cisco.packet.leakage.txt

`Date: Tue, 13 Apr 1999 14:57:11 -0000  
From: [email protected]  
To: [email protected]  
Subject: Cisco security notice: Input Access List Leakage with NAT  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
Cisco IOS(R) Software Input Access List Leakage with NAT  
  
Revision 1.2  
For release Tuesday, April 13, 1999, 08:00 AM US/Pacific  
  
Cisco internal use only until released on www.cisco.com  
==============================================================  
  
Summary  
=======  
A group of related software bugs (bug IDs given under "Software Versions and  
Fixes") create an undesired interaction between network address translation  
(NAT) and input access list processing in certain Cisco routers running  
12.0-based versions of Cisco IOS software (including 12.0, 12.0S, and 12.0T,  
in all versions up to, but not including, 12.0(4), 12.0(4)S, and 12.0(4)T, as  
well as other 12.0 releases). Non-12.0 releases are not affected.  
  
This may cause input access list filters to "leak" packets in certain NAT  
configurations, creating a security exposure. Configurations without NAT are  
not affected.  
  
The failure does not happen at all times, and is less likely under  
laboratory conditions than in installed networks. This may cause  
administrators to believe that filtering is working when it is not.  
  
Software fixes are being created for this vulnerability, but are not yet  
available for all software versions (see the section on "Software Versions  
and Fixes"). This notice is being released before fixed software is  
universally available in order to enable affected Cisco customers to take  
immediate steps to protect themselves against this vulnerability.  
  
Who Is Affected  
===============  
If you are using input access lists in conjunction with NAT on an interface  
of a Cisco IOS router running any 12.0-based version of Cisco IOS software  
earlier than the fixed versions listed in the table under "Software Versions  
and Fixes", then you are affected by this vulnerability. Non-12.0 releases  
are not affected.  
  
Both input access lists and NAT must be in use on the same router interface  
in order for this vulnerability to manifest itself. If your configuration  
file does not contain the command "ip access-group <acl> in" on the same  
interface with "ip nat inside" or "ip nat outside", then you are not affected.  
The majority of routers are not configured to use NAT, and are therefore not  
affected. NAT routers are most commonly found at Internet boundaries.  
  
Affected Devices  
- --------------  
Cisco devices that run Cisco IOS software, and are affected by this  
vulnerability, include the following:  
  
* Cisco routers in the 17xx family are affected.  
* Cisco routers in the 26xx family are affected.  
* Cisco routers in the 36xx family are affected.  
* Cisco routers in the AS58xx family (not the AS52xx or AS53xx) are  
affected.  
* Cisco routers in the 72xx family (including the ubr72xx) are affected.  
* Cisco routers in the RSP70xx family (not non-RSP 70xx routers) are  
affected.  
* Cisco routers in the 75xx family are affected.  
* The Catalyst 5xxx Route-Switch Module (RSM) is affected. The Catalyst  
5xxx switch supervisors themselves are not affected; only the optional  
RSM module is involved.  
  
Cisco devices which run Cisco IOS software, but are not affected by this  
vulnerability, include the following:  
  
* Cisco routers in the 8xx family are not affected.  
* Cisco routers in the ubr9xx family are not affected.  
* Cisco routers in the 10xx family are not affected.  
* Cisco routers in the 14xx family are not affected.  
* Cisco routers in the 16xx family are not affected.  
* Cisco routers in the 25xx family are not affected.  
* Cisco routers in the 30xx family are not affected (and do not run 12.0  
software).  
* Cisco routers in the mc38xx family are not affected.  
* Cisco routers in the 40xx family are not affected.  
* Cisco routers in the 45xx family are not affected.  
* Cisco routers in the 47xx family are not affected.  
* Cisco routers in the AS52xx family are not affected  
* Cisco routers in the AS53xx family are not affected.  
* Catalyst 85xx Switch Routers are not affected (and do not support NAT).  
* GSR12xxx Gigabit Switch Routers are not affected (and do not support  
NAT).  
* Cisco 64xx universal access concentrators are not affected.  
* Cisco AGS/MGS/CGS/AGS+ and IGS routers are not affected (and do not run  
12.0 software).  
* LS1010 ATM switches are not affected.  
* Catalyst 2900XL LAN switches are not affected.  
* The Cisco DistributedDirector is not affected.  
  
If you are unsure whether your device is running classic Cisco IOS software,  
log into the device and issue the command "show version". Cisco IOS software  
will identify itself simply as "IOS" or "Internetwork Operating System  
Software". Other Cisco devices either will not have the "show version"  
command, or will give different output.  
  
If you are not running Cisco IOS software, then you are not affected by this  
vulnerability. Cisco devices which do not run Cisco IOS software, and are  
not affected by this vulnerability, include the following:  
  
* 7xx dialup routers (750, 760, and 770 series) are not affected.  
* Catalyst 19xx, 28xx, 29xx, 3xxx, and 5xxx LAN switches are not  
affected.  
* WAN switching products in the IGX and BPX lines are not affected.  
* The MGX (formerly known as the AXIS shelf) is not affected.  
* No host-based software is affected.  
* The Cisco PIX Firewall is not affected.  
* The Cisco LocalDirector is not affected.  
* The Cisco Cache Engine is not affected.  
  
Impact  
======  
The severity of the impact may vary, depending on the device type,  
configuration and environment, from sporadic leakage of occasional packets  
to consistent leakage of significant classes of packets. The environment  
dependencies are extremely complex and difficult to characterize, but  
essentially all vulnerable configurations are affected to some degree.  
Customers with affected devices are advised to assume that the vulnerability  
affects their networks whenever input access lists are used together with  
NAT in 12.0-based software.  
  
This vulnerability may allow users to circumvent network security filters,  
and therefore security policies. This may happen with no special effort on  
the part of the user, and indeed without the user being aware that a filter  
exists at all. No particular tools, skills, or knowledge are needed for such  
opportunistic attacks. In some configurations, it may be also possible for  
an attacker to deliberately create the conditions for this failure; doing  
this would require detailed knowledge and a degree of sophistication.  
  
The conditions that trigger this vulnerability may be frequent and  
long-lasting in some production configurations.  
  
Software Versions and Fixes  
===========================  
This vulnerability is created by bugs in interface hardware drivers. These  
bugs affect the drivers for all interface types on affected platforms. The  
majority of these driver bugs are grouped under Cisco bug ID CSCdk79747.  
Additional bugs IDs include CSCdm22569 (miscellaneous additional drivers),  
and CSCdm22299 (Cisco 1400 and 1700 platforms; of these two, only the 1700  
actually suffers packet leakage).  
  
A related bugs is CSCdm22451, which describes a problem with the original  
fix for CSCdk79747.  
  
All four of these bugs are, or will be, fixed in the software releases  
listed in the table below.  
  
Many Cisco software images have been or will be specially reissued to  
correct this vulnerability. For example, regular released version 12.0(3) is  
vulnerable, as are interim versions 12.0(3.1) through 12.0(3.7) The first  
fixed version of 12.0 mainline software is 12.0(4). However, a special  
release, 12.0(3b), contains only the security vulnerability fixes, and does  
not include any of the other bug fixes from later 12.0 interim releases.  
  
If you were running 12.0(3), and wanted to upgrade to fix this problem,  
without taking the risk of instability presented by the new functionality  
and additional bug fixes in the 12.0(4) release, you could upgrade to  
12.0(3b). 12.0(3b) represents a "code branch" from the 12.0(3) base, which  
merges back into the 12.0 mainline at 12.0(4).  
  
In every case, these special releases are one-time spot fixes, and will not  
be maintained. The upgrade path from, say, 12.0(3b), is to 12.0(4).  
  
Note that fixes are not yet available for some affected releases. Cisco is  
releasing this notice before the general release of fixed software because  
of the possibility that this vulnerability may be exploited in the interim.  
All fix dates in the table are estimates and are subject to change.  
  
+-------------+---------------+--------------+-------------+---------------+  
| | | | Projected | |  
| | | Special spot | first fixed |Projected first|  
| | | fix release; | regular or | fixed regular |  
| Cisco IOS | | most stable | interim** | maintenance |  
|Major Release| Description | immediate | release (fix| release (or |  
| | | upgrade path | will carry |other long term|  
| | | (see above) | forward into| upgrade path) |  
| | | | all later | |  
| | | | versions) | |  
+-------------+---------------+--------------+-------------+---------------+  
| Unaffected releases |  
+-------------+---------------+--------------+-------------+---------------+  
|11.3 and | | | | |  
|earlier, all |Unaffected |Unaffected |Unaffected |Unaffected |  
|variants |early releases | | | |  
+-------------+---------------+--------------+-------------+---------------+  
| | 12.0-based releases |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0 |12.0 mainline |12.0(3b) |12.0(4), |12.0(4), |  
| | | |April 19, |April 19, 1999*|  
| | | |1999* | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0S |ISP support: | |12.0(4)S |12.0(5)S |  
| |7200, RSP, | |(treated as |June 21, 1999* |  
| |GSR12000. In | |interim** and| |  
| |field test. | - |released to | |  
| | | |field testers| |  
| | | |on request | |  
| | | |only | |  
| | | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0T |12.0 new |12.0(3)T2, |12.0(4)T, |12.0(4)T, |  
| |technology |April 14, |April 26, |April 26, 1999*|  
| |early |1999* |1999* | |  
| |deployment | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0DB |12.0 for Cisco | | |Unaffected; not|  
| |6400 universal | | |supported on |  
| |access | | |affected |  
| |concentrator | - | - |platforms. |  
| |node switch | | | |  
| |processor (lab | | | |  
| |use) | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0(1)W5(x) |12.0 for | | |Unaffected; not|  
| |Catalyst 8500 | - | - |supported on |  
| |and LS1010 | | |affected |  
| | | | |platforms |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0(0.6)W5 |One-time early | | |Unaffected; not|  
| |deployment for | | |supported on |  
| |CH-OC12 module | - | - |affected |  
| |in Catalyst | | |platforms. |  
| |8500 series | | | |  
| |switches | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0(1)XA3 |Short-life | |Merged |Upgrade to |  
| |release; merged| | |12.0(3)T2 or |  
| |to 12.0T at | - | |12.0(4)T |  
| |12.0(2)T. | | | |  
| | | | | |  
| | | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0(1)XB |Short-life |Unaffected |Merged |Unaffected; not|  
| |release for | | |supported on |  
| |Cisco 800 | | |affected |  
| |series; merged | | |platforms. |  
| |to 12.0T at | | |Regular upgrade|  
| |12.0(3)T. | | |path is via |  
| | | | |12.0(4)T |  
| | | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0(2)XC |Short-life | |Merged |Upgrade to |  
| |release for new| | |12.0(3)T2 or |  
| |features in | | |12.0(4)T |  
| |Cisco 2600, | | | |  
| |Cisco 3600, | - | | |  
| |ubr7200, ubr900| | | |  
| |series; merged | | | |  
| |to 12.0T at | | | |  
| |12.0(3)T. | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0(2)XD |Short-life | |Merged |Upgrade to |  
| |release for | | |12.0(3)T2 or |  
| |ISDN voice | - | |12.0(4)T |  
| |features; | | | |  
| |merged to 12.0T| | | |  
| |at 12.0(3)T. | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0(x)XE |Short-life |12.0(2)XE3, |Merged |Upgrade to |  
| |release for |April 13, | |12.0(3)T2 or |  
| |selected |1999* | |12.0(4)T. |  
| |entreprise | | | |  
| |features; | | | |  
| |merged to 12.0T| | | |  
| |at 12.0(3)T | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0(2)XF |Short-life spot|Unaffected |Merged |Unaffected; not|  
| |release of 12.0| | |supported on |  
| |for the | | |affected |  
| |Catalyst | | |platforms. |  
| |2900XL LAN | | |Regular upgrade|  
| |switch; merged | | |path is via |  
| |to 12.0T at | | |12.0(4)T. |  
| |12.0(4)T. | | | |  
+-------------+---------------+--------------+-------------+---------------+  
|12.0(2)XG |Short-life | |Merged |Upgrade to |  
| |release for | | |12.0(4)T |  
| |voice modules | - | | |  
| |and features; | | | |  
| |merged to 12.0T| | | |  
| |at 12.0(4)T. | | | |  
+-------------+---------------+--------------+-------------+---------------+  
  
* All dates are tentative and subject to change  
  
** Interim releases are subjected to less internal testing and verification  
than are regular releases, may have serious bugs, and should be installed  
with great care.  
  
Getting Fixed Software  
- --------------------  
Cisco is offering free software upgrades to remedy this vulnerability for  
all affected customers. Customers with service contracts may upgrade to any  
software version. Customers without contracts may upgrade only within a  
single row of the table above, except that any available fixed software will  
be provided to any customer who can use it and for whom the standard fixed  
software is not yet available. As always, customers may install only the  
feature sets they have purchased.  
  
Note that not all fixed software is available as of the date of this notice.  
  
Customers with contracts should obtain upgraded software through their  
regular update channels. For most customers, this means that upgrades should  
be obtained via the Software Center on Cisco's Worldwide Web site at  
http://www.cisco.com.  
  
Customers without contracts should get their upgrades by contacting the  
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:  
  
* +1 800 553 2447 (toll-free from within North America)  
* +1 408 526 7209 (toll call from anywhere in the world)  
* e-mail: [email protected]  
  
Give the URL of this notice as evidence of your entitlement to a free  
upgrade. Free upgrades for non-contract customers must be requested through  
the TAC. Please do not contact either "[email protected]" or  
"[email protected]" for software upgrades.  
  
Workarounds  
===========  
This vulnerability may be worked around by changing the configuration to  
avoid using input access lists, by removing NAT from the configuration, or  
by separating NAT and filtering functions into different network devices or  
onto different interfaces. Each of these changes has significant  
installation-dependent complexity, and must be planned and executed with a  
full understanding of the implications of the change.  
  
If the configuration of a router is changed to eliminate NAT, or to change  
the interfaces on which NAT is applied, as a means of avoiding this  
vulnerability, the router must be reloaded before the change will have the  
desired effect.  
  
Exploitation and Public Announcements  
=====================================  
Cisco knows of no public announcements or discussion of this vulnerability  
before the date of this notice. Cisco has had no reports of malicious  
exploitation of this vulnerability. However, the nature of this  
vulnerability is such that it may create security exposures without  
knowingly being "exploited" as the term is usually used with respect to  
security vulnerabilities.  
  
This vulnerability was reported to Cisco by several customers who found it  
during in-service testing.  
  
Status of This Notice  
=====================  
This is a final field notice. Although Cisco cannot guarantee the accuracy  
of all statements in this notice, all of the facts have been checked to the  
best of our ability. Cisco does not anticipate issuing updated versions of  
this notice unless there is some material change in the facts. Should there  
be a significant change in the facts, Cisco may update this notice.  
  
Distribution  
- ----------  
This notice will be posted on Cisco's Worldwide Web site at  
http://www.cisco.com/warp/public/770/iosnatacl-pub.shtml . In addition to  
Worldwide Web posting, the initial version of this notice is being sent to  
the following e-mail and Usenet news recipients:  
  
* [email protected]  
* [email protected]  
* [email protected] (includes CERT/CC)  
* [email protected]  
* comp.dcom.sys.cisco  
* [email protected]  
* Various internal Cisco mailing lists  
  
Future updates of this notice, if any, will be placed on Cisco's Worldwide  
Web server, but may or may not be actively announced on mailing lists or  
newsgroups. Users concerned about this problem are encouraged to check the  
URL given above for any updates.  
  
Revision History  
- --------------  
Revision 1.0, First release candidate version  
16:40 US/Pacific  
8-APR-1999  
  
Revision 1.1, Remove extraneous editor's comments  
18:20 US/Pacific  
8-APR-1999  
  
Revision 1.2, Typographical cleanup, clarification of affected releases  
12:00 US/Pacific in summary section, remove extraneous bug reference.  
9-APR-1999  
  
Cisco Security Procedures  
=========================  
Complete information on reporting security vulnerabilities in Cisco  
products, obtaining assistance with security incidents, and registering to  
receive security information from Cisco, is available on Cisco's Worldwide  
Web site at  
http://www.cisco.com/warp/public/791/sec_incident_response.shtml. This  
includes instructions for press inquiries regarding Cisco security notices.  
  
- ------------------------------------------------------------------------  
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be  
redistributed freely after the release date given at the top of the text,  
provided that redistributed copies are complete and unmodified, including  
all date and version information.  
- ------------------------------------------------------------------------  
-----BEGIN PGP SIGNATURE-----  
Version: Big Secret  
Comment: For info see http://www.gnupg.org  
  
iQEVAwUBNxNXfnLSeEveylnrAQHUqwf/bKI4zIa23ZbhKgn6pzlDxCmeKBxtDrxa  
B4hNQf9p07YPsNrA/LYepYmNJAQpZz4uXflBVU/cKeQE8o8/AvbxgUvGuV7MY4La  
Wafn7UbR26Vfixvk6ZzWPy8NnB5OGuL6Z7VEH3MW7UwNX8MPhKSLd6nCMA2Ily14  
nVvKbylroSJhyFSvI1TizJYh/jjIqMudxPBIftNYIuUNpeLZkQ6B0p/CxScJ6AAT  
Ze5+6KX4DMVKCb0uTV/+Hzayf67Z78eoxVSvA+Nj1CCE7J3nr8VC9qsJE0ItTbO9  
xv0AoJ4MfrscQzT12hbIii9pvDCe3gW1e7E8PGMVFGo3V4WMGsIilA==  
=XF+D  
-----END PGP SIGNATURE-----  
-----BEGIN PGP PUBLIC KEY BLOCK-----  
Version: Big Secret  
Comment: For info see http://www.gnupg.org  
  
mQENAzXPH5oC2wEIAMeLeBbPlxIznjaMMKWFlhVgQ85n4wm6A1ZeVCm0D8zRzATl  
IKC365xXRKx8bwTn5XjKxZ5/XVuZjhsMS/CCa7B4FfxqjYBpEvfWEYDmPfzipTC3  
nPAEc3T4yNWfaDKPxqv85WK+3yn0rpygWEgqw8+/n8QvoSbBEA9DU+5RTHIDEfOF  
vmqtDYB/2luIubN4X2jazwLeGhocarrbZmEW4fKsOpQ1xS1IuWbn9AWXjchMfL8z  
i+ow9p6BA2I0eqmP/c1Ld+cL/befk3/l8rPA7UUFOn1je7Fng0WAAUvjoHU56fO2  
oF6rO5jfHFu6yBt2ouRem/KMzx6WctJ4S97KWesABRG0R0Npc2NvIFN5c3RlbXMg  
UHJvZHVjdCBTZWN1cml0eSBJbmNpZGVudCBSZXNwb25zZSBUZWFtIDxwc2lydEBj  
aXNjby5jb20+iQEVAwUTNeY8KkZi51ggEbh5AQE64Af9HKKrj19Z5URxpZu1J/IG  
LpIJUsix8IHAudPCw/sNc7yipqwHVSDUGu1UKIEnQHP0jeAX98seyMCFdFzxChzc  
ZbUMXoa0H8nDhlHrAHUKWY66slfdDTBDV8ICdGTOZ9XcQOvoOAL8xhZJ0HTBcdM4  
b2w3ECgEdxPiPhL0+gBbqZ4c1YQzVnxKG20G1Vs/NtIJW1nQrapCI5EysQO/srUL  
u1J/BHsVKfSjayROrQVGWU5pnpxiCr8PRivWFOEXu1xcJLs05wiVvuWmA3x8v8Bt  
c9xPx3bnpAiiaKOKDqZh0eja6+7/pYWnTdpXwXdS+lwNBneVLLF4I1IOs412BNpa  
TIkBFQMFEDXPH5py0nhL3spZ6wEBPzgH/Axh9Q8T4Gviyhcqn+pSk+Ug55nkzrvQ  
+IZx3v9eFbvgBX5q16pRifhniuppTUzkklvOKeQ0Oz7MG6ekDSQcP9PAAJL8Kik5  
6MB1HbQTNxkr3qTBJELmXBRT7a6G4F2KzoEbphtS27p4v1MrJ2MWcc5HHrUpD8mE  
s4x9WhxXfPQSTRmJ9XcvIbv852y1bVMXwISt7TzpQuxH8oBLDhdlQu51ANd7hlAa  
7N+M8CYvxmpYCgxlPh8XhAuZZmMSVbtX7TMvoPtFRkwaV0kitxvfch36JMrGK/0b  
AedGRFGSqa8+bZmCBFABsn+pziHwuXLZhsJ14e8V+zqacxZe2apOQ4mIPwMFEDXP  
IpCWgad8PVLgfxECuK8AoNBJNor02wuTI9mVACgaknKdSqn9AJ9vZg3u0d5lx3l+  
QmkupOtBU40us4kBFQMFEDXPJBwMj7Lhmx7xKQEBhscIAJEkpzdvpzjHfETEZyml  
eUvq9IO1mVDQDQiyG02akI2PUe39Tl57jKjQ8Lyus0cfvHs7qVc8jj2e1+mUyXA1  
AwWOZaJsgVdkZIFKJnU9MfN3XIxwwkg7g3dB99oPrAbTgWkKdodJmTnKsXntAYcm  
g7/4a5UYujJ2+J/7z1ZmiMtqHu4hU7B36DoxZadmaOPe1cIzsy+5vBgg5vesDLb4  
O+3dae6BgsCay0eSLdfLkxI9hTGGiFTHrkgBaxOvQn6oUxVxnJC3EWfasJzFjjxS  
rXxNuUqL9fRXDNOYH2P9tcQtjOypZPOGgtLvwCf0rQl/6jNxIWTJHk/WXKbunvRK  
DIS0USBDaXNjbyBTeXN0ZW1zIHByb2R1Y3Qgc2VjdXJpdHkgaW5jaWRlbnQvYnVn  
IHJlcG9ydGluZyA8c2VjdXJpdHktYWxlcnRAY2lzY28uY29tPokBFQMFEDXPIS9y  
0nhL3spZ6wEBGHEH/2CYREeuDDx1lrlqKcTuSn13eyuVasAC4nIRkuY5T+ipAHq0  
p2fwQ0QyxGvMD8naoEiTwtO4tHWEfqaqG/txt0draa+//mX/qr865K/4qtDe2n6d  
Dz3uBy/wUn5i76302dthoUnbHpxug1NkKqop/FHYk9GztBMFlF+5COlBk5fYtYzD  
2Nrhc5oA8lPBmJNAcM9ifVIEzYHEnJIcdoqrwGKCz91xxAjW+XnyWtiJ80mRDJx8  
88qF5lmmmkopgrxrRwikHprFMsSzT9Vqt3Rts7PtPPOaSBlEcGgKOhN5PcWnpIar  
MeytrOkctsTjrqMaOEKudgaGgDrIgsBc6iYHwaaIPwMFEDXPIuWWgad8PVLgfxEC  
L9wAoOo4XEm03MsnyprNhw85ALRew0gZAKD6eXHl1C1ywrNTiWDH0SfR0j9qdokB  
FQMFEDXPJG8Mj7Lhmx7xKQEBcEQH/2mE5RbDsiZ++EAtWleejNT720qAEUQCtPdj  
yFRFiNhbc0yUhmoQ9dZKdujxKQWpZJt/5h7ax4VtPm3JtbQz8jgrugJYPYeERQSA  
qyimvjXwa4AFDsGwC1chtN+HnJwsixpLiHqx8k4CxKtPiKCVjLmZI3n+jZYXtlqb  
73pMXOEzOMuKNkM8eteUO29b/h++rN6WPGlS4Ua9t4/sxy7yz6m6FLHzwudub6wl  
ZfDrBZJuhsOq81j7P+QJ0pAi9fjsyn0Kh4LfjFefcp+9AmRgYFW4N/RTcKLlakkq  
rj6iCGUMm174zA4vYEohi1ottOEfAxDtF+uLVM5+ONUc6s+1kns=  
=l8tP  
-----END PGP PUBLIC KEY BLOCK-----  
  
`