When a user browses the web on a local wireless network (e.g., an
   802.11-based wireless local area network) a nearby attacker can
   possibly eavesdrop on the user's unencrypted Internet Protocol-based
   connections, such as HTTP, regardless of whether or not the local
   wireless network itself is secured [BeckTews09].  Freely available
   wireless sniffing toolkits (e.g., [Aircrack-ng]) enable such passive
   eavesdropping attacks, even if the local wireless network is
   operating in a secure fashion.  A passive network attacker using such
   tools can steal session identifiers/cookies and hijack the user's web
   session(s) by obtaining cookies containing authentication credentials
   [ForceHTTPS].  For example, there exist widely available tools, such
   as Firesheep (a web browser extension) [Firesheep], that enable their
   wielder to obtain other local users' session cookies for various web
   applications.

   To mitigate such threats, some web sites support, but usually do not
   force, access using end-to-end secure transport -- e.g., signaled
   through URIs constructed with the "https" scheme [RFC2818].  This can
   lead users to believe that accessing such services using secure
   transport protects them from passive network attackers.
   Unfortunately, this is often not the case in real-world deployments,
   as session identifiers are often stored in non-Secure cookies to
   permit interoperability with versions of the service offered over
   insecure transport ("Secure cookies" are those cookies containing the
   "Secure" attribute [RFC6265]).  For example, if the session
   identifier for a web site (an email service, say) is stored in a
   non-Secure cookie, it permits an attacker to hijack the user's
   session if the user's UA makes a single insecure HTTP request to the
   site.

2.3.1.2.  Active Network Attackers

   A determined attacker can mount an active attack, either by
   impersonating a user's DNS server or, in a wireless network, by
   spoofing network frames or offering a similarly named evil twin
   access point.  If the user is behind a wireless home router, an
   attacker can attempt to reconfigure the router using default
   passwords and other vulnerabilities.  Some sites, such as banks, rely
   on end-to-end secure transport to protect themselves and their users
   from such active attackers.  Unfortunately, browsers allow their
   users to easily opt out of these protections in order to be usable

Top      ToC       Page 8 
   for sites that incorrectly deploy secure transport, for example by
   generating and self-signing their own certificates (without also
   distributing their certification authority (CA) certificate to their
   users' browsers).

2.3.1.3.  Web Site Development and Deployment Bugs

   The security of an otherwise uniformly secure site (i.e., all of its
   content is materialized via "https" URIs) can be compromised
   completely by an active attacker exploiting a simple mistake, such as
   the loading of a cascading style sheet or a SWF (Shockwave Flash)
   movie over an insecure connection (both cascading style sheets and
   SWF movies can script the embedding page, to the surprise of many web
   developers, plus some browsers do not issue so-called "mixed content
   warnings" when SWF files are embedded via insecure connections).
   Even if the site's developers carefully scrutinize their login page
   for "mixed content", a single insecure embedding anywhere on the
   overall site compromises the security of their login page because an
   attacker can script (i.e., control) the login page by injecting code
   (e.g., a script) into another, insecurely loaded, site page.

   NOTE:  "Mixed content" as used above (see also Section 5.3 in
          [W3C.REC-wsc-ui-20100812]) refers to the notion termed "mixed
          security context" in this specification and should not be
          confused with the same "mixed content" term used in the
          context of markup languages such as XML and HTML.

2.3.2.  Threats Not Addressed

2.3.2.1.  Phishing

   Phishing attacks occur when an attacker solicits authentication
   credentials from the user by hosting a fake site located on a
   different domain than the real site, perhaps driving traffic to the
   fake site by sending a link in an email message.  Phishing attacks
   can be very effective because users find it difficult to distinguish
   the real site from a fake site.  HSTS is not a defense against
   phishing per se; rather, it complements many existing phishing
   defenses by instructing the browser to protect session integrity and
   long-lived authentication tokens [ForceHTTPS].

2.3.2.2.  Malware and Browser Vulnerabilities

   Because HSTS is implemented as a browser security mechanism, it
   relies on the trustworthiness of the user's system to protect the
   session.  Malicious code executing on the user's system can
   compromise a browser session, regardless of whether HSTS is used.

Top      ToC       Page 9 
2.4.  Requirements

   This section identifies and enumerates various requirements derived
   from the use cases and the threats discussed above and also lists the
   detailed core requirements that HTTP Strict Transport Security
   addresses, as well as ancillary requirements that are not directly
   addressed.

2.4.1.  Overall Requirement

   o  Minimize, for web browser users and web site deployers, the risks
      that are derived from passive and active network attackers, web
      site development and deployment bugs, and insecure user actions.

2.4.1.1.  Detailed Core Requirements

   These core requirements are derived from the overall requirement and
   are addressed by this specification.

   1.  Web sites need to be able to declare to UAs that they should be
       accessed using a strict security policy.

   2.  Web sites need to be able to instruct UAs that contact them
       insecurely to do so securely.

   3.  UAs need to retain persistent data about web sites that signal
       strict security policy enablement, for time spans declared by the
       web sites.  Additionally, UAs need to cache the "freshest" strict
       security policy information, in order to allow web sites to
       update the information.

   4.  UAs need to rewrite all insecure UA "http" URI loads to use the
       "https" secure scheme for those web sites for which secure policy
       is enabled.

   5.  Web site administrators need to be able to signal strict security
       policy application to subdomains of higher-level domains for
       which strict security policy is enabled, and UAs need to enforce
       such policy.

       For example, both example.com and foo.example.com could set
       policy for bar.foo.example.com.

Top      ToC       Page 10 
   6.  UAs need to disallow security policy application to peer domains,
       and/or higher-level domains, by domains for which strict security
       policy is enabled.

       For example, neither bar.foo.example.com nor foo.example.com can
       set policy for example.com, nor can bar.foo.example.com set
       policy for foo.example.com.  Also, foo.example.com cannot set
       policy for sibling.example.com.

   7.  UAs need to prevent users from "clicking through" security
       warnings.  Halting connection attempts in the face of secure
       transport exceptions is acceptable.  See also Section 12.1 ("No
       User Recourse").

   NOTE:  A means for uniformly securely meeting the first core
          requirement above is not specifically addressed by this
          specification (see Section 14.6 ("Bootstrap MITM
          Vulnerability")).  It may be addressed by a future revision of
          this specification or some other specification.  Note also
          that there are means by which UA implementations may more
          fully meet the first core requirement; see Section 12 ("User
          Agent Implementation Advice").

2.4.1.2.  Detailed Ancillary Requirements

   These ancillary requirements are also derived from the overall
   requirement.  They are not normatively addressed in this
   specification but could be met by UA implementations at their
   implementor's discretion, although meeting these requirements may be
   complex.

   1.  Disallow "mixed security context" loads (see Section 2.3.1.3).

   2.  Facilitate user declaration of web sites for which strict
       security policy is enabled, regardless of whether the sites
       signal HSTS Policy.

3.  Conformance Criteria

   This specification is written for hosts and user agents.

   A conformant host is one that implements all the requirements listed
   in this specification that are applicable to hosts.

   A conformant user agent is one that implements all the requirements
   listed in this specification that are applicable to user agents.

Top      ToC       Page 11 
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

4.  Terminology

   Terminology is defined in this section.

   ASCII case-insensitive comparison:

      means comparing two strings exactly, codepoint for codepoint,
      except that the characters in the range U+0041 ..  U+005A (i.e.,
      LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and the
      corresponding characters in the range U+0061 ..  U+007A (i.e.,
      LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are considered to
      also match.  See [Unicode] for details.

   codepoint:

      is a colloquial contraction of Code Point, which is any value in
      the Unicode codespace; that is, the range of integers from 0 to
      10FFFF(hex) [Unicode].

   domain name:

      is also referred to as "DNS name" and is defined in [RFC1035] to
      be represented outside of the DNS protocol itself (and
      implementations thereof) as a series of labels separated by dots,
      e.g., "example.com" or "yet.another.example.org".  In the context
      of this specification, domain names appear in that portion of a
      URI satisfying the reg-name production in "Appendix A.  Collected
      ABNF for URI" in [RFC3986], and the host component from the Host
      HTTP header field production in Section 14.23 of [RFC2616].

      NOTE:  The domain names appearing in actual URI instances and
             matching the aforementioned production components may or
             may not be a fully qualified domain name.

   domain name label:

      is that portion of a domain name appearing "between the dots",
      i.e., consider "foo.example.com": "foo", "example", and "com" are
      all domain name labels.

Top      ToC       Page 12 
   Effective Request URI:

      is a URI, identifying the target resource, that can be inferred by
      an HTTP host for any given HTTP request it receives.  Such
      inference is necessary because HTTP requests often do not contain
      a complete "absolute" URI identifying the target resource.  See
      Section 9 ("Constructing an Effective Request URI").

   HTTP Strict Transport Security:

      is the overall name for the combined UA- and server-side security
      policy defined by this specification.

   HTTP Strict Transport Security Host:

      is a conformant host implementing the HTTP server aspects of the
      HSTS Policy.  This means that an HSTS Host returns the
      "Strict-Transport-Security" HTTP response header field in its HTTP
      response messages sent over secure transport.

   HTTP Strict Transport Security Policy:

      is the name of the combined overall UA- and server-side facets of
      the behavior defined in this specification.

   HSTS:

      See HTTP Strict Transport Security.

   HSTS Host:

      See HTTP Strict Transport Security Host.

   HSTS Policy:

      See HTTP Strict Transport Security Policy.

   Known HSTS Host:

      is an HSTS Host for which the UA has an HSTS Policy in effect;
      i.e., the UA has noted this host as a Known HSTS Host.  See
      Section 8.1.1 ("Noting an HSTS Host - Storage Model") for
      particulars.

   Local policy:

      comprises policy rules that deployers specify and that are often
      manifested as configuration settings.

Top      ToC       Page 13 
   MITM:

      is an acronym for "man in the middle".  See "man-in-the-middle
      attack" in [RFC4949].

   Request URI:

      is the URI used to cause a UA to issue an HTTP request message.
      See also "Effective Request URI".

   UA:

      is an acronym for "user agent".  For the purposes of this
      specification, a UA is an HTTP client application typically
      actively manipulated by a user [RFC2616].

   unknown HSTS Host:

      is an HSTS Host that the user agent has not noted.

5.  HSTS Mechanism Overview

   This section provides an overview of the mechanism by which an HSTS
   Host conveys its HSTS Policy to UAs and how UAs process the HSTS
   Policies received from HSTS Hosts.  The mechanism details are
   specified in Sections 6 through 15.

5.1.  HSTS Host Declaration

   An HTTP host declares itself an HSTS Host by issuing to UAs an HSTS
   Policy, which is represented by and conveyed via the
   Strict-Transport-Security HTTP response header field over secure
   transport (e.g., TLS).  Upon error-free receipt and processing of
   this header by a conformant UA, the UA regards the host as a Known
   HSTS Host.

5.2.  HSTS Policy

   An HSTS Policy directs UAs to communicate with a Known HSTS Host only
   over secure transport and specifies policy retention time duration.

   HSTS Policy explicitly overrides the UA processing of URI references,
   user input (e.g., via the "location bar"), or other information that,
   in the absence of HSTS Policy, might otherwise cause UAs to
   communicate insecurely with the Known HSTS Host.

Top      ToC       Page 14 
   An HSTS Policy may contain an optional directive -- includeSubDomains
   -- specifying that this HSTS Policy also applies to any hosts whose
   domain names are subdomains of the Known HSTS Host's domain name.

5.3.  HSTS Policy Storage and Maintenance by User Agents

   UAs store and index HSTS Policies based strictly upon the domain
   names of the issuing HSTS Hosts.

   This means that UAs will maintain the HSTS Policy of any given HSTS
   Host separately from any HSTS Policies issued by any other HSTS Hosts
   whose domain names are superdomains or subdomains of the given HSTS
   Host's domain name.  Only the given HSTS Host can update or can cause
   deletion of its issued HSTS Policy.  It accomplishes this by sending
   Strict-Transport-Security HTTP response header fields to UAs with new
   values for policy time duration and subdomain applicability.  Thus,
   UAs cache the "freshest" HSTS Policy information on behalf of an HSTS
   Host.  Specifying a zero time duration signals the UA to delete the
   HSTS Policy (including any asserted includeSubDomains directive) for
   that HSTS Host.  See Section 8.1 ("Strict-Transport-Security Response
   Header Field Processing") for details.  Additionally, Section 6.2
   presents examples of Strict-Transport-Security HTTP response header
   fields.

5.4.  User Agent HSTS Policy Enforcement

   When establishing an HTTP connection to a given host, however
   instigated, the UA examines its cache of Known HSTS Hosts to see if
   there are any with domain names that are superdomains of the given
   host's domain name.  If any are found, and of those if any have the
   includeSubDomains directive asserted, then HSTS Policy applies to the
   given host.  Otherwise, HSTS Policy applies to the given host only if
   the given host is itself known to the UA as an HSTS Host.  See
   Section 8.3 ("URI Loading and Port Mapping") for details.



(page 14 continued on part 2)

Next RFC Part