<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-radext-radiusdtls-bis-17" category="std" consensus="true" submissionType="IETF" obsoletes="6614, 7360" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="RadSec: RADIUS over TLS and DTLS">RadSec: RADIUS over Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-radext-radiusdtls-bis-17"/>
    <author initials="J.-F." surname="Rieckers" fullname="Jan-Frederik Rieckers">
      <organization abbrev="DFN">Deutsches Forschungsnetz | German National Research and Education Network</organization>
      <address>
        <postal>
          <street>Alexanderplatz 1</street>
          <city>Berlin</city>
          <code>10178</code>
          <country>Germany</country>
        </postal>
        <email>rieckers@dfn.de</email>
        <uri>www.dfn.de</uri>
      </address>
    </author>
    <author initials="M." surname="Cullen" fullname="Margaret Cullen" role="editor">
      <organization>Painless Security</organization>
      <address>
        <postal>
          <street>4 High Street, Suite 206</street>
          <city>North Andover, MA</city>
          <code>01845</code>
          <country>USA</country>
        </postal>
        <email>margaret@painless-security.com</email>
      </address>
    </author>
    <author initials="S." surname="Winter" fullname="Stefan Winter">
      <organization abbrev="RESTENA">Fondation Restena | Restena Foundation</organization>
      <address>
        <postal>
          <street>2, avenue de l'Université</street>
          <city>Esch-sur-Alzette</city>
          <code>4365</code>
          <country>Luxembourg</country>
        </postal>
        <email>stefan.winter@restena.lu</email>
        <uri>www.restena.lu</uri>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>RADIUS EXTensions</workgroup>
    <keyword>RADIUS</keyword>
    <keyword>TLS</keyword>
    <abstract>
      <?line 56?>

<t>This document defines transport profiles for running RADIUS over Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), allowing the secure and reliable transport of RADIUS messages.
RADIUS/TLS and RADIUS/DTLS are collectively referred to as RadSec.</t>
      <t>This document obsoletes RFC6614 and RFC7360, which specified experimental versions of RADIUS over TLS and DTLS.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-radext-radiusdtls-bis/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        RADIUS EXTensions Working Group mailing list (<eref target="mailto:radext@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/radext/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/radext/"/>.
      </t>
    </note>
  </front>
  <middle>
    <?line 62?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document defines transport profiles for running RADIUS over Transport Layer Security (TLS) <xref target="RFC8446"/> <xref target="RFC5246"/> over TCP, and Datagram Transport Layer Security (DTLS) <xref target="RFC9147"/> <xref target="RFC6347"/> over UDP, allowing secure and reliable transport of RADIUS messages.
RADIUS/TLS and RADIUS/DTLS are collectively referred to as RadSec.  This document obsoletes <xref target="RFC6614"/> and <xref target="RFC7360"/>, which specified experimental versions of RADIUS over TLS and DTLS.</t>
      <t>RADIUS is a widely deployed Authentication, Authorization and Accounting (AAA) protocol defined in <xref target="RFC2865"/>, <xref target="RFC2866"/>, and <xref target="RFC5176"/>, among others.
Deployment experience has shown several shortcomings, such as dependency on the unreliable transport protocol, UDP, and a lack of confidentiality for large parts of RADIUS messages.
Additionally, the confidentiality and integrity mechanisms in RADIUS rely on the MD5 algorithm <xref target="RFC1321"/>, which does not meet modern security expectations.
Although RadSec does not remove the MD5-based mechanisms, it adds confidentiality and integrity protection through the TLS layer.
For an experimental version of RadSec without the need for MD5 see <xref target="RFC9765"/>.</t>
    </section>
    <section anchor="conventions-and-terminology">
      <name>Conventions and Terminology</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The following terminology is used in this document:</t>
      <dl>
        <dt>RadSec:</dt>
        <dd>
          <t>A collective term for RADIUS/TLS and RADIUS/DTLS.</t>
        </dd>
        <dt>RADIUS/TLS:</dt>
        <dd>
          <t>A RADIUS exchange transmitted using TLS over TCP.</t>
        </dd>
        <dt>RADIUS/DTLS:</dt>
        <dd>
          <t>A RADIUS exchange transmitted using DTLS over UDP.</t>
        </dd>
        <dt>RADIUS/UDP:</dt>
        <dd>
          <t>RADIUS transported over UDP as defined in <xref target="RFC2865"/>.</t>
        </dd>
        <dt>RADIUS packet:</dt>
        <dd>
          <t>As defined in <xref section="3" sectionFormat="comma" target="RFC2865"/>.</t>
        </dd>
        <dt>RADIUS packet type:</dt>
        <dd>
          <t>As defined in <xref section="4" sectionFormat="comma" target="RFC2865"/>.</t>
        </dd>
        <dt>(D)TLS handshake message:</dt>
        <dd>
          <t>As defined in TLS <xref target="RFC8446"/> and DTLS <xref target="RFC9147"/>.</t>
        </dd>
        <dt>TLS record:</dt>
        <dd>
          <t>As defined in TLS <xref target="RFC8446"/>.</t>
        </dd>
        <dt>DTLS record:</dt>
        <dd>
          <t>As defined in DTLS <xref target="RFC9147"/>.  A DTLS record is always contained in one UDP datagram.</t>
        </dd>
        <dt>(D)TLS connection:</dt>
        <dd>
          <t>A single (D)TLS communication channel (with DTLS this is a synonym for association).</t>
        </dd>
        <dt>UDP datagram:</dt>
        <dd>
          <t>A UDP packet, including the header and data.</t>
        </dd>
        <dt>UDP (datagram) data:</dt>
        <dd>
          <t>The data payload of a UDP datagram.</t>
        </dd>
        <dt>RadSec client:</dt>
        <dd>
          <t>A RadSec instance that initiates a new connection.</t>
        </dd>
        <dt>RadSec server:</dt>
        <dd>
          <t>A RadSec instance that listens on a RADIUS-over-(D)TLS port and accepts new connections.</t>
        </dd>
        <dt>RadSec endpoint:</dt>
        <dd>
          <t>A RadSec client or server</t>
        </dd>
        <dt>RadSec peer:</dt>
        <dd>
          <t>A RadSec endpoint connected to the RadSec endpoint that is the primary subject of discussion.</t>
        </dd>
      </dl>
      <t>Whenever "(D)TLS", "RADIUS/(D)TLS" or "RadSec" is mentioned, the specification applies for both RADIUS/TLS and RADIUS/DTLS.
Where "TLS" or "RADIUS/TLS" is mentioned, the specification applies only for RADIUS/TLS.  Where "DTLS" or "RADIUS/DTLS" is mentioned, it only applies to RADIUS/DTLS.</t>
    </section>
    <section anchor="radsec-packet-and-connection-handling">
      <name>RadSec Packet and Connection Handling</name>
      <t>This section defines the behavior of RadSec endpoints for the establishment and handling of (D)TLS connections and sending and receiving RADIUS packets.</t>
      <t>Server implementations <bcp14>MUST</bcp14> support both RADIUS/TLS and RADIUS/DTLS.
Client implementations <bcp14>SHOULD</bcp14> implement both, but <bcp14>MUST</bcp14> implement at least one of RADIUS/TLS or RADIUS/DTLS.</t>
      <section anchor="portusage">
        <name>RadSec Packet Format, Default ports and shared secrets</name>
        <t>The format of RADIUS packets in RadSec is unchanged from the format specified in <xref target="RFC2865"/>, <xref target="RFC2866"/> and <xref target="RFC5176"/>.</t>
        <t>IANA has reserved server ports for RADIUS/TLS and RADIUS/DTLS.
Since authentication of peers, confidentiality, and integrity protection are provided by the (D)TLS layer, the shared secret for the RADIUS packets is set to a static string, which is different for each of TLS and DTLS (see <xref target="shared_secrets"/>).
The calculation of security-related fields such as Response-Authenticator, Message-Authenticator or encrypted attributes <bcp14>MUST</bcp14> be performed using the static shared secret.</t>
        <table anchor="shared_secrets">
          <name>RADIUS shared secrets for RadSec</name>
          <thead>
            <tr>
              <th align="left">Protocol</th>
              <th align="left">Server Port</th>
              <th align="left">Shared Secret</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">RADIUS/TLS</td>
              <td align="left">2083/tcp</td>
              <td align="left">"radsec"</td>
            </tr>
            <tr>
              <td align="left">RADIUS/DTLS</td>
              <td align="left">2083/udp</td>
              <td align="left">"radius/dtls"</td>
            </tr>
          </tbody>
        </table>
        <t>RadSec does not use separate ports for authentication, accounting and dynamic authorization changes.
The client source port used for RadSec connections is not fixed -- it is typically an ephemeral port picked by the client Operating System.
For considerations regarding the multipurpose use of one port for authentication and accounting see <xref target="radius_packets"/>.</t>
        <t>RadSec clients <bcp14>MAY</bcp14> open multiple connections to the same RadSec server and RadSec servers <bcp14>MUST</bcp14> be able to accept multiple connections from a single client.</t>
        <t>RadSec endpoints <bcp14>MUST NOT</bcp14> use the old RADIUS/UDP or RADIUS/TCP ports for RADIUS/DTLS or RADIUS/TLS.</t>
      </section>
      <section anchor="dtls-requirements">
        <name>(D)TLS requirements</name>
        <t>RadSec clients <bcp14>MUST</bcp14> establish a (D)TLS session immediately upon connecting to a new server, that is without any non-protected negotiations such as done by SMTP STARTTLS or other signalling prior to the (D)TLS handshake.
All data received over a TCP or UDP port assigned for RadSec is opaque for the RADIUS client or server application and must be handled by the TLS or DTLS implementation.
Closing TLS connections and discarding invalid UDP datagrams are done by the (D)TLS implementation.</t>
        <t>RadSec does not provide for negotiation of (D)TLS in ongoing RADIUS communication.
Instead, a server port is configured to always require (D)TLS.  Connection attempts to a (D)TLS port which do not use (D)TLS are not accepted by the server.
As RADIUS has no provisions for capability signaling, there is also no way for a server to indicate to a client that it should transition to using TLS or DTLS.
Servers and clients therefore need to be preconfigured to use RADIUS/(D)TLS for a given endpoint.
This action has to be taken by the administrators of the two systems.</t>
        <t>Implementations <bcp14>MUST</bcp14> follow the recommendations given in <xref target="RFC9325"/>, especially in regards to TLS versions, recommended cipher suites, and TLS session resumption.
Additionally, the following requirements have to be met for the (D)TLS connection:</t>
        <ul spacing="normal">
          <li>
            <t>Negotiation of a cipher suite providing for confidentiality as well as integrity protection is <bcp14>REQUIRED</bcp14>.</t>
          </li>
          <li>
            <t>The endpoints <bcp14>MUST NOT</bcp14> negotiate compression.</t>
          </li>
          <li>
            <t>The connection <bcp14>MUST</bcp14> be mutually authenticated (see <xref target="mutual_auth"/>).</t>
          </li>
        </ul>
        <t>RadSec endpoints <bcp14>MUST NOT</bcp14> use the 0-RTT feature of (D)TLS.</t>
      </section>
      <section anchor="mutual_auth">
        <name>Mutual authentication</name>
        <t>RadSec servers <bcp14>MUST</bcp14> authenticate clients, and RadSec clients <bcp14>MUST</bcp14> authenticate servers.
RADIUS is designed to be used by mutually trusted systems.
Allowing anonymous clients would ensure privacy for RadSec traffic, but would negate all other security aspects of the protocol, including security aspects of RADIUS itself, due to the fixed shared secret.</t>
        <t>RADIUS/(D)TLS allows for the following modes of mutual authentication, which will be further specified in this section:</t>
        <ul spacing="normal">
          <li>
            <t>TLS-X.509-PKIX</t>
          </li>
          <li>
            <t>TLS-PSK</t>
          </li>
        </ul>
        <t>Independent of the chosen mode of authentication, the mutual authentication <bcp14>MUST</bcp14> be performed during the initial handshake.
Alternative methods, such as post-handshake certificate-based client authentication (see <xref section="4.6.2" sectionFormat="comma" target="RFC8446"/>) with TLS 1.3 or renegotiation with TLS 1.2, <bcp14>MUST NOT</bcp14> be used to achieve mutual authentication.</t>
        <section anchor="tlsx509pkix">
          <name>Authentication using X.509 certificates with PKIX trust model (TLS-X.509-PKIX)</name>
          <t>All RadSec server implementations <bcp14>MUST</bcp14> implement this model.
RadSec client implementations <bcp14>SHOULD</bcp14> implement this model, but <bcp14>MUST</bcp14> implement either this model or TLS-PSK.</t>
          <t>If implemented, the following rules apply:</t>
          <ul spacing="normal">
            <li>
              <t>Implementations <bcp14>MUST</bcp14> allow the configuration of a trust base (i.e., a set of trusted Certification Authorities (CAs)<xref target="RFC5280"/>) for new TLS connections.  This list <bcp14>SHOULD</bcp14> be application-specific and not use a global system trust store.</t>
            </li>
            <li>
              <t>Certificate validation <bcp14>MUST</bcp14> include the verification rules as per <xref target="RFC5280"/>.</t>
            </li>
            <li>
              <t>Implementations <bcp14>MAY</bcp14> indicate their trust anchors when opening or accepting TLS connections.
See <xref section="7.4.4" sectionFormat="comma" target="RFC5246"/> and <xref section="6" sectionFormat="comma" target="RFC6066"/> for TLS 1.2 and <xref section="4.2.4" sectionFormat="comma" target="RFC8446"/> for TLS 1.3.</t>
            </li>
            <li>
              <t>When the configured set of trusted CAs changes or updated revocation information becomes available (e.g., fetching of a new CRL), implementations <bcp14>MUST</bcp14> reassess the continued validity of the certificate path of all connected peers.  This can either be done by caching the peer's certificate for the duration of the connection and re-evaluating the cached certificate or by renegotiating the (D)TLS connection, either directly or by opening a new (D)TLS connection and closing the old one.</t>
            </li>
            <li>
              <t>Implementations <bcp14>SHOULD NOT</bcp14> keep a connection open beyond the validity period of the peer certificate.  At the time the peer certificate expires, the connection <bcp14>SHOULD</bcp14> be closed and then possibly re-opened with updated credentials.</t>
            </li>
          </ul>
          <t>RadSec endpoints <bcp14>SHOULD NOT</bcp14> be preconfigured with a set of trusted CAs by the vendor or manufacturer that are enabled by default.
Instead, the endpoints <bcp14>SHOULD</bcp14> start off with an empty CA set as the trust base.
The addition of a CA <bcp14>SHOULD</bcp14> be done only when manually configured by the administrator.
This does not preclude vendors or manufacturers including their set of trusted CAs in their products, but the enabling of those lists should require an explicit act by an administrator.</t>
          <t>RadSec clients <bcp14>MUST</bcp14> follow <xref target="RFC9525"/> when validating RadSec server identities. RadSec servers also follow <xref target="RFC9525"/> when validating RadSec client identities with some additional rules.</t>
          <t>Specific details are provided below:</t>
          <ul spacing="normal">
            <li>
              <t>Certificates <bcp14>MAY</bcp14> include a single wildcard in the identifiers of DNS names and realm names, but only as the complete, left-most label.</t>
            </li>
            <li>
              <t>RadSec clients validate the server's identity to match their local configuration, accepting the identity on the first match:
              </t>
              <ul spacing="normal">
                <li>
                  <t>If the expected RadSec server is associated with a specific NAI realm, e.g., by dynamic discovery <xref target="RFC7585"/> or static configuration, that realm is matched against the presented identifiers of any subjectAltName entry of type otherName whose name form is NAIRealm as defined in <xref section="2.2" sectionFormat="comma" target="RFC7585"/>.</t>
                </li>
                <li>
                  <t>If the expected RadSec server was configured as a hostname, or the hostname was yielded by a dynamic discovery procedure, that name is matched against the presented identifiers of any subjectAltName entry of type dNSName <xref target="RFC5280"/>.  Since a dynamic discovery might by itself not be secured, implementations <bcp14>MAY</bcp14> require the use of DNSSEC <xref target="RFC4033"/> to ensure the authenticity of the DNS result before considering this identity as valid.</t>
                </li>
                <li>
                  <t>If the expected RadSec server was configured as an IP address, the configured IP address is matched against the presented identifier in any subjectAltName entry of type iPAddress <xref target="RFC5280"/>.</t>
                </li>
                <li>
                  <t>The Common Name RDN <bcp14>MUST NOT</bcp14> be used to identify a server.</t>
                </li>
                <li>
                  <t>Clients <bcp14>MAY</bcp14> use other attributes of the certificate to validate the server's identity, but they <bcp14>MUST NOT</bcp14> accept any certificate without validation.</t>
                </li>
                <li>
                  <t>Clients which also act as servers (i.e., proxies) may be susceptible to security issues when a ClientHello is mirrored back to themselves.  More details on this issue are discussed in <xref target="security_considerations"/>.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>RadSec servers validate the certificate of the RadSec client against a local database of acceptable clients.
The database may enumerate acceptable clients either by IP address or by a name component in the certificate.
              </t>
              <ul spacing="normal">
                <li>
                  <t>For clients configured by DNS name, the configured name is matched against the presented identifiers of any subjectAltName entry of type dNSName <xref target="RFC5280"/>.</t>
                </li>
                <li>
                  <t>For clients configured by their source IP address, the configured IP address is matched against the presented identifiers of any subjectAltName entry of type iPAddress <xref target="RFC5280"/>.</t>
                </li>
                <li>
                  <t>Some servers <bcp14>MAY</bcp14> be configured to accept a client coming from a range or set of IP addresses.  In this case, the server <bcp14>MUST</bcp14> verify that the client IP address of the current connection is a member of the range or set of IP addresses, and the server <bcp14>MUST</bcp14> match the client IP address of the current connection against the presented identifiers of any subjectAltName entry of type iPAddress <xref target="RFC5280"/>.</t>
                </li>
                <li>
                  <t>Implementations <bcp14>MAY</bcp14> consider additional subjectAltName extensions to identify a client.</t>
                </li>
                <li>
                  <t>If configured by the administrator, the identity check <bcp14>MAY</bcp14> be omitted after a successful <xref target="RFC5280"/> certification path validation, e.g., if the client used dynamic lookup there is no configured client identity to verify.  The client's authorization <bcp14>MUST</bcp14> then be validated using a certificate policy extension <xref section="4.2.1.4" sectionFormat="comma" target="RFC5280"/> unless both endpoints are part of a trusted network.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Implementations <bcp14>MAY</bcp14> allow configuration of a set of additional properties of the certificate to check for a peer's authorization to communicate (e.g., a set of allowed values presented in  subjectAltName entries of type uniformResourceIdentifier <xref target="RFC5280"/> or a set of allowed X.509v3 Certificate Policies).</t>
            </li>
          </ul>
        </section>
        <section anchor="tlspsk">
          <name>Authentication using TLS-PSK (TLS-PSK)</name>
          <t>RadSec server implementations <bcp14>MUST</bcp14> support the use of TLS-PSK.
RadSec client implementations <bcp14>SHOULD</bcp14> support the use of TLS-PSK, but <bcp14>MUST</bcp14> implement either this model or TLS-X.509-PKIX.</t>
          <t>Further guidance on the usage of TLS-PSK in RadSec is given in <xref target="RFC9813"/>.</t>
        </section>
      </section>
      <section anchor="connecting-client-identity">
        <name>Connecting Client Identity</name>
        <t>In RADIUS/UDP, clients are uniquely identified by their IP addresses, as the shared secret is associated with the origin IP address.
With RadSec, the shared secret has a fixed value and multiple distinct RadSec clients can connect from the same IP address.
This requires changing the method of identifying individual clients from RADIUS/UDP.</t>
        <t>Depending on the trust model used, the RadSec client identity is determined as follows.</t>
        <t>With TLS-PSK, a client is uniquely identified by its TLS-PSK identifier (<xref section="6.2" sectionFormat="comma" target="RFC9813"/>).</t>
        <t>With TLS-X.509-PKIX, a client is uniquely identified by the tuple of the issuer and the serial number of the presented client certificate.</t>
        <t>In practice, identification of unique clients is not always necessary and could be based on the subject of the presented certificate or a subjectAltName entry.
While this identification technique could match multiple distinct certificates and therefore distinct clients, it is often sufficient, e.g., for the purpose of applying policies.</t>
        <t>Note well: having identified a connecting entity does not mean the server necessarily wants to communicate with that client.
For example, if the Issuer is not in a trusted set of Issuers, the server may decline to perform RADIUS transactions with this client.</t>
        <t>Additionally, a server <bcp14>MAY</bcp14> restrict individual clients or groups of clients to certain IP addresses or address ranges.
One example of this can be to restrict clients configured by DNS name to only the IP address(es) that this DNS name resolves to.</t>
        <t>A client connecting from outside the allowed range would be rejected, even if the mutual authentication otherwise would have been successful.
To reduce server load and to prevent probing the validity of stolen credentials, the server <bcp14>SHOULD</bcp14> abort the (D)TLS handshake immediately with a TLS alert access_denied(49) after the client transmitted identifying information, i.e., the client certificate or the PSK identifier, and the server recognizes that the client connects from outside the allowed IP address range.</t>
        <t>See <xref section="6.2.1" sectionFormat="comma" target="RFC9813"/> for further discussion on this topic.</t>
      </section>
      <section anchor="tls_session_resumption">
        <name>TLS Session Resumption</name>
        <t>Session resumption lowers the time and effort required to start a (D)TLS connection and increases network responsiveness.
This is especially helpful when using short idle timeouts.</t>
        <t>RadSec clients and servers <bcp14>SHOULD</bcp14> implement session resumption.
Implementations supporting session resumption <bcp14>MUST</bcp14> cache data during the initial full handshake, sufficient to allow authorization decisions to be made during resumption.
For RadSec servers, this should preferably be done using stateless session resumption as specified in <xref target="RFC5077"/> for TLS 1.2 or <xref target="RFC8446"/> for TLS 1.3, to reduce the resource usage for cached data.</t>
        <t>When establishing a (D)TLS connection with session resumption, both client and server <bcp14>MUST</bcp14> re-authorize the connection by using the original, cached data.
In particular, this includes the X.509 certificate (when using a PKIX trust model) as well as any policies associated with that identity such as restrictions on source IP address.
The re-authorization <bcp14>MUST</bcp14> give the same result as if a full handshake was performed at the time of resumption.</t>
        <t>If cached data cannot be retrieved securely, resumption <bcp14>MUST NOT</bcp14> be done, by either immediately closing the connection or reverting to a full handshake.
If a connection that used session resumption is closed by the server before the resumed DTLS session can be established, the RadSec client <bcp14>MUST NOT</bcp14> re-attempt session resumption but perform a full TLS handshake instead.</t>
      </section>
      <section anchor="application-layer-protocol-negotiation">
        <name>Application-Layer Protocol Negotiation</name>
        <t>RadSec clients <bcp14>SHOULD</bcp14> use Application-Layer Protocol Negotiation (ALPN) to signal RadSec support.  The ALPN name assigned to RadSec is "radius/1.0".  Clients implementing ALPN for RadSec <bcp14>MUST</bcp14> use that name.</t>
        <t>A client which signals RadSec support via the ALPN name "radius/1.0", but which does not receive any ALPN response from the server, <bcp14>MUST</bcp14> treat the connection as RadSec.  A client which signals RadSec support via the ALPN name "radius/1.0" and receives an ALPN resonse of "radius/1.0" <bcp14>MUST</bcp14> treat the connection as RadSec.</t>
        <t>RadSec servers <bcp14>SHOULD</bcp14> implement support for ALPN.  A server which does not receive an ALPN name from the client <bcp14>MUST</bcp14> treat that connection as RadSec.  Servers which do not support ALPN will not send any ALPN name in response.  Servers which support ALPN <bcp14>MUST</bcp14> echo back an ALPN name which is compatible with both the ALPN list that the client sent, and with the servers configuration.</t>
        <t>Where both parties agree on the ALPN name "radius/1.0", the connection <bcp14>MUST</bcp14> be treated as RadSec.</t>
        <t>That is, the presence (or not) of the ALPN name "radius/1.0" does not change the behavior of RadSec clients or servers.  However, using ALPN will assist with future changes to RADIUS, and as such, its use is <bcp14>RECOMMENDED</bcp14>.</t>
        <t>Other ALPN names are possible, such as "radius/1.1" <xref target="RFC9765"/>.  RadSec implementations are not required to support <xref target="RFC9765"/>, but implementation of ALPN for RadSec <bcp14>MUST NOT</bcp14> prevent the use of future ALPN names for RADIUS.  The ALPN negotiation requirements in this section are compatible with the rules in <xref section="3" sectionFormat="comma" target="RFC9765"/>.</t>
      </section>
      <section anchor="radius_packets">
        <name>RADIUS packets</name>
        <t>The use of (D)TLS transport does not change the calculation of security-related fields (such as the Response-Authenticator) in RADIUS <xref target="RFC2865"/> or RADIUS Dynamic Authorization <xref target="RFC5176"/>.
Calculation of attributes such as User-Password <xref target="RFC2865"/> or Message-Authenticator <xref target="RFC3579"/> also does not change.</t>
        <t>The changes to RADIUS implementations required to implement this specification are largely limited to the portions that send and receive packets on the network and the establishment of the (D)TLS connection.</t>
        <t>The RadSec specification does not change the client/server architecture of RADIUS.
RadSec clients transmit the same packet types on the connection they initiated as a RADIUS/UDP client would, and RadSec servers transmit the same packet types on the connections the server has accepted as a RADIUS/UDP server would.
As noted in <xref target="portusage"/>, RadSec uses the same port for Authentication and Accounting packets.
As non-exhaustive example, a RadSec client can transmit packets of type Access-Request, Accounting-Request, Status-Server, Disconnect-ACK over the same connection, and a RadSec server can transmit packets of type Access-Accept, Access-Reject, Access-Challenge, Accounting-Response, Disconnect-Request.</t>
        <t>However, special considerations apply for mixing Authentication and Accounting packets over the same connection.
Traditional RADIUS/UDP uses different ports for Authentication and Accounting, where RadSec uses the same connection for all RADIUS packets.
Due to the use of one single port for all packet types, clients might send packets to the server which it cannot process.
Without a response from the server, the client has to wait for the requests to time out before reusing the request ID, leading to resource exhaustion of the limited ID space.</t>
        <t>A server <bcp14>MAY</bcp14> therefore respond with a Protocol-Error packet as defined in <xref section="4" sectionFormat="comma" target="RFC7930"/>, to alleviate this situation and signal that it was unable to process a packet.
The Error-Cause attribute of this packet <bcp14>SHOULD</bcp14> be set to the value 406 ("Unsupported Extension"), if the server does not support the packet type, or the value 502 ("Request Not Routable (Proxy)"), if the request cannot be routed.
Future specifications may recommend other Error-Cause attribute values for specific scenarios.</t>
        <t>RadSec clients <bcp14>MUST</bcp14> accept Protocol-Error as a valid response and thus stop any retransmission of the original packet over the current connection.
Further details of handling the Protocol-Error reply on the client side are outside of the scope of this document, see <xref target="I-D.dekok-protocol-error"/> for a more detailed description of Protocol-Error.</t>
        <t>Note that sending Protocol-Error in response to unwanted packets replaces the use of CoA-NAK, Disconnect-NAK and Accounting-Response in these situations as specified in <xref target="RFC6614"/>.
See further details in <xref target="unwanted_packet_handling"/> below.</t>
        <t>RadSec clients, for both reliability and compatibility reasons, <bcp14>SHOULD NOT</bcp14> mix authentication and accounting requests within the same connection. RadSec clients <bcp14>SHOULD</bcp14> use a separate pool of connections on which to send accounting packets in the event the RadSec server does not support sending Protocol-Error.</t>
      </section>
      <section anchor="detecting-live-servers">
        <name>Detecting Live Servers</name>
        <t>RadSec implementations <bcp14>MUST</bcp14> utilize the existence of a TCP, TLS or DTLS connection where applicable in addition to the application-layer watchdog defined in <xref section="3.4" sectionFormat="comma" target="RFC3539"/> when determining the liveness of each connection.</t>
        <t>As RADIUS is a "hop-by-hop" protocol, proxies hide information about the topology downstream to the client.
While the client may be able to deduce the operational state of the next-hop (i.e., proxy), it is unable to determine the operational state of any hops beyond it.
This is particularly problematic for topologies that aggregate multiple routes for differing realms behind a proxy where the absence of a reply could lead to a client to incorrectly deduce that the proxy is unavailable when the cause was an unresponsive downstream hop for a single realm.
A similar effect may also be seen on home servers that use different credential backends for each realm they service.</t>
        <t>To avoid these issues, RadSec clients <bcp14>MUST</bcp14> only mark a connection 'DOWN' (as labeled by <xref section="3.4" sectionFormat="comma" target="RFC3539"/>) if one or more of the following conditions are met:</t>
        <ul spacing="normal">
          <li>
            <t>The network stack indicates that the connection is no longer viable; such as the destination being no longer routable or the underlying TCP connection being closed by the peer.</t>
          </li>
          <li>
            <t>The transport layer, D(TLS), provides no usable connection</t>
          </li>
          <li>
            <t>The application-layer watchdog algorithm has marked it 'DOWN'.</t>
          </li>
        </ul>
        <t>When a client opens multiple connections to a server, it is also possible that only one of the connections is unresponsive, e.g., because the server deleted the DTLS connection shared state or the connection was load balanced on the server side to a backend server that is now unresponsive.
Therefore, the liveness check <bcp14>MUST</bcp14> be done on a per-connection basis, and a failure on one connection <bcp14>MUST NOT</bcp14> lead to all connections to this server being marked down.</t>
        <t>RadSec clients <bcp14>MUST</bcp14> implement the Status-Server extension as described in <xref target="RFC5997"/> as the application level watchdog to detect the liveness of the peer in the absence of responses.
RadSec servers <bcp14>MUST</bcp14> be able to answer to Status-Server requests.
Since RADIUS has a limitation of 256 simultaneous "in flight" packets due to the length of the ID field (<xref section="2.4" sectionFormat="comma" target="RFC3539"/>), it is <bcp14>RECOMMENDED</bcp14> that RadSec clients reserve ID zero (0) on each connection for Status-Server packets.
This value was picked arbitrarily, as there is no reason to choose any other value over another for this use.</t>
        <t>For RADIUS/TLS, the endpoints <bcp14>MAY</bcp14> send TCP keepalives as described in <xref section="3.8.4" sectionFormat="comma" target="RFC9293"/>.
For RADIUS/DTLS connections, the endpoints <bcp14>MAY</bcp14> send periodic keepalives as defined in <xref target="RFC6520"/>.
This is a way of proactively and rapidly triggering a 'Connection DOWN' notification from the network stack.
These liveness checks are essentially redundant in the presence of an application-layer watchdog, but may provide more rapid notifications of connectivity issues.</t>
      </section>
      <section anchor="client-timers">
        <name>Client Timers</name>
        <t>RadSec clients may need to reconnect to a server that rejected their connection attempt and retry RADIUS packets which did not get an answer.
The following sections define the client behavior.</t>
        <section anchor="reconnection-attempts">
          <name>Reconnection attempts</name>
          <t>RadSec endpoints establish a (D)TLS connection before transmitting any RADIUS packets.
Therefore, in addition to retransmission of RADIUS packets, RadSec clients also have to perform connection retries.</t>
          <t>Except in cases where a connection attempt with session resumption was closed by the RadSec server, RadSec clients <bcp14>MUST NOT</bcp14> immediately reconnect to a server after a failed connection attempt.
A connection attempt is treated as failed if it fails at any point until a (D)TLS connection is established successfully.
Typical reconnections <bcp14>MUST</bcp14> have a lower bound for the time in between retries.
The lower bound <bcp14>SHOULD</bcp14> be configurable, but <bcp14>MUST NOT</bcp14> be less than 0.5 seconds.
In cases where the server closes the connection on an attempted TLS session resumption, the client <bcp14>MUST NOT</bcp14> use TLS session resumption for the following connection attempt.</t>
          <t>RadSec clients <bcp14>MUST</bcp14> implement an algorithm for handling the timing of such reconnection attempts that includes an exponential back-off.
Using an algorithm similar to the retransmission algorithm defined in <xref section="2.2.1" sectionFormat="comma" target="RFC5080"/> is <bcp14>RECOMMENDED</bcp14>.
If a different algorithm is used, it <bcp14>SHOULD</bcp14> include a configurable lower and upper bound for the time between retries, a configurable timeout after which the client gives up reconnecting, and a jitter.</t>
          <t>When a reconnection attempt is queued on a reconnection timer, adding subsequent RADIUS packets to be sent <bcp14>SHOULD NOT</bcp14> trigger an immediate reconnection attempt or reset the reconnection timer.
Instead, the algorithm <bcp14>SHOULD</bcp14> continue as it would have without the new RADIUS packet.
However, a client <bcp14>MAY</bcp14> reset the timeout for giving up reconnecting when a new RADIUS packet is queued.</t>
          <t>Where the connection to a RadSec server is configured to be static and always kept open, the reconnect algorithm <bcp14>SHOULD</bcp14> have an upper limit for the time between retries (e.g., 60 seconds) and not give up trying to reconnect.</t>
        </section>
        <section anchor="client_retransmission_timers">
          <name>RADIUS packet retransmission</name>
          <t>RadSec clients <bcp14>MUST</bcp14> implement timers for managing packet retransmissions and timeouts, such as the ones defined in <xref section="2.2.1" sectionFormat="comma" target="RFC5080"/>.
Other algorithms than the one defined in <xref target="RFC5080"/> are possible, but any timer implementation <bcp14>MUST</bcp14> have similar properties of including jitter, exponential backoff and a maximum retransmission count (MRC) and/or maximum retransmission duration (MRD).</t>
          <t>The following description uses "retransmission" to mean the sending of the exact same packet over the same connection and "retry" to mean the sending of a new RADIUS packet with the same logical contents, but over a different connection or with other details changed.
When a packet is retransmitted, the previously encoded packet contents are sent without change.
When a packet is retried, it goes through the usual RADIUS processing (e.g., allocation of a new RADIUS ID, new Authenticator) and is re-encoded and re-signed.</t>
          <t>When a connection fails or is closed, a RadSec client <bcp14>SHOULD</bcp14> retry packets over a different connection, either a different connection to the same server or a different configured server in the same load-balancing/failover pool.
In order to keep the timers consistent, the timers associated with a packet <bcp14>SHOULD NOT</bcp14> be changed when a packet is moved from one connection to another.
At least the MRD timer <bcp14>SHOULD</bcp14> be preserved to prevent packets staying in the queue indefinitely due to regular connection closure.
A RadSec client <bcp14>MUST</bcp14> associate a packet with exactly one connection until either the connection is closed, in which case the association moves to a new connection, or the timers reach MRC or MRD, in which case the packet is discarded.</t>
          <t>The requirements for actions from timers differ for RADIUS/TLS and RADIUS/DTLS.</t>
          <t>As UDP is not a reliable transport, RADIUS/DTLS clients <bcp14>MUST</bcp14> retransmit packets when indicated by the timers to deal with packets dropped by the network.
When the timers reach MRC or MRD, the packet is discarded.</t>
          <t>Since TCP is a reliable transport, RADIUS/TLS clients <bcp14>MUST NOT</bcp14> retransmit packets when indicated by the timers.
They <bcp14>SHOULD</bcp14> still run the full timer algorithm to determine if the maximum retransmission count (MRC) has been reached.
RADIUS/TLS clients will then use MRC or MRD to determine that a packet has not received a response and the ID of this packet can be re-used for new packets.</t>
          <t>See <xref target="duplicates_retransmissions"/> for more discussion on retransmission behavior.</t>
        </section>
      </section>
      <section anchor="dtls-connection-limits-and-timeout">
        <name>(D)TLS connection limits and timeout</name>
        <t>While RADIUS/UDP could be implemented mostly statelessly (except for the requests in flight and possibly <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/> deduplication), both TCP/TLS as well as DTLS require additional state tracking of the underlying (D)TLS connection and are thus subject to potential resource exhaustion.
This is aggravated by the fact that RADIUS client/servers are often statically configured and thus form long-running peer relationships with long-running connections.</t>
        <t>Implementations <bcp14>SHOULD</bcp14> have configurable limits on the number of open connections.
When this maximum is reached and a new (D)TLS connection is needed, the server <bcp14>MUST</bcp14> either drop an old connection in order to open the new one or else not create a new connection.</t>
        <t>The close notification of (D)TLS or underlying connections are not fully reliable, or connections might be unnecessarily kept alive by heartbeat or watchdog traffic, occupying resources.
Therefore, both RadSec clients and servers <bcp14>MAY</bcp14> close connections after they have been idle for some time (no traffic except application layer watchdog).
This idle timeout <bcp14>SHOULD</bcp14> be configurable within reasonable limits and it <bcp14>SHOULD</bcp14> be possible to disable idle timeouts completely.</t>
        <t>On the server side, this mostly helps avoid resource exhaustion.
For clients, proactively closing connections can also help mitigate situations where watchdog mechanisms are unavailable or fail to detect non-functional connections.
Some scenarios or RADIUS protocol extensions could also require that a connection be kept open at all times, so clients <bcp14>MAY</bcp14> immediately re-open the connection.
These scenarios could be related to monitoring the infrastructure or to allow the server to proactively send packets to the clients without a preceding request.</t>
        <t>The value of the idle timeout to use depends on the exact deployment and is a trade-off between resource usage on clients/servers and the overhead of opening new connections.
Very short timeouts that are at or below the timeouts used for application layer watchdogs, typically in the range of 30-60s can be considered unreasonable.
In contrast, the upper limit is much more difficult to define but may be in the range of 10 to 15 min, depending on the available resources, or never (disabling idle timeout) in scenarios where a permanently open connection is required.</t>
      </section>
      <section anchor="behavior-on-dtls-connection-closure-of-incoming-connections">
        <name>Behavior on (D)TLS connection closure of incoming connections</name>
        <t>If an incoming (D)TLS connection or the underlying transport channel is closed or broken, then there is no way to send a RADIUS response packet to the client.
The RadSec server behavior then depends on the types of packets being processed, and on the role of the server.</t>
        <t>A RadSec server <bcp14>MUST</bcp14> discard or stop all requests that are associated with the closed connection.  This requirement also applies to proxied requests which are associated with the incoming request.
As no response can be sent over the now-closed (D)TLS connection, any further processing of those requests is pointless.
A discarded request may have a cached RADIUS response packet (<xref section="2.2.2" sectionFormat="comma" target="RFC5080"/>), in which case the cached response also <bcp14>MUST</bcp14> be discarded.
If there is no cached response packet, then the request might still be processed by the home server.
The RADIUS proxy <bcp14>MUST</bcp14> discard any response to these requests and <bcp14>SHOULD</bcp14> stop processing the requests.</t>
        <t>A home server which receives Access-Request packets <bcp14>MUST</bcp14> behave as defined above for a proxy and discard those requests and stop processing them.
Where a RADIUS packet is part of a multi-packet authentication session (e.g., EAP), the underlying authentication session could be continued, or the underlying authentication session data could be discarded.
The server may be able to receive and process another packet for that authentication session via a different incoming connection.
It is difficult to make more recommendations for managing partially processed authentication sessions, as such recommendations depend strongly on the authentication method being used.
As a result, further behavior is implementation defined and outside the scope of this specification.</t>
        <t>A home server which receives other kinds of packets (for example Accounting-Request, CoA-Request, Disconnect-Request) <bcp14>MAY</bcp14> finish processing outstanding requests, and then discard any response.
This behavior ensures that the desired action is still taken, even if the home server cannot inform the client of the result of that action.</t>
      </section>
      <section anchor="malformed-packets-and-unknown-clients">
        <name>Malformed Packets and Unknown clients</name>
        <t>The RADIUS specifications say that an implementation should "silently discard" a packet in a number of circumstances.
This action has no further consequences for UDP based transports, as the "next" packet is completely independent of the previous one.</t>
        <t>When TLS is used as transport, decoding the "next" packet on a connection depends on the proper decoding of the previous packet.
As a result the behavior with respect to discarded packets has to change, since a malformed RADIUS packet could impact the decoding of succeeding packets.</t>
        <t>With DTLS, the "next" packet does not depend on proper decoding of the previous packet, since the RADIUS packets are sent in independent DTLS records (see <xref target="radius_packet_handling"/>).
However, since both TLS and DTLS provide integrity protection and ensure that the packet was sent by the peer, a protocol violation at this stage implies that the peer is misbehaving.</t>
        <t>Subject to the discussion below, implementations of this specification <bcp14>SHOULD</bcp14> treat the text on "silently discard" packets in the RADIUS specifications as "silently discard the packet and close the connection".
That is, the implementation <bcp14>SHOULD</bcp14> send a (D)TLS close notification and, in the case of RADIUS/TLS, the underlying TCP connection <bcp14>MUST</bcp14> be closed if any of the following circumstances are seen:</t>
        <ul spacing="normal">
          <li>
            <t>Connection from an unknown client</t>
          </li>
          <li>
            <t>Packet where the RADIUS <tt>Length</tt> field is less than the minimum RADIUS packet length</t>
          </li>
          <li>
            <t>Packet where the RADIUS <tt>Length</tt> field is more than the maximum RADIUS packet length</t>
          </li>
          <li>
            <t>Packet where an Attribute <tt>Length</tt> field has the value of zero or one (0 or 1)</t>
          </li>
          <li>
            <t>Packet where the attributes do not exactly fill the packet</t>
          </li>
          <li>
            <t>Packet where the Request Authenticator fails validation (where validation is required)</t>
          </li>
          <li>
            <t>Packet where the Response Authenticator fails validation (where validation is required)</t>
          </li>
          <li>
            <t>Packet where the Message-Authenticator attribute fails validation (when it occurs in a packet)</t>
          </li>
        </ul>
        <t>After applying the above rules, there are still situations where the previous specifications allow a packet to be "silently discarded" upon receipt, but in which it is reasonable that a connection <bcp14>MAY</bcp14> remain open:</t>
        <ul spacing="normal">
          <li>
            <t>Packet with an invalid code field (see <xref target="radius_packets"/> for details)</t>
          </li>
          <li>
            <t>Response packets that do not match any outstanding request</t>
          </li>
          <li>
            <t>A server lacking the resources to process a request</t>
          </li>
        </ul>
        <t>These requirements reduce the possibility for a misbehaving client or server to wreak havoc on the network.</t>
      </section>
      <section anchor="cross-protocol-considerations">
        <name>Cross Protocol Considerations</name>
        <t>A client may be configured to use multiple servers, and therefore needs to be able to distinguish servers from one another.  Those servers may use different transport protocols, in any combination.  For example, a client may be configured with a RADIUS/UDP server, and RADIUS/DTLS server, and a RADIUS/TLS server all at the same time.  These servers may share IP addresses, but not the same UDP or TCP ports.  These considerations also affect RADIUS servers.</t>
        <t>RADIUS implementations <bcp14>MUST</bcp14> be able to distinguish servers by at least the 3-tuple of:</t>
        <ul spacing="normal">
          <li>
            <t>protocol (one of RADIUS/UDP, RADIUS/DTLS, or RADIUS/TLS)</t>
          </li>
          <li>
            <t>server IP address,</t>
          </li>
          <li>
            <t>server port number.</t>
          </li>
        </ul>
        <t>Implementations <bcp14>MUST NOT</bcp14> exchange both insecure and secure traffic on the same UDP or TCP port.  It is <bcp14>RECOMMENDED</bcp14> that implementations make it impossible for such a configuration to be created.</t>
        <t>Where a server accepts packets on multiple different 3-tuples (protocol, server IP address, server port number), it <bcp14>MUST</bcp14> track clients independently for each 3-tuple combination.  A RADIUS client has no way of knowing if different 3-tuple combinations are all managed by the same RADIUS server.  Therefore, the server behavior has to be compatible with the clients expectations.</t>
        <t>When a server receives a packet from a source IP address on a 3-tuple, it <bcp14>MUST</bcp14> process that packet according to the profile for that 3-tuple.  This requirement means that (for example), a server can be configured to accept RADIUS/UDP traffic on multiple UDP ports, and then have a completely different (and non-overlapping) set of clients configured for each port.</t>
        <t>While this behavior is not required by previous specifications, it codifies long-standing practices.  As such, existing server implementations likely do not need to do anything in order to support the requirements of this section.</t>
      </section>
    </section>
    <section anchor="radiustls-specific-specifications">
      <name>RADIUS/TLS-specific specifications</name>
      <t>This section discusses all specifications that are only relevant for RADIUS/TLS.</t>
      <section anchor="sending-and-receiving-radius-traffic">
        <name>Sending and receiving RADIUS traffic</name>
        <t>The TLS layer of RADIUS/TLS provides a stream-based communication between the two peers instead of the packet-based communication as with RADIUS/UDP.
As a result, the way RADIUS packets are sent and received has to change.</t>
        <t>Instead of relying on the underlying transport protocol to indicate the start of a new packet, the RADIUS/TLS endpoints have to keep track of the packet borders by examining the header of the received RADIUS packets.</t>
        <t>After the TLS connection is established, a RADIUS/TLS endpoint <bcp14>MUST NOT</bcp14> send any data except for RADIUS packets over the connection.
Since the RADIUS packet header contains a <tt>Length</tt> field, the end of the current RADIUS packet can be deduced.
The next RADIUS packet <bcp14>MUST</bcp14> be sent directly after the current RADIUS packet, that is, the endpoints <bcp14>MUST NOT</bcp14> add padding before, between, or after RADIUS packets.</t>
        <t>When receiving RADIUS packets, a RADIUS/TLS endpoint <bcp14>MUST</bcp14> determine the borders of RADIUS packet based on the <tt>Length</tt> field in the RADIUS header.
Note that, due to the stream architecture of TLS, it is possible that a RADIUS packet is first received only partially, and the remainder of the packet is contained in following fragments.
Therefore, RADIUS/TLS endpoints <bcp14>MUST NOT</bcp14> assume that the packet length is invalid solely based on the currently available data in the stream.  More data may come at a later time.</t>
        <t>It is <bcp14>RECOMMENDED</bcp14> that RADIUS/TLS implementations pass a RADIUS packet to the TLS library as one unit, instead of in multiple fragments.  This behavior avoids unnecessary overhead when sending or receiving (especially if every new write generates a new TLS record) and wait times on the other endpoint.</t>
      </section>
      <section anchor="duplicates_retransmissions">
        <name>Duplicates and Retransmissions</name>
        <t>As TCP is a reliable transport, RADIUS/TLS endpoints <bcp14>MUST NOT</bcp14> retransmit RADIUS packets over a given TCP connection.
However, if the TLS connection or TCP connection is closed or broken, retries over new connections are permissible.
RADIUS request packets that have not yet received a response <bcp14>MAY</bcp14> be transmitted by a RADIUS/TLS client over a new connection.
As this procedure involves using a new connection, the ID of the packet <bcp14>MAY</bcp14> change.
If the ID changes, any security attributes such as Message-Authenticator <bcp14>MUST</bcp14> be recalculated.</t>
        <t>Despite the above discussion, RADIUS/TLS servers <bcp14>SHOULD</bcp14> still perform duplicate detection on received packets, as described in <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/>.
This detection can prevent duplicate processing of packets from non-conforming clients.</t>
        <t>RADIUS clients <bcp14>MUST NOT</bcp14> perform retries by sending a packet on a different protocol or connection proactively.
However, when a connection fails, a RADIUS client <bcp14>MAY</bcp14> send packets associated with that connection over a different configured connection or server.
This requirement does not, therefore, forbid the practice of putting servers with the same IP address and port number but different protocols into a failover or load-balancing pool.
In that situation, RADIUS requests <bcp14>MAY</bcp14> be sent to another server that is known to be part of the same pool.</t>
      </section>
    </section>
    <section anchor="dtls_spec">
      <name>RADIUS/DTLS-specific specifications</name>
      <t>This section discusses all specifications that are only relevant for RADIUS/DTLS.</t>
      <section anchor="radius_packet_handling">
        <name>RADIUS packet handling</name>
        <t>The DTLS encryption adds an overhead to each packet sent.
RADIUS/DTLS implementations <bcp14>MUST</bcp14> support sending and receiving RADIUS packets of 4096 bytes in length, with a corresponding increase in the maximum size of the encapsulated DTLS packets.
This larger packet size may cause the UDP packet to be larger than the Path MTU (PMTU), which causes the packet to be fragmented.
Implementers and operators should be aware of the possibility of fragmented UDP packets.
For details about issues with fragmentation see <xref target="RFC8900"/>.</t>
        <t>RADIUS/DTLS endpoints <bcp14>MUST</bcp14> send exactly one RADIUS packet per DTLS record.
This ensures that the RADIUS packets do not get fragmented at a point where a re-ordering of UDP packets would result in decoding failures.
The DTLS specification mandates that a DTLS record must not span multiple UDP datagrams (<xref section="4.3" sectionFormat="comma" target="RFC9147"/>).
A single UDP datagram may, however, contain multiple DTLS records.
RADIUS/DTLS endpoints <bcp14>MAY</bcp14> use this behavior to send multiple RADIUS packets in one UDP packet.</t>
        <t>For the receiving RADIUS/DTLS endpoint, the length checks defined in <xref section="3" sectionFormat="comma" target="RFC2865"/> still apply.
That is, a receiving RADIUS/DTLS endpoint <bcp14>MUST</bcp14> perform all the length checks, but <bcp14>MUST</bcp14> use the length of the decrypted payload of the DTLS record instead of the UDP packet length.
Exactly one RADIUS packet is encapsulated in a DTLS record, and any data outside the range of the RADIUS length field within the decrypted payload of a single DTLS record <bcp14>MUST</bcp14> be treated as padding, as it would be with a RADIUS/UDP packet, and be ignored.  RADIUS implementations <bcp14>MUST NOT</bcp14> discard packets simply due to the existence of padding.
For UDP datagrams containing multiple DTLS records, each DTLS record <bcp14>MUST</bcp14> be parsed individually.</t>
        <t>If a RADIUS packet needs to be re-transmitted, either as retransmission due to a missing response by the client or as retransmission of a cached response by the server, the RADIUS/DTLS endpoints <bcp14>MUST</bcp14> re-process the RADIUS packet through DTLS.
That is, for the purpose of retransmissions, RADIUS/DTLS endpoints cache the RADIUS packet, as a RADIUS/UDP endpoint would, and do not cache the DTLS record that contains the RADIUS packet.</t>
      </section>
      <section anchor="server-behavior">
        <name>Server behavior</name>
        <t>When a RADIUS/DTLS server receives packets on the configured RADIUS/DTLS port, all received packets <bcp14>MUST</bcp14> be treated as being RADIUS/DTLS.
RADIUS/UDP packets <bcp14>MUST NOT</bcp14> be accepted on this port.</t>
        <t>Some servers maintain a list of allowed clients per destination port.
Others maintain a global list of clients that are permitted to send packets to any port.
As such, a RADIUS/DTLS server <bcp14>MUST</bcp14> maintain a "DTLS Required" flag per client.</t>
        <t>This flag indicates whether or not that client is required to use DTLS.
When set, the flag indicates that the only traffic accepted from the client is over the RADIUS/DTLS port.  All non-DTLS traffic <bcp14>MUST</bcp14> be silently discarded.</t>
        <t>This flag is normally set by an administrator.
However, if the server receives DTLS traffic from a client, it <bcp14>SHOULD</bcp14> notify the administrator that DTLS is available for that client.
A server <bcp14>MAY</bcp14> automatically mark the client as "DTLS Required".</t>
      </section>
      <section anchor="client-behavior">
        <name>Client behavior</name>
        <t>When a RADIUS/DTLS client sends packet to a RADIUS/DTLS port, all packets <bcp14>MUST</bcp14> be DTLS.
RADIUS/UDP packets <bcp14>MUST NOT</bcp14> be sent to this port.</t>
        <t>RADIUS/DTLS clients <bcp14>SHOULD NOT</bcp14> probe servers to see if they support DTLS transport.
Instead, clients <bcp14>SHOULD</bcp14> use DTLS as a transport layer only when administratively configured.</t>
      </section>
    </section>
    <section anchor="implementation-considerations">
      <name>Implementation Considerations</name>
      <t>This section discusses topics related to the internal behavior of RadSec implementations that should be considered by RadSec implementers.</t>
      <section anchor="radius-implementation-changes">
        <name>RADIUS Implementation Changes</name>
        <t>The RADIUS packet format is unchanged from <xref target="RFC2865"/>, <xref target="RFC2866"/> and <xref target="RFC5176"/>.
Specifically, all of the following portions of RADIUS remain unchanged when using RadSec:</t>
        <ul spacing="normal">
          <li>
            <t>Packet format</t>
          </li>
          <li>
            <t>Permitted codes</t>
          </li>
          <li>
            <t>Request Authenticator calculation</t>
          </li>
          <li>
            <t>Response Authenticator calculation</t>
          </li>
          <li>
            <t>Minimum packet length</t>
          </li>
          <li>
            <t>Maximum packet length</t>
          </li>
          <li>
            <t>Attribute format</t>
          </li>
          <li>
            <t>Vendor-Specific Attribute (VSA) format</t>
          </li>
          <li>
            <t>Permitted data types</t>
          </li>
          <li>
            <t>Calculation of dynamic attributes such as CHAP-Challenge, or Message-Authenticator</t>
          </li>
          <li>
            <t>Calculation of "encrypted" attributes such as Tunnel-Password.</t>
          </li>
        </ul>
        <t>The use of (D)TLS transport does not change the calculation of security-related fields (such as the Response-Authenticator) in RADIUS <xref target="RFC2865"/> or RADIUS Dynamic Authorization <xref target="RFC5176"/>.
Calculation of attributes such as User-Password <xref target="RFC2865"/> or Message-Authenticator <xref target="RFC3579"/> also does not change.</t>
        <t>The changes to RADIUS implementations required to implement this specification are largely limited to the portions that send and receive packets on the network, and to the establishment of the (D)TLS connection.
The fact that RADIUS remains largely unchanged ensures the simplest possible implementation and widest interoperability of the specification.
This reuse includes the usage of the outdated security mechanisms in RADIUS that are based on shared secrets and MD5.
The use of MD5 here is not considered a security issue, since integrity and confidentiality are provided by the (D)TLS layer.  See <xref target="security_considerations"/> of this document or <xref target="RFC9765"/> for more details.  See also <xref section="1" sectionFormat="comma" target="RFC9765"/> for a discussion of issues related to the continued use of MD5, even in situations where its use is known to be safe.</t>
        <t>Note that for RADIUS/DTLS the DTLS encapsulation of RADIUS means that UDP datagrams include an additional overhead due to DTLS.
This is discussed further in <xref target="dtls_spec"/>.</t>
        <section anchor="unwanted_packet_handling">
          <name>Differences from RFC 6614 unwanted RADIUS packet handling</name>
          <t>The previous specification of RADIUS/TLS in <xref target="RFC6614"/> recommended sending a reply to unwanted RADIUS packets that depends on the request type:</t>
          <ul spacing="normal">
            <li>
              <t>For unwanted CoA-Requests or Disconnect-Requests, the servers should respond with a CoA-NAK or Disconnect-NAK, respectively.</t>
            </li>
            <li>
              <t>For unwanted Accounting-Requests, the servers should respond with an Accounting-Response containing an Error-Cause attribute with the value 406 ("Unsupported Extension").</t>
            </li>
          </ul>
          <t><xref target="RFC6614"/> also recommended that a RADIUS/TLS client observing this Accounting-Response should stop sending Accounting-Request packets to this server.
This behavior, however, could lead to problems, especially in proxy fabrics, since the RADIUS client cannot determine whether the reply came from the correct server or a RADIUS proxy along the way.</t>
          <t>Compared to the <xref target="RFC6614"/> recommended replies (CoA-NAK, Disconnect-NAK and Accounting-Response), the Protocol-Error packet is explicitly only applicable to one RADIUS hop and must not be forwarded, which gives the RADIUS client the opportunity to re-route the unwanted packet to a different RADIUS server.
This also is backwards compatible with existing implementations, since RADIUS clients must ignore any incoming RADIUS packets with an unknown packet type.
Therefore, these <xref target="RFC6614"/> recommended reply message types are now replaced with the Protocol-Error packet type.</t>
        </section>
      </section>
      <section anchor="forwarding-radius-packets-between-udp-and-tcp-based-transports">
        <name>Forwarding RADIUS packets between UDP and TCP based transports</name>
        <t>When a RADIUS proxy forwards packets, it is possible that the incoming and outgoing links have substantially different properties.
This issue is most notable in UDP to TCP proxying, but there are still possible issues even when the same transport is used on both incoming and outgoing links.
<xref section="1.2" sectionFormat="comma" target="RFC2866"/> noted this issue many years ago:</t>
        <artwork><![CDATA[
A forwarding server may either perform its forwarding function in a
pass through manner, where it sends retransmissions on as soon as it
gets them, or it may take responsibility for retransmissions, for
example in cases where the network link between forwarding and remote
server has very different characteristics than the link between NAS
and forwarding server.
]]></artwork>
        <t>These differences are most notable in throughput, and in differing retransmission requirements.</t>
        <section anchor="throughput-differences-lead-to-network-collapse">
          <name>Throughput Differences lead to Network Collapse</name>
          <t>An incoming link to the proxy may have substantially different throughput than the outgoing link.
Perhaps the network characteristics on the two links are different, or perhaps the home server is slow.
In both situations, the proxy may be left with a difficult choice about what to do with the incoming packets, if the rate of incoming packets exceeds throughput on the outgoing link.</t>
          <t>As RADIUS does not provide for connection-based congestion control, there is no way for the proxy to signal on the incoming link that the client should slow its rate of sending packets.
As a result, the proxy generally will accept the packets, buffer them, and hope that they can be sent outbound before the client gives up on the request.  Other courses of action are possible, but are implementation specific.  See <xref target="I-D.dekok-protocol-error"/> for more discussion on this topic.</t>
        </section>
        <section anchor="differing-retransmission-requirements">
          <name>Differing Retransmission Requirements</name>
          <t>Since UDP datagrams can be lost, RADIUS/UDP and RADIUS/DTLS transports are required to perform retransmissions as per <xref section="2.2.1" sectionFormat="comma" target="RFC5080"/>.
In contrast, RADIUS/TCP and RADIUS/TLS transports are reliable, and do not perform retransmissions.
These requirements lead to an issue for proxies when they send packets across protocol boundaries with differing retransmission behaviors.</t>
          <t>When a proxy receives packets on an unreliable transport, and forwards them across a reliable transport, it receives retransmissions from the client, but <bcp14>MUST NOT</bcp14> forward those retransmissions across the reliable transport.
The proxy <bcp14>MAY</bcp14> log information about these retransmissions, but it does not perform any other action.</t>
          <t>When a proxy receives RADIUS packets on a reliable transport, and forwards them across an unreliable transport, the proxy <bcp14>MUST</bcp14> perform retransmissions across the unreliable transport as per <xref section="2.2.1" sectionFormat="comma" target="RFC5080"/>.
That is, the proxy takes responsibility for the retransmissions.
Implementations <bcp14>MUST</bcp14> take care to not completely decouple the two transports in this situation.
See <xref target="radius_packet_handling"/> for details on retransmitting RADIUS packets over DTLS.</t>
          <t>That is, if an incoming connection on a reliable transport is closed, there may be pending retransmissions on an outgoing unreliable transport.
Those retransmissions <bcp14>MUST</bcp14> be stopped, as there is nowhere to send the reply.
Similarly, if the proxy sees that the client has given up on a request (such as by re-using an Identifier before the proxy has sent a response), the proxy <bcp14>MUST</bcp14> stop all retransmissions of the old request and discard it.</t>
          <t>The above requirements are a logical extension of the common practice where a client stops retransmission of a packet once it decides to "give up" on the packet and discard it.
Whether this discard process is due to internal client decisions, or interaction with incoming connections is irrelevant.
When the client cannot do anything with responses to a request, it <bcp14>MUST</bcp14> stop retransmitting that request.</t>
        </section>
        <section anchor="acct-delay-time-and-event-timestamp">
          <name>Acct-Delay-Time and Event-Timestamp</name>
          <t>In order to avoid congestion, it is <bcp14>RECOMMENDED</bcp14> that RadSec clients which originate Accounting-Request packets (i.e., not proxies) do not include Acct-Delay-Time (<xref section="5.2" sectionFormat="comma" target="RFC2866"/>) in those packets.
Instead, those clients <bcp14>SHOULD</bcp14> include Event-Timestamp (<xref section="5.3" sectionFormat="comma" target="RFC2869"/>), which is the time at which the original event occurred.
The Event-Timestamp <bcp14>MUST NOT</bcp14> be updated on any retransmissions, as that would both negate the meaning of Event-Timestamp, and create the same problem as with Acct-Delay-Time.</t>
          <t>Not using Acct-Delay-Time allows for RADIUS Accounting-Request packets to be retransmitted without change.
In contrast, updating Acct-Delay-Time would require that the client create and send a new Accounting-Request packet without signaling the server that the previous packet is no longer considered active.
This process can occur repeatedly, which leads to multiple different packets containing effectively the same information (except for Acct-Delay-Time).
This duplication contributes to congestion of the network, if one or more RADIUS proxies performs retransmission to the next hop for each of those packets independently.
See <xref target="proxy_rationale"/> for a more detailed explanation of the problem and its implications.</t>
          <t>Additionally, the different properties of the RADIUS/TLS transport as well as cross-protocol proxying change the assumption of a negligible transmission time of the RADIUS packet, on which the value of Acct-Delay-Time is based.
While a single UDP packet may have a negligible transmission time, application data sent via TLS could arrive at the server with a significant delay due to the underlying TCP retransmission mechanism.
If the packet is proxied from RADIUS/TLS to RADIUS/DTLS or RADIUS/UDP, the proxy has to retransmit on its own without changing the value of Acct-Delay-Time, which again introduces non-negligible transmission delays.</t>
          <t>Using Event-Timestamp instead of Acct-Delay-Time also removes an ambiguity around retransmitted packets for RADIUS/TLS.
Since there is no change to the packet contents when a retransmission timer expires, no new packet ID is allocated, and therefore no new packet is created.</t>
          <t>Where RadSec clients do include Acct-Delay-Time in RADIUS packets, the client <bcp14>SHOULD</bcp14> use timers to detect packet loss, as described in <xref target="client_retransmission_timers"/>.
Where RadSec clients do include Acct-Delay-Time in RADIUS packets, the client can rely on the Event-Timestamp to signal delays, and therefore <bcp14>SHOULD NOT</bcp14> update the Acct-Delay-Time. If the timer has determined that the original packet has been completely lost, the client <bcp14>SHOULD</bcp14> then create a new RADIUS packet with the same information, and <bcp14>MAY</bcp14> update Acct-Delay-Time.
This behavior ensures that there is no congestive collapse, since a new packet is only created if following hops have also given up on retransmission.
The Event-Timestamp is then interpreted as the time at which the event occurred.  Where Acct-Delay-Time exists, it is then interpreted as the delay between the event and when the packet was sent. Systems <bcp14>MUST NOT</bcp14> subtract the Acct-Delay-Time from Event-Timestamp to derive a time at which the event occurred; that time is exactly Event-Timestamp.  The existence of Acct-Delay-Time instead serves as an additional indication of delays in sending the packet.
Leaving the Acct-Delay-Time static reduces the granularity of Acct-Delay-Time to the retransmission timeout, compared to the different approach of updating the Acct-Delay-Time on each retransmission.</t>
        </section>
      </section>
      <section anchor="additional-verification-of-peers">
        <name>Additional Verification of Peers</name>
        <t>There are numerous trust models in PKIX environments, and it is beyond the scope of this document to define how a particular deployment determines whether a client is trustworthy.
Implementations that want to support a wide variety of trust models should expose as many details of the presented certificate to the administrator as possible so that the trust model can be implemented by the administrator.
As a suggestion, at least the following information from the TLS connection and the X.509 client certificate should be exposed:</t>
        <ul spacing="normal">
          <li>
            <t>Originating IP address</t>
          </li>
          <li>
            <t>Certificate Fingerprint</t>
          </li>
          <li>
            <t>Issuer</t>
          </li>
          <li>
            <t>Subject</t>
          </li>
          <li>
            <t>all X.509v3 Extended Key Usage</t>
          </li>
          <li>
            <t>all X.509v3 Subject Alternative Name</t>
          </li>
          <li>
            <t>all X.509v3 Certificate Policy</t>
          </li>
        </ul>
        <t>Similar to the PKIX trust model, clients using TLS-PSK may have additional policies to determine whether a client should be allowed to connect.
Therefore, in TLS-PSK operation, at least the following information from the TLS connection should be exposed:</t>
        <ul spacing="normal">
          <li>
            <t>Originating IP address</t>
          </li>
          <li>
            <t>TLS-PSK Identifier</t>
          </li>
        </ul>
      </section>
      <section anchor="tcp-applications-are-not-udp-applications">
        <name>TCP Applications Are Not UDP Applications</name>
        <t>Implementers should be aware that programming a robust TCP-based application can be very different from programming a robust UDP-based application.</t>
        <t>Additionally, differences in the transport like head-of-line blocking and the possibility of increased transmission times should be considered.</t>
        <t>When using RADIUS/UDP or RADIUS/DTLS, there is no ordering of packets.
If a packet sent by an endpoint is lost, that loss has no effect on subsequent packets sent by that endpoint.</t>
        <t>Unlike UDP, TCP is subject to issues related to head-of-line blocking.
This occurs when a TCP segment is lost and a subsequent TCP segment arrives out of order.
While the RADIUS endpoints can process RADIUS packets out of order, the semantics of TCP makes this impossible.
This limitation can lower the maximum packet processing rate of RADIUS/TLS.
In severe cases, this may have a noticeable effect on all authentications that run over the congested connection, especially authentications with multiple round trips such as EAP-based authentications.
In contrast, when a RADIUS/UDP or RADIUS/DTLS packet is lost, only this authentication session is affected.
Additionally, due to the architecture of TCP as reliable stream transport, TCP retransmissions can occur significantly later, even multiple seconds, after the original data was passed to the network stack by the application.
In contrast, RADIUS/UDP packets are usually received either quickly, or not at all, in which case the RADIUS/UDP stack triggers a retransmission of the packet on the application layer.
This can impact or distort the accuracy of RADIUS attributes for timing which assume a negligible network delay, namely Acct-Delay-Time.</t>
      </section>
      <section anchor="dtls-session-management">
        <name>DTLS Session Management</name>
        <t>Where RADIUS/TLS can rely on the TCP state machine to perform session tracking, RADIUS/DTLS cannot.
As a result, implementations of RADIUS/DTLS may need to perform session management of the DTLS session in the application layer.
This subsection describes logically how this tracking is done.
Implementations <bcp14>MAY</bcp14> choose to use the method described here, using a 5-tuple per connection, or another, equivalent method.
DTLS 1.3 provides Connection IDs, and an equivalent extension is available for DTLS 1.2 <xref target="RFC9146"/>.
When Connection IDs or any other tracking method are used for connection tracking, note that IP address based policies <bcp14>MUST</bcp14> still be applied for all incoming packets, similar to the mandated behavior for TLS Session Resumption in <xref target="tls_session_resumption"/>.
This is to prevent circumventing IP address based restrictions, if a client opens the connection from the allowed IP address range, but then moves to another, untrusted network.</t>
        <t><xref section="2.2.2" sectionFormat="comma" target="RFC5080"/> already mandates a duplicate detection cache.
The session tracking described below can be seen as an extension of that cache, where entries contain DTLS sessions instead of RADIUS/UDP packets.</t>
        <section anchor="server-session-management">
          <name>Server Session Management</name>
          <t>A RADIUS/DTLS server using the 5-tuple method <bcp14>MUST</bcp14> track ongoing DTLS sessions for each client, based on the following 5-tuple:</t>
          <ul spacing="normal">
            <li>
              <t>source IP address</t>
            </li>
            <li>
              <t>source port number</t>
            </li>
            <li>
              <t>destination IP address</t>
            </li>
            <li>
              <t>destination port number</t>
            </li>
            <li>
              <t>protocol (fixed to <tt>UDP</tt>)</t>
            </li>
          </ul>
          <t>Note that this 5-tuple is independent of IP protocol version (IPv4 or IPv6).</t>
          <t>Each 5-tuple points to a unique session entry, which usually contains the following information:</t>
          <dl>
            <dt>DTLS Session:</dt>
            <dd>
              <t>Any information required to maintain and manage the DTLS session.</t>
            </dd>
            <dt>DTLS Data:</dt>
            <dd>
              <t>An implementation-specific variable that may contain information about the active DTLS session.
This variable may be empty or nonexistent.</t>
            </dd>
            <dt/>
            <dd>
              <t>This data will typically contain information such as idle timeouts, session lifetimes, and other implementation-specific data.</t>
            </dd>
          </dl>
          <section anchor="session-opening-and-closing">
            <name>Session Opening and Closing</name>
            <t>Session tracking is subject to Denial-of-Service (DoS) attacks due to the ability of an attacker to forge UDP traffic.
RADIUS/DTLS servers <bcp14>SHOULD</bcp14> use the stateless cookie tracking technique described in <xref section="4.2.1" sectionFormat="comma" target="RFC6347"/> for DTLS 1.2 and <xref section="5.1" sectionFormat="comma" target="RFC9147"/> for DTLS 1.3.
DTLS sessions <bcp14>SHOULD NOT</bcp14> be tracked until a ClientHello packet has been received with an appropriate Cookie value.
Server implementation <bcp14>SHOULD</bcp14> have a way of tracking DTLS sessions that are partially set up.
Servers <bcp14>MUST</bcp14> limit both the number and impact on resources of partial sessions.</t>
            <t>Sessions (both 5-tuple and entry) <bcp14>MUST</bcp14> be deleted when the DTLS session is closed for any reason.
When a session is deleted due to it failing security requirements, the DTLS session <bcp14>MUST</bcp14> be closed, any TLS session resumption parameters for that session <bcp14>MUST</bcp14> be discarded, and all tracking information <bcp14>MUST</bcp14> be deleted.</t>
            <t>Since UDP is stateless, the potential exists for the client to initiate a new DTLS session using a particular 5-tuple, before the server has closed the old session.
For security reasons, the server <bcp14>MUST</bcp14> keep the old session active until either it has received secure notification from the client that the session is closed or the server decides to close the session based on idle timeouts.
Taking any other action would permit unauthenticated clients to perform a DoS attack, by reusing a 5-tuple and thus causing the server to close an active (and authenticated) DTLS session.</t>
            <t>As a result, servers <bcp14>MUST</bcp14> ignore any attempts to reuse an existing 5-tuple from an active session.
This requirement can generally be reached by simply processing the packet through the existing DTLS session, as with any other packet received via that 5-tuple.
Non-compliant, or unexpected packets will be ignored by the DTLS layer.</t>
          </section>
        </section>
        <section anchor="client-session-management">
          <name>Client Session Management</name>
          <t>RADIUS/DTLS clients <bcp14>SHOULD NOT</bcp14> send both RADIUS/UDP and RADIUS/DTLS packets to different servers from the same source socket.
This practice causes increased complexity in the client application and increases the potential for security breaches due to implementation issues.</t>
        </section>
      </section>
    </section>
    <section anchor="security_considerations">
      <name>Security Considerations</name>
      <t>As this specification relies on the existing TLS and DTLS specifications, all security considerations for these protocols also apply to the (D)TLS portions of RadSec.</t>
      <t>For RADIUS however, many security considerations raised in the RADIUS documents are related to RADIUS encryption and authorization.
Those issues are largely mitigated when (D)TLS is used as a transport method, since encryption and authorization is achieved on the (D)TLS layer.
The issues that are not mitigated by this specification are related to the RADIUS packet format and handling, which is unchanged in this specification.</t>
      <t>A few remaining security considerations and notes to administrators deploying RadSec are listed below.</t>
      <section anchor="mixing-secure-and-insecure-traffic">
        <name>Mixing Secure and Insecure Traffic</name>
        <t>It is <bcp14>RECOMMENDED</bcp14> that servers do not accept both secure and insecure traffic from the same source IP address.  Allowing RADIUS/UDP and RADIUS/DTLS from the same client exposes the traffic to downgrade attacks and is <bcp14>NOT RECOMMENDED</bcp14>.</t>
        <t>Administrators of a client can place servers into a load-balance or fail-over pools, no matter what the combination of values in the 3-tuple which identifies a server. However, administrators should limit these pools to servers with a similar security profile, e.g., all UDP, or all (D)TLS. Mixing insecure traffic with secure traffic will likely create security risks.</t>
      </section>
      <section anchor="radius-proxies">
        <name>RADIUS Proxies</name>
        <t>RadSec provides authentication, integrity and confidentiality protection for RADIUS traffic for a single hop between two RADIUS endpoints.
In the presence of proxies, intermediate proxies can still inspect the individual RADIUS packets, i.e., "end-to-end" encryption on the RADIUS layer is not provided.
Where intermediate proxies are untrusted, it is desirable to use other RADIUS mechanisms to prevent critical RADIUS attributes from inspection by such proxies.
One common method is to protect user credentials by using the Extensible Authentication Protocol (EAP) and EAP methods that utilize TLS.
However, in typical use cases there still remain attributes potentially containing confidential data (such as personally identifiable information or cryptographic keys) which cannot be protected from inspection by proxies.</t>
        <t>Additionally, when RADIUS proxies are used, the RADIUS client has no way of ensuring that the complete path of the RADIUS packet is protected, since RADIUS routing is done hop-by-hop and any intermediate proxy may be configured, after receiving a RADIUS packet via RadSec from one endpoint, to forward this packet to a different endpoint using the RADIUS/UDP transport profile.
Since with RADIUS/UDP, the packet is sent in cleartext, an eavesdropper can observe the packet over the RADIUS/UDP hops.
There is no technical solution with the current specification that enforces that a RADIUS packet is transported only via secure RADIUS transports over the whole path.
If the confidentiality of the full contents of the RADIUS packet across the whole path is required, organizational solutions need to be in place that ensure that every intermediate RADIUS proxy is configured to forward the RADIUS packets using RadSec as transport.</t>
        <t>One possible way to reduce the attack surface is to reduce the number of proxies in the overall proxy chain.
For this, dynamic discovery as defined in <xref target="RFC7585"/> can be used.</t>
        <section anchor="loopback-attack-on-endpoints-acting-as-server-and-client">
          <name>Loopback-Attack on endpoints acting as Server and Client</name>
          <t>RadSec endpoints that are configured to act both as client and server, typically in a proxy configuration, may be vulnerable to attacks where an attacker mirrors back all traffic to the endpoint.
Therefore, endpoints that are capable of acting as both client and server <bcp14>SHOULD</bcp14> implement mitigations to avoid accepting connections from itself.
One example of a potentially vulnerable configuration is a setup where the RadSec server is accepting incoming connections from any address (or a wide address range).
Since the server may not be able to verify the certificate subject or subject alternate names, the trust is based on the certificate issuer and/or on the contents of the certificate policies extension <xref section="4.2.1.4" sectionFormat="comma" target="RFC5280"/>.
However, in this case, the client certificate which the RadSec endpoint uses for outgoing connections on the client side might also satisfy the trust check of the server side.
Other scenarios where the identification of an outgoing connection satisfies the trust check of an incoming one are possible, but are not enumerated here.</t>
          <t>Either through misconfiguration, erroneous or spoofed dynamic discovery, or an attacker rerouting TLS packets, a proxy might thus open a connection to itself, creating a loop.
Such attacks have been described for TLS-PSK <xref target="RFC9257"/>, dubbed a selfie-attack, but are much broader in the RadSec case.
In particular, as described above, they also apply to certificate based authentication.</t>
          <t>Server implementations <bcp14>SHOULD</bcp14> therefore detect connections from itself, and reject them.
There is currently no detection method that works universally for all use-cases and TLS implementations.
Some possible detection methods are listed below:</t>
          <ul spacing="normal">
            <li>
              <t>Comparing client or server random used in the TLS handshake.  While this is a very effective method, it requires access to values which are normally private to the TLS implementation.</t>
            </li>
            <li>
              <t>Sending a custom random number in an extension in the TLS client hello.  Again, this is very effective, but requires extension of the TLS implementation.</t>
            </li>
            <li>
              <t>Comparing the incoming server certificate to all server certificates configured on the proxy.  While in some scenarios this can be a valid detection method, using the same server certificate on multiple servers would keep these servers from connecting with each other, even when this connection is legitimate.</t>
            </li>
          </ul>
          <t>The application layer RADIUS protocol also offers some loop detection, e.g., using a Proxy-State attribute.
However, these methods are not capable of reliably detecting and suppressing these attacks in every case and are outside the scope of this document.</t>
        </section>
      </section>
      <section anchor="usage-of-null-encryption-cipher-suites-for-debugging">
        <name>Usage of NULL encryption cipher suites for debugging</name>
        <t>Some TLS implementations offer cipher suites with NULL encryption, to allow inspection of the plaintext with packet sniffing tools.
Since with RadSec the RADIUS shared secret is set to a static string ("radsec" for RADIUS/TLS, "radius/dtls" for RADIUS/DTLS), using a NULL encryption cipher suite will also result in complete disclosure of the whole RADIUS packet, including the encrypted RADIUS attributes, to any party eavesdropping on the conversation.
Following the recommendations in <xref section="4.1" sectionFormat="comma" target="RFC9325"/>, this specification forbids the usage of NULL encryption cipher suites for RadSec.</t>
        <t>For cases where administrators need access to the decrypted RadSec traffic, different approaches should be used, like exporting the key material from TLS libraries according to <xref target="I-D.ietf-tls-keylogfile"/>.</t>
      </section>
      <section anchor="possibility-of-denial-of-service-attacks">
        <name>Possibility of Denial-of-Service attacks</name>
        <t>Both RADIUS/TLS and RADIUS/DTLS have a considerable higher amount of data that the server needs to store in comparison to RADIUS/UDP.
Therefore, an attacker could try to exhaust server resources.</t>
        <t>With RADIUS/UDP, any invalid RADIUS packet would fail the cryptographic checks and the server would silently discard that packet.
For RadSec, the server needs to perform at least a partial TLS handshake to determine whether or not the client is authorized.
Performing a (D)TLS handshake is more complex than the cryptographic check of a RADIUS packet.
An attacker could try to trigger a high number of (D)TLS handshakes at the same time, resulting in a high server load and potentially a Denial-of-Service.
To prevent this attack, a RadSec server <bcp14>SHOULD</bcp14> have configurable limits on new connection attempts, and where configured, <bcp14>MUST</bcp14> enforce those limits.</t>
        <t>Both TLS and DTLS need to store connection information for each open (D)TLS connection.
Especially with DTLS, a bogus or misbehaving client could open an excessive number of DTLS connections.
This connection tracking could lead to a resource exhaustion on the server side, triggering a Denial-of-Service.
Therefore, RadSec servers <bcp14>SHOULD</bcp14> have a configurable limit of the number of connections they can track, and where configured, <bcp14>MUST</bcp14> enforce those limits.
When the total number of connections tracked is going to exceed the configured limit, servers <bcp14>MAY</bcp14> free up resources by closing the connection that has been idle for the longest time.
Doing so may free up idle resources that then allow the server to accept a new connection.</t>
        <t>RadSec servers <bcp14>MUST</bcp14> limit the number of partially open (D)TLS connections and <bcp14>SHOULD</bcp14> expose this limit as configurable option to the administrator.</t>
        <t>To prevent resource exhaustion by partially opening a large number of (D)TLS connections, RadSec servers <bcp14>SHOULD</bcp14> have a timeout on partially open (D)TLS connections.
A limit of a few seconds is recommended, implementations <bcp14>SHOULD</bcp14> expose this timeout as a configurable option to the administrator.
If a (D)TLS connection is not established within this timeframe, it is likely that this connection is either not from a valid client, or it is from a valid client with unreliable connectivity.
In contrast, an established connection might not send packets for longer periods of time, but since the endpoints are mutually authenticated, leaving a connection available does not pose a problem other than the problems mentioned before.</t>
        <t>A different means of prevention is IP address filtering.
If the IP address range that the server expects clients to connect from is restricted, then the server can simply reject or drop all connection attempts from outside those ranges.
If every RadSec client is configured with an IP address range, then the server does not even have to perform a partial TLS handshake if the connection attempt comes from outside every allowed range, but can instead immediately drop the connection.
To perform this lookup efficiently, RadSec servers <bcp14>SHOULD</bcp14> keep a list of the accumulated permitted IP address ranges, individually for each transport.</t>
      </section>
      <section anchor="tls-connection-lifetime-and-key-rotation">
        <name>TLS Connection Lifetime and Key Rotation</name>
        <t>The RadSec TLS connections may have a long lifetime.
Especially when dealing with high volume of RADIUS traffic, the encryption keys have to be rotated regularly, depending on both the amount of data which was transferred, and on the encryption method.
See <xref section="5.5" sectionFormat="comma" target="RFC8446"/> and <xref target="I-D.irtf-cfrg-aead-limits"/> for more information.</t>
        <t>Implementers <bcp14>SHOULD</bcp14> be aware of this issue and determine whether the underlying TLS library automatically rotates encryption keys or not.
If the underlying TLS library does not perform the rotation automatically, RadSec implementations <bcp14>SHOULD</bcp14> perform this rotation manually, either by a key update of the existing TLS connection or by closing the TLS connection and opening a new one.</t>
      </section>
      <section anchor="connection-closing-on-malformed-packets">
        <name>Connection Closing On Malformed Packets</name>
        <t>If malformed RADIUS packets are received or the packets fail the authenticator checks, this specification requires that the (D)TLS connection be closed.
The reason is that the connection is expected to be used for transport of RADIUS packets only.</t>
        <t>Any non-RADIUS traffic on that connection means the other party is misbehaving and is potentially a security risk.
Similarly, any RADIUS traffic failing authentication vector or Message-Authenticator validation means that two parties do not have a common shared secret.
Since the shared secret is static, this again means the other party is misbehaving.</t>
        <t>On the other hand, a third party should not be able to trigger such a connection closure, e.g., by sending a RADIUS packet with attributes the RadSec server does not understand.
If a RadSec endpoint would close the connection when receiving such packets, an attacker could repeatedly send such packets to disrupt the RadSec connection.
Leaving the connection open and ignoring unknown attributes also ensures forward compatibility.</t>
      </section>
      <section anchor="migrating-from-radiusudp-to-radsec">
        <name>Migrating from RADIUS/UDP to RadSec</name>
        <t>Since RADIUS/UDP security relies on the MD5 algorithm, which is considered insecure, using RADIUS/UDP over insecure networks is risky.
Migrating from RADIUS/UDP to RadSec is therefore recommended.
Within this migration process, however, there are a few items that need to be considered by administrators.</t>
        <t>Firstly, administrators may be tempted to simply migrate from RADIUS/UDP to RadSec with (D)TLS-PSK and reuse the RADIUS shared secret as (D)TLS-PSK.
While this may seem like an easy way to upgrade RADIUS/UDP to RadSec, the cryptographic problems with the RADIUS/UDP shared secret render the shared secret potentially compromised.
Using a potentially compromised shared secret as TLS-PSK compromises the whole TLS connection.
Therefore, as defined in <xref section="4.1.3" sectionFormat="comma" target="RFC9813"/>, any shared secret used with RADIUS/UDP before <bcp14>MUST NOT</bcp14> be used with RadSec and (D)TLS-PSK.
As implementation note, it is also strongly recommend to not reuse the configuration option for the RADIUS/UDP shared secret in the existing user interfaces for the (D)TLS-PSK too.
Instead, these should be separate input fields in order to prevent accidental reuse of an existing shared secret when switching to (D)TLS-PSK.</t>
        <t>When upgrading from RADIUS/UDP to RadSec, there may be a period of time, where the connection between client and server is configured for both transport profiles.
If the old RADIUS/UDP configuration is left configured, but not used in normal operation, e.g., due to a fail-over configuration that prefers RadSec, an attacker could disrupt the RadSec communication and force a downgrade to RADIUS/UDP.
To prevent this it is <bcp14>RECOMMENDED</bcp14> that, when the migration to RadSec is completed, the RADIUS/UDP configuration is removed.
RadSec clients <bcp14>MUST NOT</bcp14> fall back to RADIUS/UDP if the RadSec communication fails, unless explicitly configured this way.</t>
        <t>Special considerations apply for clients behind a NAT, where some clients use RADIUS/UDP and others use RadSec.
A RADIUS server might not be able to detect if a RadSec client falls back to RADIUS/UDP; they will appear with the same source IP address to the server and use the same shared secret.
It is therefore <bcp14>NOT RECOMMENDED</bcp14> to use both RADIUS/UDP and RadSec clients behind a NAT at the same time.</t>
      </section>
      <section anchor="client-subsystems">
        <name>Client Subsystems</name>
        <t>Many traditional clients treat RADIUS as subsystem-specific.
That is, each subsystem on the client has its own RADIUS implementation and configuration.
These independent implementations work for simple systems, but break down for RADIUS when multiple servers, fail-over and load-balancing are required.
With (D)TLS enabled, these problems are expected to get worse.</t>
        <t>In these situations, clients should use a local proxy that arbitrates all RADIUS traffic between the client and all servers.
This proxy will encapsulate all knowledge about servers, including security policies, fail-over and load-balancing.
All client subsystems should communicate with this local proxy, perhaps via an internal API, or over a loopback address.</t>
        <t>The benefit of this configuration is that there is one place in the client that arbitrates all RADIUS traffic.
So long as the proxy implements RadSec, other subsystems that do not implement RadSec do not need to be updated to support it.  They can instead leverage the functionality of the local proxy to leverage the benefits of (D)TLS.
(D)TLS connections opened by the proxy can remain open for a long period of time, even when client subsystems are restarted.
The proxy can be configured to do RADIUS/UDP to some servers and RadSec to others.</t>
        <t>Delegation of responsibilities and separation of tasks are important security principles.
By moving all RadSec knowledge to a (D)TLS-aware proxy, security analysis becomes simpler, and enforcement of correct security becomes easier.</t>
      </section>
    </section>
    <section anchor="design_decisions">
      <name>Design Decisions</name>
      <t>Many of the design decisions of RADIUS/TLS and RADIUS/DTLS can be found in <xref target="RFC6614"/> and <xref target="RFC7360"/>.
This section will discuss the rationale behind significant changes from the experimental specification.</t>
      <section anchor="design_supported_transports">
        <name>Mandatory-to-implement transports</name>
        <t>With the merging of RADIUS/TLS and RADIUS/DTLS the question of mandatory-to-implement transports arose.
In order to avoid incompatibilities, there were two possibilities: Either mandate one of the transports for all implementations or mandate the implementation of both transports for either the server or the client.
As of the time writing, RADIUS/TLS is widely adopted for some use cases.
However, TLS has some serious drawbacks when used for RADIUS transport.
Especially the sequential nature of the connection and the connected issues like head-of-line blocking could create problems.</t>
        <t>Therefore, the decision was made that RADIUS servers must implement both transports.
For RADIUS clients, that may run on more constrained hardware, implementers can choose to implement only the transport that is better suited for their needs.</t>
      </section>
      <section anchor="design_trust_profiles">
        <name>Mandatory-to-implement trust profiles</name>
        <t><xref target="RFC6614"/> mandates the implementation of the trust profile "certificate with PKIX trust model" for both clients and servers.
The experience of the deployment of RADIUS/TLS as specified in <xref target="RFC6614"/> has shown that most actors still rely on RADIUS/UDP.
Since dealing with certificates can create a lot of issues, both for implementers and administrators, for the re-specification the goal was to create an alternative to insecure RADIUS transports like RADIUS/UDP that can be deployed easily without much additional administrative overhead.</t>
        <t>As with the supported transports, the assumption is that RADIUS servers are less constrained than RADIUS clients.
Since some client implementations already support using certificates for mutual authentication and there are several use cases, where pre-shared keys are not usable (e.g., a dynamic federation with changing members), the decision was made that, analog to the supported transports, RadSec servers must implement both certificates with PKIX trust model and TLS-PSK as means of mutual authentication.
RadSec clients again can choose which method is better suited for them, but must, for compatibility reasons, implement at least one of the two.</t>
      </section>
      <section anchor="design_changes_in_tls">
        <name>Changes in application of TLS</name>
        <t>The original specification of RADIUS/TLS does not forbid the usage of compression in the TLS layer.
As per <xref section="3.3" sectionFormat="comma" target="RFC9325"/>, compression should not be used due to the possibility of compression-related attacks, unless the application protocol is proven to be not open to such attacks.
Since some attributes of the RADIUS packets within the TLS tunnel contain values that an attacker could at least partially choose (i.e., username, MAC address or EAP message), there is a possibility for compression-related attacks, that could potentially reveal data in other RADIUS attributes through length of the TLS record.
To circumvent this attack, this specification forbids the usage of TLS compression.</t>
        <t>Since usage of 0-RTT may have implications on forward secrecy and replay protection, this specification prohibits its use.
Protection against replay attacks is necessary, since a replayed RADIUS packet in the early data would be processed as new packet.
The additional effort that is needed to protect 0-RTT data against replays outweighs the benefit of the reduced processing time.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="service-name-and-transport-protocol-port-number-registry">
        <name>Service Name and Transport Protocol Port Number Registry</name>
        <t>Upon approval, IANA should update the Reference and the Assignment Notes to radsec in the Service Name and Transport Protocol Port Number Registry at <eref target="https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml">https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml</eref>:</t>
        <t>For TCP:</t>
        <ul spacing="normal">
          <li>
            <t>Service Name: radsec</t>
          </li>
          <li>
            <t>Port Number: 2083</t>
          </li>
          <li>
            <t>Transport Protocol: tcp</t>
          </li>
          <li>
            <t>Description: Secure RADIUS Service</t>
          </li>
          <li>
            <t>Assignment notes: The TCP port 2083 was already previously assigned by IANA for "RadSec", an early implementation of RADIUS/TLS, prior to issuance of the experimental RFC 6614.
[RFCXXXX] updates RFC 6614 (RADIUS/TLS).</t>
          </li>
          <li>
            <t>Reference: [RFCXXXX] (this document)</t>
          </li>
        </ul>
        <t>For UDP:</t>
        <ul spacing="normal">
          <li>
            <t>Service Name: radsec</t>
          </li>
          <li>
            <t>Port Number: 2083</t>
          </li>
          <li>
            <t>Transport Protocol: udp</t>
          </li>
          <li>
            <t>Description: Secure RADIUS Service</t>
          </li>
          <li>
            <t>Assignment notes: The UDP port 2083 was already previously assigned by IANA for "RadSec", an early implementation of RADIUS/DTLS, prior to issuance of the experimental RFC 7360. [RFCXXXX] updates RFC 7360 (RADIUS/DTLS).</t>
          </li>
          <li>
            <t>Reference: [RFCXXXX] (this document)</t>
          </li>
        </ul>
      </section>
      <section anchor="tls-application-layer-protocol-negotiation-alpn-protocol-ids">
        <name>TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs</name>
        <t>IANA is requested to update the "TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs" registry at <eref target="https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids">https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids</eref> to update one entry, and change the reference from <xref target="RFC9765"/> to THIS DOCUMENT.</t>
        <ul spacing="normal">
          <li>
            <t>Protocol: RADIUS/1.0</t>
          </li>
          <li>
            <t>Identification Sequence: 0x72 0x61 0x64 0x69 0x75 0x73 0x2f 0x31 0x2e 0x30
  ("radius/1.0")</t>
          </li>
          <li>
            <t>Reference: [RFCXXXX] (This document)</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC5246">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
            <author fullname="T. Dierks" initials="T." surname="Dierks"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2008"/>
            <abstract>
              <t>This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5246"/>
          <seriesInfo name="DOI" value="10.17487/RFC5246"/>
        </reference>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC6347">
          <front>
            <title>Datagram Transport Layer Security Version 1.2</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="January" year="2012"/>
            <abstract>
              <t>This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6347"/>
          <seriesInfo name="DOI" value="10.17487/RFC6347"/>
        </reference>
        <reference anchor="RFC2865">
          <front>
            <title>Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="S. Willens" initials="S." surname="Willens"/>
            <author fullname="A. Rubens" initials="A." surname="Rubens"/>
            <author fullname="W. Simpson" initials="W." surname="Simpson"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2865"/>
          <seriesInfo name="DOI" value="10.17487/RFC2865"/>
        </reference>
        <reference anchor="RFC2866">
          <front>
            <title>RADIUS Accounting</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2866"/>
          <seriesInfo name="DOI" value="10.17487/RFC2866"/>
        </reference>
        <reference anchor="RFC5176">
          <front>
            <title>Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="M. Chiba" initials="M." surname="Chiba"/>
            <author fullname="G. Dommety" initials="G." surname="Dommety"/>
            <author fullname="M. Eklund" initials="M." surname="Eklund"/>
            <author fullname="D. Mitton" initials="D." surname="Mitton"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document describes a currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5176"/>
          <seriesInfo name="DOI" value="10.17487/RFC5176"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9325">
          <front>
            <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="November" year="2022"/>
            <abstract>
              <t>Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are used to protect data exchanged over a wide range of application protocols and can also form the basis for secure transport protocols. Over the years, the industry has witnessed several serious attacks on TLS and DTLS, including attacks on the most commonly used cipher suites and their modes of operation. This document provides the latest recommendations for ensuring the security of deployed services that use TLS and DTLS. These recommendations are applicable to the majority of use cases.</t>
              <t>RFC 7525, an earlier version of the TLS recommendations, was published when the industry was transitioning to TLS 1.2. Years later, this transition is largely complete, and TLS 1.3 is widely available. This document updates the guidance given the new environment and obsoletes RFC 7525. In addition, this document updates RFCs 5288 and 6066 in view of recent attacks.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="195"/>
          <seriesInfo name="RFC" value="9325"/>
          <seriesInfo name="DOI" value="10.17487/RFC9325"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC6066">
          <front>
            <title>Transport Layer Security (TLS) Extensions: Extension Definitions</title>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <date month="January" year="2011"/>
            <abstract>
              <t>This document provides specifications for existing TLS extensions. It is a companion document for RFC 5246, "The Transport Layer Security (TLS) Protocol Version 1.2". The extensions specified are server_name, max_fragment_length, client_certificate_url, trusted_ca_keys, truncated_hmac, and status_request. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6066"/>
          <seriesInfo name="DOI" value="10.17487/RFC6066"/>
        </reference>
        <reference anchor="RFC9525">
          <front>
            <title>Service Identity in TLS</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="R. Salz" initials="R." surname="Salz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions.</t>
              <t>This document obsoletes RFC 6125.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9525"/>
          <seriesInfo name="DOI" value="10.17487/RFC9525"/>
        </reference>
        <reference anchor="RFC7585">
          <front>
            <title>Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI)</title>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="M. McCauley" initials="M." surname="McCauley"/>
            <date month="October" year="2015"/>
            <abstract>
              <t>This document specifies a means to find authoritative RADIUS servers for a given realm. It is used in conjunction with either RADIUS over Transport Layer Security (RADIUS/TLS) or RADIUS over Datagram Transport Layer Security (RADIUS/DTLS).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7585"/>
          <seriesInfo name="DOI" value="10.17487/RFC7585"/>
        </reference>
        <reference anchor="RFC3579">
          <front>
            <title>RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
            <date month="September" year="2003"/>
            <abstract>
              <t>This document defines Remote Authentication Dial In User Service (RADIUS) support for the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication mechanisms. In the proposed scheme, the Network Access Server (NAS) forwards EAP packets to and from the RADIUS server, encapsulated within EAP-Message attributes. This has the advantage of allowing the NAS to support any EAP authentication method, without the need for method- specific code, which resides on the RADIUS server. While EAP was originally developed for use with PPP, it is now also in use with IEEE 802. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3579"/>
          <seriesInfo name="DOI" value="10.17487/RFC3579"/>
        </reference>
        <reference anchor="RFC7930">
          <front>
            <title>Larger Packets for RADIUS over TCP</title>
            <author fullname="S. Hartman" initials="S." surname="Hartman"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>The RADIUS-over-TLS experiment described in RFC 6614 has opened RADIUS to new use cases where the 4096-octet maximum size limit of a RADIUS packet proves problematic. This specification extends the RADIUS-over-TCP experiment (RFC 6613) to permit larger RADIUS packets. This specification compliments other ongoing work to permit fragmentation of RADIUS authorization information. This document registers a new RADIUS code, an action that required IESG approval.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7930"/>
          <seriesInfo name="DOI" value="10.17487/RFC7930"/>
        </reference>
        <reference anchor="RFC3539">
          <front>
            <title>Authentication, Authorization and Accounting (AAA) Transport Profile</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="J. Wood" initials="J." surname="Wood"/>
            <date month="June" year="2003"/>
            <abstract>
              <t>This document discusses transport issues that arise within protocols for Authentication, Authorization and Accounting (AAA). It also provides recommendations on the use of transport by AAA protocols. This includes usage of standards-track RFCs as well as experimental proposals. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3539"/>
          <seriesInfo name="DOI" value="10.17487/RFC3539"/>
        </reference>
        <reference anchor="RFC5997">
          <front>
            <title>Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>This document describes a deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, enabling clients to query the status of a RADIUS server. This extension utilizes the Status-Server (12) Code, which was reserved for experimental use in RFC 2865. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5997"/>
          <seriesInfo name="DOI" value="10.17487/RFC5997"/>
        </reference>
        <reference anchor="RFC5080">
          <front>
            <title>Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes</title>
            <author fullname="D. Nelson" initials="D." surname="Nelson"/>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="December" year="2007"/>
            <abstract>
              <t>This document describes common issues seen in Remote Authentication Dial In User Service (RADIUS) implementations and suggests some fixes. Where applicable, ambiguities and errors in previous RADIUS specifications are clarified. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5080"/>
          <seriesInfo name="DOI" value="10.17487/RFC5080"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC6614">
          <front>
            <title>Transport Layer Security (TLS) Encryption for RADIUS</title>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="M. McCauley" initials="M." surname="McCauley"/>
            <author fullname="S. Venaas" initials="S." surname="Venaas"/>
            <author fullname="K. Wierenga" initials="K." surname="Wierenga"/>
            <date month="May" year="2012"/>
            <abstract>
              <t>This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6614"/>
          <seriesInfo name="DOI" value="10.17487/RFC6614"/>
        </reference>
        <reference anchor="RFC7360">
          <front>
            <title>Datagram Transport Layer Security (DTLS) as a Transport Layer for RADIUS</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="September" year="2014"/>
            <abstract>
              <t>The RADIUS protocol defined in RFC 2865 has limited support for authentication and encryption of RADIUS packets. The protocol transports data in the clear, although some parts of the packets can have obfuscated content. Packets may be replayed verbatim by an attacker, and client-server authentication is based on fixed shared secrets. This document specifies how the Datagram Transport Layer Security (DTLS) protocol may be used as a fix for these problems. It also describes how implementations of this proposal can coexist with current RADIUS systems.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7360"/>
          <seriesInfo name="DOI" value="10.17487/RFC7360"/>
        </reference>
        <reference anchor="RFC1321">
          <front>
            <title>The MD5 Message-Digest Algorithm</title>
            <author fullname="R. Rivest" initials="R." surname="Rivest"/>
            <date month="April" year="1992"/>
            <abstract>
              <t>This document describes the MD5 message-digest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. This memo provides information for the Internet community. It does not specify an Internet standard.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="1321"/>
          <seriesInfo name="DOI" value="10.17487/RFC1321"/>
        </reference>
        <reference anchor="RFC9765">
          <front>
            <title>RADIUS/1.1: Leveraging Application-Layer Protocol Negotiation (ALPN) to Remove MD5</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>This document defines Application-Layer Protocol Negotiation (ALPN) extensions for use with RADIUS/TLS and RADIUS/DTLS. These extensions permit the negotiation of an application protocol variant of RADIUS called "RADIUS/1.1". No changes are made to RADIUS/UDP or RADIUS/TCP. The extensions allow the negotiation of a transport profile where the RADIUS shared secret is no longer used, and all MD5-based packet authentication and attribute obfuscation methods are removed.</t>
              <t>This document updates RFCs 2865, 2866, 5176, 6613, 6614, and 7360.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9765"/>
          <seriesInfo name="DOI" value="10.17487/RFC9765"/>
        </reference>
        <reference anchor="RFC4033">
          <front>
            <title>DNS Security Introduction and Requirements</title>
            <author fullname="R. Arends" initials="R." surname="Arends"/>
            <author fullname="R. Austein" initials="R." surname="Austein"/>
            <author fullname="M. Larson" initials="M." surname="Larson"/>
            <author fullname="D. Massey" initials="D." surname="Massey"/>
            <author fullname="S. Rose" initials="S." surname="Rose"/>
            <date month="March" year="2005"/>
            <abstract>
              <t>The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4033"/>
          <seriesInfo name="DOI" value="10.17487/RFC4033"/>
        </reference>
        <reference anchor="RFC9813">
          <front>
            <title>Operational Considerations for Using TLS Pre-Shared Keys (TLS-PSKs) with RADIUS</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="July" year="2025"/>
            <abstract>
              <t>This document provides implementation and operational considerations for using TLS Pre-Shared Keys (TLS-PSKs) with RADIUS/TLS (RFC 6614) and RADIUS/DTLS (RFC 7360). The purpose of the document is to help smooth the operational transition from the use of RADIUS/UDP to RADIUS/TLS.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="243"/>
          <seriesInfo name="RFC" value="9813"/>
          <seriesInfo name="DOI" value="10.17487/RFC9813"/>
        </reference>
        <reference anchor="RFC5077">
          <front>
            <title>Transport Layer Security (TLS) Session Resumption without Server-Side State</title>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <author fullname="H. Zhou" initials="H." surname="Zhou"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document describes a mechanism that enables the Transport Layer Security (TLS) server to resume sessions and avoid keeping per-client session state. The TLS server encapsulates the session state into a ticket and forwards it to the client. The client can subsequently resume a session using the obtained ticket. This document obsoletes RFC 4507. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5077"/>
          <seriesInfo name="DOI" value="10.17487/RFC5077"/>
        </reference>
        <reference anchor="I-D.dekok-protocol-error">
          <front>
            <title>Standardising Protocol-Error</title>
            <author fullname="Alan DeKok" initials="A." surname="DeKok">
              <organization>InkBridge Networks</organization>
            </author>
            <date day="3" month="July" year="2026"/>
            <abstract>
              <t>   We extend and standardise the Protocol-Error packet Code, first
   defined in RFC 7930 for the Remote Authentication Dial In User
   Service (RADIUS) protocol.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-dekok-protocol-error-01"/>
        </reference>
        <reference anchor="RFC9293">
          <front>
            <title>Transmission Control Protocol (TCP)</title>
            <author fullname="W. Eddy" initials="W." role="editor" surname="Eddy"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document specifies the Transmission Control Protocol (TCP). TCP is an important transport-layer protocol in the Internet protocol stack, and it has continuously evolved over decades of use and growth of the Internet. Over this time, a number of changes have been made to TCP as it was specified in RFC 793, though these have only been documented in a piecemeal fashion. This document collects and brings those changes together with the protocol specification from RFC 793. This document obsoletes RFC 793, as well as RFCs 879, 2873, 6093, 6429, 6528, and 6691 that updated parts of RFC 793. It updates RFCs 1011 and 1122, and it should be considered as a replacement for the portions of those documents dealing with TCP requirements. It also updates RFC 5961 by adding a small clarification in reset handling while in the SYN-RECEIVED state. The TCP header control bits from RFC 793 have also been updated based on RFC 3168.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="7"/>
          <seriesInfo name="RFC" value="9293"/>
          <seriesInfo name="DOI" value="10.17487/RFC9293"/>
        </reference>
        <reference anchor="RFC6520">
          <front>
            <title>Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension</title>
            <author fullname="R. Seggelmann" initials="R." surname="Seggelmann"/>
            <author fullname="M. Tuexen" initials="M." surname="Tuexen"/>
            <author fullname="M. Williams" initials="M." surname="Williams"/>
            <date month="February" year="2012"/>
            <abstract>
              <t>This document describes the Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols.</t>
              <t>The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the usage of keep-alive functionality without performing a renegotiation and a basis for path MTU (PMTU) discovery for DTLS. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6520"/>
          <seriesInfo name="DOI" value="10.17487/RFC6520"/>
        </reference>
        <reference anchor="RFC8900">
          <front>
            <title>IP Fragmentation Considered Fragile</title>
            <author fullname="R. Bonica" initials="R." surname="Bonica"/>
            <author fullname="F. Baker" initials="F." surname="Baker"/>
            <author fullname="G. Huston" initials="G." surname="Huston"/>
            <author fullname="R. Hinden" initials="R." surname="Hinden"/>
            <author fullname="O. Troan" initials="O." surname="Troan"/>
            <author fullname="F. Gont" initials="F." surname="Gont"/>
            <date month="September" year="2020"/>
            <abstract>
              <t>This document describes IP fragmentation and explains how it introduces fragility to Internet communication.</t>
              <t>This document also proposes alternatives to IP fragmentation and provides recommendations for developers and network operators.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="230"/>
          <seriesInfo name="RFC" value="8900"/>
          <seriesInfo name="DOI" value="10.17487/RFC8900"/>
        </reference>
        <reference anchor="RFC2869">
          <front>
            <title>RADIUS Extensions</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="W. Willats" initials="W." surname="Willats"/>
            <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes additional attributes for carrying authentication, authorization and accounting information between a Network Access Server (NAS) and a shared Accounting Server using the Remote Authentication Dial In User Service (RADIUS) protocol described in RFC 2865 and RFC 2866. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2869"/>
          <seriesInfo name="DOI" value="10.17487/RFC2869"/>
        </reference>
        <reference anchor="RFC9146">
          <front>
            <title>Connection Identifier for DTLS 1.2</title>
            <author fullname="E. Rescorla" initials="E." role="editor" surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <author fullname="A. Kraus" initials="A." surname="Kraus"/>
            <date month="March" year="2022"/>
            <abstract>
              <t>This document specifies the Connection ID (CID) construct for the Datagram Transport Layer Security (DTLS) protocol version 1.2.</t>
              <t>A CID is an identifier carried in the record layer header that gives the recipient additional information for selecting the appropriate security association. In "classical" DTLS, selecting a security association of an incoming DTLS record is accomplished with the help of the 5-tuple. If the source IP address and/or source port changes during the lifetime of an ongoing DTLS session, then the receiver will be unable to locate the correct security context.</t>
              <t>The new ciphertext record format with the CID also provides content type encryption and record layer padding.</t>
              <t>This document updates RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9146"/>
          <seriesInfo name="DOI" value="10.17487/RFC9146"/>
        </reference>
        <reference anchor="RFC9257">
          <front>
            <title>Guidance for External Pre-Shared Key (PSK) Usage in TLS</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="J. Hoyland" initials="J." surname="Hoyland"/>
            <author fullname="M. Sethi" initials="M." surname="Sethi"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document provides usage guidance for external Pre-Shared Keys (PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446. It lists TLS security properties provided by PSKs under certain assumptions, then it demonstrates how violations of these assumptions lead to attacks. Advice for applications to help meet these assumptions is provided. This document also discusses PSK use cases and provisioning processes. Finally, it lists the privacy and security properties that are not provided by TLS 1.3 when external PSKs are used.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9257"/>
          <seriesInfo name="DOI" value="10.17487/RFC9257"/>
        </reference>
        <reference anchor="I-D.ietf-tls-keylogfile">
          <front>
            <title>The SSLKEYLOGFILE Format for TLS</title>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="9" month="June" year="2025"/>
            <abstract>
              <t>   A format that supports logging information about the secrets used in
   a TLS connection is described.  Recording secrets to a file in
   SSLKEYLOGFILE format allows diagnostic and logging tools that use
   this file to decrypt messages exchanged by TLS endpoints.  This
   format is intended for use in systems where TLS only protects test
   data.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-keylogfile-05"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aead-limits">
          <front>
            <title>Usage Limits on AEAD Algorithms</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="4" month="December" year="2025"/>
            <abstract>
              <t>   An Authenticated Encryption with Associated Data (AEAD) algorithm
   provides confidentiality and integrity.  Excessive use of the same
   key can give an attacker advantages in breaking these properties.
   This document provides simple guidance for users of common AEAD
   functions about how to limit the use of keys in order to bound the
   advantage given to an attacker.  It considers limits in both single-
   and multi-key settings.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aead-limits-11"/>
        </reference>
        <reference anchor="RFC6613">
          <front>
            <title>RADIUS over TCP</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="May" year="2012"/>
            <abstract>
              <t>The Remote Authentication Dial-In User Server (RADIUS) protocol has, until now, required the User Datagram Protocol (UDP) as the underlying transport layer. This document defines RADIUS over the Transmission Control Protocol (RADIUS/TCP), in order to address handling issues related to RADIUS over Transport Layer Security (RADIUS/TLS). It permits TCP to be used as a transport protocol for RADIUS only when a transport layer such as TLS or IPsec provides confidentiality and security. This document defines an Experimental Protocol for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6613"/>
          <seriesInfo name="DOI" value="10.17487/RFC6613"/>
        </reference>
      </references>
    </references>
    <?line 1068?>

<section anchor="changes-from-rfc6614-radiustls-and-rfc7360-radiusdtls">
      <name>Changes from RFC6614 (RADIUS/TLS) and RFC7360 (RADIUS/DTLS)</name>
      <t>The following list contains the most important changes from the previous specifications in <xref target="RFC6613"/> (RADIUS/TCP), <xref target="RFC6614"/> (RADIUS/TLS) and <xref target="RFC7360"/> (RADIUS/DTLS).</t>
      <ul spacing="normal">
        <li>
          <t>The protocols RADIUS/TLS and RADIUS/DTLS are now collectively referred to as RadSec.</t>
        </li>
        <li>
          <t><xref target="RFC6614"/> referenced <xref target="RFC6613"/> for TCP-related specification, RFC6613 on the other hand had some specification for RADIUS/TLS.
These specifications have been merged into this document, and therefore removes <xref target="RFC6613"/> as normative reference.</t>
        </li>
        <li>
          <t>RFC6614 marked TLSv1.1 or later as mandatory, this specification now references <xref target="RFC9325"/> for recommended TLS versions, which mandates TLS 1.2 and recommends TLS 1.3</t>
        </li>
        <li>
          <t>RFC6614 allowed use of TLS compression, this document forbids it.</t>
        </li>
        <li>
          <t>RFC6614 only requires support for the trust model "certificates with PKIX" (<xref section="2.3" sectionFormat="comma" target="RFC6614"/>).  This document changes this.  For servers, TLS-X.509-PKIX (<xref target="tlsx509pkix"/>, equivalent to "certificates with PKIX" in RFC6614) and TLS-PSK (<xref target="tlspsk"/>) is now mandated and clients must implement at least one of the two.</t>
        </li>
        <li>
          <t>The recommendation for TLS-X509-FINGERPRINT (<xref section="2.3" sectionFormat="comma" target="RFC6614"/>) is removed since the model has not been implemented by any known implementation of the experimental RADIUS/(D)TLS specifications.</t>
        </li>
        <li>
          <t>The mandatory-to-implement cipher suites are not referenced directly, this is replaced by a pointer to <xref target="RFC9325"/>.</t>
        </li>
        <li>
          <t>The specification regarding steps for certificate verification has been updated.</t>
        </li>
        <li>
          <t><xref target="RFC6613"/> mandated the use of Status-Server as watchdog algorithm, <xref target="RFC7360"/> only recommended it.  This specification mandates the use of Status-Server for both RADIUS/TLS and RADIUS/DTLS.</t>
        </li>
        <li>
          <t><xref target="RFC6613"/> only included limited text around retransmissions, this document now gives more guidance on how to handle retransmissions and retries, especially across different transports.</t>
        </li>
        <li>
          <t>The rules for verifying the peer certificate have been updated to follow guidance provided in <xref target="RFC9525"/>.  Using the Common Name RDN for validation of server certificates is now forbidden.</t>
        </li>
        <li>
          <t>The response to unwanted packets has changed. Endpoints should now reply with a Protocol-Error packet, which is connection-specific and should not be proxied.</t>
        </li>
      </ul>
      <t>The rationales behind some of these changes are outlined in <xref target="design_decisions"/>.</t>
    </section>
    <section anchor="proxy_rationale">
      <name>Rationale for Event-Timestamp vs. Acct-Delay-Time</name>
      <t>This appendix gives an example of a setup where using Acct-Delay-Time in Accounting-Requests can cause or contribute to congestion in proxy environments.</t>
      <t>The Acct-Delay-Time attribute is intended to carry information about the delay between the time of the event (e.g., when the traffic was measured) and the time when the Accounting-Request was sent.
If an Accounting-Request does not receive an answer, the client can resend the request with an updated Acct-Delay-Time.</t>
      <t>The example setup here consists of three RADIUS endpoints.
Client A acts as a simple RADIUS client, Proxy B acts as RADIUS proxy and Server C acts as RADIUS server.
The connection A-B uses RADIUS/TLS, B-C uses RADIUS/UDP.</t>
      <t>In this scenario, Client A sends accounting updates that are proxied via Proxy B to Server C.
Unknown to the client and the proxy, Server C may be able to accept a high load, but also has extreme high latency in those situations.</t>
      <t>RADIUS does not have link-layer signaling, so there is no way for the server to signal that it received the packet and is processing it.
Without any response, a client has to assume that the packet was lost and triggers a retransmission.
While RADIUS/TLS forbids retransmissions, since it is based on a reliable transport protocol, a RADIUS packet with an updated Acct-DelayTime attribute is not a retransmission per RADIUS definitions, and therefore permissable.
Since it is a new RADIUS packet, a new ID might also be allocated.</t>
      <t>Now, the following scenario might happen (simplified):</t>
      <ul spacing="normal">
        <li>
          <t>Client A sends an Accounting-Request with ID 1 to Proxy B via RADIUS/TLS</t>
        </li>
        <li>
          <t>Proxy B proxies the Accounting-Request and sends it with ID 101 to Server C via RADIUS/UDP</t>
        </li>
        <li>
          <t>Server C receives the Accounting-Request and adds the request to its processing queue.</t>
        </li>
        <li>
          <t>Client A did not receive a response and and after a second sends a new Accounting-Request with ID 2 and an Acct-Delay-Time of 1s to Proxy B</t>
        </li>
        <li>
          <t>Proxy B proxies the Request and sends it with ID 102 to Server C</t>
        </li>
        <li>
          <t>Proxy B also retransmits the Request with ID 101 to Server C, because it did not receive a response</t>
        </li>
        <li>
          <t>Server C receives retransmission of packet with ID 101, recognizes it as duplicate</t>
        </li>
        <li>
          <t>Server C also receives packet with ID 102, and adds it to the processing queue, since it is not a duplicate packet</t>
        </li>
        <li>
          <t>Client A still did not receive a response and sends a new Accounting-Request with ID 3 and Acct-Delay-Time of 2s to Proxy B</t>
        </li>
        <li>
          <t>Proxy B proxies the Request and sends it with ID 103 to Server C</t>
        </li>
        <li>
          <t>Proxy B also retransmits the Requests with ID 101 and ID 102 to Server C, because those requests did not receive a response</t>
        </li>
        <li>
          <t>Server C recognizes the requests with ID 101 and 102 as duplicates, but has to add 103 to its processing queue.</t>
        </li>
      </ul>
      <t>This scenario is simplified and includes only one accounting event, to give a basic understanding of the problem.
If the client wants to send updates for multiple accounting events, each of these updates will generate their own packets.
Especially in scenarios where the server is already under high load, this behavior contributes to congestion and could eventually lead to congestive collapse.</t>
      <t>One cause of the problem is that RADIUS does not have the possibility for a client to signal explicitly that it has given up on a request.
Implicitly, a client could indicate that it has given up by re-using the same ID, in which case a RADIUS proxy will also stop retransmissions on the next connection.
In the case of proxying from a reliable transports to unreliable transports (e.g., from RADIUS/TLS to RADIUS/UDP or RADIUS/DTLS), the proxy is in charge of retransmissions over the unreliable transport.
In the given scenario, re-using the same ID would stop the retransmission of the outdated packets.
But if there are multiple hops with mixed transports (e.g., first RADIUS/TLS, then RADIUS/UDP, then RADIUS/TLS again, then RADIUS/UDP again), this is not possible.
There is no guarantee that a proxy will also re-use the ID on the next hop, making it impossible for proxies down the path to reliably detect that the client has given up.
The first proxy would stop retransmissions because the client re-used the same ID, but the next two proxies have no way of knowing that the client has given up on the packet if the ID was not re-used, and will continue retransmitting the packet until it gets an answer or its timed out.
Until this happens, it cannot use the ID for another request, and if the ID space is exhausted, it must open a new connection to the server, or drop incoming requests.</t>
      <t>If instead the Accounting-Request packets used Event-Timestamp instead of Acct-Delay-Time, the packet content does not need to be updated, and it can be retransmitted using the well-defined retransmission rules.
Any retransmission will be treated as duplicate, and the server can process the event once and send one response after.</t>
      <t>Other solutions to this problem, e.g., adding a globally unique identifier to requests that can be used by implementations to detect duplicate packets based on content instead of link-layer headers, would require changes in the RADIUS protocol and are therefore out of scope for this document.</t>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>Thanks to the original authors of RFC 6613, RFC 6614 and RFC 7360: Alan DeKok, Stefan Winter, Mike McCauley, Stig Venaas and Klaas Wierenga.</t>
      <t>Thanks to Arran Curdbard-Bell for text around keepalives and the Status-Server watchdog algorithm.</t>
      <t>Thanks to Alan DeKok for his constant review of this document over its whole process and his many text contributions, like text around forwarding issues between TCP and UDP based transports.</t>
      <t>Thanks to the following people for their feedback and suggested text changes: Alexander Clouter, Mark Donnelly, Fabian Mauchle, Valery Smyslov, Heikki Vatiainen, Paul Wouters.</t>
    </section>
    <section numbered="false" anchor="notes-to-rfc-editor">
      <name>Notes to RFC Editor</name>
      <t><em>This section is to be removed before publishing as an RFC.</em></t>
      <ul spacing="normal">
        <li>
          <t>The references to RFC8446 can be replaced with RFC9846 if I-D.ietf-tls-rfc8446bis is published before this document.</t>
        </li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+2963IbV5Yu+B9PkUNHTJEVACyJkmyrT59umpTampJkHlEq
V0VHhzsBJIAsApnozAQpVJXnWebvvMbMi51132vvTFByd9VMxMR0dJRFALlz
X9del299azKZjIqqK7vDi1GW3bx88+pFdvKv719d/gH+799ORvDNpoCP3ueL
m2L+Int/cfX6401W3xVN9qHJq3ZXN132Jj/A3/CDfQMtZacf3tycZXm1yK7y
Ll81+faB317hj09G+WzWFHfH3vTmhpuDf5yM5nlXrOrm8CJru8VoVM/aelN0
Rfsie/788dNx9s3580ej0aKeV/kW+r5o8mU3KYtuOWnyRfGpw/+U+3bRbdrJ
rGwnj78ZtfvZtmzbsq66ww6eef3yw6sR9OZ8lDdFDr3S/p6M7uvmdtXU+x32
lfv48g8figofbk9Gt8UBfrGA2ZzIEPBf0O/RXVHtC5zlB57OMn7/yU/wlrJa
Zf+Cv8XPt3m5gc95BP+Mo5nWzepkNMr33bpusN1JxgP+3/Jq8qopFkVT3mbv
y2J+WzQtfJ9l8MSL7KrYd+18XbTZq7qBf+yrVVsV3Z+zv2b/UjTbvMre5R10
J99k74u2yJv5mib/5WI/py+yd0WHs0BNtl1TFN2L7GJTfIJfFc1uk0Nbj+nL
eb2A/jx+9Pibb/lv3GfZ90WzKSv5wb7qcCX5zQf6sOCxNtLzf14sq+mioK90
l1y9ekd/w5q8yO7v76f2G52Et3mzgrXrssv9ZlNUYfjXeVltira1LRgN42n2
Q7laZzf05zi72ZddkT159Nx1/x3s4nV2US1wa46ztxduqI8ef/v0WTyyjzcX
flRb6dc/76Qfk1b6MZ3XW/plU+ORKxZlVzduRDddsYTF+amsuqIJ43lVVwte
FlitrqhyWEf91yvoBH8ZDfLJOMtpN2aLItv85mNVwkjasvu//083lKfnz5+5
Ub+EnTJp983kYvPnouuKeJBv9p+K7azeNys/1pZ6PL2nHv9zw52abvbRUr5/
efPh5buLeDndb0dVDVujgy6+GI3Kaun+Gk0mE2gHhpXPu9How7psMzj2+y1I
NBjasqxgk3cmeXZNvSxhyjNoI2v2VYUH7O8k0GCGN5v6Ht/QrYuM1rigFppi
U+azTeE6Vi+1G1vYEPmqaKcj/uBrlXzy5xX9DS3Na9jVc5yHzQGaXBYNHPis
q7O8zViCTtMJMTmZgXhHSckNv7pEeTnO7tclHPR2V8zLZQltFZ92IEDwSRAE
tD9AQrmu9gTzlJZjWy4Wm2I0+suLPy1hB8CWmBf/eAIiaQkdPPllNPoqew17
pgZhQvvy775qf/nL/wJj/Pbp0+e//CJ/PHtCf/DTl9fjX7Wy0sZ3j59+Yw0+
P6c/qMGPV9du8f/fWPgsO7bwf/nLP8naQ2+xdf4AN8Avv/xNtoB0P4P359l9
ucBeLordpj5AexdwVaGywdfImP6um/LPLL6wkYs5iRScudOLi4szXP2uhjHL
xlhkZSVz/uTb58+w0/bXc/yLB0WL/Pgb/mRbQ2s1vLmB2b2ivtC08OiKal5k
a5i8dl3fV7BeMCYYLfzVdCCQoSftOGv3eAe2OJIC7rhqfsigw3iw99XAsmqn
x7IZoE95tsnntzh387pawrzAIPMN7irc1hu4FIpslzddO7gnLhZwGdCVvDmM
6b1pK/gOFLMr2qnbYr7Oq7Ldtjhf0lyDayHdfnv1DPYoKFFlt97KLnh8/uRx
2AWLGvZLVXfQFlyiW7gSmirTq4rmbt7RumH3NrCOe7g2eQOGZ5tiC3tE3ziZ
5S2sYOjcOCu7LF8s2s8MB+ezIHEBTTX0JmwSd94Gj+h0BJoMPDO4YWlCuV/3
Jfazo4erArqCc49T0RaFTMJ33+CumqKYuqyrO+wR7nnszwdQUcqq3tSrA0qt
IgNVL0Ndr81O3n68+XAy5v9m736kf79/+T8+vn7/8gr/ffPDxZs39o+R/OLm
hx8/vrkK/wpPXv749u3Ld1f8MHyaRR+NTt5e/PGEN9bJj9cfXv/47uLNCS51
Fx18lBcgGWYFzWWzA7UDBp23o0XRzptyxsfp+8vr/+v/gNtADtLjx9+ZXPv2
8TcoKe7h1PLb6gr2EP8Jk3gY5bsdKIjYCmzNbJ7vSph5WFc7T3DqCpjN3/4r
zsy/vcj+22y+e/z0v8sHOODoQ52z6EOas/4nvYd5Egc+GniNzWb0eTLTcX8v
/hj9rfPuPvxv/wR6bZFNHn/7T/99xHtkWZsaELYPSsd9y7MfrRjoNGL+jECj
drKenqbtevx6MOGLX3IDcvKLT3jiViKitmWH22DfYq+wHb0HQwNXv6KFK2sC
hF1oAv7AFuR5k43wmP6WBaqT6ibUwzWyA6EJGit2ZfjHY7yeSTKc959jY+pL
Hn5KD59eneFgYKSLdp3fFiqB+03gz6gZ0Sv0AuQPWTdABewNit052YOfaQJ+
ffXQz3utZ7A67gm6cTf3+YGEaZfrczVsSJzshag3YZjws4qHz0uNqwnXmH27
3e4ruaozXP2q2GSnKEL5tbRx6ZpvD1VdHXh75m1bz0t66Axe5d/Mb8FPeHVA
+lfzzX6hOvK6ANu2oanER+TpU338jD7FRvBc4b+hncOmzhco4fN0kCLy55uS
zhXtZf6orNoux1u/W+cd/AU3a47KUQ53wr2bldBIWzSwZx9oZFOiudLi7ZrL
lp/gNp/IZJJWQGrAfF7s4JKP39SGV4F6savLpMc8CDD3pCf2612RdEsf18ZZ
NcTZTX/Ag2/pux3cmXlzADVn9id4COdzUbbzPTlEoG8/gcBHvSg74fHQHcXH
XD7Avonn5gRb3fLFWSxYWxGVUjYTXBowIFboZ6CYPSjTfsIbJDsJL7HffvmL
6NaKhSccH2n5Km36aqBt0FOoEW0RJjWWvF/pBF+z5MFxXNoCZz/A33A3rMTc
aeVjs3ag67Nind+V0I+gr+hi8VThj8AsBl2zbNd8v8NL1tIyPtY72Ky4tNAO
/oKNkHlR3jkTis8i7sAb2ltZud1tClKhuAW6p9v9jvbwZ5frkrdq2ojcw/Yx
NTTOZqCMUfvhCzxNRd52JLhMF6aXhQXUSU9n/RU5B8bZVbHM95uOzp3MwTpH
OwkmHpSgFqzT7Cv8co/i/Re9qvFhp3/L1JAKLace7u2Kb0JQHpt6S4siDwa7
Kb7NxvbHc7O6zD6BUby+eHdBFkhT0PFeyCmX3n/u0r8pUQzlkWmFg0DZAJpY
olmPj6vWqC3Cn3fw60U2O9DQZEeRli0nzE+k7ct0xnCLd2SVZi3ugTn6nmDX
qXWBOk+5BOMVlxwbKXL4FHrtrcnslPVyfuXPsna//AIXC67XPN/M9xsbr9om
E7BzchR8sBQb0M3VdntfgAJStcXEWaE1+u/4jo8/xr0GZl5z2JHG3EHnYa8W
chpAoQY7A5fdtCCaGhmpnyFY379eqw3710zO2DWeJfiLf3nDc/nX0V8n+n/h
X/YHfO33wV+zJ4++Pf+6m+/gn+gWblH0uh9duV/tF/qrct9+jY5v/Ckegnhu
M3L3/6N6puNDwzuRZfwvdgWZrQcKLfwSbFiYfLd188Tmz4OFTzf9ocq3MGl5
5ArgI9bKOrNIYVcSX6WkPIfuRBKv5O4sy0/wm8kERTdec4cddGGDIhzMxN0a
hA2a+Wyul7BrbcvL636EFc6pmzcHuNy3bGPCi1o4H42ItaZY5Y0pMFsQOeVu
3+xqmAqcDtiVKMXoJf25UIVAp4M3O6/Rz3KSWKf1WgBswYs/ZvWuqOR9myIa
vlz3bb61O1/ECUkO/0nYzey/qEU9GW6YxF2uWiJ3pq+3SJtoSOEMYFfqjUks
1NGcOLu87su4q1jSm6AXSdQU/7EvG7oq2v7M4KvtioTOykNtQZoM3DJwYFHZ
g22w3+E+k/HhAtaiAPLcjE1BUqdBXh1gY1UTkZiwYapiVXelbAVzEeGKw1a6
efvhOrv5cPH+gwyIPFAwfSv04uAbQetC6Vl7QWumBzpVNqzl8pWthlOOlhq2
R4o06ZUtNhofCOh3vcv/Y1+kEjpVJVmjcRtyu4e7d1awXhFOhQyCVie+3PHO
r82WTHUP1CPliJTVHVxBi0hRb+nW0TlzE5G+oydu5Kai8bmFcGoQGT+r2uk6
kU0zHb0GHR5sjjHu6nDj4tzRpbnaq2eVzSrZetI8KJBOv4MbotiiYk/byGv9
6k0zGSlf4rjxIz5yYaK5J7D8rfYaVYOq5gGzBxbHPM93+awkZxnvKbpdO9Jp
yRRs8ZUZ9JxFjw4ROliCOogxVO6s7Aje7h26bfZwYMlgL9nlVntfQSOO3hsR
IbjIev7o7fA28a6x62mH9qmfTpyEyHqQDq5gk1cmSKasKec8vzgH3FwHh6PS
ycoXW7DfMP4Ddza5TvHT7r4GmxSFNqq1r4f0WXbL0K+xeyAXJE7WSjfMzfzd
+RPS4QpS7+gGge9Y8FOfcADqGx+H1mCs83JHRx5jiC0rXl4agbq3hz1DW7Hv
4A2OIy/yYCLu1Ke3dfrXgEk/+m32Lj4XedQjOUH4hiXfbLEHFiRfASIob4e1
RVgbddZN4VV4UQ/cAXoy8SrZwk4Qi5J/H3prF9F23+35lg5XJcykKIL87c/4
HWmBX3D5PJqAAM6WRd5hGMaEA98pb6m95Fomtci9Kfsl8QPIW3wP9QSM/SUb
3UrRr6WdqQuWLAoR4ry2pODAJrf56BqQy6iL6b6+0O2Rk/Ol3rf2wns6wUXV
7kmjL+/y+cFfDnBclmAjs/nFP4Z1wo6hE1fuKfX057jvOztbIbQRnDdDv9WR
dW2xWY6zxb7Qm44Vs1RJjgUChc+C1RvOAsYhqP3t0NKpdXFfwjhgFpf7hgfj
LbPOGeB0SuCFkz9Mnz36bnL9u9d/kA+ub34HoqPSgE+n45+vQbmrqB90pJL3
sxo40LUBw2Gxb1RzZCfUJr7+u6KpKNKNJ31dL1wcCjTMbhLclPOi6djrUUiM
RYR60gc5RuJzdN7P6fPpEzhRpOuQjHo8PUdRD+aZEyHu2yfjcNR0u5L+uC6L
uyNTQGfuqyQIKFcLzb8fB+tdGa4I732a8g3FdN1qndFpBXvmE3yyuy0/4WlF
zSlWfQd9GsHnQFuC2p/GKuXn/Rjh0UFvRlHSBgy/wlmV/YV30zL8Vl1YTvDv
MeyNCtqBNurgTZbbRaa3rJP3PHO4JbLTclpMWdXhzSwC5dLmHJ+SiGyHPq7T
y4v2TAPm3z7C/cHK1n2q6WnEGd2gOkVoVQTVcqKOORKQqgrBnb+pZxhtJakm
3W3hLi/wjghdKzJSHd1JYunDMh5WOIxAJq3Fg5b53k+HZhBMqaANrYuykT7k
FRx0kPQY6iJjizxsjWhrA8ruFNFzdLoUYBCO1zfTp9MQcCe8wKPn7nt0Cy15
X+DRcr9Lj+kTaif89hwHhd7ZaAOQXI0XGbRJsalxFPvdgq7VprirZdoMWAP/
nqEOg5N4l5cbMg1Pi+kKNs+y6OCAs6+RjaXL92/OxsPHqynAMEGclXQNZm0P
76SFxMtCBapb5F3ekROIYonmwCZHlm6xOZrvfKhmwXCY59wvuqHg579po3b1
Hlm4w9HFCgj7RicFdG/PZj/9ANpFaeraQp/1wQtG+WlPAxtrPxegvM07jL3T
o7qbeAJ7j4lCXZtXCc1nGObQ9g3Rzey2KHao4IV2yEUwKw41tEenRCceQ+T1
wi50mC4/QIwrcYS8K7fF4E8wzA5jasfpJIajjwNAxxm/u8ILqy1nhFiZYMfg
O5LvuhPnCFck3XMgFhINtGdRUDt9sQY7XowEUOcX7NHb5tV+CRYFPNewwYNW
WFHhHid1a8F+Y2cadpFeK/1ou5zAO0t5OWxJUOQP8FLqRs57Pghf9mPlouPz
6YHfhumifWyxdeonaX1umEMWz1TBU2YTFywVechtOuY2jriVzdCskYqE3+0Y
pNXyxcYTgZ4VPv8dKkIk8Vu1GdVAZiAGiH5Ed8w77Dp8lPR80HcjZplYXs/Q
8uIZUfGPtnx8s9O2wftqmjq3yAT+FS3qlW8t8uq2IAtt7eCuogsGwyV6oy2K
DuRkm/jPC3gt3dqXXqnhC4cXyXxpoK4u0EkiUy89AH2VTdqrdzeEAG1FSOWb
Lf/NC8NxKRWzKCG6YpxtimU32YKamIEER73mt6lZIhNQOK8DiE0Z/QG1ObgO
5mvZDBu4KDaxijF2t2HodmcYo2XZoNqGjSA6GcQXSxzGDhWLdCVbCx67U62T
/O7iNQ8dxCrdRXhaxXeMPib0jR1kmb959i0uM/q42COfdJtOPs8jqmXYQZRV
qxyDumLlFC2pZOlaoBNQoqSgoL9DJ2uBCFg6EYddwdYTfX5PBwQXigJE+CoY
xHt67QDyATsdrvonqI9Pv2DW7vPIW5VjGBte3OF7x5nce/oB/fqAYREWKPnA
FMIOnhdwURYyT/Tc33yaFu9u6NNIQQMNimNZA93alqs1SRK2KEnczRRXuxhQ
QeCgqTwinB674+Es3by8FKzX00fn57BPYKeLrUwCVs0Tp6PgCURvzQbfSf4t
jQPw3i/ducnlZP0nF6/KXl+jtEFXiUP68Q/CV79mRQid9bkFKa8vpOVYZ8ZB
4OV1WW+3iPynsMLVu0HrT155MGcjP37p4ha0DKQVuZjagCYIrT0sn+xSOoSu
SPQCx+rbUgd+MCHifrHPgG4LvK0QuiY3iNhMcCQ+wXVwBjN+oE23b0nuSdDE
3B9l2+4LsRlyaf6HAu4fWq2yaWq6yBEHyr6QLWzlO7y5sre4qfQiqSsF10B7
7CBnNIaKC33jz3E4im2c5BaMpjFSZJceF6IOA9lLuQh89NOT+YiHmqaX7AG5
Q3AeFYxDv8IJKqo9xtbQm9R7wFT3g9/LrBfnLGrwCgNtCC/iKu0zrxvF4aS9
WEHSm7J3cP4fFGKf6aKoXRzL/Jsf9S/r90Nn/Qa1HfNzwomdFWk0RE6ZbhkG
SWt4sCGUYG2aZRgH7fPXsrXnsFvG7mTzISZD/sD3jgvF+q0iomLfNEVAOYk/
Os+2xXZWNPqrh/oyVtsk6oBpPL/q1X//VRnyW+jZ97pp+oJPnWSWJeJZo7dy
RX3GzBjH6h3sRJBgsjdqwYLmy46Ck+0etkfbLvcbQbnQKNwhxgkjOz+IY1Xp
yqWferpVVBHY1PXtfhfCW1XtOx1r7qS78laasnzi7+H2iFEGtORkns7MwWSA
jjz2TNRgzhzChIbBxe6Zx+Sg2XOCGYGlgvFI9gEbjuqaoyAy5dId806xe2/A
tSd72i0+XFM77PLRG5UXjoNt4iWJJwR/YyFS8/qEd2Ff2IWD95zb6lU2tLe1
J7i7oU3Ugt8XLPpeB+3EbxMJVEZvI2fv3XnkDbzG5cAr+SGfsrhZ2WUM/zBf
8a697QV1Hoa9OQ3SnLdf5Cg+3sCvcxcHjzeM+JWENVZ72LGoMGsuCuKY3Cti
4JqLa1Kiw7ePGTH91VcWyIZJE/zeazlKGANx4I2x3Wq4mWFN/2OPWAoTde6K
S4RtOwAeG7D4yOHVlKvS68HT0U/4HQ9lCIW2JrOHA0u0OQXJICgW0J5gbKDa
JRYw+hJFjAcwHwFn/LvJxSKmhHhRDfBDcRmccZWtjHNYlHflAgMg+iZqPUwj
Yr0psES+lMp5i3jRUfSNB7QzE3AUMOSEArYb2M2BbomfJEjDe8xuaUIuDi4X
GFRhw4RjeRq2ifNUU5jIvyVszC96GY10j4siIop03MZfxhgHAxXS3eNB0KjK
4VVC3KE7TAAt56BS6OsCDpJ7Yksh8DDBdMDaI/yv4YyjObmx4DLgIJqsjENF
J72J3cL54P2OCOYSDYVgJVrvumK+lt7Rm1n96O/bKC4mUyVAi/AbjUAz3q2G
+7iCDmGgF7/QO1Zd4QpTQ0GLASYCJIlUhTl9V6PhBLbLC0Qc0K4O6xjczPC5
7EiXLpZXXq/SGS7RuZlXDJHxt4yc+7wzrQS15+JTjlLRlILXvE9k9dCiDSFx
0e7oF22kVaI9sijmlJUDr5XYa5SUkgtYSbpRttaNBJRhCBp2LSCedd4NHXbo
PWX40+Vn0JiaVjGPBBtHY1TBbATz+GNV6PB5z0nYY0ZjsDc/bALhT8kzSJNn
bzxFM1b0a2jWfg3f1WiKwmM48KDb2zqTCAMzGnVOVhHlfmYt+16PTlP8iVwd
sOHovlk+EBMnT8B92erjBG6ZFbRxVY0EAYyDXuzntqqU80HHAFFR+BqCg81U
LPsQU9vVG2jPxReiDSLXdD7TS7qXAuQxg+KUZIRC0TB4q21/hqbhXJw+/e5M
9GCnxvqEqfiWsIAbbHLyM7inEtGC38TyuWe/YExkVZV/pmyC2H6SVWyPr6Ez
c2g5KRugyI5cAdPHEoRUfEVIFjHfRVfvyjlrFzhdN4J5em+YJ1DGUBf7WdBQ
Pwc01C/48hQilWFHmzYEpnD4xXKJ6yaXM+0HDs3kR+JqICkxLImiitVufAOi
wlE3Crc9/L+De62LzQ7tGfLrsGpJ2cGwGhvuDE5pP6LBqRdsSfdwA0MgsFT/
F+WRITa9CSHVkQKUDBMdgJNArx2mZOyuA4Y1omkRWwAgLEszGBGPlS8Kbdl3
9VVAE8kQx7zuEgraUWZ6jhE/DW/JzHV4lHCjDQwJXW9xEgXuv2ePvvkmiZDX
TZR95wLiY5aRJC7IByAGhyjHjJwkX4rkmFH03DDDbPn1Nw9Hgno9HrONp84z
W3CNgE90dos0VAqiOiQOsMabb8Zx31Cxgd1cYpZDI/MrwSM+CD3UTHbqNmne
Q8+ceVQfOiT0xh/Qw3OnbirsSO8e2iAwiJ4biwOdbtzO0F6VkgneyoWD7nRE
F6I1G+9UcowHoFTu4tEg0v0+RASNmzO8JyUyAHZBg1ikhcQI8ApPT4/4r3F7
UkBJzC8v8n0k3gfXUeDeFU2AjscjmGLHonA8zSj5NAY2PmkddZuigDXaIBt5
j5Nx5SGkohbY9h02G2ysuDAMVB7qBNqjqiHJeJKrkIPiLNUvHLiHeTIszcXB
TntCUQQh2sJf1kJ2evHm+t0ZyXbCOZvcYekoLh78EasyBofHHD2zfjX35fH0
0QlCt9UaUJGL60htOJwkzRsDSSUQ5nUjIcugPrVJp7K7MqeFCN3yHRDkZcyz
IDB/Opf0mFxNhbNNJTWBHVdwk3XpvvQkIH+LnrqcQTI9rGfUMTiM0Y+/pF89
MG3/apSe4Urg62goGjE7Nmeu/zZdfvtrr/Lu2HQpoD0C7GtfqHWCldKnBWbu
6DpxcKGy9eq1FTXCOSrzdc2BoKjnlhuHQZCcA0wkjumWsVUimF2q5LVk5OFy
mSNFZzjyHvKVB0KF2qT7BVd21RTmRzq2aZM1VUQrTS27IRzzECXPjJ3FDBfF
KcIH6+5MTekje86WVzkH1oPZsc7eUkB1lv0AaiKdEb4Dw7qhWIBpo8lZ7gkN
rog4S+YVqhZO5hmTZwSPP0HdjRQCRvcjXRPWe3HtMsSpCCjdMKjHJzG9SGaS
KVH5NCskUmll+/gWWILET+PUDIowFP1qJzlHpMyCG0ZIw4qkqhPGUS5CAqYW
eqJ459LVRZDM4Hn8pk/bgJm8UQopmgdJKhxn6UrnRUULnDtDm+YLM0RPdcHo
6hxMEz1zPDoutTckqmVXEqmIOY2iTN/LuDsuAq4d+AgbeXINWxVpZdIXDSeq
crDo/Nk3yNpCQexkJqY8b73N3tt7fs8lAOckrR7WmRiLQD/alGDbBpYBslfI
fEABIHLSbhDLDxZBo0aYmrJxdrsIiZ4yLgPSayTq2uAuIDnxtea7NfN1iUks
kg8i+z3VU9RsDxqroxSxAUT6XXEwMgkB4risR72K0TqKskRUSP/aF7ZeTyQH
uCaSpa/WqxNfTXllMD9qX4UceBAp0qN9K+YF98Ku4n7yqmPrMhoBar+aFJ/W
OdgduOjmyssTvRS1Vxu2bQ0JGF2Qa2XyHjYlbIuxe1f47Aa27r6d3IhadIVo
IZqfycXl7zhd0sbhgblMyBXHf76kMxc0xePQN3R12Z+X6xyZJldF0lmWJ1H3
ZASwk+2+En9DmmFMzlma/235iW60L1mGo2MHAw2lqkQM3SahRQ8p+SEt98H3
YcIN6hKDO8cdDoo5bjaJjJ+OrkJakMuXFlhkSJuGJ/1hCFEoRoWRmNGRa/6z
1xfLTg1DQrdpRImyeh9Qs512JfmH93kZcu4aXkR+Jdmme8OHNUWw7uV32esr
hGXmCzEZzTOhRyXg0lWovr6CbZHP2exw3ufg/ufOG1xSDajJSwQb6aSlaEPC
SH53/iiiPxqLS6i4KxkthGK/7PZh2cX80kRRtNH3lWaOy8RiZJleyp4A6sbk
MqdkD73uzKkt3QswaOGMEB8u7I2nj55npycfK1GBYAAvNQJ/cmaxAZkZk/0+
6Or2jcEhue1nj55A23ISs3fw3HtYQE53gHn8dDhzr9A1dP4F+HEB8vQVa1HR
NdRS4MFSQQXxNjwZEkzHTWVg13ZeVHlT1gNORc75YQhOstok9znF2vY036z7
Fv3gOzJZ0C9CUq5t3Y5TD5TOl8mPPtxlavFnw6stAwsNearjfjXFLhAPqrWC
HmjUI9QbLf0ACbkLG0Rp0cZK0Pd6cjVdFLf17UTzECcFvkN8gHm2DTg6dAkR
zd1Oj1bcL41ymaaC3U+67qw6ylyuMIJVBGGDQ4Pz2XoJdllfTN5d/C6S9/B3
IjntXhCYG5Jn6GlrBxyhRts5Jc/8MlkC+o12TzTmn3VRYHYIjt7bTeNAwcQs
lqWRL6oez5+g05zSm10iBtxHnyG0MAGJ0knQfOl9lBpzzj+UezqReiPcmab+
oFeWpDtBMOM3O+Ye0ivN9Inv/J7EGN4GbJ9cFZ2Ewt6gViMmvk3pIH5k38H8
ifO3+EQkYXOOuTLvrGdV8N5mulQlfQ4FEsY7NXtEBKRPriN6HhDI3Xy9qFd9
YX/+7Pw7Z3FNldPRQAR6cjcSB8EuEiNPpHUHSgIC252s691kdpjAf05cXrCg
ZbM1HmufVpbPlHsTZBHzIC7q+wpJqfOtDkuDrxo0N4kh2Fu9bxbBxV/vRFtC
AFznoK0Vcr1D7zyO93CmEfJwdxmU4nhzKDmhpVYTqsouhIqCj35D8HlodUtp
B6Qo8FBLDcvlq1XDudYW5qebhG8AVsD47OSbLb4ODg4qq9R32Ri0/LM27CWW
sIwhQA0jJnZAwod53UgSmk1croBFbJjnw/L97i2lkG6re0amI9etRsv80uEU
C8cEa27U+SnqLKDIwLxgoA4RFLiGZKLSXV9QtHDtAafqJHeaaIjcksMMDmgb
CKM4iYNML2yiJFXpAwz+ri4XIlYZlT1OBQ2dT4qQb3M0Qf35+83Vjz+9+012
CsOm7Bn2yx89S2eoJVAGV8MXkOy/kMkLbfPpZQ/PFikthQRBbWDYavNbS0b1
QdwI41rV2aYGG6NBxy0s1T9k3nkBFx5IKM3ixDeH3zeq3YgWtEeyfgZ+IKOM
j03Rk3FAAvGCytsQnC7CC3Z1ypTnkv1EvQSrchYxCMnDD8itQEiM6jYuCwqx
TpZDY3W2sTGPsD1KgpSbGs/Hnfad+uh4dmn1hWYuNa7pQITtbllHBZ8Ir3YW
G6LVxY9SQa4wtc7F8b2cxw2GYIZZvkEgX4AccdMcp8exyNY3EhfhJqrq+6ib
pHWzaTCOBbqAdsVlK/mGhANtJn7p87Zs1UBegjggLwmziKauX1QCTNqEjF1d
AHENShyLyBt4RVFyHFFsvdupiM17h70le8YRGAte+rvvMEwsJ8HTGoFNU2zC
NhOJP+96V55udNUbnJBVNbCdDpKBeA6tqr1nnp24/6oNKWOfY/fJ2eIzz+CT
Z89RdMLOzqsCmT1OoEPLDRq7J6bbOEoN9Dpw5jT+BVYjOTYRwtcTWJRBbneg
c2vznkoWRRgJsck/F02dnT46w92QqAYkj+PBmoVPlyQbXBTUZaq1vJmVIEUQ
FKbYUMN1s67JeOW6bjkgxhYUt8M0WBV/xMY48ykjNDZiDkvTd9F2JlURBR5m
TOcbjmv1NhT5qZ98d+4l/bdTUr/dK5Lj3h59H6dcg0qQvtQpasTM/+wJYf4/
GLcu8jchmWNT50r6Tw7VfFcuiBamXK1YY8iz3zhCKr7BYJKCb9T8G9GVQyKj
TSUF31MIUaOrlxK3F1hLJOTlWFSH1KMH5DrHKvDuV84uuiRpCFEPW6/i34WM
KgEps9T/UG692m2eIGheSacoPZxQve4eyCTr80/CiksgZR8KlMA4u6sxMSPh
tJS4IPc5WxHHqxz2aUL13aoY5AX2aqzGsQS4/r7od6EdSIAfILWLLmyGCSjU
jGmB0hFEl0NiUfS9AvGzPfWJrlMlo1LUgOsSwy9w6V5+ImdFWVHST6vGzdDc
H0HZcJ5kpI5EMnhYt8PrySM5hneF5q0s2WPQ7xSqsQNdRYhbiHvK06AGon+Q
s8E7Qdgg2TKapZvBpStbj95wuMfNAdaLSStD14NlSVOfMyoOLHg4muaXJF9k
ibuiu0cl25YCN6l/wNE1aISY4peWmCD4mA2zeMB2fzTFWgmozbYET/Ir6vQW
Wqs21XbIQaATWBzjQovcrhGd1/DvB0iihhbxM+oGdsy0T2wxcmjBjArrASnb
zdChFZ1M4VnMgUCJjGq6TOrlcjr6yNgs/z61kuQ2T85i+F2aMv7skU8/eiLA
zDRaTUCkYE+F5qQIAekCCsIwagK/I2TToGTc73bD+y3ZbOO0CYFJynkTx01Y
6BVdifudm1uMLrAe+idEzzZB/x+afxwN6Fd71qGT3+DLETG7YLqyPah18Ft4
bSLiO7FMq847uuSOxTUzeTLcB3J2khN7XQz0IKEVCSshL1OSHELFdR4THRcu
uY/7PQ1BJLONBKNeBOQcPo4rtmL272SqNWm513iYVwOOpIHPuhdL6zFozowc
mVaUcy9u8VpAI24cz1d/YljYVbL7SFd+cPdp5trzRyqtzox3imCImErYHCwQ
Iy/WOzkaf3waEZbAU/xz/MXPtMLtL5+1a+hnHNDLq3wVvJXJmyTRQ9DF48jM
r5Ez/oukwVSwKjalIsillcFG0IiK8CwzYb+lvqegk3AbqRiL8xAD4wwf43FP
LiKPDh/0bf4JrJ5tKgHJrZudvn1/Scv4Nc3d4C+N4Al+fHU2TUuw+HgAxSpP
4udPiPUkJLBIgpZyOCA7gI/MHwuycl0eUiKPtjh01AJwC9tDr6FwrnTsrCe2
F+YAdv6xCJRKTdRRaEDo6qcqPcO5tsF3Rj6HMKESLM4N5vFjHUCNdVg3aG+Q
iFShpDCTwfZLuWBWNSkEoXjTvt3nISDM0UMq+yVJp5tNHXK4otnCOCr+mQB0
CN/fEomX9Fw4vRgO6txHznDl+FUTALh9lILIILYJovj68DIY79eRVfIE3SIv
696PA48bC9TK74t8MWGHEczX1ziEmrmL6w0pZXWzYP8DcYKpjGQcYEsxiG7s
P+6z7sSBWdECtezBfbrMWOJLqiEkbiLyhtBuBC1a6zrgm+F0ijQJOujOyh/4
tB6Zb7g9JGuGnqcbCZ2lKL5KUu/FHdIUK/TE+17gwu6RUTCtp8KxVB19GBPN
Ah138Q+6xliTtzzd1D2rm6jU4BRqyHzbh8I4NGNtYBz3e8fdag1uZvS0gOAj
/Nf7q6GGw0II1zbt9Q8StDawHjnoPZW7vIK33edLS120RNyt6ZNZv+zdOHaL
+PsvSBpnTlM28kIYfjU3lDtFLjoQD7QS5vCCe2UXfmqJ88Z/eHTSjk8Tu+LQ
HUTelgcG1RsTA+p/1bjIBDsEFjnEpTZ7YctCvD2fiaD/RMEpTaX7/CWJPsUZ
60OUGxEVlTSWYHx7x+kihZuuNCKGhqzOHlORG+564eEzCuJ7fZUCPCRLAUSx
1W3Abe8rz2B0f7FnD1LRJrpVK+H9bR2ocMSgTCYh8q4MWNukOkaa1UgijR6q
p6mMjpo1Qyo1kAaWvgT/Pi3Ys9HDA5mzll5k1IeazZSqaU9geBiVM//ZmaQV
wbbkwxiSdq5cDYSI+IMiDFgH99apLC7EM5wPRwUCCR4iOc4oeutOlLMBhJJz
Ta5WTX7n9ziyDIoX2dca+Nr4+CgyRmnJZAukDIeGVSFfEkatJlrulZzyhNrF
7bAud5KvG/0oYmPtJdN5UyI2bnlPKCTVMs+JPzNqUwQN8fHwGSxbPWKiwQ5T
eqLQLIqFFalyOWLKEdoQPIfIPv2D7jan/qgBKNHGYtMyXnxOvqihEmYf1sLG
GTuDA4Qa+WDDPvGOJgWjkzfKZCPdUf5nQs2G280ne5N5R75u3CDrIm+6GeZg
1C7iZ0zk9Xy+3x0ky5A2Xeyu5LpTx/MriRCHRhkNQJNxDy61mLI2CW6FkWcy
H0+rWruSyaGO4keRO/tMz4DL/jziSlPgC4c0/G4jZdU/FiKTNYo4Rn34/FLj
dkTH4OjHXpxQ8gNFTmHOaith8MFj7BiqxlF0QRPe/DzOyV2FDl9oFta7KwnB
4ABL7AK0dXX1Z5koJEALMG0Y/u2icAgXXu6ruYiy6MgxHZXC4Rzc3uoCO44j
FtzU0UD9R9dX5CsPjgdy0sq1iyZ2HdXYiZ3HEzt/EZqWkVvWwXlIg+cUAzT/
6goruYfk3GUDenCzFwh6E3Jx3ZIypNJWZQjiGi5yhbIi/2uxcNArOf8SNxPG
Db9vpRwH09ybEGRTdxFKJYtthZwL+aJAR6ZzuUQJtqRvU7+C3BfFAK0UrPGo
wpXgCWkdxN8j2SOnV9vON6Zelh6EZfN+rTbUgzp+bDE4ZzWgxIwQgrBldv5o
8vyRsSwoBBu5oKpwdtnjDWYwLh9Lcu+QwsOHPhrRUlCYYIYr7XOKAmkUbFb0
3v/4Ef7u8TM4W2ADLFJumHB6TDqSFOaijKcsL5ikI6wtpayEnalhF+jwNkf3
y+aQXnFZILqRJM/vLeuqGrjWxLASLw/TwLnFpORcdJrqd/0W+lCUgC3RkqMh
NxbXvqlvxWFYRVFjjJMaEDBUvBbdVFHAMcbsQw8QaFlmHaPjolMhiRhLO4eM
ahDfRbHQCsm8tHXguFEyzGCAeg1AzBGmq0UtAI0Cg5bb1h8gSpJp8WjKzLMV
8dElXstQtpLheQsHzmT6yyPvsMUziXIhUXqZWjkz5BEyh1hV30+kdwO86OhL
VACr8/wYqXRQpFuOn20Isn8RLDfDY+N5klCYpIEfWfrTIz7SJ4yG6FnV0lqw
bnAaDT4TLEgmeA2kdMljWulW92voOGcudFKpxDaRKtMOFicb1e69T4d44zCq
O6CUO7qTbBLzEOmj/eVm3FsttD3dW2VCLPc3zsexMyBTwmsQnNL5DOu+C9Uc
ddkVA0uXmRS5fte2Wvw174ckAo8e4b8mmukQ45E1Wig+xZcX12fjVOAcecQu
cg3KLMYD0urIw0xFoC243fIhXPAJnjVkMi9CLoVgXGRwbGfmR0eJmdzejTgg
k2G/dlp7066nLVW65mySuBRWEqVoBAoSNutwT6T+u4ZKfYssUrEYKFhuISsg
aUd41Vi+4t1OUicX0oixCQ8T12WbhiVsI6JIdow3cYJBlLXxuRPAiwH29SK6
BU6Xga5qMEsNEwLsj34S2Bkpm+jHbNeROIRed3nl1bnAWloNnn6xTGxamNba
YUmxyhSZ2nbfswSiomoxY5OfCMl6YTC3D9sq0SqTedBfeSetS4mtfCMsHtcy
XziCj9UtXBGmKo68hEsyadpcCGEp/BqtsXDNnLTlhvUZmZMT556moKbZ9POy
me+3XLm77VeYAwGuWwt1QAoSzwWajZ4hpoUzFSXwGp4g1PzEyadgrJGXOiki
pVEWruvBfgWqWCiabN56B+QCzpDVGI3fVCfxjERj4UhcaCB9vcaP3eGiH9gG
IjWgIS6kTixTuYB190tiHAcHxggAJwL3rS17LLpZKMI65nPdkaFvBH5h+yX4
Bn/SgvPjgfFbAofIlbr6wjFrT7t1r3axxbfKKlo7cb3N64ZSxvvFWl2+zZmL
yfOL2KHnixsrGG64FnO1CKT0eZTKdk8E5VXnkdljvmbZIoZxSpK50rzBhl+x
O7P00oChrujAaXnFqxU6Y4MrkBYo+FvJ8OpT7Q8KU1U5AhtIBwuHCzRwXJN0
nWFBgIQK6aN+XrRuTgpQOJnGbBSJEFHViA0H1Vb7DjNofmyU5MKIniJNj0Pq
VXMUpbjkjJJ+noCXT7ITC65S57CdTLWNsSgvReE3UgU94LFkJv/9DQGE/11w
wVipyyBdFFKAywfdmfFZZVTxr2p2y2xF2qx4Sb+kWeRBsZzIpOG1SFlzYxAW
mazSIjt9hP96fDbUT8ewIHwuGtVbSvBDOjU4SNF0Y7oFjhi7amSn/IT7xFnR
g72yzL+/ecvDDBEh13TwFRU6ItH/SuWB7Oo8A22IsZFKD0ozSno9EXposVna
paRF9PyBkeBNjzOzzznTHI5H74AXIB2oUjNpYZh7T7wnVUjsZhe8ulf7/j5G
Qm2ReBPdHXSWdOKkeJMWJkbUgELnh4txc5IWAytwBd7Hdp7IVtlrzOZK57yv
ysHDltK9kaiNqFLs4ImTqvUpcThGkV3HdsdeZM7ZlITYINv7tZ8xox0m7xZN
6HqesHII6rqBJgMx12XETuDYsMScmfcq/Vp+jvEExgS2GBhR5F0eHOCoQu9R
I1YvouELFFGAvo66Dblj2IM4dSz4kvRubMdaDAUUtJlkSkFLEeNsfnxMgo/o
kWuM04B59HnuY8iKO8Z4niP7QKcdk+4kQ6IUooRNG88A7jB7WuqqW0F1ayll
kyBnECfj6S2rtWitGO1QIutnFgfLd3h8x/lESZ7pvJlqcirZVp5R3M3aOC78
jidMpstVyggf0tKycn+szjMG6YtPQgZDOlhZMR+ghI/onxr7qaujU4q1K4ZT
ZtL5InO6pM81pkPRJsLvJUz+vO05eBcAlgGcTnn+rUkXNI0DObRuc5lsUEpD
Em5/2gYmjdOAhB4Nsw+NIzuovUI+QpAKXdX47FwkpeXFkJLEFdRQyDO97PfY
N8TaDp4Kcjg4JkSqOOT3Km9un+WWem9DtfAhOiqrRUNFmXINGAs6LNDpCued
uV+4wEmP85KNMBlSmFGV3bRHVEWdo/UgsFMx0JblpgiuHWlmyJGLKEJpzrsc
zhwzdYhf9Ou1OJnltrttJ/xcbVp1MahjNdiyYQlPGU9bTdDnuwEdAUZ1plTc
A9TUtonoMI08Kbr34kTcZ7PDMe2BphkNvCUaNIQCsAtWueBRCF4olRsl33Nq
zmC1h015S+Pjm1sTiRaIXzt0a0GeWSjeE4xEV7GZQhZ+/8rJs1AENx7NiB0R
SqOmxZ5IR0rVJgsIUPJqU2yKO8zJiuFbfHXfSBApEHBRsUPjPsc9wJ4XvJc4
WhYZNSGfN8841VurSxt9O5uFHAkkI+++5nqtShZq9jedgMHncwFz+PoIkbsP
n0dxcsxQdwxji9ghQdUBrB9IAuuiaoNRJ7uqKG0+VAa2mp+CsXCOfT9jIWNL
c6MYhEniNZoKuI1wO9HdiUc5kDBgjNQVMdKBpclcop53sn5Hc4rGsf6hPQz3
o7FZktvagZqS+Q6cMM6ffDPsRtFBoPcciyNBH2KjzlIl07pKib+IJRqTFogD
HT1Ayc9UR6HtYPV2HRf7UONS4LDsp21aQbkFOro4a2SmSBTe7aSq8At6C0M3
Se/EWSbdA8sRM1HoDkmz8eLyFKkVHvlQeBmmgelm7POGhb8hpcQjTYxNqzhh
fiAQw0U+bZOSVLJIQSCpZwvMbWvvKqUtwkkIwRWybPIVCdUIBzR41MJ6tciR
3POYSXo0sWezpdfWGxT30TzKHsF9Y+F2OhEKvqbJslp9+A3q53MqD0sV83La
biXRBB9RFl3/0ytol7dtb4ZloUhAl7OGCpWQ2xjLmnRjL2VLd5uHyRNFwu5Y
ggS1Dqp1CLgMcgZYjkLjtvCpo8MHTa6gkpwoBu8b2DjZqqio4l8rwjF4ShmW
T7RpBLLRyeZYii6hEOwY/pOtqRgDipk3DyBECaD8pTjega3jkLxDYi+X8kmx
W895eSVq0sc3JI7AQTSDpi3VXDAlgsRwLg5KBT6JiuW1SHLkeqBbB1WYQzGM
0pWybb4qBdVe7AGEddwpoPCiZRXH6sTioeLaIUo7n2LaO4cKtkNJiD25pF8b
cYGwlDJGwAprDjClDru69B6AkQvXKplVVzD6slPiHPRgBa92tDESTmp2a2l2
s+0+Aa4ZBFlmOQj4Hp3AMeiBFvC29vC+09yH8L4YJKELTgYJquCoZtfNNrh4
nDXfg6zraHTPzQ525M3UIYvGkUGqThQBPz0+zR2E++Ekm3Dt+RTFCNY2WIPA
H6aBnBurABiduYCbSGwojReNgwOKONBmpYQSxHagad53zmJok+wsZ/8xyNus
avLO9CcPLx8uFKAJO3WT5PKEFB7mpFN3qm7RgJiQU9wKv5MCBRJ2GI4OsCGs
gAkbAL8r2CdXDxkoWDhvQdVa4PPsl7+twXJlFkuiQko4jd4+HGnLhBT6iqX6
vDlIIZHFglKw7WrDGs9kfXLTLeG/vL/uwfJ/7UOWlOOKffrou+dwoDpmu2a1
Y6xOQ6LgIrZONie5Eo1qFxoraZEuTjMOq3m+a1mKScwwolUhDmaDh9CTpJEY
QxEZ9d6/Lk9YhOYaC3G+/fAxO72G/z0bGwrKmFyjx1WtIOCTJUcIxJN50+rG
asCgz/A+D3RY3jmN9OPWmOtny8hkzV1kyjitq0zU7fKUAk60SNG33z0i5pRo
UZN7nqSNz+uK9xuGjV2QVya5h6FIll1cBivyENmIOGmGFHsFXiKEuJGS4TB8
N2bJ9JYAfFmF4LUwMAl3AzuWoyjrNkdojZHL+f6DNtiym7jd5YmnB7XXVZNv
W8HFfff46Te+kOk5hbAvlM/NP4JbbJytVdyL9h6a92Hy6bHVkErgsftH4ZvW
VDLTJdNQhYkTvp9gJYdTGb9RuLDYDBB+mzTzGXnWI1Z6uf0p/OVCyPln3iXe
P62jImHG6N2OYUNPaszgBOuPkox0igMRhMkXfnkTB4s769zYdPTy6Fanfe2E
C8X9XOMSt1CfgAdQGWbZnQXpPRugjuxzcBzGEugHM1BLQgzvccSGMCsGYjBq
zmOfEVy9qrDQOhZZeCCigbqQoggsyxR/efAWckTaKT1iERUfIzkGxHI2dBLG
fP0MDRluZi7sroUEKcGDWDviRfORMhAmUe62phy7pG7NiBcGOfqA82vYEhD/
eggK9h+m1UohrVGFosgBNiRzoaPBE55uQ80HZw3AjthAjcrE3BsfeSWXQ+u9
aNzjxLfT6gj5RZKHNvxqqTLK3qzeG9TjGsUhLKbQDwyG+IKL7YhvTXVa/xSb
sAwNj82NoaPDwMlIveodF3cM8KLW4gG1ZLiJmz4qB48uHBL2OZegcUWa1cxg
6FUgoeRmiIMien61qUHttWas6oIqi2TwdpJAkya/MK9Sw8A19u8PzrGUdLeX
ntCX7yW8cJItN/mKemwVP+nGp48DESfc33S2uHZN5iqVejyGhrt5tn9iT4pc
PEmDpklwfU4JxtgKpOWLSud5TbcEhjioJlE1uZJyKNSY+UN7cIp4kGgMNVty
62DoBj0BVVz7ve/iSDdw9GIJknHXPbMQYakGasvzbFwJ+jF43iwipmsTEeDn
+67eWg4pEbi6GUOkWLzUEYPcg8czVFNatE75zY+cxvQQftFhU7PNH7Sh1HnH
v4C0wo4mtybNlxfkYGaKrgR7vBzb0AC59pUkFucpmyvvSrbiw0JJbqAJJ7Ic
44h7DxtyxEakyqCtT5AjVB4aEpj+N1DoKb2/2TpeO4S+pmvBBk6fYWxDMC7T
TrPDKUIgB7z9NheqaCW/oP3t6vKM7Q+sQ4m3SFTx50aVdXaGbzZ9yJ9VzAle
foErhbe6oo48PI9i4m7i3yYzEcjUEjxpCMLmqiJ5CNNDP3orAMEUwvdWrNb0
8wDls979Hk5U3Ux0RtxPTn9/c3E2NAzSPSnrCvGPcfGkhZRbGnANXv5wce2L
sRwrndRv9ERcCHg5DDT8Ab3mG6vPNP3/C1L9f7Qg1VirS5MJ8IVFqXBMPQoE
Psqt9S6c6eBXKNjuIF++htsSkDKX9UPFigUl+VqCK4XaiFNZxPVJ5et8yVjJ
0pWqH/tukXMJdfG0u8TtsL9MK7N4mfJag32nKR1vr55N/XmAv7OQGNd5KZ2H
95FrRzHyAQnPFSjgshHqd/qsKRSQYOAgWQa6uKjsIrqDtPGfY/Ab7tmkrojV
Eeaieo5khP1P0iRtYvtdcBI8trIjnpRkqf6q5IazRDI3Q5pyU/Wxs674oPfj
tvmyiCqXJI7UYLgEA1+6JavpcESxDWvkj5VnFjEXqliSaqsxC4he6wtLnCF/
ivmKpbjfV9mVOMQpnQYvUZjNDCuahKIqD3h/j1U2Uf/vMEwoQbPEdVRCahpt
ZI2AcCkFX+sl5YgkhG+cZ6OhOLyr6Gp+RaQa0oDL/yIGg34KWFST3vynSW0n
qSuTtECVZiRDR0Ix6fv7OWlf8r5qsFiN83PAL4YrGlmg5AtqOEFv/ZoId0NY
mAh2EEUnZ1TwgSAzZTvYVxkWZZbqAvfnImZVMMr6JJUu8nj6MhtS7wMdPC5E
XknS6zKfNaDsDmQbhRJ4nL6kuA+1NnlbUVmPuKYtF/KImOOi1OAc0XAKmYLp
vUQEZBPE0LEjgC8j6sxfWb9IMmqHK4+VhLLEGuPsh0RwRahqg6Q2wTW5JgYc
57aekfZ4T2arRiaYJ7Y/j3Sb0f5CXMSBM2onVFmFr724chObdCFIF+NLJS8Q
9yJuAXgCO9GvymugwkRx0eVOQrA0MHZOkgvD8nNTonE5f5reo10G4ZLWd2gf
Xk+8z0lFE+4CJvS5z6RslUvzH14+fiUaT694IQZ6q+g/vEtyodZP8yQTS1sP
B7dpLrBhzBEbhzJTks27qvEPuABuBWeHlL5drlT1UfBVqEjtymr3RSY8ObjL
tLwS4WJrhntj78jzPGPK3SjJJahofMvTBW71chjLbzaAJnQiSpLB50cHMh2Z
Jek0DCIH43qdXej/FrfPocgx8raq4cb53+H/Rhc6ow7nivFA8Q1rSAIVC/dD
Zd6hGMCIQEjqlt0iAUczNoVEvCIpTy1DONua/1t2oxXfk8WWbK+SEykwxVid
yD5FpefZhQ9Hmk5d9inGtXgBTpptPjce1u63MGUjVxyVAEsOOQD6K6jqRYMH
eO4y4aJW313cjHImuo6ndcoTLsk4C6faUHWfZGvJdO72EqLAAJ+r8xR53D2a
WDSnD/Z4pETpBfRO5uOy3mxA3ytGowtHuULjCWDzT4fAmHHszITuhmmJtup0
BCb6Gt4VrUc6pXUABPNBzRuXtEA7Y+ea8enmeAlTubrXcmyCcjxORkLs9EtN
5XK8BvN1jTgODiDfkyAhPHef2CRIHwHcSsmv9AeEjKUITJigenB6XKE0M301
23cZYWgMD42WMAOAkF8IMzi6hNzGgiI0dvQAcjlO6UKy4mlxeFGFMOUOz7+O
UdUiC773cNf8Ogb44T7hWuqcUhDwARTSJB5RPva4zddItKAdOcQ8MfuOKeS1
cEXoqRHBx6o1WGJMZA36R9MyDY8k7g9wVTc9A1rtAjMSP1dKcoBrkgQweS8j
m4buxPgUv3enWDlGk3ghz8ambgMyUW/QyJqzO5RG5T0iHsgV0YZzFEaKIg2T
gkdEVqpcX0avH3y7MgC6cNmRbkyHMhWtWlQlFxnOtNYL1Ds0ITvL55SBaBg0
2jg5QdfoLB8Vpaq6u9we3sxDoTepbtdHjTr5z3eadmgYZFp2ofl0YZLATlJn
Q16SKTdOsqj8Uj4R6WunYgMTM9DFH5E5fLjwYr9hyad13kpDLljVJaPzGJ7F
FAZVHZma4zN5bO6D/IkwFQ/MzVA74UAcPw8RQYBIWNBX2iGFhdcg2eyDyYek
8syJY1VCyy6TClR1yoHTS9KdtVJkjV17U2HIPUY34dOSI1ZcRjAOAZoFdGcD
L2OqtqRsy8CCerZrvqvkPlbuuiE1sQpX5dBS4UIM7X4LZ3bEAJ2WDBPlUALF
ZjljcgpVJMDYS7l0a9sWUYHFkLfIIG++fSzpOrjjZ0QEudcKLq/JO7ksKeRv
Fxm/Yq0sHQF7fdbb0Y7vLZkr8c9uAtOZ588qldhR0vG9jKU0SiseEIrmWY3D
7ZawuwJ0tWpMoih0WOR0CAZi0OA5mQKwfykzDGb9REpqnBjtTCDk8D3+yVwb
gYTb0iRLK2hnkUDpEr5JZBVVZIZv5eYn+T/EPEipHo1iTR1DeOJ1cel9xnRD
Rf7YP9AoaZPmdNJ6JYdLyoop3SbqBRfzeTe5Kjb5YYLVymgiXiKkm/4EpXu7
G0VE/czTGrTALy3Pxz4Rqd3dDbFPBZYqLoErqiheuGd6g6vfN+32KSMrY4v0
GTHmsYiqA/FBVNqGaHjjkLO+I5kG947v/DvOiZVPOB5YtBNRb9650kFWs5zh
8kRh0WiSWPoiH3/f7zjqUVdZvyK6kjrlBjlDC6Timr34WvSfC4YzeQnfcULF
bN4A8RBammMyzezMl+hub+dglLj1yXgPOzBnhd+e4uDxNToixY/mYei1ikd1
HLr+9AjXdLVQ1hyqxnGsY9YHNlg0y9Fj1Tvvwg+uw1C71gePyM8t7hyVHqhO
0/qj5CcYFMp83iqodNLkDKTO69Q5tzaXKma8g62h16Y87XsycUoN7bjcebol
qop5qcHUsyrVEnNMigg7Xxkqu6L99ISzGPeUFKmFmAlraHSaAT/rsvpVpaDb
6GcteF1YRMuFwTBY+Wm3yavcd9u2NTFZM/+egv7RBLYIEq4EPjDklYtxpLHN
4WnvScMzQ808dD60Trl/Owtl44ndgHww/cLmCzd4DF9VkGBdOeliZEPp4SCX
cMsFdTCHPfcoadm8jpb0oX6MI75igjuQzoBMjhxeJkLrpiFmyM6fG3F44Jmi
eBddlNBHD15N6KiSjWOhXsu/cvSaQhLLkTq3OHVknYbQIzF5xNqPrypJnhJi
2b+vYpmk4uDYdOspzlc58bF1TY2pwC1h3o7NLc0E7kIutpfeBQ453Re4FIDi
Ai0YCN3OytWew8/ksYjFq6ViJen3lhUdiGFlp9Z+pq2m0r0WtuttEeR52IEU
bvHudpnnmCxXtlomScmHu0CrE/0YdfWEZCRRJRb1UT0gAAHM2eNuA4cp88Vb
iNldYUF1O5gV92AhtV+mf+OO4h2BDACqpaa7IrjUePukM+rQeKxAUCvpbZ7J
WeK1W+dtiO0twmVnqosFu6Vgi7MQ2TfUn2nE2sT1HuLAeZyn5m4uHhDlXnD/
e5rIw+yhYS/LHUaVNNjrHJgf411HIT/ZenjBBdzbGg0NlpF45rzlFW+IYX2O
tcKK7QHQHQT5PKwpJgpilvHOSvcPxfMsDHWseRaznvSCmyeMjhoaCVfjNLs5
gMzZOhxou58hK0Q3tItY7g5sUEwfolvlc2P8B1k1ubA06Slpkpl04iSH/qFi
YUn3DnkXY3yI4JoVlkdHhwAt4gYIszEdvSnyO/0sfY/Uh2QyM57pFewCLOYl
KKf0ieFyqcJ+P+ZorQt8uxKoO0pdJRXJdOChPtVS6jzdkBQSDRpO9ntYFg86
uS6oRPUHCx1We5AGqNx2DQaBtzXME83S9e9e/wEO2l3Z1BXZ72MtDUIn8VCL
QyOmLTb8UigusBYyPVCr5lQAzVVvMAkUwOy5Q5dTn0AF7daHviOLDaGc36VA
45zAaHBnN2UhCDQ/Lok2YJ3HlljBKV5p/ikjZG05V26OuuBSmFZ4rWKIeO5i
wm0dpKh7qTrUfcmm2QDcXCIc7X5lpnZEXBbkk1f5zXM7UEIJP/7D9Nmj7+ye
ccMJIGWejAWhg34Ugx1fE/KIEY7qHn1VouWza0pi9nyN7nJErAo7K/wL/Ub0
4rtzRtRg1P93xSH7iBH/5AdK6nqxIecKye53cD8kP/MduK5BMz2M1ImmS0M7
1s18QJezCYtpxNc3v3MqcDgnO2xS6hD0IS95Eq2aFZZewoYT12h1CIiystdx
9ul/dUF/5Xrpy4MjkCQDKtsXQbFvswsQAWjko4XgvxjFWbRp3ixThzU1hoy2
Ak+rZzjz8AYJHXoDQs5AEuumsQ62At3pt9Kz3Xx4W/L6XMpAecuERZN6OdlQ
lRNQSG81EE8HPU771cTnRd8cagdB/Rp4EPx7iJXFwMc4YuozbYOLyvkxlUEZ
63RrLhimVIvSlbPWqmR27BQg5GsoHm1Zg4WSMcNTjtLkY0WzQ6aRMJO4Mmt9
kOjgNIpSJvysYidga21BucbaaSGadN3zP2ITskXvO1XfaYgUSDnYzBD2iXSV
OVfS8IFrQ3GEW8QRzEm242u3FDthwIqxIGrSOuKzw37l0uLkV4tzCRznhUar
vYX1GjWMO1xwAoho9Stnd9fo36b4Qlg9Yt2Mag3IDYdVGD2/Fd4OEa1EhO9L
myCV29xLbCh2DVap08jByws7avGziUvuPspI6u9yp1rzVuUcMsKrDVeFwG9o
/FRFIT7ZwVXQo4DCYHAbwj7CFOWCc32PgnfDOb8EmjI5F35GFd/xwVJl7rGj
6TKziFwh9zmTIgUVTrEmoCvOb+1+97JrKLDt07CoGllLSbYhk1IAUv+xL+e3
OC+S6cfFwYaKw3j+V+qKlIhv+zZ8THojpmevSpWcjTnXOECrAAN6oLQoy2CO
s5rPDw7H7bI1KCxZknAXbwkTYUXeJ508UtHHWQW3P0xC3xuNwAbcaTeygd4S
HyeKEXMdODRuYlST0KFalFtQnInILCAVdEtqmcqkYCwFZRIIygDXvH8Gz7uS
NaZv2Vq/o+x5OxcPLwUJUi2qwF6LVqNqWF+PKpCR8izkzaSWYzmHXiiYiI7q
movzaMK/lDgJHhGc2bFRKD0ThtRd0URCCLVhJnuB4wQb9i7HBE9pbTqiET6e
ngfmRkcb//qq1bx+/2wIEfYSMKW5J8Kx8d3jp8/FL1MlDXPHFDFgkyKj5FMn
LKC+PrRthMryGRyxDgtMUxolBCcVk7iklVR922wG8FxtrLgKVcYiODjwUb/T
3xfmQib/FCUx8Hc/N/adsTaVra9UzdT9+M9YTZRRwD/huM6VvXQZtF1kJW/1
3oko/ml/igbsGmy41IaAU301ad0Z+4oUdHgscHkfJ6GCd4BwXxwCmUg+yHVF
ifFawyg+yW4fc3U+Q3sVlbgMkkh0Lon2ii4tKqajUj4Rf1YjMtG+UJeoqyTf
D4mti0hoiAd9byWw9LDJbnWEyKAIEFgh7o2FWAzI43kEg8Uh7ZIN0aMNDp85
7ij40GfPR79O0+rDI4Fee1l+YmH47zA//37m84RIWulIyygahNP6+toVEIGb
jCJdr6/vnuLJhv8+x1SNlzhoE02sKVKkfF+VoHTatsDFtPibXrcRecKgWQYT
5W+eF6MX2QXh5IPh5gFwIbMfswZouXtifipNXoFCwe0lV0qgvEJvRqghwNSO
3P4glkoCkcnbSDBYS4KIKUBwHFirqMTXhvbBC6ZmZF2H6lFYfcqhN6sqGVWF
Hducb8plIXVMCVxOgvjYWPGdfGy+sgPzo5TkxKcvuQgsVuZODnpsxFzBI/kG
jRY8fYgnOb2qb85QN8mJZMdpmMEERAci/YDRDzDEFUfPhEUgpg1KOPn0ArVK
3DBZ9W3pil+DvFrzfkziDQiIfH4eMx0RACy+7CyLO2ZFepb+8lzuW5MLLkIw
k/5gth/cCBvM3yJh8UMBG7/n9jdVVHM/yEW5a5AND25aGh9FyDBsO0BgHVW3
zpV73WYk7mYg2bCKbkj+sN9p43LVcllTgj+Q8s3sduSeFB01VH+VimjUnr1p
avunzU6pHZUdXN4IhMRZqKlYbMjLbi70WFsz2sylaBpc9GMaaNvth9qS4ok6
otFi9L6knXrE1Lj/trhaD5NR+u+DMoBjBkWa3DdGWZE2Y+Qbon7hUbfz5E54
MhVTDx3mKk684yXSanXaOW5h4ERNicJAGVh7IU4UjVE1TecyfqYc9g7N5nIo
ZAEUmGYy7xUxLtrM4rJECYY8LubBjp9VGcpHRMywks+FHQmp0RAVY0o5Uswl
3N8vMinSFQdbC7Wi9CG7xiMRC0I9F4dWjIgVmAxT1WCN62CAO0YcZ5nkGQhH
EX1jBhOm+j47zfYtUfClUBntc24TRyz80XvP0usvMqdaf75dKhr0CS8pCdrv
+R2W3qad07pT8vL40vM0m6j9hZQBAiUxiRSSjTLHVlKFNCGE6jQqlUqvscGo
wmrIs7ZhED1BG0L6jezXSJKKAJVcUk/2FVd/cDH8ezEshD5M3QtXIcGc9Uxh
kRnSMz9D4kJoKa5kfxzx79BcwYcbFcGx2K7oj23N0TVBRAmwUzgcg7uVQ8uf
KOs+QkN6E5jzk/iRNhEzS3/OZ7ykAbUZ30fs3SSWmBt9JOGHwbzuY6n6I6MZ
jhO60R8VSKRth0R19dJKEcRJqn1I6uGIyGwLR9NqBZMPqroIy0DE1EKgBCEg
tARWyRDeRuTFySubvGS6N+941YCe5VmoT9gcs4HaVE68UXooaFocyp4LA+RS
ucrtVpVxuCqTnv2HrR8N5D/0RnIUzNdlcResnoiJgWxE6Y9pG1QSyzo0Owyt
bzL6HkZLOXkov0jg7w4nGtg1DELfK/C6LO6FlSPSCNJCSVTdRDB7UQSxlchq
IOPhKS/bTq1fqXxafsLf3IRqQ6+19NAHLb5xhCVej7sAdCXdilPhQnNWySgi
30qlQ7AhmSyMra4HBFDcisgIDoe1Gv2h11FC3X21avJFYRo/dawlceeGRUGl
aBJr5wGhYAMmJNvAhSrZ0SMTLhL1OCo4Q+zFDIna4t3VSIrfOqophC8hrdkC
V1p4SHaMhu1aK6EzzYzuLFl1CU2xUiwyAzvBeQeOIjo3x5NtLinzM864DjVK
JIoKieuKz85Ud0xvXanZ3mebjVatETBQ0MHK9jYmvbpmECncULxjQ2GXKGgw
/gwFiytQ6iDJtv0IOCpgSISiGkbmvu5FmITmWnEAQrDJ3eRuYPXYUtjPCQGL
24TdfzBDXJEWxYzxZvbAXwx5P4F3Trp6Av858WKtjiQwc5+VUbLmQiFog90h
p6Y62hQ0RAWWldyAeF5IRTHqFWPX8Z5DmG9K1hhw7ONZlNGShnpgN4D0YTr6
sbKUDvFeqVeSVgq70OD+kEWkFJagWAoRB3b3Io4eWcG/UyyazhkMF9fyDhHq
e1gL5JymeFxgCazUj0Hjn6siYQn0wm7mRmkqRvB8SEKH7T72klgiDmjULUex
7BBLtnWwptDVjGuNge8dnHewQA7tmYVyKqGYkJlSsGs82TbPSeSMrtMEoK1O
bk+JOlwTjYB1ljsiQotgf7B3Awtwj7LXupoQTCDNhQtB4NmbzA4TJdRgrolk
B1v6dOD000hc4DdOGWhRsxYJYuUYHcdy7ZIYy5g9MaiyFm0P29BdRlEhJpSZ
iqVNKkSNvdVQSgwe2QI2BdizxSfKN8yK/K5oFw0mjXFxNGaNKaKQXMKtib1A
bKIATQRPwD4l3NRtvdmH7CNaPCkuFKsyggaAGZkHeu7ektp4tXYOTrGI+iBe
NTHQ+nq/rje8WQy8ncpqJRrcw5EznPHgznL5k6Fdz22KF9UK5NafJUvA5qC1
4NuM0Ld8icvIQ/FqLhcTbcGICKSMKsVF26hHAu5ZEKM66XBGURgaUAzPGlmz
VhyVVRQQoM0Su1m2yfehTLweadEacNqJ7JN6CyK8FK8HbvOxURGim6emoeZ9
evFvnn2LDGMSF9m3TKEJN/Sbut4hxczkgrtXVw6GgbYcnsNWoxvsnC3Z2uRJ
CL82VTstACi6I/lwSsWqGoGzeZ3LkN0blakcq6y422/QqJfrTVU+K+BsTt1t
iZn0TJ2j7i5VGclwM5CMA3MNjSPf0csk2Z9ngobSG4clmhlPoNga7PLUHDtW
pdN0QZb8XVtslnylKv8IZz6668nNQFzJs2QdEtRLX+mZVyjQWoTXD6YtioPl
YKG+U1KpCGwZRf/OfOE1R/Uid5qu0B3iUoXm26MSxYFPVUn5n7ngAgvCBYj7
jlF+mu9iDNWuJbLxaFd+TeW4VRJF0sY/YMHcEA7kwOQTH5gkt/z0KUZaI72C
MRJtEeP6XfMBDp0cjoycIaihWgKyn/g6cogQ1/22XK07dga0sMStzCPPCfH4
G/Mizz8+JVTXWTsvqrwpa09co4pKgAn7dGgPQqTXlWZtRS/0SdpUDXmQ/YJK
nRPomExp7AOG79jBavQ+xO/ljzkSYFQF4pRxa4B5s0Q3eireBIUQjntTqAbi
HFhjkyU8k+TVxFh3XByIHPR48MZsxrDasQGhCFuctD2RMhTaoGBJiOpIAJ8w
mAJRePLsG2TlXexnM2Ga3MBUTszpKhO0xaZnTU1FCtUXI4kmsMHIOgme8SR5
hbKuaQ8eEm+R34tDcC+KiAwWIA3JHZJuIik0R8TUWHiO/iRm0NapK6GQXVW7
8L3YB5LZ2tyiu6REs5UEm8Io4JxMWGcnMq9+ZZwpc8LbPZu+oO25Q16MRpOM
aejKaqAKOUi0BQxs79xi+F7077Tr/LagfA2rFkuClm5Zy9Q011VpxWNZ1LYk
+cUFIMgoOh3Ceb5ryjuHOu+Pdgo9tzKqMLFtBx2V/oq6QPFnD6IJI1DlH0N+
6HzBFLaxjSIeA29N630vb3+4b2FW2RQWwaDlgGNgPTtC028i3UsT+PHc2rRj
MgexM5lQ6xSshndNxiUV030wdgo++6P6naqrXnl4CapotMgVQ6fdr8dBM/Y5
01XwUI6JjVVKV3RvU6xAHwDTUOmHe8Avp5Oy6UtHu0a7peUJQKkUxqneHA3h
oI/lMLkh8JsZt+4C49H4Q8LVJkzFEbDlQV8hsXhMumhCqKQNvjZYGFatCZhI
pl5TRMVahtNG2DX0UZmA331888Y7Rublju6wfanYwkUx269WDAjAiRgqmEUT
lTxLS5Q0P5atiExUwdZWmOQGMR2YykyPKla7QlovHD463GKLkGW2MxQiamI2
DcUGlQwjxGFBW6cnTb6AX50kyZvj7IRpVr5GEtvoW3SPnoUFf2jehCeLs0m1
rJNZ+XiVbup2H2pjseGV5CNznqMeIuMm7/uJxlYVA66sgzN7WUtQrYyEfScx
W/UEd5RCJbyRspZqtHx3/uSZ18oe49U64LbnCnoJwfTnt1UURPE8f4nrlYzM
IM/xLaGykO4AtjDGA2leUV4Be2gImI8+7cZyv24LdIkgfx2GulDWhKKrJd8n
oXa78IeVRbecwC6ZwMObeoX+CiE8zq7jrIc+UEYO8Wj0vQsIaiDL++OtCrsE
KFBarEGlQr17i5QLlHdHVPkhCt5wJVEpGIQ44kJ3IAynZcUreDwiQ8yrdpyB
3jWk3RSf1jkqo1YBRLAfmKGRumfY6cRXQ5KfSk2iK5/3ZeSjk+Jcmjuiye7M
XpcUM+Hxam7hK9tQ48E5sCC8ZgflhleJtI3h3CQr/uLLsmhQDG35a26eJYME
w0KbRDjaqJ/vU2bEigOjZ6MzqS50cWxNBHkOT+CecD6MtA+tEQgQRSml1rNo
YnNUW5B5o2pdXNkyWL95fx/DzgmebM5DEFU7T8xfD1EyuwM3M4VUyAaLC8ca
KmGsubVN7K4kFIO42DLmuuC2pnKqoriwuqr4MHjtwCeGGXvGLgRMPcv/y5AF
QhcQpx7l2axesdkEVhUDjIOqywvGtk9FNJIgG+68w+kqfo2y1Q5ApRP66dxO
oZ5OF9pwhulYNwpv0KFldEW2/bq1Cbasv3RGZGLD8UZLp+SPNIL/xFIaeVNX
d3BYj7xFwHYwaWxPk7iaF4JXciouNeuQMBd/BGlfICmQA7PNDgS10bvBrwNX
WRbcHgGFFHe14bQhqQB+Rd1oa/LL6Bvo9+E1KrArUYhisI+EffslmEfJAjm0
XuLHNIDf8HZmQSvrK+m6nSVpkb/Qr3a9U5Od3KlxXq2XA0N7cnZIuiOWPkIV
+mLL9fEz+1FgWlldfX64WEXKtmxOUADJQmJ3t7Fn9xNPBiZJ30w4ii+fKMpC
7PVNQ49WbaRwlRTlZUuEGmqkUWK/AdsdtyVgOmxSanLxXayQdSZmLtuhb1my
OYI+bfoOtJkkxwoFmuuy6wS7faj+qOfzXFLZY2J1giu5RFsI5QfdRzNiiVK/
pnODk8em26fJd6TKCadA5FUKaSyB15KQc0ZbJIkqeg8rjX+GSw4tFMpNS5iR
oFNy8QwKEdBWl9l22RmgBHYkZkNZ8yR1o6enMRSt9ZBBGYu4fFpLH5HwYiTf
KS7OqDpxCKHJ1gi14MB9KsE7sxOJcpGK8VCf2aaMaFeSEI2ilPtJKWnfbPrJ
OKcjGwEih1WwcpmKXek6KlBF0n/urubJuOQYyqaTxJFyK5EnVB9xauL2WYuR
XrEErOtbENgFGhUlqZ3H5BC5KkJFxE6y9bZSWjVUMkxni3AOoehn0D18TAvT
yWFuXLbVGwH6k+zGfP/3NQspqWHGnUwFvcuMpQIRmi4QazRrcq8ySRstMqmE
d/Vmv3UZuMHYcnYpdg0j7LbICPvEnlHy02ovPJycdCJ2qWHLE0OGXXX3Gt6D
s9coeFqhf+GlmvvGfGZYCvrp04iw8JlVZmOjrQGjbb5sVpMcE65ZzfCsz04f
nCYZ+rLkcWVro+UnwsvBSh6eicusykNSxpBnq+1NKNseJk6OtNUj8CXDvtYC
Uv5N42OF9WR40UGwJrZ5teen5W7B7Hkym4VOSKuWe1Sm55FtUrVqgE0jKAao
9FA+JVVuDL+S1JTsR4TebrCfsMG4FF5LZXO39mkSOmZwoYCElU1dbyU1R/O4
Cp7Uax6Eooqr1qR5/063FAJGRDI2nrmFDPgRXdqKSebjYymTARURzmDgW6aa
P5gohZRoCSZLNVZ/L0v9p8Lg0w0V4oosF4HxxcZfBDCL2HXR2k/RYJJzkaSl
30Ev6uZ49TjSQ/KoozhV9zVfFYWBIs0cIfBT5PWLgqM9dyB5AWVJmVXuS2aE
4AXuN3hZod0HzVABaXxCvExJEFYtdMYu+ZUQH6A6kmcHV4dqgNPLIab6wWU7
/iQesLDDQlTNNBLKzpSQ/eA6RPI/wH8YambhvJ4LInBtsornf8/49bbZS50A
VSfclevZoLycYDt5wUD8kqiiuRCOmwDyrCpBmcJFtD4Ped0UhLtqOKjoqQyl
2Av3SbNsfFJ/yGbxeHMsaZdvVtCpbr11sGPHTqrYzfEAXQmF/RTbKYm5bHjA
cYL+fkFfhZdMQoTOYJmSB06NhS23VBuHhytf1RkpFRtAJdGS0SlzYJ64pmrs
j0WHbQlbjA5+7KkVnAjpauJtYcWUe1Q8MDLa4ixCKZ7L8c19xLiQnGbQD8ID
gc5EeEDaAtR8cvQSEqw9KCRov2PI8lA3xgNeObMNDPHlt0rUowYXoxkQPDHE
cQtNbku6Fz5qGtbwD/oj1vkJP/LQrYGilObWTUBJFC7/9vF55OBH5mUW5/GL
6SpKMHiaJhZRK4ffCUQLltEv0kWbpoogzF6NWoZbdA1oqEzQwftb+fPDfojB
N2JvqyPm6PKUSd4IoWMJl4aIsJBB57ZhV9cRt3URCstRfjvm/yEQpsJyMFK+
tXTU3uoSAZOAACD5RkbBWA7rStxREsQtzON8Lc4sP4fCh0Tb+EFxkTDz52Jx
B4M7oFMirYVh232MVWwF4myxBp+CNltTVjHZz/Wsh5mi4j3eEYiGG11jggbg
WL2n9+LLUtKOcpcTEDcu5FkFhW91Ovp32OAdtd3uK58RxW7J3KU7pNGTxAc+
TN8+DsmtQUJHsl0jhBGIeHjmmKQWJEjCjxoKiqD1Twi8qLNqXA8OFiezRf4I
Sqx2pfs8ohAHyLUFb9hy7CXPEByGuD6kU6BFlcRP9e7ig+46CqkH7rhotJbB
Lt9IoPDC7gGBvJmLyelbApwpne4jOxlnpB2Ykn9gJzWHbHeg0zQJiWovlUZd
e21AZVpeOj0Qq6Ovu/jiTrJjNFdgMDUwXl0/kb2ATlTl/mY/a5lzdDR6iwK9
Q2khAF7zNCHkyuLJzHpDDxlVgKuNQr4J+0WCmVtT6TcmeB4s5xwSSnQXa4kg
z0SRWqTEWESJh/RNJkNiOYE5iLd0KH06Cp2xFFYydnICO+Iyi+j+dbWVWJVS
a66ocF+Z6DddAJ/w5tqKIpsNQsckswUvCle3TKdcLg/Ksc2QvFlxxYJ6nZWo
TJGKu0ltKk8666RzAPa0gRf/k2zoUAaYyGSomDAMaKW10WyCAtog5C0JWvPh
2YNzubFqHbY/bKRBwlhpWPKv2cjHVggOwe95FSqAXFy/Jk81v5jwNwwploQ2
9njNigr0ms6cMT1RGRMYI2qSgepxGuzn5x+hb+w9Eypgga/rng33DNuIbi64
arDU2zCIshxu+dyp31qhwnGulh2z9R4iv+YGlXolPtFSjlECQLTF6vgBmbk2
BF6mo4EgEVpkISFaAOJE/EWZPGSwcfIXTU6qZARcVn+P8MEDc7Xp1EsS2o+y
U6R+X6zmtKFqYOvFJXzF1wfyvxSbYmWY26igUykwR1HjFIiUt1KuEMkLG6yR
6FP54JygZIGmvz8g9xLJD9wr/Opwvkg9Eb2N3YWy3a2xHJbq0BLTLzu2Wco1
YyHIIL1DGcxC5V9NwZaHwLYpOTs9uyqQeA/+IyVzKMl6QR/+bHV0fpELQTYI
fx3K7CRVs1M4iizMkkgOk5La4mXFdIfz54+MKEuJ1EgeSU09dk9q2Qm913w5
A07ldTnvKG6bcstKdJrYi7Y+0VfVzQGz/cIhc2Vo3WxYNeqfw/e/CI6FFLSi
WQl/6AOTgb+kWieydbaf6wKWERB4cVL9h8Cb5r4oBYMPm+aeVHR0gBmkCL59
kQmaW0i7uHSIcM+H1xk7WorWCw/iE8lVDe3Eir1wXil+3BSfiHGEjDvtApWR
wcRGR/MnyeeYzoD+xEVNTgK63fEcW7qgA01yXKi1g04VYhZNfj/T1JMquEnT
hKkotsG9JmpUVFmrvHPwuwFOZ/mIMAWUyP4A1S2bEpKGqyrCdJQUa7YjRpGN
LZkR6zwpPq1lom3vJAsx9YwDolMIYS1aecRjWinYqELHDFn8oI8uUAS5wDa+
Cw9z4CYMLxVWUc/027EaiDpIpzC+hVrMpQCtPnMQcWRqIvrDSN/8rN/8EteE
N1a64Y3aWY6EPJ+dRBkheKBTzuqTYLuqWhasXM78E2mjmcm8fMaonkgFiw0U
PZFIm3eNKiqvEVH1zjmjXNJhmT3Tm5PskIwCcTFiO3cVIDY19Yd36ZhHhcOL
FprUxMhXN3bFDCdp6mKRrWo4JPdcxsUKPlmaUHknpdqOpirSafGXNTP+Vcxv
hBOJxKtwcwmQClVRSspwdOGuw/hC1ALx/DGpTbDQVJK71/N5cyWBVAtMzhql
KjCHWDgrBAqIT5guibNZeyJVWRRVYWMHcLRuFGIkHEMaFrFSI1xpnJQ0l0Ct
NvMO14ptSwoNKop835L1eyr8ApazsyzUKpddpCV3tgUCbtqzhwTTmPSTemXG
7uBEJ0HxIekVzcHggdRkE/b8tgFmMThbPZ8Hh3GcMGPXfMiIHxRaW7Yiscdj
YSZ18YPAZBVGY9hRf9ne12J3i75SVlFuAZIpv7nx0k4Um59LEHwblHYoboz6
OD6KsaCxIA8DrjkcrHhrcgjH5LaOkeXCFUGNYd3n7PP1j8eBLLpfHZNfQuju
Hpwod4uAm82T1CUJF5ZjwbYqGghs+OAryZ4gyyekf0UH0MWBhhKa2wCc4ino
9nCVb4xUUfKB2N7rOQRtjQOaTDaVlFBEp3FFQKy3F5fmEILtwwQJFNQ8c2z0
eTRhus+OzpiEa4lZzMUE0LuoNAhoc3WOViIKDHJu36aoVoFJACcBnenNglyV
gao2ixC7X4rsZ/vQxmA8dfaDR5P3Hz4EyIkvDZdxoxSvI/fY/CChnh2W1QkM
I4Pdga/XMJMd+5r2qElfB04SEgNtp21ZmgxmEGAULMfcRa1TxD9KUQIWIsC4
toBR1NkvsTRmTgpljlhdcNdWsVx6hQkVI2GoFlIOnh5qPO4ykevfF+Vq3Xr7
XJeRc9WtZipFBsTtl72+eHeRMmyhVMo03wCrfbCYNZXOSD6u8a93jMF8X6zw
yj2MRh93tRBRwokZ8xvUexUKYL0vpDqEac4XLYo5EpjvlEKJc210dv+zfcLD
+a/rrtu1L77++v7+flrCDTWtm9XXub2z/brl1ieUyTzBVieML33oq+mndbfd
/Nvp37P1sxec6vLh8po4gf00vJApgo/dyF9kTx59e46VRnoT9CLr5jv45orS
UknLeaFkU7KlpX34kVsSYrV6QXWfkKyd2sSX0N2vOowW40QzjR5l9w9tAZRg
J3wBnwjLBp6Vvmbuc6p2DRJuS9mL3CnVkVEPd1OGevN0lMFN9b/evHzzClRo
3mytfZudhpbPpjA624Iv3FOnUcrbGc88aKJ/i5nfL/6LM0/s1X/3mb/6lVOP
TpvpkYnH72zir37dzAuG0VW+mbyhjEs77O+KVY1Mpdj/04s31+/OwnevrxDX
heMXShIuzUGBfJNCJ/+1F5wgRPFXiBjM+bIU3e6wKyasVBz9ggXAV/lmV1kZ
0wlcrF8gcP5m7zpzc8bMPcTSTXGZUEe1MXlOjjfBCXzzHFGU8PyHH17fZFc/
Xn58+/LdhymepXAsZHc8nj7CilUx3cENuV5wozz69M0T+J/nj/F/nuL/fIef
PcP/OYf/eQL6w6dz/PZJgf96BMIg43RNzMqE1k/Ojm69D8nWm0wmFPDDK/LS
OxTFQo9kCbv32HkZ73XW0QNpOYF9I0JzMuyDv7jnvLTyxjE9pXcXnOMAtDuX
16BDekdCr6NMK0N+1vRgothae07LB1yYbEJigslmY4WPaRMofUxr8dffynaQ
LtlWWYTPzwVJixWqVLeNhjyWqT/XAGLA08H/LMTTlyqhUe0fioO0RTqVgSEC
nbfkiiGLxe2ItKanVnr1S0BUXYT/vXOngaSd7Jlt3mCuEfTl7vH0Mar+VOBG
Kt2x62tQfcV5thbbYIzJnDk8FwlM4eFvFWpmnjDPVG4P6cfnrqeKihfASaK4
j+PJMWW/7PxoyRdoaFf1bqjzyBvxJ8OG/olWecfmfPUJrPJOQS3fCT052DX4
8pXxRLTkDZ5QqboJORBOqUTHJ/h7d1t+QiPWlTWBpT/aHywUy905izwP3OCu
vaUS9y2tl5UNITkpDofEy3HUL8DnME6vNtaSP+BAXr1+9y8v31+/f/3uA77+
yCw5wIdLkOFZZ265ThLS4vqHGOZh7OSw4zRWAfiISQAwPlw6lCMBjji3W71S
Tj4sSoxdbQ6B/oIsnrl0k4tJcDjEnQp9a4q8XuWciQ2KwI69at7le+ercVqq
noRUWYiF027LyxYuLR9yOOzbiVJuIdqlm68X9cqjP32cS89IOL4Sre1JgMiZ
Pfg680wfl9npGOjtUhRZEhxxQEijkFatbkWgxAcf9/mKCsRR4GC1LxesKFZc
6Khmst201morAogqt8QF0phSLuRN+QCGHIr9RjyizFJlTOBFQhISxLqLivNV
HHqqjJ2h0MN3z2gHZdlHyze4ZKw4WZ3vr97xywPeHJZiiB5F5AALR1Bqwqmm
SDIzfVZYItWRiRNfPnMRT7OXlshmjrV72v8HZYxVHWryEonTjADCI4wlPhVq
eFDEInLUSdV2gUVYcNVQQ3S18slHx7IIWuEM2QRkaC9gTJwGoAVotBYnLq1O
fAfSOikmRk5Pinn/HCK95O8sCSSGYPdPsvEIC+lI1zyVGnvSB6p9w0eYNwTf
Tt6zYSCxkZyOVsN5iuQak6Q6qfpKZIWEM/C1d2XiejXh1b3GZXOk0iq2lzdN
XJ4mVIfpV4mmkKjKXXK+ibveQIHG7csecAS3L87MrcIhVf1tf+ih2DTh/odm
JziQJQ+G/J9Ve6+VHKNS6YTpZ5NAXiBpf3oO+7XjOHDGy8grqJneLZWooOFj
LnSfDlhgaxcYHeMy04r5ikIxY+bZyb6330VUkpTPzIf4Mv2FMDxTJ13A92Ly
PbPDeX/F95PL6EMKyzGwC2W6MCGNM+t1SxpYblNuxnOotsKnk0BOOgbYRNrb
6eijpDmIm90BvAx2Mw6DU0yvkjFqsjhl7CFAS8jOEFGN0ghuA6zOIN/nWO9b
CgHUEVJtqmUMwmYhCQzy4XbCREkoHXKmXqdyzIEmFRH2qhmGRHb+vThEXaGG
zhKwLN8oeDZRCf1JAoNc74XF7Tjwhq85PCnFDi2nytVet8qoRws0atqAu21V
De5dmqx5lTElYh6KZEY4aJLn4yOZPENnqC9riPs9LSi5C35/gvOXgi+MDRvK
Om0pKqihE0HYk+c6IRriD19fedJDqb48Z6Vp9K6+ZxERjGA9BfLUmiR6dkqn
lmLhZ+RrS4/IoGCiaYEOPMYF1dNBdMO2LuxqoC+Un/WIIORYPmX1u5YfPfbH
zTcOh1t8gvSN7M8Hm88XEhRR2cg8hn4Dw+d7MhttAhblIha+QYdgnuaFMDDn
QkugU0bL88CsPZHn+wXsl9nj1k3pkTn8zMQ98RPnmhB6K9meXdzWkXnH4kJ8
PcMrjk/I4Hr0S6v6Q8XvGpMavqrKPxc0Csx60VqGvlHpu7Tca+fJOCxz2Vnk
M1ndWCTwcQ2VE7nR6AR0jIB7cBt84Zqf048HFvzJf33Bz/8TC95GK07lLnp7
Jyy+kA7oo1+8EXRl3dHrvxjf6tdd4OJ6XSwWOsThEyugRZVupcAyGd4jBXLQ
1OLcW2ZhDfc+qXZEyLbikcBNATpdSMsUVKHsJ4SKBQ5vod/IhQWCNDBVJBg8
IrD29IUKzzftXp8izCXXYmJXedkQRt9qZzqIHBI9DhDXOvpiCVLQYLymQVqR
1VUNWnebqN2cA4AmC/WaeQ+Uy0h/R/xQm02+IzA9VTjIxVR2k5ZCemJtJcUp
MDw5VEYTlcRluKh2grsEVw6vaL3faZ9xZV/+tVNCeDhI5MA8m0PNUKmvScKH
+foqLS2dx7psoBBsu3rXs73FfVqhme9T/qSuBrUoXOYHyxIb0lZatmCHvhAL
xSeYEaAiwmH3CBIDSpwMJrQ0m5VQXCZjUEL7odfbUHgeg9I9NJfKEdcJt8dw
GW5QJlntsu3//b6TjCjBXtkRwyIAUtmdq6r2pwWzYCOzoQt1IaxKQRV5cpQD
Nvodf3wWnGNCWEMMu3EhgtU+b9DVIDst7+0Vmhw+ADArfpPAgJDJncsOcrBC
OHzxdOj1sGCsolQBIIb8iJY06NlOC9edzsYVz4t0LCxLuvjhLrC2uPOL+JBI
oWMeBAGhpat00kNZDbSe4qoa/Q4aw62gPZY6Ufe5GsaTfatkIzSrKM3Kau+2
VGekkdIM1y+EOV0Rz4Ta1EyyxNxNC9x7aON1RDRRtqIvt5T6KuVI3MItQ6Vv
FUDcp9DldidlDIRlS6rQkG9aiLYTQr0oa21sNEHGG6w36pSINDTH5IgaHCoy
wOBSb5Ar2JyoKFHlDqGKD8K7nwMjozbwqFsFCmzoUtwXm81EE5yT00++xilx
ZCTfaNE/SoRjZI+pDWZTeaIlURecF6dW7Avd1qgNBHUOtXm8w2gZQ9UMDUvJ
VWZ1oRZC/rDa1DO6GqWushWqavhAit7jMbW0CrMUDNC6hMhUMXU2rC6DWzVn
7iPmlsIv98L6QKEg8x/GlewCe7LQEQeblFjalsJJvJTyGREpMewVTZ8hh9zo
Ly8YQFMs/vFkCeKtOCH3YV7dWgqmASeZjZPTVxgpcj4OmBEJ7RKO4UV2sckx
S+Z39e04u+mKJfz1EwUgxtlbBC6/nV/msGfQ39KVq+z3cPPk7O3+3Qb/9VOJ
bu1VPvW9uWhgZ2WX+2Yxy5vF5HvYkDxM54hHsqh8Ix5P3lyx+78faojfYR2n
piXdraWYM0aYkTQnYXsW4gnUk7m6i+xgCrgSVwImh4oWwXobexQIwu07L7g9
LjVEORHq30QkEbZHrAC0q7zDP1mx4EHYFfUuECiCZrqE488ZfkQnsloJ1oN6
x/sNF6/4lJMGermBPUWLlje32RUKOiIoepXPyhz5gfbzNZZF+H2+QY6wm+2h
3dR34+yHory9LeHjrkTIN1zI17Dc2U/UGletNOQabpqXi7Krm+Hd+NsoxYmL
ysw0sqwsctluTwx5UsIkp/jj9LcjCyVYTJjfiBRWQeBJoIxpFZC0Ab6EayBi
IG6Wc3xoxvqDvC68Pzlq/xMMe+DC9nEBAA==

-->

</rfc>
