<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-shang-campus-agent-scope-down-01" category="info" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Campus Agent Scope-Down">Campus Agent Identification and Scope-Down Access Control</title>
    <seriesInfo name="Internet-Draft" value="draft-shang-campus-agent-scope-down-01"/>
    <author initials="C." surname="Shang" fullname="Chao Shang">
      <organization>Huawei</organization>
      <address>
        <email>chao.shang@huawei.com</email>
      </address>
    </author>
    <author initials="W." surname="Jiang" fullname="Weiyu Jiang">
      <organization>Huawei</organization>
      <address>
        <email>jiangweiyu1@huawei.com</email>
      </address>
    </author>
    <author initials="X." surname="Liang" fullname="Liang Xia">
      <organization>Huawei</organization>
      <address>
        <email>frank.xialiang@huawei.com</email>
      </address>
    </author>
    <author initials="S." surname="Yue" fullname="Shengnan Yue">
      <organization>China Mobile</organization>
      <address>
        <email>yueshengnan@chinamobile.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup/>
    <keyword>AI Agent</keyword>
    <keyword>Scope-Down Authorization</keyword>
    <keyword>Network Enforcement</keyword>
    <keyword>Task Context</keyword>
    <keyword>Least Privilege</keyword>
    <keyword>BNG</keyword>
    <abstract>
      <?line 56?>

<t>AI agents operating in enterprise campus networks execute user-delegated
Tasks by invoking multiple tools and services, often without continuous user
supervision.  Traditional authorization models assume stable applications and
human-driven interactions, creating a mismatch when applied to autonomous
agents that can chain actions across heterogeneous systems.</t>
      <t>Campus environments also contain heterogeneous and legacy services across
diverse protocols, making per-service agent-aware authorization difficult to
deploy consistently.  Similar problems can also appear in residential access
networks where home AI agents, smart-home hubs, and personal devices share a
subscriber line and are connected through a broadband network gateway (BNG).</t>
      <t>This document describes the problem space for campus agent access control and
argues that agents require task-bound privilege reduction ("scope-down") and
that enforcement can be provided by in-path network devices in order to
preserve compatibility with existing systems.  It also describes a home
network and BNG use case where the access provider or home gateway can provide
a coarse but useful network-level boundary for agent traffic.</t>
    </abstract>
  </front>
  <middle>
    <?line 77?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Enterprise campus networks increasingly carry traffic generated by AI agents
acting on behalf of users.  These agents may retrieve internal documents,
query knowledge bases, invoke APIs, and automate workflows across multiple
services.</t>
      <t>Unlike conventional applications, agents may be instantiated per task and
autonomously chain operations based on intermediate results.  Permissions that
are safe for human operation may therefore become unsafe when exercised by an
autonomous actor operating at machine speed.</t>
      <t>Existing standards such as OAuth 2.0 <xref target="RFC6749"/> and JSON Web Tokens
<xref target="RFC7519"/> provide identity and delegation primitives.  However, these
mechanisms alone do not address task-bound privilege reduction or enforcement
in heterogeneous campus environments.</t>
      <t>Deployable campus agent security therefore requires two capabilities:</t>
      <ul spacing="normal">
        <li>
          <t>recognition of agent-generated traffic</t>
        </li>
        <li>
          <t>enforcement of task-bound privilege scope</t>
        </li>
      </ul>
      <t>This document focuses on these capabilities in managed networks.  The primary
example is an enterprise campus network, but the same architectural problem
also appears in home networks when multiple AI agents, smart devices, and
ordinary applications share the same subscriber access and public address.</t>
    </section>
    <section anchor="example-campus-network-architecture">
      <name>Example Campus Network Architecture</name>
      <figure anchor="fig-campus">
        <name>Example campus network architecture</name>
        <artwork type="ascii-art"><![CDATA[
                    +----------------------+
                    |   Private Cloud RS   |
                    +----------^-----------+
                               |
                    +----------------------+
                    |   Public Cloud RS    |
                    +----------^-----------+
                               |
                         +-----+-----+
                         |   Gateway  |
                         +--+------+--+
                            |      |
                            |      +-------------+
                            |                    |
                            v                    v
+------------------------------------+  +----------------------+
|        Campus Network              |  |   Branch Network     |
|                                    |  |                      |
|      +--------------------+        |  |    +-------------+   |
|      |     Core Switch    |        |  |    |   Switch    |   |
|      +----+----------+----+        |  |    +--+---------++   |
|           |          |             |  |       |         |    |
|     +-----+----+  +----+----+      |  |    +--+--+   +--+--+ |
|     | Switch   |  | Switch  |      |  |    | App |   |Agent| |
|     +----+-----+  +----+----+      |  |    +--+--+   +--+--+ |
|          |              |          |  |       |         |    |
|       +--+--+        +--+--+       |  |    +--+--+   +--+--+ |
|       | App |        |Agent|       |  |    |User |   |User | |
|       +--+--+        +--+--+       |  |    +-----+   +-----+ |
|          |              |          |  |                      |
|       +--+--+        +--+--+       |  |                      |
|       |User |        |User |       |  |                      |
|       +-----+        +-----+       |  |                      |
|                                    |  |                      |
|  +--------------+  +-------------+ |  |                      |
|  | Resource Svr |  | IdP / AS    | |  |                      |
|  +--------------+  +-------------+ |  |                      |
+------------------------------------+  +----------------------+
]]></artwork>
      </figure>
    </section>
    <section anchor="home-network-and-bng-use-case">
      <name>Home Network and BNG Use Case</name>
      <t>A residential user may deploy several AI-capable systems in the same home
network, including a voice assistant, a smart-home hub, a personal computer
agent, a mobile-device agent, and automation components embedded in cameras,
televisions, or home appliances.  These agents may all share the same Wi-Fi
network, home gateway, NAT state, IPv6 prefix, and subscriber access line.</t>
      <t>From the perspective of an upstream network, these agents may be difficult to
distinguish because their traffic is aggregated by the home gateway and then
carried over a subscriber session to the broadband network gateway (BNG).  A
BNG normally enforces policy at the granularity of a subscriber line, access
session, IPv4 address, IPv6 prefix, or service profile.  This granularity is
useful for broadband access control, but it is too coarse when different home
agents perform different tasks.</t>
      <t>For example, a home assistant may need to access an approved weather API and a
vendor cloud for device control.  A parental-control agent may need to access
a limited set of policy and reputation services.  A personal productivity
agent may need to access calendar and email services.  These agents should
not automatically inherit the same Internet reachability merely because they
share the same home network and subscriber line.</t>
      <t>The BNG use case is not intended to move all application authorization into
the access network.  Instead, it illustrates a coarse network-level
scope-down boundary that can complement application-layer authorization and
home-gateway controls.  A home gateway or trusted agent runtime may provide
an Agent-ID, task indication, or locally derived policy context to a provider
or home-network enforcement function.  The BNG or a provider-managed
policy-enforcement point can then apply limited reachability constraints such
as allowed destination classes, mandatory security gateway paths, time-bound
access, or blocking of high-risk destinations for selected agent traffic.</t>
      <figure anchor="fig-home-bng">
        <name>Home network agent traffic aggregated at a BNG</name>
        <artwork type="ascii-art"><![CDATA[
 +---------------- Home Network ----------------+
 |                                              |
 |  +--------+   +-----------+   +------------+ |
 |  | Agent  |   | Smart Hub |   | User Apps  | |
 |  +---+----+   +-----+-----+   +------+-----+ |
 |      |              |                |       |
 |      +--------------+----------------+       |
 |                     |                        |
 |              +------+-------+                |
 |              | Home Gateway |                |
 |              +------+-------+                |
 +---------------------|------------------------+
                       |
               Subscriber Session
                       |
              +--------+--------+
              |       BNG       |
              +--------+--------+
                       |
              Provider / Internet
]]></artwork>
      </figure>
      <t>This use case introduces the following requirements:</t>
      <ul spacing="normal">
        <li>
          <t>the access network should not treat all traffic behind the same subscriber
line as having identical agent authorization semantics;</t>
        </li>
        <li>
          <t>the BNG or provider-managed enforcement point should be able to consume a
minimal policy context for selected agent traffic where available;</t>
        </li>
        <li>
          <t>policy should remain bounded by the subscriber's service agreement,
parental-control settings, user consent, and applicable provider policy;</t>
        </li>
        <li>
          <t>task-specific limits should be time bounded and revocable without changing
the subscriber's basic network attachment; and</t>
        </li>
        <li>
          <t>privacy-sensitive task details should not be disclosed to the provider when
coarse destination or service-class constraints are sufficient.</t>
        </li>
      </ul>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in <xref target="RFC2119"/>
and <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown
here.</t>
      <dl>
        <dt>Agent:</dt>
        <dd>
          <t>Software that performs tasks on behalf of a user or principal and may
autonomously invoke services or tools.</t>
        </dd>
        <dt>Agent Identifier (Agent-ID):</dt>
        <dd>
          <t>A verifiable identifier associated with a specific agent instance.</t>
        </dd>
        <dt>Principal:</dt>
        <dd>
          <t>The human user or entity on whose behalf the agent operates.</t>
        </dd>
        <dt>Authorization Server (AS):</dt>
        <dd>
          <t>The OAuth authorization server issuing tokens.</t>
        </dd>
        <dt>Resource Server (RS):</dt>
        <dd>
          <t>A server hosting protected resources.</t>
        </dd>
        <dt>In-Path Network Device (ND):</dt>
        <dd>
          <t>A network device positioned on the traffic path capable of enforcing policy
decisions.</t>
        </dd>
        <dt>Broadband Network Gateway (BNG):</dt>
        <dd>
          <t>A provider network function that terminates or manages broadband subscriber
sessions and can apply subscriber-level policy.  In this document, a BNG is
considered an example of an in-path network device for the home-network use
case.</t>
        </dd>
      </dl>
    </section>
    <section anchor="problem-statement">
      <name>Problem Statement</name>
      <t>Traditional authorization models assume stable applications and human-driven
workflows.  Agents violate these assumptions by dynamically selecting targets
and chaining tools across systems.</t>
      <t>Without task-bound constraints, agent-driven workflows introduce several
risks:</t>
      <ul spacing="normal">
        <li>
          <t>over-broad aggregation of internal data across multiple systems</t>
        </li>
        <li>
          <t>cross-boundary exfiltration when generated output is transmitted externally</t>
        </li>
        <li>
          <t>unsupervised tool chaining across services without user review</t>
        </li>
        <li>
          <t>machine-scale amplification of data access or operations</t>
        </li>
      </ul>
      <t>Campus environments also contain heterogeneous services and legacy protocols,
making it operationally infeasible to require each service to implement
agent-aware authorization.</t>
      <t>Residential access networks introduce a related form of aggregation.  A home
gateway and BNG may see a subscriber line, IP address, prefix, or access
session, while multiple home agents behind that subscriber attachment may have
very different tasks and risk profiles.  Treating the entire home network as
one authorization subject can over-authorize agent traffic and can make it
hard to apply task-specific controls such as child-safety policy, vendor-cloud
restriction, or mandatory secure egress.</t>
    </section>
    <section anchor="architecture">
      <name>Architecture</name>
      <figure anchor="fig-arch">
        <name>Scope-down authorization through an in-path network device</name>
        <artwork type="ascii-art"><![CDATA[
 Principal      Agent        Network      Auth         Resource
    |        Application     Device       Server        Server
    |             |             |            |             |
    | OAuth req   |             |            |             |
    |--------------------------------------->|             |
    |             |             |            |             |
    |             |             |  OAuth token             |
    |             |             |<-----------|             |
    |             | resource request + Agent-ID            |
    |             |------------------------->|             |
    |             |             |            |             |
    |             |       policy evaluation  |             |
    |             |             |            |             |
    |             | request + scoped token   |             |
    |             |------------------------->|             |
]]></artwork>
      </figure>
      <t>In the home-network use case, the Network Device may be a home gateway, a BNG,
or a provider-managed enforcement point associated with the subscriber
session.  The same principle applies: the enforcement decision should be based
on the identified agent traffic and the task-bound policy, not merely on the
subscriber line or shared public address.</t>
    </section>
    <section anchor="deployment-models">
      <name>Deployment Models</name>
      <t>Different deployment models are possible.</t>
      <t>Model A: Network Device performs token validation and policy enforcement
without issuing new tokens.</t>
      <t>Model B: Network Device obtains a reduced-scope token through OAuth Token
Exchange <xref target="RFC8693"/> or via Authorization Server policy decisions.</t>
      <t>Model C: In a home-network deployment, a home gateway, BNG, or provider-managed
enforcement point applies coarse reachability constraints for selected agent
traffic based on a subscriber policy profile and minimal task or Agent-ID
context.  This model is useful when not every home device, cloud service, or
legacy protocol can consume agent-aware application tokens.</t>
      <t>This document does not define a new OAuth grant type or token format and
relies on existing OAuth mechanisms.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>Deployments must address several threats.</t>
      <t>Agent identity spoofing: Deployments <strong>MUST</strong> ensure that Agent-ID cannot be
forged or reused across devices.</t>
      <t>Token replay: Deployments <strong>SHOULD</strong> bind tokens to the Network Device as
audience and <strong>MAY</strong> use mutual TLS or channel binding to reduce replay risk.</t>
      <t>Network bypass: Network architectures <strong>SHOULD</strong> enforce that agent traffic
cannot bypass the Network Device through fabric policies, VRF isolation, ACL
enforcement, home-gateway policy, or subscriber-session policy.</t>
      <t>BNG policy confusion: In the home-network use case, a BNG or provider-managed
enforcement point <strong>MUST NOT</strong> treat all agents behind the same subscriber
attachment as having the same task authorization when more specific policy
context is available.  Conversely, a provider network <strong>MUST NOT</strong> infer
sensitive task details beyond what is required for coarse network enforcement.</t>
      <t>Intent mis-modeling: Scope-down mechanisms ensure that authorization does not
expand privilege beyond the original delegation but cannot eliminate risks
caused by incorrect intent interpretation.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>Deployments may log Agent-ID and authorization decisions for auditing.</t>
      <t>Operators <strong>SHOULD</strong> minimize collection of unnecessary personal data and
avoid storing sensitive token contents.</t>
      <t>Deployments <strong>SHOULD</strong> consider using short-lived or per-task Agent-IDs and
<strong>SHOULD</strong> distinguish Principal identifiers from Agent-IDs in audit logs.</t>
      <t>In the home-network and BNG use case, provider-visible policy context can
reveal household behavior, device types, user objectives, or the presence of
specific agents.  Deployments <strong>SHOULD</strong> minimize the disclosure of task
content to the access provider and use coarse policy classes, local home-
gateway enforcement, or pairwise identifiers where possible.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document makes no requests of IANA.</t>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors thank members of the research community for discussions on agent
identity and authorization models in campus networks.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
      <reference anchor="RFC6749" target="https://www.rfc-editor.org/info/rfc6749" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml">
        <front>
          <title>The OAuth 2.0 Authorization Framework</title>
          <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
          <date month="October" year="2012"/>
          <abstract>
            <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6749"/>
        <seriesInfo name="DOI" value="10.17487/RFC6749"/>
      </reference>
      <reference anchor="RFC7519" target="https://www.rfc-editor.org/info/rfc7519" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml">
        <front>
          <title>JSON Web Token (JWT)</title>
          <author fullname="M. Jones" initials="M." surname="Jones"/>
          <author fullname="J. Bradley" initials="J." surname="Bradley"/>
          <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
          <date month="May" year="2015"/>
          <abstract>
            <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="7519"/>
        <seriesInfo name="DOI" value="10.17487/RFC7519"/>
      </reference>
      <reference anchor="RFC8693" target="https://www.rfc-editor.org/info/rfc8693" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8693.xml">
        <front>
          <title>OAuth 2.0 Token Exchange</title>
          <author fullname="M. Jones" initials="M." surname="Jones"/>
          <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
          <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
          <author fullname="J. Bradley" initials="J." surname="Bradley"/>
          <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
          <date month="January" year="2020"/>
          <abstract>
            <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8693"/>
        <seriesInfo name="DOI" value="10.17487/RFC8693"/>
      </reference>
      <reference anchor="RFC9068" target="https://www.rfc-editor.org/info/rfc9068" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9068.xml">
        <front>
          <title>JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens</title>
          <author fullname="V. Bertocci" initials="V." surname="Bertocci"/>
          <date month="October" year="2021"/>
          <abstract>
            <t>This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9068"/>
        <seriesInfo name="DOI" value="10.17487/RFC9068"/>
      </reference>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8VbbXPbRpL+Pr9iSvlwiUXIL5t11tq7q1VkO9aWX3SmfNl8
uaohMCRnBWK4GIA0L3J++z3dMwMMQMqylds7VsURCWCmu6dfn25kWSYa05T6
VJ6r1bp18myhq0ZeFPjXzE2uGmMrqapCTnO71tlzu63kWZ5r5+S5rZralkLN
ZrXejFbobxeFzSu1whZFreZN5paqWmQ535wpujlzfHOBm7NHjwU21Qtb706l
qeZWuHa2Ms6Bjma3xioXL65eCrOuT2VTt6558ujRs0dPhKq1OpVTnbe1aXZi
a+vrRW3b9ak8OhLiWu/wS3EqZCbPLjyJ9HfKVNssbW3+mzmma291Q6vIFyCi
zvUqPHKl3DWzrj/y99dauUZe1mZjSr3Q9NOPb38SQvF6tKOQ+MzbsvRSOF8q
K6ckBL5gKtMYVTpcOOEfXFv7G/t7bL1QVSDtVL5q1VYbvqBXypSnMseSJyzX
vyz54kluV/s7/6zNrpV/Nftb/zzaur/nrq3/TnduaeHHn937Nd0n/2bUaOe/
jXZ+/cU7z2tVXZ98xDLmLsanS10tKlXJX1o92n862j/eMdz9fGkqJd/YGc44
pWHXahfW/ktO96z4FqZCFNDjU/nk0ZOn2aMfskdPhahsvcKKGw21kO9fnj95
/PjZqVw2zdqdPnw4M7MTo5v5CfZ+uG5npckf1vOcfv+4Kh/Weq5rXeX6BE+e
0KMn+Nkv9KfHP3x/z4Xo0X6hpz98f1+K6NF+oR/+eG/W6NGEtafP/nBf1vBo
v9CzR0//dM+F6FFeKIO/pH+kmrmmVnkjBNwJOzEn4UpqnC7U3FQSv+h6XRun
pXd1svL+xEn9EV6q0bJ1us4KDa8BRSkEORYnZzs8vbHXtMyqLRuzLrVsrC0d
e2E8sjHwvhNp542u5NbAy7SNzOGQTNVa7EPLwmmu6U7ymidSXtWqMKTJqpQq
9XNyZUEAlnauXWnpGjXDdmq9LoPr513Fsl2pKivg47ClIc7AOl2dyBx+l3lW
El4a2p0v5RYm4RfRBWinLW1lVyBOBFE1SwWaYZDwXBBWWA3/ry0Cy1JjB4s7
NfHjdq7RK3ciRAgwutqY2lYrXglGbJl7Wmf4IMmLhJvvOrGFHUQBTmoczbq2
jc0h3IlcKZY5xJaFu/25ZmqL2DISW2HmCI44HrAnCr0u7Y6IcAakVk25g8yn
ZmVKVdMWkOnKMbtMLSSjcQH01toZjrR0LhxURaclECK2XVocS6diEwkJ103G
vy7bGX4gJkGz47MttOcSoYBIptDp8trMdC1LU2m+ma6A1ErnDZ3OEkFyscTp
zWqrihndEUiQpJZbtZPfIp59B/FfLY2TCOYtSR57+aXpMHXkUrq1guAQMKPW
M+GBOT4nZAysU6petDpoQtCKWv+jNSCvgSVkM9sSazGu4mLRsprIb4/6fOHo
O16MV9F9oGZhz5isDSRceLPK1qpZduxFYeEckBpARDjKNU4Eh08SWuFmA2eO
bIKtDGaL0yUViQop5UXjT7SXheITi6fIAof0yCZBEv7xp0oSCyIJFNagwR92
lDpxEC4KBXoU6esMpo61ENkiG1mpN7qULC1V71j0XubwT6SkJ95hrUxRIHaJ
b+QFnUGQpRAvbvdTpiLjdmC5JHJqrB7WlGRiNXktEmynnoLsGAKyJPulKudw
UuyOSFZXS4g2nvQKDNa6qQ2I9w6F1TfolpuIf7Qa211XdlvqAqc/g/Cg7ewa
YRCXF0H1ybXA6UCwIHle2m3nRKLzFNH2IYgPVWmuWf03ZHXeHybObpLSNyPK
4BHJPInTNakIJX+svZ1LI9mwEwvun/wYUVuQGJi1lS5oBbJ20ESyuMSPPqX1
BkDZq3Rq7i2HvW2/HBPTkN7gIiShc1KTtuL72dUioNS5cf40VJUQR54VK/aR
CWayUpSpYL+11gWE8qLTa/AKHSrgP1p4ceXkO0qK5ZOTR/LXX0Ny8OkTy/2v
03dvkU/O5BXOo3KCr1PgxvWgtdK7tmbHD4Q4R/xA21aGsiASxSu7hQ7UE+LQ
abHSEGaFQEKe3YLKwsrKwsyKoiZzucM1gNfEC4i9kJDvRxBI4Dk7cA59A6/l
QjWRSD+4KBCyRdhRa8Uewmh3KsQDXM3tojKelHmIH72tBOvBjamrwo0HuWIn
N/a6c/wBSyDdYoENaCBXBtXBtp0TD5bHMod7EPojGASfhsLj7UnKhD0NuSmH
rBgxAyrTIGK0NSwm+HqRBDPemt1XGr+qPoMZh7DofdmKBfwvcmcY/CDz8FGs
IyIJZsF3cuzj1C3qxwk5uBeBx5AuxDrurGcCYv3tt9+g4bkxGajhlH78Oc4O
fo4P3nyD/6gGJDs/L21byPdT+vmulf/rzpXTTf6X6PQiS8j8P6EzWfL4rnWI
zJ9CILxjuUDk8V103dxJW3/TUKRftO7ox88+sjn4o7jlIEfH+pkD70gZaf6Y
XrrvR1TPcPLpLTfiIC8HGL7lvm6BgxQejxc43rvcLeD/d04ed4rkC4TKZNe4
AP0zvDykINng+DYK+nuOBxQkZIz/HMrgZnhLXOB4sO3xmIYhBcfJX3GBm561
m/TbzXCBG3m2XnveGdW6GVJwnN2fggN8jyRyhwzSxQ98/RIKevb818DjSAYf
kON5GYS/vp6CrKMgu58MRp+vpOBzC/TsHfj6hRRkQwqyr6Pgs587Fhj5gj3/
dXzXAjfyvXa2Rbokp5va331RXMqH8szHrn8uBb/bKyPTEL+eym/mJqLekiH3
fzuKicow90qzLX30iTKaV5RZvR3VlFADOHrkzOJsACRQwcU1Q8AlHOXX+P3s
IuNkERuGCpaSti69SutWKrTysi08rrOxDIY4QjdQDSFlG8EQ9EuHQVDl3CKt
9FAPXfKYaOYzPhl/7os3ypbpKaT7VHvp1UwXVLODOkgGtKMebFA+eDiLoK9Q
KnO2iDCmD9aXqizHKeTPJntpeibTensi355dUQnU6Im8uNw8RZqr5+ajp3Q/
9yQ8Bdnmy9quPAAC/tc4M5Q1nPpXsl27BvXzqs+pmzGJKDGHSJKvxFrjllTn
KYIN8JCpu8Kb8vbFovaQIZV7tPcANyBy8WMlqGInAM5uiOqUBRQQJEmC5ujx
u5AfKc8EKRyj1yXq3VC9OLm2SCR3VFTSOgukFG2puGIiEcgR/DSJGFfYn+X8
fUzdR1K3dQTtqN6YE6hOZwz+022MEwEOocK5Z2SIN/lqxjQkvcbaCKZwhULy
J6S38QYQDgeniQVXyVUq0ai8eEklprfbSUB7etPgQ610QD1jkUJ6ipIYv261
olKS8AtvAGKjq4LAMs7FiYdgJYFykr1cK6JAlVkHn3F1ur+XUJAzSmtNODEX
lvGAsFetYZbe2DpEhFePhrsOqNCG+me3bQGLLDWhBLwmd0HS5QZG6Ja2LQvB
5Xuw9Jz1x1QQgknqywtGgEAy7AX1f0DdYPq63KWGsBMjg05LzrGhBgul6ncA
wUEJiCSCZqrC87bC6bC/SOrPEeKL261IcLuwKYGAFZypKiasYGXZUmOgYSgw
6NkAqRM9dtmDdj0cbkmxuNJPSMlKtSMbHhDEuDzYzzrA0GuHP9WBS7C1b5WC
WX+udYtQgRvofDuMsfJt0ezi+cTjXKYqAgFsjqX1p1do6gMUUbdy3wplFenQ
TBFcdBbPJgU85m3FaE2AJuhwCLTsHs4ChiH8Dln67NqagO42scmw65R+oD0E
x+MkDGtimy+FIkiptFtNYBT52RB5Spiv5gYADqOx9a7HfaIACTfGHSQzD9MI
rwUslxkEw60D2NvSLJZZbdx1uoVjw3aIYHl/BD06O0Ii9vKIYfTfzy9uS11u
zdf4iW6bPus9/J2TYZ8h+c6+T7TllGGcV+0sfOesFMm644ys2+N4uOY4086O
B3v4fG5I7h79Az7kmNxB2dezNHziliVvkVX6OR7ucXz3Ezf+ACOcsc/PffY4
nG3eHPw1+wyEsQdUTHsHOvVh+ksf7TXqtl0jm2Tx913j1u0vYyPlYRdOBqk3
u6MZzDQk368GoSO1yTTDouYU0Ut5OGcffRgJbZTQAJtb8i3kBgJEzOAyo8L7
USOERo5DlCM2HHzi9jO9ND6JGwOfYNn38Zxcqg13mjnrz1VMCoYxwiFA02X3
50BG8LVjTyv3XWygEBkqVwwNN1m5SUwTHCtTmRXlDMMYcLufC40vtUHCQAsS
QeHhsFNNyUSIiX1q2/P+L072fdlaM60TkLKXHSH1oSQazpkrISK7rzh8UCWO
usabJ4MlRDA8ZfE0+eSjiksEwSEz0udTqo31i3VteJrBMTzAskf9TDms2mlc
0yBYERN/5lD+gJF/hXAHah23R3wULnQDmblUZbhscMgZnU9fQgPWs0NZLbYP
uUca6fqUOuOgNwiR3IFq6agMaGIc/Yq6VJUt7WLn06hrvaM+W+Hk0ZsP06uj
if+/fPuO/37/4j8+XLx/8Zz+nr46e/26+8PfIfDl3YfX4Tr91T95/u7Nmxdv
n/uH8asc/fTm7Jcj3ys4end5dfHu7dnrI1++pt0Rzg2t79xxZ0OzIrquQctF
JfeqaH7m0ydBx8jfaQzm0yeWnlcVWyGz8F8p80y69mSrqKQNlI76F3w020qQ
gkNuHCRPxamc2nmz9dkqDDxUFL6D5YYtUuU1lQ0ThbdZK26RU3qGkxy0GkMD
tJtnoNSOhkPixt3kHtb7NuZz3xE5ZxJ1IC6wvpr+LiiCzX2Hk9vcSnYW4C3Y
N0Fz4u0ykkcLkkb4VmWkPrT7wNt2aalb7Tlk/8dL+T4kt2IH43YINfWGKZ5+
F5f2vcexP+PbjHMtOb+Ge49YrAeIwjrvp4Hn8ATI4RYnzXt471SHR+jxiyq7
pMmAmGM99zXYt2+j5IYjA/AYjnt8vsdL7EUvxwMGEWXByXq/yjuzl8FxFhAu
4xjY+MeuYI1b/5RW3n7zzrIjFTF/9orVsJVyxWHr0P5zSSk8iB6h8vats1zF
BLq/J4wTeGq5uBma2MSHQyq8pZ94AWXsDmNVHNCPw9MWHCEiZNEVB9AfWg1R
lf3OZZglmRIYw31c8TsHmGQ6wCS6UQGqlHypujG2pNZdQGhosXVo5aPg2VVq
FUpXH91Y+VS90DTzQJKkAQCvkTyo5ScQ+sGln0N4SPq8ie8NUwdxvqqfZOhS
jIjhCSotfFJBqE7Gp9ylK6Hr3I9TqEaNpyEiUViBL2RdDao/zk3ZhJEDhkb6
xjVoX7cePqlV5RAX6VdEfN6o3GG1toojZxyTEIc7oURxRJ8VgyW7DcRQo7dY
IIwlZI4QBkmq1M8fg6vADGdR/UQDhPjVY2H9LFg/H9bPgYkwB2aafo8AWsxp
GCYkQ3FUiSrOLi/B7ybW7+LW4THvr0ZzX+nUTTx0hV1Klj9jUTxQ0J10V+WL
FPgj06Si3ml9CH+7uOzRtgRoG8Ny26UBl53KeIzLG0qXm8LzpKBol83w9khO
tdjQBM8IQPNpE9XHAdRj0CiOEJJjIKnUY2DHCRoFGcWCdvZ3mCJ7MTaGeFmP
s/ng6nCwCHyNWKraA1rs+oY5X8RQugkY6GRZZDRqg8DmveJEetAuY9BOQJpN
bfIOJhnBCOBo0U0mfHYEoQuuvp4Jxbb/DDq5HBjjJ4Y+kRZYVId3OBZ9QkTz
nxAkB9+Gj8s7vo0uhYd9xIZl3OPh2wrX0effD+/8u8j+7MOeJ040vvbhf00L
8y94OGYk7FugVPK4A+TufPj/XWChltMbVbZB7f7pO/dyYky16I7pCx7+coGl
GAJ15iJ+MO1x3KFj6kZqb0uCCEu4qA6mQZwEccExTkZDu0iNmlacjU3EQfz0
QFU/TvaHRWqMAAGYZfAhVCQxqdLuNLjpfumY0SalMg9AipAcd8XGGBMIrarB
+FtwsVTmBvzfr7I3y0zVLDUDDo6A+Yk+pu4NJ4hCPO8iUdFfjNljzUk9R3c8
z4/Is9PxGfQ1HCsadN0U/QtS0QSS+cOY6cSCpdLbvmjxu/y4t4udUdLiOPxT
HlD416PCplG7vGPi6Uvx4iPjDjpUsk+f/QGVLOSzMUoerLMCqWkp4qk5P6WM
Xw31spfXZE//SPsOIUrigO55/YnIxK1g/T6IJDpkLM7VDnKbwE3IKHzlHPAp
RlCwXnSkIiBVsZfI5y89rEddRM57Sfc0Zy/MqzfaSejRhVyPmBaj5DF0cAJK
lqZ/STTujn80TW+1b0sVyMoo12Fd8YdMDU8YzW6tfblPajDnN4kYEIGRGD8R
2k2o++f6WVq2ifhuHL28xmVbzJ97Y6E6wfXDtnFyADqHDK3HGLrBXre2kHm1
OJXpGg8eECr0gKZcXRvxjy6UQUgewxLggbyUpSKgpYMNhUIYDSUZMa811la7
8R4eQcIuM05IWawRDBtZFPJH1RaGXudh7QCBZ7/gSXK4q7ZpweLV6ykRQgKr
aJyeel9czwUjDERw7grC4gaz3RoutTfhdHRjQGQwh+R1h24aOAqElzpEfjT5
uZrVhDGQuhvqWP3n+5fQXapcOfk8O3+dmp2fb+jag9GzknX15X4cBQgFv+BG
f4/qzlvH7799Plyp23DlA17AKwcBf5BKj32Py4t96DspMXr4u7vRD+YPfJ0f
QKYRwi69DyBMhKtpmCIC0ic0bljxW0Elx9U92GVAOVWDFC8PQrUzvbPgYktn
bbrXWnx/f9gTTqMFA1ENRyXjMvZMbFpJopFMx6e2NXo3KbgSoT+u1WCiPNBF
QsPtC+NfGerm8mlIIiijJvC74pcWCHEQ3IEPb9Hktq6p8DKe2A5pjcXtN34Q
Or/D0UAlS7vo/UIYCEoZieHJv9TSEgJULbDDOy7MbT2wMHb5VP3BEzNG43GD
lt50gpITxNG/J8VgArVxN9bAp2MtfgGiP052PKwn6SsCe74nImAwBl4A1DdZ
ye1xMgdYAitGZNK/TZc8nw789PVfj86CdRow6p8n+JkEQbLz0OW+YY5fOpr0
dkkjVNz8GPZtcOoIIxuNvZGvOL20nMaRkdl6ErE7ikCxq2K5+KZ3ONij+A6E
duxi7VwMIWQq8m8RYHdqtEJoapBeh5ciRDiC6NjHL00Rq8ymt6rIVmzp88iC
F04Hkww8JB2SMvWW3oBIpe67VUlK+I28OHt7tqfRwyBOCAOZXqxMHLFBz/ni
P+9eZ2Ix+J6KV3l+Dai6hoGvZrS/9ag5SZRrjtyuVm1FIZdnhCCnNgC5lAxx
jjR42+YgRurn6dJXvMK7YTOVX4v/AQEZDocLQAAA

-->

</rfc>
