<?xml version="1.0" encoding="utf-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 4.0.5) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-oiwa-secure-hybrid-network-03" category="info" submissionType="IETF">
  <front>
    <title abbrev="SHNM Problem statement">Secure hybrid network monitoring - Problem statement</title>

    <author fullname="Yutaka OIWA">
      <organization abbrev="AIST Japan">National Institute of Advanced Industrial Science and Technology (AIST)</organization>
      <address>
        <email>y.oiwa@aist.go.jp</email>
      </address>
    </author>
    <author fullname="Satoru Kanno">
      <organization abbrev="GMO CONNECT">GMO CONNECT Inc.</organization>
      <address>
        <email>kanno@gmo-connect.jp</email>
      </address>
    </author>
    <author fullname="Yumi Sakemi">
      <organization abbrev="GMO CONNECT">GMO CONNECT Inc.</organization>
      <address>
        <email>sakemi-yumi@gmo-connect.jp</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>General</area>
    
    <keyword>Internet-Draft</keyword> <keyword>Hybrid cloud</keyword> <keyword>Multi-cloud</keyword> <keyword>Security monitoring</keyword> <keyword>Telemetry</keyword>

    <abstract>


<?line 58?>
<t>This document presents a problem statement and gap analysis for ensuring and monitoring the security status of networks operating in complex environments, such as hybrid and multi-cloud systems. It identifies a missing capability: verifying the path and security properties of communications across multiple administrative domains while preserving each provider's confidentiality and local policy boundaries. The document also outlines, non-normatively, potential solution directions.</t>



    </abstract>



  </front>

  <middle>


<?line 61?>

<section anchor="introduction"><name>Introduction</name>

<t>Virtualized resources such as cloud computing infrastructure are increasingly replacing traditional network and computing environments such as local servers and on-premises clusters. In such infrastructure, the details of physical resources -- servers, local networks, routers, and so on -- are hidden from users in exchange for flexibility, service redundancy, and lower cost. Cryptographic protocols such as TLS and IPsec are typically used to protect communication into and out of these systems against eavesdropping and tampering.</t>

<t>However, there are many use cases where service still depends on the security nature of underlying physical resources, instead of just encrypting the communication:</t>

<t><list style="symbols">
  <t>Traffic analysis on encrypted communication may reveal partial information of the payload;</t>
  <t>Legal or jurisdictional requirements (such as personal data protection) demand that specific properties (such as governing laws, geographic locations, or operators) be checked;</t>
  <t>Denial-of-service and several other attacks may not be prevented by encryption only.</t>
</list></t>

<t>Such high-security applications need a technical means to continuously check the properties and status of the underlying network and its intermediate nodes. In a non-virtualized, self-managed setting, several existing technologies (e.g., NETCONF and path validation) can obtain this status. However, they are not sufficient for the virtualized, multi-stakeholder setting of modern cloud infrastructure.</t>

<t>This document presents a first-stage problem analysis for ensuring and monitoring the security status of networks operating in complex environments such as hybrid and multi-cloud deployments.</t>

<t>This document provides (1) a problem statement and gap analysis, and (2) a non‑normative outline of potential solution directions. 
It does not define protocol requirements. A companion document, the Path Characteristics Service <xref target="I-D.oiwa-path-characteristics-service"></xref>, elaborates one such solution direction in detail.</t>

</section>
<section anchor="background"><name>Background</name>

<section anchor="multi-cloud-and-hybrid-cloud-systems"><name>Multi-cloud and Hybrid Cloud Systems</name>

<t>The concepts of multi-cloud and hybrid cloud are defined in <xref target="ISO-IEC-5140"/>. In short, a multi-cloud system implements a single service using two or more independently operated cloud services. A hybrid cloud system combines two or more computing environments that differ in their operation, security level, or other aspects, at least one of which is typically a public cloud service. Often, subsystems on a privately operated cloud, on-premises, or edge networks are connected to public cloud infrastructure over a network to form a single hybrid cloud system.</t>

<t>A hybrid cloud is generally adopted when the security or other provisions of a public cloud are not sufficient for some part of the data or for a subsystem component (otherwise, a simple public or multi-cloud environment would suffice). At the same time, the benefits of public cloud systems -- scalability, cost, resilience, maintainability, and so on -- are often still desired (otherwise, a simple on-premises deployment would be enough). These mixed and seemingly conflicting requirements make it difficult to ensure and monitor the security of hybrid cloud systems.</t>

</section>
<section anchor="security-implications-of-hybrid-clouds"><name>Security Implications of Hybrid Clouds</name>

<t>Multi-cloud and hybrid cloud systems require internal communications that flow beyond the boundary of a single cloud. In the simplest case, this can be implemented using authenticated TLS or HTTPS over the public Internet. For high-security systems, it is often implemented using dedicated communication channels, such as VPNs, private peering, or even dedicated optical fiber. To maintain the security of the whole system, monitoring the integrity of these dedicated channels is essential.</t>

<t>Furthermore, IP-based software systems depend on many additional components to keep such communication secure, which also widens the attack surface. For example, if a DNS record is tampered with or misconfigured, traffic intended for a secure channel might instead be routed over public channels; a routing misconfiguration can have the same effect. Standardized network telemetry <xref target="RFC9232"></xref> provides building blocks for collecting such operational status, but systematically enumerating these dependencies and assessing their security impact across administrative boundaries remains difficult today.</t>

</section>
</section>
<section anchor="problem-statement"><name>Problem Statement</name>

<t>Several existing technologies address related aspects of this problem.</t>

<t><list style="symbols">
  <t>SAVNET (Source Address Validation in Intra-domain and Inter-domain Networks) <xref target="SAVNET-CHARTER"></xref> develops mechanisms for source address validation, helping detect and discard packets that carry spoofed source addresses.</t>
  <t>SRv6 network programming <xref target="RFC8986"></xref> lets a source encode an intended packet-processing path as a sequence of segments, enabling per-packet steering within SRv6-enabled domains.</t>
  <t>RPKI <xref target="RFC6480"></xref> provides trust anchors and a public-key infrastructure for validating the authorization of route originations in inter-domain routing.</t>
</list></t>

<t>These technologies each address part of the picture, but none provides what hybrid cloud security most needs: a common, privacy-preserving way to verify the path and security properties of a communication across multiple administrative domains -- confirming, for example, the jurisdictions traversed, the operators involved, and the protection applied -- without forcing any provider to disclose its internal topology or violate its local policy boundaries. A privacy-preserving path-characteristics verification service (see <xref target="I-D.oiwa-path-characteristics-service"></xref>) is one solution direction for this gap. The following aspects, in particular, remain insufficiently addressed.</t>

<section anchor="the-nature-of-multiple-operatorsstakeholders"><name>The Nature of Multiple Operators/Stakeholders</name>

<t>Hybrid cloud systems depend on many resources that are not under the control of the application operator. Public clouds (both IaaS and SaaS) are run by external service providers, each with its own operational policies and its own decisions about maintaining or replacing the hardware and software it provides, as long as its service-level agreements (SLAs) are met.</t>

<t>This makes it undesirable to expose information about every intermediate network node to the application operator. First, detailed design and implementation information about the cloud infrastructure is confidential and a competitive asset of the cloud provider. Moreover, a degree of independence between application operators and cloud service providers is important for the cost-effectiveness, maintainability, and security of the cloud services.</t>

</section>
<section anchor="determination-of-the-correct-states"><name>Determination of the "Correct" States</name>

<t>In a small, hand-crafted network, determining whether the current running state is the intended one is relatively straightforward. In a complex multi-cloud system, however, this is very hard or even impossible -- even if one could observe every detail of the running state of the entire global network. Making that determination also requires knowing the design principles and implicit assumptions behind the operation of each constituent network.</t>

</section>
<section anchor="shared-infrastructure-and-information-leakage"><name>Shared Infrastructure and Information Leakage</name>

<t>Cloud infrastructure is deeply shared among many clients. Although some information about the cloud-side operational status is needed to assess the reliability of a client's applications, exposing raw operational parameters to one client may reveal security-critical information about others. Before any cloud-side status is exposed, it must be processed and filtered so that only the information relevant to that specific client is included.</t>

</section>
<section anchor="virtualized-infrastructure"><name>Virtualized Infrastructure</name>

<t>Many cloud resources -- not only compute nodes but also routers, switches, and VPN endpoints -- are virtualized and provisioned through infrastructure-as-code (IaC) systems. Unlike physical routers and switches, identifying a virtual intermediate node on a traffic path reveals nothing about its physical location, physical properties, or security characteristics. (Consider, for example, how little can be inferred from a traceroute or ICMP ping that traverses a virtual private network.)</t>

<t>Where virtual nodes are present, the physical properties of the underlying infrastructure may need to be traced and verified to ensure security and integrity. This requires cooperation from the virtual-resource or cloud providers and integration with their infrastructure management systems.</t>

</section>
<section anchor="risks-beyond-network-layers"><name>Risks Beyond Network Layers</name>

<t>Today, many networks are operated through complex management systems. As a result, any compromise of the IT-side assets of those management systems poses serious risks to the network layer. Such assets include, but are not limited to, software asset management, software vulnerability management, and identity management.</t>

<t>To correctly evaluate the risks to overall network operation, the risks associated with these management systems must also be taken into account.</t>

</section>
</section>
<section anchor="security-risks-in-hybrid-cloud-environments"><name>Security Risks in Hybrid Cloud Environments</name>

<t>Because there is no common, privacy-preserving way to verify the path and security properties of communications across administrative domains, hybrid cloud environments are exposed to the classes of risk below. Each is, at its core, a consequence of insufficient cross-domain visibility and verification:</t>

<section anchor="invisible-attack-vectors"><name>Invisible Attack Vectors</name>

<t>Current hybrid cloud deployments create numerous blind spots where malicious activities can occur undetected:</t>

<t><list style="symbols">
  <t><strong>Traffic Misdirection</strong>: DNS tampering or routing misconfigurations can redirect secure traffic through compromised or unintended paths without detection</t>
  <t><strong>Virtual Infrastructure Exploitation</strong>: Attacks targeting hypervisors or virtual network components remain invisible to traditional network monitoring</t>
  <t><strong>Cross-Tenant Information Leakage</strong>: Shared infrastructure may enable side-channel attacks or resource-based information disclosure between different cloud tenants</t>
</list></t>

</section>
<section anchor="compromised-trust-assumptions"><name>Compromised Trust Assumptions</name>

<t>The multi-stakeholder nature of hybrid clouds breaks traditional security perimeters:</t>

<t><list style="symbols">
  <t><strong>Fragmented Visibility</strong>: No single entity has complete visibility into the security posture, creating gaps that attackers can exploit</t>
  <t><strong>Unclear Responsibility Boundaries</strong>: Security incidents may go undetected when responsibilities are unclear between cloud providers and users</t>
  <t><strong>Unverifiable Provider Dependencies</strong>: Dependencies on multiple cloud providers expand the attack surface, yet there is no common way to verify that each provider continues to meet the security properties an application relies on</t>
</list></t>

</section>
<section anchor="persistent-security-degradation"><name>Persistent Security Degradation</name>

<t>Without proper monitoring capabilities, security posture deteriorates over time:</t>

<t><list style="symbols">
  <t><strong>Configuration Drift</strong>: Gradual misconfigurations accumulate, creating vulnerabilities that remain undetected</t>
  <t><strong>Stale Security Policies</strong>: Security rules become outdated as infrastructure evolves, but changes go unnoticed</t>
  <t><strong>Delayed Incident Response</strong>: Without a way to verify path and security properties on demand, security incidents can remain undetected for extended periods, allowing attackers to establish persistence</t>
</list></t>

</section>
<section anchor="amplified-attack-impact"><name>Amplified Attack Impact</name>

<t>The interconnected nature of hybrid clouds amplifies the impact of successful attacks, and the absence of cross-domain verification makes that impact harder to bound:</t>

<t><list style="symbols">
  <t><strong>Undetected Lateral Movement</strong>: Without cross-domain visibility into path and operator properties, compromised components can serve as stepping stones into other parts of the hybrid infrastructure unnoticed</t>
  <t><strong>Unattributed Propagation</strong>: When responsibility for each path segment cannot be verified, an incident in one provider can propagate to other components of the hybrid system without clear attribution</t>
  <t><strong>Undetected Exfiltration</strong>: Sensitive data may traverse multiple untrusted networks because the path and its security properties cannot be independently verified</t>
</list></t>

<t>Any solution addressing these problems must carefully balance security monitoring requirements with the protection of sensitive infrastructure information and the preservation of multi-stakeholder operational independence.</t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>This document is a problem statement and does not define a protocol; the considerations below apply to the class of monitoring and verification mechanisms it motivates (see <xref target="I-D.oiwa-path-characteristics-service"></xref> for one such mechanism).</t>

<t><list style="symbols">
  <t>Information disclosure: A monitoring or verification capability necessarily handles sensitive operational data. It needs to avoid becoming a new disclosure channel for provider topology, tenant identities, or other confidential details, and is expected to return only the minimum information needed (for example, a conformance result rather than raw state).</t>
  <t>Probing and reconnaissance: An interface that answers questions about path or security properties can be abused to map otherwise-hidden infrastructure. Such a mechanism ought to constrain its responses to a pre-agreed scope and to resist systematic probing.</t>
  <t>False assurance: A positive verification result that is stale, incomplete, or derived from untrustworthy inputs can give operators unwarranted confidence. Carrying provenance and freshness metadata helps consumers judge how far a result can be relied upon.</t>
  <t>Stale telemetry: Underlying telemetry may lag the actual network state. The trustworthiness of any assurance depends on the timeliness of its inputs, which needs to be made explicit.</t>
  <t>Accountability boundaries: In a multi-stakeholder setting, responsibility for each assertion needs to be attributable to a specific operator within its own scope, so that an incorrect or compromised assertion can be localized.</t>
  <t>Over-reliance on opaque provider assertions: When a provider asserts a property without exposing the underlying evidence, consumers depend on that provider's trustworthiness. Representing the degree of verifiability of each assertion explicitly, rather than assuming it, reduces this risk.</t>
</list></t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document has no IANA actions.</t>

</section>


  </middle>

  <back>




    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC6480">
  <front>
    <title>An Infrastructure to Support Secure Internet Routing</title>
    <author fullname="M. Lepinski" initials="M." surname="Lepinski"/>
    <author fullname="S. Kent" initials="S." surname="Kent"/>
    <date month="February" year="2012"/>
    <abstract>
      <t>This document describes an architecture for an infrastructure to support improved security of Internet routing. The foundation of this architecture is a Resource Public Key Infrastructure (RPKI) that represents the allocation hierarchy of IP address space and Autonomous System (AS) numbers; and a distributed repository system for storing and disseminating the data objects that comprise the RPKI, as well as other signed objects necessary for improved routing security. As an initial application of this architecture, the document describes how a legitimate holder of IP address space can explicitly and verifiably authorize one or more ASes to originate routes to that address space. Such verifiable authorizations could be used, for example, to more securely construct BGP route filters. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6480"/>
  <seriesInfo name="DOI" value="10.17487/RFC6480"/>
</reference>
<reference anchor="RFC9232">
  <front>
    <title>Network Telemetry Framework</title>
    <author fullname="H. Song" initials="H." surname="Song"/>
    <author fullname="F. Qin" initials="F." surname="Qin"/>
    <author fullname="P. Martinez-Julia" initials="P." surname="Martinez-Julia"/>
    <author fullname="L. Ciavaglia" initials="L." surname="Ciavaglia"/>
    <author fullname="A. Wang" initials="A." surname="Wang"/>
    <date month="May" year="2022"/>
    <abstract>
      <t>Network telemetry is a technology for gaining network insight and facilitating efficient and automated network management. It encompasses various techniques for remote data generation, collection, correlation, and consumption. This document describes an architectural framework for network telemetry, motivated by challenges that are encountered as part of the operation of networks and by the requirements that ensue. This document clarifies the terminology and classifies the modules and components of a network telemetry system from different perspectives. The framework and taxonomy help to set a common ground for the collection of related work and provide guidance for related technique and standard developments.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9232"/>
  <seriesInfo name="DOI" value="10.17487/RFC9232"/>
</reference>
<reference anchor="RFC8986">
  <front>
    <title>Segment Routing over IPv6 (SRv6) Network Programming</title>
    <author fullname="C. Filsfils" initials="C." role="editor" surname="Filsfils"/>
    <author fullname="P. Camarillo" initials="P." role="editor" surname="Camarillo"/>
    <author fullname="J. Leddy" initials="J." surname="Leddy"/>
    <author fullname="D. Voyer" initials="D." surname="Voyer"/>
    <author fullname="S. Matsushima" initials="S." surname="Matsushima"/>
    <author fullname="Z. Li" initials="Z." surname="Li"/>
    <date month="February" year="2021"/>
    <abstract>
      <t>The Segment Routing over IPv6 (SRv6) Network Programming framework enables a network operator or an application to specify a packet processing program by encoding a sequence of instructions in the IPv6 packet header.</t>
      <t>Each instruction is implemented on one or several nodes in the network and identified by an SRv6 Segment Identifier in the packet.</t>
      <t>This document defines the SRv6 Network Programming concept and specifies the base set of SRv6 behaviors that enables the creation of interoperable overlays with underlay optimization.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8986"/>
  <seriesInfo name="DOI" value="10.17487/RFC8986"/>
</reference>

<reference anchor="I-D.oiwa-path-characteristics-service">
   <front>
      <title>Secure Hybrid Network Monitoring - Path Characteristics Service</title>
      <author fullname="Yutaka Oiwa" initials="Y." surname="Oiwa">
         <organization>National Institute of Advanced Industrial Science and Technology (AIST)</organization>
      </author>
      <author fullname="Satoru Kanno" initials="S." surname="Kanno">
         <organization>GMO CONNECT Inc.</organization>
      </author>
      <author fullname="Yumi Sakemi" initials="Y." surname="Sakemi">
         <organization>GMO CONNECT Inc.</organization>
      </author>
      <date day="7" month="October" year="2025"/>
      <abstract>
	 <t>   &quot;Secure hybrid network monitoring - Problem statement&quot; identifies
   challenges in securing and monitoring networks deployed across hybrid
   and mixed cloud environments.  This document introduces the Path
   Characteristics Service (PCS), a framework that enables applications
   and operators to obtain and evaluate verifiable information about the
   characteristics of the network paths they use.  It outlines a non-
   normative architecture and interfaces for PCS and explains how PCS
   can help address the identified challenges; it does not define
   protocol requirements.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-oiwa-path-characteristics-service-00"/>
   
</reference>

<reference anchor="ISO-IEC-5140" >
  <front>
    <title>Information technology - Cloud computing - Multi-cloud and hybrid cloud vocabulary</title>
    <author >
      <organization>ISO/IEC</organization>
    </author>
    <date year="2024"/>
  </front>
  <seriesInfo name="ISO/IEC" value="5140:2024"/>
</reference>
<reference anchor="SAVNET-CHARTER" target="https://datatracker.ietf.org/wg/savnet/about/">
  <front>
    <title>Source Address Validation in Intra-domain and Inter-domain Networks (SAVNET) Charter</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>


    </references>



<?line 187?>

<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>This work is based on results obtained from a project JPNP23013 commissioned by the New Energy and Industrial Technology Development Organization (NEDO).</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA71b7W4bR5b9z6coOD9GCti0x8lmEwULjCLJsWZsWbAUB4Mg
WBS7i2RFzS5OVzdpThBgX2FfcZ9kz723qrqaojxZINgfQSyyu+rW/Tz33GJR
FJPSVbZZnqm+WxRfTzrb1eZMPbszZd8atdrPW1upxnQ71z6otWts51o8rwp1
27p5bdbKd7oza9N0zyZ6Pm/Nll5/ffP22AMl/rV07f5M2WbhJnbTnqmu7X33
8sWLb168nFSubPQaAlStXnSFsztdeBalEFGKIErx4ouJ7+dr6711Tbff4J3r
q/tXkwo7nKmXL15+Vbz49+LFVxPdGn2mvjeNaXU9eTB7vF6dqYnCEa6bzrRY
sbik7fij13LisnZ9xR+87evOFsPfrBnb7TNl8Of3Bmc1Xbuf4LxN9Z+6dg0k
2Rs/mei+W7n2jJ7Df0ot+rqWc/697/SDVu+ufzznb1y71I39p+5wqjN1w//X
NQT1sEzfGeUW6rza6qY0FT6toLrW4oG70hp8prAzJClXjavdcq9Ozq/v7k/T
ysE89KH6q97ohr8xa21rSDojdf9FW9/Nlm72y+aIuHcaJ+7V33TTuCPyfv/2
nbp4d3NzdXEP4crZ4cbZ9/nOD7TcX5ZrV5SuaUzZHd/87/3aQoIHs7Z/3N6e
1yv2WPtQgknj2jVW35qzyYT8Nf2l1PtXF199+fWL8M9vXn7xMvzz62++/or+
eV1csj6Lje5WRbnSrS7hbFCuLT18ut3aktbFk3fviuuri+Lf/vwlr6dUDMLr
uKdrVDcYtVAX5I2qdOtN30kwZl7KPrDK3FhtXannfa3b/TNef3DHoKMzEuI5
hOCPUgh9yX9CVms8nT++ER4+UywyP4hv7s4/3FzdFxevz9/fX70fn+TO9S28
87yqWuO9+qBrW8m5bENR2OqicjBIw8JzWMYPbiTgvTqRDU7VBZSJB+QsnW6X
psMWq67b+LPnz7Guxnrlg2ln1nSLGc73fLd87vUWkf5cz13fPZd3J5NJURRK
zz290E3uV9YrpKCekpXaQFT83yuNfx5kMhZzqTf4v673Hq/BUso0vufkSN9m
ubJbGeVj2qA1ek9x3MSTuQ1yExsS5yWr1uYjFtva1jW0m58q35crpX20K2+Q
mdzvPQTzM3XdKVvhFbuAzSA5J0gsXCLa57aGAGdqC4Mu9lEw8k9eL0mI00Kg
jhaAlJBn3Te2ZHNhybJ1sCBvDjmVrta2saRACg0lRvNqt7L4klUIT8dWRuMA
WHkL8do/eSzbLERSTVKxBDX8tFYbV9tyr2CnptLkejN1vzKDXXTtnYIRa9sY
aKZxTZECtd5P8X4nyyrv6p6drLItYprkn4nJ17aqajOZfMbO56qev51MPti2
6yHQP5FdITt7rU/KLw/CDjHRahwdb1OxRKXBRyXqDam83mOFTa1LVnSrKxty
eSymdOJhrdzcaUNRCKnQtJ5fwGGhVFjVkDjI/vgCVm/klbFAU7ZvZTokOjbl
ZgVXpRWHo0EXYflp2C165VS1UDJ/wd4BnTf0OJ1yBfWZRi1at1a9J9nguOYj
slyzNBwKC7iwFYebqpDtsG1FNm3K/TTYe2da6AAFR120+03nlq3erGxJjtK5
0tWDKu7f3EluuIWfshAo+nQY6BkiVKpz/BbsPHZZiIavWHd9R1qAUryJEaP0
kvy1g39uja/g+ZsYwJ1eIwzwF3zmNSSFklijwdJr3fDOCC0yxo6/iCdFlq9r
qH5jmsqT4kYpoNHsL5AF6jBtzbH42DhTRZIZXdGTv/QkJLwLaoqhOzonaglA
CHDMAvpLaQlbh5dMdaCXtSYP3RoKOSRUChibFRzRFL7a105X32LxN2aJZ2Dc
X3AMX9kyOHRr/tEjwMR1T6LBoDvPX1NCjqbBC6dQy5r1u9Kd8htT2oVYPCad
tMTSQecNnbbWO6hjaZKDkK9yQE9JIEmgrvWnag61rAyyP4t8aRqcq3CLWHFD
ptsSGFSOrKl016FaeNZH4zpaYUN6aUhl831SOumkqffwhjuSb2WXqyKZVG82
dcqRjcGbWko2m3RtND6GGyLrwXq96z3cluUUJQ+HZ/lSiaAvMx/JU4ftKOoQ
oGtTWZQlyF4ZyQWak+J2yGUUgvWigNr10tD5O/KhaVIEYtWLV0WUwXYws+Vs
qlBzgZte8aZcLLapep/C+aGVeUeFuqPqKaLPVB4we44XUq3vyTstZXFKEnS6
kZRS0rDGg1m5GseOopIu1jhf24QkPM50sMmTtXthW9/RmkuT6vj/T9X+V0Ub
6aF2e350ph6fgEslrPDn09+FQCSlnrw8FfP/z3/9d6qKsVpyDfhkdVQTAIjK
YVsyV2UW9FZMxqNAn6lzPjQQOC0RxJaSc0tecjGGvOibJAB/+l3I+OepMjWw
GjRMMARSsDIfy0zKlxIHJ0A9/w6xvGwJO+Cvzx7h4tDeCYC+kxpAqqdkiv5p
07GN159C0+TMohlyQ/XrrzmA/+03qcbA11CGPgLSlCVPWQfvZKQw1I2ewRoc
jLLa2jGgkCqC55EyxOdMFCW8xsYYyRi2goHmhJJGKz6BOTgdV3axQNRxNBsb
EyvUPB1CoUZg15J2JX9SDieMivdrYJ+OzQUtAgMSJvFZpYYj93MkyrH8M/Vu
Aa8klDuPddk17PV2i+M+Ovg0x0EsiqkQ3ik0NR+TG7mADPJdD2AbFRmKmZBb
8TQVwcE2RxQLVztQOE65FIqBTlk5rrfABAeVPymNw9tztYCmDtTyRLr0bm24
VMfKwJWVwJajAyTlsYVhA7x2wrvtoKYpH4hcL+5F/pB5Z+YMauf6ugrbm1N4
VyfHQBuOlm4dkOUcB15YiZixWYMNCVzC7jriQEJ6U8I3+JvYCiR8FA4qHumR
R1DTkWckPOUR9tXxU+XIeMis4Sio6aZx/XJ1ys0EUNvafjRVQAN4i/E69SQ1
wRrExgjUrFGQUHA5PGwJpZGXcN0wedU4sPXimOtQB4K8lFik63UGHPBKnqCQ
mT7Z10c9B1kFDhDkOujZOLQXQNvQw94x9DKxv9qL/wVf53U5g/FRWLMIaIK4
UynwVPChzZTEoERJWkQqUGUpOUwJrkMhr+/vb+8kwhjniJdE2m2mXuGZMZAK
Z5qSugm/svkf71YB9MhOY1BLLUhj6qxj/nB7g79CJgEqZUgvOQMYL1sIMctg
bWHnpoWbuOSdj+xKf++AUGIbMT3EDWSJZfa0N7nEQUY6n/FeyjHc4lXfkl9T
kp6izynmmvoaDxXsKBKitaUeKEbwDSWb1FmmuGes+WDMRrQwVpHwqdOQnrmb
3lEn7llyQcN4r11oysxkIfNRkwFgE3KVy5s7eFzpWs560iVRsrMo+pRTrOfe
folNkKi70JGQRlDFqpishF8OqsBLy1WX2h34F/eelXhOzC1Bbd/idfqadJ1t
FuwP91yhlRvylUFFK+Fqd8TK6rbi3j4l+0jaqp8CjffzgLzmva2JG1dzdBsP
AhYBg2ojGYJVmwokASrGiFO81wVj6S7UPdMAHgW0GN1BqnoZQb+GJwhXI6U3
+RucHwApEi8HfMvAksAmQr3kSarS1K98lqj4uwgf0cR8EvvrwNS1QGFkiFDk
xZ1h9oBHiU4JxJ86+QNIvlP105hG/BmKAtxwGyRhQx5g/dqHasi7RUGHpmSq
VqbeSJJgOoB2q+AoMD7KJ1rDiHbwCSzvN84tONDyBY2Xs73ffpW8BYdG/7mm
asH+Qlzvz8A8guTkdVgUfQr2HDxe9kR1cmWwsHBu/BZSNxP3UKw3y8D2GRTE
mh+EiuR1eJekLg40qIwkK/hBbBFoNxb5/e3frlk8Iqgzd+Y5CwQrgU2Dy4XQ
Kh7Qox2gIlJx1GlIakIbB8KdBOYgRczbJSq4lBor506GDYHKDRq5/cjJmBOM
BsyBDeCiEFgUSo2THkROsSPDjavgMJDB+aj39mc4GiU9cgbO/OW+yLjIHTp9
JEjhQX8XCaoPcujvZEGBYTg9tWuuOYs8l9K2OZFCBtJExHHWxJeJ1IBGt67e
0uc6FO+BThHmAS6AvcgziOTCPqU0tPtEudKBKQhq583AHVDa6txG5gpkceso
3vmBJ9nY82M6PdbMiYaHuiM9zgkA1+/tAk8ZA1D397jxEwaBgLfeCEW8QHJ2
Oz557EnggkxulTT+mIYcSYUmQWvG6xLylWAzWuomUXRvo43fRXs8vxsICkC0
18cg2UGRHghXTjwR4DO1E6g84qHrGAAZnZT8YKZuM5Dt1ckcMFhday3E6B3+
ccort33DvNXHYOCo+OgKlGAo8rhiM37fNaNCxjaPdSk+UJkyNCw8QkngiNmZ
Nue6IT/MWTFoETwfEIwdaI2p0NtsKt4iCFlwd6n0sjWRULx7c+7lYKjUkekh
RE4vsgrRFVAaZFD+ccMOnhGZIi5Vu/0BYRbSOhFn9O7Tin9FHNI08AyUbrHl
UspYgqax0h1uzNY91nfa8RAkZGTCcKaznEYIEqScKGtEG87UW8BExxSbhjyk
L3pyoAtKatC6nTHN0UOJcUdt+OAgJBsO5lpgpoGqo/atEDgF6RpEzFMN3AFU
PiArOMguDVki1I344LML11J4PxOgguBiNtOvAaJQ1rF2UdKkfkBwbBReiBP7
ynB3zZv2WArSIxr4O2bOGLEGfM61mXKLDTCH50eKkjihUZwaTlsFQjXye4/5
HMg1cJ2WVceuRiGQugxSJko/OSnytHy04M1L7k/dnKcwwUvFz6JSxgcIH5LP
wIeWtZsPMxs4hX6QECQuZ6RhxvmhUfTqoZE8KQMidmbkdIBR6veSXyMJdOSE
/XojFWpugDyqrDoF23E6gTPzJQVSehRIel2ogm8rjKdljAGHaHlj9INemsnk
4olgqdDPkH1kNb2m5MHJtSQ2gRnJmurfciVMySdCsfBw8yPYnbYhACGkkSBy
sYGpbXDxAAd4zz/5EfE/lfTD9IHejVMq6tuaDMKtGRueV8inMDFs4ONWWtHH
R2DmA0f9ziwcK3Gfn2g4heTBitvoNeE+nmowAA20x8LWHTdu3om/0HAjBMew
Kw5utpQEOncwsAnyk8c3Zd1XsXrmI9SxySeTt0ne8QiSaiFvL9xkmGUw+hO/
jZNIj5pVrkwgu9HaIxCqjbNUKAJhlA0UZGQRmTYy6qpl/xg7V6F9waD95Fpf
nA6z9B+a2j6YbDAnUkiKS4KEcTvPZ3Tc/fFkRgjN2A0z3hSzM9W+4rfZwlQM
05ZxzDUdPhqAKZMYKdceQKiZOrmAS1I6PwCeSFcKjtwR3RPInGZhWnIFHuiy
lKWJ4F5dX7y9VZuUViJK9dlpI7sSw/50MvmR56HxAbEnmSdMZgTiHjnUkanX
QSrgOZ2REIXwLKyYWuCmfBPYuWFARzktsjIEF60f0mHphnTGOsgmU0X0VNLF
uAj7bFV5mSGV9O+PpKbZG1OSIyLwvfUPHuHMvFxog9UbvWdoeU8N/FSy3Ijc
TnR49OhUnx5vo87JVDgFStdUMgYeximtT+Xk+l4SCCOOYAPCUY+XU5RXGK5Z
h1TTsvgBPEVAVZP4M3UnDByvGHKEdHQR/tZ2bYWgnw4gUUDPsHH21baviWIP
eTh/hO3AgTj6gtAiDV0ZVBANg462J0flnB5Fd0yEDBczsqHH8BzEcqVlnUcj
H9cPZ1vOWuScgKnxBkKJUs8iTTL6V8yPlmQ0mLrKBjOTyXem1HTRQO4eUIly
f2x3e/yKz/GedjpuvkcjJLJRKDzRJcqaqyizBTgqdIIObaauNE+GeGZECa9k
zlMzhsgYkbxPUyxV5BUopQc/GCI/XYT4jO718CNIcufCaH6ACzgKqosADEfn
yGaxim7wUDIjyo58nKiYimiiLl7zAB6FUPSdJixsWZE8Ci+hYM5dHc+e+FLG
55/HaxlvqdsP/evnn58xlZqumXAX9QSvKasjRfPbkT2N1SRPAhLXjDxh0oGC
6lY+8QMiHV14IuFCwT7EZ1cfoRErbQ3Jeh6uSciFOxJytd+Qy3lqJpg7CLk+
hFHGRqe2O9qEvOPIlajsSi1JdsEWvzcNAZAjWJHECuDySI0QbkxRXisizxzv
enDDKmk90Ow56Ak8CS0UWygZjLIbsr90LJRnV7vI1H7PJNv5gJlluPz4YsNw
Byj3QzgbnO/Bj7QzRC38REBk8KtXrV6GsciHFBCklRsXJzohJ67o+hrXiM7k
wcOpaTTeQPgK98ZhQHZe6k3kLVh9VPjIHY14CEvyA/K70a16bxAnTVr+u0Qb
sa0SpY1OowqTtb1auixiZGja5svYAB36sEe0ybFizLfRgkSSFNgJbiMLdpnR
7hyBOQ1PbE1kew4Xx2Ej+TYekUzV3nRHcvOjPKy78SXIeBnIcBFaG9MdGCK/
FDTq4akbYXHZ/W4hHtI0+WZS8CUhEqHDAcVC2MuC+agq3QplNHnoAtJB2ngH
g4d48L/gexejucslDtmRQr/HvpQFHmcwFMAe6sVimW/lJd1Geiyki8EpeMO7
TsMu6Yi3gaQaOVbbU/86NyU1gDhzFYYXh/nBMKEaZjVybdGLHwKX2DLseGkI
yVAbI+4avZsTT9SqPjD0p4ttE26/ZdoegkFy/MHZA3iPiZwMUlHhTFRniklC
vUgxKFd+xdfv2CtKw15yTv08g+NQD695rCTpibuV4cLEU7lJhzUChyJzKRpc
9CU1los+JdiBqdZzH6v5uIDn1LCweWz7sCqxJ0JaM/McfO6HQStvYFkaX72F
X1IKzE3yFFLgZJfsE5mwUUeVl9CsgJFlhKHRdMfNyC1R3zm6XMPLhmsduu1S
CxOUd+B6Yxf7AbruWjvnaSey1EYvU8X98VEm3IszcBahY4SJEYkXbi7GFmgq
E6jgt7ZR2RCl5eNswmZcjEX67MDjI4R7JRE/SBqOgkcckRnn6iOxC206yR26
MaE0+coKJf3YRg4ZF+CYiufA7XEgR+Q72E3Y4sexNShhfGcqqmQyOUfvkwYJ
gfQfJrJhpBkQfImKQz892au5runnNvmcKSXQ0S2R2Bfk0xke68XDH3JaObuT
BjuM4xOz9hg45KxSzvbORn1F7P11AiH55UL79I8aDi//6XT979s4qMgWFjzP
xWk/gvxyYTPp6RCj58NcYqgQEVuuMv+X4RAHQ7oamFY85Sno9VE8Bxibi0Wo
NZdq+JUEfJBSGqBLvWfiueamN1oyNwK5NP/wgkePTBxuna2kCgkr1JhdDioj
Gl24Np/PyRhuGrBl7Gcj0RNDNJsYhKv9of1ljJJuvLUGPtYMpB71cut+PXK6
QHWejOghbsL4mYav7BNtoHBY4dWpQumd+AwULb8CjBamWyFNoy30hneh6zAM
JpgUAGTjd1Sq0OL5LhsmcXDnbNY4rimo9Txe81/rjUo3wIrwW4SDC8GBfBi8
QlGH1IU72MzxN5xJQn4VEEbObgoePiHplRBBAtPxpTWfX+vg8OHJdqFeod1n
4gJYRw5OEEo8ZeRfQZtS6PiyNN+qaSIyZ0PDGfBiIONCUkQ67FZUwDZ9qEbL
wQ2p/+qbnW6xu9yIEh+h6zsXdMWB57PwM/KrcAV+AVFWNMKhoZrmrEy3Jngk
5anx9eqXnu5UElu4oGwfhQ/mYAwKvA3lkQoEnKXrNGfqh4G/Gy7ZUOKvdbhN
UI66RfYoGeMOJ7YsIRHudNEp6vfwdxUESuv0qMy2SU/xilOKyzk1hhVzFDzb
IMHPhZaJYT/Muc9k8PPklfTpk6WZGI82BVjcOZbLOKnUA5WekEi42hFHruyB
00TQS0UXMovJyAyrDHsG+/D0nkhwOuQ7eGHBMwyGYjQF1AjBIfmk132AHfrw
u1AxKCj3CQikcccBY2u24n/TzJ2GiTgfJvsp2IG9Z4DZgSUeRlRxvhl7ujSK
OdB4NC39ECxPWjzFYjKZb6BWvczirTCYXDuvz2/O/0XdpC4aDR4/qUc/KJsD
9dIi5yWN1mpTyVWeya9nTb+e05zlP54tKE08+y0syl6P/wv9kJKDDz+nGNh4
aOoXsvhfb29uX37x4s9fcIMpP3yWX6iQim5QYq7QSi33YbKWfhqc/Rz4Uu5S
8VneZb+eVSc3V5fvkM//FxzTBgIRPgAA

-->

</rfc>

