Static Context Header Compression (SCHC) and fragmentation for LPWAN, application to UDP/IPv6
Summary: Has 2 DISCUSSes. Needs one more YES or NO OBJECTION position to pass.
Roman Danyliw Discuss
(1) Section 12. The introductory text needs a bit more precision. Specifically: -- Per “Wireless networks are subjects to various sorts of attacks , which are not specific to SCHC.”, which other security considerations are being cited here? An alternative construct would be to state that “SCHC Packets rely on the security mechanisms of … [insert relevant references]” -- Section 12. “[W]e’ll assume that an attacker was able to break into the network”, what is that precisely? Is this simply join the network? -- Section 12. Per “Our analysis equally applies to legitimate nodes ‘going crazy’”, what does that mean – compromised nodes? unexplained behavior?
(2) Section 5.2. The text notes that the “SCHC F/R and C/D on the Network side can be located in the NGW or somewhere else …”. Given the reference architecture (per Figure 1) to what part of the architecture does “somewhere else” refer? (3) Section 7.4 and 7.5, was there any WG discussion around extensibility if one wanted to add additional MOs and CDAs in the future (I have no leading suggestions on what one of these extensions might be)? Is the thinking to write another draft which updates this RFC? (4) Section 184.108.40.206. What happens if a given window doesn’t have the same number of tiles as the others? I assume you silently drop the frames. It might be worth saying that. (5) Section 8.2.3. A citation is needed for “Reassembly Check Sequence”. (6) Section 8.2.4. Per “if windows are used and what the value of WINDOW_SIZE is”, to clarify, WINDOW_SIZE is actually set via profile (per Section 220.127.116.11), and this text is simply stating that there might be a per rule WINDOW_SIZE? (7) Section 8.4.3. Per “All tiles MUST be of equal size, except for the last one, which MUST be of the same size or smaller than the regular ones. If allowed in a Profile, the penultimate tile MAY be exactly one L2 Word smaller than the regular tile size.”, it seems like these two sentences conflict. The first sentence appears to state that all MUST be of equal size (but the last one) but the second sentence then says, the second from last tile could be shorter. (8) Section 12.1. Per “As a consequence, SCHC Decompression does not amplify attacks, beyond adding a bounded …”, but also a slight increase in processing to conduct the decompression too, no? Section 12. Do LPWAN environments have the equivalent of NIDS that which could be evaded with SDHC fragmentation per Joe Salowey’s SECDIR review (https://mailarchive.ietf.org/arch/msg/secdir/p-D9T5Z2nOJ9DHox1nqLCkd2z0A) and Section 3.7 of https://tools.ietf.org/html/draft-ietf-intarea-frag-fragile-15? (9) Editorial ** The term “on the network side” is used a number of places in the document. This isn’t precisely defined anywhere. ** Section 1. Perhaps s/computer or smartphone/general-purpose computer or smartphone/, as the Devs are computers. ** Section 3. This section provides a list and simple definition of elements of the architecture and depicts their relationship in Figure 1. -- Inconsistent with the others, the Application Server has no explanation in the bulleted list -- The LPWAN-AAA is depicted in Figure 1, but not enumerated in the bulleted list of elements ** In multiple places. Typo. s/occurence/occurrence/g ** Section 7.3. Typo. s/Inded/Indeed/ ** Section 7.5.1 and 7.5.2. Typo. s/aplying/applying/ ** Figure 3 and 24: Perhaps note that the SCHC ACK is optional/as needed (given that it isn’t used by all of the modes)
Benjamin Kaduk Discuss
I wavered a lot about whether to ballot Discuss or No Objection; there are a lot of important technical and clarity-of-writing points that remain in the Comment section, but only a few points seemed to merit elevating to the Discuss level. That said, this remains a generally clear and useful document, so I'm looking forward to seeing it further improved. (1) I'm concerned about Section 8.2.4's recommendation for the use of a sequential counter: A sequence counter that is incremented for each new fragmented SCHC Packet, counting from 0 to up to (2^T)-1 and wrapping back to 0 is RECOMMENDED for maximum traceability and avoidance of ambiguity. It seems like there may be substantial privacy and security considerations, here -- draft-gont-numeric-ids-history has some background about similar cases in the past and links to other documents with analysis and guidance for future protocols. Shall we discuss to what extent those concerns apply here? (2) In Section 18.104.22.168, does the use of the All-1 fragment to signify the end of the packet, combined with the lack of an explicit "number of fragments" field, imply that the RCS value is the only thing (at this protocol level) preventing an attacker from inserting, from off-path, additional fragments between the penultimate "legitimate" fragment and the final fragment? (I understand that the LPWAN radio technologies generally do have some physical-layer cryptographic mechanisms, though they sometimes involve shared symmetric keys.) If the RCS is to play this pivotal a role, we need to at least document that, and arguably give stronger guidance about how it should be computed. (3) There are several places (noted, for the most part, in the Comment section) where we say that some field is optional. I think this means "optional at the profile level" as opposed to "optional at runtime", but we should be clear in the document about that. (4) There's an internal inconsistency in Section 8.4.3: In ACK-on-Error mode, windows are used. All tiles MUST be of equal size, except for the last one, which MUST be of the same size or smaller than the regular ones. If allowed in a Profile, the penultimate tile MAY be exactly one L2 Word smaller than the regular tile size. We need to reword this, as the subsequent text contradicts the initial "MUST".
It's perhaps a little interesting/surprising to see this document describe itself as just "header compression [with some fragmentation support]". Is this intended (after profiling) to be the entire IPv6 adaptation layer for the LPWAN technologies in question, or would there need to be an additional adaptation layer? If yes, would the fragmentation be a better fit there? If no, perhaps the document should reframe itself as such? Some discussion in the security considerations about detecting malformed packets by unknown Rule ID prompted me to wonder about whether there is any possibility of SCHC (i.e., IPv6) traffic coexisting with non-IP LPWAN traffic on the same (device) interface. My naive expectation is that a device would need separate interfaces for IP and non-IP traffic, but I'm not sure. Is there any benefit from mentioning such scenarios in this document? Section 1 Header compression is needed for efficient Internet connectivity to the node within an LPWAN network. The following properties of LPWAN nit: s/the node/a node/ or s/the node/nodes/ -- there's more than one node within a given LPWAN network, in the general case. This document defines generic functionality and offers flexibility with regard to parameters settings and mechanism choices. Technology-specific settings and product-specific choices are expected to be grouped into Profiles specified in other documents. Having looked briefly at RFC 8376 and the rest of this document, I worry a little bit about enabling vendor-locked "walled gardens" there a specific product defines a custom protcol and does not provide sufficient information for others to interoperate with networks of the corresponding devices. Can we do more to ensure that the resulting profiles/protocols will be interoperable with independent implementations? Section 4 o Padding (P). Extra bits that may be appended by SCHC to a data unit that it passes to the underlying Layer 2 for transmission. SCHC itself operates on bits, not bytes, and does not have any alignment prerequisite. See Section 9. Do we mandate the value of the padding bits? A forward-reference to Section 9 might be helpful. Section 5 Should there be an indication in Figure 3 that the SCHC ACK is optional (as may be made necessary by the radio technology)? Section 5.2 The operation in the Downlink direction is similar to that in the Uplink direction, only reverting the order in which the architecture elements are traversed. nit: s/reverting/reversing/ Section 6 Rule IDs identify the Rules used for Compression/Decompression or for Fragmentation/Reassembly. Is the Rule ID name(number)space shared between C/D and F/R, or do they have distinct Rule ID tables? The scope of a Rule ID is the link between the SCHC Compressor and the SCHC Decompressor, or between the SCHC Fragmenter and the SCHC Reassembler. It seems that Section 7.2 clarifies that this scope is available per-device, and the rule IDs are not shared across all devices in the LPWAN application. Would it be worth putting "per-device" in here as well? o In SCHC F/R, to identify the specific mode and settings of F/R for one direction of traffic (Up or Dw). * When F/R is used for both communication directions, at least two Rule ID values are needed for F/R, one per direction of traffic. It might be worth a forward reference here, or a note that this is so we can tell what header format to use for parsing (e.g., fragment vs. ack). Section 7.2 [...] On the network side, in order to identify the correct Rule to be applied, the SCHC Decompressor needs to associate the Rule ID with the Dev identifier. Similarly, the SCHC Compressor on the network side first identifies the destination Dev before looking for the appropriate compression Rule (and associated Rule ID) in the Context of that Dev. Does this imply that the set of Devices is known in advance at provisioning time, or will part of device onboarding be to synchronize these Rule IDs+device ID state (or are they expected to be determinable algorithmically)? Section 7.3 * The first step is to check the Field Identifiers (FID). If any header field of the packet being examined cannot be matched with a Field Description with the correct FID, the Rule MUST be disregarded. If any Field Description in the Rule has a FID that cannot be matched to one of the header fields of the packet being examined, the Rule MUST be disregarded. This seems to imply that a given Rule must encompass the entire header structure considered as input to compression, since any field in the packet not having a corresponding FID in the Rule means that the Rule is disregarded. It would be good to state this requiremnet more plainly. example could be uri-queries in CoAP. Care needs to be exercised when writing Rules containing FP=0 values. Inded, it may result in decompressed packets having fields ordered differently compared to the original packet. There may be security consequences of this if there is a checksum or other integrity protection on the original packet! * If no eligible compression Rule is found, then the header MUST be sent in its entirety using the Rule ID of the "default" Rule dedicated to this purpose. Sending an uncompressed header may require SCHC F/R. It feels like s/may require/will likely require/ might be justified, given the description of LPWAN technologies here and in RFC 8376. o Compression: each field of the header is compressed according to the Compression/Decompression Actions (CDAs). The fields are compressed in the order that the Field Descriptions appear in the Rule. [...] Compressed in the order of Field Descriptions in the rule, not the order the fields appear in in the packet, interesting. This means that the ordering of fields in the Rule is semantically important (and we should say so explicitly) but perhaps also provides a bit more flexibility of compression in the cases where the protocol header being compressed allows flexibility of representation/field ordering. o Decompression: when decompressing, on the network side the SCHC C/ D needs to find the correct Rule based on the L2 address; in this nit: the L2 address of the Dev. The receiver identifies the sender through its device-id or source identifier (e.g. MAC address, if it exists) and selects the Rule using the Rule ID. This Rule describes the compressed header format and associates the received residues to each of the header fields. For each field in the header, the receiver applies the We could perhaps stand to say a bit more about "associates the received residues to each of the header fields", since even the boundaries between received residues need to be determined based on the Rule ID and any variable field lengths. Section 7.5.3 The not-sent action can be used when the field value is specified in a Rule and therefore known by both the Compressor and the Decompressor. This action SHOULD be used with the "equal" MO. If MO is "ignore", there is a risk to have a decompressed field value different from the original field that was compressed. The security considerations should talk about the consequences of that risk. Section 7.5.5 The mapping-sent action is used to send an index (the index into the Target Value list of values) instead of the original value. This Do we need to say this is zero-indexed? Section 8.1 The L2 Word size (see Section 4) determines the encoding of some messages. SCHC F/R usually generates SCHC Fragments and SCHC ACKs that are multiples of L2 Words. Do we want to say anything about the unusual cases where it does not? Section 22.214.171.124 The figure implies that the tiles need not all be the same length; is that worth stating explicitly (in contrast to Windows, which do need to have a consistent cardinality)? Section 8.2.3 The CRC32 polynomial 0xEDB88320 (i.e. the reverse representation of the polynomial used e.g. in the Ethernet standard [RFC3385]) is I don't think that RFC 3385 is a good reference for how to interpret the hex constant as a CRC polynomial. Given the parenthetical, perhaps it's not trying to be, but I'd suggest having a CRC32 reference. Note that the concatenation of the complete SCHC Packet and the potential padding bits of the last SCHC Fragment does not generally nit(?): I keep trying to read "potential padding bits" as "these bits exist but are potentially padding bits", as opposed to the intended "any padding bits [that may potentially be present]". (Also in the rest of this paragraph.) Section 8.2.4 The Rule ID allows SCHC F/R interleaving non-fragmented SCHC Packets and SCHC Fragments that carry other SCHC Packets, or interleaving SCHC Fragments that use different SCHC F/R modes or nit(?): I don't see how just the Rule ID allows identifying Fragments that carry other Packets, in the general case (i.e., including when the same F/R mode+parameters are used for both packets). The DTag seems necessary in this case. A flow of SCHC F/R messages with a given Rule ID and DTag value pair MUST NOT interfere with the operation of a SCHC F/R instance that uses another Rule ID and DTag value pair. What does "interfere with the operation of" mean? Is this supposed to be at a spectrum level or in the reassembly process? o C (integrity Check): C is a 1-bit field. This field is used in the SCHC ACK message to report on the reassembled SCHC Packet integrity check (see Section 8.2.3). A value of 1 tells that the integrity check was performed and is successful. A value of 0 tells that the integrity check was not performed, or that is was a failure. What is the recipient of this field expected to do in response to a 1 or 0 value? (E.g., some forward references might help.) A perhaps-related question is whether "not performed" is always due to "not all fragments were present" or could be "my software is configured to not check the RCS". Figure 39 suggests that it's the former, but if so that's probably worth saying explicitly. Section 126.96.36.199 The Regular SCHC Fragment format is shown in Figure 13. Regular SCHC Fragments are generally used to carry tiles that are not the last one of a SCHC Packet. The DTag field and the W field are optional. Optional at a Profile level, or at runtime? The Fragment Payload of a SCHC Fragment with FCN equal to 0 (called an All-0 SCHC Fragment) MUST be distinguishable by size from a SCHC ACK REQ message (see Section 8.3.3) that has the same T, M and N values, even in the presence of padding. This condition is met if the Payload is at least the size of an L2 Word. This condition is also met if the SCHC Fragment Header is a multiple of L2 Words. (I think there's an implicit "and the payload is at least one bit long" in here, which may actually go without saying, but I had to think about it while verifying the last sentence.) Section 188.8.131.52 The All-1 SCHC Fragment format is shown in Figure 14. The sender generally uses the All-1 SCHC Fragment format for the message that completes the emission of a fragmented SCHC Packet. The DTag field, the W field, the RCS field and the Payload are optional. At least What does "generally" mean? When would it be used for other things? As above, are W/RCS/Payload optional at the Profile level or at runtime? Section 8.3.2 The SCHC ACK message is shown in Figure 15. The DTag field, the W field and the Compressed Bitmap field are optional. The Compressed As above, optional at the Profile level or runtime? Section 8.3.4 The SCHC Sender-Abort format is shown in Figure 21. The DTag field and the W field are optional. The FCN field is all ones. [same comment] If the W field is present, o the fragment sender MUST set it to all ones. Other values are RESERVED. o the fragment receiver MUST check its value. If the value is different from all ones, the message MUST be ignored. I'm pretty sure there are some other preconditions here, maybe including "the SCHC Fragment has no payload", as ignoring all fragments that are not All-1s is unlikely to work very well. Section 8.3.5 The SCHC Receiver-Abort format is shown in Figure 22. The DTag field and the W field are optional. As above, optional at the Profile level or runtime? o if the value is different from all ones, the fragment sender MUST ignore the message. As above, are there other preconditions here? I guess the SCHC Receiver does not send many types of fragment, so the requirements here may actually be fairly weak. (Perhaps this requirement goes better rhetorically after the final paragraph of this section?) That does raise another question, of whether (when bidirectional traffic is used) it is needed or recommended to have the traffic direction be implicit in Rule ID. Section 8.4.1 For each active pair of Rule ID and DTag values, the receiver MUST maintain an Inactivity Timer. What happens if the receiver is under-resourced to do this? Section 184.108.40.206 Each SCHC Fragment MUST contain exactly one tile in its Payload. The tile MUST be at least the size of an L2 Word. The sender MUST Including the last tile? Section 8.4.2 o Data unit out-of-sequence delivery does not occur between the entity performing fragmentation and the entity performing reassembly Is there an implicit "but data units may be lost or otherwise not delivered" here? Section 220.127.116.11 o upon receiving a SCHC ACK, * if the SCHC ACK indicates that some tiles are missing at the receiver, then the sender MUST transmit all the tiles that have been reported missing, it MUST increment Attempts, it MUST reset the Retransmission Timer and MUST await the next SCHC ACK. Are there any ACK REQs involved here? How will the receiver know to send a second SCHC ACK if only some tiles (potentially not including the last tile of the window) are being retransmitted? o on Retransmission Timer expiration, * if Attempts is strictly less that MAX_ACK_REQUESTS, the fragment sender MUST send a SCHC ACK REQ and MUST increment the Attempts counter. E.g., this text would suggest that after sending the last tile of a window, we wait for the retransmission timer's delay before sending an ACK REQ and thus inherently stall the transaction for that long. (Later on we see that the All-0 Fragment has an implicit ACK REQ semantics, but it's unclear that this works for the last tile of a retransmitted window when the bitmap remains incomplete at the receiver.) Section 18.104.22.168 On receiving a SCHC Fragment with a Rule ID and DTag pair not being processed at that time [...] On reception of any SCHC F/R message, the receiver MUST reset the Inactivity Timer. I think these statements are inconsistent about the scope of the Inactivity Timer. The latter implies that the timer is global to the recipient, but the former implies it is specific to a Rule ID/DTag pair. (Section 8.4.2, of course, is clear that it is per-Rule ID/DTag pair.) + If the Bitmap indicates that all the tiles of the current window have been correctly received, the receiver MUST increment its window counter and it enters the "acceptance phase" for that new window. Is this going to leave us in a bad state if our ACK gets dropped? * on the Bitmap becoming fully populated with 1's, the receiver MUST send a SCHC ACK for this window, it MUST increment its window counter and it enters the "acceptance phase" for the new window. [same comment] o if the window is the last window [...] * on receiving a SCHC Fragment with a W bit equal to the local W bit, [...] + otherwise, the receiver MUST update the Bitmap and it MUST assemble the tile received. If the SCHC Fragment received is an All-1 SCHC Fragment, the receiver MUST assemble the padding bits of the All-1 SCHC Fragment after the received tile. It MUST perform the integrity check. Then - if the integrity check indicates that the full SCHC Packet has been correctly reassembled, the receiver MUST send a SCHC ACK and it enters the "clean-up phase". - if the integrity check indicates that the full SCHC Packet has not been correctly reassembled, It seems that there will be some cases where we know that there remain missing tiles; do we want to say anything about that (and skipping the integrity check validation) here? Section 22.214.171.124 On Retransmission Timer expiration o if Attempts is strictly less than MAX_ACK_REQUESTS, the fragment sender MUST send either the All-1 SCHC Fragment or a SCHC ACK REQ with the W field corresponding to the last window, o otherwise the fragment sender MUST send a SCHC Sender-Abort and it MAY exit with an error condition. Having a heads-up here that there's special behavior for the receiver where the window that gets ACK'd in response to an ACK REQ may be a different window than the one indicated in the ACK REQ would help me out, as there's a few places in this section where that behavior is implicitly relied upon but it's not otherwise stated until we get o the following subsection. In a few places in this section we talk about "the All-1 SCHC Fragment", but I'm not entirely clear on whether this will always include the last tile or, in the case where the profile directs that the last tile be included in a regular fragment, there is some special format for the All-1 fragment that does not include (much) payload. Section 126.96.36.199 On receiving any SCHC F/R message, the receiver MUST reset the Inactivity Timer. As mentioned above, this statement is overly broad (and should be scoped to Rule ID/DTag matching). After receiving an All-1 SCHC Fragment, a receiver MUST check the integrity of the reassembled SCHC Packet at least every time it prepares for sending a SCHC ACK for the last window. As mentioned previously, the receiver may already know it lacks some tiles, which makes checking the integrity kind of pointless. Section 10.7.2 As described in [RFC8065], it may be undesirable to build the Dev IPv6 IID out of the Dev address. Another static value is used instead. In that case, the TV contains the static value, the MO What's the scope/duration of this other static value's usage? Section 12 Do we want/expect the network gateway to be running a firewall that only allows traffic from the Application to be relayed down to the radio network? If so, what kind of authentication mechanism could it use? In a similar vein, I note that some of the examples show the use of link-local IPv6 addressing; if the device is one end of that "link", what node is the other end, and to what extent does the link-local nature of the addressing prevent off-path traffic injection? Wireless networks are subjects to various sorts of attacks, which are not specific to SCHC. In this section, we'll assume that an attacker was able to break into the network despite the latter's security measures and that it can now send packets to a target node. What is Since this is radio, is it implicit that the send-packets ability is "from off-path"? Section 12.1 It feels like we should say something about what the endpoint will do with the bogus packet after SCHC Decompression -- does it just get passed to the application with the application left to do any sanity/authenticity checking? I sympathize with the secdir reviewer's point about mixing secret information with attacker-controlled information as compression input. That said, my sense from reading the document is that compression is applied on a per-protocol-header-field basis, which makes it unlikely that there will be secret data combined with attacker-controlled data, but I would appreciate a confirmation of that. Section 12.2 This is a really great discussion of the risks affecting the fragmentation/reassembly mechanism; thank you! I suppose we could also mention the possibility of a spoofed ACK that claims all data is received when it was not successfully received, though in practice it does not seem like that would be particularly valuable to the attacker (not least since they would probably also need to suppress the legitimate ACK that indicates some fragment loss). I also note the secdir reviewer's remark about fragmentation and packet inspection devices. I mostly expect any such devices to not be at the radio layer for these application traffic flows, but please confirm. Appendix A What is the Rule ID for "no compression applied"? Appendix C Some of these are so hard to follow that I couldn't really verify them completely. I don't really have suggestions for improving them that don't involve using substantially more vertical space, though. Appendix D What about MAX_ACK_RETRIES? Appendix E tiles. If multiple window sizes are supported, the Rule ID may signal the window size in use for a specific packet transmission. Is this really a "may" or a "must"? I don't see what else would be used to determine what width to use when parsing the fragment. Appendix F When the SCHC Fragment sender transmits the All-1 SCHC Fragment, it starts its Retransmission Timer with a large timeout value (e.g. several times that of the initial Inactivity Timer). If a SCHC ACK is received before expiration of this timer, the SCHC Fragment sender retransmits any lost SCHC Fragments reported by the SCHC ACK, or if the SCHC ACK confirms successful reception of all SCHC Fragments of the last window, the transmission of the fragmented SCHC Packet is considered complete. If the timer expires, and no SCHC ACK has been received since the start of the timer, the SCHC Fragment sender assumes that the All-1 SCHC Fragment has been successfully received (and possibly, the last SCHC ACK has been lost: this mechanism [...] This seems like it's no longer a *retransmission* timer for the All-1 fragment, since we don't retransmit when it expires; we just assume success and stop.
Suresh Krishnan Yes
Deborah Brungard No Objection
Alissa Cooper No Objection
Please respond to the Gen-ART review. It seems as though RFC 8376 should be a normative reference given its use in the terminology section.
Mirja Kühlewind No Objection
Thanks for the well-written document! A few quick comments: 1) This text on ECN in sec 10.3: " ECN functionality depends on both bits of the ECN field, which are the 2 LSBs of this field, hence sending only a single LSB of this field is NOT RECOMMENDED." probably belongs in section 10.2 instead, no? 2) If I understand the protocol correctly, I believe it should be a normative requirement that the Inactivity Timer is always larger than the Retransmission Timer? Related to this, Appendix F says: "The initial value of the Inactivity timer is expected to be greater than that of the Retransmission timer, in order to make sure that a (buffered) SCHC Fragment to be retransmitted can find an opportunity for that transmission. One exception to this recommendation is the special case of the All-1 SCHC Fragment transmission." I think this section should be moved into the body of the document. Further, if you need a different timer value for the All-1 SCHC Fragment, you should give this timer a distinct name and value. 3) I also agree with Alvaro that appendix E should be moved into the body of the document if you intent to specify something normatively there. 4) Editorial in Sec 10.11: "...with a strength that is identical or better to the UDP checksum." Not sure what you mean by "better"...? 5) I wondering if you want to say maybe something about pacing out different fragments (mostly when a window is used). I know that any recommendation would be technology dependent but in some cases sending a burst of packets e.g. could overload some network queues; therefore it could be good to at least mention it...? 6) Without having thought too hard about it: is it possible with this compression scheme to specify a rule that increases a counter/sequence number by 1 (given the initial value is known)? Would maybe be nice to say something about this in the document...
Barry Leiba No Objection
Just a couple of things that didn’t show up in other reviews: — Section 3 — LPWAN technologies have similar network architectures but different terminologies. Similar to what? Do you mean “Different LPWAN technologies”, or are you comparing LPWAN technologies to something else? — Section 188.8.131.52 — o their numbers MUST increase from 0 upward, from the start of the SCHC Packet to its end. Just increase? Or increase by 1? The example in Figure 11 shows increasing by 1. If that’s a requirement, it should say. Figure 11 appears to have 29 windows, not 28, as it says.
Alexey Melnikov No Objection
Alvaro Retana No Objection
Please reference the appendices from the text -- only D is referenced. Are E and F intended to be normative?
Adam Roach No Objection
Éric Vyncke (was Discuss) No Objection
Thank you for addressing all my DISCUSS and COMMENTS and writing a useful and clear document. -éric