<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-kohbrok-ipsecme-mls-gike-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="MLS-GIKE">MLS for IPsec Group Key Exchange</title>
    <seriesInfo name="Internet-Draft" value="draft-kohbrok-ipsecme-mls-gike-00"/>
    <author fullname="Konrad Kohbrok">
      <organization>Phoenix R&amp;D</organization>
      <address>
        <email>konrad@ratchet.ing</email>
      </address>
    </author>
    <author fullname="Raphael Robert">
      <organization>Phoenix R&amp;D</organization>
      <address>
        <email>ietf@raphaelrobert.com</email>
      </address>
    </author>
    <author fullname="Valery Smyslov">
      <organization>ELVIS-PLUS</organization>
      <address>
        <email>svan@elvis.ru</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>IP Security Maintenance and Extensions</workgroup>
    <keyword>encryption</keyword>
    <keyword>group key exchange</keyword>
    <abstract>
      <?line 52?>

<t>This document describes a profile that uses the Messaging Layer Security (MLS) protocol as the group key-management substrate for Group Key Management using IKEv2 (G-IKEv2).
The intent is to preserve the operational model of G-IKEv2, including IKEv2 transport, GSA policy distribution, a central GCKS, and the IPsec ESP data plane, while replacing GDOI-style group key distribution with an MLS group.
The resulting design can be read as G-IKEv2 where MLS produces the per-epoch group secret used to key the IPsec ESP Data-Security SA.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://kkohbrok.github.io/draft-kohbrok-ipsecme-mls-gike/draft-kohbrok-ipsecme-mls-gike.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-kohbrok-ipsecme-mls-gike/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        IP Security Maintenance and Extensions Working Group mailing list (<eref target="mailto:ipsec@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/ipsec/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/ipsec/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/kkohbrok/draft-kohbrok-ipsecme-mls-gike"/>.</t>
    </note>
  </front>
  <middle>
    <?line 59?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>G-IKEv2 <xref target="RFC9838"/> defines group key management for IPsec group traffic using IKEv2 <xref target="RFC7296"/> exchanges between Group Members (GMs) and a Group Controller/Key Server (GCKS).
The GCKS distributes group policy in a Group Security Association (GSA) payload and distributes traffic keys in a Key Download (KD) payload.
This gives operators a familiar centralized control point for authorization, policy, rekey, and member exclusion.</t>
      <t>MLS <xref target="RFC9420"/> is a group key agreement protocol that maintains a group state across epochs.
Members authenticate and agree on each epoch by processing MLS handshake messages.
Applications can then derive key material from the MLS exporter defined in Section 8.5 of <xref target="RFC9420"/>.</t>
      <t>This document proposes using MLS to replace the TEK machinery inherited by G-IKEv2 from GDOI-style group key distribution.
G-IKEv2 remains the authenticated unicast transport between each GM and the GCKS for the registration
to the group and optionally for unicast delivery of MLS structures. The GCKS can also optionally provide delivery
of MLS data structures using multicast Rekey SA, in which case the maintenance of this SA, including key management, retains.
The GSA payload remains the source of IPsec policy, traffic selectors, transforms, Sender-ID parameters, activation delay, and deactivation delay.
The ESP data plane and the SPD/SAD model remain the IPsec data plane described by <xref target="RFC4301"/> and <xref target="RFC4303"/>.</t>
      <t>The main change is that traffic keys are no longer downloaded by the GCKS in KD Group Key Bags.
Instead, every GM that is an MLS member derives the Data-Security SA keys for the current MLS epoch with the MLS exporter.
The GCKS does not hold an MLS member leaf and therefore does not derive the exported traffic keys.
The existing KD payload is still used for delivering keys for Rekey SA (in case it is employed)
and is reused for GCKS-originated MLS objects and Sender-ID material for Data-security SAs.
GM-originated MLS objects use the existing Notify payload with profile-defined notification data.</t>
      <t>This document is descriptive and is not a complete normative specification.
Several details needed for interoperability are intentionally stated as design constraints or open issues.
This document leaves several optimizations and deployment variants as TODOs or open questions.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<dl>
        <dt>GCKS:</dt>
        <dd>
          <t>Group Controller/Key Server, as defined by G-IKEv2.</t>
        </dd>
        <dt>GM:</dt>
        <dd>
          <t>Group Member.</t>
        </dd>
        <dt>Candidate GM:</dt>
        <dd>
          <t>A device that has authenticated to the GCKS but has not yet entered the MLS group.</t>
        </dd>
        <dt>Founding GM:</dt>
        <dd>
          <t>The first GM in an MLS group created for a G-IKEv2 group.</t>
        </dd>
        <dt>DS:</dt>
        <dd>
          <t>MLS Delivery Service.</t>
        </dd>
        <dt>AS:</dt>
        <dd>
          <t>MLS Authentication Service.</t>
        </dd>
        <dt>Data-Security SA:</dt>
        <dd>
          <t>The ESP SA used to protect group data traffic.</t>
        </dd>
        <dt>External sender:</dt>
        <dd>
          <t>An entity authorized by the MLS <tt>external_senders</tt> GroupContext extension to send external Proposals to the group.</t>
        </dd>
        <dt>Path refresh:</dt>
        <dd>
          <t>An empty MLS Commit with an UpdatePath that refreshes the committer's leaf and direct path.</t>
        </dd>
        <dt>PartialGroupInfo:</dt>
        <dd>
          <t>The structure defined by <xref target="I-D.ietf-mls-ratchet-tree-options"/> that lets a committer upload only the parts of GroupInfo the DS cannot reconstruct from public handshakes.</t>
        </dd>
      </dl>
    </section>
    <section anchor="mls-concepts-used-by-this-design">
      <name>MLS Concepts Used by This Design</name>
      <t>This section summarizes the MLS concepts needed to read the rest of the document.</t>
      <t>An MLS group has a group state that advances through monotonically increasing epochs.
Each epoch represents a specific membership, public ratchet tree, transcript state, and set of derived secrets.
Only one Commit is accepted for a given epoch transition, so the Delivery Service (DS) normally provides ordering for handshake messages.
Section 5.2 of <xref target="RFC9750"/> discusses this DS sequencing role.</t>
      <t>Each MLS member occupies one leaf in a public ratchet tree.
The ratchet tree is the data structure MLS uses to update group secrets efficiently when members are added, removed, or refreshed.
This draft maps one IPsec GM to one MLS leaf.</t>
      <t>A KeyPackage is the object that a prospective member publishes so that an existing member can add it to a group.
See Section 10 of <xref target="RFC9420"/>.
The KeyPackage contains the protocol version, cipher suite, an init key used to encrypt a Welcome, and a LeafNode carrying the member credential and public encryption key.
In this draft, a Candidate GM sends a KeyPackage to the GCKS during registration.</t>
      <t>MLS represents pending group changes as Proposals and applies them through Commits.
The proposal types relevant to this draft are Add, Remove, and the empty Commit with an UpdatePath described in Section 12.4 of <xref target="RFC9420"/>.
An Add proposal introduces a KeyPackage into the group.
A Remove proposal removes an existing leaf.
An empty Commit with an UpdatePath refreshes the committer's leaf and direct path without proposing an application-visible membership change.</t>
      <t>A Welcome message carries the encrypted information a newly added member needs to join the epoch created by an Add Commit.
See Section 12.4.3.1 of <xref target="RFC9420"/>.
The Welcome contains an encrypted GroupInfo object.
The GroupInfo is a signed snapshot of the epoch, including the GroupContext, the signer, and the confirmation tag.
The joining client also needs the public ratchet tree before it can process the Welcome.
MLS allows this tree to be carried in the Welcome as a <tt>ratchet_tree</tt> extension or to be provided by another channel, such as a caching service on the DS.
See Sections 12.4.3.1 and 12.4.3.3 of <xref target="RFC9420"/>.
This document uses the second option: the GCKS tracks the tree from MLS PublicMessages and sends it to the joining GM outside the Welcome.</t>
      <t>MLS allows an entity outside the group to send certain Proposals if the group has configured that entity in the <tt>external_senders</tt> GroupContext extension.
See Section 12.1.8 of <xref target="RFC9420"/>.
This draft uses that mechanism to let the GCKS propose Add and Remove operations without making the GCKS an MLS member.
Because an external sender is not a group member, it can propose changes but cannot create a regular Commit for the group.</t>
      <t>MLS distinguishes delivery from authentication.
The MLS architecture describes a Delivery Service that orders and relays messages, and an Authentication Service that is responsible for member identities and credentials.
See <xref target="RFC9750"/>.
In this profile, the GCKS acts as DS, AS, and MLS external sender.
OPEN QUESTION: What protocol changes are required to split the DS, AS, and external-sender roles across separate components?</t>
      <t>MLS exposes an exporter that derives application key material from the epoch's <tt>exporter_secret</tt>.
See Section 8.5 of <xref target="RFC9420"/>.
This draft uses that exporter to derive IPsec Data-Security SA keying material.
MLS is not used to carry IPsec packets or application data in this design.</t>
    </section>
    <section anchor="scope">
      <name>Scope</name>
      <t>This document describes a deliberately narrow profile.
Commit generation, candidate delivery, founder upload, and member upload use per-member unicast IKE SAs.
Ordered Commit fan-out can use either per-member <tt>GSA_INBAND_REKEY</tt> or multicast <tt>GSA_REKEY</tt>.
If multicast <tt>GSA_REKEY</tt> is used and the deployment needs future control-plane messages hidden from removed members, the G-IKEv2 Rekey SA uses LKH as described in Appendix A of <xref target="RFC9838"/>.</t>
      <t>The GCKS is the only entity authorized to propose structural membership changes.
Members do not propose Add or Remove operations for other members.
Members acting as group senders can refresh their own MLS contribution by sending an empty Commit with an UpdatePath.</t>
      <t>New members join through Add plus Welcome.
This profile does not define joining through External Commit, as defined in Section 12.4.3.2 of <xref target="RFC9420"/>.
OPEN QUESTION: Should External Commit be specified for joining, resynchronization, or both, and what GCKS validation is required?</t>
      <t>MLS membership is distinct from data-plane sender authorization.
A GM that intends to send ESP traffic on a Data-Security SA indicates that role with the <tt>GROUP_SENDER</tt> notification defined in Section 4.7.4 of <xref target="RFC9838"/>.
A GM that does not request sender authorization can still join the MLS group and derive the epoch's Data-Security SA keys, but it is not authorized to emit ESP traffic for that SA.
This draft keeps the Sender-ID machinery of G-IKEv2 for authorized senders using counter-based ESP modes.
This is G-IKEv2 policy authorization and nonce-space partitioning, not per-sender traffic-key separation.</t>
      <t>The GCKS is a single instance for a group.
GCKS replication and failover are out of scope.</t>
      <t>The group uses one current ESP Data-Security SA per MLS epoch for the relevant group traffic selectors.
The previous epoch's SA can overlap during rollover according to the GWP_ATD and GWP_DTD policy attributes.
This profile does not define AH Data-Security SAs.
TODO: Decide whether AH Data-Security SAs need explicit support or explicit exclusion.</t>
    </section>
    <section anchor="design-overview">
      <name>Design Overview</name>
      <t>The design keeps the G-IKEv2 policy plane and key distribution plane for Rekey SA, but replaces the key-distribution plane for Data-security SAs.
The GSA payload defined in Section 4.4 of <xref target="RFC9838"/> continues to describe the Data-Security SA policy, traffic selectors, transforms, Sender-ID parameters, and rollover timing.
The KD payload defined in Section 4.5 of <xref target="RFC9838"/> is no longer used to carry TEK key material, but continues to carry KEK key material.
For the purpose of key distribution for Data-security SAs this profile reuses KD bags for two GCKS-originated purposes: KD Member Key Bags carry <tt>GM_SENDER_ID</tt> attributes and member-scoped MLS objects, and KD Group Key Bags carry group-scoped MLS objects associated with an epoch-bound Data-Security SA SPI.
This use of KD for MLS objects carries no <tt>SA_KEY</tt>, <tt>WRAP_KEY</tt>, or <tt>AUTH_KEY</tt> material.
MLS objects that flow from a GM to the GCKS use the Notify payload instead of KD.</t>
      <t>The GCKS creates a per-group MLS external-sender signing key.
The public key and credential for that signing key are installed in the MLS <tt>external_senders</tt> GroupContext extension.
Members use this extension to verify that Add and Remove Proposals originated from the GCKS.</t>
      <t>OPEN QUESTION: should this key be the same as the signing key used by GCKS to sign multicast Rekey messages or they may differ?</t>
      <t>The GCKS is not an MLS member.
It does not hold an MLS leaf private key, path secrets, epoch secrets, or exporter output.
It tracks the public ratchet tree and GroupInfo state needed to act as a DS.
Because it has no MLS epoch secrets, it can perform public checks but cannot verify MLS membership MACs or confirmation tags.</t>
      <t>A designated GM commits GCKS-authored external Proposals.</t>
      <t>OPEN QUESTION: should we specify how the GCKS selects the designated committer? I think not - this is the GCKS local matter.</t>
      <t>How the GCKS selects the designated committer is out of scope of this document. However, for the purpose
of requestong a GM the GCKS must have a unicast IKE SA with this GM. In most cases these GMs will
be those that act as group senders.</t>
      <t>All MLS Proposals and Commits in this profile are sent as MLS PublicMessages.
This lets the GCKS reconstruct the public tree from the handshake stream.
This is the <tt>distributionService</tt> ratchet-tree representation described in Section 3 of <xref target="I-D.ietf-mls-ratchet-tree-options"/>.
The PublicMessages are still protected on the wire by within the IKEv2 Encrypted payload.</t>
      <t>Committers upload <tt>PartialGroupInfo</tt> as defined in Section 4 of <xref target="I-D.ietf-mls-ratchet-tree-options"/>.
The upload carries the GroupInfo signature and non-<tt>ratchet_tree</tt> GroupInfo extensions.
The GCKS reconstructs the rest of the GroupInfo from its tracked public state and the observed Commit.
The GCKS also maintains the public ratchet tree locally and sends it to new members in the Welcome exchange.
The first founder upload is the only exception to the reconstruction rule, because there is no previous epoch from which the GCKS can reconstruct the tree.</t>
    </section>
    <section anchor="mapping-from-g-ikev2-to-mls-gike">
      <name>Mapping from G-IKEv2 to MLS-GIKE</name>
      <t>The following table summarizes the intended mapping.</t>
      <table>
        <thead>
          <tr>
            <th align="left">G-IKEv2 concept</th>
            <th align="left">MLS-GIKE concept</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">GCKS</td>
            <td align="left">GCKS plus MLS DS, AS, and external sender.</td>
          </tr>
          <tr>
            <td align="left">GM</td>
            <td align="left">MLS group member with one leaf in the MLS tree.</td>
          </tr>
          <tr>
            <td align="left">Group ID (<tt>IDg</tt>)</td>
            <td align="left">MLS <tt>group_id</tt>, bound to the G-IKEv2 group.</td>
          </tr>
          <tr>
            <td align="left">GSA payload</td>
            <td align="left">Reused for Rekey SA and Data-security SA policy.</td>
          </tr>
          <tr>
            <td align="left">KD Group Key Bag</td>
            <td align="left">Retained for GCKS-to-GM group-scoped MLS objects for Data-security SAs and for Rekey SA key delivery.</td>
          </tr>
          <tr>
            <td align="left">KD Member Key Bag</td>
            <td align="left">Retained for <tt>GM_SENDER_ID</tt> and GCKS-to-GM member-scoped MLS objects for Data-security SAs and for GM-related keys for Rekey SA.</td>
          </tr>
          <tr>
            <td align="left">Notify payload</td>
            <td align="left">Used for MLS objects that are not KD downloads.</td>
          </tr>
          <tr>
            <td align="left">Rekey SA</td>
            <td align="left">Optional. Protects multicast <tt>GSA_REKEY</tt> delivery.</td>
          </tr>
          <tr>
            <td align="left">KEK for ESP Data-Security SA key delivery</td>
            <td align="left">Not used.</td>
          </tr>
          <tr>
            <td align="left">TEK key material</td>
            <td align="left">Derived from the MLS exporter.</td>
          </tr>
          <tr>
            <td align="left">
              <tt>GSA_REKEY</tt> exchange</td>
            <td align="left">Optional multicast fan-out for ordered MLS control material.</td>
          </tr>
          <tr>
            <td align="left">
              <tt>GSA_AUTH</tt> and <tt>GSA_REGISTRATION</tt> exchanges</td>
            <td align="left">Reused with <tt>N(MLS_OBJECT)</tt> in requests and KD-carried MLS objects in responses.</td>
          </tr>
          <tr>
            <td align="left">
              <tt>GSA_INBAND_REKEY</tt> exchange</td>
            <td align="left">Reused for GCKS-to-GM unicast delivery of epoch-bound GSA updates and related MLS objects.</td>
          </tr>
          <tr>
            <td align="left">
              <tt>GSA_MLS_REQUEST</tt> exchange</td>
            <td align="left">New GCKS-to-GM exchange asking a designated GM to commit a GCKS-authored Proposal.</td>
          </tr>
          <tr>
            <td align="left">
              <tt>GSA_MLS_UPLOAD</tt> exchange</td>
            <td align="left">New GM-to-GCKS exchange delivering MLS objects.</td>
          </tr>
          <tr>
            <td align="left">Member exclusion</td>
            <td align="left">GCKS sends an external Remove Proposal. A designated GM commits it.</td>
          </tr>
          <tr>
            <td align="left">Sender-ID</td>
            <td align="left">Reused for counter-based ESP nonce partitioning.</td>
          </tr>
          <tr>
            <td align="left">GWP_ATD and GWP_DTD</td>
            <td align="left">Reused to manage Data-Security SA rollover.</td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="group-creation">
      <name>Group Creation</name>
      <t>MLS groups are created by an initial member.
See Section 11 of <xref target="RFC9420"/>.
Because the GCKS is not an MLS member, the first GM to join a configured but empty G-IKEv2 group becomes the MLS founder.</t>
      <t>When the GCKS is configured for a new group, it generates a per-group MLS external-sender signing key pair.
The public key and credential for that pair are placed in an <tt>mls_group_template</tt> object carried in KD.
The template also carries the MLS cipher suite, the MLS group identifier, required capabilities, and any other GroupContext extensions required by GCKS policy.</t>
      <t>The first Candidate GM authenticates to the GCKS with the MLS-GIKE variant of <tt>GSA_AUTH</tt>.
The GCKS returns the normal GSA policy and the <tt>mls_group_template</tt> object.
The founder creates a one-member MLS group using the template values.
The founder then uses <tt>GSA_MLS_UPLOAD</tt> to send <tt>N(MLS_OBJECT)</tt> notifications carrying an <tt>mls_group_info</tt> object containing a full <tt>GroupInfo</tt> and an <tt>mls_ratchet_tree</tt> object containing the initial public ratchet tree to the GCKS.</t>
      <t>The GCKS verifies that the founder's GroupContext matches the template, verifies that the uploaded tree hash matches the GroupInfo tree hash, and verifies the founder's GroupInfo signature against the founder's LeafNode signing key.
The GCKS cannot verify the MLS confirmation tag.
The uploaded GroupInfo becomes the GCKS baseline for public tracked state.</t>
    </section>
    <section anchor="registration">
      <name>Registration</name>
      <t>A Candidate GM authenticates to the GCKS using the same IKEv2 authentication machinery used by G-IKEv2.
The request carries <tt>IDg</tt>, an <tt>N(MLS_OBJECT)</tt> notification containing an <tt>mls_key_package</tt> object, and a <tt>GROUP_SENDER</tt> notification only if the GM intends to send Data-Security SA traffic.</t>
      <t>The <tt>mls_key_package</tt> object contains an MLS KeyPackage.
The KeyPackage identifies the MLS protocol version and cipher suite supported for this join.
If the GCKS cannot accept those MLS parameters, it rejects the exchange with <tt>NO_PROPOSAL_CHOSEN</tt>.
The identity in the KeyPackage LeafNode credential <bcp14>MUST</bcp14> be bound to the IKE identity authenticated in the exchange.
For example, a basic credential identity can equal <tt>IDi</tt>, or an X.509 credential can contain a subjectAltName matching <tt>IDi</tt>.</t>
      <t>The GCKS then asks the designated GM to create an MLS commit message and once this message is received,
the GCKS responds to the registration request. The response carries a GSA payload that describes policy and the <tt>mls_welcome</tt> message.
If the GM requested sender authorization and the Data-Security SA uses a counter-based ESP mode, the response also carries a KD Member Key Bag containing one or more <tt>GM_SENDER_ID</tt> attributes as specified by Section 4.5.3.3 of <xref target="RFC9838"/>.
The GCKS then distributes the <tt>mls_commit</tt> to existing members.</t>
    </section>
    <section anchor="adding-a-member">
      <name>Adding a Member</name>
      <t>After registration, a Candidate GM has an IKE SA to the GCKS and has received the initial non-installable GSA policy, but it is not yet an MLS member.
The GCKS drives the join by sending an external Add Proposal to a designated committer.</t>
      <figure anchor="fig-add-member-flow">
        <name>Adding a Member</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="464" width="656" viewBox="0 0 656 464" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 40,48 L 40,448" fill="none" stroke="black"/>
              <path d="M 152,80 L 152,304" fill="none" stroke="black"/>
              <path d="M 152,336 L 152,448" fill="none" stroke="black"/>
              <path d="M 304,72 L 304,96" fill="none" stroke="black"/>
              <path d="M 304,128 L 304,184" fill="none" stroke="black"/>
              <path d="M 304,240 L 304,304" fill="none" stroke="black"/>
              <path d="M 304,328 L 304,352" fill="none" stroke="black"/>
              <path d="M 608,48 L 608,448" fill="none" stroke="black"/>
              <path d="M 40,80 L 144,80" fill="none" stroke="black"/>
              <path d="M 152,128 L 296,128" fill="none" stroke="black"/>
              <path d="M 160,158 L 304,158" fill="none" stroke="black"/>
              <path d="M 160,162 L 304,162" fill="none" stroke="black"/>
              <path d="M 160,240 L 296,240" fill="none" stroke="black"/>
              <path d="M 152,286 L 296,286" fill="none" stroke="black"/>
              <path d="M 152,290 L 296,290" fill="none" stroke="black"/>
              <path d="M 48,334 L 152,334" fill="none" stroke="black"/>
              <path d="M 48,338 L 152,338" fill="none" stroke="black"/>
              <path d="M 152,400 L 600,400" fill="none" stroke="black"/>
              <path d="M 160,430 L 600,430" fill="none" stroke="black"/>
              <path d="M 160,434 L 600,434" fill="none" stroke="black"/>
              <path d="M 136,320 C 144.83064,320 152,327.16936 152,336" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="608,400 596,394.4 596,405.6" fill="black" transform="rotate(0,600,400)"/>
              <polygon class="arrowhead" points="304,288 292,282.4 292,293.6" fill="black" transform="rotate(0,296,288)"/>
              <polygon class="arrowhead" points="304,128 292,122.4 292,133.6" fill="black" transform="rotate(0,296,128)"/>
              <polygon class="arrowhead" points="168,432 156,426.4 156,437.6" fill="black" transform="rotate(180,160,432)"/>
              <polygon class="arrowhead" points="168,240 156,234.4 156,245.6" fill="black" transform="rotate(180,160,240)"/>
              <polygon class="arrowhead" points="168,160 156,154.4 156,165.6" fill="black" transform="rotate(180,160,160)"/>
              <polygon class="arrowhead" points="152,80 140,74.4 140,85.6" fill="black" transform="rotate(0,144,80)"/>
              <polygon class="arrowhead" points="56,336 44,330.4 44,341.6" fill="black" transform="rotate(180,48,336)"/>
              <g class="text">
                <text x="40" y="36">Candidate</text>
                <text x="156" y="36">GCKS</text>
                <text x="284" y="36">Designated</text>
                <text x="340" y="36">GM</text>
                <text x="400" y="36">(committer)</text>
                <text x="588" y="36">Existing</text>
                <text x="640" y="36">GMs</text>
                <text x="152" y="52">|</text>
                <text x="304" y="52">|</text>
                <text x="84" y="68">GSA_AUTH</text>
                <text x="180" y="68">{N(MLS_OBJECT:</text>
                <text x="312" y="68">mls_key_package)}</text>
                <text x="224" y="116">GSA_MLS_REQUEST</text>
                <text x="348" y="116">{N(MLS_OBJECT:</text>
                <text x="468" y="116">mls_proposal)}</text>
                <text x="220" y="196">GSA_MLS_UPLOAD</text>
                <text x="340" y="196">{N(MLS_OBJECT:</text>
                <text x="452" y="196">mls_commit),</text>
                <text x="352" y="212">N(MLS_OBJECT:</text>
                <text x="464" y="212">mls_welcome),</text>
                <text x="352" y="228">N(MLS_OBJECT:</text>
                <text x="508" y="228">mls_partial_group_info)}</text>
                <text x="188" y="276">&lt;empty</text>
                <text x="228" y="276">or</text>
                <text x="268" y="276">error&gt;</text>
                <text x="92" y="324">{GSA(epoch</text>
                <text x="216" y="324">KD(mls_welcome,</text>
                <text x="356" y="324">mls_ratchet_tree)}</text>
                <text x="268" y="372">GSA_INBAND_REKEY/GSA_REKEY</text>
                <text x="492" y="372">{GSA(epoch),KD(mls_proposal,</text>
                <text x="364" y="388">mls_commit)}</text>
                <text x="304" y="420">|</text>
                <text x="304" y="452">|</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
Candidate        GCKS         Designated GM (committer)              Existing GMs
    |             |                  |                                     |
    | GSA_AUTH {N(MLS_OBJECT: mls_key_package)}                            |
    +------------>|                  |                                     |
    |             |                  |                                     |
    |             | GSA_MLS_REQUEST {N(MLS_OBJECT: mls_proposal)}          |
    |             +----------------->|                                     |
    |             |                  |                                     |
    |             |<=================+                                     |
    |             |                  |                                     |
    |             | GSA_MLS_UPLOAD {N(MLS_OBJECT: mls_commit),             |
    |             |                  N(MLS_OBJECT: mls_welcome),           |
    |             |                  N(MLS_OBJECT: mls_partial_group_info)}|
    |             |<-----------------+                                     |
    |             |                  |                                     |
    |             | <empty or error> |                                     |
    |             +=================>|                                     |
    |             |                  |                                     |
    | {GSA(epoch), KD(mls_welcome, mls_ratchet_tree)}                      |
    |<============+                  |                                     |
    |             |                  |                                     |
    |             | GSA_INBAND_REKEY/GSA_REKEY {GSA(epoch),KD(mls_proposal,|
    |             |                    mls_commit)}                        |
    |             +------------------------------------------------------->|
    |             |                  |                                     |
    |             |<=======================================================|
    |             |                  |                                     |
]]></artwork>
        </artset>
      </figure>
      <t>In multicast fan-out mode, the final per-member <tt>GSA_INBAND_REKEY</tt> exchanges to existing GMs are replaced by one <tt>GSA_REKEY</tt> to the GMs that share the Rekey SA.</t>
      <t>The GCKS signs the Add Proposal with its MLS external-sender key.
The Proposal is carried in <tt>GSA_MLS_REQUEST</tt>.
The designated committer verifies the Proposal using the <tt>external_senders</tt> extension in its current MLS group state.
It creates a Commit that references the Proposal, includes an UpdatePath, creates a Welcome for the candidate, signs a GroupInfo for the new epoch without a <tt>ratchet_tree</tt> extension, and uploads the Commit, Welcome, and PartialGroupInfo to the GCKS as <tt>N(MLS_OBJECT)</tt> notifications in <tt>GSA_MLS_UPLOAD</tt>.</t>
      <t>The designated committer treats the new epoch as tentative until the GCKS orders the Commit.
If the GCKS rejects the Commit, the committer discards the tentative epoch.
If the GCKS accepts it, the GCKS allocates a fresh Data-Security SA SPI, stores the public state, responds to the candidate with the Welcome, GSA, and GCKS-tracked ratchet tree, and fans the GSA, Proposal, and Commit to existing GMs including the committer using <tt>GSA_INBAND_REKEY</tt>.
If multicast fan-out is enabled, the GCKS can instead send the GSA, Proposal, and Commit to existing GMs using <tt>GSA_REKEY</tt>.
The Welcome, ratchet tree, Proposal, and Commit are carried as MLS objects inside KD.
The GSA sent at this point is the GSA that GMs use for SAD installation after MLS acceptance.</t>
      <t>The Proposal is included in the fan-out because the Commit references the Proposal by hash.
Receivers need the referenced Proposal object in order to validate and apply the Commit.
See Section 12.4 of <xref target="RFC9420"/>.</t>
      <t>The Candidate GM decrypts the Welcome using the init key corresponding to the KeyPackage sent during registration.
It validates the GroupInfo and verifies that the supplied ratchet tree has the tree hash committed by the GroupInfo.
It then derives the ESP keys for the new Data-Security SA.</t>
    </section>
    <section anchor="removing-a-member">
      <name>Removing a Member</name>
      <t>The GCKS removes a member by sending an external Remove Proposal to a designated committer.
The Proposal is carried in <tt>GSA_MLS_REQUEST</tt>.
The designated committer creates a Commit that references the Remove Proposal and uploads the Commit plus PartialGroupInfo to the GCKS as <tt>N(MLS_OBJECT)</tt> notifications in <tt>GSA_MLS_UPLOAD</tt>.</t>
      <t>If the GCKS accepts the public state transition, it allocates a fresh Data-Security SA SPI and fans <tt>GSA</tt> plus KD-carried <tt>mls_proposal</tt> and <tt>mls_commit</tt> objects to the remaining GMs using <tt>GSA_INBAND_REKEY</tt> or <tt>GSA_REKEY</tt>.
The removed GM does not receive any new Data-Security SA keying material.
If multicast <tt>GSA_REKEY</tt> is used, the removed GM can receive the fresh GSA policy and MLS control material, but cannot derive the new MLS epoch secret or the new ESP key.
In unicast fan-out mode, if the removed GM's IKE SA is still available, the GCKS sends the <tt>mls_proposal</tt> and <tt>mls_commit</tt> objects without the fresh GSA to the removed GM so it has an authenticated indication that it has been removed.
The removed GM can verify the Remove proposal and Commit structure but cannot derive the new epoch.
The GCKS then tears down the IKE SA to the removed GM if appropriate.</t>
      <t>There is no separate KEK-then-TEK rekey step.
The MLS Remove Commit creates the new epoch, and the removed member cannot compute the new epoch secret.
The removed member still knows the previous epoch's ESP key and any Sender-ID values it was assigned.
While remaining members continue to accept packets protected under the previous Data-Security SA during the GWP_DTD overlap, there is a residual acceptance window for packets from the removed member.
This profile identifies that rollover window.
It does not specify tighter exclusion behavior.</t>
    </section>
    <section anchor="member-initiated-path-refresh">
      <name>Member-Initiated Path Refresh</name>
      <t>A GM acting as group sender and having a persistent IKE SA with the GCKS can refresh its MLS contribution by creating an empty Commit with an UpdatePath.
This is the MLS mechanism used here for member-initiated post-compromise recovery.
The Commit contains no Proposals.</t>
      <t>The GM sends the Commit and PartialGroupInfo to the GCKS using <tt>GSA_MLS_UPLOAD</tt> with <tt>N(MLS_OBJECT)</tt> notifications.
If the Commit's epoch matches the GCKS current epoch, the GCKS orders it, allocates a fresh Data-Security SA SPI, and fans <tt>GSA</tt> plus a KD-carried <tt>mls_commit</tt> object to every GM including the author using <tt>GSA_INBAND_REKEY</tt>.
If multicast fan-out is enabled, the GCKS can instead fan the ordered Commit out using <tt>GSA_REKEY</tt>.
The author applies its own Commit only when it receives the GCKS-ordered copy.</t>
      <t>If another Commit has already been accepted for that epoch, the GCKS rejects the later Commit with <tt>MLS_COMMIT_REJECTED</tt> and a stale-epoch indication.
The member then processes the winning Commit through normal fan-out and can retry the refresh in the new epoch.</t>
    </section>
    <section anchor="esp-key-derivation-and-rollover">
      <name>ESP Key Derivation and Rollover</name>
      <t>For each accepted MLS epoch, every GM derives the keying material for the current Data-Security SA using the MLS exporter.
The provisional exporter label is:</t>
      <artwork><![CDATA[
MLS-GIKE ESP key
]]></artwork>
      <t>The exporter context includes a domain separator and the SPI from the GSA:</t>
      <artwork><![CDATA[
context = "ESP" || SPI
]]></artwork>
      <t>The string <tt>"ESP"</tt> is the three-octet ASCII string <tt>0x45 0x53 0x50</tt>.
The SPI is the four-octet ESP SPI from the GSA encoded in network byte order.
The context is not NUL-terminated.</t>
      <t>The exported value is split into ESP encryption and integrity key material using the same left-to-right convention used for Data-Security SAs in Section 3.4 of <xref target="RFC9838"/>.
For AEAD ESP transforms, the length and split rules are the AEAD-specific rules for the selected transform.</t>
      <t>The GCKS allocates a fresh Data-Security SA SPI for every accepted MLS epoch.
This is necessary because two exporter outputs can be valid during GWP_ATD and GWP_DTD overlap.
Receivers need the SPI to distinguish packets protected with the old epoch key from packets protected with the new epoch key.</t>
      <t>For counter-based ESP modes, this draft inherits the Sender-ID rules from Section 2.5 of <xref target="RFC9838"/>.
The GCKS includes <tt>GWP_SENDER_ID_BITS</tt> when required by Section 4.4.3.1.2 of <xref target="RFC9838"/>.
A GM authorized as a receiver installs the Data-Security SA inbound.
A GM authorized as a sender installs the Data-Security SA outbound and uses its assigned Sender-ID bits when constructing ESP nonces.
The GCKS allocates <tt>GM_SENDER_ID</tt> values in the KD Member Key Bag for authorized senders when required by Section 4.5.3.3 of <xref target="RFC9838"/>.
A GM that is not authorized as a sender <bcp14>MUST NOT</bcp14> install the Data-Security SA outbound.
Implicit-IV ESP transforms remain prohibited for multi-sender Data-Security SAs as described in Section 2.7 of <xref target="RFC9838"/>.</t>
    </section>
    <section anchor="optional-multicast-fan-out-with-gsarekey">
      <name>Optional Multicast Fan-Out with GSA_REKEY</name>
      <t>Deployments of this profile <bcp14>MAY</bcp14> use <tt>GSA_REKEY</tt> for multicast delivery of ordered MLS control material to GMs that share a G-IKEv2 Rekey SA.
When this mode is enabled, MLS remains the only source of Data-Security SA traffic keys.
The GCKS <bcp14>MUST NOT</bcp14> distribute ESP Data-Security SA key material in <tt>GSA_REKEY</tt>.
Any KD Group Key Bag associated with an ESP Data-Security SA carries only MLS objects and no <tt>SA_KEY</tt>, <tt>WRAP_KEY</tt>, or <tt>AUTH_KEY</tt> material for that Data-Security SA.</t>
      <t>The G-IKEv2 Rekey SA is used only to protect and authenticate multicast control-plane delivery.
The Rekey SA <bcp14>MAY</bcp14> be managed using the LKH mechanism described in Appendix A of <xref target="RFC9838"/>.
When LKH is not used, a removed GM that still knows the current Rekey SA key can read later <tt>GSA_REKEY</tt> messages protected by that Rekey SA.
Deployments that cannot accept this exposure use per-member <tt>GSA_INBAND_REKEY</tt> after removals or rotate the Rekey SA using a mechanism that excludes the removed GM.
If a deployment requires future multicast control-plane messages to be hidden from a removed GM, the GCKS <bcp14>MUST</bcp14> rotate the Rekey SA using LKH or another specified broadcast-encryption mechanism.</t>
      <t>Ordered Commit fan-out can use the following <tt>GSA_REKEY</tt> shape:</t>
      <artwork><![CDATA[
GSA_REKEY {
  GSA(epoch),
  KD Group Key Bag for ESP SPI {
    MLS_OBJECT(mls_proposal),
    MLS_OBJECT(mls_commit)
  },
  [AUTH]
}
]]></artwork>
      <t>A removal that also rotates the Rekey SA can use the following shape:</t>
      <artwork><![CDATA[
GSA_REKEY {
  GSA(epoch),
  GSA(new Rekey SA),
  KD Group Key Bag for ESP SPI {
    MLS_OBJECT(mls_proposal),
    MLS_OBJECT(mls_commit)
  },
  KD(<LKH-wrapped Rekey SA material>),
  [AUTH]
}
]]></artwork>
      <t>The KD material for the new Rekey SA is wrapped according to LKH so that only remaining GMs recover the new Rekey SA key.</t>
      <t>The removed GM can receive and parse this <tt>GSA_REKEY</tt> if it is protected by the old Rekey SA.
This does not give it the new Data-Security SA key, because that key is derived from the MLS epoch created by the Remove Commit.
If LKH excludes the removed GM from the new Rekey SA, the removed GM cannot decrypt later <tt>GSA_REKEY</tt> messages protected by that new Rekey SA.</t>
      <t>The designated MLS committer never provides the GCKS with a Rekey SA key or a Data-Security SA key.
The committer provides only MLS Commit material.
The GCKS remains responsible for Rekey SA key generation and any LKH state.</t>
    </section>
    <section anchor="mls-object-carriers-and-exchanges">
      <name>MLS Object Carriers and Exchanges</name>
      <t>This profile does not define a separate IKEv2 payload type for each MLS object.
GCKS-to-GM MLS objects that are delivered as part of policy or epoch-bound state use the KD payload defined in Section 4.5 of <xref target="RFC9838"/>.
MLS objects that are not KD downloads use the Notify payload defined in Section 3.10 of <xref target="RFC7296"/>.
Both carriers use the same object wrapper.
The wrapper contains an object-type discriminator and an opaque object:</t>
      <artwork><![CDATA[
enum {
  mls_key_package(1),
  mls_group_info(2),
  mls_partial_group_info(3),
  mls_group_template(4),
  mls_proposal(5),
  mls_commit(6),
  mls_welcome(7),
  mls_ratchet_tree(8),
  (65535)
} MlsGikeObjectType;

struct {
  MlsGikeObjectType object_type;
  opaque object<V>;
} MlsGikeObject;
]]></artwork>
      <t>For KD, this profile defines a multi-valued <tt>MLS_OBJECT</tt> attribute for both the Group Key Bag and Member Key Bag registries.
Each attribute value contains one <tt>MlsGikeObject</tt>.
KD-carried <tt>MLS_OBJECT</tt> attributes <bcp14>MUST</bcp14> appear only in messages sent by the GCKS.
Group Key Bags carry group-scoped MLS objects associated with an epoch-bound Data-Security SA SPI, such as Commit fan-out paired with a fresh GSA.
Member Key Bags carry GCKS-originated member-scoped objects and objects that are not associated with a Data-Security SA SPI, such as Welcomes, founder bootstrap state, ratchet trees, and removal notices sent without a fresh GSA.
This use of KD for MLS objects carries no <tt>SA_KEY</tt>, <tt>WRAP_KEY</tt>, or <tt>AUTH_KEY</tt> material.</t>
      <t>The bag type is semantically significant.
A receiver <bcp14>MUST</bcp14> treat an <tt>MLS_OBJECT</tt> in a Group Key Bag as bound to the Data-Security SA identified by the Group Key Bag Protocol and SPI fields.
A receiver <bcp14>MUST</bcp14> treat an <tt>MLS_OBJECT</tt> in a Member Key Bag as scoped to the authenticated peer and current G-IKEv2 group context, not to a Data-Security SA SPI.
An implementation <bcp14>MUST</bcp14> reject an <tt>MLS_OBJECT</tt> that appears in a bag type other than the one specified for that use.</t>
      <t>For Notify, this profile defines an <tt>MLS_OBJECT</tt> Notify Message Status Type.
The Notification Data contains one <tt>MlsGikeObject</tt>.
Notify-carried <tt>MLS_OBJECT</tt> values are used for GM-to-GCKS uploads and for <tt>GSA_MLS_REQUEST</tt>.</t>
      <table>
        <thead>
          <tr>
            <th align="left">MLS object use</th>
            <th align="left">Carrier</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">Candidate request carrying <tt>mls_key_package</tt></td>
            <td align="left">
              <tt>N(MLS_OBJECT)</tt></td>
          </tr>
          <tr>
            <td align="left">Founder response carrying <tt>mls_group_template</tt></td>
            <td align="left">KD Member Key Bag</td>
          </tr>
          <tr>
            <td align="left">Founder upload carrying <tt>mls_group_info</tt> and <tt>mls_ratchet_tree</tt></td>
            <td align="left">
              <tt>N(MLS_OBJECT)</tt></td>
          </tr>
          <tr>
            <td align="left">Commit request carrying <tt>mls_proposal</tt> to a designated committer</td>
            <td align="left">
              <tt>N(MLS_OBJECT)</tt></td>
          </tr>
          <tr>
            <td align="left">Designated-committer upload carrying <tt>mls_commit</tt>, optional <tt>mls_welcome</tt>, and <tt>mls_partial_group_info</tt></td>
            <td align="left">
              <tt>N(MLS_OBJECT)</tt></td>
          </tr>
          <tr>
            <td align="left">Welcome delivery carrying <tt>mls_welcome</tt> and <tt>mls_ratchet_tree</tt> to the candidate</td>
            <td align="left">KD Member Key Bag</td>
          </tr>
          <tr>
            <td align="left">Existing-member fan-out carrying <tt>mls_proposal</tt> and <tt>mls_commit</tt> with the epoch-bound GSA</td>
            <td align="left">KD Group Key Bag</td>
          </tr>
          <tr>
            <td align="left">Removal notice carrying <tt>mls_proposal</tt> and <tt>mls_commit</tt> without a fresh GSA</td>
            <td align="left">KD Member Key Bag</td>
          </tr>
          <tr>
            <td align="left">Member path-refresh upload carrying <tt>mls_commit</tt> and <tt>mls_partial_group_info</tt></td>
            <td align="left">
              <tt>N(MLS_OBJECT)</tt></td>
          </tr>
          <tr>
            <td align="left">GCKS fan-out of an ordered path-refresh <tt>mls_commit</tt> with the epoch-bound GSA</td>
            <td align="left">KD Group Key Bag</td>
          </tr>
        </tbody>
      </table>
      <t><tt>mls_key_package</tt> contains an MLS KeyPackage and an explicit MLS protocol version.
The IKE layer treats the KeyPackage as opaque except for policy checks needed by the GCKS.</t>
      <t><tt>mls_group_template</tt> contains the values needed by the first GM to create the initial MLS group.
It is not a GroupInfo.</t>
      <t><tt>mls_group_info</tt> contains a full MLS GroupInfo.
It is used only on the founder bootstrap path and does not carry the MLS <tt>ratchet_tree</tt> GroupInfo extension.</t>
      <t><tt>mls_partial_group_info</tt> contains the PartialGroupInfo structure from Section 4 of <xref target="I-D.ietf-mls-ratchet-tree-options"/>.
It is used after every Commit-driven epoch transition.
Its <tt>ratchet_tree_presence</tt> field is <tt>no_ratchet_tree</tt>, because this profile does not carry the <tt>ratchet_tree</tt> extension in GroupInfo objects.</t>
      <t><tt>mls_proposal</tt> contains an MLS PublicMessage containing a Proposal from the GCKS external sender.
This profile uses it only for Add and Remove Proposals.</t>
      <t><tt>mls_commit</tt> contains an MLS PublicMessage containing a Commit.
If the Commit references a GCKS-authored Proposal, the referenced Proposal is delivered with it unless the receiver already has it.</t>
      <t><tt>mls_welcome</tt> contains an MLS Welcome.
The Welcome's encrypted GroupInfo does not contain a <tt>ratchet_tree</tt> extension in this profile.</t>
      <t><tt>mls_ratchet_tree</tt> contains the public ratchet tree vector defined in Section 12.4.3.3 of <xref target="RFC9420"/>.
The founder sends it to the GCKS during bootstrap, and the GCKS sends it to a newly added GM alongside the Welcome.
The recipient verifies the tree against the <tt>tree_hash</tt> in the relevant GroupInfo before using it.</t>
      <t><tt>GSA_AUTH</tt> is reused as the initial G-IKEv2 registration exchange with an <tt>N(MLS_OBJECT)</tt> notification carrying an <tt>mls_key_package</tt> object.</t>
      <t><tt>GSA_REGISTRATION</tt> is reused for the same MLS-GIKE registration content when a GM joins another group over an established IKE SA.
The response carries a non-installable GSA, optional KD for Sender-ID, and a KD-carried <tt>mls_group_template</tt> object only for the founder case.</t>
      <t><tt>GSA_INBAND_REKEY</tt> is reused for GCKS-to-GM unicast delivery of epoch-bound state and related MLS objects.
The GCKS uses it to deliver Welcomes and ratchet trees to newly added members and to fan out ordered Commits with the epoch-bound GSA.
When the message installs a new Data-Security SA, it carries the GSA payload and the relevant KD-carried MLS objects.
When the message only delivers a removal notice without a fresh GSA, the GSA payload is omitted.
The response follows the <tt>GSA_INBAND_REKEY</tt> response shape in Section 2.4.2 of <xref target="RFC9838"/> and is empty unless it carries an error Notify.</t>
      <t><tt>GSA_REKEY</tt> is optionally reused for multicast fan-out of ordered MLS control material.
When it carries MLS-GIKE Data-Security SA state, it carries the GSA payload and KD-carried MLS objects.
It <bcp14>MUST NOT</bcp14> carry <tt>SA_KEY</tt> material for ESP Data-Security SAs in this profile.
If the message also rotates the G-IKEv2 Rekey SA, the Rekey SA key material is generated by the GCKS and carried according to the Rekey SA key-management method in use, such as LKH.</t>
      <t><tt>GSA_MLS_REQUEST</tt> is a new GCKS-initiated IKEv2 request/response exchange.
The GCKS uses it to send an external Proposal to a designated committer.
The response is empty unless the designated committer immediately returns an error Notify.
The designated committer uploads the resulting Commit material separately with <tt>GSA_MLS_UPLOAD</tt>.</t>
      <t><tt>GSA_MLS_UPLOAD</tt> is a new GM-initiated IKEv2 exchange.
It is used by the founder to upload the initial GroupInfo and ratchet tree, by a designated committer to upload tentative Commit material, and by a member to post a path-refresh Commit and PartialGroupInfo to the GCKS.
The request carries <tt>N(MLS_OBJECT)</tt> notifications.
The response is empty on success or carries an error Notify on rejection.</t>
      <t><tt>MLS_COMMIT_REJECTED</tt> is a new Notify Message Error Type defined by this document.
At least stale epoch, invalid signature, unauthorized proposal, tree validation failure, and unauthorized identity need to be distinguishable rejection reasons.</t>
      <t><tt>MLS_OBJECT</tt> is a new Notify Message Status Type defined by this document that contains an MLS object</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security considerations of G-IKEv2 <xref target="RFC9838"/>, MLS <xref target="RFC9420"/>, and the MLS architecture <xref target="RFC9750"/> apply.
This section highlights the issues most specific to this integration.</t>
      <t>The GCKS does not hold an MLS leaf in this design.
A passive compromise of the GCKS does not by itself reveal MLS epoch secrets, exporter output, or ESP Data-Security SA keys.
This is the main security improvement over a design in which compromise of a GCKS-held KEK exposes previous rekeys.</t>
      <t>The previous statement has an important limit.
In this profile, the GCKS is also the MLS DS, AS, and external sender.
A compromised GCKS can authorize an attacker-controlled KeyPackage and ask an honest designated committer to add it.
Traffic after that malicious Add is visible to the attacker leaf.
OPEN QUESTION: How should this profile split the AS from the GCKS and rotate the external-sender key?</t>
      <t>The GCKS can perform public validation of MLS handshakes but cannot perform all member-side MLS validation.
In particular, it cannot verify MLS membership MACs, confirmation tags, epoch secrets, exporter output, or ESP keys.
Members remain the cryptographic acceptance authority for MLS Commits and Welcome processing.
This document does not specify recovery if the GCKS accepts a public state that members later reject.
OPEN QUESTION: What repair, rollback, or resynchronization behavior is required for that case?</t>
      <t>The GCKS orders Commits.
Commit authors keep the resulting epoch tentative until the GCKS fans the ordered Commit back to them.
This avoids requiring rollback when a tentative Commit loses a race or is rejected.</t>
      <t>All Proposals and Commits are MLS PublicMessages in this profile.
This exposes MLS handshake metadata to the GCKS, which is already the G-IKEv2 control point and delivery service.
The messages are still confidentiality-protected on the wire by the IKEv2 <tt>SK{}</tt> envelope between each GM and the GCKS.
When optional multicast fan-out is used, ordered Commit material can also be visible to a removed GM in the <tt>GSA_REKEY</tt> message that removes it.
This does not disclose the new Data-Security SA key, because that key is derived from the new MLS epoch.
Without LKH or another Rekey SA rotation mechanism, a removed GM that still knows the current Rekey SA key can also read later <tt>GSA_REKEY</tt> messages protected by that Rekey SA.
If future multicast control-plane confidentiality from the removed GM is required, the GCKS rotates the Rekey SA with LKH or another specified broadcast-encryption mechanism.
The MLS committer never supplies the Rekey SA key, which avoids giving the committer a direct way to corrupt the GCKS's multicast Rekey SA state.</t>
      <t>The Sender-ID mechanism remains security-critical for multi-sender ESP with counter-based modes.
Reusing MLS exporter output without Sender-ID partitioning would risk key and nonce reuse.
This draft therefore keeps <tt>GROUP_SENDER</tt>, <tt>GWP_SENDER_ID_BITS</tt>, and <tt>GM_SENDER_ID</tt> where required by <xref target="RFC9838"/> for authorized senders.
Because this profile uses a shared Data-Security SA key, receiver-only authorization is enforced as local IPsec policy and GCKS authorization, not by withholding the ESP traffic key from receivers.</t>
      <t>Every accepted MLS epoch uses a fresh Data-Security SA SPI.
This lets receivers distinguish old-key and new-key packets during the activation and deactivation overlap controlled by GWP_ATD and GWP_DTD.</t>
      <t>Removal has a residual acceptance window during that overlap.
A removed member cannot derive the new epoch key, but it can still know the previous epoch's ESP key and Sender-ID values.
If receivers keep accepting the old ESP SA during GWP_DTD, packets from the removed member can still be accepted until the old SA is deleted.
OPEN QUESTION: Should removal require zero overlap, receiver-side Sender-ID filtering, explicit old-SA deletion policy, or a combination of these mechanisms?</t>
      <t>A member-issued path-refresh Commit <bcp14>MUST</bcp14> contain an empty proposal vector and a populated UpdatePath.
The GCKS rejects member-authored Commits that carry Add, Remove, Update, PreSharedKey, GroupContextExtensions, or proposals by reference.
This preserves the rule that only the GCKS proposes structural or policy changes.</t>
      <t>A designated committer can deny service by refusing to commit a GCKS-authored Proposal.
The mitigation specified here is for the GCKS to retry with another appropriate GM on its choice.</t>
      <t>The IKE identity and MLS credential need an explicit binding.
If the GCKS authorizes an IKE identity but accepts an unrelated MLS credential in the KeyPackage, authorization is split across layers in a way this draft does not intend.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document names several new protocol codepoints but does not assign final values.
If standardized, the draft is expected to request new IKEv2 Exchange Type values for <tt>GSA_MLS_REQUEST</tt> and <tt>GSA_MLS_UPLOAD</tt>.
The existing <tt>GSA_AUTH</tt>, <tt>GSA_REGISTRATION</tt>, <tt>GSA_INBAND_REKEY</tt>, and <tt>GSA_REKEY</tt> exchange types are otherwise reused.
It is not expected to request new IKEv2 Payload Type values for MLS objects.
MLS objects are carried in the existing KD and Notify payloads.
It is expected to request a new <tt>MLS_OBJECT</tt> Group Key Bag Attribute and a new <tt>MLS_OBJECT</tt> Member Key Bag Attribute.
It is expected to request a new IKEv2 Notify Message Status Type value for <tt>MLS_OBJECT</tt>.
It is expected to request a new IKEv2 Notify Message Error Type value for <tt>MLS_COMMIT_REJECTED</tt>.
It is also expected to register the MLS exporter label used for ESP key derivation.</t>
    </section>
    <section anchor="open-questions">
      <name>Open Questions</name>
      <t>This section records issues intentionally left open in this document.</t>
      <t>The exact binding between <tt>IDg</tt> and the MLS <tt>group_id</tt> needs to be settled.
The simplest approach is to make them equal subject to MLS length constraints.
A derived value with a domain separator is another option.</t>
      <t>The external-sender key needs a rotation procedure.
OPEN QUESTION: Can a GCKS-authored <tt>GroupContextExtensions</tt> Proposal replace the <tt>external_senders</tt> extension for this purpose?</t>
      <t>The designated committer policy needs review.
The policy specified before uses the lowest non-blank eligible leaf because it is deterministic and easy to specify,
but then it was changed as a GCKS local matter - no explicit policy specified in the protocol.</t>
      <t>The rejection code structure for <tt>MLS_COMMIT_REJECTED</tt> needs to be specified.
This could be a single Notify with a subcode or separate Notify types.</t>
      <t>The final MLS exporter label needs review.
This document uses <tt>MLS-GIKE ESP key</tt> as a descriptive placeholder.
The final string should be checked against MLS Exporter Labels registry guidance and IPsec/IKE naming practice.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC7296">
          <front>
            <title>Internet Key Exchange Protocol Version 2 (IKEv2)</title>
            <author fullname="C. Kaufman" initials="C." surname="Kaufman"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <date month="October" year="2014"/>
            <abstract>
              <t>This document describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations (SAs). This document obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 to be an Internet Standard.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="79"/>
          <seriesInfo name="RFC" value="7296"/>
          <seriesInfo name="DOI" value="10.17487/RFC7296"/>
        </reference>
        <reference anchor="RFC9420">
          <front>
            <title>The Messaging Layer Security (MLS) Protocol</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
            <author fullname="R. Robert" initials="R." surname="Robert"/>
            <author fullname="J. Millican" initials="J." surname="Millican"/>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="K. Cohn-Gordon" initials="K." surname="Cohn-Gordon"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9420"/>
          <seriesInfo name="DOI" value="10.17487/RFC9420"/>
        </reference>
        <reference anchor="RFC9838">
          <front>
            <title>Group Key Management Using the Internet Key Exchange Protocol Version 2 (IKEv2)</title>
            <author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
            <author fullname="B. Weis" initials="B." surname="Weis"/>
            <date month="November" year="2025"/>
            <abstract>
              <t>This document presents an extension to the Internet Key Exchange Protocol Version 2 (IKEv2) for the purpose of group key management. The protocol is in conformance with the Multicast Security (MSEC) Group Key Management architecture, which contains two components: member registration and group rekeying. Both components are required for a Group Controller/Key Server (GCKS) to provide authorized Group Members (GMs) with IPsec Group Security Associations (GSAs). The GMs then exchange IP multicast or other group traffic as IPsec packets.</t>
              <t>This document obsoletes RFC 6407.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9838"/>
          <seriesInfo name="DOI" value="10.17487/RFC9838"/>
        </reference>
        <reference anchor="I-D.ietf-mls-ratchet-tree-options">
          <front>
            <title>Ways to convey the Ratchet Tree in Messaging Layer Security</title>
            <author fullname="Rohan Mahy" initials="R." surname="Mahy">
              <organization>Rohan Mahy Consulting Services</organization>
            </author>
            <date day="19" month="March" year="2026"/>
            <abstract>
              <t>   The Messaging Layer Security (MLS) protocol needs to share its
   ratchet_tree object to welcome new clients into a group and in
   external joins.  While the protocol only defines a mechanism for
   sharing the entire tree, most implementations use various
   optimizations to avoid sending this structure repeatedly in large
   groups.  This document describes a way to convey these improvements
   in a standardized way and to convey the parts of a GroupInfo object
   that are not visible to an intermediary server.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-mls-ratchet-tree-options-00"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC4301">
          <front>
            <title>Security Architecture for the Internet Protocol</title>
            <author fullname="S. Kent" initials="S." surname="Kent"/>
            <author fullname="K. Seo" initials="K." surname="Seo"/>
            <date month="December" year="2005"/>
            <abstract>
              <t>This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4301"/>
          <seriesInfo name="DOI" value="10.17487/RFC4301"/>
        </reference>
        <reference anchor="RFC4303">
          <front>
            <title>IP Encapsulating Security Payload (ESP)</title>
            <author fullname="S. Kent" initials="S." surname="Kent"/>
            <date month="December" year="2005"/>
            <abstract>
              <t>This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4303"/>
          <seriesInfo name="DOI" value="10.17487/RFC4303"/>
        </reference>
        <reference anchor="RFC9750">
          <front>
            <title>The Messaging Layer Security (MLS) Architecture</title>
            <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="S. Inguva" initials="S." surname="Inguva"/>
            <author fullname="A. Duric" initials="A." surname="Duric"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>The Messaging Layer Security (MLS) protocol (RFC 9420) provides a group key agreement protocol for messaging applications. MLS is designed to protect against eavesdropping, tampering, and message forgery, and to provide forward secrecy (FS) and post-compromise security (PCS).</t>
              <t>This document describes the architecture for using MLS in a general secure group messaging infrastructure and defines the security goals for MLS. It provides guidance on building a group messaging system and discusses security and privacy trade-offs offered by multiple security mechanisms that are part of the MLS protocol (e.g., frequency of public encryption key rotation). The document also provides guidance for parts of the infrastructure that are not standardized by MLS and are instead left to the application.</t>
              <t>While the recommendations of this document are not mandatory to follow in order to interoperate at the protocol level, they affect the overall security guarantees that are achieved by a messaging application. This is especially true in the case of active adversaries that are able to compromise clients, the Delivery Service (DS), or the Authentication Service (AS).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9750"/>
          <seriesInfo name="DOI" value="10.17487/RFC9750"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81963Ibx5nofzzFLF11TG0ASLKk2GEcO7BIy1yKIkNS8Ult
bQkDoEmMNZhBpgekGct5ln2W82Tnu/ZtBiRlJ7tRVWICmOnL19/91qPRaNAW
bWn2sp3j1+fZZd1kh6fWzLNXTb1ZZ0fmNjv4cb7MqyuzM8hns8Zc86OjV4dH
BzuDed6aq7q53cuK6rIeDBb1vMpXMNyiyS/b0ft6OWvq96NiDWOuzGhV2tFV
8d6MnjwZ2M1sVVhb1FV7u4Y3Dg8uvs2yT7K8tDXMUVQLszbwf1W7M8x2zKJo
66bIS/xwOPkG/gNr3Tk8u/h2Z1BtVjPT7A0WsJq9wbyurKnsxu5lbbMxA1jx
s0HemBxGPTfzTVO0tzuDm7p5f4WbhG8PTzP9ITvOi6o1VV7NTZZXC9g+fMJV
2p3Be3MLry32BtkoM9W8uV238AN+opEy+D0zAq7Btak2sJos+9hZsowBsvM9
LLGorvgs8PtVXpQIGoTmHwvTXo7r5gp/yJv5En5Ytu3a7j1+jM/hV8W1Getj
j/GLx3AaN9Y8phEe45tXRbvczODd93JWj+8+OXynBDDbNphP3x3zaOOivmeU
e34eL9tVuTMY5Jt2WTcIbpg1yy43ZcnYdVRXTb6A/9D79CNsMa+Kv+V4InvZ
6bI2VfFjdvZ/9ulXw6B7T+/9scnb+dK0YwBud+yzfL3MTZmd1YBT7cPHRkDD
yPRyQ++O5/WqO/6f89I0t9n56taW9XXP+Aev/3x4Pjp9/fY8HN5e59UfTXld
2HGzGQyqulnB89eEYWffvvz8s9/9Vv783fPPnuifXzz7Av88HO0TIhCEZfej
tjFmVBMK273BAAk4HvP5sydP/Z/PdMzPX8Dwg/F4PBiMRqMsn9m2yeftYHCx
LGwGHGCzAqLNFsbOm2JmbJZn66a+LEqTtcu8zTYWvmuXJjs21uZXiOGv81vT
eOrYBQbzCF9q63ldZjk/7mhstMqr/MrQLMBFcPrWEO/yXOvYP7KxOAWwq+vP
st1XI/rj0RhWazIiwjaDZbc1zGesaa4NTVavTUPnkZfZql4APtSXmbw8hPfm
5Wbhh4UVVHZdN+0we3U+ydZ1Wcxvs0UBSytmGxxmCFCYw1wNjPfq5dH5kMge
Z2J+e3B+mgH7AlCVeWWG2c0S4dUY+DgnHrB/cjiy7W0ZwCGaILsB2oNBM+Tj
9AhvETa1KVscAg6kuKqyOTwzw++BgACysieY0DSGXga4LzZzOSMAw8is6/lS
poW1NobOcIEww1XEm9iHTYzcSZ5PAEsITVbFYlGaweCT7BCggDMQ7xzo/D/9
JPj688+w0suiggX4nQYn7mUU/wwgvbws5tEx02BIEjCYMmQLu25vjKkES44N
Cg0LKHFsH9Fp5PLLyxpXWAKZPkZUOkekaOA5ODbBG/zTQ9+tVM69qNxQDhAT
a+t5QRgFI51PAL3z27LGM4CZw6F0P7Bty0PhIvbrm4oe3z3ad++OmeSugGSt
YGzdIL1d5quiLPJGUa74GxzXnLcFqywEjMxfhfEMZflDQA2YmxF0RUBCGJYb
FE9wmogifFjAZwC+BU7oTyq/ArZCB+Xol6h+hRIP/uefti2SbT5vamszwjE7
Huip4NJgkGJOz+Dh4LgZQM/kgIyMkrNbnARQlY4eFwYnvbDL/L2BlSNzMTDk
ZL0ucRzkc4T9ODLgWANgE+RqDaoW2WVTr5gzwVDmRyRo2Dxj4wLPAo6TTvCL
8QvkBwEYxin7g4Wta+R0G7c4oBcmaGYxFwdHMDVI6QrlQVEBARYtzAO7UqKg
Bd1L+mNHRA0Ki4opN4TgIttU8IdtPady1EDwfHXs+BHhNmJHS9zjqiD+irQK
6/d8GB9n4ZGX5S29oHMAtwTQwp4ARLhvGACofQOcaJw56sGDQFUvHARgdl0s
jBtgIAMQY/SjCEhXyNdowjNEWOA1yJiRc8KG4HuG8irQtGC4Fg+Jn1QWHvMX
RH/CU6F0ZOdCqSF0bb1peETmRUo7Sr3WlIArQI1DBjnKVvj7HDXaZnS4D4M2
oA4AfsG3ID2La+YNsPVcaG9h0u95SbGocOd2frr/+HyyL9KK1xrw5uANlcyE
aoTDKOmBlHEo/fxMcJohmDEPJUmJ1BwxKdCts6rOyhqeAHIRTsXDO4yCMY72
AwH9TX4FID6sbAuCaJgZQhhAQxoeeQpLMmFATK0M+lTC8CIUY+HrBumPSJi4
BAnGlKpDPl7DwFXdZsu6XCTzlia/VAg3BuYw/nHhIDiyjLqI4MJTmB+BgBDN
jvYdIsH24LuyZDGKKxeMF3Tk3ShWZ7sIf8TngiBjVuuyvjWLRwNcGHzRGDcO
bmgELB20KiJ73Eo9+wFQ0dI2PP55pgevEUitByms/dXxtnE2VjctO3tTt8Xl
rdsdwVs0vpEyzwqfES5MuNhhmPg3IeYaVdBM9oaABs2phj0DsWRO7c3s2szd
iOPBOSIQ7GaBxFvCe8YsBCZI/w1JxxkIRdgf4itrfsp4SBSROqRKEsgKOEt4
yqKdCW9XsBq7MXacLBswBBHTyvzIzVYiUa2QMR4XPXudA8RxSJjo4mT/xI/9
VxiZXhmjhgQKyDWvjofYRyAW9JlJEhEDLVELtvjb8wu0ifG/2ZsT+vvs4E9v
D88O9vHv8+8mr1+7PwbyxPl3J29f7/u//JsvT46PD97s88vwbRZ9Ndg5nvxl
h/nTzsnpxeHJm8nrnYw4TQgVBDGIixkDugHVmuE78LwH3vnm5en/+++nz4Hn
/Bswnc+ePv0dMCH+8MXTz5/DB9BKK56truCc+CMg3+0gX69N3pCCBIQ0z9dF
C+JkiKC1S2BBGRIsQPPf/xMh81972Zez+frp86/kC9xw9KXCLPqSYNb9pvMy
A7Hnq55pHDSj7xNIx+ud/CX6rHAPvvzy6xLILBs9/eLrr0DhRjawN9i7S58d
MrYzdXqVAyD26ti/yuoYfPkSzqBA/0rGP0/g3etiLibdMreJviG6AjFY0FLo
CaTlWzAeDKKEWTieLNbK4Nt6U5FE5ikQ0S+LBuQ7iAU858C2ycAKoXlIjXX6
ko60T7vHp/dVF8Fdw3rhx4n7ceKXjGzJP5KKGF0Oil5gyGr9oIYLLFGWRBJW
BACMgS6dBs1HSzyXgFbh3okFiebthSSuZ2rknXf8jp3yMeABwk+ZUS8RTo6P
ZPpCdkrqJlBAFmppsIzTHLgxiC7Qm5a6htUaXVAw4ct6tQKhoqbj2zWeML1B
xyqvidyd08Mw36fWy8VF0SAE1vAOTda0IFNo0YfVZa1wc7pbiHE//XSvWwI4
AC0EeL9lMcAryDZrEjXEFMhMhYktmeg6NasKpGci3sEqiaXDMlirXm9moLF5
g4E5LwMFdMU1DPfW8kKJ4e+TYBChZcUOsJvVKsdjtO4M5/q2SCBS+vOFaNOA
zKSEGscqESFDxCZSiiwkgkC+uEYVFueBn66WoObBtmrUuFGAgTYLs5BarJbU
gbeTwOpA3wZJHic4RcWxy2I9VGjIGWR4BqK4kkDmlTAjtob2wNrPQhwCMN8J
nkUNTEiQCnW4OYLCUSnaqZUsicYu2O60clgJqWa7++ePWOIHxgHKzAVrSjhq
n8GnVtqL8WfeSvv8BRqrYDbNN5YdUHioYJwYkL0V+ViARyLxE+ACHbCezzfr
AieGzRHik1XeAzLxuATfsMJsEguGRmc3WA2oTGw1dK+AjodMpIATE6Gnh0WC
NV8AYqGdsqqv8Q8Ag1KqugTIvwo63ppXLT79Y5wPP+P8uBNEPtTGT/P5+/zK
rZY1PUE8BDziDGldAhLaOzEGOjt8rPL6oDxEFt5igVorTJsrRzoHqOgJPX3S
MaMRgsGK0GnhjC7nUQA0sYQ682INch7osGD0zFBPIvVIebT46WH+700JDESw
OM9ew/7fgK0E62yaW1w3mYuydpBPyKqBs+LTctbe549ToPUiag9CGz18oZQk
Bm3ZfaO7CaXiYkNIHFrY4l0JyBUjIPiUCD1xZAGL8PyedoMuDmZCK8chmA7F
DFnL8xRbQJOhNMBQWl6RQxjErskCUOqMcMs7KVlkbBcXkVrnTvez8fPO+QKz
gxn8egrxBpoEVPB9JMgmsib/JuO/jVCPkdrJuO0L/jjRRiPUG/Xq4EyI3N6x
NLoubDErTcBU5bSIxAT1lEcRysl5KVIR6MQDXyN/qcwNED/RumIlihTiGT/U
YtszM1VlCGRVzuDljSfEBscxfjZ+2ktyukJHbwhVtzIvVZk1iPXsviUfIMpH
FAgVcJ1l7QQdLTH0t7T6qqg1Q3ao4NuNxzhYCCh/Ao02v+IpceM4xrwsyMxA
B5JABZG8y5LBBCGrHbAA+ZG4C+lp2fKYaA5ETH0jUoHeY+uFD2qRCbgVSiSj
pzLPO3x+Gihn6Imgt0VkycHU6EMgrKhMCVJvAydHA83JCXiVWZF7dSXKS3R+
1h8gwkg+POs5zdAQc8EWiwqQuuz2PBvC2M17foT2TcoRQuSUgHksUlVEP3K0
olU+pqcBzA6Iw6LrLgJsCNnc6b7ho+LCF212bhpEvoC5FZfBY6gaEVpcbdh8
yFsdU87nwQp0hzKejr/YAklijAJG9GMbPMHCrnDVJWKZQlI8vkR/CC3hVy6S
ZB0XWeXvHSHgm5HPaTz4xsxzdLIQY4uMCO8RYYjwG8MAu2kFLuCxaVX/ZRYB
L4K82ZRgOAtrVLeZmgvkbmVmumEJ77y5hBl5ZDIxUdIpY7gZjSFW8n3or6PV
ERRJh2OkatCzaZ36JuK52mKcOf8gcO81wJSYLm5CWGRBYrstBGO9HLd85IEy
6OW3OKuGwYnM2Uuzfz7MJhKsY/dhdB6g9Z4evMn+9PbgHE3yvex7XJ1TU5y8
blD3/+umaFgnsSA3WqFxP76OPZKzRnXUanzEGnQYtySqYN+oHHzNp4W+R6ti
UEIWBCT1mQZiaku4g1g0iL6pDvCO9dBpTCZ9UY9eGvHrqNVLyhpon+uWNEZZ
EvNiQXLV4Eg/Uzc7MCvDPrlwW6ReOycUWWpkzp3PgfruCkwjcs+QPg3I2gom
qm8UG8YDIZErUwkFD5GaRMFTshgC9m3ovNgmjeJmYqYiMWMgVb+VOMnh0QH7
Wk+QGszC0WRejWomXXrVFCQ5ghGmr84n7w7ffDN5s//u7ODo4C9ThIgPiNDv
/ANg+WX/LwhngrGK3MBTyTL1ckPkLIHDEUcPlFCzZQG6ScVYJLaIqj9CSeKV
cY5swpDXR9+Jo9VrjJM1Kbo/ZhOPYBQKlhAERxDEOEE7s+tGYXcMsT+1szB0
n6pjQYhxUROahWybvO4p10buwrJbRguilHPSOnPrzDeSOnRyomHimgsY4KZS
94AP2YNaYEXBz+9VWQEUb8yNMwRFBWRVnzTqcmO96L0I+FoYskDvi5Pb+rpz
VfHkkWsw0edB5fiswwQSJngOQq5cpKOiQiS+B/EIyDLQkrW31RwWU7lYNPw8
A6AzNd0gUyEcuM5LJD9cDckA5qnCCYPDRnonKabuHuQQgsDCXqPgN9oXLviE
oQHWs0krQaefxnVIM+9wsQLOEN2ewv6Qcfuo0/TV2cnb03fn6Nc9myaBkC6Q
n48/D60moQK/OneWuHn0J/VthxCQQ0zOVPAuJo5K+OCVcP/euNqQlAh255Dm
EVGcwXMN4cPqBCwTEz8C2fDemDWTbxiB0ti3T62J0hLMwhEUR3znwGkBp0az
HNkWzovBTg3JFD6ZRRIxYpjgtiv0zo3sGmPw6DMkDxThILECGFvAKRsaIecS
2csGesiO0Oaprko0Vm1LEWZxdLEyRY9hxF+PG1dwmRdljfkkqBQgl4fNWxRT
MjYfEXFK9NRoOLMvtQbXG8Q5fcxebPs4P8ZFpNUhYK6LemPd8cN4iDW4tjJf
O/dEXcpy53NQ2ohriBPj+9N3k4t92hT+vQ9/K9xbzWa5hxFNvutsCl852T/Z
A8VxjlbCDVhYyHv7HiUxhdoGzFpgLtiaMhvqxn8XZq58Ik7c7OQalUlzwxCX
kJ9H0QSLfJi9k3PFP4XBWqYXSfPg4TBjbctbPXHXNOmgl0WkDILESlFt2KOo
orU/Wv7rMhVQYVeUwEhnJYZ5EN3uXfGLdMXETzRnIFb1MDEmVFQZptEW+cGj
5MHx4FuhgfWmIaEOk3YOrRfwkSHAEXWLm5rlV5JbcFN3ousyi93DJ1kncLkN
ssTpq2Nh/e8O96cBZQRq4ojoPwqyM6Q7CRMyKBF2z1sgtznLzCycAkHkPZqh
jtrFhfPTQ6HQDQMLZsTNhmOqrwpOawq6I2qOw2z6/dnkVP6G56eTtxff0cdE
lddBSCZclqBdsxUpvmhnb2lOQZJKUHB6CK8sZL5szlJqKcCPGV1onykbR8qW
pAphe+wioky1yD70oit4R1IFgLmXpfcCfVSoziuLvEdM4AjDeJj1cXnLMyee
A+8GCXDOGW0IBwBJontZ1r1oHtyAcAGbs9dKPW26v42EuNgVVNNvncQqp/Ez
cSG9IUldXprm61ggkoYQOzMO2/4EG3KzrhvMbyIWOWRHqwRAhiLT3Efm6WxV
gtRcb1oaOvBe9Tn/SDY5LyWH03xcDrR3dsChp02dLoXGqgPJ6lahfhbTIJfU
KWE+XETgbZFDTZTS48lLgmHq2rTkI2YxRGcMxMEeacssh/UY0xfu3YoBN6pt
3wLYbzylMbuXqJSf0nnAv84OEXuq93RiI8YkMb1ogLKeo2GVt5RFNfjuYwbH
gUKdx2XkuWhoBuMZSk+4jFk55gKKylujvcQKscy72lg8NkwbSqxr1cNROTwe
Z4eA3bVtKZ2KlmkxVIOeubIcEK3UViOujB2RYYcHBTo1uUejAIzEWpwPQgUJ
8g9Lnmrb41QV3kvRbbeXMFId4LV3zuKXPuwJT5p85VVgMjlCeSeOs2kWBth9
jEkNkZ74jfiWHxClZ96aeoxx72SDSJ6EWahr+wasNmQ7eDiapUgq14ELObgU
Z3HDtMRC2Z8yTfMMplss1ucfuQMZPwzPBOyD0BkdImJJjJIIgH/UcXgb5BkG
B2s76QD+XTpjxCXibcYFHyVdWnw19YxqFXykx01DMRGfbb2NNRIZl7cdv34V
+BiSqIdm0vNknJoTO79iH82PGP0XMcf7dQDAb5sNulxnwncpwVK0wtg2YYhw
Wq+jEvawxJTCIXjM4sjXa0oQoPRp0eZb4uhUt8ZC6xL12BuyaHL0IifJHOwG
QJ8WjwYjf3CDSZZH9sGN6b8afBiNRvQ/fAEXK/8hDw0lJfV4fdWjnNFbxzxy
5OZnVhYmIagyQhvnF+l5UNp3p4f7V9NHMsyUxnlXLEBdY1VQla8ocYqHCIyP
D6ABuNxS58bLVZW0HbOCh0j1VhoH0THMUm3rEWxzqyrbr6WTBR2uhbR7ccW6
yWNVPJ09VclRR/AL2qqS37OiV8cjjGQg6+pk8PLCEt32A+cXpeo2yx7KqG5x
L5pObXkQt/EP2Ykkzo9RFrX0cr+fN4EPGE04aa9HIQRnRksmFZHfTO0yeGBf
soB6Kyf4rXAlykGC1QdrVr83OVzFJe58pnXpTQs/LtodfIQyzavD84uzCWpC
fjbr8ZhIaPoGC8zenXzzHwcvLx5NkZJEs7Bido007hueDD1GQSdjgyXEbvhg
h2dJWjbjV1+RRGijIflxSpAPjyUZ2MHkuA/MXAXlL5obPcXBpO6X3FLkMU+0
TbSo2UmbJxqnqjnJnG9PX59M9rtTHtOEyOzcL0Fqe2cPx0l5kXJKSZ0J4p+J
STTOtinMIAtpaO+/iE6i60Ikl2DkDBQ+2OPfckO1tZSMdElI3SM4CsgiScFF
e5Xq3RxXZwUpTt2gLG8XtkiC1N3EjW+87NxugnEsxiXSavZIHobS0XTh8EMk
EFA4g+D3yY0i7UEUfo9JaeG8wWjsBEVFgkYhs0mCaB9nssOpFM2D7XZ8mGBK
vreFpAxPQed7x+KvxcoJWMNUE9yC7A50L+A8+gyrUaEiSJwoSjeLveoceb4s
EOIu2DvP11x1UPjI9q1Ek/r9BT6q4exyEa2DQO2KEs3CzGsbuVXC0hfWUqQE
AVHJM9BISQUNV9RGTr0MK1pV+7wDqKIcilro/TSgt2j00sOM3fptCPfrvJQq
Cz8Kbo9d4h0GpEGalKeHYRbrU/xihCjIdFBk4MwnZo9Yrg2TBfYFJyXQy7HW
332dtUem5D7VOzih0KdFToNCg0it3/+nNsaVFQ1mI7gNe15nnZyqkgyajHYZ
vRqkSuvvjKLBSJ01pJbQFRoZ6WpdamXH/aa6e+AkcbTVm/Dl9uBnD5kS1xcA
L6fyB2QFzlxm44msJjIKzsJSxsHkoSTkUZR8aMwd4yyYIJLl/GlaTXGxNC5S
p9yEVHPKVr0LayOEFMwDOL5bc4KkIp6ms94VZiRzTFKpqJYiDnB2RJgvYrhQ
Yu+ZOcoVxBP02ZudNF7HHD0vTZN5ma8HDFbjOSJRyK+CoosyGtoEmTjVXPw3
NHwQtSgwIvOD80w51US0wZN3p2cnpyfnk9fvXn53AhAUhii5RC67LNiPTx72
gojKimYmNrCQ57px4hIZTeF0VvW35OTMsdQNk4kBrdG56Cdw46DxCzgFXwEq
FeyCh6/+7/jFk9+FL+BzckgYq9zQsU3K9g1iMrECRC4aI2RExG5BU+z48URT
lFQyTWggvVEzW7lUay6ebv2WYvVzg6bCcBB4ulCbXljvH/AUqkTDFcOqdzsS
yiMzVdKdNK2nT1jdsA9jqkvySHSsU7lwc0/cuDeSRhIp3xKVHqqLhxceqRN5
j5EaUDua+JjOg3mrd8SPbJBOMbsNY21xXqikEMTHG3UcUCDxWZJQTZL5uTpm
suBcFVk7cNFLdOqG59bJgqd6lkq9sSFnRbjir4oZkdxE95oEXsg58yqIXMYZ
CVhRlsQc3FYXvmqYlN4k4UaNC4y7nLoE+To2j5zzGkDw97//Pctze30V1MPJ
P5pP/+1HNLPrhniURf8OFMivji31evkQ/Rx/2vZVz78PMpgqeNlPoZzZyxKG
/ujn+wf7zSj499WvXtk9b/6awRKzuG/vWkIQbrxvsGjTW3f+4JV1H/vlg335
h/Tfb/5FVpbFKnof/JkeHg1/ycq6owlrj4b7xYOtObIQGAiPfu4/gA5u/Msc
wJdsyqM20TR189WvGOw3HTT736SAnwC1dslZBod9tL8bnP4wSy2zbVxNBvvy
Htr5VyH0LPUxPnb+1AgeAg5lbcMHriwLCXKrHHgYc3zYv6/+N5jjw/79g1cG
2sLgp73sk8viapQvFuL+GFEaDHVd/MNOolHt/DzAooSuS9xrlJcFaix354J7
x3eoyWGcmysRxEE243rd0EGv+tmxuBHskjo5wFculhEYCqjksHYVaVBkVqEv
ts+951wB7vHCho64jlt7HCTpJdkEkaPCject9p4kHZ97A3PhGsN+MUHVNWWX
eO+VpDBrVbyBV+bJvFrixqUYPm97GAyjkVTXrEa1yKHAMg8DwfIQOlJ9JxvE
hu21Z+wNYKcJL09TuqPq1zR+Huvl9h5vWnhK4ocbD7afEiYoiOXtt4K5SJx9
cG0ysJ+K0i9AioP86mOLPzTldXcETDcjVnnnzUI9ZDoNzRyPxW4DjBqExT8l
Bsf5xDiHvy9xDo6srRttkxfE6Icdw9ZXjTiHrDuOV5gz6mOQ4raKC/E5b1hI
jV7wSOezTzrEHpdcBs0TiEC6fCMpFVHegxlrFRphiwBGc4pWcHYeOZE+bmnB
EnTuixAq8f57h6ToifANya7xkToqMFSfPtqOnITTSnYOdcArHDyZrnldTJzY
SEvNT3YCkKVLlW6EMpjtLUgfMjJhAc65ozAMshx0/VvYCHJldMWOB2dsFzeS
5szuBHkn4LbijCsqphvKKeQqCeNqw28jYkqLgvta2ZnYil8YysuJCmcDRuuq
7ud1I8gfZIoHfjM6ht7K98PWLTt1Tyc+afFuo3ewLBJaIYeC5oKwy1vx3rcj
04E5g9A3A+Q30YETdRRDptXT1fITjknGDpEgjiLF6Zq8scX1kMQ17/I+/IOE
5oOEWrqsfqnCGS3/DGHSx6NTPhv1EEGG8CC27ZkpTjvlLQQR/2moRUtqQegb
c3ka6rNc5VoEbbdyVsqRTpmd1swhefmiHqJ5ihL24V23YPK+6j71Q7q5JHPK
aPkPgyoJ8vWlXQzDDNegfgjXmebKZgHtCEFRua1mP8R6rYQm/CI/teowdK3y
8mtsaj2LqnQ5TcC5Lx9waqpBxRv3Z6lAsrUmAmOfh8Rtv9C4CpeL8XMz7KUp
I3TOF2EehLvSThaBVPM9YrYDW/SY2KELkphqGm9cOmXWuzOANUgEmLkpODJ2
ESTeuSrjo4OjEQ47wpwf6gcLKzNrX+8tW5BVK0+JVuh7OcTVoa4kvV6tN22y
LcGfGILyHiPC+4obNfSUMAmmuTi7zwHhqDKe1U1OZRLUq2I8+F7aLCsRa+aj
FptwmjiFlrT02CezuuC0X0mHXkXWEcpKEolUWBEeM+SxKh80FgzoeO0CcLVa
YMEEBjVlbpdmFUMmqbKKgm1cj8gFOzxinJOvSeJtcbVso1ycmVnmsKuGUyrZ
dj0k9zxunrqonHGN64DrE/urYcXPL4JyjcE+S1234wTtKK+TSVNNyLRmlrDt
oUWzYV40xwi0fwPFaukIfP+AUeE2CKTZjhBHAeaF5exVyqJj7UgQX0OgQDxh
Tv7FMmgBFAjMe42vQIKEaQ69eWuRIHV2Dc/0qSbPRhF/grAYvEKjqdVF5b8P
NID6RGneEaYxDyZTQJu9xhYKh93+4ebJJbd8dimFchT47hYzRBaiXZUQD5Gv
6ovaiZLjyiRJPXxHOs28Xt+yJqOtX+R9kiolNoW7ZakRtUnjBgrJ2YQmL2Z7
NBHGTxErsHXk4QVsA5HjQPJasedYXhrp4O4lF29T2CqJD2mMIxsBRkHs0GmI
XCcuCUEKeQrYE722za3aJ0y5VSqsgIUgd6ZW5qbRrsZU7CTcacDxb2y+5gDi
1IqgQXCoqyfaUKcJcE/IVpGt2wyYuvVYTkp1tUagchjUtvco+DdweVQiauhL
6fMrb8wlS8d7g4DZUg9lka514wQj6qO+oAv7TNKAOsQfsh2YZyf78AGf9HNh
6Bbxln6dKneDU8KKBhBNbTY5f3l46J578uPzF9mTH188w/97IkiOcxcux6eR
F6nDZbIqbARVi1FbmRZvTgE23ApF8Whu1yxV3rx9PQJgrLhobRyBaMHSmFQ7
aoRCrb5w4qC/GrX/hSGv6OSirOMkI6c0ly1mnTYowHAd0jrXN1fu1g2HRS49
1faIiJODyb6WtruiWKI/U12RmFnI8rGOgT2r5AmF90auxyL/pmjJ5VGUkCVj
ht7UB9ovOBgTQ5dMvLirDJJz3tx618NNnZbQWb0Mgixv1VX6El9FZ+l1SuCi
sOrYdw3q0ZWclMcSQGZHeKjcinP7014vJAuCTmZLF4BhFjSyk276acsBOQ6c
VM//s05pcqBZOxqeIiBcHsa7bw4vzqcsA8JszaBAG/t0hZ0ywj4OQX+DnJU/
hql6nLa0OS8qyizaMog2iLpzCDh2zk4ie96KbFN1OADUDL+n/fmSHUANly8d
1jV5vE2SVVTpluypTsrLll4Pd4C1P7MlaN3RaVIRwkb7PiuQ7oYRqBsrbiIw
Ovxzwgm0vT5g7LKYFSq7STnRQEeX66RdbzwKft5te/OJr5A4djrPtyB5TzYi
9p3WMhjsu8491pVUqjVwPPkLuTVD34BbbKcU4a66C6TyJDKUd5r8jDU1HNO/
MEMu1M+4u6W/RYFUKX+VwrZExKCdPmGcO0ifxbS9nMWtXj1NqulNwELsVCr1
VND3jqypXLSDtMv+R5bKe72vx81Im04bKWnnJu5/7BtRk84X3pziDzlu4uRK
gmh8Ny7iysxIacMikLTYtMlbTg/t3USYgK8GHb2GxPCcO4JxKTHsVX2LqrxY
0wR9nhXgEJ1dgbqXIDMpqfdoGdII/ZRmjlJlPlhw6HxJOnb1ePRySX2DnXCF
PpjZ0q45AChDMA+7BnKDNJErsXOGLJw87MMlbNC14tp2ng4C3HgybM0Vgjsw
KYiGti8ZT40UVTZdgkzDps4XuIJRoK257WE5+t3NzFjf1MrL8BSBo6yNaMBB
jsMgy4I0B/jUoVmtZkNF5CcK4XszOUqKoNc7v0ryA/z0M/7+n0ig/zX4mdXt
iR4xHxylcTLUbAy2/v09dE/4CXUdHe5/YqNH+7tfwjGPbhq8S2Hht6J86atH
XXhcsCTvWFzh4pHcddCobRAilTaMJtYVe8/Fw9Idj3W/Hp+qd5djwXijDTYi
N/il5IomvIE1Uc8epEegeMWwVXkmPRq3+eHD2uWcw1/UfbCvIjJt0xt4gYMQ
N8JnC2vw44WQ6XPus8OYm15/FKsMB+7G832ud0udiPGgXEt2x1VYZsaMm6rB
+gColqMO6ju8q1AVHuKjHWF8jbSItA1oNLPv3OhcwoSCriYE5zhht9RLEujS
k1TvPLWDu/tX5d5jLi2jNCP9ds3rMdpMXqujgqrM3rJfkcysumI2IkpViczg
eEGpKEfBlOl8bAemngY9fWXH21rz9MwBJo/v5863740H34AAEW2p8YOR5S4O
QWYV4keQD1FtCT83IphiakdTkF9B/Cj4wDr/60bHE25rqs2KmGSS7Lz7lLha
XAS2+5n7spsAuvsseUNrrnaf+7eE8e6+cF8xXu/+1n0hmYq7n7tvwiSe3S/o
693fvnjx7MWjwc/ZcWlfFe8No+cF7P33g4E0O8BtdX6W7b9r6dEsBsqXf/7q
9+mYv2eOjib10f4wNhr0BsZcbBoy5RbsaWSJEtQiEKJjt0YfXvf6NAYTY7NP
4v6F0Usq/EDsGHJnT9lp0ZpBbQ/dy73LsazbyAVBXPtUecZHKQjBzWRAkv/s
Hlu+2XeiFGHJqhvHByS1Z1S6prT/WNyrILRAesm6s/J7Fit5Hta3uJ3VdYsp
G2uX6RTkXmh7ONGXMDoxV3j7zLVgk/+sxmPESGaAacQx6LoWsGhauSqFahIx
bIJ3r0y884WQhnLVqNwuRK3gQk9vJ8Z1Xl1vjQbh4rwTN8Cpu90Wr2VDv15h
yoX9qCUlhIUVQYwKsqg4cL02EoxT8yqu9Z5rN35EFUpD6W8XN6myAkvUVq55
EJsSFKLorJMRkEhRbjN1B8OWBTwg4Zkq7Q+rtwWL348F0DZGlcwr0kqaEWXn
sNSNzZBPspx5E9ZH4kbv4To8Xj/nET9XznajaweinRA0b0Y7hfQk6ww+BJhP
JPFBFZKkn4zPygqrSikK0q3T/NAJGeIQ3woxR0V1foS0rLu3o0owTNAzKR2k
cKXTPXXT/YtzyXF9m/MJHlvTpLYM6wuyRp1LpOI5JFo5dPeSxvWDQ7+drqaw
bVOaMOccbfGUrjZxC6Q6WaTbjkTrydRt4W3vfih20mSc3z3tSNLX04e60YS8
/uPmScTB1k3JV9gdcKTxxbtO7pccEN95K9CqL0mnFDdGNO+vANagS57b66dV
sXVtbPsKppmRYTCypOvTgzzrcCSrmiD34+J8ErYnpHGhdESMdKJBLy+IbmMS
the/HfYZkUJh/FrLOl2WPSWhuNssgpTMQYd/eDBxWwYcI87hjNyh0mKuq7JQ
f0nqfa1WHGtVaqTf381NV9eHWBFoOikePq0rCj59TH+6YJ/se+QgIDPMEVW6
di9Xw9dsvLN33PgPOwKSyoGjTqs65jmhb6PP/vWQ23oLTlF1rg2yDoCONaQ0
EPUQjHtyuGTUqAVq90qOyGKXIBejBqL+th6rujSl7o9YWFKk0M3v3tZUSd03
3aTuwgaOAKmnyTZVqXcXORVRE0kwqQTXMIglSrqL4H4Al8eNqUI9Nz35s3Yd
BO466xBPdBnx4/FVbj19Ua6pD/UdNw/0XXbkKT29nSi8Zc1xAZ+UGGSQ6g11
4ZVbGGLF7tTdW43YDzkv1nQFVVSDxE1ng54oU6I4zEOfahzUtWcPO5rQHVXs
eedT9M3N/AXPuY14qb/0PWibEPe2uLfFSNoXp6fNh64m7q0WXzvtXDouPyZa
FJkWaAVSYwkELVbjWxddYAOE28zDFiz2Y8TLhxaSI6gw7zSB6OkSEChuYlO6
qLa2SkkT1LZ0h3IsIxQn2DhWIRIHhHou4n5Yxzff2LOv15t3eSorow7vNJSz
0Pnt0BaXVp7JDXL8IPyEOXGk60TBGrtVpxn7hl+up4dmGuS9HnJplhw0Ug0a
dvjEYKGF/pZ7PbPSocj2rca2vAbao1gOO7NjE2IuCUkQi+M2klHePWH3HEV1
4gj+806yB6cwWclQFd4dwAQxHcuzxVT1ZKbYpHhMcRKHWN0EyHui9gLEYGZH
pB0DX7w695zctsMCDcVF5qX7vfht4nhRX0C90zrZiVPXWSYNvaVR8WEckItj
/9Z1oIsUXclhlCqy9IqLcKwRB8UpKrsygGUkoOBYvL/s9dF3eopRX8ZCaYSY
gs8wVvZNpu5jh11xm92U9KnYLqwgemjpkBs/xcl2ua1Z92plFgXfjaV94TpY
e7Ht7bBcCOZGtPUZpe5gNH5S3koua7cWqJMM7eF53IGmB16gL6ttou3kajUg
I3Ea1ZvFBYjYnXFLcasfy9WZJntksUNDaMZtTdnlmA4fWpcPzBHf0lTs7uTw
fgygK6zndCMmJtb1c6aMujH9wKwOz6M33dgdSuJ5O6CRKEAR3P0dN30fTPCK
b+RplK7srwzlvETXbm4IKBvkdq29Gk3qo78bCi/Zoecpzy18x/XQ4vRFypYI
MhdJi3CbxXwTS+AbxM7XLXsNvIxbNyu5J4lezjyUrqxTnviypipWuYVMEn/1
x3n0Y3iBUiCBON8q0Je98nucXtkYXpJNFaPj+KbzZXG1LDHDVnRQa9H2p176
LtlV7xLmvN3OhUnbr4FIb+5DcWMtklJQf1EHJYFuKIAuqC2mxLsBro04GJJL
G5KkV4obbMsWs3HBiKRtyyMFruWaRQArq3p3EDzF/cnj9Yrdt0QrG9su61WN
rlyIKqu0XsR9S1KYZpECNJgYdoB6Ulmwpbn14kpEzVIuVL+v1TjA2a934Qsn
HLlQ8VvbYnpuMxK9Au9BSR1V9j0+uawrQ2puP5vkq8ABvpLTx04MvlM1Ry8X
bh2tc9iC3qascQxZg1zvnFx4gTdQhNeeqOnvb9mcnCc+A77GyOU+9fSoCC82
6bnyI+A1cM4IaHcjQ3QRiL6G2aYarUODEt/wY9CBklNpjnez6j0jd98kMuze
I9K5NWUb6jPW6cU0ksxKPmZ0A9RAvOslHpEvRhOcaG9dmE5NBoSlOrilikRu
hYou3UzrzbScyvWlDEt986TQly/e5dVyTgvz6P77VxuDcdUh1b3NAHFo2507
Bl19W3iToI87oaEXIoGUR7lL1VVYE1ws3R6WqDrii9vW5cI1dEjqknDFgvh6
rUd+XRcLXaTeykbPiUXd0T1KvhIW1Jg59RKkLf5A+T5yh0n//SUYw+reU9LV
zS9ctiTbE8GFJKAc53Qfa6CyDIU9Fr7yKdTg1WThvgx8PaHYynInthYsda4W
IRqQfpeAnaOtV420S83RmZ4f/fTzNDPVtSnxDpqZaW+wDItSddDtEziIxHiq
tzerd2XWyTE6DZc4KrJkrLPwfC3KgtXrq7uJWplU53M3Ab7oI0xUw3yYsra+
ivZXZKpFhdywc7Glk1RQZxQRA42yP39Vbi/bd78iwRfsxXuyZBNk6ZbT4lF4
ZhAW4PWlfJLB8osTZS+W2vc4TqqTvhbJXHSKTETCDa6K625rF9BIYOWYVJXf
clf/ptms/SXln9rO7V5q9osWEtzP6XKWNdlONaHRHP4f0ym6VQ8oXQgucZWO
3NOJ3fP1IoBENjnXTXTxoOvJn92QgG8K0DW0xJs795NvJLpsFA+CPap8p2Pc
GnnYW8wjcd24gOWGqoPDUpTQv9NfvhJ25U/jEDlXTfQkCdHxqlN/RE6uuAkt
VVHAjHP2A/MlXHIntm/bwEI0fHGoajKCFxVvxZnw1lZXiaUrQJX0YEuNmW5l
e4laeK2VGzGqD4N1jNwpmpsR9/rnKrCgYh4LyoNK0YUJvtB7SgO1FPtud2vX
YCsapl7m99Tau7nz1pe8Tbb0L+jryiDclhvU+kt4kf1x2OOulgVpuwJiaR6A
pGLwmhVAaEhRQvgkLN6DTQ/vaxkQLG5m/Cl7HQWH5lRukMWG9Ib+a57VAytk
kv3NNLXvceBwmtRev0MgipYuBRn6IDdiBe4E56N7UqXfLyUQA4+bYdqbqNwt
Xd3mWJT9GlP1tYYfjdNFr2+F/JMuoKXtA1wjDolAcZhgXa837I+P+wkkNdky
qQvuqSolWiS6QcGqGUrAcSiDYVMrc07c4AhRJmzwf+DugqC9r52mNrv1wUIX
5zR0EZj42TalyHiuDNK1yh3nNrwaPUwDkJvR41sIg5ZBObZIqpw2JguR8qD7
745h5Q1Y+RWfnxeS2gFDwyx6DyWXlEsMiyVr0LUE5XQt7fuWdeE6ccXN1rWN
je+HTj6fMK1iVlBHpqQnnPJ017jajYmE7WwU7GYTRmzCTu1pw/hhl52zeZrP
m9pazuCQBDkS3V6aOVWP2/bDVgefZIeTN5MeD1FocVX5irIvgfho6zc+gQSr
uUnXZlvVzcCFoNJiMuBBeLn1Im8WKOdYKZIqW7IBpKS5di5JnEuu89NoJLnE
JGGkNwcuc3c4Rc7fC7LOpXGcD4oOe657GvaEbIZ+2PR+JkxBZEOC0OuGW3zQ
ZVdBasrd2zuVoEi6uygqEuUOBz3rXPt/2d0RS604zd7qYvoWwj7IyDMZZx1N
XGI1c7TO40m6lXv+/lkZAHf4PzmVm846mPEXDhw4kZNxUz+0TkDWRDwLBqSl
uijSP7nFgwuwqUReuDYVUo0LduCfcKEBsVnnJ8bIkVW3KFGqC95hgwKwII1P
k/COb0FwvGtUeJEzR+mWkMhh62/xI06mxX7WtG2psUxLubm2ZXaZs81Nt1W9
J1VlJRdHyGUQciuiNjXgYm+8O5ISkdVCZJhLzninmUXhA/lsJ7ttdbxqsu7c
247kMQLdxXTUi5d51ZEo034xOfVBMGluy+b0Xe1f3ZUicr/s13d0MBU5yYtH
Dc7cSMsQ/iEw+jSTQwRyWd8Qy6ir0QxM0PeZKYsrcgGQ43vmLx0mRYtbZiBD
mLPHNrdkxonTbDiYbaRjoXSyYmYmZe6d63mzESbPO2nXWa2wIJULrsZOwx9z
usPHp65tI7oYHXV40VDmpCXOqFgK8Lt0lUSCT4CJNE/d+GIqeYJ4tLv3qlL3
fky46amEMpDvjEqbtkwZXFzFvCa3GSENmkcaLeXppIGKeJdhD5QxifCWHB9c
z4Gu5zWux2rqy20Gts6CnadwlGSrPcZVgGDGQdcNWjOku4xGI3L7Df4/mmet
iJCrAAA=

-->

</rfc>
