<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 4.0.0) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-jholland-quic-multicast-09" category="exp" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Multicast QUIC">Multicast Extension for QUIC</title>
    <seriesInfo name="Internet-Draft" value="draft-jholland-quic-multicast-09"/>
    <author initials="J." surname="Holland" fullname="Jake Holland">
      <organization>Akamai Technologies, Inc.</organization>
      <address>
        <postal>
          <street>150 Broadway</street>
          <city>Cambridge, MA 02144</city>
          <country>United States of America</country>
        </postal>
        <email>jakeholland.net@gmail.com</email>
      </address>
    </author>
    <author fullname="Lucas Pardue">
      <organization/>
      <address>
        <email>lucaspardue.24.7@gmail.com</email>
      </address>
    </author>
    <author initials="M." surname="Franke" fullname="Max Franke">
      <organization>TU Berlin</organization>
      <address>
        <postal>
          <country>Germany</country>
        </postal>
        <email>m.franke@ravim.de</email>
      </address>
    </author>
    <author initials="K." surname="Rose" fullname="Kyle Rose">
      <organization>Akamai Technologies, Inc.</organization>
      <address>
        <postal>
          <street>145 Broadway</street>
          <city>Cambridge, MA 02144</city>
          <country>United States of America</country>
        </postal>
        <email>krose@krose.org</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>TSV</area>
    <workgroup>QUIC Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 83?>

<t>This document defines a multicast extension to QUIC to enable the efficient use of multicast-capable networks to send identical data streams to many clients at once, coordinated through individual unicast QUIC connections.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://GrumpyOldTroll.github.io/draft-jholland-quic-multicast/draft-jholland-quic-multicast.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-jholland-quic-multicast/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        QUIC Individual Draft mailing list (<eref target="mailto:quic@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/quic/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/quic/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/GrumpyOldTroll/draft-jholland-quic-multicast"/>.</t>
    </note>
  </front>
  <middle>
    <?line 87?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document specifies an extension to QUIC version 1 <xref target="RFC9000"/> to enable the use of multicast IP transport of identical packets for use in many individual QUIC connections.</t>
      <t>The multicast data can only be consumed in conjunction with a unicast QUIC connection.
When the client has support for multicast as described in <xref target="transport-parameter"/>, the server can tell the client about multicast channels and ask the client to join and leave them as described in <xref target="channel-management"/>.</t>
      <t>The client reports its joins and leaves to the server and acknowledges the packets received via multicast after verifying their integrity.</t>
      <t>The purpose of this multicast extension is to realize the large scalability benefits for popular traffic over multicast-capable networks without compromising on security, network safety, or implementation reliability.
Thus, this specification has several design goals:</t>
      <ul spacing="normal">
        <li>
          <t>Re-use as much as possible the mechanisms and packet formats of QUIC version 1</t>
        </li>
        <li>
          <t>Provide flow control and congestion control mechanisms that work with multicast traffic</t>
        </li>
        <li>
          <t>Maintain the confidentiality, integrity, and authentication guarantees of QUIC as appropriate for multicast traffic, fully meeting the security goals described in <xref target="I-D.draft-krose-multicast-security"/></t>
        </li>
        <li>
          <t>Leverage the scalability of multicast IP for data that is transmitted identically to many clients</t>
        </li>
        <li>
          <t>Rely on Multipath QUIC (<xref target="I-D.draft-ietf-quic-multipath"/>) to provide multicast for clients</t>
        </li>
      </ul>
      <t>This document does not define any multicast transport except server to client and only includes semantics for source-specific multicast.</t>
      <section anchor="conventions-and-definitions">
        <name>Conventions and Definitions</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
        </t>
        <t>Commonly used terms in this document are described below.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Term</th>
              <th align="left">Definition</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">SSM</td>
              <td align="left">Source-specific multicast, as described in <xref target="RFC4607"/></td>
            </tr>
            <tr>
              <td align="left">ASM</td>
              <td align="left">Any-source multicast, as distinguished from SSM in <xref target="RFC4607"/></td>
            </tr>
            <tr>
              <td align="left">(S,G)</td>
              <td align="left">A tuple of IP addresses (Source IP, Group IP) identifying a source-specific multicast channel as described in <xref target="RFC4607"/></td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
    <section anchor="multicast-channel">
      <name>Multicast Channel</name>
      <t>A QUIC multicast channel (or just channel) is a one-way network path that a server can use as an alternate path to send QUIC connection data to a client.</t>
      <t>Multicast channels are designed to leverage multicast IP and to be shared by many different connections simultaneously for unidirectional server-initiated data.</t>
      <t>One or more servers can use the same QUIC multicast channel to send the same data to many clients, as a supplement to the individual QUIC connections between those servers and clients.
(Note that QUIC connections are defined in <xref section="5" sectionFormat="of" target="RFC9000"/> and are not changed in this document; each connection is a shared state between a client and a server.)</t>
      <t>Each QUIC multicast channel has exactly one associated (S,G) that is used for the delivery of the multicast packets on the IP layer. Channels only support source-specific multicast (SSM) and do not support any-source multicast (ASM) semantics.</t>
      <t>Channels carry only 1-RTT packets.
Packets associated with a channel contain a Channel ID in place of a Destination Connection ID.
(A Channel ID cannot be zero length.)
This adds a layer of indirection to the process described in <xref section="5.2" sectionFormat="of" target="RFC9000"/> for matching packets to connections upon receipt.
Incoming packets received on the network path associated with a channel use the Channel ID to associate the packet with a joined channel.</t>
      <t>A client with a matching joined channel always has at least one connection associated with the channel.
If a client has no matching joined channel, the packet is discarded.</t>
      <section anchor="packet-number-encoding-for-channel-packets">
        <name>Packet Number Encoding for Channel Packets</name>
        <t>QUIC packet number encoding in <xref section="17.1" sectionFormat="of" target="RFC9000"/> encodes a truncated packet number by carrying only the least significant bits of the full packet number.
The sender selects a packet number length large enough for the receiver to reconstruct the full packet number, and the receiver decodes it as the value closest to the next expected packet number in that packet number space.
This sender-side mechanism is not suitable for multicast channel packets, because a single channel packet can be received by many clients with different receive, loss, and acknowledgement states.</t>
        <t>Channel packets therefore use a fixed packet number length of four bytes.
A server MUST encode the packet number of a channel packet as a four-byte truncated packet number, using the packet number encoding described in <xref section="17.1" sectionFormat="of" target="RFC9000"/>.
Before header protection is applied, the Packet Number Length bits of byte 0, that is, the bits with mask 0x03, MUST be set to 0b11 to indicate a four-byte Packet Number field.
A server MUST NOT select the packet number length for a channel packet based on acknowledgement state from any individual associated unicast connection.</t>
        <t>A client reconstructs the full packet number for a channel packet using the packet number reconstruction algorithm in <xref section="17.1" sectionFormat="of" target="RFC9000"/>, applied to the channel packet number space.
The expected packet number used for reconstruction is the next packet number after the largest packet number of any channel packet from which the client has successfully removed packet protection in that channel packet number space.</t>
        <t>Before a client has successfully removed packet protection from any packet in a channel packet number space, it uses the From Packet Number of the applicable MC_KEY frame as the next expected packet number for reconstruction.</t>
        <t>If a client cannot reconstruct packet numbers for a channel because the encoded packet numbers are too far from its expected packet number, it MUST discard the affected packets.
If this happens, the client SHOULD leave the channel and send an MC_STATE frame with State LEFT and Reason Code UNSYNCHRONIZED_PROPERTIES.</t>
      </section>
      <section anchor="latency-spin-bit-in-channel-packets">
        <name>Latency Spin Bit in Channel Packets</name>
        <t>Channel packets are unidirectional server-to-client packets, and clients can not send packets
on a multicast channel.
Therefore, the latency spin bit algorithm from <xref section="17.4" sectionFormat="of" target="RFC9000"/> does not apply to channel packets.</t>
        <t>The spin bit has no semantics in this extension and MUST NOT be assigned another meaning by endpoints unless specified in a future extension.</t>
        <t>In channel packets, a server MUST disable the spin bit as specified in <xref section="17.4" sectionFormat="of" target="RFC9000"/>.
A client MUST ignore the value of the spin bit in received channel packets.</t>
      </section>
      <section anchor="channel-using-multipath-quic">
        <name>Channel using Multipath QUIC</name>
        <t>From the point of view of the client, each Multicast QUIC channel is handled as an additional path from the server. A client keeps its unicast connection with the server open during all the transmission. Additionally, the server can inform the client about an additional path where it will receive multicast content. All mechanisms, except those listed below, follow <xref target="I-D.draft-ietf-quic-multipath"/>.
TODO: either rely the current Multipath QUIC draft (the client must create the new path itself) or extend the draft to allow the server to initiate the creation of the second path.</t>
        <t>The first major change concerns the encryption of the multicast path. To keep the unicast path between the client and the server secure, the multicast path MUST use a different key and MAY use a different algorithm, that is common between all clients. As such, each path is encrypted differently, differing from the current version of <xref target="I-D.draft-ietf-quic-multipath"/>. NB: there are discussions within the Multipath QUIC draft to integrate this feature to strengthen the security of MPQUIC. Secondly, a client MUST NOT send any data on the multicast path with the server.</t>
        <t>Leveraging Multipath QUIC for Multicast QUIC provides interesting properties from the client's point of view. For example, the client can seamlessly receive data from the multicast and the unicast path. This enables efficient unicast fall-back and unicast retransmissions. Leaving the multicast channel is performed by closing the multicast path with the server.</t>
        <t>This draft imposes the Multiple Packet Number Space version of Multipath QUIC (See <xref section="5" sectionFormat="of" target="I-D.draft-ietf-quic-multipath"/>). Each channel possesses its own packet number space. To enable clients to detect lost packets, packet numbers in channels SHOULD be continuous.</t>
        <t>The use of any particular channel is OPTIONAL for both the server and the client.
It is recommended that applications designed to leverage the multicast capabilities of this extension also provide graceful degradation for endpoints that do not or cannot make use of the multicast functionality (see <xref target="graceful-degradation"/>).</t>
        <t>The server has access to all data transmitted on any multicast channel it uses, and could optionally send this data with unicast instead.</t>
        <t>No special handling of the data is required in a client application that has enabled multicast.
A datagram or any particular bytes from a server-initiated unidirectional stream can be delivered over the unicast connection or a multicast channel transparently to a client application consuming the stream or datagram.</t>
        <t>Client applications should have a mechanism that disables the use of multicast on connections with enhanced privacy requirements for the privacy-related reasons covered in <xref target="I-D.draft-krose-multicast-security"/>.</t>
      </section>
    </section>
    <section anchor="transport-parameter">
      <name>Transport Parameters</name>
      <t>Support for multicast extensions in a client is advertised by means of QUIC transport parameters:</t>
      <ul spacing="normal">
        <li>
          <t>name: multicast_server_support (TBD - experiments use 0xff3e808)</t>
        </li>
        <li>
          <t>name: multicast_client_params (TBD - experiments use 0xff3e800)</t>
        </li>
      </ul>
      <t>If a multicast_server_support transport parameter is not included, clients MUST NOT send any frames defined in this document.</t>
      <t>If a multicast_client_params transport parameter is not included, servers MUST NOT send any frames defined in this document.</t>
      <t>The multicast_server_support parameter is a 0-length value.
Presence indicates that multicast-capable clients MAY send frames defined in this document, and SHOULD send MC_LIMITS (<xref target="client-limits-frame"/>) frames as appropriate when their capabilities or client-side limitations change.</t>
      <t>The multicast_client_params parameter has the structure shown below in <xref target="fig-transport-parameter-format"/>.</t>
      <figure anchor="fig-transport-parameter-format">
        <name>multicast_client_params Format</name>
        <artwork><![CDATA[
multicast_client_params {
  Reserved (6),
  IPv4 Channels Allowed (1),
  IPv6 Channels Allowed (1),
  Max Aggregate Rate (i),
  Max Channel IDs (i),
  Max Joined Count (i),
  Hash Algorithms Count (i),
  Cipher Suite Count (i),
  Hash Algorithms List (16 * Hash Algorithms Count),
  Cipher Suite List (16 * Cipher Suite Count)
}
]]></artwork>
      </figure>
      <t>The Reserved, IPv4 Channels Allowed, IPv6 Channels Allowed, Max Aggregate Rate, Max Channel IDs and Max Joined Count fields are identical to their analogous fields in the MC_LIMITS frame (<xref target="client-limits-frame"/>) and hold the initial values.</t>
      <t>A server MUST NOT send MC_ANNOUNCE (<xref target="channel-announce-frame"/>) frames with addresses using an IP Family that is not allowed according to the IPv4 and IPv6 Channels Allowed fields in the multicast_client_params, unless and until a later MC_LIMITS (<xref target="client-limits-frame"/>) frame adds permission for a different address family.</t>
      <t>It is valid for both IPv4 Channels Allowed and IPv6 Channels Allowed to be set to zero in the transport parameter.
This indicates that the client supports this extension but does not initially permit joining multicast channels using either IP address family.</t>
      <t>The Hash Algorithm Count field contains the number of entries in the Hash Algorithm List field.
The Cipher Suite Count field contains the number of entries in the Cipher Suite List field.
An endpoint MUST treat multicast_client_params as malformed if the parameter length is inconsistent with these counts.</t>
      <t>The Cipher Suite List field is in order of preference, with the most preferred value first.
It contains values from the "TLS Cipher Suites" registry in the "Transport Layer Security (TLS) Parameters" registry group <xref target="IANA.tls-parameters"/>.
It lists the cipher suites the client is willing to use for multicast channel packet protection and header protection.
A server MUST NOT send an MC_ANNOUNCE to this client for any channels using unsupported cipher suites.
If the server does send an MC_ANNOUNCE with an unsupported cipher suite, the client SHOULD treat it as a connection error of type MC_EXTENSION_ERROR.</t>
      <t>The Hash Algorithm List field is in order of preference, with the most preferred value first.
It lists the hash algorithms the client is willing to use to check integrity of data in multicast channels.
It contains values from the Named Information Hash Algorithm Registry:</t>
      <ul spacing="normal">
        <li>
          <t><eref target="https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg">https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg</eref></t>
        </li>
      </ul>
      <t>A server MUST NOT send an MC_ANNOUNCE to this client for a channel using a hash algorithm that was not included in the Hash Algorithm List.
If the server sends such an MC_ANNOUNCE, the client SHOULD treat it as a connection error of type MC_EXTENSION_ERROR.</t>
    </section>
    <section anchor="extension-overview">
      <name>Extension Overview</name>
      <t>A client has the option of refusal and the power to impose upper bound maxima on several resources (see <xref target="flow-control"/>), but otherwise its join status for all multicast channels is entirely managed by the server.</t>
      <ul spacing="normal">
        <li>
          <t>A client MUST NOT join a channel without receiving instructions from a server to do so.</t>
        </li>
        <li>
          <t>A client MUST leave joined channels when instructed by the server to do so.</t>
        </li>
        <li>
          <t>A client MAY leave channels or refuse to join channels, regardless of instructions from the server.</t>
        </li>
      </ul>
      <section anchor="channel-management">
        <name>Channel Management</name>
        <t>The client tells its server about some restrictions on resources that it is capable of processing with the initial values in the multicast_client_params transport parameter (<xref target="transport-parameter"/>) and later can update these limits with MC_LIMITS <xref target="client-limits-frame"/> frames. Servers ensure the set of channels the client is currently requested to join remains within these advertised client limits as covered in <xref target="flow-control"/>.</t>
        <t>The server asks the client to join channels with MC_JOIN (<xref target="channel-join-frame"/>) frames and to leave channels with MC_LEAVE (<xref target="channel-leave-frame"/>) frames.</t>
        <t>The server uses the MC_ANNOUNCE (<xref target="channel-announce-frame"/>) frame before any join or leave frames for the channel to describe the channel properties to the client, including values the client can use to ensure the server's requests remain within the limits it has sent to the server, as well as the secrets necessary to decode the headers of packets in the channel.
Sending an MC_ANNOUNCE before an MC_JOIN ensures the client can establish the necessary state required to join and retire any connection IDs that might collide with channel IDs.
MC_KEY frames provide the secrets necessary to decode the payload of packets in the channel.
<xref target="fig-client-channel-states"/> shows the states a channel has from the client's point of view.</t>
        <t>Joining a channel after receiving an MC_JOIN frame is OPTIONAL for clients.
Client responses to join, leave, and retire requests are described in <xref target="client-response"/>.</t>
        <t>The server ensures that in aggregate, all channels that the client has currently been asked to join and that the client has not left, declined to join or retired fit within the limits indicated by the initial values in the transport parameter or last MC_LIMITS (<xref target="client-limits-frame"/>) frame the server received.</t>
        <t>This extension does not define an application-layer catalogue or content-selection protocol.
Application protocols determine what content, service, program, representation, or other application context is relevant to a connection.
The multicast extension merely provides a transport mechanism by which the server can describe channels that are available in that context and request that the client join or leave them.
A server is not expected to announce every multicast channel that it operates to every client.
The set of channels announced to any specific client can be limited by application-layer state, prior application requests, receiver limits, server policy, or any combination of these.</t>
        <t>For example, a server may provide a video stream in different resolutions, with each available resolution being carried in a different multicast channel.
The server would only announce the channel that offers the best available quality while remaining under the limits set by the client.
In this case, this could happen without any involvement of the client-side application.</t>
        <figure anchor="fig-client-channel-states">
          <name>States a channel from the client's point of view.</name>
          <artwork><![CDATA[
                            o
                            |
----------------------->|   | Receive MC_ANNOUNCE and/or MC_KEY
^                       |   |
|                       |   |
|  Receive MC_JOIN (and v   v
|     unable to join) +----------+
|<--------------------*          |
                      | unjoined | Receive MC_RETIRE
--------------------->|          *------------------------>|
^                     +----*-----+                         |
|                          | Receive MC_JOIN               |
|                          |   (and able to join)          |
|                          |                               |
|                          v                               v
|                     +----------+                    +---------+
|    Receive MC_LEAVE |          |                    |         |
|     (or error case) |  joined  | Receive MC_RETIRE  | retired |
|<--------------------*          *------------------->|         |
                      +----------+                    +---------+

*: Each transition except the initial receiving of MC_ANNOUNCE
   and MC_KEY frames causes the client to send an MC_STATE frame
   describing the state transition (for LEFT or DECLINED_JOIN, this
   includes a reason for the transition).

"able to join" means:
- Both MC_KEY and MC_ANNOUNCE have been received
- Result will be within latest advertised client limits
- Nothing preventing a join is active (e.g. a hold-down timer,
  administrative blocking, etc.)
]]></artwork>
        </figure>
        <t>When the server has asked the client to join a channel and has not received any MC_STATE frames <xref target="client-channel-state-frame"/> with State DECLINED_JOIN, LEFT, or RETIRED, it also sends MC_INTEGRITY frames (<xref target="channel-integrity-frame"/>) to enable the client to verify packet integrity before processing channel packets.
A client MUST NOT decode a channel packet unless it has received an applicable MC_ANNOUNCE (<xref target="channel-announce-frame"/>) frame and an applicable MC_KEY (<xref target="channel-key-frame"/>) frame for the channel, and has received a matching packet hash in an MC_INTEGRITY frame for that packet.</t>
        <t><xref target="fig-frame-exchange"/> shows the frames that are being exchanged about and over a channel during the lifetime of an example channel.</t>
        <figure anchor="fig-frame-exchange">
          <name>Example flow of frames for a channel. Frames in square brackets are sent over multicast.</name>
          <artwork><![CDATA[
Client                                        Server

MC_LIMITS/initial_limits  --->

                                              MC_ANNOUNCE
                                              MC_KEY
                                       <----  MC_JOIN

MC_STATE(JOINED)  --->

                                              MC_INTEGRITY
                                       <----  [STREAM(...)]
MC_ACK  --->                                  ...
...                                    <----  MC_KEY
...
MC_LIMITS  --->

                                       <----  MC_LEAVE

MC_STATE(LEFT)  --->

                                       <----  MC_JOIN

MC_STATE(JOINED)  --->

                                              MC_INTEGRITY
                                       <----  [STREAM(...)]
MC_ACK  --->                                  ...
...

                                       <----  MC_LEAVE

MC_STATE(LEFT)  --->

                                       <----  MC_RETIRE

MC_STATE(RETIRED)  --->
]]></artwork>
        </figure>
        <t>TODO: incorporate server-side state diagram and explanation, latest proposed sketch at <eref target="https://github.com/GrumpyOldTroll/draft-jholland-quic-multicast/issues/62">https://github.com/GrumpyOldTroll/draft-jholland-quic-multicast/issues/62</eref></t>
      </section>
      <section anchor="channel-key-management">
        <name>Channel Key Management</name>
        <t>Multicast channel keys are channel-scoped rather than connection-scoped.
The same channel secret will be shared by receivers on many different QUIC connections, and clients can join a channel after it has started or leave before it ends, or miss key updates while not joined.
The regular QUIC Key Update mechanism (<xref section="6" sectionFormat="of" target="RFC9001"/>) can not cover such cases.
A server uses MC_KEY frames (<xref target="channel-key-frame"/>) to provide authorized receivers with channel packet protection secrets, to identify the packet number from which each secret applies, and to rotate channel keys independently of the unicast connection's 1-RTT keys.</t>
        <t>Each channel key generation is identified by a Key Sequence Number.
A server MUST generate continuous Key Sequence Number values for each channel.
The first MC_KEY frame for a channel MAY use any non-zero Key Sequence Number.
An MC_KEY frame MUST NOT use Key Sequence Number 0.</t>
        <t>A client that is not joined to a channel might not receive every MC_KEY frame for that channel, and can therefore observe gaps in Key Sequence Number values.
While joined, a client can also observe gaps due to packet loss or reordering.</t>
        <t>Secrets with even-valued Key Sequence Numbers have a Key Phase of 0 in channel 1-RTT packets, and secrets with odd-valued Key Sequence Numbers have a Key Phase of 1.
A client MUST NOT attempt to decrypt a channel packet unless it has an applicable channel secret for that packet number and Key Phase.
If no applicable secret is available, the client MAY retain the packet briefly in case an applicable MC_KEY frame arrives later, subject to the client's buffering limits.
The client MUST NOT acknowledge such a packet in an MC_ACK frame unless it later becomes able to process the packet.</t>
        <t>If a joined client receives channel packets for which it has no applicable channel secret, and an applicable MC_KEY frame does not arrive before the client discards those packets, the client SHOULD leave the channel and send an MC_STATE frame with State LEFT and Reason Code UNSYNCHRONIZED_PROPERTIES.</t>
        <t>If a client receives two different secrets with the same Channel ID and Key Sequence Number, it SHOULD close the connection with a connection error of type MC_EXTENSION_ERROR.</t>
        <t>Servers SHOULD update channel secrets regularly.
To limit the exposure of data after receivers have left a channel or lost authorization, servers SHOULD periodically send key updates using only unicast.</t>
        <t>Clients MUST delete old channel secrets and the keys derived from them after receiving a newer applicable MC_KEY frame.
Deleting old keys prevents later compromise of a client from discovering an otherwise uncompromised key, thus improving the chances of achieving forward secrecy for data sent before a key rotation.
A client MAY retain an old secret briefly to process reordered or delayed packets.
For this experimental specification, it is RECOMMENDED that clients delete old secrets 10 seconds after receiving a newer secret, or after 3 seconds without receiving any packet that uses the old secret, whichever is shorter.
Clients MUST NOT retain old channel secrets for more than 60 seconds after receiving a newer applicable MC_KEY frame.</t>
        <t>The delay values for this specification are somewhat arbitrary and allow for implementation-dependent experimentation.
One of the target discoveries for experimental evaluation is to determine good default delay values to use, and to understand whether there are use cases that would benefit from a negotiation between server and client to determine the delays to use dynamically.
(A poor delay choice results in either overhead from dropping packets instead of decoding them with old keys for too short a delay or in extra forward secrecy exposure time for too long a delay, and the purpose of the delays are to bound the forward secrecy exposure without inducing unreasonable overhead.)</t>
      </section>
      <section anchor="client-response">
        <name>Client Response</name>
        <t>A client reports how it has responded to server requests to join, leave, or retire channels using MC_STATE (<xref target="client-channel-state-frame"/>) frames.
MC_STATE frames are sent whenever the client's state for the channel changes.</t>
        <t>If a client joins a channel after receiving an MC_JOIN frame, it MUST send an MC_STATE frame with State JOINED.
If the client does not join, it MUST send an MC_STATE frame with State DECLINED_JOIN and an appropriate Reason Code.
Declining an MC_JOIN request is a state change for the channel even though the client does not join the multicast channel.</t>
        <t>After leaving a channel in response to an MC_LEAVE frame, a client MUST send an MC_STATE frame with State LEFT and Reason Code REQUESTED_BY_SERVER.</t>
        <t>After retiring a channel in response to an MC_RETIRE frame, a client MUST send an MC_STATE frame with State RETIRED and Reason Code REQUESTED_BY_SERVER.
Retiring a joined channel also leaves that channel; the client does not send a separate MC_STATE frame with State LEFT.</t>
      </section>
      <section anchor="channel-packet-acknowledgment">
        <name>Acknowledging Channel Packets</name>
        <t>Clients that receive and decode packets on a multicast channel acknowledge those packets on the unicast connection using MC_ACK (<xref target="channel-ack-frame"/>) frames.</t>
        <t>An MC_ACK frame acknowledges packets only in the packet number space of the channel identified by its Channel ID.</t>
        <t>MC_ACK generation is controlled by the MC_ACK policy advertised in the MC_ANNOUNCE frame for the corresponding channel.
The Max ACK Delay, Ack-Eliciting Threshold, and Reordering Threshold fields of MC_ANNOUNCE apply separately to each multicast channel packet number space.</t>
        <t>A client SHOULD send an MC_ACK for a channel when either:</t>
        <ul spacing="normal">
          <li>
            <t>the number of ack-eliciting channel packets received since the last MC_ACK for that channel is greater than the Ack-Eliciting Threshold; or</t>
          </li>
          <li>
            <t>Max ACK Delay has elapsed and at least one ack-eliciting channel packet has been received since the last MC_ACK for that channel.</t>
          </li>
        </ul>
        <t>A client MAY send an MC_ACK earlier than required by these rules.</t>
        <t>A client MUST send the first MC_ACK for a newly joined channel without intentional delay after receiving and processing an ack-eliciting packet on that channel.</t>
        <t>A client SHOULD use the Reordering Threshold to determine when receipt of out-of-order channel packets causes an immediate MC_ACK, following the behavior defined for ACK_FREQUENCY (<xref target="I-D.ietf-quic-ack-frequency"/>), applied to the channel packet number space.</t>
        <t>All channel packets that require acknowledgment MUST be acknowledged at least once.
When MC_ACK frames are sent less frequently, clients need to retain ACK range information long enough to avoid permanently omitting acknowledgment of received channel packets.</t>
        <t>ACK_FREQUENCY and IMMEDIATE_ACK frames defined by <xref target="I-D.ietf-quic-ack-frequency"/> do not affect MC_ACK generation unless a future extension explicitly defines such behavior.
The ACK policy for MC_ACK frames is instead defined by the MC_ANNOUNCE frame for the corresponding channel.</t>
        <t>After sending ack-eliciting channel packets, a server can determine that a client is receiving packets for a multicast channel when it receives MC_ACK frames for that channel.
It is up to the server to decide how long to wait before treating the absence of MC_ACK frames as evidence that the client is not receiving packets on the channel, and to take appropriate steps such as sending an MC_LEAVE frame.</t>
        <t>A client that is willing to remain joined to a channel SHOULD NOT leave the channel solely because it receives no channel data for an extended period.
This enables multicast-capable networks to perform popularity-based admission control for multicast channels.</t>
      </section>
      <section anchor="data-carried-in-channels">
        <name>Data Carried in Channels</name>
        <t>Data transmitted in a multicast channel is encrypted with symmetric keys so that on-path observers without access to these keys cannot decode the data.
However, since potentially many receivers receive identical packets and identical keys for the multicast channel and some receivers might be malicious, the packets are also protected by MC_INTEGRITY (<xref target="channel-integrity-frame"/>) frames transmitted over a separate integrity-protected path.</t>
        <t>A client MUST NOT decode packets on a multicast channel for which it has not received a matching hash in an MC_INTEGRITY frame over a different integrity-protected communication path.
The different path can be either the unicast connection or another multicast channel with packets that were verified with an earlier MC_INTEGRITY frame.</t>
        <t>Note that MC_INTEGRITY frames MAY be carried in packets on multicast channels, however such packets will not be accepted unless another accepted MC_INTEGRITY frame contains its packet hash.
Hashes of packets containing hashes of other packets can thus form a Merkle tree <xref target="MERKLE"/> with a root that is carried in the unicast connection.</t>
        <t>See <xref target="data-integrity"/> for a more complete overview of the security issues involved here.</t>
        <t>A client is not required to buffer unauthenticated packets indefinitely.
A client MAY discard unauthenticated packets when doing so is necessary to bound memory use.
A client SHOULD use the channel's Max Rate and Max Authentication Delay values to size the buffer it is willing to allocate for unauthenticated packets on that channel.</t>
        <t>If a packet has not become authenticated within Max Authentication Delay after it was received, the client MAY discard the packet.
If this occurs persistently, or if the number of unauthenticated packets exceeds the client's local buffering capacity, the client SHOULD leave the channel and send MC_STATE(LEFT) with reason AUTHENTICATION_DELAY_EXCEEDED.</t>
        <t>A client MAY decline to join a channel, or MAY leave a joined channel, if the Max Authentication Delay value is larger than the client is willing to support.</t>
      </section>
      <section anchor="stream-processing">
        <name>Stream Processing</name>
        <t>Stream IDs in channels are restricted to unidirectional server initiated streams, or those with the least significant 2 bits of the stream ID equal to 3 (see <xref section="2.1" sectionFormat="of" target="RFC9000"/>).</t>
        <t>Multicast channels do not define independent QUIC stream ID spaces.
STREAM frames received on a multicast channel are processed as regular STREAM frames for the associated QUIC connection.
Stream IDs are therefore allocated from the same connection-wide stream ID space, whether stream data is sent on the unicast path or on one or more multicast channels.</t>
        <t>A server that sends STREAM frames on one or more multicast channels associated with the same QUIC connection is responsible for coordinating stream ID allocation across the unicast paths of all potential multicast receivers, and across all relevant multicast channels.</t>
        <t>Using disjoint stream ID ranges for different channels is one possible implementation strategy, but is not required by this specification.</t>
        <t>When a channel contains, or may soon contain, streams with IDs that exceed the stream ID limit implied by the client's server-initiated unidirectional MAX_STREAMS value, the server MUST NOT send MC_JOIN to instruct the client to join that channel and SHOULD send a STREAMS_BLOCKED frame, as described in Sections <xref target="RFC9000" section="4.6" sectionFormat="bare"/> and <xref target="RFC9000" section="19.14" sectionFormat="bare"/> of <xref target="RFC9000"/>.</t>
        <t>If the client is already joined to a channel that carries streams that exceed or will soon exceed the client's unidirectional MAX_STREAMS, the server SHOULD send an MC_LEAVE frame.</t>
        <t>If a client receives a STREAM frame with an ID above its MAX_STREAMS on a channel, the client MAY increase its unidirectional MAX_STREAMS to a value greater than the new ID and send an update to the server, otherwise it MUST drop the packet and leave the channel with reason "MAX_STREAMS_EXCEEDED".</t>
        <t>Since clients can join later than a channel began, it is RECOMMENDED that clients supporting the multicast extensions to QUIC be prepared to handle stream IDs that do not begin at early values, since by the time a client joins a channel in progress the stream ID count might have been increasing for a long time.
Clients should therefore begin with a high initial_max_streams_uni or send an early MAX_STREAMS type 0x13 value (see <xref section="19.11" sectionFormat="of" target="RFC9000"/>) with a high limit.
Clients MAY use the maximum 2^60 for this high initial limit, but the specific choice is implementation-dependent.</t>
        <t>The same stream ID may be used in both one or more multicast channels and the unicast connection.  As described in <xref section="2.2" sectionFormat="of" target="RFC9000"/>, stream data received multiple times for the same offset MUST be identical, including when the data is received on different multicast channels or on both multicast and unicast paths.
If it's not identical it MAY be treated as a connection error of type MC_EXTENSION_ERROR.</t>
      </section>
    </section>
    <section anchor="flow-control">
      <name>Flow Control</name>
      <t>The values used for unicast flow control cannot be used to limit the transmission rate of a multicast channel because a single client with a low MAX_STREAM_DATA or MAX_DATA value that did not acknowledge receipt could block many other receivers if the servers had to ensure that channels responded to each client's limits.
Instead of terminating a connection if its MAX_DATA gets exceeded (as described in <xref section="19.9" sectionFormat="of" target="RFC9000"/>), a client must be able to robustly handle multicast packets that would exceed its MAX_DATA without aborting the connection, either by increasing its MAX_DATA as needed to keep up with received multicast packets or by dropping the packet and leaving the channel (resulting in unicast fallback).
If a server detects that a client's MAX_DATA is about to be exceeded, it MUST instruct the client to leave channels to prevent any further MAX_DATA violations.</t>
      <t>Instead, clients advertise resource limits via MC_LIMITS (<xref target="client-limits-frame"/>) frames and their initial values from the transport parameter (<xref target="transport-parameter"/>).
The server is responsible for keeping the client within its advertised limits, by ensuring via MC_JOIN and MC_LEAVE frames that the set of channels the client is asked to be joined to will not, in aggregate, exceed the client's advertised limits.
The server also advertises the expected maxima of the values that can contribute toward client resource limits within a channel in an MC_ANNOUNCE (<xref target="channel-announce-frame"/>) frame, and the client also ensures that the set of channels it's joined to does not exceed its limits, according to the advertised values.
The client also monitors the packets received to ensure that channels don't exceed their advertised values, and leaves channels that do.</t>
      <t>The sequence numbers carried in MC_JOIN allow the client to determine whether a join request is based on state that is synchronized between the client and server.</t>
      <t>If the server asks the client to join a channel that would violate the client's limits, and the MC_JOIN frame contains the client's current MC_LIMITS Sequence Number, the client SHOULD send an MC_STATE frame (<xref target="client-channel-state-frame"/>) with State DECLINED_JOIN and Reason Code PROPERTY_VIOLATION.</t>
      <t>If the server asks the client to join a channel that would violate the client's current limits, but the MC_JOIN frame contains an older MC_LIMITS Sequence Number, the client SHOULD send an MC_STATE frame with State DECLINED_JOIN and Reason Code UNSYNCHRONIZED_PROPERTIES.</t>
      <t>If the MC_JOIN frame refers to an MC_KEY Sequence Number that the client has not yet received, the client SHOULD send an MC_STATE frame with State DECLINED_JOIN and Reason Code UNSYNCHRONIZED_PROPERTIES.</t>
      <t>If the actual contents sent in the channel violate the advertised properties from MC_ANNOUNCE, clients SHOULD leave the channel and send an MC_STATE frame with State LEFT and Reason Code LIMIT_VIOLATION.</t>
      <t>After processing an MC_LIMITS frame, if the set of channels that the client is currently requested to join no longer fits within the client's current limits, the server MUST send MC_LEAVE frames for one or more channels.
For this purpose, the requested set includes channels for which the server has sent MC_JOIN and has not received an MC_STATE frame with State LEFT, DECLINED_JOIN, or RETIRED.</t>
      <t>The server is responsible for selecting which channels to leave so that the remaining requested set fits within the client's current limits.
The server MUST NOT send new MC_JOIN frames that would cause the requested set to violate the client's current limits.</t>
    </section>
    <section anchor="congestion-control">
      <name>Congestion Control</name>
      <t>Both the server and the client perform congestion control operations, so that according to the guidelines in <xref section="4.1" sectionFormat="of" target="RFC8085"/>, mechanisms for both feedback-based and receiver-driven styles of congestion control are present and operational.</t>
      <t>All frames defined by this document other than MC_ACK are ack-eliciting.
Packets containing those frames are considered in-flight and count toward congestion control limits as described in <xref target="RFC9002"/>.
MC_ACK frames are treated the same as ACK frames for congestion control and loss recovery purposes and do not make a packet ack-eliciting and thus a packet containing only them does not count as in-flight.</t>
      <t>The server maintains a full view of the traffic received by the client via the MC_ACK (<xref target="channel-ack-frame"/>) frames and ACK frames it receives, and can detect loss experienced by the client.
Under sustained persistent loss that exceeds server-configured thresholds, the server SHOULD instruct the client to leave channels as appropriate to avoid having the client continue to see sustained persistent loss.</t>
      <t>Under sustained persistent loss that exceeds client-configured thresholds, the client SHOULD reduce its Max Rate and tell the server via MC_LIMITS frames, which also will result in the server instructing the client to leave channels until the client's aggregate rate is below its advertised Max Rate.
Under a higher threshold of sustained persistent loss, the client also SHOULD leave channels, using an MC_STATE(LEFT) frame with the "HIGH_LOSS" reason, as well as reducing the Max Rate in MC_LIMITS.</t>
      <t>The unicast connection's congestion control is unaffected.
However a few potential interactions with the unicast connection are worth highlighting:</t>
      <ul spacing="normal">
        <li>
          <t>if the client notices high loss on the unicast connection while multicast channel packets are arriving, the client MAY leave channels with reason "HIGH_LOSS".</t>
        </li>
        <li>
          <t>if the client notices congestion from unicast this MAY also drive reductions in the client's Max Rate, and a lack of unicast congestion under unicast load MAY also drive increases to the client's Max Rate (along with an updated MC_LIMITS frame).</t>
        </li>
      </ul>
      <t>Hybrid multicast-unicast congestion control is still an experimental research topic.
Implementations SHOULD follow the guidelines given in <xref section="4.1.1" sectionFormat="of" target="RFC8085"/> under the assumption that applications using QUIC multicast will operate as Bulk-Transfer applications.</t>
    </section>
    <section anchor="data-integrity">
      <name>Data Integrity</name>
      <t>TODO: import the <xref target="I-D.draft-krose-multicast-security"/> explanation for why extra integrity protection is necessary (many client have the shared key, so AEAD doesn't provide authentication against other valid clients on its own, since the same key is given to multiple clients and as the client count grows so does the chance that at least one client is controlled by an attacker.)</t>
      <section anchor="packet-hashes">
        <name>Packet Hashes</name>
        <t>TODO: explanation and example for how to calculate the packet hash.
Note that the hash is on the encrypted packet to avoid leaking data about the encrypted contents to those who can see a hash but not the key.
(This approach also may help make better use of <xref target="I-D.draft-ietf-mboned-ambi"/> by making it possible to generate the same hashes for use in both AMBI and QUIC MC_INTEGRITY frames.)</t>
      </section>
    </section>
    <section anchor="recovery">
      <name>Recovery</name>
      <t>TODO: Articulate key differences with <xref target="RFC9002"/>.
The main known difference is that servers might not be running on the same devices that are sending the channel packets, therefore the RTT for channel packets might use an estimated send time that can vary according to the clock synchronization among servers and the deployment and implementation details of how the servers find out the sending timestamps of channel packets.
Experience-based guidance on the recovery timing estimates is one anticipated outcome of experimenting with deployments of this experimental extension.</t>
      <t>All frames defined in this document except MC_ACK are ack-eliciting and are retransmitted until acknowledged to provide reliable, though possibly out of order, delivery.</t>
      <t>Note that recovery MAY be achieved either by retransmitting frame data that was lost and needs reliable transport either by sending the frame data on the unicast connection or by coordinating to cause an aggregated retransmission of widely dropped data on a multicast channel, at the server's discretion.
However, the server in each connection is responsible for ensuring that any necessary server-to-client frame data lost by a multicast channel packet loss ultimately arrives at the client.</t>
      <t>To minimize the amount of additional packets sent on a multicast channel when retransmitting frames, the server SHOULD use Forward Erasure Correction (FEC) techniques following guidelines from <xref target="I-D.draft-michel-quic-fec"/>. Instead of retransmitting the frames directly, the server sends FEC repair packets on the multicast channel. As such, an individual repair packet can recover different losses on distinct clients, thus minimizing the amount of data sent on a multicast channel. The scheduling of these repair packets is implementation-dependent and hence out of scope of this document.</t>
    </section>
    <section anchor="connection-termination">
      <name>Connection Termination</name>
      <t>Termination of the unicast connection behaves as described in <xref section="10" sectionFormat="of" target="RFC9000"/>, with the following notable differences:</t>
      <ul spacing="normal">
        <li>
          <t>On the client side, if the associated unicast connection is terminated for any reason, including receipt or transmission of a CONNECTION_CLOSE frame, all multicast channel state associated with that connection MUST be discarded.
If the client is joined to any multicast channels for that connection, it MUST leave those channels.
Connection termination does not require the client to send MC_STATE frames for the affected channels.
After the unicast connection is terminated, MC_STATE frames cannot be delivered on that connection.</t>
        </li>
        <li>
          <t>The server MUST NOT rely on receiving per-channel leave or retire state for cleanup.</t>
        </li>
        <li>
          <t>For determining the liveness of a connection, the client MUST only consider packets received on the unicast connection. Any packets received on a multicast channel MUST NOT be used to reset a timer checking if a potentially specified max_idle_timeout has been reached. If the unicast connection becomes idle, as described in <xref section="10.1" sectionFormat="of" target="RFC9000"/>, the client MUST terminate the connection as described above.</t>
        </li>
      </ul>
      <section anchor="stateless-reset">
        <name>Stateless Reset</name>
        <t>As clients can unilaterally stop the delivery of multicast packets by leaving the relevant (S,G), channels do not need stateless reset tokens.
Clients therefore do not share the stateless reset tokens of channels with the server. Instead, if an endpoint receives packets addressed to an (S,G) that it can not associate with any existing channel,
it MAY take the necessary steps to prevent the reception of further such packets, without the need to signal to the server that it should stop sending.</t>
        <t>If a server or client detect a stateless reset for a channel, they MUST ignore it.</t>
      </section>
      <section anchor="connection-migration">
        <name>Connection Migration</name>
        <t>If the unicast connection migrated, e.g. due to a change of the NAT binding or because the UE has changed to a different network, the client properties might change.
For example, the client might switch from a network that supports both IPv6 and IPv4 multicast to a network that only supports IPv4. As such, it MUST immediately send an MC_LIMITS frame after it has noticed that it migrated.
The client MAY rejoin any previously joined channels, if its limits still allow it to. It MUST send MC_STATE(LEFT) frames with reason LIMIT_VIOLATION for any channels it does not rejoin.</t>
        <t>The server SHOULD take notice of migrating clients as the delay that is being caused by rejoining a multicast group can lead to exceeding the expected MAX_ACK_DELAY, which a server might interpret as a loss of multicast connectivity.
Instead, the server SHOULD treat all multicast channels of a client whose unicast connection just migrated as if it had just joined these channels initially and allow for ample time before expecting the first MC_ACK frames.</t>
      </section>
    </section>
    <section anchor="new-frames">
      <name>New Frames</name>
      <section anchor="channel-announce-frame">
        <name>MC_ANNOUNCE</name>
        <t>Once a server learns that a client supports multicast through its transport parameters, it can send one or multiple MC_ANNOUNCE frames (type=TBD-11..TBD-12) to share information about available channels with the client.
The MC_ANNOUNCE frame contains the properties of a channel that do not change during its lifetime.</t>
        <t>MC_ANNOUNCE frames are formatted as shown in <xref target="fig-mc-channel-announce"/>.</t>
        <figure anchor="fig-mc-channel-announce">
          <name>MC_ANNOUNCE Frame Format</name>
          <artwork><![CDATA[
MC_ANNOUNCE Frame {
  Type (i) = TBD-11..TBD-12 (experiments use 0xff3e811/0xff3e812),
  ID Length (8),
  Channel ID (8..160),
  Source IP (32..128),
  Group IP (32..128),
  UDP Port (16),
  Cipher Suite (16),
  Header Secret Length (i),
  Header Secret (..),
  Integrity Hash Algorithm (16),
  Max Rate (i),
  Max Authentication Delay (i),
  Max ACK Delay (i),
  Ack-Eliciting Threshold (i),
  Reordering Threshold (i)
}
]]></artwork>
        </figure>
        <t>Frames of type TBD-11 are used for IPv4 and both Source and Group address are 32 bits long. Frames of type TBD-12 are used for IPv6 and both Source and Group address are 128 bits long.</t>
        <t>MC_ANNOUNCE frames contain the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>ID Length: The length in bytes of the Channel ID field.</t>
          </li>
          <li>
            <t>Channel ID: The channel ID of the channel that is getting announced.</t>
          </li>
          <li>
            <t>Source IP: The IP Address of the source of the (S,G) for the channel.  Either a 32-bit IPv4 address or a 128-bit IPv6 address, as indicated by the frame type (TBD-11 indicates IPv4, TBD-12 indicates IPv6).</t>
          </li>
          <li>
            <t>Group IP: The IP Address of the group of the (S,G) for the channel.  Either a 32-bit IPv4 address or a 128-bit IPv6 address, as indicated by the frame type (TBD-11 indicates IPv4, TBD-12 indicates IPv6). This address MUST be a valid SSM destination address as specified in <xref target="RFC4607"/>.</t>
          </li>
          <li>
            <t>UDP Port: The 16-bit UDP Port of traffic for the channel.</t>
          </li>
          <li>
            <t>Cipher Suite: A value from the "TLS Cipher Suites" registry in the "Transport Layer Security (TLS)  Parameters" registry group <xref target="IANA.tls-parameters"/>.
  The cipher suite determines the AEAD algorithm used for packet protection, the hash function used for key derivation, and the header protection algorithm for channel packets, as described in <xref section="5" sectionFormat="of" target="RFC9001"/>.
  The value MUST match a value provided in the Cipher Suite List of the multicast_client_params transport parameter; see <xref target="transport-parameter"/>.</t>
          </li>
          <li>
            <t>Header Secret Length: Provides the length of the Header Secret field.</t>
          </li>
          <li>
            <t>Header Secret: A secret used to derive the header protection key for channel packets.
  The header protection key is derived from this secret using the cipher suite identified by the Cipher Suite field and the <tt>"quic hp"</tt> label, as described in <xref section="5.1" sectionFormat="of" target="RFC9001"/>.
  The header protection algorithm is the algorithm defined by <xref target="RFC9001"/> for the AEAD associated with the Cipher Suite used by this channel.
  The Header Secret is not used to derive packet protection keys or IVs.</t>
          </li>
          <li>
            <t>Integrity Hash Algorithm: The hash algorithm used in MC_INTEGRITY frames.
            </t>
            <ul spacing="normal">
              <li>
                <t><strong>Author's Note:</strong> Several candidate IANA registries, not sure which one to use?  Some have only text for some possibly useful values.  For now we use the first of these:
                </t>
                <ul spacing="normal">
                  <li>
                    <t><eref target="https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg">https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg</eref></t>
                  </li>
                  <li>
                    <t><eref target="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18">https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18</eref></t>
                  </li>
                  <li>
                    <t>(text-only): <eref target="https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml">https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml</eref></t>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
          <li>
            <t>Max Rate: The maximum rate in Kibps of the payload data for this channel. Channel data MUST NOT exceed this rate over any 5s window, if it does clients SHOULD leave the channel with reason "MAX_RATE_EXCEEDED".</t>
          </li>
          <li>
            <t>Max Authentication Delay: The maximum time, in microseconds, that a client is expected to buffer a multicast channel packet before the packet becomes authenticated by an accepted MC_INTEGRITY frame.
  The delay is measured from receipt of the channel packet until the packet becomes authenticated.
  See <xref target="buffering-unauthenticated-packets"/>.</t>
          </li>
          <li>
            <t>Max ACK Delay: The maximum amount of time, in microseconds, that a client can intentionally delay sending an MC_ACK frame for ack-eliciting packets received on this channel.
  This value is used similarly to max_ack_delay (<xref section="18.2" sectionFormat="of" target="RFC9000"/>), but applies
  only to MC_ACK frames for this channel.
  A client SHOULD NOT intentionally delay an MC_ACK for this channel beyond this value.</t>
          </li>
          <li>
            <t>Ack-Eliciting Threshold: The maximum number of ack-eliciting channel packets that a client can receive on this channel without sending an MC_ACK.
  This field has the same semantics as the Ack-Eliciting Threshold field of ACK_FREQUENCY (<xref target="I-D.ietf-quic-ack-frequency"/>), except that it applies only to MC_ACK frame generation for this channel.
  A value of 0 requests that every ack-eliciting channel packet be acknowledged immediately.
  A value of 1 corresponds to the default QUIC behavior of acknowledging after receiving two ack-eliciting packets.</t>
          </li>
          <li>
            <t>Reordering Threshold: A packet-count threshold used to determine when receipt of out-of-order channel packets causes an immediate MC_ACK.
  This field has the same semantics as the Reordering Threshold field of ACK_FREQUENCY (<xref target="I-D.ietf-quic-ack-frequency"/>), except that it applies only to this channel's packet number space and to MC_ACK frames for this channel.</t>
          </li>
        </ul>
        <t>A client MUST NOT use the channel ID included in an MC_ANNOUNCE frame as a connection ID for the unicast connection.
If it is already in use, the client SHOULD retire it as soon as possible.
As the server knows which connection IDs are in use by the client, it MUST wait with the sending of an MC_JOIN frame until the channel ID associated with it has been retired by the client.</t>
        <t>If a client receives an MC_ANNOUNCE frame with a Group IP that is not within the SSM destination address range as outlined in <xref target="RFC4607"/>, it SHOULD close the connection with a connection error of type MC_EXTENSION_ERROR.</t>
        <t>As all the properties in MC_ANNOUNCE frames are immutable during the lifetime of a channel, a server SHOULD NOT send an MC_ANNOUNCE frame for the same channel more than once to each client except as needed for recovery.</t>
        <t>A server SHOULD send an MC_ANNOUNCE frame for a channel before sending an MC_KEY frame for that channel.</t>
        <t>A server MUST NOT send an MC_JOIN frame for a channel unless it has sent, or is sending in the same packet, both an applicable MC_ANNOUNCE frame and an applicable MC_KEY frame for that channel.</t>
      </section>
      <section anchor="channel-key-frame">
        <name>MC_KEY</name>
        <t>An MC_KEY frame (type=TBD-01) is sent from server to client, either with the unicast connection or in an existing joined multicast channel.
It carries a channel packet protection secret and identifies the packet number from which that secret applies.</t>
        <t>A server SHOULD NOT send MC_KEY frames for channels except those the client has joined or will be imminently asked to join.</t>
        <t>MC_KEY frames are formatted as shown in <xref target="fig-mc-channel-key-format"/>.</t>
        <figure anchor="fig-mc-channel-key-format">
          <name>MC_KEY Frame Format</name>
          <artwork><![CDATA[
MC_KEY Frame {
  Type (i) = TBD-01 (experiments use 0xff3e801),
  ID Length (8),
  Channel ID (8..160),
  Key Sequence Number (i),
  From Packet Number (i),
  Secret Length (i),
  Secret (..)
}
]]></artwork>
        </figure>
        <t>MC_KEY frames contain the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>ID Length: The length in bytes of the Channel ID field.</t>
          </li>
          <li>
            <t>Channel ID: The channel ID for the channel associated with this frame.</t>
          </li>
          <li>
            <t>Key Sequence Number: The key generation identified by this frame.
  This value MUST NOT be 0.</t>
          </li>
          <li>
            <t>From Packet Number: The first channel packet number for which the secret in this frame is applicable.
  The secret applies to channel packets with packet numbers greater than or equal to From Packet Number and with the Key Phase corresponding to this Key Sequence Number as described in <xref target="channel-key-management"/>, until superseded by an MC_KEY frame for the same channel with a higher Key Sequence Number.
  When the Key Sequence Number increases, the From Packet Number MUST increase.</t>
          </li>
          <li>
            <t>Secret Length: Provides the length of the secret field.</t>
          </li>
          <li>
            <t>Secret: A channel packet protection secret.
  Packet protection keys and IVs for channel packets are derived from this secret using the cipher suite identified in the corresponding MC_ANNOUNCE frame and the <tt>"quic key"</tt> and <tt>"quic iv"</tt> labels, as described in <xref section="5.1" sectionFormat="of" target="RFC9001"/>.
  This secret is not used to derive the header protection key.</t>
          </li>
        </ul>
      </section>
      <section anchor="channel-join-frame">
        <name>MC_JOIN</name>
        <t>An MC_JOIN frame (type TBD-02) is sent from server to client and requests that the client join the channel identified by Channel ID.
The client uses the channel's transport addresses and properties from the corresponding MC_ANNOUNCE frame.
The MC_KEY Sequence Number field identifies the channel key generation that the server expects the client to have available when processing channel packets.</t>
        <t>A client cannot join a multicast channel without first receiving an applicable MC_ANNOUNCE frame and an applicable MC_KEY frame for that channel.</t>
        <t>MC_JOIN frames are formatted as shown in <xref target="fig-mc-channel-join-format"/>.</t>
        <figure anchor="fig-mc-channel-join-format">
          <name>MC_JOIN Frame Format</name>
          <artwork><![CDATA[
MC_JOIN Frame {
  Type (i) = TBD-02 (experiments use 0xff3e802),
  ID Length (8),
  Channel ID (8..160),
  MC_LIMITS Sequence Number (i),
  MC_STATE Sequence Number (i),
  MC_KEY Sequence Number (i)
}
]]></artwork>
        </figure>
        <t>MC_JOIN frames contain the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>ID Length: The length in bytes of the Channel ID field.</t>
          </li>
          <li>
            <t>Channel ID: The channel ID for the channel that the client is requested to join.</t>
          </li>
          <li>
            <t>MC_LIMITS Sequence Number: The most recent Client Limits Sequence Number processed by the server when constructing this join request.
A value of 0 indicates that no MC_LIMITS frames have been processed by the server.</t>
          </li>
          <li>
            <t>MC_STATE Sequence Number: The most recent Client Channel State Sequence Number for this channel processed by the server when constructing this join request.
A value of 0 indicates that no MC_STATE frames have been processed by the server.</t>
          </li>
          <li>
            <t>MC_KEY Sequence Number: The Key Sequence Number for the channel key generation that the server expects the client to use when joining the channel.
This field MUST NOT be 0; a client that receives an MC_JOIN with an MC_KEY Sequence Number of 0 MUST treat this as a connection error of type MC_EXTENSION_ERROR.</t>
          </li>
        </ul>
        <t>If a client receives an MC_JOIN for a channel for which it has not received both an applicable MC_ANNOUNCE frame and an applicable MC_KEY frame, it MUST send an MC_STATE frame with State DECLINED_JOIN and Reason Code UNSYNCHRONIZED_PROPERTIES.</t>
        <t>Client responses to MC_JOIN are described in <xref target="client-response"/>.</t>
      </section>
      <section anchor="channel-leave-frame">
        <name>MC_LEAVE</name>
        <t>An MC_LEAVE frame (type=TBD-03) is sent by a server to request that the client leave the given channel.
MC_LEAVE does not retire the channel and the server can later send another MC_JOIN for the same channel as long as it is not retired.</t>
        <t>MC_LEAVE frames are formatted as shown in
<xref target="fig-mc-channel-leave-format"/>.</t>
        <figure anchor="fig-mc-channel-leave-format">
          <name>MC_LEAVE Frame Format</name>
          <artwork><![CDATA[
MC_LEAVE Frame {
  Type (i) = TBD-03 (experiments use 0xff3e803),
  ID Length (8),
  Channel ID (8..160),
  MC_STATE Sequence Number (i)
}
]]></artwork>
        </figure>
        <t>MC_LEAVE frames contain the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>ID Length: The length in bytes of the Channel ID field.</t>
          </li>
          <li>
            <t>Channel ID: The channel ID for the channel that the client is requested to leave.</t>
          </li>
          <li>
            <t>MC_STATE Sequence Number: The most recent Client Channel State Sequence Number for this channel processed by the server when constructing this leave request.
A value of 0 indicates that no MC_STATE frames have been processed by the server.
This value allows the client to ignore leave requests that are based on stale client channel state.</t>
          </li>
        </ul>
        <t>A client that receives an MC_LEAVE for a channel that it has already left, declined to join, or retired MUST ignore the frame.</t>
        <t>A client that has received an MC_JOIN or MC_LEAVE for the same Channel ID with a greater MC_STATE Sequence Number MUST ignore the MC_LEAVE frame.</t>
        <t>Otherwise, the client MUST leave the channel immediately.
Client responses to MC_LEAVE are described in <xref target="client-response"/>.</t>
      </section>
      <section anchor="channel-integrity-frame">
        <name>MC_INTEGRITY</name>
        <t>MC_INTEGRITY frames (types TBD-04 and TBD-05; experiments use 0xff3e804 and 0xff3e805) are sent from server to client and are used to convey packet hashes for validating the integrity of packets received on the multicast channel.</t>
        <t>MC_INTEGRITY frames are formatted as shown in <xref target="fig-mc-channel-integrity-format"/>.</t>
        <figure anchor="fig-mc-channel-integrity-format">
          <name>MC_INTEGRITY Frame Format</name>
          <artwork><![CDATA[
MC_INTEGRITY Frame {
  Type (i) = TBD-04..TBD-05 (experiments use 0xff3e804 and 0xff3e805),
  ID Length (8),
  Channel ID (8..160),
  Packet Number Start (i),
  [Packet Hashes Length (i)],
  Packet Hashes (..)
}
]]></artwork>
        </figure>
        <t>MC_INTEGRITY frames contain the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>ID Length: The length in bytes of the Channel ID field.</t>
          </li>
          <li>
            <t>Channel ID: The channel ID for the channel whose packet hashes are being provided.</t>
          </li>
          <li>
            <t>Packet Number Start: The packet number of the first channel packet covered by the Packet Hashes field.</t>
          </li>
          <li>
            <t>Packet Hashes Length: The length in bytes of the Packet Hashes field.
This field is present only when the frame type is TBD-05.</t>
          </li>
          <li>
            <t>Packet Hashes: A sequence of packet hashes.
The first hash corresponds to the packet with packet number Packet Number Start in the packet number
space of the channel identified by Channel ID.
Each subsequent hash corresponds to the next packet number in that packet number space.</t>
          </li>
        </ul>
        <t>For frames of type TBD-04, Packet Hashes Length is not present and the
Packet Hashes field extends to the end of the packet.
Therefore, an MC_INTEGRITY frame of type TBD-04 MUST be the final frame in the packet.</t>
        <t>Each hash has the length determined by the Integrity Hash Algorithm in the corresponding MC_ANNOUNCE frame.
The Packet Hashes field MUST contain a non-zero integer multiple of the hash length for the channel.</t>
        <t>A client that receives an MC_INTEGRITY frame whose Packet Hashes field is empty, or whose Packet Hashes field length is not an integer multiple of the hash length for the channel, MUST treat this as a connection error of type MC_EXTENSION_ERROR.</t>
        <t>Packet hashes are calculated as described in <xref target="packet-hashes"/>.</t>
      </section>
      <section anchor="channel-ack-frame">
        <name>MC_ACK</name>
        <t>MC_ACK frames (types TBD-06 and TBD-07; experiments use 0xff3e806..0xff3e807) are sent by a client to acknowledge packets received on a multicast channel.
MC_ACK extends the ACK frame defined by <xref section="19.3" sectionFormat="of" target="RFC9000"/> by adding a Channel ID.
Frames of type TBD-07 also contain ECN counts.</t>
        <t>MC_ACK frames are formatted as shown in <xref target="fig-mc-channel-ack-format"/>.</t>
        <figure anchor="fig-mc-channel-ack-format">
          <name>MC_ACK Frame Format</name>
          <artwork><![CDATA[
MC_ACK Frame {
  Type (i) = TBD-06..TBD-07 (experiments use 0xff3e806, 0xff3e807),
  ID Length (8),
  Channel ID (8..160),
  Largest Acknowledged (i),
  ACK Delay (i),
  ACK Range Count (i),
  First ACK Range (i),
  ACK Range (..) ...,
  [ECN Counts (..)],
}
]]></artwork>
        </figure>
        <t>MC_ACK frames contain the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>ID Length: The length in bytes of the Channel ID field.</t>
          </li>
          <li>
            <t>Channel ID: The channel ID for the channel whose packets are being acknowledged.</t>
          </li>
          <li>
            <t>Largest Acknowledged: The largest packet number being acknowledged in the packet number space of the channel identified by Channel ID.</t>
          </li>
          <li>
            <t>ACK Delay: The time delta between receipt of the largest acknowledged channel packet and transmission of this MC_ACK frame, encoded as described for ACK frames in <xref section="19.3" sectionFormat="of" target="RFC9000"/>.</t>
          </li>
          <li>
            <t>ACK Range Count, First ACK Range, and ACK Range: These fields have the same encoding and semantics as the corresponding fields of ACK frames defined by <xref section="19.3" sectionFormat="of" target="RFC9000"/>, except that packet numbers refer to the packet number space of the channel identified by Channel ID.</t>
          </li>
          <li>
            <t>ECN Counts: ECN counts for packets received on the channel, encoded as described for ACK frames with ECN counts in <xref section="19.3" sectionFormat="of" target="RFC9000"/>.
This field is present only when the frame type is TBD-07.</t>
          </li>
        </ul>
      </section>
      <section anchor="client-limits-frame">
        <name>MC_LIMITS</name>
        <t>MC_LIMITS frames are sent by a client to update the multicast channel
limits that were initially provided in the multicast_client_params
transport parameter (<xref target="transport-parameter"/>).
The server applies these limits as described in <xref target="flow-control"/>.
Each processed MC_LIMITS frame replaces the previously active client limits.</t>
        <t>MC_LIMITS frames are formatted as shown in <xref target="fig-mc-client-limits-format"/>.</t>
        <figure anchor="fig-mc-client-limits-format">
          <name>MC_LIMITS Frame Format</name>
          <artwork><![CDATA[
MC_LIMITS Frame {
  Type (i) = TBD-09 (experiments use 0xff3e809),
  Client Limits Sequence Number (i),
  Reserved (6),
  IPv4 Channels Allowed (1),
  IPv6 Channels Allowed (1),
  Max Aggregate Rate (i),
  Max Channel IDs (i),
  Max Joined Count (i),
}
]]></artwork>
        </figure>
        <t>MC_LIMITS frames contain the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>Client Limits Sequence Number: The sequence number of this limits update.
Before the first MC_LIMITS frame from the client, the implicit Client Limits Sequence Number is 0.  The first MC_LIMITS frame sent by the client MUST use Client Limits Sequence Number 1, and each subsequent MC_LIMITS frame MUST increase the Client Limits Sequence Number by 1.
An MC_LIMITS frame MUST NOT use Client Limits Sequence Number 0.</t>
          </li>
          <li>
            <t>Reserved: Reserved bits for future use.
These bits MUST be set to 0 by the client and MUST be ignored by the server.</t>
          </li>
          <li>
            <t>IPv4 Channels Allowed: A 1-bit field set to 1 if the client currently permits the server to request joins for IPv4 channels, and set to 0 otherwise.</t>
          </li>
          <li>
            <t>IPv6 Channels Allowed: A 1-bit field set to 1 if the client currently permits the server to request joins for IPv6 channels, and set to 0 otherwise.</t>
          </li>
          <li>
            <t>Max Aggregate Rate: The maximum aggregate rate, in Kibps, allowed across all channels that the client is concurrently requested to join.</t>
          </li>
          <li>
            <t>Max Channel IDs: The maximum number of channel IDs for which the client retains channel state.
Retired channel IDs do not count against this value.</t>
          </li>
          <li>
            <t>Max Joined Count: The maximum number of channels that the client can be asked to join concurrently.</t>
          </li>
        </ul>
        <t>A server MUST ignore an MC_LIMITS frame whose Client Limits Sequence Number is less than or equal to the largest Client Limits Sequence Number it has already processed on the connection.</t>
      </section>
      <section anchor="channel-retire-frame">
        <name>MC_RETIRE</name>
        <t>An MC_RETIRE frame retires a channel by Channel ID and causes the client
to discard any state associated with that channel.</t>
        <t>MC_RETIRE frames are formatted as shown in <xref target="fig-mc-channel-retire-format"/>.</t>
        <figure anchor="fig-mc-channel-retire-format">
          <name>MC_RETIRE Frame Format</name>
          <artwork><![CDATA[
MC_RETIRE Frame {
  Type (i) = TBD-0a (experiments use 0xff3e80a),
  ID Length (8),
  Channel ID (8..160)
}
]]></artwork>
        </figure>
        <t>MC_RETIRE frames contain the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>ID Length: The length in bytes of the Channel ID field.</t>
          </li>
          <li>
            <t>Channel ID: The channel ID for the channel that the client is requested to retire.</t>
          </li>
        </ul>
        <t>A client that processes an MC_RETIRE frame MUST retire the channel immediately and discard all state associated with that channel.
Client responses to MC_RETIRE are described in <xref target="client-response"/>.</t>
      </section>
      <section anchor="client-channel-state-frame">
        <name>MC_STATE</name>
        <t>MC_STATE frames are sent from client to server to report the client's
state for a multicast channel.</t>
        <t>MC_STATE frames are formatted as shown in <xref target="fig-mc-client-channel-state-format"/>.</t>
        <figure anchor="fig-mc-client-channel-state-format">
          <name>MC_STATE Frame Format</name>
          <artwork><![CDATA[
MC_STATE Frame {
  Type (i) = TBD-0b..TBD-0c (experiments use 0xff3e80b and 0xff3e80c),
  ID Length (8),
  Channel ID (8..160),
  Client Channel State Sequence Number (i),
  State (8),
  Reason Code (i),
  Reason Phrase Length (i),
  Reason Phrase (..)
}
]]></artwork>
        </figure>
        <t>MC_STATE frames contain the following fields:</t>
        <ul spacing="normal">
          <li>
            <t>ID Length: The length in bytes of the Channel ID field.</t>
          </li>
          <li>
            <t>Channel ID: The channel ID for the channel whose state is being reported.</t>
          </li>
          <li>
            <t>Client Channel State Sequence Number: The sequence number of this state update for the channel.
Before the first MC_STATE frame for a channel, the implicit Client Channel State Sequence Number is 0.
The first MC_STATE frame sent by the client for a channel MUST use Client Channel State Sequence Number 1, and each subsequent MC_STATE frame for that channel MUST increase the Client Channel State Sequence Number by 1.
An MC_STATE frame MUST NOT use Client Channel State Sequence Number 0.</t>
          </li>
          <li>
            <t>State: The client channel state being reported.
The following values are defined:  </t>
            <ul spacing="normal">
              <li>
                <t>0x1: LEFT</t>
              </li>
              <li>
                <t>0x2: DECLINED_JOIN</t>
              </li>
              <li>
                <t>0x3: JOINED</t>
              </li>
              <li>
                <t>0x4: RETIRED</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Reason Code: A code describing why the reported state was reached.</t>
          </li>
          <li>
            <t>Reason Phrase Length: The length of the Reason Phrase field.</t>
          </li>
          <li>
            <t>Reason Phrase: Optional diagnostic text describing the state change.
This field MUST NOT affect protocol behavior.</t>
          </li>
        </ul>
        <t>A server MUST ignore an MC_STATE frame whose Client Channel State Sequence Number is less than or equal to the largest Client Channel State Sequence Number it has already processed for that channel.</t>
        <t>If a server receives an MC_STATE frame with an undefined State value, it SHOULD close the connection with a connection error of type MC_EXTENSION_ERROR.</t>
        <t>Frames of type TBD-0b use reason codes defined by this specification.
These reason codes describe channel state changes caused by QUIC multicast transport behavior, local transport policy, or server requests.</t>
        <t>Frames of type TBD-0c carry application-defined Reason Code values.
As with application protocol error codes in <xref section="20.2" sectionFormat="of" target="RFC9000"/>, the application protocol using this extension defines the semantics and allocation policy for these values.</t>
        <t>If State is JOINED or RETIRED, the frame type MUST be TBD-0b and the Reason Code MUST be REQUESTED_BY_SERVER (0x1).</t>
        <t>If State is LEFT or DECLINED_JOIN and the frame type is TBD-0b, the Reason Code field is set to one of the following values:</t>
        <ul spacing="normal">
          <li>
            <t>0x0: UNSPECIFIED_OTHER</t>
          </li>
          <li>
            <t>0x1: REQUESTED_BY_SERVER</t>
          </li>
          <li>
            <t>0x2: ADMINISTRATIVE_BLOCK</t>
          </li>
          <li>
            <t>0x3: PROTOCOL_ERROR</t>
          </li>
          <li>
            <t>0x4: PROPERTY_VIOLATION</t>
          </li>
          <li>
            <t>0x5: UNSYNCHRONIZED_PROPERTIES</t>
          </li>
          <li>
            <t>0x6: ID_COLLISION</t>
          </li>
          <li>
            <t>0x10: HELD_DOWN</t>
          </li>
          <li>
            <t>0x12: MAX_RATE_EXCEEDED</t>
          </li>
          <li>
            <t>0x13: HIGH_LOSS</t>
          </li>
          <li>
            <t>0x14: EXCESSIVE_SPURIOUS_TRAFFIC</t>
          </li>
          <li>
            <t>0x15: MAX_STREAMS_EXCEEDED</t>
          </li>
          <li>
            <t>0x16: LIMIT_VIOLATION</t>
          </li>
          <li>
            <t>0x17: AUTHENTICATION_DELAY_EXCEEDED</t>
          </li>
        </ul>
        <t>If a server receives an MC_STATE frame of type TBD-0b with an undefined Reason Code, it SHOULD close the connection with a connection error of type MC_EXTENSION_ERROR.</t>
        <t>(Author's note TODO: consider whether these reasons should be added to the QUIC Transport Error Codes registry (<xref section="22.5" sectionFormat="of" target="RFC9000"/>) instead of defining a new registry specific to multicast.)</t>
      </section>
      <section anchor="retransmission-of-information">
        <name>Retransmission of information</name>
        <t>In addition to the mechanisms used for retransmission described in <xref section="13.3" sectionFormat="of" target="RFC9000"/> and <xref section="5.2" sectionFormat="of" target="RFC9221"/> the following rules apply to the newly introduced frames:</t>
        <ul spacing="normal">
          <li>
            <t>As the properties carried in MC_ANNOUNCE frames can not change during the lifetime of a channel, information contained in them can be retransmitted without any special considerations.</t>
          </li>
          <li>
            <t>Since conditions of the client or channel can have changed by the time a retransmission of an MC_JOIN, MC_LEAVE or MC_RETIRE channel becomes necessary, a retransmission might no longer be required or even appropriate. A retransmission SHOULD only occur if the channel in question should still be joined/left/retired.</t>
          </li>
          <li>
            <t>Retransmission of information contained in MC_ACK frames MUST be handled exactly as with regular ACK frames.</t>
          </li>
          <li>
            <t>For MC_KEY, MC_LIMITS, and MC_STATE, retransmissions MUST include the most up-to-date information.</t>
          </li>
          <li>
            <t>For MC_INTEGRITY, a server MUST retransmit packet hashes that are still needed to authenticate channel packets that the server expects receivers to process.
For this purpose, a packet hash is still needed while the corresponding channel packet is within the buffering interval implied by the channel's Max Authentication Delay, unless the server has channel-specific or application-specific information that receivers are no longer expected to buffer or process that packet.
A server SHOULD NOT retransmit MC_INTEGRITY information for packets that it no longer expects receivers to buffer or process.
The same packet hash MAY be sent in more than one MC_INTEGRITY frame.
Servers SHOULD prioritize retransmission of MC_INTEGRITY information whose absence is likely to cause receivers to exceed the Max Authentication Delay advertised for the channel.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="frames-carried-in-channel-packets">
      <name>Frames Carried in Channel Packets</name>
      <t>Multicast channels will contain normal QUIC 1-RTT data packets (see <xref section="17.3.1" sectionFormat="of" target="RFC9000"/>) except using the Channel ID instead of a Connection ID.  The packets are protected with the keys derived from the secrets in MC_KEY frames for the corresponding channel.</t>
      <t>Data packet hashes will also be sent in MC_INTEGRITY frames, as keys cannot be trusted for integrity due to giving them to too many receivers, as described in <xref target="I-D.draft-krose-multicast-security"/>.</t>
      <t>The set of frames that can appear in a channel packet is restricted.
A server MUST NOT send a frame in a channel packet unless the frame is valid in a QUIC 1-RTT packet and either:</t>
      <ul spacing="normal">
        <li>
          <t>the definition of the frame explicitly permits its use in channel packets; or</t>
        </li>
        <li>
          <t>the frame operates only on state that is shared by all receivers of the channel; receiving it will have the same effect for all receivers.</t>
        </li>
      </ul>
      <t>A frame is not permitted in a channel packet if processing the frame depends on state that is specific to an individual receiver, path, or unicast connection.
This includes, but is not limited to, frames that are part of the cryptographic handshake, address validation, connection ID migration, flow control or connection termination.</t>
      <t>A frame is also not permitted in a channel packet if it is defined only for client-to-server use, or if it would require the server to respond to a single client via the multicast channel (e.g., PATH_CHALLENGE).</t>
      <t>A client that receives a frame in an authenticated channel packet that is not permitted SHOULD close the connection with a connection error of type MC_EXTENSION_ERROR.</t>
      <t>For example, frames such as ACK, CRYPTO, NEW_TOKEN, STOP_SENDING, MAX_DATA, MAX_STREAMS, NEW_CONNECTION_ID, RETIRE_CONNECTION_ID, PATH_CHALLENGE, PATH_RESPONSE, CONNECTION_CLOSE, and HANDSHAKE_DONE are not permitted in channel packets because their semantics are tied to an individual QUIC connection.</t>
      <t>On the other hand, PADDING and PING frames are permitted in channel packets because they do not affect receiver-specific state.
STREAM, RESET_STREAM, and DATAGRAM frames are permitted when they carry data scoped to the multicast channel.
MC_ANNOUNCE, MC_INTEGRITY, MC_KEY and MC_RETIRE frames are permitted because they operate on multicast channel state independently of any individual associated unicast connection.</t>
      <t>MC_JOIN and MC_LEAVE are not permitted in channel packets because their semantics depend on state specific to an individual associated connection, including MC_LIMITS and MC_STATE sequence numbers.</t>
    </section>
    <section anchor="implementation-and-operational-considerations">
      <name>Implementation and Operational Considerations</name>
      <section anchor="constraints-on-stream-data">
        <name>Constraints on Stream Data</name>
        <t>Note that when a newly connected client joins a channel, the client will only be able to receive application data carried in stream frames delivered on that channel when they have received the stream data starting from offset 0 of the stream.</t>
        <t>This usually means that new streams must be started for application data carried in channel packets whenever there might be new clients that have joined since an earlier stream started. If the server deems it convenient, it could also send preceding data for that stream over the unicast connection to catch the client up.</t>
        <t>With broadcast video, this usually means a new stream is necessary for every video segment or group of video frames since new clients will join throughout the broadcast, whereas for video conferencing, it could be possible to start a new stream whenever new clients join the conference without needing a new stream per object.</t>
      </section>
      <section anchor="application-use-cases">
        <name>Application Use Cases</name>
        <t>There are several known applications that could benefit from using multicast QUIC, either with their own custom application-layer transport or with one of the transports discussed in <xref target="data-use-cases"/>.  A few examples include:</t>
        <ul spacing="normal">
          <li>
            <t>Existing multicast-capable applications that are modified to use QUIC datagrams instead of UDP payloads can potentially get improved encryption and congestion feedback, while keeping existing error recovery techniques (e.g. techniques based on the forward error correction (FEC) framework in <xref target="RFC6363"/>).
            </t>
            <ul spacing="normal">
              <li>
                <t>An external tunnel could supply this kind of encapsulation without modification to the sender or receiver for some applications, while retaining the benefits of multicast scalability</t>
              </li>
              <li>
                <t>Using QUIC datagrams in place of UDP packets could usefully support existing implementations of file-transfer protocols like FLUTE <xref target="RFC6726"/> or FCAST <xref target="RFC6968"/> to enable file downloads such as operating system updates or popular game downloads, but adding encryption, packet-level authentication, and congestion control as provided by QUIC.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Conferencing systems, especially within an enterprise that can deploy multicast network support, often can save significantly on server costs by using multicast</t>
          </li>
          <li>
            <t>The traditional multicast use case of broadcasting of live sports with a set-top box would benefit from an interoperable system such as these QUIC extensions that can fall back to unicast transparently as needed, for example if there are a few customers who installed a non-multicast-capable home router.</t>
          </li>
          <li>
            <t>Smart TVs or other video playing in-home devices could interoperate with a standard sender using multicast QUIC, rather than requiring proprietary integrations with TV operators.</t>
          </li>
        </ul>
      </section>
      <section anchor="data-use-cases">
        <name>Data Transport Use Cases</name>
        <t>This section outlines considerations for some known transport mechanisms that are worth highlighting as potentially useful with multicast QUIC.</t>
        <section anchor="server-push">
          <name>HTTP/3 Server Push</name>
          <t>HTTP/3 Server Push is defined in <xref section="4.6" sectionFormat="of" target="RFC9114"/>.</t>
          <t>Server push is a good use case for multicast transport because the same data can be pushed to many different receivers on a multicast channel.
Applications designed to work well with server push can leverage multicast QUIC very effectively with only a few extra considerations.</t>
          <t>A QUIC connection using HTTP/3 can use multicast channels to deliver server-initiated streams that implement HTTP/3 Server Push.</t>
          <t>Applications expecting to use server push with multicast SHOULD use a high MAX_PUSH_ID in order to work with channels that have been active for a long time already when the connection is first established.
Servers SHOULD NOT allow clients to remain joined to channels if their MAX_PUSH_ID will be exceeded by push streams that are to be sent imminently.</t>
          <t>If a client receives data from a push ID that exceeds its MAX_PUSH_ID causing an H3_ID_ERROR on a multicast channel, it SHOULD leave the channel with reason 0x1000108 (computed by adding the H3_ID_ERROR value 0x0108 to the Application-defined Reason start value 0x1000000).
This SHOULD NOT cause a close of the whole connection but MAY cause a stream error and reset of the stream.</t>
          <t>TODO: flesh out this principle for application-level error code assignment in general for known error code values, and specifically all HTTP/3 ones? (Or is there a better approach?)</t>
        </section>
        <section anchor="webtransport">
          <name>HTTP/3 WebTransport Streams</name>
          <t>WebTransport over HTTP/3 is defined in <xref target="I-D.draft-ietf-webtrans-http3"/>.</t>
          <t>Popular data that can be sent with server-initiated streams and carried over WebTransport is a good use case for multicast transport because the same server-to-client data can be pushed to many different receivers on a multicast channel.</t>
          <t>A QUIC connection using HTTP/3 and WebTransport can use multicast channels to deliver WebTransport server-initiated streams.</t>
          <t>However, because the WebTransport Session ID is a client-specific value, the bytes that carry the WebTransport Session ID value within the stream would need to be carried over unicast, since it's not the same for different clients.</t>
          <t>For this situation, note that the Session ID is a variable length integer, and that a variable length integer can be encoded in any size that's big enough to hold it.  In particular, it's possible to use the largest size of any Session IDs of any of the WebTransport sessions of any clients (or 8 octets, the maximum size for a variable length integer), and that all clients receiving stream data on a channel will need to use the same size for the Session ID so that the rest of the stream data will be at the same offset for every client.</t>
        </section>
        <section anchor="datagrams">
          <name>Datagrams</name>
          <t>DATAGRAM frames in channel packets are subject to the max_datagram_frame_size transport parameter defined in <xref target="RFC9221"/> on each associated QUIC connection.
A server MUST NOT send MC_JOIN to a client for a channel that carries DATAGRAM frames unless that client advertised max_datagram_frame_size with a non-zero value.</t>
          <t>A server MUST NOT send MC_JOIN to a client for a channel if the server expects that channel to carry DATAGRAM frames larger than the max_datagram_frame_size value advertised by that client.
If the server later sends larger DATAGRAM frames on that channel, clients whose advertised max_datagram_frame_size is exceeded will process this as specified by <xref target="RFC9221"/>, which can result in termination of their associated QUIC connections.</t>
          <t>Using DATAGRAM frames can align well with existing multicast UDP-based applications, since a datagram API in a QUIC application offers similar functionality to a UDP API for sending and receiving packets.</t>
          <t>However, at the time of this writing, HTTP/3 datagrams <xref target="RFC9297"/>, including WebTransport datagrams as defined by <xref target="I-D.draft-ietf-webtrans-http3"/>, generally cannot be delivered over multicast channels, since the demuxing of WebTransport datagrams uses a Session ID based on a client-specific value (the HTTP/3 Session ID comes from the Stream ID of the client-initiated stream that issued the initial extended CONNECT request).</t>
          <t>It is therefore hoped that an extension or revision to WebTransport and HTTP/3 datagrams can be adopted in a future version of their specifications that make it possible to use a server-chosen Session ID value for demuxing WebTransport datagrams (and HTTP/3 datagrams in general).</t>
          <t>Such a value could for instance be sent in an HTTP/3 response header, and as long as it is unique within the connection and avoids collision with any client-initiated stream ID values, it could still be used to multiplex data associated with different HTTP/3 traffic and different WebTransport sessions carried on the same connection.
Then by choosing the same server-chosen session ID for all the connections, the server would be able to use the same channel to carry the identical complete datagrams, including the server-chosen Session ID, to multiple receivers that the server asks to join the same channel.
Such a change could either replace the current client-chosen definition for Session ID in server-to-client datagrams, or could add new HTTP/3 frame types that allow a server-chosen Session ID when the client has advertised support for this extended functionality.</t>
        </section>
      </section>
      <section anchor="moving-clients-between-channels">
        <name>Moving Clients Between Channels</name>
        <t>MC_LEAVE and MC_RETIRE take effect immediately when processed by the receiver.
These frames do not provide a mechanism for draining a channel up to a packet-number boundary.</t>
        <t>A server that wants to minimize loss when moving receivers away from a channel SHOULD stop scheduling new data on the old channel before sending MC_LEAVE or MC_RETIRE, or provide any required replacement data over the associated unicast connection or another channel.</t>
        <t>For example, when switching receivers from one channel to another, a server can stop sending new application data that is important for those receivers on the old channel, send any transition data on the unicast connection or the new channel, and then send MC_LEAVE or MC_RETIRE for the old channel.</t>
      </section>
      <section anchor="graceful-degradation">
        <name>Graceful Degradation</name>
        <t>Clients with multicast QUIC support can stop accepting multicast for a variety of reasons.</t>
        <t>Applications like live broadcast-scale video that rely on multicast QUIC may benefit from anticipating that clients might stop using multicast and providing data feeds with similar content that can scale even if many clients stop using multicast, for example by ensuring that a lower-bitrate rendition can still be delivered over unicast to all or most of the clients simultaneously, and ensuring that the server has a way to make the client start using the low-bitrate version when it switches to unicast.</t>
        <t>While some existing Adaptive Bitrate video players might have an easy way to provide this, other video players might need specialized logic to provide the server a way to control what bitrate individual clients consume.
Although under ideal conditions it may often be possible using features like server push (<xref target="server-push"/>) to use unmodified existing HTTP-based video players with multicast QUIC, in practice it may require extra development at the application level to make a player that robustly delivers a good user experience under variable network conditions, depending on the scalability gains that multicast transport is providing and the Adaptive Bitrate algorithms the player is using.</t>
        <section anchor="circuit-breakers">
          <name>Circuit Breakers</name>
          <t>Operators of multicast QUIC services should consider that some networks may implement circuit breakers such as the one described in <xref target="I-D.draft-ietf-mboned-cbacc"/>, or similar network-level safety features that might cut off previously operational multicast transport under certain conditions.</t>
          <t>The servers will notice the transport loss from the lack of MC_ACK frames from receivers in a network that cut off multicast transport, but it may be beneficial when possible in a transport cutoff event correlated across many clients to pace the recovery response according to aggregations of the affected clients so that a sudden unicast storm doesn't overload the network further.</t>
        </section>
      </section>
      <section anchor="server-scalability">
        <name>Server Scalability</name>
        <t>Use of QUIC multicast channels can provide large scalability gains, but there still will be significant scaling requirements on server operators to support a large client footprint.</t>
        <t>Servers, possibly many of them, still will be required to maintain unicast connections with all the clients and provide for handling MC_ACK frames from the clients, delivering MC_INTEGRITY frames, managing the clients' channel join states, and providing recovery for lost packets.</t>
        <t>Further, the use of multicast channels likely requires increased coordination between the different servers, relative to services that operate completely independently.</t>
        <t>For large deployments, server implementations will often need to operate on separate devices from the ones generating the multicast channel packets, and will need to be designed accordingly.</t>
        <t>Because multiple MC_ACK frames can be bundled for efficiency, servers SHOULD retain information needed for loss recovery for at least the channel's Max ACK Delay plus half the RTT between client and server.
The MC_ACK policy advertised in MC_ANNOUNCE controls when clients send MC_ACK frames for a channel.
Clients MAY send MC_ACK frames more frequently than this policy requires, but SHOULD avoid sending them less frequently.
Servers should choose Max ACK Delay, Ack-Eliciting Threshold, and Reordering Threshold values that balance uplink load against the need for timely loss, congestion, ECN, and liveness feedback.</t>
      </section>
      <section anchor="address-collisions">
        <name>Address Collisions</name>
        <t>Multicast channels at the network layer are addressed with a source IP, a destination group IP address, and a destination UDP port.</t>
        <t>This creates a number of potential address collision considerations that are worth mentioning:</t>
        <ol spacing="normal" type="1"><li>
            <t>If properties change for the data being used in a channel (for example, new video encoding settings might result in a change to the expected max rate for a video feed), a server might reuse the same network addresses in a new QUIC multicast channel, and might send a join for the new channel and a leave for the old channel to clients that can support the new max rate.  If they arrive together, this could be handled by the client without making a change to the IGMP or MLD membership state, as an optimization that can prevent the need for some recovery, or even by reusing the same UDP socket.  Doing so does not change any requirements for the channel state management at the QUIC layer, and as long as the situation is transient, should not result in leaving due to Excessive Spurious Traffic even if some packets were reordered or may still be in flight.</t>
          </li>
          <li>
            <t>As described in <xref section="6" sectionFormat="of" target="RFC4607"/>, link-layer addresses can be linked to the low-order bits of multicast addresses, and may be the same for different group destinations.  Collisions in the link-layer addressing, even with traffic that comes from other sources, can cause congestion or receiver CPU load for colliding channels that might be different from that seen with other channels that were delivered with apparently the same network paths.</t>
          </li>
          <li>
            <t>Even though multicast QUIC uses only source-specific multicast, older networks with devices that don't have IGMPv3 or MLDv2 support can propagate the joins as any-source multicast. If there are active senders sending to that destination, this can cause network congestion and CPU load due to discarding packets from the wrong source, even though at the application layer the UDP socket won't receive those packets from the wrong source.</t>
          </li>
          <li>
            <t>If different channels use the same (S,G) but different UDP ports, they will share the same multicast forwarding tree in an IP network. This is often useful when the data in the channels are linked, for example if MC_INTEGRITY frames are carried on one channel for packets carried on another channel, because it provides some fate-sharing for the linked data.  However, for data that is not so linked, it would generally be a disadvantage to share the (S,G) because the network link of any receiver joined to one of those channels but not the other would receive both packets and throw away the data for the un-joined port, causing extra congestion and CPU load for the receiving device.</t>
          </li>
        </ol>
      </section>
      <section anchor="buffering-unauthenticated-packets">
        <name>Buffering Unauthenticated Packets</name>
        <t>Clients need to buffer multicast packets that have been received but not yet authenticated if they want to process those packets after the corresponding MC_INTEGRITY information arrives.
The amount of memory needed for this buffer is a function of the channel rate, the delay in receiving integrity information, packet reordering, and implementation policy.</t>
        <t>Max Authentication Delay is a channel property because the amount of receiver buffering required for unauthenticated packets depends on the channel's rate, the way integrity information is distributed for that channel, and the latency requirements of the application data carried on that channel.
For example, a low-latency media channel might require integrity information to arrive quickly, while a file-transfer or software-update channel might tolerate a larger authentication delay in exchange for lower unicast integrity traffic or larger integrity blocks.</t>
        <t>Servers SHOULD choose Max Authentication Delay values that are appropriate for the channel's media or application latency requirements and for expected receiver memory constraints.
Servers SHOULD send and retransmit MC_INTEGRITY information so that, under normal operating conditions, receivers can authenticate packets within the advertised Max Authentication Delay.
The exact scheduling of redundant transmission and retransmission is implementation-dependent, but the advertised Max Authentication Delay defines the default interval during which receivers are expected to retain unauthenticated packets.
Clients MAY use local policy to impose a smaller buffering limit than the value advertised by the server, in which case they might discard unauthenticated packets or leave the channel.</t>
        <t>The usefulness of retransmitting MC_INTEGRITY information depends on whether receivers are still expected to have the corresponding multicast packets buffered.
Once receivers are expected to have discarded a packet, retransmitting integrity information for that packet is unlikely to help those receivers process application data.</t>
        <t>This consideration is especially important when MC_INTEGRITY information is sent on the unicast connection and retransmitted for individual receivers.
It is also important for channels carrying delay-sensitive unreliable data, such as DATAGRAM frames for real-time applications.
For such channels, servers can reduce wasted work by sending integrity information redundantly near the original packet transmission and by avoiding late retransmission of integrity information after the packet's expected usefulness has expired.</t>
      </section>
      <section anchor="spurious-channel-traffic">
        <name>Spurious Channel Traffic</name>
        <t>A client can receive multicast packets that it cannot associate with a joined channel, that cannot be authenticated using accepted MC_INTEGRITY information, or that cannot be decrypted using an applicable channel
secret.
Such packets can be caused by corruption, loss or delay of control information, misconfiguration, or injection by an attacker.</t>
        <t>A client MAY discard such packets without further processing.
If spurious traffic is persistently received for an (S,G) used by one or more joined channels, and the traffic interferes with reception or causes excessive resource use, the client MAY leave the affected channels and send MC_STATE with State LEFT and Reason Code EXCESSIVE_SPURIOUS_TRAFFIC.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>(Authors comment: Mostly incorporate <xref target="I-D.draft-krose-multicast-security"/>.  Anything else?</t>
      <t>e.g. if a different legitimate quic connection says someone
else's quic multicast stream is theirs, that's maybe a problem
worth protecting against.  Maybe we need a periodic asymmetric
challenge?  I'm thinking send a public key on the multicast
channel and in the unicast channels send an individualized MAC
signed with the private key and verify it with the public key,
so that in addition to validating that the unicast server knows
the contents of the multicast packets via the hashes it supplies,
the multicast stream provides a way for the client to validate
that the unicast stream is authorized to use it for data transport
via proof they know the private key corresponding to the public
key that arrived on the multicast channel.
Note this doesn't prevent unauthorized receipt of multicast
data packets, but does prevent a quic server from lying when
claiming a multicast data channel belongs to it, preventing
legit receivers from consuming it.</t>
      <t>alternatively, can the multicast channel just periodically say
what domain name is expected for the quic connection and get the
same crypto guarantee of a proper sender via the domain's cert,
which was already checked on the unicast channel?)</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>TODO: MC_EXTENSION_ERROR error code</t>
      <t>TODO: lots</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="I-D.draft-krose-multicast-security">
          <front>
            <title>Security and Privacy Considerations for Multicast Transports</title>
            <author fullname="Kyle Rose" initials="K." surname="Rose">
              <organization>Akamai Technologies, Inc.</organization>
            </author>
            <author fullname="Max Franke" initials="M." surname="Franke">
              <organization>TU Berlin</organization>
            </author>
            <author fullname="Jake Holland" initials="J." surname="Holland">
              <organization>Akamai Technologies, Inc.</organization>
            </author>
            <date day="7" month="May" year="2025"/>
            <abstract>
              <t>   Interdomain multicast has unique potential to solve delivery
   scalability for popular content, but it carries a set of security and
   privacy issues that differ from those in unicast delivery.  This
   document analyzes the security threats unique to multicast-based
   delivery for Internet and Web traffic under the Internet and Web
   threat models.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/squarooticus/draft-krose-multicast-security.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-krose-multicast-security-07"/>
        </reference>
        <reference anchor="I-D.draft-ietf-mboned-ambi">
          <front>
            <title>Asymmetric Manifest Based Integrity</title>
            <author fullname="Jake Holland" initials="J." surname="Holland">
              <organization>Akamai Technologies, Inc.</organization>
            </author>
            <author fullname="Kyle Rose" initials="K." surname="Rose">
              <organization>Akamai Technologies, Inc.</organization>
            </author>
            <author fullname="Max Franke" initials="M." surname="Franke">
              <organization>TU Berlin</organization>
            </author>
            <date day="17" month="October" year="2025"/>
            <abstract>
              <t>   This document defines Asymmetric Manifest-Based Integrity (AMBI).
   AMBI allows each receiver or forwarder of a stream of multicast
   packets to check the integrity of the contents of each packet in the
   data stream.  AMBI operates by passing cryptographically verifiable
   hashes of the data packets inside manifest messages, and sending the
   manifests over authenticated out-of-band communication channels.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-mboned-ambi-05"/>
        </reference>
        <reference anchor="I-D.draft-ietf-mboned-cbacc">
          <front>
            <title>Circuit Breaker Assisted Congestion Control</title>
            <author fullname="Jake Holland" initials="J." surname="Holland">
              <organization>Akamai Technologies, Inc.</organization>
            </author>
            <author fullname="Kyle Rose" initials="K." surname="Rose">
              <organization>Akamai Technologies, Inc.</organization>
            </author>
            <author fullname="Max Franke" initials="M." surname="Franke">
              <organization>TU Berlin</organization>
            </author>
            <date day="17" month="October" year="2025"/>
            <abstract>
              <t>   This document specifies Circuit Breaker Assisted Congestion Control
   (CBACC).  CBACC enables fast-trip Circuit Breakers by publishing rate
   metadata about multicast channels from senders to intermediate
   network nodes or receivers.  The circuit breaker behavior is defined
   as a supplement to receiver driven congestion control systems, to
   preserve network health if misbehaving or malicious receiver
   applications subscribe to a volume of traffic that exceeds capacity
   policies or capability for a network or receiving device.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-mboned-cbacc-06"/>
        </reference>
        <reference anchor="I-D.draft-ietf-quic-multipath">
          <front>
            <title>Managing multiple paths for a QUIC connection</title>
            <author fullname="Yanmei Liu" initials="Y." surname="Liu">
              <organization>Alibaba Inc.</organization>
            </author>
            <author fullname="Yunfei Ma" initials="Y." surname="Ma">
              <organization>Uber Technologies Inc.</organization>
            </author>
            <author fullname="Quentin De Coninck" initials="Q." surname="De Coninck">
              <organization>University of Mons (UMONS)</organization>
            </author>
            <author fullname="Olivier Bonaventure" initials="O." surname="Bonaventure">
              <organization>UCLouvain and WELRI</organization>
            </author>
            <author fullname="Christian Huitema" initials="C." surname="Huitema">
              <organization>Private Octopus Inc.</organization>
            </author>
            <author fullname="Mirja Kühlewind" initials="M." surname="Kühlewind">
              <organization>Ericsson</organization>
            </author>
            <date day="17" month="March" year="2026"/>
            <abstract>
              <t>   This document specifies a multipath extension for the QUIC protocol
   to enable the simultaneous usage of multiple paths for a single
   connection.  It introduces explicit path identifiers to create,
   delete, and manage multiple paths.  This document does not specify
   address discovery or management, nor how applications using QUIC
   schedule traffic over multiple paths.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-quic-multipath-21"/>
        </reference>
        <reference anchor="IANA.tls-parameters" target="https://www.iana.org/assignments/tls-parameters">
          <front>
            <title>Transport Layer Security (TLS) Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="I-D.ietf-quic-ack-frequency">
          <front>
            <title>QUIC Acknowledgment Frequency</title>
            <author fullname="Jana Iyengar" initials="J." surname="Iyengar">
              <organization>Fastly</organization>
            </author>
            <author fullname="Ian Swett" initials="I." surname="Swett">
              <organization>Google</organization>
            </author>
            <author fullname="Mirja Kühlewind" initials="M." surname="Kühlewind">
              <organization>Ericsson</organization>
            </author>
            <date day="5" month="February" year="2026"/>
            <abstract>
              <t>   This document specifies an extension to QUIC that enables an endpoint
   to request its peer change its behavior when sending or delaying
   acknowledgments.

Note to Readers

   Discussion of this draft takes place on the QUIC working group
   mailing list (quic@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/search/?email_list=quic.  Source
   code and issues list for this draft can be found at
   https://github.com/quicwg/ack-frequency.

   Working Group information can be found at https://github.com/quicwg.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-quic-ack-frequency-14"/>
        </reference>
        <reference anchor="RFC8085">
          <front>
            <title>UDP Usage Guidelines</title>
            <author fullname="L. Eggert" initials="L." surname="Eggert"/>
            <author fullname="G. Fairhurst" initials="G." surname="Fairhurst"/>
            <author fullname="G. Shepherd" initials="G." surname="Shepherd"/>
            <date month="March" year="2017"/>
            <abstract>
              <t>The User Datagram Protocol (UDP) provides a minimal message-passing transport that has no inherent congestion control mechanisms. This document provides guidelines on the use of UDP for the designers of applications, tunnels, and other protocols that use UDP. Congestion control guidelines are a primary focus, but the document also provides guidance on other topics, including message sizes, reliability, checksums, middlebox traversal, the use of Explicit Congestion Notification (ECN), Differentiated Services Code Points (DSCPs), and ports.</t>
              <t>Because congestion control is critical to the stable operation of the Internet, applications and other protocols that choose to use UDP as an Internet transport must employ mechanisms to prevent congestion collapse and to establish some degree of fairness with concurrent traffic. They may also need to implement additional mechanisms, depending on how they use UDP.</t>
              <t>Some guidance is also applicable to the design of other protocols (e.g., protocols layered directly on IP or via IP-based tunnels), especially when these protocols do not themselves provide congestion control.</t>
              <t>This document obsoletes RFC 5405 and adds guidelines for multicast UDP usage.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="145"/>
          <seriesInfo name="RFC" value="8085"/>
          <seriesInfo name="DOI" value="10.17487/RFC8085"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="RFC9001">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="RFC9002">
          <front>
            <title>QUIC Loss Detection and Congestion Control</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="I. Swett" initials="I." role="editor" surname="Swett"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes loss detection and congestion control mechanisms for QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9002"/>
          <seriesInfo name="DOI" value="10.17487/RFC9002"/>
        </reference>
        <reference anchor="RFC9221">
          <front>
            <title>An Unreliable Datagram Extension to QUIC</title>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="E. Kinnear" initials="E." surname="Kinnear"/>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <date month="March" year="2022"/>
            <abstract>
              <t>This document defines an extension to the QUIC transport protocol to add support for sending and receiving unreliable datagrams over a QUIC connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9221"/>
          <seriesInfo name="DOI" value="10.17487/RFC9221"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.draft-ietf-webtrans-http3">
          <front>
            <title>WebTransport over HTTP/3</title>
            <author fullname="Alan Frindell" initials="A." surname="Frindell">
              <organization>Facebook</organization>
            </author>
            <author fullname="Eric Kinnear" initials="E." surname="Kinnear">
              <organization>Apple Inc.</organization>
            </author>
            <author fullname="Victor Vasiliev" initials="V." surname="Vasiliev">
              <organization>Google</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   WebTransport [OVERVIEW] is a protocol framework that enables
   application clients constrained by the Web security model to
   communicate with a remote application server using a secure
   multiplexed transport.  This document describes a WebTransport
   protocol that is based on HTTP/3 [HTTP3] and provides support for
   unidirectional streams, bidirectional streams, and datagrams, all
   multiplexed within the same HTTP/3 connection.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-webtrans-http3-15"/>
        </reference>
        <reference anchor="I-D.draft-michel-quic-fec">
          <front>
            <title>Forward Erasure Correction for QUIC loss recovery</title>
            <author fullname="François Michel" initials="F." surname="Michel">
              <organization>UCLouvain</organization>
            </author>
            <author fullname="Olivier Bonaventure" initials="O." surname="Bonaventure">
              <organization>UCLouvain, WEL RI</organization>
            </author>
            <date day="23" month="October" year="2023"/>
            <abstract>
              <t>   This documents lays down the QUIC protocol design considerations
   needed for QUIC to apply Forward Erasure Correction on the data sent
   through the network.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-michel-quic-fec-01"/>
        </reference>
        <reference anchor="RFC4607">
          <front>
            <title>Source-Specific Multicast for IP</title>
            <author fullname="H. Holbrook" initials="H." surname="Holbrook"/>
            <author fullname="B. Cain" initials="B." surname="Cain"/>
            <date month="August" year="2006"/>
            <abstract>
              <t>IP version 4 (IPv4) addresses in the 232/8 (232.0.0.0 to 232.255.255.255) range are designated as source-specific multicast (SSM) destination addresses and are reserved for use by source-specific applications and protocols. For IP version 6 (IPv6), the address prefix FF3x::/32 is reserved for source-specific multicast use. This document defines an extension to the Internet network service that applies to datagrams sent to SSM addresses and defines the host and router requirements to support this extension. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4607"/>
          <seriesInfo name="DOI" value="10.17487/RFC4607"/>
        </reference>
        <reference anchor="RFC6363">
          <front>
            <title>Forward Error Correction (FEC) Framework</title>
            <author fullname="M. Watson" initials="M." surname="Watson"/>
            <author fullname="A. Begen" initials="A." surname="Begen"/>
            <author fullname="V. Roca" initials="V." surname="Roca"/>
            <date month="October" year="2011"/>
            <abstract>
              <t>This document describes a framework for using Forward Error Correction (FEC) codes with applications in public and private IP networks to provide protection against packet loss. The framework supports applying FEC to arbitrary packet flows over unreliable transport and is primarily intended for real-time, or streaming, media. This framework can be used to define Content Delivery Protocols that provide FEC for streaming media delivery or other packet flows. Content Delivery Protocols defined using this framework can support any FEC scheme (and associated FEC codes) that is compliant with various requirements defined in this document. Thus, Content Delivery Protocols can be defined that are not specific to a particular FEC scheme, and FEC schemes can be defined that are not specific to a particular Content Delivery Protocol. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6363"/>
          <seriesInfo name="DOI" value="10.17487/RFC6363"/>
        </reference>
        <reference anchor="RFC6726">
          <front>
            <title>FLUTE - File Delivery over Unidirectional Transport</title>
            <author fullname="T. Paila" initials="T." surname="Paila"/>
            <author fullname="R. Walsh" initials="R." surname="Walsh"/>
            <author fullname="M. Luby" initials="M." surname="Luby"/>
            <author fullname="V. Roca" initials="V." surname="Roca"/>
            <author fullname="R. Lehtonen" initials="R." surname="Lehtonen"/>
            <date month="November" year="2012"/>
            <abstract>
              <t>This document defines File Delivery over Unidirectional Transport (FLUTE), a protocol for the unidirectional delivery of files over the Internet, which is particularly suited to multicast networks. The specification builds on Asynchronous Layered Coding, the base protocol designed for massively scalable multicast distribution. This document obsoletes RFC 3926. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6726"/>
          <seriesInfo name="DOI" value="10.17487/RFC6726"/>
        </reference>
        <reference anchor="RFC6968">
          <front>
            <title>FCAST: Object Delivery for the Asynchronous Layered Coding (ALC) and NACK-Oriented Reliable Multicast (NORM) Protocols</title>
            <author fullname="V. Roca" initials="V." surname="Roca"/>
            <author fullname="B. Adamson" initials="B." surname="Adamson"/>
            <date month="July" year="2013"/>
            <abstract>
              <t>This document introduces the FCAST reliable object (e.g., file) delivery application. It is designed to operate either on top of the underlying Asynchronous Layered Coding (ALC) / Layered Coding Transport (LCT) reliable multicast transport protocol or the NACK-Oriented Reliable Multicast (NORM) transport protocol.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6968"/>
          <seriesInfo name="DOI" value="10.17487/RFC6968"/>
        </reference>
        <reference anchor="RFC9114">
          <front>
            <title>HTTP/3</title>
            <author fullname="M. Bishop" initials="M." role="editor" surname="Bishop"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9114"/>
          <seriesInfo name="DOI" value="10.17487/RFC9114"/>
        </reference>
        <reference anchor="RFC9297">
          <front>
            <title>HTTP Datagrams and the Capsule Protocol</title>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="L. Pardue" initials="L." surname="Pardue"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document describes HTTP Datagrams, a convention for conveying multiplexed, potentially unreliable datagrams inside an HTTP connection.</t>
              <t>In HTTP/3, HTTP Datagrams can be sent unreliably using the QUIC DATAGRAM extension. When the QUIC DATAGRAM frame is unavailable or undesirable, HTTP Datagrams can be sent using the Capsule Protocol, which is a more general convention for conveying data in HTTP connections.</t>
              <t>HTTP Datagrams and the Capsule Protocol are intended for use by HTTP extensions, not applications.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9297"/>
          <seriesInfo name="DOI" value="10.17487/RFC9297"/>
        </reference>
        <reference anchor="MERKLE">
          <front>
            <title>Secrecy, Authentication, and Public Key Systems</title>
            <author initials="R." surname="Merkle">
              <organization/>
            </author>
            <date year="1983"/>
          </front>
          <seriesInfo name="Computer Science Series, UMI Research Press, ISBN: 9780835713849" value=""/>
        </reference>
      </references>
    </references>
    <?line 1258?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>Thanks to Louis Navarre on his comments and text contributions to the multipath and FEC sections.</t>
      <t>Thanks to Johannes Cram for his work on the picoquic reference implementation and helpful feedback.</t>
      <t>Thanks to Martin Duke, Sam Hurst, Kyle Rose, Michael Welzl and Momoka Yamamoto for their helpful reviews and comments.</t>
      <t>This work has been supported by the Federal Ministry of Research, Technology and Space of Germany in the programme of “StartUpConnect”  Project QUICast, project identification number 16KIS2650 and programme “Souverän. Digital. Vernetzt.” Joint project 6G-RIC, project identification number (PIN): FKZ 16KISK030</t>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA92973YbR5Yn+B1PkSt9MOUGYFKSZZvVXdUUSVksSxRXpOz2
9OlhJ4AEmRaQicpMkELJ6jMPsnvOftgn2X2TeZK9fyNuRGaClLs8U7N1TrdF
ABkZcePGjfv3d0ej0aDJm0W2nzx4vV40+TStm+T4Q5MVdV4Wybyskv/93cnh
g0E6mVTZTfAz/mJWTot0CQPMqnTejH65LheLtJiN/rLOp6Ol/ni0+91gmjbZ
VVlt9pPsw2oAYz0Z5KtqP2mqdd083t39bvfxIK2ydD+5OP9xcFtW76+qcr3a
pxclP8HfeXGVfI+fDd5nG/jBbD85KZqsKrJmdISvHwzqBl5+mS7KAqa0yepB
vUyr5vIv67LJ6v2kKAerfD/516acDpO6rJoqm9fwr80S//Fvg8FNVqyz/cEg
SeTlD3iZSdJsVkimk2KW3+SzdbpI6JX41TLNF/AVLvmf86yZj8vqCj9Pq+k1
fH7dNKt6/6uv8Gf4UX6TjfVnX+EHX02q8rbOvsIBvsIHr/Lmej2BR7+v1svV
5s1idlEBXb/aSmN8cAE0rhvzznCAMQ88zsvtQ23/dnzdLBcPBoN03VyX1f4g
GcGbkyQvgMB/Hicv+SH6jFnjz+n7LPgYFr6fHLxPgSLJRTa9LspFeZVnsBMn
xXRMP6lhazJYyd7Xu8nzqkxnt+mGvpjmDbDQYbqcVPnsKhsmrw+S3cd7T5/y
t+W6aJDH3hV5k82S8wYpkpTz5GCZVTB9+lXGO/YLzEuWOAYe+ucr/Hg8LZe6
pPl6seAlvFrDypOztJqtMzvEAj9f0cfjx0/H37THILK8HicvqrR4nxmqvE4/
2A+JJhfvkudZtcgL+47leE4/++cqvcmX41kWrvT7rFqmxSZ43w/j5G1Z27f9
sFlk/rPP2YCnX/9uG/C+ggn9M/1/PAyDQVHCWho4IHQET0ZHY+ZE+okRJ3U2
XVc4j+BXeKhGywmc/dkIppf3fzudpNNpx9ee0Vdpc00/ODg9GDeLegSbDIQE
aVPrc/6JdPp+NK+yv6yzYkpzevvi8Nvdb7+Wf363u7vr/7nn//lY//n4MXw6
yIt5z/rpVbfZpAFGqEd4uJ+Es1/m0+tswbOZZ1MZ9+mz3W/kn8+ePHui//zm
8TP953fPvtU57O09ddP5jh57ffz2h1fH+7Rjek2cZ9Mqm26GyQGc/qzA/Wjg
qhgmcIiSs/VkkU+TH7JNcr6pm2xZP6CHnaSg/42YR9+Ok9dZ9X7BHFkDc2Q1
UgBeclguV2sgdXI+zYGkWXJO3w6Td69PkrdZnaHUTM6qrEaOPX9+up989w0Q
/MnX3+w9+fbpd/zWGXAe8O933z4ZDEajUZJOgKfTKdwSF9d5ncDNtV7CCpJZ
Ns8L4NE0cQwGV5TegU3JFxD8NyvSCZwiWHeSzec5zq1J1nWG3O15c5qu6Gcg
UfASq/HJOgPq5DOm1wJnltIBS5f0NZ7fZLrA8WAaTVLCmodwlOCKy4sUj1Fz
DdfR1TVQzl0/68Lfw/DbosimuBP1mFe7zGczoO3gId6RVTlb07fx2utVNs3n
Oa6+6Fj0DbA7/r2XfPwojPzpU0SKmADJyVlCfLqC+xW/8etewUHJYImoV+Bj
ecFLN6vqWM0FvMSPTrSbwmzLYrFJJhn+uIbFzHA0+Pcv64KeTG7hroM97SHT
ePATsC8tgAmfXIOAr9crmjVO0L8Svphl9bTKJ/yWjx/d+rxY+PRpSKMBIwPV
aIZNtljYN6STct2YcafXKUxnUdPZSev39rdA419KeBd+tcjSG6L1smMqMsgI
CJleZbipnz4J0WSoKsOZ1kkO/4dj1n5Q4j4za5rI9H1R3i4ykO01fae7Buc+
A9E0S25ye1RA/MCT8HQ+36CGBo/kFcwNtD0U0TKX1bpalcwpDXJg11HLaTpw
Khb5X5m3QF+6gskB76STfAGjwYYXcFyFh1blag0/QXbD85iUuIYtJxFZArcA
rudVVS7zGucLL9brZKg/Tep0nuHf8JJ8uVoQXUnQwfQWuUxmDCtb10NekJwk
FofMTBlMB087yLWrIrkq00WNcn0EImyE7J8iGUCQwX+BNnWuJ2qZ4abm9ZJ3
iumf8N1AV2l4NnHEs6qEA5Ql80V5i1wOJ35BD8O/YR9pTvqxGb65BmlDC6bT
4jdFKIpDv05hL+H/mDvLYs7nOV0Qwdw+8w2QBrdCcrWG4wG/yPy0YbHpCqi/
qnKQbNFJk9cOSfPawEyzRljK7RHTMT4Fd6sKnz7hYl7RnlwxnS1fxRIM50Wi
hkiEnIlHfpk3KI2dRIM5RuKbtxc+h9W/VkWCV75jp9mhbnz69AhHW8lW+ung
XHT4+O4qgbRFqZdYgjMJyCliOPswzVaNHnN4i4ok2DMSpHkxXayBqPATWA48
zyesLtfVNBspc/ux4Vg/fJgclsUNkqIUoXKEs8jpbz72YKghf81qsBzfnV88
GPJ/k9M39O+3x0CZt8dH+O/zlwevXrl/DOQX5y/fvHt15P/lnzx88/r18ekR
PwyfJsFHgwevD35+wEz54M3Zxcmb04NXDxJiY0tAsDiRHJOMOLlaVRlucFoP
AgZ7fnj2//xfe0+B0f43uAYf7+19B9cg//Ht3jdP4Y9bYPuhJyf/CUy2GQC3
g76CowC/wL2wyhtg4CEehPq6vAVZkVXZePCPf1rgBo6e/emPg8EANKAlDQRy
Am5/UPHr7rn7aU4yOPuwLb+CRl8tk1/NZiS/Dn7dH8n//L9a/4OfJefnr+HZ
8759H3ZcQaJpAhVwgAMa4KDYjJh54mfzGs/0Oq+v4fk5iGF6ZcdAO+fD7x/h
UEmzBhGMRxQOZjqbod4HnLrDk4QPh+wWgH89krPJV1Haz796+d6xHFCfvMfj
kB8ZDA74QLcH24Ej88vaf/AIJUcKLJGNwHxytwvJBBIsqdUX5E5IkVPQrYHy
kX8qGmSkw4iAKmEUPs6w+687tAtmE7iDkJVKuPlFBgYCD1mXD0J9DU8AP21Y
sM3y+Rw4tGisWpbUOT6dFlm5roFNSaMr8lle8Q/g2uOFjYgFSYfF2cIM3wCX
o9AvK1U7ard6ksqgT/XRVwnhfqcUsCKY2CwlXY4vblVytqiZsO7mNiOFELUU
nRfdoDzqeLBzWjYZb1vrcaYximBhonPZoq+Rbb3qTHck/BZFNi7qin8fnOs/
JFkKWoHZZ2Ii2ZYaDWo33dQKcmWm8aPB4BiH6KEiKifZB7CE6JpCnqvLKe8R
nzm980j44NYi9Wag+MDgG1bhLPeogliyjgDMtEg3MA09MDXLRFWu+8/kDkiC
R7SUWUkk0kfSDmmS7Bzgr919Bazl3jdNK5wovnVv9PbiQqc4HpzJXM2axVBQ
6qCahOpOqtNPTo5wj1aLdEpCKAXJijKMVZxDv00nR8AkB/Yx4GtcBhyqv2YV
nrziqrmG7aFLHCQZ7ivRiuykwh0f5VjQBaYg7GIJ5Zhr/DhkL9Km0mZ6jdJP
twVve8Oq6xVpsaDLr0BgnBSgDNtfOy1fdjOQWf1U09NrFo+CSX9vDAl9Ek0R
GEcGGKNUFV6WH7iFhL8E4QiytCYuBjYFO6ZuiI3NgYnnSaqrvuhk7o8NDlKU
fa8a2mnndHcBZ82yGWs/zEvJ6Xo5gR08BkrOcAzcBCWDsNtgQEdRRir4gUwf
CPZ075vxXrip9DvyTzQVGLe0qnAkENXE8WzOoFKKthMRBsU+mSWw2EnO5gN+
iwp2OMqYFDYUrzBinS1gPvjO8E3MwWKXZQX5JFRACOdUbMShWQ7znTY9r2Nl
KXhulvFCczK58aubdLFGOxZkcu3EeAEWI8YQYIItSpAsTZvo0xr+zMZ86niB
o5pUbLWEcHNZ3oByhmZYaJYo58kZGcKBnqZ0WydoQi6y6Bd0n00yf5b0LlUf
DzGlv1jld8MEFloPYyucHTXkR/Uyzp9uVB/neJnyhOb5hxZVZNdg6+cgRGE2
NNSB6h6kkTOXWYaXh0niReujCxbHGuFYfXw5hCmp+dbD+j2CrXUIxoPnvMjr
LEX+BMHYmMsRbvo8m/FxDU/lK166sj5Nd3eoNxw/QV+yAYxemN0Pu0+GTBTU
hjJivN3J3h7+F4U0LjVYf/jKeZ4tZjF50UDhQ9VBDtkfZLoWqSdpzcK4kyNY
gY58aEb6qffLOr68oDWntO45pt2T6ttXMyCJ4cVVCbb39fKO3R3qDuoRj14X
H+Os7/g7hSWaSF57yRE+wd4r52uq4++R+/HghhMiqt9e59Prtgdxijc2+y+q
bFne+ElaphU5tXWhyvPpb3iB4wu9vYr2Ltq3DVHqrmtx+b3Ap0OulnuDNmpK
MvL14eUPxz/Dm1ART+s7ZXN7X2CJ9jIWbcneHcEIdcSMKoXJIU/iaxY/wOZ9
mczBAieS4FHvnh9RgM6qXPO8XpDR5rc1qQ+krl+jYV+ICJEViI/COWy9zgIi
nSwXuBiAbucXBxfHQjkSPBQmS14dv7ign76Fu5t0S5DI707Pfz49fPn2zenJ
fzk+ujx7++bs+O3FyfE5KyGv4MFiuknOV+inyGmnW9pHfGkgWbrNtaYcyVrc
ZWeMILrY6KLMnGOyHuBJb9+WdFD5ahrKAeOZ1jjTCV7yTjzQ1gQC4mmoAzk/
F/IfOd2iO1nczG5sUey8N0utLO9uxnU52TwhM4ht5BRedI2e5AyUA5BzcHvD
clegGgIF1sUCNXINnMz4ZM3XzbrK/ODI2UVbb0iDOwH4zEVRPFGisbdQZewl
OY0Hs0dx4RUnObNu7LzwKkmbfujPc9o8rjv0Xw4GJBVI6CMpcPSbPLvVt/BM
hmy8hmki7mV0bIrZglxs5OiYzXJhQHrRXF8hlmziVvg+y1Ycw2jfaV7JF/KW
cDKT2boiJ5AEYcSBW9P2JAfuxYtNK3DDgdh26KZjwrfI4yg5bnN4j1DXHgaw
JtEzkxwsrOd9qB5Z9jcs8rpRF94QpNwC3fh3uovhhL05erOfZDmxa5WJ5j9d
V6RWRv5nGinZMatakquqytRAK2A36fdA5mwxf4R+GmJploU8AJp1ND9DNFKM
2M/DM8AxcWOUA1Gkz2hsOajzvIJ3L9Nf0LdNjhAk1TSrilrlebVZ2TGsvwGG
SS5K4gmOQRb+G+PKyax3xEyXYgIilcJh+SCxJu31c/Rik7Q4+Ln1nRNiTqnE
8NKyLLyPBt2+4kRKDugGv5ZjwsSudbXoJNOBkS35D7Ip9Vzo3mr0B4hzN58k
p8/32VBgRxXcb2s6B6z2Smynk11oZzHEw1sLc53D1q7Za44hbNRchdguRAOT
en2Gg4yTc9p5XEwayCrWh+lC3LAXT/wN0X5EJxu4R0I4bQFF2kEkeCSYUrN3
n9w2V/jhKqsajHp7utLcvqhD2TZOXtARSDEGGNz0KCbqLF3iZUCKGB98Wokb
1ARJhQEtowIL04VEofTaphTIj+bAOaMJyGd6XD+tMivJgKVegbah6njbZoU3
wGJRnrEdisZ0+9c9tOZgEzFCvsT4bW04ZREbPueoSFrOjANg51kWu0bvioiN
E/JkutuqRNd/nfFNgNGTLs0ZZYNkKKjiAtw6y1A5RhvbKDeRvpgX3m8uyhyn
GADjrMu1qhmS88D6NXDSlMLQhuQacSKenJTh7aTMoE77E5IaqPYul+idmEls
gFVt9tp1OvCjHcdwN0Yz86x2cXaj7ixqH1yE8zzNwIaAceGfMxbWOFev6NAc
xA9bVqqcLzGXb11nbak8l8QLCgwnOzXttb5nZN6DuyraGtODPHlk1cjlIm59
E3EldW3Txd5stYiWWq4X8NuVXuwaLEAmxhGJwfUc5WBjZCm68k5LVrnSBWsn
5Ebj5dFjtDnAmZVqe3qr+A1iapFjnfhuZiOlBzQMrH+JhIyYhpwxYq61Yyax
kk45Q+peEo88kudGjNgO3YhMpo5QCsWGU75qbBApWBYn17gYPL9eQuO4IHRI
tZ6iwCbuxDWaQalxszFPsdpbd2cP8Uudt5q2LCvg+SkaYVV+k043uh1LOtrq
f5QvR6AHEe0qMqLwOmYi3TtRAHXh5MLFzs9c5l/y8WFX5s9gcN6ZN+TOXh2w
Dbn+b/ACqsU1CHaGT5DwQXubcjhIvpRMTjf+JXPLpQZJdi6eHyUjsm6rnEmD
1N39MJ8/yb7d/fZR1xg8p0t6VX3XELuPxGDvnUPH5NW3KhkGs6GTyW1FgCzi
2kbSgsjYuPX6cPr3ervG9n7L24NUtHjtwTvTZHckbj2yxcYDTFekZEZ1IYqI
becrOfqAukmTu2NiLPzkuqIHXh9evjp5fXJxjkknPNxokYMsrUc0FqaayKBR
Ps6tKHN5Fd0nmoLCnnMaTA47q+8t6oRb44lzLa4i9vCgJslpEGT88CGd51ej
joM24hQoOqD/8R//Meh710dMY81od2bJzrNHQ0yVPbt56uORB2jA4Jd7+uWz
3i8xT/vg6qrKrpA+b/H/7eTuGx/vqu3Hf+Y40iFmQ+vnL9P6GgYXc6EOvzzM
V2jDna9zGH/rY69yjH3uPYPD3DliezjzRPs1jwafiJgf95OH2+nOOcD/9KCP
7C/oVw8+MSPoBgy7ST/sJvqwg9zDFqHJFoupTG53dm35jFP2J+d466aL8go0
OP2dGj3upLA3rv+84Euvy8VMUgnwhl7w2a7Jp9729vNBPDg9ffPu9PCYhpZk
TdSlQF3KWqeRQ58uxYX9MHDbn5wlL9JlTgY+G5nkDBNOBeWJUoWv1H9OJMcJ
d3N2SIKe/Ryqq4uNjyZfULAaj/C9xQvHuOEyEWtFHLjGeualgqmDi0P5TosD
suYzrzt3H97+9UkeC0duKPIuS+24ICQsGAllY+mJeK9jfXqyNul3wg+wP7TY
hgLJuCEd2b68qeK08RlNngZ4fMKjbVlcExTE4e688zBXTJLXpUYDkAyQyBSO
3yFvPmf0tnzRqFfhTAg+CqgyNr3XAqbApguxTvO5hJT0qpALlLYHNVH0kml+
APyyzrjcRK2ynknx83CDzXgpqyoj7sOghzN5l2QV0jeoK7L/lJxUZJ85qvCB
9yb+g4tX58GL6wegeF7By6uNEuuB1yVfUbLHuTpKduDpR0bBNM9S/RkqrO0C
FLwAYU7oNORtmvL7a3q/5d28Jr+kSAZU5bYFtm38iKRdHGvtDmq6qIaTdCSF
0BHGs5iL1ROdgHUhRwu90XYFEmNx9iGdsq73sLQsekfqis0wP+YSwzZ2Emx8
yWGuzYruheN/uTg+PQcz/vL47ds3b7sP5t+WzfyWXuNrUn+1b91UCodk0/c+
GxsnwLZr0SGCtrP0aYqH8USLkYA00ZrfCo9yMvs/aq3h7e3tOId7lusaKZhC
JsRXaHPMRrkfsP3J+AMWFT7EVY9g1X/svVDvwWkmJ4mTQENasoC/TUO7YIvY
jNkR58Fe3Gg2f2t2e2hKcd/Am9EjaaL3qkiXzk0OfLWu04VzMK3gNmTnPDnv
EjgkmC0EMnMGYvdDvky5+oHrFOASohS7Wp03WEwwkqoBuNKHdOVRaOw2x+od
qSehTIS1BGcxytG+8sjN2eQUoeBCFTJ8A18jaKcHLRcx18C4HdUCDna3cu6U
iyZHXhRy+ZVJXY7bQ3OANkz2qtn20QHjGfYNBzYaj+aGoTD3XM4lLUC/GqJ4
T6sZqVWU8RdPPqCICci9dtU9QWkPVhixK1RdixSnqsslJh/B4LkMTil/ur2s
QnKoQkxOkleUa4hEdeIqVHPvUBg7ze+dnmIp1qdZnaTs39VMgke1WJeiDHtd
s0fVFNUZQw1s2MOJWUsYFFVAWJrbmlCKSixlwf6kjEJwumUVlqgG8RGM+3i3
jYwiM00jL1N4ckJvZ1q/DyYSM4lb9p/fnJxaowF/1TbfC3EJByzoKHd88GNg
eNDv4kHC+bkkkM+zXUDj5mQVuOhpPWUls5KZqpvO5HJr9leY8+OjM5oNJJFl
ltXIoMKPUTxGjlyw/7ikL2rd4Fr21Ya9ZAslZ6A2+eL8NKWT32IpnzousAQW
ngBJDuclrTa8FJc+x2oTHXDNt9DqKc2MOIcrRCw7S2VHQrf9vJbWSmEpcGzz
+lrCtjoRzglzzmpbRAhTzmV7pjZlWb1Q+dU16gSgV8wkJ2XqLe7xwCb71C6M
cB9yrNLNokxn28jBHh853cpnnPEI5xvdQ+oyIgvN3we4Y3eF8AaDP4st5p/j
rC9/ixiKMzPHIRxXBHComXMg0YqaeRRpPGRmH1paO6YLC3W4bJMXq+PEQsLv
e8q5W+oRGXI42Qu00FhFgnixNqHwc/0+YoWuh1AXWmRzOGWwdYu8MI/QfdYQ
Q83zpuvoiO3sbszua6PrekAhgZrC/T0K5kbWXBYNVHrbvF0WZ+MTI065hz/Q
J7SmchTJ0xhxjiaOgWZPCQcCjB4TENFPawongqlfoM80dYke7F/OUemHn2KI
BC/9Ffl+GymVR72PjP8o0tJg8hwFmxbZTcpyKA1SNwMPq1nvMiPVykW7U0Ns
H32ZbEzOokl3cWI4ZCvk2vQGQUtQQ3AZizJP5nNi8BZDhfIfvlgay1F8Vy4J
DxcpV0qSUYFJR7BKNBa8GdhJU8pvNYZ60XHb67Dyjo2r0bWidCJszNzb5hKS
ObiZeRlumJ7uoU9gZ47VEAPIIfgxFxGz2F1OtGqEw4s1es2DDAOnvC5Tt53w
If6n1PAb0NamjtflYk1KnpiZlFji983/AJaKsg4rBVzemh+oO39Pp3PLkVWs
LXCbFVzmuEEljsWSeoJs4SfxlzVHhYH9aEp4B7MLYKbZtyxKcAtFiLjouEQ7
YG6Z1FpPJbqICZjOJuAk6JtyccP50UFaGkctzPZJCCHZ8r9y67e/DnqKKP/4
K34LRjJnhNj7Hc7MV2UlibOD/9o3Mo3+613fmhewpogn8ga+vZFn14LRwGL8
UfIPfo7/MPj1H7vm/qVdX9/714UYTsEi3x5fnLw97ibKH81ivuwrPv3jrz0U
oXnzY/+wZTv6CJZEu0HE+qyHE6ZtSM37P7ztf1sfvrnj4Zueh+1Gb//+H3gE
Qx22GMy4na/wH+oCsPKVXRp4TrFsV83rLjbBD1Wn+PVuXuzimT/aOXTT53Po
MPhynzON6OLkqmmXouk1Gq8yYnqTP9o4g5TjPUZNpvT02NjrTgPHAeQe9tkW
ZBH7+eygJko54vDfo+PDVyenx0fEzywXcQxXx59K/oOzu/xAmH7zwHLzA05B
2B+MkuclW464ijQKYFE6B+mUqnkNEOyghpuD018nmWqHDETWazDDc6dlw1WK
VUYQAqSfk+KA0fMpgiAlO9n4aowOvHIxG80wSNzkoOpggDOdgeqFXkiCS0om
i3KK+HDDJGum40dBRLPTrtBg5nlsUtxlTmB88yef8egTmFjNbtv1xupAn7ro
2i4PG6+tkBVqbx4Ec3YOD1MxEHEBMgfpG3zMjqimgRK/2GkJLzo5vTj+/u3J
hWNSY9o797FXukOsH780xnvx1SXqdxYT1jiTWonmbS+fWIvtMiMOQIppbkgW
laF8jpsiLToGQG43z77PNvFjkfdi6DbTzyquvGW/M9lcHYSXEV2tIpxJNoPp
2xHIHkqrCOxf2TGnnbNCpz+duSx1SQjz9JRUeFa05hmeIs5fVM3TlOHi0REr
957/Y8fbYOCMuK9EXF6KVpegvB5sVafa/4uk6+c9ifrVPX9Nl0+imgGtgg7j
Dv55fPToN8/ebfhnzuRfzy/eHh+83hmPx4/+DadzcPgDT+LuIeCZAfzfZ7xN
iIUPeiP885bsRyLtwZAQ5dHnEvD/j/vxP52Uop374eSC0BHtfRkKIL0oj0VQ
EMIUVhJ7r66TM4RyuWSPTw02H4qoypSckXM1BOmi+5TLWDDGX61KqjSQRFiy
2lgPmuWcQYvSLfuwWqSFeFNE1UC3cYmKBtzDDVrAjY9MCuwpGOBffQ6i6ld5
XYOJ/9Wzx38MgjGIb+gDMsnHh/beMDhsHWgsWErCtHBX+7RcYbJqSh4hEO02
/1W+FVMcbw0dh72uTu3ymC3qjKCYTwTgEsOWtGv7Yo2F/KTqGm9SirA7x47c
9fA1Khekd2CeD5XLcDynFosfNR42B3gpVXZFyc80ISTnOw7/eF/Vjq8TeOaL
3vbwQtYaRIq4cBwWbQ5b0U5qd6iL913vBnGLYSrzv1LusFIxcIW38yTE+z2k
KKtAD4nbO6h99QXD5J+R7eOyZ9kHhE0oidcDZsmLWbbCsgBy6YpXo53nDYoq
Q53gQ2MBgDEDJVdZgc4zKYeWuebi9mLMTkYwzaSeI872kAFsOUTXYy6fAC1C
M4mxqfsKSofDoL2rsQLOLeAEUPpW9+yKcBynTuLjXRPbtbXvNo9OLFV2t8o8
OCBiVHVxOLambuu45UClZB0ILEM5ISImV+mKBGM/yRCTEk8LT8dUTE1TKd8I
xpqtyYATRkPoCHbVUwYKqHuw2nOJzbBjEOysEb1p1jWJWtP18bszOPCkIu6a
kpgQS2coRc3mDeVs9tkv2OsyCNKmyZarRiJJWBp3l3EQqvSRlIxUbVf7X8z8
XCjLoyjtKPI02qPqyQxSPJBV4QeKjaiADVWezQlRj8RSt7EhtkhV5QjCSWHw
IYiyyS8EEFGGBuhkrWWArE+PbQqAp5nHh5DkFFv7z4FGUFz4zZ54HIKfYPER
2sHiFVDgIb8uzb3XpAmHIJHREiIrj0jO8s4XY/du0LDfKuPp+vJvopjePGYv
pGYfZ4yZLo5H2xk5/8OK8y20gaNTc1uaCzk4PY3e8QZDSVk0Okpk18t6CB2H
1xMVRH9uvpEmUMjAkpIRblWtdzdmql6UzJH0dlDKSgq8a+qZDbK6048xRnOW
UZfAlDi9ekWnq8OZYDVKORPATdopq2Ksa4d7JNeiq0qSKo9ZtshgJZi8Ha9G
U6XoqkW5eaOohA3h7caBYqyR9pG7mFHHgyN8Fc1nMeNBxcFVa7KLYs8Klphm
ruErkYlRqZGQtE+1Whf+MRoWGRuu33xJuouY9lOqkqLEA7h38+xG0KhuEcyi
ZuBuD2xKyrhmHBBBSfuQNM+2iMMJLVTgOylnZIXcPKwhAsnTjYXNeEEyOK9N
cREWtFnU3KEkJRkgT7ldZTPNPur+7e1KcXndu1cqY0pFe3niHmnnkxnIFHq1
c+D6lw5ZsGUSzKyvMfG0GocshxJZCNfFdnNFQCSF/9ndi+hlOLoLiNpW8eqA
JCYDDIT8LXuPJnlTYbIGSV6q55+3wI5HTvO0u8YsQjCOrIw2iJzTeO5V5c9u
dIaTc9qnVONy+PyqLGcYqE/RjxyshNNbnXZM0ULq8IGpemIvaVE7Kn1kBkh+
J4UIBS1aEwOL7KrEwsrcVOebmlzv3fSTa5S6OptktinSJcsigvtblcrusMtl
PqWQKyyFlD3J8keyYFqQHHMwVVcWc09KUUlyZoKMReKHtSqVJLSxZckch8Fb
emlJqGfZB9jO1mF3Mpk8fvr8oiTGosc9DFuA0O0Wrfi4lDNKPsi+V+hZAntl
PeXgLkcgOMFQKIDYlGhKM6nfSvoL2tBRQkwAU8UFGNdYH6a+YPzZjJV2lw4i
6TZxSo5LYIkz0N1lv7Pd4+4T5WJPvfNqYO5oplW4TnMTjK4o840dK3WkIgg0
+71zlDxe0d26C7vOXCKz6kyqVTG17j9cEHUwupurIjQqEl6JmFAULUFTRxja
1Fm9V21q4e2JWh1CDfZNPkxLtZiSc64jSW/CBDDK8BTeo+QQH/sU4oZwFb9R
PUR86+PzC6DU858vz4/f/nj81k2KWPIes5KI6W+clvj57jezt35KLczNunQt
A4zB+4fOLeFpwX8w0avJ7qAaZzofOPMFJxAhWBkfG8vMkbd2xNWmty/NTk12
gpLl4JIBqe0qh7fWU2BCKC5JR2W9EyJoV9nQE7WDiVNsDyITLOiz4F+2cGVD
HcgWLqlFGSbw4mCoxdsO44H6qkPPj6QlL3y6nvyM05VszNbXSLoIWxQNKyuR
xCbSx+Yp1XHCqEd8y8D2jo5h/JyU44treAyjukNhTPVZ+G+0SDGMswv+l3IW
K6DkZeotaoow9Q4ic9BWleDeBM4oqgjgO3x/MPiSs209MCCsKXNrii1gFxgE
LplqOwv2femLAghA2JorgmISLzA+0EO1P8CVhtMJaMzoE4t0VUttZACOu22u
9GQQ17/nnC05XbG6p2UGVmKuy3FJycx0cMCq9UJKZ1sirbGeQr8toAovNrFo
8noH5l8yTgZrRu0bdGYD02kRUUWooWgeHYtUy1gM7k6+DdRHYiABW0aWgYmO
yvmIi8RijpF0EQQgWy6zWS6iE9avmGBq6U0yMKZz0jsZEgDpA7+7fEFy/fTw
Z+020dOkisp5Pgd0c3Dg044N9izJWtrYJJTIDj/ViLmAJXFQyqOwQtEoVOSf
kvkSGJYagUXGUxbrCp+tSHEw5WSs4go+Md6kN2U+o9LctBA/OgLLEBeE06Yq
ql6IvJDEVIAMhurRCdxtdhG6K8Dqd+yCAuwwzGTSFthag91CGKQgGHIuLEY7
WJHbT3mDxbAR7HNOPTTzzL3pYab8m0S+KDW1FjZsE40mzZXTj72xRS0RfIWO
P7vWr9h1f3PtlnG0hSttSy4uNF+vog5I7HHGaBBaG8RG8NFtmjtfCVX06UFM
J4zpIbeU4WOQxRhUYjEapkfnNgXILq4M6iKc3dsg5pJVr2HLVlqBWHuax0ps
V7jDVI5KKUxX8MP3Wulwl9blIqPiAkZftUQvPC4nI6FR6rNgCGYzceRJyb0C
n21vnSbgZdrrCZOTGBIZM8AYVEAbG3XWNguy5RFO59CnPitmwGBwFGNN5d0a
YgDTRypsvQExjTV2bJ7XpaRBFyPCPJNgTeXdTB7kim9AekyAtUzFDDfKeFne
ZlR+xHfxqqTrjVygFNb1jlXVdtuN1tKg7Zx3InRZS+wG58pBHZmDYCDFlyke
5nJdW0h8ltaKK9ZkWjQZJDttTy/TjCYL9cWpS8548E/5lwiQZG8m2R3Kfkdw
wmbk+USu7RlcMlPvzu+aKoK6ke3A5SM0cXLZuaeIWaQUQfxFPQYHnSbBpm1L
QGTJ4Ga+Rd8YJerlrmFD4bSy9oIICk1bnHSlCqKOh2Ui/hgZQrdP3hBlaOaC
9PpbylmQthh4IlYMdCZYI1IZo593kN0VrqO9Y1Lt4MjA/8+Cwjv5re4lf8mv
8FpXwc50EjOpNKVEMY810NwDU5Mu06QqSy9MDSG6d4yCKjgMHmnP/9KpI2UX
MLr22a8tNd4GNZVhIjgPRasbZtIxyrO/u1B83R/HDLEGwHdk8+54Siqg7lAZ
ejEDJV7Rr/sepZt2ViJJ4eDnUeGfFJdnsDJqXjXuVZ6FS76oyYwhXCXF9Ql7
i4p5433CtbYHlEXm8c2G/uypet761tFW88kbZ0wi5lEMjCbhEJLk3DtVlzZz
axJEW6FjCzOuMVYFFy+nsPWEnCOgJwtpRjiPbNC+1WHuejazuedAaKTKwoST
8b6dUu++zwqTRjlpdDIk2fzg3cXL49OLk8MDLJ68PDp+dfDz5fG/HB4fH6H/
MeI0rjRsZ0rTUn1lfeyNGioZtvMKMgWB+huDuhNCQ8BDWFE45yKrM2cnwhHm
j7BW1tZpp5Uvss8kQNEBqZ54NEdp+UrLYyeTC/y2u7U8Dvq11DqHJMNiKnzb
E8Vp0ESpx1FbhUfd/cDE5JDSSJNexOlY/k1k+oH+xPmPegnYBkGdnjSf/s0w
35rsFQ6jeohpVtFq0WoIn3K4X3Jq9ID7UK1kx/nMuVtOHQzWMnRxI/lC4T05
MTGU4qzDVfhxaVqWdSqYLlGKJArn2ofLvXOUzp5Fvhda2A1MvMS5tqpxrYJJ
KrtFC5ko+jetSsnnsAvkYDE2/VD10kzN6YHakoaGSAnnXCpUO6nxjtwrIN5+
ocoJPx+y03nrTVc5JQCKvSLzrVCjxqtU65FdbRiGJL7yyG6NY55jKdVoNfeS
ZEWQFHUpBkSKIRDtyUwb4GrjWZZGx5ATH3COuTebfeDnDiDX1wf/cskMcs7C
KsCgb2HIUciEoLhNT6WoziRwJsaAkKmw4/nl81dvDn84PnLxhL7mYnXydPyM
xtn7brwXNx6IIkkYxVkAZWabTnOSp0bKUu37XhvSoj6OWiHthiG3o2c/+QLC
tX26oTncmZKTBkfV6cl4fiblDePc2P0qg5squtTBVsOrMNNOBX2bTvTha6rl
9UUYfsn90ZUoPEoITGGxeCTTpSpXNngQtI8OTQW5sR+YWbmb+gEqrmR2tpKD
F36uthPLVXp3+obcs230cQOUq53HJ3iJoAnIvHRNXSP88QvhqeH1qD40ZNuo
pqiGsxxNioD3Blvzgsv1NefNn3NCmBND2BfAyTZru7dUPEU5cplGogQE2d9a
PE0xJK5zaufOdTLL9MOlnItLYBo8D7rzvKSAdTCBa/fD3hPhn0gLwOMa6QHB
O0lwmWwVybelHUFMqPUyefxfn+36NBI7U36aRTDRyVXUc+pDXvemkCjABZ4x
T16UwZOMGzdhlxIsP7zrooyw9I3GkGB/hZ6eYo+jZonDQAlwWs1Sse1xM72a
QtMu53MsUFfXtvOsWGgaBdA10OFeX9pSbl+LrkEUCBsHBBc22Qg5ykSCL3PO
nbxR85wclKx6fW4G4OBh8gJTgQ7Fo/bxYYBkxDsohpjrteXaFdje477zJXcw
tpmCtn9BQj6ect6pSrbb7PHpFXbG9/mDcXl0cHHAhsO/8L/5eAjm+Iz97CbM
q2EZRhOgClL2rLF/wHvBcgv/hnmMswBmKDV7GOSlcPa7M74kd/fEJ/uw3zuV
4ler4s3drUMrufImHQIT917aePi/C8++SRmgdi/odJEk36qcwCeLjUrXdkdX
k0olt3IwLefXnBix7pcxVHfWZGMFZjBEygEdJhj1c1mv9H6yJzJsNEtDujSq
jvvOpkQiJ+1wTpZ027QNNrC/xiNpCqp4k9QoQuss/Q66SaO6Q6WWDDSrG+NT
aHr0tAili3InKTmU4cfXFVHL829eLhhjm9pJEdv4OJiL0ztkNwXRuMnTz0IA
Z3maV0mE2+Nsq88CdgtwQzpsFdxktz3+PGPht13VzKGpUPutmitYZWku7yjU
8Awe0nbkN4eJNMmMwqqOyWGEuNSlkLbmGSybfOLuJ9LRSAFvFHmRpYqDMku5
zoMEaA73Kx5RyrRz+mq4y0K0QIeJ8MTuLof26X/yFpp5gD7VRU26fzzhXOKP
ERK6ey1sakM5LXu5iN6/LIERy8qWH5h7tE/2zsriC2usIep3/K6h14hryxyk
SzoILsm116Ywxs3reM91wOpKGlUvQ6pYgi7XzXXzFHAHcSTXm2J6XcGqsfas
p3+Vg4UM0Uj74AQj64uFOEuULGRlt1PCCSESWoAH7Z5xLcacmGlVKLRdij3Z
ancmX27NPLRJbVJ+8fPljydvXpEH8ncgly7diSdRhXvIxmnzAWj6byfVvSlx
R11Ke74ESVz7rEPMMI+r1Ppw4zZZ0+3l/h+3mHTaoFdUQNjEoRfCDAa7aQRD
3A0sAPTVy/b3qB0ibghYlXMowhSlqEHB0Guj8QXXSjLYhm9acBo4lqaay2Qr
o8cOKtdpxF7Ac7JivP3m3YKuAEQSzXlAP7M6c2jMRjT7UK15vQPqtKpAB7LK
HTsyjOFTPHBKiMbYocUITiAZfLkvcq29mqfpALxKRTwL13tP2ge6RegcRF9R
cJIDpd33xw3fiwAud8s2gqA+RC6pybjwVuHUfWhsw+db25y5RA7/rDMWGdaP
K9KVbC294WqdY8OrguEFvMnz1EU9vt399mu0632bTd9CYg5KAar6mjxS+Brv
0QyrvvBK3iw4QNwxRY5qEIojA6zolNOFJMe1c7+CJj1iVZLjTFKF0irKyxwP
ztpxaw4UmfQ46oQwE7Dh0XxBrilpf0Y3GmuN7TV4sOLIemRr8TE6dtvZeOpO
cF4QeD7KrOqiF6pZZc1t7ahwWo492xviuKNuci7mGiaNMfusa/+9IQrlSTdY
IuN0T159WnuihIcYT6Bcydzn3IbawZTB9oteeAQOfTI7Gp8pvT3Xm2Zus+y8
r9nXh/tmhFoRlxFSZQR++I4AEmsw01PiKh8Q5keNE90FHYBM8/xqTZ5TzUqt
u9zk97NSowZRLpvy2ljZUqbOuADcGjTL+qeNMaLPWZiqh/0LCxUO+MV6Ko57
m1uAcOmWDqGhzNsl1X1siEhTX0I4ywPILwfdHpKgTT7unBPajq69ESc41dr7
KrR/derKBey/JRmiucbAvb0kDAhDqwmUGJ+kszaqho3rmzsTR3rw8uT7l5ev
3pyfP5DYQYCMTTRXajiq50aB0d6ZXdAVHRIEszMLbb/u0uHw8GKXYheupMau
qe0W2O0bJll2W1bwAyQjCQiYLvewyINoFkiTHOto2V1OuAq9NSCMb9JXfCAZ
cli0TuB0UbCoC7VdwzKe2uP+GRqyke6qE6SbB99A+073G29Qo90IA4bU7ZI4
b7LAnrOUXOLWq69hxFb9goC9o/doBCyCb7d5PjsphUtc+xYKbs3io4jpCy83
kyo3LsBRx5QMw8AHyI1FWHuK13ZaoQpZrvLpeHASRCicci9ttyNd44p0g1jj
iHQOA2Sb1vV6ufI9QYO+mHzUKMDlWYaEjCAb40l6vl68H1HLoHmIEc0KGeWr
njjAvY8Po9wyB6e05I6M19k9215aWCXRuzdSV+rx/Qz0TZD6tUOec2cYipUk
sERUsA4McnB8cEQXNjpqLOqOSeBJr/COVnWJG4GpFVYW2vZ3aCpUSCnB+vVc
dwsYz4VxnLu0mCmAv7uuUGG4qhBdrxYnlpp2mrUd1NAYyyqoocJQaNPgga+k
vFX6Iks+4seHUrTGKYhuhyy9GdZKILaA9ph9jm190gW2iW0USt8kO/pUTfyK
M1WdpPKZylrMrtc2LOc9pWcQRAN7sYMHnA1Nx5eSlK5L6XedaTcddHoUJT8K
pB8PdiilmxSFVG9PjO1dZ4sVq3mTrGkYmqmzaflyAiSejdLlJAdWxK6oPE/Q
nlxGCMzIgRC5nZe8TopE1ZkLIh68fn5CVKXT1pHNSluF0LSsnn58qJqq258D
adLbMHtp8G6qffoCxfmC4qfwdgwwFebHVO/OaUGVSaqW6Fi1LkSh9SuaZTe5
69MiBTGzOKJhEU4qD4eCAD2kkkf3EL+UgZWwfUS+5Iw0qrbKl+pLhS9vCBUg
tr6mFB7zfkrh2iXKcV2YGnyzbLUoN0s1laI8nhnW7SzIzroWcasDgOU0S5Qj
3aIxDtvAyaiNv8PX5Bw75VlMO5TddICFpM4AgYEILlMW7xKOUhQ+2G88o5dT
vid2vHNXiGuJ4xdmG2xblANNZOi2CePGrYow3GcPstCiNEObIS/NGG1hlUEx
q+BxhSqi+ic5PhuiLKY/Y/HZULtHb4Ksb0csiSUzjgi8wEfyzFwo/YEBeqiI
QhtrMaQLeSdQfdcZmTiSH87ythmrX+Pi4F+Q8UaCUnjbKdczP9NaG9JjUuBC
IofwA31TR+x5mLjQh7SQwXRdrNnGzXW1GYFFIAHfrZl6LpLFhxtBznz3Frbf
mnLkQGEcPYikhNTWW+hKmip+ueTKWEWXCvyCqISDZAYreqlZ1HCI11z5ls5m
ueQqqdzQzMjemqsudui0NnF/Xgh4xHGVUgDnEIvJmFY7L44PH4GFNr0u8r8w
jIlWPBptjLRce3csEYllwbV1YCqAJE5MgD2anOMx3E188WITzJQTN2EiCDmR
5lWYK96FMID5JljcMKSqTeBkOIJrUjnN8yRW5WSZFBDcL84MBdaC+U1dppSg
+8guuVozt08ev6d7Z8YJ+T2AMrO16WZPoeJgXVvSddinysVtLDcIi9LJPdMV
m5yEyvMXmtNQFsBq/o9+5EKuWMy6HFMurWE3St1xhp7nErhQSciYa5pqtt8E
kTT0nDkfukm57ZgW3tsyf8l04bIrNn19xo8r762SWN6kyeGb09PjQ0qGPwRr
zuM4dDXKk6hgOxM4DSam+UdSQIDWcSsd06RhFh0dVWxFpMnX0PwFjXOg9uc9
+GaXG7OxzgOnlcChPyQoGWhlf4t9b97CQZAeVgn2ZNga1mcdye3GwdZonWNk
iy6POjXRKbUMnioz0Z8mm8NE8WAyHtxlCl8V6xWN+6KsXCTYY26DVSI9/9KA
4NYhgLMgv6Y6eNuh795bEQSRA666O0XfLdikZ6GRjNkuhLCfUDtRUr+pJsbU
HkrGH+cxXOazRXaJj6CMMDACKcoeEMVbzjwDDuIAW7KQ4eRHRQ1tmjmG4G+M
x8eOSrm8lOL2kENAVG+GXcob0NVqZydSI7kipzRXXnAjKbWqMOF02jlJcDfb
xCOXIb9zPvz+0bBVfUFV7LWbB1O/Kd9nRT02WCaq2stTZE/zjdX5aBAR9FUE
nDmQuBSinKHftU+zy4R2TitpQC7yg9eQaBMmxd91YkodOegtoJvMVXwPB5KW
SCXMOBfbqw6LmE0OlCjrmWtnqglRtnpw6JLOeDSeI9bNuG7vQS1G3mgeLu2j
aJuaCi6/dA3e1C2ftugb4IIQD24k1euqYBBkadhpxHR+Vck92H8OlvQjlGXU
60IwXVMFQ5JL8/QAzmrOinJZubxI/OrdMTd9u+YWAPSw1zGkkjo4NCbgLV3/
6Nlx2InKPMC/qoHwsA8OSo0GFstWW6Rrt3YuHKC27f6k0NSC50jauYfx50ah
crl0ioWh2I/toHiIU83O0ZnbfyVxCJtKwIbSEm9DPIjlzS14kXqoyZjaoYpd
jAt22MOi4Fw1YUC85UQPXbtR3L/dHjtv7J2K8wkjWdpaGM8UL5ZEErMbHj51
edUqt9JNoqlG2gSM5D6Zc9qq3t4U3H0cT/oik3RXisWoeHPJbJisiKgYVOnn
Yicu5kacQy76FeFd15S2yzehuZfkPNzkzWbsMx3bNgR3U+5pMmzhNG9Jdek4
b79gDqxyBEUL58w3M/5K9SbuLu92hBMjFzFcIvvryH8i6BBMGGdsBBg2igT1
MDnNbgUqn4SGzdnzSFdRyt5g8AaVcUdb2JiqiJJU/WEyx+66IjcAMm9HImc9
VJlO7Ku5G+o+bQGB1MkO5o//08Xzo9He3nhM/31MOOp8O1kYFmlI4vrAte8m
tUovrrtAR4LkMyO3eKttwpZckCI2pd8JH1vudyJwWNFacMI8XWEHbLYi7n7s
hbCcjuLtoPIn7Jdgh6PNTD4OkuQCk+t38kfJPyUhiZId7yqi7Plk98N8/iT7
dm/vK/3X40fY2+jkKHmVFVdAoZ1v6QMP6gWfjMd7z3bp43POBz05S3aePIaP
H/Ovv6ezG3/67ugsOcOd39l7xoPmK7xcz9c5RmTkw5fUuzZh3HA3i7zju53x
mCfrQgNR63Qd0kd9cvd3Z9Gu/d6BWsmHPUBY+nUnEBN8N/gUdLbo2E1tb9He
zBfEFtieQppaaOUEb6uCjrJlSFcdyga6AWVj8G/eDFGo6JknUtiLITDXMCMY
+3Fr7Gf3HBs22wzeyfFypCLjmcHWMBiafOn5b5+spAVzATrWN03mKpINU9LT
Y3rWf8oPT/2vIuw6vZCuMgFi0m6dPJBjbh4H2PlAFqoV0fwD+YtV1Ag7cpwk
x+xoTIHsI6CMbJSOhF8AzfSbZ/rNkPNIora20oCWDrgwgf6GtZeh7l/w8bNH
vCI9l30L4jv3f4n1JBztkdc6qC8J152fv0bDq1EHgePQ2liPmnj09NnuNyhS
kUIqo5hCe89oHU5wIWUkTSemC7OeEWj7iZb/uCKGBxevzoPf1JjHcIU95Bzk
4oMLd0G+ou6v5wrBsQNPP0qSM3dtmod54z5+PDk4PRg3i9qXQ9S8MjoI/Oaa
xK1LFeebjeKiqZOc7uS32o0MfaxvDmdFUCjl1xSjQgRzAdPWcAz3I7eRW/+q
jlDRNmv866AViy6NCU1cQMg5rrJVQhIOICW4cl7ltWvS6rSVS9YHLomCnfrK
HxIud+wsPmFG6LrE9hHRgZsjN16myevDB4w0C75AnhL0c3WaMGB8D5VxPzro
q1TrfiBvodATPIG81QUBLTOFIKAtOtNyHDP8+wN0lSfXqwf/noBORoGO/u22
vhez4ds4KmcC+w8CMDw3lDvCzPsd2AfBItRa4fa//tRftHZPgAGiHWo37iEw
LLxdf6x5r/sUGRZGdOaiI5p3oULRaDjel18eUFODL2rsdZntfwl3GgaNUiqO
nOVU0I0iQwUJNQIiLw/BaZMlVTI8CrzuT6jvUbgbnZCU/ohtuCkXGT93UT74
7XytNVxwY6BVX4C9cpu5Ol82SzQosC/txEa+Ydbt7e04T4t0XFZXX8Hm5FcF
qa1fFbDC2cio+O1Pxh+um+XiIRJsBAT742eMHsrO6E8ZN/xwtPetf8EOUmSE
tHm0f4+30QxVjI7oWVxM/xc8gz8St6hWy9yhhdMCWJb8kE9W7l5fpRvKk3KI
eAETO42JvnaeWVfGhDHEtFGwsWKTfI3WUzErb8Uzwb6COwsVWjX/bxG00hT8
66q6dPNwlWhOUY3cMkdIEO5cMIwsUQmNKzSOQDVtCV+ani7uE2lKEyAcScJN
P0CYygX2e8A8lhlFG0WiGjTWdj6FSdfcNgl8BQN7OTClUYTEJEDVtV5KgVkT
0tMH9u5F2SmFGh3YLeF/4kpDHEgPNE2Oig6g2ziuEEtW+NvhKJG8q/NlTp1f
KMEq/XAJw1zyu027tr1vo0L7R1wjJb3OYGiWXmUnRGc4iRg7DE9G19JD/GY7
CuzfpizkINFyeDt6DMpwY+4L9dzeH4VkjAjrnNetvXIk5+v6Wnx3jJaQLSlH
xXn0+qxhfham+9lQwK7VNbtMZa86d8qi03bvGXMNNQ/zPRkon5vCJ1uhqGPE
YOP9jQbfM1C0LtdU24gIhoigJPMGGnj5GBkauzJ1HhFmli73AmqDktYndRdu
G7zu8TeGgf4sJukHVf89OMRywRcOljHArhc027tOfQeqZwQZiM4EqRSbdVQ9
S0ggQr9AN0XZF1cWUA2LY5QX3HvGxEFcdQGFf3NyZxNiUVq7HMUxxhKN4xq5
rtYaMTsbdtjwW8KqDx/6INhhE8aTANC81QvEVhl4GsVadR6EaBuDxu6Tg7oR
kroILCAczttoGyqakrY+ZwBjdsN04CwsNDvOeAR+nxZnB4xfFrmT8471yf4s
l2tJK+lpoW0SxqJghavR6yRfACyjm+ZbQpXkmwwwRPQIesiMOSUjcMaeRaHr
aG3QfrlFbyLNK7yT+ptc2jeFxYgttgzfE3ZsrInVy0rw92aCzeFowiJkyF7P
/pbvd3R1710Ch13wJ2H/Xg22xN1FfdRjd++RwwwkjdJDh+sBlvTGbeUo3LaJ
ShUkZi6hp442NicePa3VBrPVi9aAPs/zzGIodDSjlcRk24y2g5EsFJ1pqWuc
G7W/H9xR9UXisjJFeZvQucoFid9hcUigM3zHZwRoaPfopzZEg2P1Rmd293qj
MrDLnxOL6erqKsGJF0huqQgIv+kMs5j4Sn/4wq/VBDD8Un3sIqTm/zznf9zV
qe3xQbVGzbcvu+jJY8atjCPnlx3FmDA242mX39DeFn4BO0eiU6YnJ6pGZ49T
Yd6bcBWESCE1RcMTRpIiUvoMerfDHQmAATE3Q5FfOziKmuKpuPENdsNuDaqn
dTFr2wtoec10NYebmbWNeo0Vh3QRTTY9t0Z0vxkcOnhlZ1fnJPlJEdS6pumq
y1gz66CEADDxzySWdG9PcN1yAXvf712CF39/1u1npGyYH+sudzBJuP+Ey1dr
+YKN7r4gjf8XZvXg3+lD+SC/UYfw9gBAp0fYz7fb+9rrH3f3MOkM/iLGqyC6
iY1WseNCpbuP77iKpdDfGqHmbnKt4xyEUiBNvDgLUodcS1Bv7vg4habO1dpt
KMAWucdOuVSILgQWNt+iy10nH0lGA95ENGFvXAx+wy25XYIGGaoGgKQVu/DW
meTaCnpOdz8CdHWwPA36GP6NVbkI/+IzVAbms5bOQKP1Kw39qRy7n5fA0QsJ
5HIhNL+5//suNtma+WDWbHQHs+RAebCEvUN7+O26w+CzVIcOpJsWvg2N2Ute
8fKVwpcwBmfcJq84xy+mp4czF3NZjhSdFszWNlAAknuvU8L+B8Yf5gPptIqi
bOEPGJDZntfq2jo5o3dpSmCGv2kJltht+jsvOcjav/eKO3id19ulKcRs85vE
47oWmahJkkHWgfHFBQrmH7wPxbajrK2BrMXvPUeYSMfp7ZTzSFT+DYiuW/w5
fLQDC317Y5y/gSX+n+sye19QsEOHmEi9VGtxO/I4pG6Fii7Di7jWw5+cWsLQ
Vl4vobBapJgY+CvrJHjiNRMq2/OaicIBxnLMx+y4it2xmXuJyQpuXKGNASIz
7Eypu6m2ZHN9dey2t7TztJbW0LX4Qv2rZnzNBlBfvffsoHXPCt1aFy2P13/T
Pum/aZ987k3be5H2X5V22uautLMOLsuAPP+L3Ja0xr/HK4WPw+94pxj3AGV0
x7JfKjuCeZiifAvl6aGpg0q+VgO+SAILvwQiWAMsKH01FrHI5s1Q2+U4Hcc0
Np8FtSgut6/1/mvTj8jeAtwZ0k/HiQbDfWK7q1Oi90TFM2k1YXjTSNeCdilX
O20hiP/1yHUe/rMEu08Z8MI9bk9HR7rVA41EfM3iiVN+6Z9f/yHpk1T8K/3r
60e+x2m/yeoSgPHjsrjJtLjPwl1QtqXvRelBWkwDtLh0sKtJetcyP8OIMnRr
CXg/br+Qf8oZ8rtf9wv7mISfI/pD7xDIKsyBZ/PpX0OcFu+H/TfzoHy53R8b
08DcFjEJghujRfe/k1vj1rRAV5YjoUfVQ5rXSaN20JeHD12nMrFO7ypFsLyA
Dgnv59+1W1up0DlQEEJHOFJBdaRItuveYHKjczntX7cnwSmhIv/cqROCqfOX
l0wJhB0ZC/JI2//bybhdreHhNfdoDm+dWUlyjGHFej3hyffPrsAcw3Ba2mqo
u000ZhtqyytT07D7dNi5faplWmhNeO+gY+eki6ybGlUrzQ05yHPG9bLDpKdj
ZzAll7jOjIkVpOLDL4JhB0QtIpGmXAjDuQwPx7u95TD389Oy969r9TRXlQ4p
EK0Y/TWrSpb6manYEprQdGWarXT57WpJTDUWBl2TwiS/5arh3oT9P1sEey3p
a5856eHfwho+awk0B7A16/B6h7BdXnvA/BVTp+cgQAcRfKrVFZ55XeGbfl3h
2Xis//zGKApkQXrN1HYxuWfNv0N2dafoOvMgpWGStmkm8iTI5KN5zDhJIBAo
HVVMu98wCJiy7PHhKSOu1eOYTJ9ThIe0bmkZOFa/fvFM9Itv+vWLZ8PEk/1z
lItX2F8SqHxgc9a0Zq1VxAYfvKW0l0PKGNP4MN0P/svWr1H1SMbjMaksSEd6
nFUS0FT6a9wcsWyVm6NVoIiY7fg7VEGs8mHTA2nMrj2Qmck34VXVHqbzWv3c
SxVmEuX3Uo7QLFs0qevpECUf6wSDyUTKEV2JEa4M43uaXRsigF85i6UY0tQi
ERfbTrdbguHRYcydQ4duTH/SQmspMqkN8CMyGE1JYcxa+YnhTSgDcGZiB5b2
lnmHuYlRDJ36GkS61m/eX3/29o08M6VabXvL3V732R9SAs3Ad+3Xb1Zlv/Ee
To49wG3W0SOInVpBdKLvStIGhV0m5kCgE3xTcl9PH5eI9VSCDX57CyKXdEGM
2ouBHjQ6A9qSzud9RzHiRJWtFulU06s8egQiEd94l67i6HfS8a47L9yRtvOU
B+y/+L7rv/C+40tta9TL1VYTIeFa43puqjg91LSvA7wf8Ms9/fJZ75dUAuGw
r+OacH/Wavvxnzl3zNyY7fuug1DWXWvpFPprgy25897bSq59SfQJegc5WS1s
x6cED+5zX+3iQCICBvP5ApJTSC4ebDc7ze+KV8ILd8fW+IwH1xMc+9+QRbYP
vccXQBbZj/ELgiQcVge2Dgtz2aP8/ja2S5AFvn2UXZLSyrD7nnWpJh6F7Xzd
rNm1JtY5Jl8TTryYgtIdYzeiDvUa07aP5NvsClF2Hg30EexRJTPLaXnDXgTp
7Zu1rNCkbIIschM14s6lDnNA8y+HcsnK7F1nWJ1X+1T+nvN6dr95tQVCVBgV
AOUPXWXdkB32WdCT2mWidnXCKYstzXDcXIwI6isEmhopFWYDuiArI5ZEgQCU
o+yptyMoagm3rhDka1uqJBOzQvCOmbXXj6FALKuxebYBRVoJ3eK97wBaYqX8
Tumz4D66Udqi1XjvGCKMf/hrWLUqi+XHigw37jFmOUdGomCt/ErvcPyFzakO
VD7p1eHTvWjKA0xrY+BFKsfcBtloPez2zZ9l8uo6Wve/jNh//6f99396byu3
37wMJmbu22BewX0b0uDvxM68K0DKy2z5zJQn1WkWcBadoo4gvcUyozY4ykiL
7difykg9ATB592dFwDh45/R+3VTbeo/2LIiqhpEri/HprwPXdUD7Pgw8UGan
Y6rzLffTjaNZt44ID9t/QibiGpr2n5RJEHqafpZ36F5xck37py9lPJvo4tRw
+ujsukKNKiwZCL/riVT1U8ycXUuw4OiGMKt/HyeXLyPmLodsxwworqH7bMB2
xZ1HF+u2A3amS4+3+Uxt3MiWEr+dPUiXH0TKvH1Dhy4fZhTEmv329/Ur+PGy
rGjqV/i3vy3U++0butT+7WOx9k/fCet0pGS0uEQo67hY+vGyLCX3kxTG7H7Y
208Q1FH+erwfZqjJx0/2E/zr+Ej+frqvPQXZNnEHm0oK8ICLyOZegryPOj2Z
8y2lbTCmrhklkAXBSZMDFv7On7Hg8/3kzUpA3+FqAs2vBgHN4CJmZqT002SQ
nFdZ5Hxyu8WAzpTmX07LhavB3q5jBhmAVsW882zcW9O8Y6Q+hbMj3dwix0aR
s1YmY8odk9iNya8mBvt9qlu7wjATOkAC/IH81m5RKKBcDPhBvrP2E6xVRGeJ
WaE2aKJRayPvtVM+GCaLcoqb5P15JUhDjiA6onKuVc+KplQMubGdkUa6JHtx
anfpA3Gsmt97/mSq8ioDd+vj3QjGgoV35yBapUOYJ9IBRKis5rJzfgt+qA5B
i9eLpfaTRi4715uNBYppTzqMHbvqm5At12RQSw79CRX9n1+A1Hr+8+X58dsf
j98mOyDcHkUvpZ618Mp2Gm6PU3kybL3TeabFAUDoovNIb+Alk96w+2F3HzN7
z44PT16cwDvfXLw8fjsQ4dsx84FI4oOj1yenJ+cXbw8uTn48vnz+6s3hDwMR
x2dv31y8OXzzio/JQIRyu1c0ffP1fn9mMf3g2T6oIpcw3KuTc31oD2b98vjV
0eXRm5/kE5hTC2SHv4EZud5u/AnMBn9yfo5TPz979/bkzbvzS1jLixcnh/yT
r3k4WODxwevzaESYUoQpzJ9/A3R5BwQ8vTg5pI8Zpdc/fV9RFgmUtmQze/77
SLYdh6VVYK8a7s/kcPK133pjJFetuN/o+pjN2JbDqZCI8jh/x/TyQxIADtHP
wNk8fjz+OpADj6j3ozQYIQJwPBw78boBVKS6VmQoDqU52NtWWxqDnjU4KVwb
Fp2x6WfrwP6i3jZ96PlP4gg+nl9bzudk3OPHiMoWnsxqjQ1xUeRtfELQ7QLB
MZqqxB6bMzEJ4PSOkoMWTi9XrStSWguKVIDk+Rq5B8KChRYWG8RFjpbq5wp7
JWkVGrlqcFO4SzjxjTbVGyXn1EwO0ZZybtRXBj5QU7WJL7nWro1X3gtMs007
Wg75LNuhz1XlfFsx253zSZCmHET+sD2g9g7T5t2TTLtuUHk9Aunbbq3j5CAe
QY4mhQjL6XRdOX+v+iiKhK5fKmxV6Hwp2+dC/q8wH/krVxgw2s7R4U6FqQZ6
J8GrZ9hML/uQThkTQPHKrtagx5kYKb7uBZPvh+Ofh95ByWaLCq5htOzaGSiI
GsOnChPa1ytstzRj2DYPYedf4nKhDL6HeneEzaI0Sd+1jagmUB2YtWPgwboh
pIxnXcuRtEm1dEogtbSrl3pqZ+FbYcrbuUtpO+oepRrkQTNyB23GAO432GwV
TVeDGnOtBbB9wHFDBf0wS9N2BeSGUDlZBp0u/eeWkWyuWsUmmj8JHWBzpavc
s6kB4054C7OdQQacfb+N82uafjyBaMdaM5HQtAc44Q2TdmtkyyP8m8GByToh
7s6lZZ4sAY475hliS6+2COpdEJtaKRj50qdwkb/PWNZzg4lgLQ6SMOvH8Dbt
i9tJhw8V7frQXwtqlknj88HgdRvYn0BD1OdU4OwXfIvvjbDdIQEn6r7sMDqs
uwC/GT+JGsg80nQRX1tvHFHmbk9tM4+TIwmo2oQkKWa3qKVU7h+V8yusgAIN
RRAqvccSSHbk16by5Zb7T9SlZZiOVHIq46fp+K5ITbWutZmVLxeQpiNXuXav
WdJtXyLIH3W8EiboAga4T2NZ172C8p5k5a7fJBz7LGUwnA55BFRpqpxbQPeh
Dvms3dYIRvo4eA4GqaZfGy4y2VaM3kMGCT7IOp7tYcZDYftW9OOZ0GguzuO8
iAX8H0AG6ICiVHPHX4FQ4zoibcOI8ptb52KaDfUg14MY5iv9wRTW59JKOErC
YocMuQTtQOSQcTShHGxaRCOYaq29mFtcAL8MbhhXdyzAqMBxczyewxDGbq7J
8u+CZCP3ktzYNWNIykwpm4JE/TBgJzqTaeWxPbGlbXlVpatrxDyGvQWqvsfb
UkDItIIG4bJDrLilNu+BN2C3D20yTc6CoqMNWkhPOp/3IipXWqohRbwwd/2I
UDkRnicwurKSR25JL7MN12wIhgQJ99vB3fLVadjwvjNFK9nB9kPD5Ozg4uXl
4cuDV6+OT78/frQlU9wcuiJCaI0WaYHhPDn+9s4v271IuII6R4HQAv1xmBy+
/fns4s0wOT3+6fLizQ/HoJCfX7w5uzw/Pj06Of1+SBb20cHFwdDa2vx708bv
5Ggobpj405B48vfb4/OzN6fn8GfcCpA11pcHp0fnLw9+OL48enN6LEpNxDex
smj6P+WVdS4hL+TZrH3kSNAFUXNpi8hlwXg0cL5HSAia1hn+w8Tj7jufjeY0
iCNYz7rX6CQhgsmLpDw/vrjUv/DVuAXfvz143f16TWvciBeQe2Fia0pn4fck
v4v1OYzUermQxXpoh+n9q4NlasN2NMp6+jgC/bWb5mLDtuDGbsrW9pMG10Sm
5sscfzOD8Hy8rO6X0WZuQYNI1/XSZ4ZYuyuOo3G7o5OwAzQ+8GYl9je86zCw
x7WNGtz7oO9x89VzLPtYJqgN2W7FxAup+CRkmpm2i5eMpCj4pv2h8KIkYYvu
IektrqC91sdL7GXcGDXPxCUot7pMutiksuk1lw9LWjDHUWgM5lws6+LGuaAr
lvM5akm7Do6Kfkn6E4Ewrylndpml2vgJnU78I2z5VJOSR0OKkrdtKTHT4JQz
bpyHObrsapiQy8fBi0sV8Y26AvB+mXJP8bSC31S6OJmEawEp19Msy5aELkBF
rYWDO53SfUa3Jul0KyTYzPWpd1EYGb2UaXYBK5Lx0oRJWdSb8ye8VSZVmc7o
EUw7LodsRoeUTQ1Z6eJyPQvn7GOBf9HTMNerpTiIXPcW/kYvICKPpSBxngBP
UWMu7WXoZoZd1DJ0YnKRLw0H6+OmtkASQ7CJw/0nBiaih9N3m2rn4HGvdNjM
OcoK6fIWjLJCG3byC1CY80cODFu9w2gdIrINuP5OkkS40wGWNRSWC1Xxl+kX
oPdINgmbY16W4pXVQtIEaYYDToHVsQ2h8RgsqF+LDyuV8pAJObgvuZn3uq7V
ikEmG4HAHE1xIdhEOgFlDtYvCoXTQzEWPEqOFbLTWzvTdEVipL1UJMeynHFN
gUDK0HWML73C5HZrdGK3G2kYwA5S23v1ClXGJabMo6+sIPVWBeoUvRDstZvD
Fk7gUA/F7/M+y1Y4W4c0ytqU6/Vumm6TGmg/cCgH7Bnm9t0aNIuadxPPU3dH
hfJ99uTZE8rHp/4MBwWFxypq1blmdyr7F9fsYsaj+D7nuk5YXrqqsTRPNULk
TiakcJ5r91nM2MeiyobvimG3Q8nBGZpqxQgPRh0J62m6SCf5AuxXnvs74s7W
viVUBeA3ThC8aVXciMN3uPT0D3tu06vnMLMRMehcUPIwssgemeTFq3eYq0UU
/ebxs0+fcLEvDg/ACuYPv3v2LTrvS6AacSGOBorYbcF8pGow6yw4g3oDHLeU
vBbqg7IqV+RqvSKjTh8V6H6u+fMcN1To8wWc84VV/13nIcOPajshTLaWe0is
eIzH6dAIN5kZvDgTdz2WsrBTknrWUivJvM68AwGUmkVpe1xrj1GhO5hN8wYh
RrDHIV5d2AKEuIj1ssJh5pQ1N/KNRBHO8YLlB8cHUtt/Es8zig3cRSfDBacb
tYNERI4YNXC/j7AT7aT8IFZcIAWlOJZCKLSVslO6hRziIj50oWbjTJmjjY9n
nyRNYaPwqaQ/O/joIV9nLOEkCiDiOyXhx1IWnQ631yUJKRgdM/Ko+rgt+67x
xMGd1hCO5yg5X+J1dPEj8RcbGnybwaHZsF95RM/Mspt8mum58et3rYXxZitm
KHrksHdfFvDEteKlsm0saAXAMXDoqc8XOr3k2NHYFz/KsShZWX1IWqYJELr7
Lfn4MLonRC+rFdKZkczrKMDkpRHfhv6OMoE9d1UA58KsECF1gQpYznhM9haQ
Bj80+5ACNP+HycuLi7OvniTsIk7O1vU1TJ15fLSCv2DeHT8xXogghvh0/Ez9
p3t7T8mbJ4+t5LE0uSrLmT8Ic20g2soB8W2LyTclGimF7XAwviDJ6ehbGBvX
V09l84G9c2cZHm8eiaTAbbYQYtVm2tzaFpWUqyyiYkKXIvvN4MUif9haSEUr
gEW1woiDg9jMFjYVYlNn8brDPK0ZKpVMCZnkiCvkOAWM1Xt2o+jN0bHJOANL
CdOKlrUOu/6Ie8Qbg79ieF5ygZy9O395SU7xhFtVOJri02HBgQdckhI4TkIk
QDEOjkpulatLNHSiPDLMbYQbA0RJXlOmWxTjoPQyar3rrBG02ZYYFdC2vaWf
FQs0UBjtShR/nGMZfA8RPQIqkx/F+NcdWHkfoB4bKdwZm4aDV3HHE3oPO4bt
PPAgCBjqyyfwAXuxejjcplRsb+yEqSi7u3u73yY703K5Wmu/pJlr3GzfxthX
ux/oAVGmDvqTqti60IfwRfC/R+KnNXvEhzwV157o3nCDLIItR70Co176a7E0
WLVk1F4JGISGMGV+zEElv07YcqK6V1DPCUcisnlFP/FJXolvAIZczXiQjHvI
wtn8lPOSpIBJU+SoBzTwkBw/sC7qPyU7byrpe0d35yRrGi48BXVgev2nR4FY
/imb+MvlXNju48PbbOIkJQjo4Fdk7srjsZj2ARjq3qLDjLD92ROS1mei2RGT
Ok1BmdtIxg6hwyUw7DKgWQTz+s/IfnllU0pm+t/qMrhLCuOKgkXcTywHj/SR
C97+srzNKLRhFxxuecaBWZSrtZMl3j8q+aFkm2waHylDZ+e2wfhgmvi9egBI
qSoyCY1n4X6KjjgUT0XecIqV3yfcUE9/kbzibufs0bxZi95fOM8cPh4v9Cat
ctITXTkAgcBoo1JqodXzG+ULLaInYwAMK4x345Mw6UmOBgp1OkdYa2x2lDdj
7E9NIaEcUV6qIS/Q+kx0jzRdmMYUX61fQa0fiTyK2EFyTOQ3ej3tAIm+Tcpp
Q11VG1O1Ry/hC7JnxY8sWTD8LWP6cJ/1IpY2tnSriR92eXzm9LXR9tSl3zUM
uIZSl1+hN2dqeEPcld4r5toIPRQ9muzkwSB26Xd4H8lrtCYfk/Pjpx8u1di+
pCcvecc7sAACmejz2TB0lJLl5NzZrVBIT1hZve8URussrHAHE1Pd4iW6yHOq
p8YmR/QtTcwdh+6kZaC/eY554H71IMfGVU0OU5Qu8RLoSIg5tW0/BEPTr47S
g9y6qbmWmYSHpXWviN8cedOH3nvKGSt3EzKvvY5HrOszgfKoE7VrTEssM9Rm
XWRD1thMLg8CvXI48moLU6GAZI9RvDLKeADLrjB2SdZyJ6I3acSut9CDJe52
54NKDs5OTCqDdfeXKLNrbdro+kWn6NNihkGXFT5P9qlr/jQzMsbD/rt7Tc6/
ZmcSOW8rapo31DvWe8iEsN9xQy8XPArEp/91GkG+3KHbDFV/w+iPy3ExMZmb
rOq41pWKnNuxXH8QZ03PpLgZnxWXzifac3knO6Rpq4HmnuP0TpcUJEEt+CLI
Nm2pFRpAr9cSPxL0FIHywrpwjixr4QRl8jdOI6UCtWsOkNJ1UpgqBfKa3uS1
+FMDGlB4Ot5RrSaflSuX1SCoCqiXBQckKCwRqbNM31PvvPgO1uzK0RSPeNHW
bEgR0e3q2audzil7RR8pc742HcrZ48TpUOhjmmY2qwqtMx5MC2iljQlfzi28
7DU5za0OZrRQeuKmzNGvXy4WTHJJpd/07r0uvzZRH5eOqwixCqP3ga/quIbY
q2+yGjhFc+RWLkHWL7t1GqctmtZsYZZOhmWdcLrK0qUGWQ1f9rP2+6m5SCGB
REVSUGiXux/paQFiubu66FjM2AeNUQV0kzSZ5wErfPxb2rw2tOS06Y9Rem5a
v68dlkI8rbHymCS2865JJEuAg3jxjMCgmy+zMflmSCmrRhfdZpMskQxXiqPO
ZhS9k+32tTrq3yAvypYT5300vombuXQ1oOEgvp0kCm4ZqTUv6So5lBv8uSCh
OTiSjw+X9AtZUD0SrDQtVa4ttnqYpdGgLJEEN1tab7vY+Gxl3U2tcNMYviRq
cWQCjUr1yrLIqVKt8FCuW6/4/pQYiMLKlWt0UQdoGpylkIqvCjQIuIxBOVkg
ZglNkpduk5pv0416kvR92s4RwwY1FoGuF/gQ7rBq/5TKs/CpV1FLx87Cg6Gk
JfOyi42vJBAeXTqz3MXbt6asUBK3NBrw9niQl0WLrkEqTa/DdXP6QxEcbRnL
ZN5TCIfIIAtDGrRyHDThLF8il6aFMmoZZDS3qTbUXgkbNjFyP6T8uHvNzbWE
+HUYKZIrnJLeUfWhZph5P5+X7ysgPTr4jzBSwdmJcEiu5OPRzH/8SVtd1F3R
AHdMHdW4aXqoaXorNGPkcCmfir3JFIikeJYLco0wSppJTEfSAzmgFk1kmW7i
KBd8na8Uu9yZCrVkndBs4xiPNNSC1/m8EHKusgtL9FwMNrp0RVo5TZIqY8AY
WloDves1YVQMRAcoSlqYRC4KBB6qEDeJ4lNVJjVDQmW5mSMl1EXiSrr40EdW
ejPbTSfHWaRFRlByUocfvD2qogCrPJVm7O+DppvsqvUJ7ohtpzNWLY2OImwI
n0bGEpF5YrIMhcopauXMk4NZuiLX/nMdykXz8EDx1nFDMTS7641OT4UM3hXD
ViTQP0tOCwn7gpycwbyvODnNj+CvYB1dw8u3SCFdpUllU/JivGaNtRMHC0wm
uLqmAsYK9QYuCtPir7whjuWosU2xYYLOsxTVXTkSNqiy8/GjDbN9eqSKy7pw
GSCOmng5i40X0qLjKBP01arCyAo56Wh+mv3L0agZerrLFcls4RQrGNkRrqyS
ysvk1JaTdY2hYeFa69WtBKqYcoSYXs5jpXF2T7qhZBiSRSWKkc+kSAjgSsyA
Dh9xXpvzrYXGLaZLFVJbqg15IZTEBc+J7+kwr6ZroNNzkGbvYUWDwRsN8oaJ
HiwoYdMoAC31bq6wlHPO8BDIWmuivI/CTeU9E3mPjdPTddZbLkEW7XICv5mN
phOQzGjPoiEuckxeKBGMOp2jeHasxzSkQzNdoyCZWxDK0iRXdhGa93EK6lzK
UGCyfa5Qg+Nu7EgsieeC/ClWYJwhu8B8A64zsp3d8Wt/3TJquXAMC2eZeMcM
Jdu/kZtDLg8q3mTdTk8kjernBUPiiCjsG85PEmhvhokLhD9KFVXEXSqUs/Ng
Q8pKm6YqDp0tDeX8ZpdtWjsnKigr6xmYIk7owy1TLal3U/EFx3IwtUa0BqbH
fF2hUGQFQEK65+bguPC9OU2f0MVEPpgIdMGFLyh9TAQnOdrah5EJzYErvrzU
z2uSZOgxVtdI4jBIks+bcfkTlIMoSkcqr3ReybLBMF3j0gfg3bKNG94YJuxy
GE3EaaUkvHKuAmsrYppgo3al7IpXGtiDQJWmCr0fMat5bqiyUH7aLq6ijriu
Ixw/9YXTXskupBxrCSB6weZ4DaezKB08NQVVmA/YEl7z7nZsrJTpCWVqh7uD
kou4lmW+gk6To8uZ+bVSnw4HtWctvQQkFtbkG7WjqeLb5LKLVs8bzOlXS6aa
cESc4Mbp1nSfamDC5M/XGfrxG58H5HYDw6uuaZ/Qup1tL/QbShNkE/0gTUzy
QdyJpvk/l/Ccs/UjDHT2ck3WXJdMKiG6TPAe3AydhBTLjDMKg9JKKbyVPa7D
XU+p2Vvd2Di+FtE60PjVYo2A2guB8rm4cPtpMEl9Lyu3AoEUMeZ6VH0v+pJY
oE58ialiD4WNJIydqYFR+45fU83qvGK8KMrmTKUxtsxI2ZVljpCOPGLOnMPz
z5A+fiCfB6K3M3qaspBaQ0R/Hx1TPR4OdHENL8Ig4FAaB1L+SvCNIj0Rx09A
LpKGAxpT8T4hAe3xODNmKDLZ8iUeB9zToclxHCJsN78LxUZBS5A0XEmZlpKz
Q/X9oedD6tBGziFIzo72gU+b4LpglYcS9aTd8MwlypXrCtZxcoZW8wwnJ8KA
89NPzvQRcWEGv6EcVhDeWnAwpV5flBDvUNFcJporovPezCjvLcppQ3kAn8Mm
YBb1HpUGWKwIdpapXUz2HYN1reu4fG5nbp0KaHuzCu0Q5+usQT5Qw8IHcpxT
TrvIaNn4Etip8jiFksUPW/jI+B90tMAZqbviWz+LrnPbczMz6cXS5QpWui/m
bV+CbBJn/XS4DHzbMJMEqlewjqVLw2g4SROQDhU35i6vMr1wcs2/NHgMIayc
S8JO33uHmCflyfevz8jHAcd6mVH1z3W+4luQSoexnB10+WX+V1PPz0oKa2zB
SSO1W8Xm0KFbTDZE/8DTjHxbl1TcnyRHJTFA6btlyjSNi4s1mBhPkGuifKt7
PXa0i3TmWn5/moImQFDEhRxHVNYi4oqbaCr/4U6S+4Jrro8/UEUtbMX5Cux8
UN8x85Sc8+qxIDq4Gh1U1CqWZgz5gRqyczsgE1Ha6HiQPB4jIEsPMIymdD59
tkuhOZR6UkLh2VguQfzOF9ehK4GTASetrHn3qHA4K+89qSQskIz4qWHzjHQU
x3p7ZhRpJOpwVYjQS+pKnDbHbgaWhyir00JyzUxmuq0ZODx7x3Kfym9xHrYW
PzC5JlafEmUFDcVM5xT4QG3jA+8XUkgyTctuiROsjcYeYk/GyfENaXHks4hM
V4pOUmoqr9SHIo1HCwRGVnkTloNCmVH4ZiWaJuS6wVN880TO8c3jwImI0jq9
0j4PUl+H53ozknvHYx2JqNGEcs4J5ezt2t/3YjMZLlBR5LbLeBl025C53HbJ
SRIoXRO19mrkbVWSSMApCusINbs8JeIYsWIFbjAkkBYINkFrms7XwMY9JRqY
3Cllh+D22Dkffv+INCL/S72HOSS2YZ2WAAH8c4EH91ZW3lSZlmTDTS+UGzNQ
Y16LBq754xrjoZtW45VO46j04LfKBPraRZpIoXXkW9QU85MoUOAT5nIXi6lZ
9s0RqRZXT843kdkilHDuIDZcdgKJGBsDQOkLd4EuxZXO+8yBCeVT5DUozGDr
pnyfeWLL/phsPqeFoaYoKV9OivhEZFd4hrzi6Iobrfl1TAAt5WfWoh7bLieK
fGAVxurI16mbpURYFyN5HztNNKvY5ad3Hhh92qd5sCxgPfW5Q/15V4Rl/QLR
AmqrQwYarcPfjGTmJjDhTDFGwvFsGyDp+Oxx321cKLVBVI5gIrkoMRhYM7BI
0bFM503WBa7Si4bDOpEg9KRLwuTH6y0Dy2ZjDToSULIeymzUqGfcTIi7FnCe
CZp0eWGI7vFXzCS0sErveLrrcPdCi1pMKqwR70PiyS2uvajZm4CP/RId93rI
J+d1mRM6R7gBSmKD/RFasn7ht+mme6WUyIxgeflk3WRtoFUXRaN8sWIa6W7q
heurb44yyMZhGJKiOCMdmALHjlaq47NzvXvu6BNkDRp+NX2PwRquLUyjQj7S
Y+cNyOdsJCDS4XuacsF+kFRz4cJiOs852QdjIVEQynnB/CRVGVLvjIX5mSzg
Lqu9/81BcBh7uouTrJ1Md7nHl4tVaNh6JmZUet65hbi/fLWICebYUI7c1IMA
tIpBJFI7uxdwl7hmh+L4FggpXw1pAxjeYz2NgE28Eu7ze4yXpY9+LE8I2c5G
7+nYzTBloGjC/m7BqvgjDmYbATBy3jjnwb3PXAJQWvh3ylaJoLsJACPnP4Y4
axZdTbxdPUIh9BOhrGHAX3ECYV/15arkhK8l1hNaqUPAPuo56kss1QAFBcU0
WVNhOfhUaV+FPsGFxyMupJHgB2tH5MChLXJgklvvDiMJFYw0JCCbaJaMDqYp
vJ7aFySTBwui3qCLqn9jaERZOpVp8gjDeBXdMs0JYA++tS48INx1tlglcQ6F
3ryxGHYOJOsQopxcX9TrszNIE+0lLRVYUlO7pCcFIxQDHt+sBTgFzMl5kQQ0
EaaHmKhJVW1YK4ITM6ozSgS5wTdXYL1R5BPXOHSxvjjHl/FZ08WI695MFgVf
Q/ScyUYVycYZx4iqioDvlL2HaibwvJpL3RvnxMgCtZRUfERVfkUdjRWEKZYw
WBaGvlc6dpzJ0Abx7Hqd16t46C9qz4Tm8GB+AnzOEKEU1lIHh6LtiaPDQEwx
BVgR7lEU80ZTfV0qkro+RRU2cC9pY/KCQ0kg5XeUEJPNerlvmDi1xCQYUxm8
H8QBXCBryOsHDPknqYDe/im4Akfx0vHsr6WknuIElOS6oOwDl9gQzAf2B1E7
8qt15WeYF79oWd2G5tM0+MbK4nehOFa5WNtJqVtPgpAG5o0y92vdN9Ut0KOP
OSR1k0k/LdHYyXNaiMWkKyQzqOLoQLhDtVfx3NB4FaGwc/ivlLDEnhppxZQ5
lxn8jL0OhI1mHJW4VC/ffaTWGbfFzEUwGLaI3sbQ54R7zkEDD2Tej88NJB5g
zJbBDltYRgJcjaJwibf3fvK6pFyLvIC9BwGEr7wnjCK2ydg0lDgHq8j+NBgQ
Wkc+JwNWnQeL7Ark1RLHReXUCso63bBNDZsywCHg7NJvDPCFQ71pMIW75mP0
BeU9kKUM3AFsvhywT18QMOkYcLhkjG0b8ae34stNkVvycob5xvUGiIB4jgPY
iwVWPGV/SpKTL9B/AtY0e+7J471aT+BEIX6lCn4Px2B943l0K+gWi35obgFK
KHp9cDiQeKCD7ARV9gaphe/CITHqO98wnKL+xM1mONA4fx4CdSuUoE3VchkA
HD3ACtN6wFc+Jak5M6Yt7BSpT0A/MU9rzY1Mh4PwCYXoUZ8J50U5xdz1aJIJ
ZoP29Nyep8SsRCnJXMob41PRPIsBzg5eWIohjgtrkTJUa7QDLxFygN+LPVHZ
brkd9ZyC9oXWomRQaLSAlTuZrmms7BnFIsOynkwxAR0gZeaX3SE33mLDGnBW
DKaLFLRRinP4abGN6ZJsMQxAWQ85aFkyLDwyoDMYZ7dy/hkjdYLUSBcEhcMQ
A+yf7g5v/4K4XnqGSHWCczy4Zb8tVb8Xgjrp7mHd/VgAIHtfESRjNuCMdULI
TK7WKextkwngOrsLFGtDWZFfBqIAE4eGA9a8b03XFDBupu/9ZkZnksqgk5OD
04NYSHJNdxvU0RRja+H3okSM4NFoRCAnOKDv+k1W5eDjPscqs9k/PZiDnpc9
+AS6aFpwvv6rcg10Ok1vgPEo94C11KW3SKnxDd286JjgOKaBFUSvPP3uxfGh
An9w3pS+4s8lrRf0HKzPopwTLJFCVU4Is8qnJe0MNadm7OU2Qh4q3OinNWFk
/5LXhBqXHK0RzfQc3vNyXaGn/4cNqCBvCRH8NWxPCuzzU7b4K8vK1+WyfJ8m
P6fLdFnCIMIleeXehSlk2a2UfQtVVJenFaBWR246CQt4m+xFNqNS+td5wS0Q
MMCU1aCPTq+HyQUiSpWL8opF7Lm23v4+q5aMiijyA9Fal1xa9t//2/9xjnms
71aCw/zf/9v/mSRnVUk1ohj9oODGSj7Qzt1ihkjEeu/ZDyfnj599vatZODI+
Dl6u4XD+v/93MU6OQFlu0sU4+RGOZNb8tRnju7DrZuPGf/b96C1mYm5/387Z
yemj/eTFD/+FX/3D7pNdZl7b5H08+P8AKybDuHtvAQA=

-->

</rfc>
