Internet-Draft                                                    V Modi
Category: Experimental                                      Novell, Inc.
Expires: February 3, 2000                                 August 5, 1999


                  LDAP Extensions for Proxy Connection
                draft-vmodi-ldapext-proxy-connect-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.htm.

   This Internet-Draft will expire on February 3, 2000.

Copyright Notice

   Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

   This document describes the LDAP extensions which allow LDAP client
   to connect to a DSA via an intermediate proxy / chain of proxies.
   (DSA is an X.500[1] term for directory server) 

Specification Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in RFC 2119[3]. 

   LDAP client is the software which provides access to LDAP directory
   via Lightweight Directory Access Protocol(LDAP)[2]. In this draft
   sometimes the word "client", is used for LDAP client. 

   DSA is the directory server which serves LDAP clients and allow them
   to access the directory information. 


Modi                    Expires February 3, 2000                [Page 1]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


   LDAP proxy server is the software which in itself is not the
   directory but can serve the LDAP client by connecting to DSA on
   behalf of client. In this draft sometimes the word "proxy" or 
   "LDAP proxy" is used for LDAP proxy server. 

Table of Contents

   1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.    Problem Description  . . . . . . . . . . . . . . . . . . . .  4
   3.    Proposal Overview  . . . . . . . . . . . . . . . . . . . . .  5
   3.1   Usage  . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
   3.1.1 Client Configuration . . . . . . . . . . . . . . . . . . . .  7
   3.1.2 Application Configuration  . . . . . . . . . . . . . . . . .  8
   4.    ASN.1 Definition of Extensions . . . . . . . . . . . . . . .  9
   4.1   ProxyConnectRequest  . . . . . . . . . . . . . . . . . . . .  9
   4.1.1 Processing ProxyConnectRequest . . . . . . . . . . . . . . . 10
   4.2   ProxyConnectResponse . . . . . . . . . . . . . . . . . . . . 11
   5.    Security Consideration . . . . . . . . . . . . . . . . . . . 15
   6.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16
         References . . . . . . . . . . . . . . . . . . . . . . . . . 17
         Author's Address . . . . . . . . . . . . . . . . . . . . . . 17
         Full Copyright Statement . . . . . . . . . . . . . . . . . . 18





























Modi                    Expires February 3, 2000                [Page 2]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


1. Introduction

   Directory is at the heart of many powerful and distributed
   applications today. More and more information on Internet and
   Intranet is getting organized in directories. The protocol most
   widely used to access the directory information is LDAP[2].  As the
   number of LDAP client increases, the directory server (DSA) will be
   loaded more, hence the performance degradation. So there is a need
   to cache the directory information at the location other than the
   original directory server to improve the performance and provide
   disconnected operation. Also the organizations would like to monitor
   increasing LDAP traffic coming in to and/or going out of corporate
   Intranet for security and management reasons.  So the LDAP client
   must be able to connect to DSA via intermediate software called
   proxy. This will ensure that all LDAP request and response exchanges
   between client and DSA happen via proxy, and thus allowing the proxy
   to monitor/control the LDAP traffic and/or cache the contents of
   LDAP requests and/or responses. 

































Modi                    Expires February 3, 2000                [Page 3]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


2. Problem Description

   In LDAP, client opens an LDAP connection to DSA. Once the connection
   between LDAP client and DSA is established both of them uses that
   connection to exchange requests and responses. However, as discussed
   earlier it should be possible for LDAP client to be able to connect
   to DSA via one or more LDAP proxies. Version 3 of LDAP specification
   does not include specifications for the proxy connection. 











































Modi                    Expires February 3, 2000                [Page 4]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


3. Proposal Overview

   The LDAP client instead of directly connecting to DSA, first
   connects to the LDAP proxy server and sends the ProxyConnectRequest,
   an extended LDAP request, the ASN.1 definition of which, is
   specified in this draft. The ProxyConnectRequest in addition to
   other parameters contains the URL of the DSA, using which the proxy
   tries to connect to it. The result of this operation is passed back
   to the client as ProxyConnectResponse. Once the connection between
   'client and proxy' and 'proxy and DSA' is established, all the
   requests from client to DSA go via proxy and in the same manner all
   the responses from DSA to client go via proxy. Following Figure 1
   shows the normal communication sequence between client and DSA. 

            +-------------+                     +-------------+
            | LDAP Client |<------------------->|     DSA     |
            +-------------+   LDAP Connection   +-------------+

         +=======================================================+
         |           Client         |            DSA             |
         |=======================================================|
         |                                                       |
         | LDAP Open Connection  ------>                         |
         |                                                       |
         |                       <------ Opens LDAP Connection   |
         |                                                       |
         |-------------------------------------------------------|
         |                                                       |
         | LDAP Message(Request) ------>                         |
         |                                                       |
         |                       <------  LDAP Message(Response) |
         |                                                       |
         |-------------------------------------------------------|
         |                                                       |
         |        . . .          ------>                         |
         |                                                       |
         |                       <------        . . .            |
         |                                                       |
         |-------------------------------------------------------|
         |                                                       |
         | LDAP Unbind           ------>                         |
         |                                                       |
         |                       <------  Closes Connection      |
         |                                                       |
         +=======================================================+

                                Figure 1
               Communication between LDAP Client and DSA
                       without LDAP Proxy Server


Modi                    Expires February 3, 2000                [Page 5]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


   Following Figure 2 shows the communication between LDAP client and
   DSA via LDAP Proxy. 



          +-------------+      +------------+      +-------------+
          | LDAP Client |<---->| LDAP Proxy |<---->|      DSA    |
          +-------------+      +------------+      +-------------+


         +========================================================+
         |     Client     |    LDAP Proxy     |        DSA        |
         |========================================================|
         |                                                        |
         | LDAP Open                                              |
         | Connection  ------>                                    |
         |                     Opens LDAP                         |
         |              <----- Connection                         |
         |                                                        |
         |--------------------------------------------------------|
         |                                                        |
         | ProxyConnect                                           |
         | Request having                                         |
         | URL of DSA  ------->                                   |
         |                     LDAP Open                          |
         |                     Connection   ------->              |
         |                                          Opens LDAP    |
         |                                  <------ Connection    |
         |                                                        |
         |                     ProxyConnect                       |
         |            <------- Response                           |
         |                                                        |
         |--------------------------------------------------------|
         |                                                        |
         | LDAP Message                                           |
         | (Request)   ------->                                   |
         |                    LDAP Message                        |
         |                    (Requests)   -------->              |
         |                                                        |
         |                                          LDAP Message  |
         |                                 <------- (Response)    |
         |                    LDAP Message                        |
         |            <------ (Response)                          |
         |                                                        |
         |--------------------------------------------------------|
         |                                                        |
         |  . . .     -------->                                   |
         |                     . . .     --------->               |
         |                                                        |


Modi                    Expires February 3, 2000                [Page 6]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


         |                               <--------     . . .      |
         |            <------- . . .                              |
         |                                                        |
         |--------------------------------------------------------|
         |                                                        |
         | LDAP Unbind  ------>                                   |
         |                     Closes                             |
         |                     Connection                         |
         |                                                        |
         |                     LDAP Unbind  -------->             |
         |                                          Closes        |
         |                                          Connection    |
         |                                                        |
         +========================================================+


                              Figure 2
              Communication between LDAP Client and DSA
                        via LDAP Proxy Server


   This proposal defines an extended request, called
   "ProxyConnectRequest" and an extended response, called
   "ProxyConnectResponse" using which the LDAP client will be able to
   connect to DSA via LDAP proxy or chain of LDAP proxies. 

3.1 Usage

   There are two ways in which this proposal can be used. One requires
   changes in the existing client and the other one in the LDAP
   application. 

3.1.1 Client Configuration

   The LDAP client can be configured to make connection to LDAP proxy
   upon receiving LDAP open connection request (usually in the form of
   an API) from an application. It must then send ProxyConnectRequest
   having the URL of the DSA specified by the application in the LDAP
   open connection request, to the LDAP proxy. Depending upon the
   contents of the ProxyConnectResponse from proxy, client can decide
   the reply of LDAP open connection request to the application. 

   The client must have a way of specifying the proxy configuration
   parameters. The parameters are explained in ASN.1 definition of
   ProxyConnectRequest and ProxyConnectResponse. 

   The advantage of this configuration/usage is that the redirection of
   LDAP requests and responses is transparent to application.
   Applications need not know about proxy. However the disadvantage is


Modi                    Expires February 3, 2000                [Page 7]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


   that the existing clients need to be modified. 

3.1.2 Application Configuration

   To make use of proxy, application must ask the client to open an
   LDAP connection with proxy instead of DSA. The application then
   should send ProxyConnectRequest having URL of the DSA along with
   other parameters to proxy, before sending any other request.
   Depending upon the contents of ProxyConnectResponse application can
   decide to continue or close the connection with proxy. 
   Depending upon the implementation of proxy, if the application,
   after opening the connection with proxy, sends any other request
   before sending ProxyConnectRequest and before getting valid response
   from proxy, the proxy may reply with an error, or may close the
   connection, or may serve the request from the cached entries of
   directory, if it has any. 

   The advantage of this configuration/usage is that the client need
   not change in order to make use of proxy. However the disadvantage
   is that the application must change and must know the details of
   proxy. 






























Modi                    Expires February 3, 2000                [Page 8]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


4. ASN.1 Definition of Extensions

   This sections describes the ASN.1 definition of ProxyConnectRequest
   and ProxyConnectResponse. This release is the first attempt to
   capture all the required parameters of the extended request and
   response for proxy support. Comments on the design and utility of
   these definitions are specifically invited from all reviewers. 

4.1 ProxyConnectRequest

   The ASN.1 definition of ExtendedRequest as per LDAP(V3)
   specification[2] is as follows. 

          ExtendedRequest ::=  [APPLICATION 23] SEQUENCE {
              requestName  [0] LDAPOID,
              requestValue [1] OCTET STRING OPTIONAL
          }

   requestName(LDAPOID) of ProxyConnectRequest is TBD. The definition
   of requestValue is as follows. 


          requestValue ::=  SEQUENCE {
              dsaAddress              LDAPURL,
              requiredProxyRoute      SEQUENCE of LDAPURL,
              currentProxyRoute       SEQUENCE of LDAPURL,
              allowDynamicRouting     BOOLEAN DEFAULT FALSE
          }

          where,
          LDAPURL ::=
            LDAPString -- limited to characters permitted in URLs


   Parameters of ProxyConnectRequest's requestValue are: 

   - dsaAddress: specifies the URL of the DSA(directory server) to
      which client wants to connect via the list of proxies specified
      in the requiredProxyRoute. 

   - requiredProxyRoute: specifies the URLs of the proxies via which to
      connect to DSA in the correct order. 
      (This is usually known as chaining of proxies. Here, the client
      connects to one proxy which in turn connects to another proxy and
      so on, thus forming the chain of proxies. The chain ends with the
      connection to DSA.) 
      If the allowDynamicRouting flag is FALSE, this parameter must
      contain URL of the proxy receiving this request as the first
      entry in the sequence. However if the allowDynamicRouting flag is


Modi                    Expires February 3, 2000                [Page 9]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


      TRUE, the sequence may or may not contain the URL of the proxy
      receiving this request. 

   - currentProxyRoute: contains the information about the current
      route from client to the proxy receiving this request. Each proxy
      after serving ProxyConnectRequest and before forwarding it to
      next proxy in the chain, adds its own URL to this parameter. This
      helps in determining the loopback in the proxy chain. This
      parameter must be set only by LDAP proxies and not by LDAP client
      or application. 

   - allowDynamicRouting: specifies whether the proxy can dynamically
      determine the next proxy in the chain during initial connection
      setup with DSA, for which this proposal is to be used. If the
      value of this parameter is TRUE, actual route between DSA and
      LDAP client obtained after ProxyConnectRequest and
      ProxyConnectResponse exchanges can be different than the one
      specified in the requiredProxyRoute parameter. 


   LDAP client/application specifies the list of proxies via which to
   connect to DSA in requiredProxyRoute parameter. This require
   client/application to know all the proxies in the chain. However
   this is not ussally the case because .. 

   1.  client/application may know only the immediate proxy. 

   2.  proxy chain or route to different DSAs will most likely to be
       different. 

   In such cases allowDynamicRouting flag should be set to TRUE. This
   gives flexibility to proxies in determining the next proxy in the
   chain. 

4.1.1 Processing ProxyConnectRequest

   Each LDAP proxy server upon receiving ProxyConnectRequest must .. 

   1.  verify that servicing of the received ProxyConnectRequest is not
       going to form loopback in the proxy chain. This can be done by
       checking the presence of its URL in currentProxyRoute. If there
       is a possibility of loopback the proxy must terminate the
       connection from which the ProxyConnectRequest is received;
       either, without sending the error message or after sending the
       error message via ProxyConnectResponse. 

   2.  remove its URL from requiredProxyRoute list, if present. Add its
       URL to the currentProxyRoute list. 

   3.  determine the next proxy in the chain. 


Modi                    Expires February 3, 2000               [Page 10]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


       If allowDynamicRouting flag is FALSE, and requiredProxyRoute
       list is not empty, the next proxy in the chain is the first
       entry in the list. 
       If allowDynamicRouting flag is FALSE, and requiredProxyRoute
       list is empty the proxy chain ends. 
       If allowDynamicRouting flag is TRUE, the proxy can determine the
       next proxy in the chain from its configuration parameters or by
       some other mechanism. OR proxy may decide to end the proxy
       chain. 

   4.  try to connect to the next proxy if identified, and send the
       ProxyConnectRequest to it, if connected and wait for
       ProxyConnectResponse from it. From the status of the connection
       and/or contents of the ProxyConnectResponse from the next proxy,
       create ProxyConnectResponse and send it to the previous
       proxy/LDAP client connected to it. 
       OR 
       connect to DSA if next proxy is not identified. From the status
       of the connection create ProxyConnectResponse and send it to the
       previous proxy/LDAP client connected to it. 

4.2 ProxyConnectResponse

   LDAP proxy must reply to ProxyConnectRequest received from LDAP
   client or previous proxy by sending ProxyConnectResponse. The
   response must include the result of opening the LDAP connection with
   next proxy or DSA. It must also contain the necessary information
   about the proxy server. Components of ProxyConnectResponse obtained
   from the later proxies in the chain are also passed on to the
   previous proxies to make sure that client receives information about
   all the proxies and connections via which it is connected or
   attempted to connect to DSA. 

   The ASN.1 definition of ExtendedResponse as per LDAP(V3)
   specification[2] is as follows. 

          ExtendedResponse ::=  [APPLICATION 24] SEQUENCE {
              COMPONENTS OF LDAPResult,
              responseName [10] LDAPOID OPTIONAL,
              response     [11] OCTET STRING OPTIONAL
          }

   responseName(LDAPOID) of ProxyConnectResponse is TBD. The definition
   of response is as follows. 







Modi                    Expires February 3, 2000               [Page 11]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


          response ::= SEQUENCE {
              proxyServerInfo   ProxyServerInformation,
              connection        ProxyConnection,
              previousResponses PreviousProxyConnectResponses
          }

   where, 

   - proxyServerInfo: gives various information about proxy server like
      its URL, brand information, cache parameters - if available etc.
      Following is the ASN.1 definition of ProxyServerInformation. 


          ProxyServerInformation ::= SEQUENCE {
              proxyAddress      LDAPURL,
              cacheAvailability BOOLEAN,
              brandInfo         BrandInformation,
              cacheAttrs        CacheAttributes OPTIONAL
          }

       where, 

      - proxyAddress: is the URL of the proxy server. 

      - cacheAvailability specifies whether the proxy can cache
         contents of LDAP requests and responses or not. 

      - brandInfo: identifies the name of the proxy server software,
         its version, name of the company owning it and contact
         information such as email, phone number, URL etc. 

          BrandInformation ::= SEQUENCE {
              name         LDAPString,
              version      LDAPString,
              organization LDAPString,
              contactInfo  LDAPString
          }

      - cacheAttrs: this parameter must be present if cacheAvailability
         flag is TRUE. It must be ignored if cacheAvailability flag is
         FALSE. This parameter specifies various cache parameters. The
         ASN.1 definition of CacheAttributes is as follows. 









Modi                    Expires February 3, 2000               [Page 12]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


          CacheAttributes ::= SEQUENCE {
              identification OCTET STRING,
                                 /* Cache Identification         */
              type ENUMERATED {
                  readOnly  (0), /* Cache is readOnly            */
                  readWrite (1)  /* Cache is both read and write */
             },

              storage ENUMERATED {
                  transient  (0), /* Cached objects are transient  */
                  persistent (1)  /* Cached objects are persistent */
              },

              encryptedStore BOOLEAN DEFAULT FALSE,
                                 /* Cached object storage is      *
                                  * encrypted.                    */
              authorizationSupport BOOLEAN DEFAULT FALSE
                                 /* cache supports authorization  *
                                  * and access control            */
          }

   - connection: describes the status of the LDAP connection from the
      proxy whose information is specified in proxyServerInfo to either
      next proxy in the chain or DSA.  Following is the ASN.1
      definition of ProxyConnection. 

          ProxyConnection ::= SEQUENCE {
              dsaAddress LDAPURL,
              connectionState  ENUMERATED {
                 notConnected (0), /* Could not connect to the   *
                                    * ldapServer.                */
                 connected    (1), /* Connected to ldapServer.   */
                 lazyConnect  (2), /* will connect on            *
                                    * receiving any further      *
                                    * request.                   */
              }
          }


   - previousResponses: Each proxy in the chain sends
      ProxyConnectRequest to next proxy in the chain. Necessary
      components of the ProxyConnectResponse from the next proxy must
      be included in the ProxyConnectResponse to the previous
      proxy/client connected to it. Thus this parameter contains
      components of ProxyConnectResponse from each proxy ahead of this
      proxy in the chain. Following is the ASN.1 definition of
      PreviousProxyConnectResponses. 




Modi                    Expires February 3, 2000               [Page 13]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


          PreviousProxyConnectResponses ::=
                SEQUENCE OF PreviousProxyConnectResponse

          PreviousProxyConnectResponse
          {
              COMPONENTS OF LDAPResult COMPONENT OF ProxyConnectResponse,
              proxyServerInfo COMPONENT OF ProxyConnectResponse,
              connection COMPONENT OF ProxyConnectResponse
          }


       ProxyConnectResponse generated by last proxy in the chain which
      is connected to DSA will have no entries in
      PreviousProxyConnectResponses parameter. Every other proxy in the
      chain upon receiving ProxyConnectResponse from the proxy ahead in
      the chain, must copy the entries of PreviousProxyConnectResponses
      from it to the same parameter of ProxyConnectResponse it is
      creating. Also it must add the ProxyConnectResponse entry
      containing the required components of ProxyConnectResponse
      received from proxy ahead in the chain to the
      PreviousProxyConnectResponses parameter of the
      ProxyConnectResponse it is creating. 





























Modi                    Expires February 3, 2000               [Page 14]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


5. Security Consideration

   When LDAP client is connected to DSA via one or more proxies, each
   request(including BindRequest) and response goes via the proxies.
   Thus the proxy has access to all the information within requests and
   responses. The client must trust the proxy that it will not misuse
   the information knowingly or otherwise. The client should verify the
   ProxyConnectResponse and should terminate the connection in case it
   does not trust any proxy in the chain. Also if client intends to
   access sensitive information from the DSA and if there are proxies
   in the chain which caches the information but does not provide
   authorization and access control to the cached entries, it should
   terminate the connection. 
   However the proxy can provide false information to the client in
   ProxyConnectResponse, so the ultimate security is the trust
   relationship. 



































Modi                    Expires February 3, 2000               [Page 15]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


6. Acknowledgements

   I sincerely thank Ed Reed for reviewing this proposal and providing
   valuable suggestions.  I also thank my team members Anasuya Devi,
   Ganesh S P, Deepa P and Vijay K N, for reviewing the early versions
   of this document and providing valuable comments. Special thanks to
   Ganesh S P and Deepa P for pointing out grammatical and spelling
   errors.











































Modi                    Expires February 3, 2000               [Page 16]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


References

   [1]  ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models
        and Services", 1993.

   [2]  Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access
        Protocol (v3)", RFC 2251, December 1997.

   [3]  Brander, S., "RFC Key Words", RFC 2119, March 1997.

   [4]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H. and T.
        Berners-Lee, "Hypertext Transfer Protocol - HTTP/1.1", RFC
        2068, January 1997.

Author's Address

   Vipul Modi
   Novell, Inc.
   Novell Product Group Bangalore
   49/1 & 49/3 G. B. Pallya
   7th Mile, Hosur Road
   Bangalore, Karnataka  560068
   India

   Phone: +91 80 572 1876/62/56 Ext:2015
   Fax:   +91 80 572 180
   EMail: mvipul@novell.com
   URI:   http://www.novell.com























Modi                    Expires February 3, 2000               [Page 17]


Internet-Draft    LDAP Extensions for Proxy Connection       August 1999


Full Copyright Statement

   Copyright (C) The Internet Society (1999). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC editor function is currently provided by the
   Internet Society.



















Modi                    Expires February 3, 2000               [Page 18]


