<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-tcpm-rst-diagnostic-payload-03" category="exp" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="RST Diagnostic Payload">TCP RST Diagnostic Payload</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-tcpm-rst-diagnostic-payload-03"/>
    <author fullname="Mohamed Boucadair">
      <organization>Orange</organization>
      <address>
        <email>mohamed.boucadair@orange.com</email>
      </address>
    </author>
    <author fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <country>India</country>
        </postal>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <author fullname="Jason Xing">
      <organization>Tencent</organization>
      <address>
        <email>kerneljasonxing@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area/>
    <workgroup>TCP Maintenance and Minor Extensions</workgroup>
    <keyword>service diagnostic</keyword>
    <keyword>service function</keyword>
    <keyword>troubelshooting</keyword>
    <keyword>diagnostic</keyword>
    <keyword>serviceability</keyword>
    <keyword>root cause</keyword>
    <keyword>anomaly</keyword>
    <abstract>
      <?line 61?>
<t>This document specifies an experimental diagnostic payload format returned in TCP
   RST segments. Such payloads are used to share with an endpoint the
   reasons for which a TCP connection has been reset.  Sharing this
   information is meant to ease diagnostic and troubleshooting.</t>
      <t>This specification builds on provisions that are already present in RFC 9293 "Transmission Control Protocol (TCP)".
   As such, this document does not require any change to RFC 9293.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    TCP Maintenance and Minor Extensions  mailing list (tcpm@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tcpm/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/boucadair/draft-boucadair-tcpm-rst-diagnostic-payload"/>.</t>
    </note>
  </front>
  <middle>
    <?line 70?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>A TCP connection <xref target="RFC9293"/> can be reset by a peer for various
   reasons, e.g., received data does not correspond to an active
   connection.  Also, a TCP connection can be reset by an on-path
   service function (e.g., Carrier Grade NAT (CGN) <xref target="RFC6888"/>, NAT64
   <xref target="RFC6146"/>, or firewall) for several reasons.  Typically, a Network
   Address Translator (NAT) function can generate an RST segment to
   notify an endpoint upon the expiry of the lifetime of the
   corresponding mapping entry or because an RST segment was received
   from a peer (<xref section="2.2" sectionFormat="of" target="RFC7857"/>).</t>
      <t>A TCP connection can also be
   closed by a user or an application at any time.  However, the peer
   that receives an RST segment does not have any hint about the reason
   that led to terminating the connection.  Likewise, the application
   that relies upon such a TCP connection may not easily identify the
   reason for the connection reset. Troubleshooting such events at
   the remote side of the connection that receives the RST segment may
   not be trivial.</t>
      <t>This document fills this void by specifying an experimental format of the
   diagnostic payload returned in an RST segment. This design is
   backward compatible with TCP as further clarified in <xref target="bc"/>.</t>
      <t>The generic procedure for processing an RST segment is specified in
   <xref section="3.5.3" sectionFormat="of" target="RFC9293"/>. Only the deviations from that procedure
   to insert and validate a diagnostic payload is provided in <xref target="payload"/>.</t>
      <t>This document specifies the format and the overall approach to ease
   maintaining the list of codes while allowing for adding new codes as
   needed in the future and accommodating any existing vendor-specific
   codes.  An initial version of error codes is available in <xref target="initial"/>.
   However, the authoritative source to retrieve the full list of error
   codes is the IANA-maintained registry (<xref target="causes"/>).</t>
      <t><xref target="examples"/> provides a set of examples to illustrate the use of TCP RST
   diagnostic payloads.</t>
      <t><xref target="socket-api"/> provides an informative discussion of socket API considerations.
   Implementation and experimental validation are detailed in <xref target="sec-validation"/>.</t>
      <t>Experiment goals are listed in <xref target="sec-goals"/>.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document makes use of the terms defined in <xref section="4" sectionFormat="of" target="RFC9293"/>.</t>
      <t>SEG.LEN is defined in <xref section="3.3.1" sectionFormat="of" target="RFC9293"/>. SHLD-2 is defined in <xref section="3.5.3" sectionFormat="of" target="RFC9293"/> while <bcp14>MUST</bcp14>-12 is defined in <xref section="3.6" sectionFormat="of" target="RFC9293"/>.</t>
      <t>This document uses the following terms:</t>
      <dl>
        <dt>RST diagnostic payload:</dt>
        <dd>
          <t>The payload of an RST message that conveys diagnostic data.</t>
        </dd>
        <dt>RST with diagnostic payload:</dt>
        <dd>
          <t>An RST segment that includes diagnostic payload.</t>
        </dd>
        <dt>Reset reason information:</dt>
        <dd>
          <t>Refers to a reset reason code and a Private Enterprise Number (PEN). The PEN can be omitted if it is set to 0.</t>
        </dd>
      </dl>
    </section>
    <section anchor="sec-goals">
      <name>Experiment Description &amp; Goals</name>
      <t>The main objective of this experiment is to have a common format
  of RST diagnostic payload that would be used as basis for consistent
  testing and evaluation in a variety of deployment contexts
  (Internet, data centers, application clients/servers provided and managed by the same entity,
  clients and servers software owned by distinct entities, etc.).</t>
      <t>Experiments reports are encouraged to share the main lessons
  learned in these experimentations. Specifically, the following items are of interest:</t>
      <dl>
        <dt>Delivery and on-path device interference:</dt>
        <dd>
          <t>Identify and share issues (or lack thereof) related to the delivery of RST with diagnostic payload.</t>
        </dd>
        <dt>CPU/load impact:</dt>
        <dd>
          <t>Assess CPU/load impact (or lack thereof) of handling RSTs, including when a mix of RSTs with and without diagnostic payload are sent by an endpoint.</t>
        </dd>
        <dt>Standard reset reasons:</dt>
        <dd>
          <t>Assess whether the list of code reasons (<xref target="causes"/>) reflects observed reset cases.</t>
        </dd>
        <dt>Integration of socket API extensions:</dt>
        <dd>
          <t>Exercise the socket API extensions and identify any required adjustement (<xref target="socket-api"/>).</t>
        </dd>
        <dt>Operational guidance:</dt>
        <dd>
          <t>Strengthen the operational guidance for deploying RSTs with diagnostic payload.</t>
        </dd>
      </dl>
    </section>
    <section anchor="payload">
      <name>RST Diagnostic Payload</name>
      <section anchor="compact">
        <name>Payload Format</name>
        <t>This section defines the message format to convey RST diagnostic payload. This format is designed to minimize the length of the payload.</t>
        <t>The format of the RST diagnostic payload is shown in <xref target="format-1"/>.</t>
        <figure anchor="format-1">
          <name>Structure of the RST Diagnostic Payload</name>
          <artwork><![CDATA[
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             0x33AA            |          reason-code          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              pen                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
        </figure>
        <t>The RST diagnostic payload comprises a magic number that is used to
   unambiguously identify an RST payload that follows this
   specification.  The magic number <bcp14>MUST</bcp14> be set to 0x33AA.</t>
        <t>The descriptions of other fields shown in <xref target="format-1"/> are as follows:</t>
        <dl>
          <dt>reason-code:</dt>
          <dd>
            <t>This field takes a value from an available registry (IANA or vendor-specific).</t>
          </dd>
          <dt/>
          <dd>
            <t>Value 0 is reserved and <bcp14>MUST NOT</bcp14> be used.</t>
          </dd>
          <dt/>
          <dd>
            <t>The reason code is taken from the "TCP Failure Causes" registry  <xref target="IANA-TCP"/> if "pen" is set to 0.</t>
          </dd>
          <dt/>
          <dd>
            <t>It is <bcp14>RECOMMENDED</bcp14> that implementations support all codes defined in <xref target="initial"/> provided in <xref target="causes"/>.</t>
          </dd>
          <dt/>
          <dd>
            <t>If the "pen" is not set to 0, then the reason code refers to a registry of the entity identified by the "pen" parameter.</t>
          </dd>
          <dt>pen:</dt>
          <dd>
            <t>Includes a Private Enterprise Number (PEN) <xref target="Private-Enterprise-Numbers"/>.</t>
          </dd>
          <dt/>
          <dd>
            <t>The reserved PEN value "0" is used to indicate that the reason code refers to the IANA-maintained registry (<xref target="causes"/>).</t>
          </dd>
        </dl>
        <t>SEG.LEN <bcp14>MUST</bcp14> be 8 for an RST with diagnostic payload.</t>
      </section>
      <section anchor="behavior">
        <name>Behavior</name>
        <t>Malformed RST diagnostic payloads that include the magic
   numbers 0x33AA <bcp14>MUST</bcp14> be silently ignored by the receiver.
   RSTs that carry such malformed diagnostic payloads are handled like an RST without payload.</t>
        <t>A peer that receives a valid diagnostic payload may pass the reset
   reason information to the local application in addition to the
   information (<bcp14>MUST</bcp14>-12) described in <xref section="3.6" sectionFormat="of" target="RFC9293"/>. The reset reason
   information may also be logged locally, unless a local policy
   specifies otherwise.  How the reset reason information is passed to an application
   and how it is stored locally is implementation-specific.</t>
        <t>Because new codes may be supported by a sender, receivers <bcp14>SHOULD NOT</bcp14>
   discard received RST diagnostic payloads with an unknown reason code unless
   configured otherwise.</t>
        <t>Vendor-specific registries may be maintained by applications. It is out of scope to describe
   how an implementation associates a PEN with a vendor-specific registry.</t>
      </section>
    </section>
    <section anchor="examples">
      <name>Some Examples</name>
      <t><xref target="fig-1"/> depicts an example of an RST diagnostic payload that is
   generated to inform the peer that the TCP connection is reset because
   an ACK was received from that peer while the connection is still in
   the LISTEN state (<xref section="3.10.7.2" sectionFormat="of" target="RFC9293"/>).</t>
      <figure anchor="fig-1">
        <name>Example of an RST Diagnostic Payload with Reason Code</name>
        <artwork><![CDATA[
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             0x33AA            |             0x0005            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           0x00000000                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
      </figure>
      <t>An RST diagnostic payload may also be sent by an on-path service
   function.  For example, the following diagnostic payload is returned
   by a NAT function upon expiry of the mapping entry to which the TCP
   connection is bound (<xref target="fig-2"/>).</t>
      <figure anchor="fig-2">
        <name>Example of an RST Diagnostic Payload to Report Connection Timeout</name>
        <artwork><![CDATA[
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             0x33AA            |             0x0010            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           0x00000000                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
      </figure>
      <t><xref target="fig-3"/> illustrates an RST diagnostic payload that is returned by a
   peer that resets a TCP connection for a reason code 1234 (0x4D2) defined by a
   vendor with the private enterprise number 32473 (0x7ED9).</t>
      <figure anchor="fig-3">
        <name>Example of an RST Diagnostic Payload to Report Vendor-Specific Reason Code</name>
        <artwork><![CDATA[
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             0x33AA            |             0x04D2            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           0x00007ED9                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
      </figure>
      <t><xref target="fig-3"/> uses the Enterprise Number 32473 defined for documentation
   use <xref target="RFC5612"/>.</t>
    </section>
    <section anchor="ops-cons">
      <name>Operational Considerations</name>
      <section anchor="bc">
        <name>Backward Compatibility</name>
        <t>Returning diagnostic data in an RST segment is consistent with
   the provision in <xref section="3.5.3" sectionFormat="of" target="RFC9293"/> for RST segments, especially:</t>
        <blockquote>
          <t>TCP implementations <bcp14>SHOULD</bcp14> allow a received RST segment to
include data (SHLD-2).</t>
        </blockquote>
        <t>Also, this document does not change the conditions under which an RST
   segment is generated (<xref section="3.5.2" sectionFormat="of" target="RFC9293"/>).</t>
      </section>
      <section anchor="multiple-rsts">
        <name>Multiple RSTs</name>
        <t>Per <xref section="3.6" sectionFormat="of" target="RFC9293"/>, one or more RST segments can be sent
   to reset a connection.</t>
        <t>Sending more RST segments to reset a connection can be used
   to mitigate deployment contexts where some on-path devices may
   discard RSTs with payload data.</t>
        <t>Whether a TCP endpoint elects to send more
   than one RST with only a subset of them that include the diagnostic
   payload is implementation-specific for clients and policy-based for servers (see <xref target="sec-man"/>).</t>
      </section>
      <section anchor="sec-man">
        <name>Manageability</name>
        <t>TCP server implementations should support the following parameters:</t>
        <ul spacing="normal">
          <li>
            <t>A parameter to control the activation of RSTs with diagnostic payload.</t>
          </li>
          <li>
            <t>A parameter to expose the set of reason codes that are supported by an implementation.</t>
          </li>
          <li>
            <t>A parameter to control whether "empty" RSTs are also sent together with an RST with diagnostic payload.</t>
          </li>
          <li>
            <t>A rate-limit of RSTs with diagnostic payload.</t>
          </li>
          <li>
            <t>Counters to track sent/received RSTs with diagnostic payload.</t>
          </li>
          <li>
            <t>Counters to track received invalid RSTs with diagnostic payload.</t>
          </li>
        </ul>
      </section>
      <section anchor="maintenance">
        <name>Maintenance</name>
        <t>As new reason codes may be added to the IANA registry, there is a risk that the codes
  that are supported by an implementation do not match the latest version in the registry. Deviations can be detected using the exposure parameter in <xref target="sec-man"/>.</t>
        <t>It is <bcp14>RECOMMENDED</bcp14> to proceed with regular software updates to align with the latest version in the registry.</t>
      </section>
    </section>
    <section anchor="socket-api">
      <name>Socket API Considerations (Informative)</name>
      <t>This section describes how the socket API  can  be extended to provide a way
for an application to use the functionality described in this document.</t>
      <t>This section is informational only.</t>
      <t>The API described in this section can change in a non-backwards compatible way
during the evolution of this document due to changed functionality or gained
experience during the implementation.</t>
      <section anchor="socket-options">
        <name>Socket Options</name>
        <t><xref target="socket-options-table"/> provides an overview of the <tt>IPPROTO_TCP</tt>-level socket
options defined in this section.</t>
        <table anchor="socket-options-table">
          <name>Socket Options</name>
          <thead>
            <tr>
              <th align="left">Option Name</th>
              <th align="left">Data Type</th>
              <th align="left">Set</th>
              <th align="left">Get</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>TCP_RST_REASON_ENABLE</tt></td>
              <td align="left">
                <tt>uint32_t</tt></td>
              <td align="left">X</td>
              <td align="left"> </td>
            </tr>
            <tr>
              <td align="left">
                <tt>TCP_RST_REASON_CODE</tt></td>
              <td align="left">
                <tt>struct tcp_rst_reason</tt></td>
              <td align="left">X</td>
              <td align="left">X</td>
            </tr>
          </tbody>
        </table>
        <section anchor="enable-the-sending-of-the-diagnostic-payload-tcprstreasonenable">
          <name>Enable the Sending of the Diagnostic Payload (<tt>TCP_RST_REASON_ENABLE</tt>)</name>
          <t>Using <tt>setsockopt()</tt> with the <tt>IPPROTO_TCP</tt>-level socket option with the
name <tt>TCP_RST_REASON_ENABLE</tt> enables or disables the sending of the
diagnostic payload using a reason-code and pen.
The <tt>option_value</tt> of type <tt>uint32_t</tt> specifies the pen in host byte order
to use.
When 0 is used (<xref section="3" sectionFormat="of" target="RFC9371"/>), the reason-codes from the registry
specified in <xref target="causes"/> are used.
When 0xffffffff is used (<xref section="3" sectionFormat="of" target="RFC9371"/>), the sending is disabled.
The default is that the sending of a diagnostic payload is disabled.
An implementation might not support the use of an <tt>option_value</tt> different
from zero and 0xffffffff.</t>
          <t>For accepted sockets, this socket option is inherited from the listening socket.</t>
        </section>
        <section anchor="get-or-set-the-diagnostic-payload-as-code-tcprstreasoncode">
          <name>Get or Set the Diagnostic Payload as Code (<tt>TCP_RST_REASON_CODE</tt>)</name>
          <t>Using <tt>getsockopt()</tt> with the <tt>IPPROTO_TCP</tt>-level socket option with the
name <tt>TCP_RST_REASON_CODE</tt> allows the caller to retrieve the reason-code and
the pen of the diagnostic payload in the received RST segment, which terminated
the corresponding TCP connection.</t>
          <t>Using <tt>setsockopt()</tt> with this socket option allows the caller to provide
reason-code and pen to be sent as part of the diagnostic payload when the
application triggers the sending of a RST segment by using <tt>close()</tt>.
In addition to using <tt>close()</tt> in combination with the <tt>SOL_SOCKET</tt>-level
socket option with name <tt>SO_LINGER</tt>, the application can just provide the
<tt>TCP_RR_RST_ON_CLOSE</tt> flag in <tt>trr_flags</tt>. This way the application can
trigger the sending of a RST segment by calling <tt>setsockopt()</tt> once followed
by <tt>close()</tt>.</t>
          <t>For accepted sockets, this socket option is inherited from the listening socket.</t>
          <t>The following structure is used as the <tt>option_value</tt>:</t>
          <sourcecode type="c"><![CDATA[
struct tcp_rst_reason {
        uint16_t trr_flags;
        uint16_t trr_code;
        uint32_t trr_pen;
};
]]></sourcecode>
          <dl>
            <dt><tt>trr_flags</tt>:</dt>
            <dd>
              <dl>
                <dt>This field is reported as 0 for <tt>getsockopt()</tt> calls. For <tt>setsockopt()</tt></dt>
                <dd>
                  <t/>
                </dd>
                <dt>calls, the following flag can be used:</dt>
                <dd>
                  <t/>
                </dd>
                <dt><tt>TCP_RR_RST_ON_CLOSE</tt>:</dt>
                <dd>
                  <t>When this flag is set, calling <tt>close()</tt> triggers the sending of a RST segment
similar to case, where the <tt>SOL_SOCKET</tt>-level socket option with name
<tt>SO_LINGER</tt> is used to enable lingering with the linger time of 0.
When this flag is cleared, the corresponding functionality is disabled.</t>
                </dd>
              </dl>
            </dd>
            <dt><tt>trr_code</tt>:</dt>
            <dd>
              <t>The reason-code in host byte order to be interpreted in combination with
the PEN provided in <tt>trr_pen</tt>. In case of <tt>trr_pen</tt> being
zero, <tt>trr_code</tt> refers to a value in the registry defined in
<xref target="causes"/>.</t>
            </dd>
            <dt><tt>trr_pen</tt>:</dt>
            <dd>
              <t>The PEN in host byte order to is used in combination with the reason-code
specified in <tt>trr_code</tt>.
When this socket option is used with <tt>setsockopt()</tt>, it is an error to use
zero as a value for <tt>trr_pen</tt> as long as <tt>trr_code</tt> is not
zero.</t>
            </dd>
          </dl>
          <t>When <tt>getsockopt()</tt> with this socket option is performed on a socket, which
has not received a RST with a diagnostic payload containing a reason-code and
pen, zero is provided as the <tt>trr_code</tt> and <tt>trr_pen</tt>.
When <tt>setsockopt()</tt> with a <tt>trr_code</tt> and <tt>trr_pen</tt> of zero
is performed, the special handling of RST segments sent during the ungraceful
termination of the TCP connection is disabled.</t>
        </section>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t><xref target="RFC9293"/> discusses TCP-related security considerations. In
   particular, RST-specific attacks and their mitigations are discussed
   in <xref section="3.10.7.3" sectionFormat="of" target="RFC9293"/>.</t>
      <t>The presence of vendor-specific reason codes may be used
   to fingerprint hosts.  Such a concern does not apply if the reason
   codes are taken from the IANA-maintained registry.  Implementers are,
   thus, encouraged to register new codes within IANA instead of
   maintaining specific registries.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="causes">
        <name>New Registry for TCP Failure Causes</name>
        <t>This document requests IANA to create a new registry entitled "TCP
   Failure Causes" under the "Transmission Control Protocol (TCP)
   Parameters" registry group <xref target="IANA-TCP"/>.</t>
        <t>Values are taken from the 1-65535 range.</t>
        <t>The assignment policy for this registry is "Expert Review"
   (<xref section="4.5" sectionFormat="of" target="RFC8126"/>). See more guidance at <xref target="de"/>.</t>
        <t>The registry is initially populated with the values listed in
   <xref target="initial"/>.</t>
        <table anchor="initial">
          <name>Initial TCP Failure Causes</name>
          <thead>
            <tr>
              <th align="center">Value</th>
              <th align="left">Description</th>
              <th align="left">Specification (if available)</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">0</td>
              <td align="left">Reserved</td>
              <td align="left">ThisDocument</td>
            </tr>
            <tr>
              <td align="center">1</td>
              <td align="left">Illegal option length</td>
              <td align="left">
                <xref section="3.1" sectionFormat="of" target="RFC9293"/></td>
            </tr>
            <tr>
              <td align="center">2</td>
              <td align="left">Data available or received when application cannot read data anymore</td>
              <td align="left">
                <xref section="3.6.1" sectionFormat="of" target="RFC9293"/></td>
            </tr>
            <tr>
              <td align="center">3</td>
              <td align="left">ABORT process</td>
              <td align="left">
                <xref section="3.10.5" sectionFormat="of" target="RFC9293"/></td>
            </tr>
            <tr>
              <td align="center">4</td>
              <td align="left">Segment received in CLOSED state</td>
              <td align="left">
                <xref section="3.10.7.1" sectionFormat="of" target="RFC9293"/></td>
            </tr>
            <tr>
              <td align="center">5</td>
              <td align="left">ACK segment received in LISTEN state</td>
              <td align="left">
                <xref section="3.10.7.2" sectionFormat="of" target="RFC9293"/></td>
            </tr>
            <tr>
              <td align="center">6</td>
              <td align="left">ACK segment received in SYN-SENT state and <tt>SEG.ACK</tt> is not acceptable</td>
              <td align="left">
                <xref section="3.10.7.3" sectionFormat="of" target="RFC9293"/></td>
            </tr>
            <tr>
              <td align="center">7</td>
              <td align="left">ACK segment received in SYN-RECEIVED state and <tt>SEG.ACK</tt> is not acceptable</td>
              <td align="left">
                <xref section="3.10.7.4" sectionFormat="of" target="RFC9293"/></td>
            </tr>
            <tr>
              <td align="center">8</td>
              <td align="left">In window SYN segment received in synchronized state without <xref target="RFC5961"/> support</td>
              <td align="left">
                <xref section="3.10.7.4" sectionFormat="of" target="RFC9293"/></td>
            </tr>
            <tr>
              <td align="center">9</td>
              <td align="left">Unexpected security compartment</td>
              <td align="left">
                <xref section="A.1" sectionFormat="of" target="RFC9293"/></td>
            </tr>
            <tr>
              <td align="center">10</td>
              <td align="left">Malformed message</td>
              <td align="left">ThisDocument</td>
            </tr>
            <tr>
              <td align="center">11</td>
              <td align="left">Not authorized</td>
              <td align="left">ThisDocument</td>
            </tr>
            <tr>
              <td align="center">12</td>
              <td align="left">Resource exceeded</td>
              <td align="left">ThisDocument</td>
            </tr>
            <tr>
              <td align="center">13</td>
              <td align="left">Network failure</td>
              <td align="left">ThisDocument</td>
            </tr>
            <tr>
              <td align="center">14</td>
              <td align="left">Reset received from the peer</td>
              <td align="left">ThisDocument</td>
            </tr>
            <tr>
              <td align="center">15</td>
              <td align="left">Destination unreachable</td>
              <td align="left">ThisDocument</td>
            </tr>
            <tr>
              <td align="center">16</td>
              <td align="left">Connection timeout</td>
              <td align="left">ThisDocument</td>
            </tr>
            <tr>
              <td align="center">17</td>
              <td align="left">Too much outstanding data</td>
              <td align="left">
                <xref section="3.6" sectionFormat="of" target="RFC8684"/></td>
            </tr>
            <tr>
              <td align="center">18</td>
              <td align="left">Unacceptable performance</td>
              <td align="left">
                <xref section="3.6" sectionFormat="of" target="RFC8684"/></td>
            </tr>
            <tr>
              <td align="center">19</td>
              <td align="left">Middlebox interference</td>
              <td align="left">
                <xref section="3.6" sectionFormat="of" target="RFC8684"/></td>
            </tr>
          </tbody>
        </table>
        <t>Note that codes in the 10-16 range can be used by service functions (CGN, firewall, proxy, etc.).</t>
        <ul empty="true">
          <li>
            <t>Note to the RFC Editor: Please replace ThisDocument with the RFC number assigned to this document.</t>
          </li>
        </ul>
      </section>
      <section anchor="de">
        <name>Guidelines for the Designated Experts</name>
        <t>Criteria that should be applied by the designated experts include
   determining whether the proposed registration duplicates existing
   entries and whether the registration description is clear and fits
   the purpose of this registry.</t>
        <t>The designated experts may approve registration once they checked
   that the new requested code is not covered by an existing code and if
   the provided reasoning to register the new code is acceptable.  A
   registration request may supply a pointer to a specification where
   that code is defined.  However, a registration may be accepted even
   if no permanent and readily available public specification is
   available.</t>
        <t>Registration requests are to be sent to <eref target="mailto:rst-diag-review@ietf.org">rst-diag-review@ietf.org</eref>
   and are evaluated within a three-week review period on the advice of
   one or more designated experts.  Within the review period, the
   designated experts will either approve or deny the registration
   request, communicating this decision to the review list and IANA.
   Denials should include an explanation and, if applicable, suggestions
   as to how to make the request successful.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="IANA-TCP" target="https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#">
          <front>
            <title>Transmission Control Protocol (TCP) Parameters</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="Private-Enterprise-Numbers" target="https://www.iana.org/assignments/enterprise-numbers">
          <front>
            <title>Private Enterprise Numbers</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC9293">
          <front>
            <title>Transmission Control Protocol (TCP)</title>
            <author fullname="W. Eddy" initials="W." role="editor" surname="Eddy"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document specifies the Transmission Control Protocol (TCP). TCP is an important transport-layer protocol in the Internet protocol stack, and it has continuously evolved over decades of use and growth of the Internet. Over this time, a number of changes have been made to TCP as it was specified in RFC 793, though these have only been documented in a piecemeal fashion. This document collects and brings those changes together with the protocol specification from RFC 793. This document obsoletes RFC 793, as well as RFCs 879, 2873, 6093, 6429, 6528, and 6691 that updated parts of RFC 793. It updates RFCs 1011 and 1122, and it should be considered as a replacement for the portions of those documents dealing with TCP requirements. It also updates RFC 5961 by adding a small clarification in reset handling while in the SYN-RECEIVED state. The TCP header control bits from RFC 793 have also been updated based on RFC 3168.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="7"/>
          <seriesInfo name="RFC" value="9293"/>
          <seriesInfo name="DOI" value="10.17487/RFC9293"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC5961">
          <front>
            <title>Improving TCP's Robustness to Blind In-Window Attacks</title>
            <author fullname="A. Ramaiah" initials="A." surname="Ramaiah"/>
            <author fullname="R. Stewart" initials="R." surname="Stewart"/>
            <author fullname="M. Dalal" initials="M." surname="Dalal"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>TCP has historically been considered to be protected against spoofed off-path packet injection attacks by relying on the fact that it is difficult to guess the 4-tuple (the source and destination IP addresses and the source and destination ports) in combination with the 32-bit sequence number(s). A combination of increasing window sizes and applications using longer-term connections (e.g., H-323 or Border Gateway Protocol (BGP) [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5961"/>
          <seriesInfo name="DOI" value="10.17487/RFC5961"/>
        </reference>
        <reference anchor="RFC8684">
          <front>
            <title>TCP Extensions for Multipath Operation with Multiple Addresses</title>
            <author fullname="A. Ford" initials="A." surname="Ford"/>
            <author fullname="C. Raiciu" initials="C." surname="Raiciu"/>
            <author fullname="M. Handley" initials="M." surname="Handley"/>
            <author fullname="O. Bonaventure" initials="O." surname="Bonaventure"/>
            <author fullname="C. Paasch" initials="C." surname="Paasch"/>
            <date month="March" year="2020"/>
            <abstract>
              <t>TCP/IP communication is currently restricted to a single path per connection, yet multiple paths often exist between peers. The simultaneous use of these multiple paths for a TCP/IP session would improve resource usage within the network and thus improve user experience through higher throughput and improved resilience to network failure.</t>
              <t>Multipath TCP provides the ability to simultaneously use multiple paths between peers. This document presents a set of extensions to traditional TCP to support multipath operation. The protocol offers the same type of service to applications as TCP (i.e., a reliable bytestream), and it provides the components necessary to establish and use multiple TCP flows across potentially disjoint paths.</t>
              <t>This document specifies v1 of Multipath TCP, obsoleting v0 as specified in RFC 6824, through clarifications and modifications primarily driven by deployment experience.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8684"/>
          <seriesInfo name="DOI" value="10.17487/RFC8684"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC6888">
          <front>
            <title>Common Requirements for Carrier-Grade NATs (CGNs)</title>
            <author fullname="S. Perreault" initials="S." role="editor" surname="Perreault"/>
            <author fullname="I. Yamagata" initials="I." surname="Yamagata"/>
            <author fullname="S. Miyakawa" initials="S." surname="Miyakawa"/>
            <author fullname="A. Nakagawa" initials="A." surname="Nakagawa"/>
            <author fullname="H. Ashida" initials="H." surname="Ashida"/>
            <date month="April" year="2013"/>
            <abstract>
              <t>This document defines common requirements for Carrier-Grade NATs (CGNs). It updates RFC 4787.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="127"/>
          <seriesInfo name="RFC" value="6888"/>
          <seriesInfo name="DOI" value="10.17487/RFC6888"/>
        </reference>
        <reference anchor="RFC6146">
          <front>
            <title>Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers</title>
            <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/>
            <author fullname="P. Matthews" initials="P." surname="Matthews"/>
            <author fullname="I. van Beijnum" initials="I." surname="van Beijnum"/>
            <date month="April" year="2011"/>
            <abstract>
              <t>This document describes stateful NAT64 translation, which allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. One or more public IPv4 addresses assigned to a NAT64 translator are shared among several IPv6-only clients. When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6146"/>
          <seriesInfo name="DOI" value="10.17487/RFC6146"/>
        </reference>
        <reference anchor="RFC7857">
          <front>
            <title>Updates to Network Address Translation (NAT) Behavioral Requirements</title>
            <author fullname="R. Penno" initials="R." surname="Penno"/>
            <author fullname="S. Perreault" initials="S." surname="Perreault"/>
            <author fullname="M. Boucadair" initials="M." role="editor" surname="Boucadair"/>
            <author fullname="S. Sivakumar" initials="S." surname="Sivakumar"/>
            <author fullname="K. Naito" initials="K." surname="Naito"/>
            <date month="April" year="2016"/>
            <abstract>
              <t>This document clarifies and updates several requirements of RFCs 4787, 5382, and 5508 based on operational and development experience. The focus of this document is Network Address Translation from IPv4 to IPv4 (NAT44).</t>
              <t>This document updates RFCs 4787, 5382, and 5508.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="127"/>
          <seriesInfo name="RFC" value="7857"/>
          <seriesInfo name="DOI" value="10.17487/RFC7857"/>
        </reference>
        <reference anchor="RFC5612">
          <front>
            <title>Enterprise Number for Documentation Use</title>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <author fullname="D. Harrington" initials="D." surname="Harrington"/>
            <date month="August" year="2009"/>
            <abstract>
              <t>This document describes an Enterprise Number (also known as SMI Network Management Private Enterprise Code) for use in documentation. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5612"/>
          <seriesInfo name="DOI" value="10.17487/RFC5612"/>
        </reference>
        <reference anchor="RFC9371">
          <front>
            <title>Registration Procedures for Private Enterprise Numbers (PENs)</title>
            <author fullname="A. Baber" initials="A." surname="Baber"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="March" year="2023"/>
            <abstract>
              <t>This document describes how Private Enterprise Numbers (PENs) are registered by IANA. It shows how to request a new PEN and how to modify a current PEN. It also gives a brief overview of PEN uses.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9371"/>
          <seriesInfo name="DOI" value="10.17487/RFC9371"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
      </references>
    </references>
    <?line 507?>

<section anchor="sec-validation">
      <name>Implementation and Experimental Validation in Linux</name>
      <t>Questions and concerns have been raised regarding whether RST with payload affects the normal termination of flows across different software platforms, operating systems, middleboxes, etc. Even though <xref section="3.5.3" sectionFormat="of" target="RFC9293"/> explicitly allows this behavior, a full implementation is needed to widely verify if unexpected cases can happen in the real world.</t>
      <t>The overall design in Linux is to pre-allocate a large enough zeroed buffer, put a reset reason code in the first byte and sent it out to verify whether the RST with payload can be possibly declined by any equipment in between two sides and the other side successfully parses the RST with payload.</t>
      <section anchor="implementation">
        <name>Implementation</name>
        <t>The following implementation is accomplished on top of Linux 6.16:</t>
        <dl>
          <dt><strong>Payload Attachment</strong>:</dt>
          <dd>
            <t>Allocate a 1000-byte data payload attached to all generated RST packets.</t>
          </dd>
          <dt><strong>Reason Code Encoding</strong>:</dt>
          <dd>
            <t>The first byte of the payload is used to store a predefined reset reason code that is listed in include/net/rstreason.h file, while the remainder of the payload is zero-padded. The reason code is generated by the existing mechanism called <eref target="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d5115a55ffb52">TCP reset reasons</eref>.</t>
          </dd>
          <dt><strong>Handling of Reset Types</strong>:</dt>
          <dd>
            <t>The implementation distinguishes between the two primary reset scenarios in <tt>tcp_send_active_reset()</tt> and <tt>tcp_v4_send_reset()</tt> respectively:
</t>
            <ul spacing="normal">
              <li>
                <t>For an <strong>Active Reset</strong>, initiated proactively by the local system, the payload is placed in the linear area of the socket buffer (<tt>sk_buff</tt>).</t>
              </li>
              <li>
                <t>For a <strong>Passive Reset</strong>, sent in response to an unexpected or invalid incoming packet, the payload is stored in the non-linear (paged) area of the <tt>sk_buff</tt>.</t>
              </li>
            </ul>
          </dd>
        </dl>
        <t>Complete patch is shown in <xref target="patch"/>.</t>
        <figure anchor="patch">
          <name>Complete Patch</name>
          <artwork><![CDATA[
diff --git a/include/net/tcp.h b/include/net/tcp.h
index b3815d104340..0b32257774c8 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -62,6 +62,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
 #define MAX_TCP_OPTION_SPACE 40
 #define TCP_MIN_SND_MSS                48
 #define TCP_MIN_GSO_SIZE       (TCP_MIN_SND_MSS - MAX_TCP_OPTION_SPACE)
+#define PAYLOAD_LEN 1000

 /*
  * Never offer a window over 32767 without using window scaling. Some
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 84d3d556ed80..49250e6bd6a1 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -741,6 +741,7 @@ static bool tcp_v4_ao_sign_reset(const struct sock *sk, struct sk_buff *skb,
 static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb,
                              enum sk_rst_reason reason)
 {
+       u32 len = sizeof(struct tcphdr) + REPLY_OPTIONS_LEN + PAYLOAD_LEN;
        const struct tcphdr *th = tcp_hdr(skb);
        struct {
                struct tcphdr th;
@@ -757,6 +758,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb,
 #endif
        u64 transmit_time = 0;
        struct sock *ctl_sk;
+       char buffer[len];
        struct net *net;
        u32 txhash = 0;

@@ -786,7 +788,8 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb,
        }

        memset(&arg, 0, sizeof(arg));
-       arg.iov[0].iov_base = (unsigned char *)&rep;
+       memset(&buffer, 0, len);
+       arg.iov[0].iov_base = (unsigned char *)buffer;
        arg.iov[0].iov_len  = sizeof(rep.th);

        net = sk ? sock_net(sk) : skb_dst_dev_net_rcu(skb);
@@ -911,6 +914,10 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb,
                ctl_sk->sk_mark = 0;
                ctl_sk->sk_priority = 0;
        }
+       memcpy(buffer, (char *)&rep, arg.iov[0].iov_len);
+       /* put rst reason into the first byte in payload */
+       buffer[arg.iov[0].iov_len] = reason;
+       arg.iov[0].iov_len += PAYLOAD_LEN;
        ip_send_unicast_reply(ctl_sk, sk,
                              skb, &TCP_SKB_CB(skb)->header.h4.opt,
                              ip_hdr(skb)->saddr, ip_hdr(skb)->daddr,
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index b616776e3354..c07dd009a0de 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3628,12 +3628,14 @@ void tcp_send_fin(struct sock *sk)
 void tcp_send_active_reset(struct sock *sk, gfp_t priority,
                           enum sk_rst_reason reason)
 {
+       u32 len = MAX_TCP_HEADER + PAYLOAD_LEN;
+       char payload[PAYLOAD_LEN];
        struct sk_buff *skb;

        TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTRSTS);

        /* NOTE: No TCP options attached and we never retransmit this. */
-       skb = alloc_skb(MAX_TCP_HEADER, priority);
+       skb = alloc_skb(len, priority);
        if (!skb) {
                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTFAILED);
                return;
@@ -3641,8 +3643,13 @@ void tcp_send_active_reset(struct sock *sk, gfp_t priority,

        /* Reserve space for headers and prepare control bits. */
        skb_reserve(skb, MAX_TCP_HEADER);
+       skb_put(skb, PAYLOAD_LEN);
        tcp_init_nondata_skb(skb, tcp_acceptable_seq(sk),
                             TCPHDR_ACK | TCPHDR_RST);
+       memset(payload, 0, PAYLOAD_LEN);
+       payload[0] = reason;
+       skb_store_bits(skb, 0, payload, PAYLOAD_LEN);
+       TCP_SKB_CB(skb)->end_seq += PAYLOAD_LEN;
        tcp_mstamp_refresh(tcp_sk(sk));
        /* Send it off. */
        if (tcp_transmit_skb(sk, skb, 0, priority))
]]></artwork>
        </figure>
      </section>
      <section anchor="experimental-validation">
        <name>Experimental Validation</name>
        <t>To ensure a thorough evaluation, a multi-layered experimental methodology was designed, progressing from basic functional checks to complex, real-world compatibility and stability tests. The whole implementation has been deployed in Tencent's production environment for almost six months.</t>
        <section anchor="functional-verification">
          <name>Functional Verification</name>
          <t>The basic functionality test is using iperf or iperf3 to construct a normal termination senario. The <tt>tcpdump</tt> tool with <tt>-X</tt> option effectively helps to show the <tt>[RST+]</tt> flag and the 1000-byte payload, confirming that the kernel correctly generated and transmitted the augmented RST packets.</t>
          <t>Two servers, designated as Client A and Server B. The test is conducted as following:</t>
          <ol spacing="normal" type="1"><li>
              <t>Start the <tt>iperf3</tt> server on Server B (<tt>iperf3 -s</tt>).</t>
            </li>
            <li>
              <t>Initiate a connection from Client A to Server B (<tt>iperf3 -c [IP_of_B]</tt>).</t>
            </li>
            <li>
              <t>After the connection is established, one of the <tt>iperf3</tt> processes is terminated using the <tt>kill</tt> command, triggering the kernel to send an RST packet.</t>
            </li>
            <li>
              <t>Simultaneously, <tt>tcpdump</tt> is run on either host to capture the reset packet using the filter: <tt>'tcp[tcpflags] &amp; tcp-rst != 0' -X -nn -vv -S</tt>.</t>
            </li>
          </ol>
        </section>
        <section anchor="compatibility-verification">
          <name>Compatibility Verification</name>
          <dl>
            <dt><strong>Hardwares and Kernels</strong>:</dt>
            <dd>
              <t>Tests were conducted on various Linux distributions (e.g., Ubuntu or CentOS) with different kernel versions. The physical hosts were equipped with a range of network interface cards (NICs), including Intel <tt>i40e</tt>, <tt>ixgbe</tt>, and Mellanox <tt>mlx5</tt>.</t>
            </dd>
            <dt><strong>Virtualization</strong>:</dt>
            <dd>
              <t>The mechanism was tested in a virtualized environment where the VM used a <tt>virtio_net</tt> driver and the host employed DPDK to redirect packets in the host.</t>
            </dd>
            <dt><strong>Middleboxes</strong>:</dt>
            <dd>
              <t>Tests were performed with Layer 4 (L4) and Layer 7 (L7) gateways placed between the client and server to verify correct packet parsing and forwarding.</t>
            </dd>
            <dt><strong>Wide Area Network (WAN)</strong>:</dt>
            <dd>
              <t>The setup was tested over long-haul international links to simulate complex conditions, including China-to-Singapore (RTT &gt; 30ms) and China-to-Germany (RTT &gt; 200ms).</t>
            </dd>
          </dl>
          <t>In conclusion, across all complex environment tests, the RST packets with payloads were successfully received by the peer. No instances of packets being dropped or mishandled by intermediate middleboxes, gateways, or diverse hardware and software configurations were observed.</t>
        </section>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The "diagnostic payload" name is inspired by <xref section="5.5.2" sectionFormat="of" target="RFC7252"/>
  that was cited by Carsten Bormann in the tcpm mailing list.</t>
      <t>Thanks to Jon Shallow, Neal Cardwell, Lars Eggert, Eric Dumazet, Rick Jones, Yoshifumi Nishida, Li Jinghui, and Gleb Smirnoff for the review and comments.</t>
    </section>
    <section anchor="contributors" numbered="false" toc="include" removeInRFC="false">
      <name>Contributors</name>
      <contact fullname="Michael Tüxen">
        <organization/>
        <address>
          <email>tuexen@fh-muenster.de</email>
        </address>
      </contact>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1963bbRrLufzxFj7xWQskkrbtkZXKRJcXRRJa8RTmXk5Ul
gUCTxAgEOLhIYmzvZzkPcn6d82KnvqpuoEFCtjNJ9o9ztmZNLIKN7urquld1
qdfreUVUxPpArVwdvVaXgyt1HPnjJM2LKFCv/Xmc+uGK5w+Hmb6jQY8NCPxC
j9NsfqD0w8zzwjRI/CnNGmb+qOhFuhj1imA27WV50Qur93szeb+3vuXl5XAa
5XmUJsV8Rm+enlx96yXldKizAy+k6Q+8IE1yneRlfqCKrNQeAbTl+Zn2CbAV
7z7NbsdZWs7MXl75UVLoxE8CrfwkVK+iJM3UyQM9wyr5iner5/RSeOCpnsp1
dhfRyBo49+moTIKCXsKzgtYY6jifpGkRJWM8an3JH0ZxVMzxJKOhKvDLXOOT
n6RTP557nueXxSTNsL6n6GdUxrGg7VU6oX9D9SItAz/0o4y/T7Oxn0S/+YDk
QF1kfjLW/IWe+lF8oKbyVn9o3/om5TH9IJ16y4tcRVlJgOj83s/UpQ7Decsq
5+lt5PPzIC2TAid8moTmkVn3Nk3CglYb4+Mji/3Dz9NE/cQIW1rkStMhJUVj
Tp0lOv4n3nqgl9y5QQdFFg3Loh13UTDxdayu/s//etCJO2dRanryzWjSm5ZE
BIXO+qH2PCKLKQFyRxSm1Onh+WGPyOeAXzS8cUVozA11qiOsnsbqdZYWaUC/
dGj4KrFCRsvTnDm/yRSrRn6cyxEVfjbWxYGaFMUsP3j27P7+vh/5id8nTDzz
aeZxMiUU5M+ITYgt7FwLH/sPk2IaPyH80vLRHa3ROyEiz2ZZlOveOXNL3gDd
DFP1MGWG/TEwdb1sYubzomRUo9Lzej2i9WFeZH7AR3s1iXJFkqHEDCqf6SAa
RTonfoDQ0FmE537scJMy8kHJvCrTRUlkEaooUYR0TAqBlOsxA9VXgzKY2Jdo
4kwr4rlQFanKJ/h0HxUTXi8JZymJB1VMeN8kQ4jQcqyj7idEQMrHAkTzSaKZ
89XEz9VQ64TG5rroKzWgGYkyaYqIcVntngbTRqfax/ypoqldscKyiGUIcZ6R
IX2vwo9BSyDzDMsopo3Qb7MsvYtYbtGChArsxo8J7nBO3xFItBhh5fLbI/V8
8/kWicCP0+xKH8se0qKEti5vpD6fMKWjSVIg/V9lhNWSuSLOInmCXdmF+nLO
0ygMY+KlJyQdaKWwFHHJ8y9i8u3bv9HbePn9e5KKtEstSFXDOeF9pnXGB3FH
+E3L3DmfrtL9cb9LHwNNRBaCfP0a0iDNaJ5ZmvCJ08REeDTMY+Fll6eTO4zz
tLt8wkugJIR4Yr5ighkWVYHqCCxHfpZFBPHLzA+Jtw6vVOfo5fkq7fJr2uXu
/v7++/ddPN/dxjTm8cb2Lh7TLkeE23s/jld5z7m+0xnxgNkwAXs1nxE1xPEc
EJ/rAmqO0RqGBGkusin2SRaqDq2yWgOI/Yx1QvMVOD2XVQg/mIOQFo3mDYYo
CX3gCrBklM1VOuJPcTTSBTGo+SwotdgGF0z92Qz/augI7GuoWeEtLnxPbGSP
D7OMsnRqD73z9u3AnMVmfxNLAVd7+zt779+v9tuJCZsk6ZXSegxUnILhmZBo
9QyQYMRsFlueAvMQKWM3hN7v0nugvMu7BBSYhTnMQJkv7qAit4l/J1wxAeJ8
0rosT8zZVfPEIoBIXE6jxC9EZOgmRZ5Ft/qeZKmA4UDrQBNDVvLxgF2XyXfq
zxksWj2K5yoKCVicbkPEMZE1l7cC7aopk2QVwg0JVsKZAILNTVMip5ymt7Th
TNVEHL50MUcQGqoDn5EKv4v82JF9lewZRXGcizy6SyM+TpGLcwC2qC+Mcqgp
s0WBuJqjeZ59s7aGblMiyod+cEtGUUhbmxL/R4QWUR1AORHwqMxoqYyojUQU
6TCe9u3bYfD+vd2OFtYDCFka6LAkCQrc8ycSyrIPFzu18Of5RFhYftjq7/S3
sMVadPbVRRLz8RLwhMmClQPzEx9DtS4fXUpTEj8UrH7u/DgKWSq04YoAYW0T
2n2ZL+rNtetxQGLOgnUcfUxZmsWg6Cz1iZ6MPsQ0U9jn9H/LEHGU8yEGKZ0F
tHAMDRen9xgA1PkhS5pE35sxPh9WorWBlAEoizITg98P6PimaSg8B0bVD7QG
PhBVh2nWs8pWxBlNCeVARJBEBVEmjcpYexJQOssIAlmWdu/fkUHpgywYQeYF
IEgtiBQx8aOCrSKVp2UWsP4kgiS1QY8EaMKR3T8vVUGE1TCE7VKLMg2CHtN4
ErUkNFnQ5pWMfPtWP/jTWYxH9iQJZAW1hvnNl0wTcVzCQCsEDshrGmE8wXZW
yu0ieRrc6qLnz6LGMolyzEB6Pw/K3GJRXlGHr08hNCBDMiFbxtspwGKeFjlN
R9jgc0O1/F0GoidUxJZGcx306gGWVE+q99U4JTXBLwLR7mv8Db/xBIYSJB6z
EgA41iM+XPrseeBq8hkVnMZcrbx6M7ha6cq/6vyCf788+Y83p5cnx/h98N3h
2Vn1i2dGDL67eHN2XP9Wv3l08erVyfmxvExPVeORt/Lq8Gf6BlCtXLy+Or04
PzxbEbJ3+RE7LKAOVSQmusZmiVXodALymmTnL45e/+//ubFtbLHNjY3ndIjy
YX9jb5s+3E90IqulEDPykYhk7hEza/IYIUmJbAMiADodss1IMJLyuCdTWWea
sLn2CzDz64H6+zCYbWx/ZR5gw42HFmeNh4yz5SdLLwsSWx61LFNhs/F8AdNN
eA9/bny2eHce/v3rmBhS9Tb2v/7Ka5GPU/8Wejuv1CUMAeibUZRYKrRSfntB
wvN0g5OX/bOTcxU98tJWf6u/sagaBt+dHfc2P/DOkjoxEhcn1Nv40Ju7bUA2
9wxxZNSBFeC86wPPumzLcoW91gPWnFYR0TpGR05JZfpwPKDYAvDoPHfngB/Q
ryZnVf3oCocLljCmjJIgLiG+lt8y07JTYGwox9Mzc17qEekK9jqM/2CGQoaL
MnrcE1ed1yfnq33eOv1m/ZB0GhUsp0YqEutAsz+5zoLKkWzHzNgzPp7P1EuW
c2+f1JING8Dc0B4qHf5Ts1ck5EjT1jKWdU1q7FrFyjMxGp2moPHtJycovE/L
OATc7HHDWSY7VDxqlvUkcznCU+jc6GMS7ySxS+MxkzRhj08X7HSEehanc4YK
4R79UEDZd06BvEQXXXH9Ag5DQPY4Bn5AljJCFPDYcCqVMYMlp35ChMQmJQg0
98mngcAv5l1P2Vd5pH09T0fFPaQqiTZ5MWQrIijkRTJ9yC8tgr6o3/pg4OjM
0qwQraOTgJQ/r12FIwp7KqSO4e7R6zGJ1qQyZ3LtqkBRlWpgQwTsFDbZLCr0
VNYjHLICIHQT2x2T+0C7mRuBzl4tm42B0RNEvwjCHXgH6tR6DowFBjTK85K4
o0OHGZNtjEUznY5W4Zb4hXFw2BA1yxhieYQTCVFHr988E2uTLOygwLqHeQ6H
duGblkVp8gnBFmPDtAqhX/gXn6GniJKm0YOBIbdBn5B/gZPWQsLYJMdQhg13
mAAdFPQqfAGXr3MHXlqRnYFFG7YKKrkWGj0cxcSAOTEiE5idNyCrGKYVCHws
VtGCxaSryDUWP3nQWQAZwlTcNoq3HNVnObeRHNpt+E8y+9jWAnSuJQcivpgZ
u4yMrnFJJpUhjEFBNDIugGE27luGMb8L79rT+QARPFGPZBxIflmng0Y9qR5/
K+7F2yfsmAXFeydwZhSUaC1RP1ZtGK+EiFR0xyOCzLiCZnTlFAp5k/MeTaPf
BOEx48Fq9IamuKq9IPP1I1IzsuYS61d5pbfBCvU/6YfDsetq+Wej5dlmy7Mt
M8MGfbtFpsWO2lV7al89/z3PMMfT3h/8HyZ514Bt/WFr6/DQfeJ8L3zTYx6q
v/+LIFn6mRF1f/DnT4KEz/jtgXpiT14i9l9+TlxWBuzEOvSzzCKfv6/I7REC
A4/AzIDvN/XH9I1E6o3Jk9vYOKYpE386jMZlWuZu7MiYXw1FL8omr+LejYh1
35oaznJs9A91Zb/w2dfMEtbmS44tpyxNR5FG5LuVQyT4nVtIxKp0qKYyJcHM
mEcVbITDwIhLbWKOiePF1940/GwEDRciBKt9mfMHnmAd2IPcZgHOyUXj2FgD
qF9bs64lCAOLQElsmEZLqvJbggMHfsRqYqUGh7ZtE1K0bbIEV4g8V5rGIC90
ygfquDHmkBsuNQL9M1gk4rhxeKFh5FdxjIUAkFVfdjGhywoWBPQsPGyQJE4c
1OpC10A2uzP0LeaXJbqoNs5kgSr7JSRDz8z5nlqj/aO2tfrl8WzZr42jMkcK
M1xoZWV9xWEVQkcISjeeyOO7/J0hG+vjWVbZl4BX8hEjijTjC03mepRmPM0r
PwaX0FrtIiFveDvG/BxL/Mtk8axorpiWnMKkgEygubL6bEyQN+sbp8tMHfgZ
bZBDx9MKmDZAwMJsxNH3cXSr3c3CRmvo1EPJDyyE5SUg1Cb5EAqf+XluICXa
dCLgbp7OnFSckjHd8CHgjoRh5AxaTPF1jKe8qhqBlQ95yhWNWTNycU7AbZIZ
BNMYvgKDBju/TOAk0K4F2FlKsM4d+UsYYcmJNILkNerdt20dUV5Cka5yZc2k
A4QayV7rehZ89gYYPGlKlkpOynm9MLmfOlSLnYGaRP7YDA1Z3CECpZaYclXH
biT6mAdiept832NkbfO6ZXKbQGG4TCmIM0nAEek47KRGFQP8Q1PaW1aNasgd
PgboNbLIIRPhC6qFxR6QXQycWrLA/MAkIqMLEU5y+oKIpAmLMGJ/2cai7qkE
h1jMg5Rc1hMbxH37pAr2mrgsbZGVJFnhUVCY9DoPcQIqj3nxotJt1tCIPBBN
lR+rJd9C/smoxMJm/oSK1OHR942kn5uhwHQSdlrIIzHJRaSkosQmns5OB1eE
oryA9O24bLax3t+r04XCa6v/31vR/P36+vpO4/v/Eiua1+Wfx8f86VY0qN6a
0CdL9N7iYjKzXYqgOCJBYQzqw0cZxJXOTqzARlNMgQAntU0KnuQweayW/RZj
Ne0+oc1Uch4SQhIlBVVOn/O/zdR8M/NODCsFLIZDm8UPWGCYliTbOyIoNv+b
VSqS3Whs/v9tVtn8XayCeh8OZSI/ZknpKppq0nmfu3oHeYQ6p5h/XNvUiXnQ
utj3taVH2iRfLnRg07ih4jc2t7ZVZ/1h+5jNsVHkTijaVNidlZjxFeoKNuuo
bm1u721hnr2T4+f/zRZCnoTTv4AYl1Zq/ghb4BgeH/NXsMXWv8kWxn60kfkW
tVLzR5UcW3ZWhQAtAXMo1aTUKrscZrXUkO3sbmyarLVyI7ZHjcw6GYjpLO8h
BSOh1Be2tuXI1LZwlTINGwbvTaoLHLmgoDjbslQ7AwaukzvMYtZcq+oVP554
xD7dMs6u0mz6wtWQ2A4dz7/KtNDv8eErlgeLkQ3jOHDBCEsHx2NoFr19Vfm/
vKmOpEptfRmXBj5SCWmrH8VWFe8wJ/8i1FXVaGILJxwM1dZ0p4mIzSYiVsWj
f1XGRQTag1fNQL2m+T/gV3bJBNGIWU3JSWtg0qYSc1NczXUnMNF9t/xMIhDa
1PEtzdH6kp0ZcREz85TwMYZgbUndIUmCDAtcl2b2KbdVYdbXq1MGVlXUyd0f
TapFVEJVs6glo4K0mkaKLzU1TxO2znQdROFKBnI7y6GphaHZpssxEbecX7m2
2SNOryQ5ndShOOe9oZ8bNra5xE6utak6mfpJfeSclPQrVrTfc+aWdiqvL0fz
JpxztUG9pnVZF40zD60hiGIfmUwIlwRzkRIywlXO6cNJm5apyB5NbSZK8Ooo
Z6deuen9L7rDrVNbKG2SbUVPZ8V8RWCUGug8FWu8SMcyxgYDPhg7k7XAlr04
ItL9tI0f4Q6EDfFlSEpi6WeutPndM1QvR4kEtD6WNHviXm3B2R7mHGlpIN2E
LfwwrLOzHNu2wYSu5FO5mk2RErqtHXuewVOfenAkIFk8Tv3C+B3ICedFVT8X
2XiwCWOo47pe0ciRkA48wAJlbusBmaoQFa8JoirZYuZhmdAS+E6l9FEbF4+W
LWM/q/P45Sxk4xRxrxhFn5Vp+BG4oWoHdap1QdF2Tuu6t1UwcZ1VRelYI0Up
kaGc40ILCVzGCFDCmVxzeiYcTyd1T9JytFzUTGPK3BYTiq/oszBpBCcbeq2/
ABXkWx0fJEMC0rIvVW8AbHmm3NEFRjdyGUdCstGW0OaNGloCPiyz6oTv0ri0
UmdB55YcQ5NZw4U90fbHHIrzpDgChQvKmXdRroBlzLldzEwtX5X1TuVJr0Ai
aKGSEeWrdxGxlnG1b25OX7++vLi6uCapfHPTi/Wdjs3heWYiN6PiYonAeGeW
V+eoOlmwZtUxrJGr+WzxG3w3INDfqZf4L81yc0PLX5OYuL48ORxcnF+fnB++
ODu5uVH4riTZsLV5XdDHhVl+qqzu1lmOLo5P+CV8l3MWUhXB7DrLi2uRLbzC
T/VcbDe34dGY0StNrK8QLcT5lyux4v+tsEH6hOxgeYUQbK0Qg+8Wm7vz6OZX
Pe8NCw8CnvxGWplA6qwSzBV/f+j8lGygGuzhNtkHUK0Z6hzESKaL/C4a0N2C
1+L6ioizHmyvKhGbaSKSKwZTYLnmFBSthblAGI3DbRZeI21NFDehpUhIF7AH
STR5Ihf63o9Iyq1XmSzXEK0Cp1t7G2SRdJ2sVk90SZWstJLQcwvVnfxgdePK
LvgwMj+fvrLFH6SB4DUUrBBf+WQaS0G00VQOsh8rZa8nOVxSXNNoPCkkfenY
UKZWk/h/6SDCaMSFUoXHOPlNZykfXb1RYnOE/Pwg0DPoMyGu3PgUTVJjiUtK
OCrqsLgpT2b/S0b3hUvA/DQxJMEjrOHn7HC2sIhwtsMg47+OQYwU8W2RAJkT
9LtYc42i9wXy9ywVG95vO02rj5d9u66NeppbNlrma95RasaR+h+TF0vn1bon
oy+8Fm42ddhsnfpIt2XFB3Z3b/LmXkOvZ9F4zObiIrW7ji1ZZaXZCl+Awi76
3mkzh7k0Avgk5TzkW0nOwdKYwcXZ9eDi6PuTK0sEXgsRGAIYXFyfnZ6/PLm8
uVm6v8S2AYrNKhMGOzREc8l0A5o5uxiAaEaxPwZUNzdFll3jU04bkUIOsh3a
JvcMhj6KIJxY62mnUraGsyWqoZENJP4F3HzV8NPyqtzHikg/N6fQFD4HHI9U
gdeqmtVbzyp66IiN3WsaYZH4Rft3oNXmV1At/BVR7xfe+y+wouc1jgOFgE5l
TWSrXAXwdXZ3lwQMkJ/3ORmyiH9U3eLbxewI04ITZUDRxyN0g68O1I/CP4CM
yYhrZLrOudeE/0lcxYjJyTeE8wBb1Mf9PAlkPMYlbaISXMJzNTjFLSoRU0IB
TM1GbO2Q8CNlb15KtU/LTgOUDeuwq5aFXtN0bihEc7AgA3uuTbG8bFC0XC1p
kSKexACR0nYLiWQ5Ii0w9WnCGMW2nOc0ubQIgGrtKhfARg2RFOcsOGiO6e2p
RtmS5yxhNwro2jdoj+Yx+eigyFONS3sNgHFY9VEtCQtegudcZImuqbpA5p7v
nYkVZ7ACNqsq2ZihauzRV3EK4zJvok6KtMwEhA4Gq8mkj2o9FIrozJTyQAua
743K9XAxXu6JG7Xs15GXVqMMMR1z72/JCPZmuGbE23SvIVYi0dkTlKxLUWZT
+fKm/A++CArEgp67UWOLShi6rjY3Ze1VbDQXX7XyPMtknPmBHpWxV933TSuT
ZrlgwuFFVHbogKYiLm1GFkz+wImYm1t1ZJrTlD1bg5/b1xfu1hGrSRwzo1NA
KKSLTdTRS78oyFnP7aXNKLOhXKkiz6pbfBLqXYjnc/XF4tXUqrhTWhMEzObL
ZS3L8Sonnjxi2TfLEOEFk+Jy5kBuPgfQ2VlSR+ZhFMxRH1mzpyS+2ZGHwG5W
XT5Wmtd3biFC1tCrXQkll0hLNK5wyDskMeoqJ1AboYfjbBEajPAlJkzgXnZt
qTLi8+fXFo+eLH91TgtcWhkHll+uGUVJvEi7lutYqPvXhEBZAaqMUMS3fyVs
aGbmOkzU462YuoHFslTJdEjV6se7S3DmogpCO0Wt3KSnUdlqirAg0lqPa6O3
u7OztaOkm01FXHU/EhNxN7fb2SYxi9HvK3wlpyAUIpazgrcdL3S7v2OJd39j
cxcxeWJELYmQ6loDLh28DbVL2u4SpnCWaHCWzkphx0pd3Mm+qmunws7OnWFP
vTOFxe8al7n+nJ939YUhKVwkNqkqn1dNOEi9O+jh58D8+6f+fMKcgMBk2d/x
ZTsuw/3Tft4xRxxbhmgdAgg2zOhT8u7GCIHKQZjrHn8MgobQXEiB1hBsmtEc
DawL1ImuK/0qV5yabpAoYJMsw2UfJt8PQLDbBgNDsGVGH764uLyy/Qr+0N4f
wcF6zXkVCAzBthk9MN6bkyFRbPIfmzLAPw7B3hIaGIIdi4Oj7ysf0oWiUYz4
RyHYbINg9yMQDH4+7w1Ozq8MDGzToIqcxltzz7itTD8fhmAxI88Q7H0CBJcn
RyenP1Tn8YlQtECw3QbBvhl9CtubbId7rNkKSz5PgkmWJtFvsIMYFltILobT
zvNd1MTaMN+nQvDcQPAmQaYhWLCypjCpHhUon04Hhx+QB1KU9s4p7beX2v7o
zyfLxA0ZfY6zlG4Wv/05svmTIdiU0aQXpH+Gfgik6cd/GQRbMtr0X1IjYxn9
8Z9PhmBbRtuL6M1ialOa/ddCsCOjj/kCt2ieMiGlE0wWRcxfBcGujHaKEAsp
QvwDi/8+CPbM6DRVU/gitHaOC8JcLgXV++9D0Frhs7+7v92UB/sy+k3iyFXj
trKl+tdD8FxGv+KWb8P0oXGB/N9f/1MhQM7Rdugx1Xqn5uOyX2Sq787Tomoe
wU11JHC0sd4jmmKvwg01cr+phXZvObd161bt2rqwjB7m7s1/9ZVZR6ot0CHv
JIzQpFK9jrkLYKZnsU+TNoit8hPwgqlEFc/GVm40k/bIBZFbomO+5mz7eR3z
VWV2PMTdgUtIDgsDdoSgdBb5ggJTNjQ0sfT6TldYz6HNHKYsigu0tIQ0zC37
wt55JzzMuOmacYhMTUgp9qnOq65LmARF6tLzMWxM0nzX8YFscJPfGEXcBUKW
LTOuOrKlA06Vhqouli5uh0v40YvqbmFJTgLQtGhxqINbE4SwaUZxk9mJ1mF1
k1NaDt7prKqLqfpLVVmgaNQoiAwZTQhPcMTICSLYZezkNXejJ5VcX3PgNdDw
hmDUcF0bV8NJCNNfaCTJYetqT3YREy912+D5zXVsGZFNgKAfHAeBRrR9yB0S
OpzeSnhjITrP1V7LrBwSESyAIleMqkG2v8ry5nKnl5Gp8FJ/tw2Eexl789+g
tTCak35lL61xrw3pK2KccK5JKSaZ1r17rVFwxTUdqBxJOaLJaaWQ2V2iNW49
5TIVEbp+lGmFcp3ZuvamYAvt3eM+k46kgNHQIDdLSOZLLCDnzVjociOWMmH0
mXaj9FIgxbVG1hgguP0EkIDQCucKjnUSoR+M4Xlb5Sgt9GI/qVptdXGkxqkc
4q5KXo7H0PTSloQjsKnUK6Xc08isK2SYlwG8xFEZm36gKP/hmGZLU68Tt6nX
D3VTL/hVUVI+mAJIp5uX5/1HaWDhGUz8L5dWNdKV1Y+MDPKz0BVRVSy6avUx
Gkm5KDgOWjNWC7HaEad5/SBL87xO+dcFZIS4Avo279oeGIjqzdFRgx5NrV60
fWHUyR0nAdJyPPlIKTQOJQoi3Lf161v2tEO55Av25F5xC3UMEEZiEOP6D3TD
HEVsuMFPp1rWzgt3GWFVN0EXL6fEjbBAlm0cmvykbdxn2yLao5EOQbNM9wBf
IFHEGE2DSbTzBhFKh0AsgTbSkmXR2hPJtuuLMpt+kZ47KJku+C4lrWP24CqK
peM0ept0QR4NY+SAgri6/4Gef/8qo9nUtMcdkv0OaiErnltYVkFv03WA21rW
xIx4np/Zev3FpUUXNwl8Mbu7fFDclZBOOZ9IOqVIZyACQe9uf2P3wPPW1mxN
xyFi8xNMsLbGPWdqrG+sr6/3GHNseFbkzW+Ya710gnX1uXRy4AQ2urOtOZcU
1ElCp0IAyypXzZNptjlxM5d8Lxiah3Sgyb0tH7W96lP33TNi6Fmii2e0igzu
T9D3k1Os9kZohsbdHHReBgF01ptxfWu/rc9CvW9j3VTKeapRVhjlU6niCNUv
sBsb7X1+7dgG2OOo6Esvcm6BTRrtWR5Mn8U4rmfyBcY8I0SQwApz+aaPR5Db
9M/XUfhluLOxsePv7IxGwx2+arC29p2bU+K1UfuX1wewWGQr0JcgnLwmZBoI
Yp6RQPWzudlFHugEzZPZ0L1BoQCS3NfSDvmaxyA5xuEafHu3LQOqbzK+gYHR
9grGU07eE6+trR1K/zAGem2ta4LfwDQ3+ZS3LNbltroIx+7iGbI1XNX1gG1h
6NEZ2PM2mUgRJqpzk99e4/cbacdhYFJgF+J+FybbD1sS4bk2l9wdUZhmVcE1
kWM6lZp5SWwugGluvxswUd1qQO3MkAxabYBcwYgmV+B0MptpMpRGNzv+8LO6
3Q/0jOr1iHCU/8xlEDogYo3h8jMPrPGghlv7Gzvhxvr21vZ6v78+3Nrc3Nnb
29sO9iEidre3pRF7y/tPnz5tnfebb1Rvd7O7q57Sf/cUfeQuvKAU+NvX935U
dEwVCk5IreW3IINCQm/yK3vmq1946olIBvXq8CdUlV1LD8XrwevDoxO1vV4P
wJevTumb8+PrV4PBone4vb889OXg4npw+j9OzJDO4hS91lVXvad2oteHP59d
HB5fo/kGBCrR+rM1LtQ/hz1Mhzri+yYm/gi1qLY293b3qviilFWZ73MidvRz
50v6zSMFeqPZ3TZwfI1f+gEhv+WpOdb97XAr3NnZ1eE+Hev2882ddb07DHf9
jeaxts0gB9v2DY52b3sDZ4t/+HBxaGSlD1PcBhFp4KfX0PtGICCfXKilA7cP
hN7xbNj17GwVxTRly++a6oM/mlxlvOCUQMk/q5566z01o8qtTWRv1Jek2n/T
6ahTF09NwmyVRMjlyeuznw15DJgOnrpUUddHNUCX99UaWQNf8jbpU4egXq3H
m5Fvl/bRnKKYfCGnsrPHp7Kz3ziVPwOPT1DhNKoLvXa3cfUE+duCGZq2sL4E
t0waFPF1fvtFhU/SnJkRx78QXn9deo2ITq3Rf5y6MjqC4mHi5xNZR3a7v0vb
fLq3v9/d/5N3a34k8sE/U7LLaZbPyEztokORIQX6uErn1TOj6GM/Su9+Wf8V
/1zj8hYB3CkTE4rhra+tfpbpWY0PO7U1d2l2QstqPeATZ5X3a6QtvAYSrmmY
IOgXE1qkGg6s09e36mtGzzV9JmpcVQf0bHgdEouE+g5Pr7OgNHSKY3i+waLg
+cZ2d2P9rzmHin2Yknpf0SiyVG6bNNcyiCyalPMsjYHvXcwHs3nHIr7jHE+3
BX3OkTxbY68E5m3VF8f40Y7RSzramgBrz6p3Dekvz/8rwSmzPXr2OMSnX7YL
l8iYaOzns0SbxfOOoIMQfPsxaQiUq8+g6Abfv7g+esFn3Ptqon2ynvuT7X46
Kz42R1RLMToBsqwJrY1nIT/7gFojfUiYXVZs9rm1WHY3dvf2dvXW1s52vx+s
74Xh+vpzfx03+R9VbdUcLcqt+g40vbW7ud/d2FRP5Zfthv3CSCbNv2i+kNJo
jmnYyksUPx6RKaQsiX4Qsb9XT1mD5buTw+OTy0Vl1JDDhj5/cUYsC2SXKx2J
gSVOz4+uB1eHV4OOKzS6xrp6cX3x5op8xoEraIh3zi+uTvB3oTjabi89VV4n
B3YRyoSlhHp/0TMcx+iDk6y4JXBotxxFIBofdpr77lbIdRh38ZUYtYLOuIqQ
R6rzN5Bsi/I9P7l6dN9np+dvfuKdEyBc/vDt4enZyfHqsqCSthVfGIIjS2of
9La91d3YWqa330dLLq5NJYzKZ77prSocba4Zk5RAPMpekh1GheC4IgES/qan
XYclRBPJTdReEwvJKIeenK2zFUmu3jU5QIg48BHweHxTx6tpz/9ifH5Y3BAY
3x1fXqO64J39QNS2uqRbDZWzbm1CZgdaPlhvE8LYGTtw10CPAEwzVbO2T7kk
SXGOtLFHBThwMCXtOZ0RxkeE9EmHz/8WqHCwSIeKS24c5BqNGqcFsmUfy9pm
guCuqmC2pL5ad60Qz9LkwSp/8zWefi4NHx4Jt3reFSrP+YYtwuNpxuG7uiU3
go1T9CLoxf6ckxyNv8Yw1fROmMbpeM79vWyvXE6MjTPzN044P41O4IFTiC45
llzudwPihy5HIHscgawujMpteA4LFvZuPO7n5hLvuZ+k8VKUpPorXdKEQLx2
8+flPueCYvOnqWjrd1GWSvUgX6iNp6gEz6MHNSV+muTm3tW3Ndg/IBxpe+Rx
oG9xZxZEiZFxABC5WQ424Jctc6fdCAG/LQCdS+xGNonwTFhOZzf0Iq7Bc7l4
76cbW5mmOZgtEZeJjmfSBcFeK775hTjq6a/mYo0NddaBw4oJuDNeNpX8gkl6
SXBLbhMEiEjXETX5E2ZCpdwlDgmUkstyluKMVwi1SvuDrpsWwW01bpmgDnm+
gfQ4eCH7tkhEn40yMOOrsOqB522gGrjwzZW9G8Huje2UQJix86mO+VL1csSN
NlHjayJWzZYWTKsVTITHlikC9cvp6+t0dP3iV0y2heTcyObvmrXdGlQrcV7T
oWPUhNWU1pm/8VJdXHOuwN/cRnF8wwkgTtGYeyv2a3NCtu9F1axX7hltA0MR
ONhPNPf17TrkhIxpibynTUnxPQi+5jLj20gSf0U0USZ0wBpFMYF7oG4+p+l+
of/z1aBf1WeQgvgTn+pvZLR/rno/qV6SqN7dneoNbgw/NdvONFkKUdEsRI5F
FNz3vEEbE+WU4L0WhWeoguA3fybORNBDrqgeliZnL3+j7c2wTIoSXHhEh3sx
WLXtFWxqx2DSXPw3AmY2mefosi/V57IyZxNmtrrXN7UDdLKJqQySWgho64Bv
v3fOT4/yVbdDPTq8x0QF2+v6hk4kehgP8Qt3EdZx7Cfpg7qZxg87Nxwn/iHK
ipIki/ytzDo8XEexIX0LbWPrvrqzb0BkO1Kuvrr0wytz00zdYHCUwga6UWGG
JpyVnGCK0FMjR49fH38vGeswgkCwLG7DohjNAL+q819LB1dfJGH8nUGxqG3V
Odte5WXlwR492FtVaCZz78+rMLEb85ZuK87faXDSRUZiWbpFBsf+wQla/F7y
gwzqj0j3HCJ4awu7Oj8enq/WSCbyL2cugjkAiCs2vYlfxnLaiW2YEEeJaLUc
bAf5YtSb0y7IpYSjCXF8r0h7A/rkz5BK6VxeXamv1Nb6NBeMVGNecq59bkds
rmMI/8EATofGZS46W7KW0uBZFndpgPVnt0pn2TN001rmqBpZsKrezET1UW3W
hw+AWw4oO+LO3XY2vsNF1JQypyCRTlLQ9PqlCRhpRAMsgRvZUnviXblVD3ZE
l2ARCXLYNgdre7maWyoMsv2TCnyb4jBAK1haUq7qkLEktTU6/HKF/97pSt1A
fWX5ltKK3G7l2v58Fpkajzp7u2P7N8nfKNzc2Xz/3rZMAb0EkUk9HRH5FUS1
L7hAq8q44q8h41YIp4CQGbN1K76hoX9Ah004C9wl8kRjLyBCo/TojOZUJ1AF
RVed4I/MHZdT/zekLi4j8ivoXaDz5zSfRKNyGqlzOgCy++jNSP2DVpyUkUic
l4R7NZhGWULWaFVMZMoJJNU+lb+t6v1fFHliTSx6AAA=

-->

</rfc>
