<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-rosomakho-idr-bgp-masque-tunnel-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="BGP MASQUE Tunnel Encapsulation">BGP Signaling of MASQUE Tunnel Encapsulation</title>
    <seriesInfo name="Internet-Draft" value="draft-rosomakho-idr-bgp-masque-tunnel-00"/>
    <author fullname="Yaroslav Rosomakho">
      <organization>Zscaler</organization>
      <address>
        <email>yrosomakho@zscaler.com</email>
      </address>
    </author>
    <author fullname="Alvaro Retana">
      <organization>Futurewei Technologies, Inc.</organization>
      <address>
        <email>aretana@futurewei.com</email>
      </address>
    </author>
    <date year="2026" month="June" day="29"/>
    <area>Routing</area>
    <workgroup>IDR Working Group</workgroup>
    <keyword>bgp</keyword>
    <keyword>masque</keyword>
    <keyword>tunnel</keyword>
    <abstract>
      <?line 50?>

<t>This document defines BGP Tunnel Encapsulation Attribute tunnel types for
MASQUE CONNECT-TCP, CONNECT-UDP, CONNECT-IP, and CONNECT-ETHERNET. It also
defines URI Template and ALPN Sub-TLVs for advertising the MASQUE proxy endpoint,
the HTTP request target template, and the application-layer protocol constraints
used to establish the corresponding MASQUE tunnel.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://yaroslavros.github.io/bgp-masque-tunnel/draft-rosomakho-idr-bgp-masque-tunnel.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-rosomakho-idr-bgp-masque-tunnel/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        IDR Working Group mailing list (<eref target="mailto:idr@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/idr/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/idr/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/yaroslavros/bgp-masque-tunnel"/>.</t>
    </note>
  </front>
  <middle>
    <?line 58?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The BGP Tunnel Encapsulation Attribute
<xref target="BGP-TUNNEL-ENCAP-ATTR"/> allows BGP speakers to advertise the
tunnel encapsulation information associated with reachability information
carried in BGP UPDATE messages. It is used to indicate that traffic associated
with a route can be carried using a particular tunnel encapsulation and to
provide the parameters needed to establish or use that tunnel.</t>
      <t>MASQUE defines mechanisms for proxying traffic using HTTP. These mechanisms
include proxying UDP payloads using CONNECT-UDP <xref target="CONNECT-UDP"/>,
proxying IP packets using CONNECT-IP <xref target="CONNECT-IP"/>, proxying TCP
connections using CONNECT-TCP <xref target="CONNECT-TCP"/>,
and proxying Ethernet frames using CONNECT-ETHERNET
<xref target="CONNECT-ETHERNET"/>. These mechanisms allow
traffic to be carried over HTTP/1.1 <xref target="H1"/>, HTTP/2 <xref target="H2"/>, or HTTP/3 <xref target="H3"/> connections to a MASQUE
proxy and are applicable to environments such as SD-WAN, data center
interconnect, VPN services, and other overlay connectivity deployments.</t>
      <t>In some deployments, BGP is already used as the control plane for advertising
reachability and associated tunnel encapsulation information. Allowing BGP to
advertise MASQUE tunnel encapsulation parameters enables a BGP speaker to signal
that traffic associated with a route is reachable through a MASQUE proxy using
one of the template-driven CONNECT mechanisms. This document defines BGP Tunnel Encapsulation
Attribute tunnel types for CONNECT-TCP, CONNECT-UDP, CONNECT-IP, and
CONNECT-ETHERNET.</t>
      <t>This document also defines a URI Template Sub-TLV for the BGP Tunnel
Encapsulation Attribute. The URI Template identifies the MASQUE proxy endpoint
and provides the template used to construct the HTTP request target for the
corresponding CONNECT request. In addition, because MASQUE tunnels can be
established over different HTTP versions, this document defines an ALPN Sub-TLV
that can be used to indicate the application-layer protocols supported or
preferred for use with the advertised tunnel.</t>
      <t>This document does not define new BGP NLRI, does not define a new MASQUE
protocol mechanism, and does not define a new proxy authentication or
authorization mechanism. The NLRI to which the Tunnel Encapsulation Attribute is
attached identifies the traffic, service, or reachability information to which
the MASQUE tunnel applies. Authentication and authorization of the MASQUE proxy
remain the responsibility of the endpoints and the applicable HTTP and TLS mechanisms.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses terminology from <xref target="BGP-TUNNEL-ENCAP-ATTR"/>,
<xref target="CONNECT-UDP"/>, <xref target="CONNECT-IP"/>, <xref target="CONNECT-TCP"/>, and
<xref target="CONNECT-ETHERNET"/>.</t>
      <dl>
        <dt>MASQUE proxy:</dt>
        <dd>
          <t>An HTTP proxy that supports one or more of the MASQUE CONNECT mechanisms
identified by the tunnel types defined in this document.</t>
        </dd>
        <dt>MASQUE tunnel:</dt>
        <dd>
          <t>A tunnel established using one of the CONNECT mechanisms identified by the
tunnel types defined in this document.</t>
        </dd>
        <dt>URI Template:</dt>
        <dd>
          <t>A URI Template as defined by <xref target="URI-TEMPLATE"/>. In this document, a URI
Template is carried in the URI Template Sub-TLV and is used to construct the
HTTP request target for a MASQUE tunnel.</t>
        </dd>
        <dt>ALPN:</dt>
        <dd>
          <t>Application-Layer Protocol Negotiation, as defined by <xref target="ALPN"/>.</t>
        </dd>
      </dl>
    </section>
    <section anchor="masque-tunnel-encapsulation">
      <name>MASQUE Tunnel Encapsulation</name>
      <t>A Tunnel Encapsulation TLV using one of the tunnel types defined in this
document identifies a MASQUE proxy and the corresponding HTTP request target
using the URI Template Sub-TLV defined in <xref target="uri-template-sub-tlv"/>. The URI
Template determines the MASQUE proxy endpoint and is used to construct the HTTP
request for the corresponding CONNECT mechanism.</t>
      <t>An ALPN Sub-TLV, defined in <xref target="alpn-sub-tlv"/>, <bcp14>MAY</bcp14> be included to indicate the
application-layer protocols supported or preferred for use when connecting to
the MASQUE proxy.</t>
      <t>The tunnel types defined in this section identify the MASQUE mechanism used to
carry the traffic associated with the BGP route. The NLRI to which the Tunnel
Encapsulation Attribute is attached determines the traffic, service, or
reachability information to which the MASQUE tunnel applies.</t>
      <t>A Tunnel Encapsulation TLV whose tunnel type is one of the MASQUE tunnel types
defined in this document is referred to as a MASQUE Tunnel Encapsulation TLV.
A MASQUE Tunnel Encapsulation TLV <bcp14>MUST</bcp14> contain exactly one URI Template Sub-TLV
and <bcp14>MAY</bcp14> contain at most one ALPN Sub-TLV.</t>
      <t>Only the following Sub-TLVs are applicable to MASQUE Tunnel Encapsulation TLVs:</t>
      <table anchor="masque-allowed-sub-tlvs">
        <name>Sub-TLVs allowed for use with MASQUE Tunnel Encapsulation TLVs</name>
        <thead>
          <tr>
            <th align="left">Sub-TLV</th>
            <th align="left">Code</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">Color</td>
            <td align="left">4</td>
          </tr>
          <tr>
            <td align="left">DS Field</td>
            <td align="left">7</td>
          </tr>
          <tr>
            <td align="left">URI Template</td>
            <td align="left">TBD5</td>
          </tr>
          <tr>
            <td align="left">ALPN</td>
            <td align="left">TBD6</td>
          </tr>
        </tbody>
      </table>
      <t>All other Sub-TLVs not explicitly listed above are not defined for use with
MASQUE Tunnel Encapsulation TLVs. Receivers <bcp14>MUST</bcp14> ignore these Sub-TLVs when
validating MASQUE-specific semantics. Future specifications <bcp14>MAY</bcp14> define
additional Sub-TLVs for use with MASQUE Tunnel Encapsulation TLVs.</t>
      <t>If a MASQUE Tunnel Encapsulation TLV contains no
URI Template Sub-TLV, or contains more than one URI Template Sub-TLV,
it <bcp14>MUST</bcp14> be ignored.</t>
      <section anchor="connect-tcp-tunnel-type">
        <name>CONNECT-TCP Tunnel Type</name>
        <t>The CONNECT-TCP Tunnel Type indicates that traffic associated with the route is
to be carried using CONNECT-TCP <xref target="CONNECT-TCP"/>. This tunnel type is applicable
to routes or service-specific information that identify TCP connectivity or TCP
flow steering.</t>
        <ul empty="true">
          <li>
            <t>Name: MASQUE CONNECT-TCP Tunnel
Type: TBD1
Length: 0</t>
          </li>
        </ul>
      </section>
      <section anchor="connect-udp-tunnel-type">
        <name>CONNECT-UDP Tunnel Type</name>
        <t>The CONNECT-UDP Tunnel Type indicates that traffic associated with the route is
to be carried using CONNECT-UDP <xref target="CONNECT-UDP"/>. This tunnel type is applicable
to routes or service-specific information that identify UDP connectivity or UDP
flow steering.</t>
        <ul empty="true">
          <li>
            <t>Name: MASQUE CONNECT-UDP Tunnel
Type: TBD2
Length: 0</t>
          </li>
        </ul>
      </section>
      <section anchor="connect-ip-tunnel-type">
        <name>CONNECT-IP Tunnel Type</name>
        <t>The CONNECT-IP Tunnel Type indicates that traffic associated with the route is
to be carried using CONNECT-IP <xref target="CONNECT-IP"/>. This tunnel type is applicable to
routes that identify IP reachability, such as IP prefixes, VPN-IP routes, or
other service-specific IP reachability information.</t>
        <ul empty="true">
          <li>
            <t>Name: MASQUE CONNECT-IP Tunnel
Type: TBD3
Length: 0</t>
          </li>
        </ul>
      </section>
      <section anchor="connect-ethernet-tunnel-type">
        <name>CONNECT-ETHERNET Tunnel Type</name>
        <t>The CONNECT-ETHERNET Tunnel Type indicates that traffic associated with the
route is to be carried using CONNECT-ETHERNET <xref target="CONNECT-ETHERNET"/>. This tunnel
type is applicable to routes that identify Ethernet or Layer 2 service
reachability, such as EVPN or other service-specific Layer 2 reachability
information.</t>
        <ul empty="true">
          <li>
            <t>Name: MASQUE CONNECT-ETHERNET Tunnel
Type: TBD4
Length: 0</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="uri-template-sub-tlv">
      <name>URI Template Sub-TLV</name>
      <t>The URI Template Sub-TLV identifies the MASQUE proxy endpoint and provides the
template used to construct the HTTP request target for the MASQUE tunnel. The
URI Template Sub-TLV is carried in a MASQUE Tunnel Encapsulation TLV.</t>
      <t>The URI Template Sub-TLV has the following format:</t>
      <figure anchor="fig-uri-template-sub-tlv">
        <name>URI Template Sub-TLV</name>
        <artwork type="ascii-art"><![CDATA[
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |   Type=TBD5   |           Length              |               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               |
 ~                     URI Template Value                        ~
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
      </figure>
      <dl>
        <dt>Type:</dt>
        <dd>
          <t>TBD5</t>
        </dd>
        <dt>Length:</dt>
        <dd>
          <t>The length, in octets, of the URI Template Value field.</t>
        </dd>
        <dt>URI Template Value:</dt>
        <dd>
          <t>A UTF-8 encoded URI Template <xref target="URI-TEMPLATE"/>.</t>
        </dd>
      </dl>
      <t>The URI Template Value <bcp14>MUST</bcp14> be a syntactically valid URI Template. The URI
Template <bcp14>MUST</bcp14> be in absolute form and <bcp14>MUST</bcp14> include non-empty scheme, authority,
and path components. The URI Template <bcp14>MUST</bcp14> satisfy the URI Template requirements
of the MASQUE mechanism identified by the enclosing MASQUE Tunnel Encapsulation
TLV.</t>
      <t>The authority component of the URI Template identifies the MASQUE proxy endpoint
to which the receiver establishes the HTTP connection. The path and query
components of the expanded URI identify the request target used for the
corresponding CONNECT mechanism.</t>
      <t>If the URI Template Value is not a syntactically valid URI Template, if it is
not in absolute form, if it does not include non-empty scheme, authority, and
path components, or if it is otherwise not usable with the MASQUE mechanism
identified by the enclosing MASQUE Tunnel Encapsulation TLV, the MASQUE Tunnel
Encapsulation TLV <bcp14>MUST</bcp14> be ignored.</t>
      <t>The Tunnel Egress Endpoint Sub-TLV defined by <xref target="BGP-TUNNEL-ENCAP-ATTR"/> is not used with MASQUE
Tunnel Encapsulation TLVs because the authority component of the URI Template
identifies the MASQUE proxy endpoint and provides the information necessary
to establish the corresponding HTTP connection.</t>
    </section>
    <section anchor="alpn-sub-tlv">
      <name>ALPN Sub-TLV</name>
      <t>The ALPN Sub-TLV indicates the application-layer protocol or protocols that are
supported or preferred for use with the tunnel described by the enclosing Tunnel
Encapsulation TLV. When used with a MASQUE Tunnel Encapsulation TLV, the ALPN
Sub-TLV identifies the HTTP version or versions that can be used to establish
the corresponding MASQUE tunnel.</t>
      <t>The ALPN Sub-TLV has the following format:</t>
      <figure anchor="fig-alpn-sub-tlv">
        <name>ALPN Sub-TLV</name>
        <artwork type="ascii-art"><![CDATA[
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |   Type=TBD6   |           Length              |               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               |
 ~                       ALPN ProtocolNameList                   ~
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
      </figure>
      <dl>
        <dt>Type:</dt>
        <dd>
          <t>TBD6</t>
        </dd>
        <dt>Length:</dt>
        <dd>
          <t>The length, in octets, of the ALPN ProtocolNameList field.</t>
        </dd>
        <dt>ALPN ProtocolNameList:</dt>
        <dd>
          <t>A sequence of one or more ALPN protocol identifiers, encoded as a TLS ALPN
<tt>ProtocolNameList</tt> as defined in <xref section="3.1" sectionFormat="of" target="ALPN"/>.</t>
        </dd>
      </dl>
      <t>The ALPN ProtocolNameList field contains one or more non-empty ALPN protocol
identifiers. The order of ALPN protocol identifiers indicates preference, with
the most preferred protocol listed first.</t>
      <t>When the ALPN Sub-TLV is present in a MASQUE Tunnel Encapsulation TLV, the
receiver <bcp14>MUST</bcp14> use one of the advertised ALPN protocol identifiers when
establishing the HTTP connection to the MASQUE proxy. If none of the advertised
protocol identifiers is supported by the receiver, the MASQUE Tunnel
Encapsulation TLV <bcp14>MUST</bcp14> be ignored.</t>
      <t>A MASQUE Tunnel Encapsulation TLV <bcp14>MUST</bcp14> contain at most one ALPN Sub-TLV. If more
than one ALPN Sub-TLV is present, the MASQUE Tunnel Encapsulation TLV <bcp14>MUST</bcp14> be
ignored.</t>
      <t>If the ALPN Sub-TLV is malformed, including if it contains an empty
ProtocolNameList or an empty protocol identifier, the MASQUE Tunnel
Encapsulation TLV <bcp14>MUST</bcp14> be ignored.</t>
    </section>
    <section anchor="use-with-bgp-nlri">
      <name>Use with BGP NLRI</name>
      <t>The tunnel types and Sub-TLVs defined in this document are used with the BGP
Tunnel Encapsulation Attribute. This document does not define new BGP NLRI or
new procedures for associating tunnel encapsulation information with routes.</t>
      <t>The NLRI to which the Tunnel Encapsulation Attribute is attached identifies the
traffic, service, or reachability information to which the MASQUE tunnel applies.
The tunnel type in the Tunnel Encapsulation TLV identifies the MASQUE mechanism
used to carry that traffic.</t>
      <t>The following examples illustrate possible uses:</t>
      <ul spacing="normal">
        <li>
          <t>A route that identifies IP reachability, such as an IP prefix or VPN-IP route,
can use the CONNECT-IP, CONNECT-TCP, or CONNECT-UDP Tunnel Types to indicate that matching IP, TCP, or UDP traffic packets are
carried using the correspondind CONNECT mechanism.</t>
        </li>
        <li>
          <t>A route that identifies Ethernet or Layer 2 service reachability, such as an
EVPN route, can use the CONNECT-ETHERNET Tunnel Type to indicate that matching
Ethernet frames are carried using CONNECT-ETHERNET.</t>
        </li>
      </ul>
      <t>Specifications or deployment profiles that use the tunnel types defined in this
document may define additional rules for their use with particular AFI/SAFI
combinations or service models.</t>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>The tunnel types and Sub-TLVs defined in this document allow BGP to advertise
MASQUE tunnel encapsulation parameters associated with BGP routes. Operators
<bcp14>MUST</bcp14> ensure that these attributes are propagated only within routing domains
where the advertised MASQUE proxy information is intended to be used.</t>
      <t>A URI Template carried in BGP can reveal information about proxy names, service
structure, or internal topology. Operators <bcp14>MUST</bcp14> apply BGP import and export
policy to avoid leaking MASQUE tunnel encapsulation information outside the
intended administrative scope.</t>
      <t>Multiple MASQUE tunnel candidates can be advertised by including multiple Tunnel
Encapsulation TLVs, each containing a single URI Template Sub-TLV. This can be
used to advertise alternative MASQUE proxies. Selection among available tunnel
candidates is left to local policy and outside the scope of this specification.</t>
      <t>A BGP Tunnel Encapsulation Attribute <bcp14>MAY</bcp14> contain both MASQUE Tunnel Encapsulation
TLVs and Tunnel Encapsulation TLVs of other tunnel types defined by <xref target="BGP-TUNNEL-ENCAP-ATTR"/> or
subsequent specifications. This document does not define any preference between
MASQUE and non-MASQUE tunnel types. Selection among available tunnel types is
determined by local policy and the procedures applicable to the associated
AFI/SAFI.</t>
      <t>Operators should consider the stability of URI Template values when
attaching MASQUE Tunnel Encapsulation TLVs to routes.
Frequent changes to URI Templates, can increase route churn.
Deployments that advertise the same MASQUE proxy parameters for many routes
should consider existing BGP mechanisms and service-specific profiles that avoid
unnecessary repetition.</t>
      <section anchor="uri-template-length">
        <name>URI Template Length</name>
        <t><xref target="URI-TEMPLATE"/> does not define a general maximum length for a URI Template.
When a URI Template is carried in the URI Template Sub-TLV, the length of the
URI Template Value is constrained by the Sub-TLV encoding and by the size of the
BGP UPDATE message in which the Sub-TLV is carried.</t>
        <t>The URI Template Sub-TLV uses a two-octet Length field. This allows the URI
Template Value to be longer than 255 octets. However, long URI Template Values
can significantly increase the size of the enclosing BGP UPDATE message and
can affect propagation across BGP sessions where BGP Extended Messages
<xref target="BGP-EXTENDED-MESSAGES"/> are not used.</t>
        <t>URI Template Values <bcp14>SHOULD NOT</bcp14> exceed 1024 octets and should be kept as short as practical.</t>
        <t>Deployments that carry URI Template Sub-TLVs <bcp14>SHOULD</bcp14> use BGP Extended Messages
<xref target="BGP-EXTENDED-MESSAGES"/> on the BGP sessions over which the
corresponding routes are propagated. If BGP Extended Messages are not available, URI Template
Values <bcp14>MUST</bcp14> be kept small enough that the complete BGP UPDATE message,
including all path attributes, NLRI, and protocol overhead, does not exceed
4096 octets.</t>
        <t>If the URI Template Value exceeds the receiver's supported or configured
limit, the receiver <bcp14>SHOULD</bcp14> ignore the enclosing MASQUE Tunnel Encapsulation TLV.</t>
        <t>If the length of the URI Template results in the BGP UPDATE exceeding the
maximum message size, the result may include a lack of reachability, as detailed
in <xref target="BGP-EXTENDED-MESSAGES"/>. If BGP Extended Messages are partially supported,
the BGP Tunnel Encapsulation Attribute may be discarded <xref target="BGP-EXTENDED-MESSAGES"/>,
as it is eligible under the "attribute discard" approach of
<xref target="BGP-ERROR-HANDLING"/>, which would result in the information
not reaching the intended recipients.
# Security Considerations</t>
        <t>The security considerations of <xref target="BGP-TUNNEL-ENCAP-ATTR"/>, <xref target="CONNECT-UDP"/>,
<xref target="CONNECT-IP"/>, <xref target="CONNECT-TCP"/>, <xref target="CONNECT-ETHERNET"/>, <xref target="URI-TEMPLATE"/>, and
<xref target="ALPN"/> apply.</t>
        <t>This document defines BGP signaling for MASQUE tunnel encapsulation parameters.
It does not define a new authentication or authorization mechanism for MASQUE
proxies, and it does not change the security properties of the MASQUE
mechanisms identified by the tunnel types defined in this document.</t>
        <t>Authorization to use the MASQUE proxy, including authorization to reach the
requested target or to carry the traffic associated with the route, is enforced
by the MASQUE proxy and the applicable mechanisms. Implementations <bcp14>MUST NOT</bcp14>
treat possession of a BGP route or Tunnel Encapsulation Attribute as sufficient
authorization to use a MASQUE proxy.</t>
        <t>Misconfiguration, route leaks, or malicious injection of BGP routes carrying
MASQUE tunnel encapsulation information can cause traffic to be directed to an
unintended MASQUE proxy. This can result in traffic interception, denial of
service, policy bypass, or loss of connectivity. Operators should apply the same
route filtering, origin validation, session protection, and import/export policy
controls used for other BGP routes carrying tunnel encapsulation information.
For more details, see Section 11 of <xref target="BGP-TUNNEL-ENCAP-ATTR"/>.</t>
        <t>The URI Template Sub-TLV can reveal information about proxy hostnames, service
structure, tenant identifiers, or internal topology. Such information can be
sensitive. Operators should ensure that routes carrying MASQUE Tunnel
Encapsulation TLVs are distributed only within the administrative scope where
the corresponding MASQUE proxy information is intended to be visible.</t>
        <t>The URI Template carried in BGP is used to construct an HTTP request target.
Implementations <bcp14>MUST</bcp14> validate the URI Template before use and <bcp14>MUST</bcp14> apply the
processing rules in this document and in the applicable MASQUE specification.
Implementations <bcp14>MUST NOT</bcp14> expand or use a URI Template in a way that creates a
request target outside the scope intended by the received route and local
policy.</t>
        <t>The ALPN Sub-TLV can constrain the application-layer protocols used to establish
a MASQUE tunnel. If an ALPN Sub-TLV is present, receivers <bcp14>MUST</bcp14> use only one of
the advertised ALPN protocol identifiers for the corresponding tunnel. Ignoring
an ALPN constraint could cause a receiver to use an HTTP version or transport
that the advertising speaker did not intend to support for that tunnel.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is requested to update the "BGP Tunnel Encapsulation" registry group as
specified in the following sections.</t>
      <section anchor="bgp-tunnel-encapsulation-attribute-tunnel-types">
        <name>BGP Tunnel Encapsulation Attribute Tunnel Types</name>
        <t>IANA is requested to allocate the following values from the "BGP Tunnel
Encapsulation Attribute Tunnel Types" registry:</t>
        <table anchor="masque-tunnel-types">
          <name>MASQUE BGP Tunnel Encapsulation Attribute Tunnel Types</name>
          <thead>
            <tr>
              <th align="right">Value</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="right">TBD1</td>
              <td align="left">CONNECT-TCP</td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="right">TBD2</td>
              <td align="left">CONNECT-UDP</td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="right">TBD3</td>
              <td align="left">CONNECT-IP</td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="right">TBD4</td>
              <td align="left">CONNECT-ETHERNET</td>
              <td align="left">this document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="bgp-tunnel-encapsulation-attribute-sub-tlvs">
        <name>BGP Tunnel Encapsulation Attribute Sub-TLVs</name>
        <t>IANA is requested to allocate the following values from the 192-252 range in the "BGP Tunnel
Encapsulation Attribute Sub-TLVs" registry:</t>
        <table anchor="masque-tunnel-subtlvs">
          <name>MASQUE BGP Tunnel Encapsulation Attribute Sub-TLVs</name>
          <thead>
            <tr>
              <th align="right">Value</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="right">TBD5</td>
              <td align="left">URI Template</td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="right">TBD6</td>
              <td align="left">ALPN</td>
              <td align="left">this document</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <displayreference target="H1" to="HTTP/1.1"/>
    <displayreference target="H2" to="HTTP/2"/>
    <displayreference target="H3" to="HTTP/3"/>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="BGP-TUNNEL-ENCAP-ATTR">
          <front>
            <title>The BGP Tunnel Encapsulation Attribute</title>
            <author fullname="K. Patel" initials="K." surname="Patel"/>
            <author fullname="G. Van de Velde" initials="G." surname="Van de Velde"/>
            <author fullname="S. Sangli" initials="S." surname="Sangli"/>
            <author fullname="J. Scudder" initials="J." surname="Scudder"/>
            <date month="April" year="2021"/>
            <abstract>
              <t>This document defines a BGP path attribute known as the "Tunnel Encapsulation attribute", which can be used with BGP UPDATEs of various Subsequent Address Family Identifiers (SAFIs) to provide information needed to create tunnels and their corresponding encapsulation headers. It provides encodings for a number of tunnel types, along with procedures for choosing between alternate tunnels and routing packets into tunnels.</t>
              <t>This document obsoletes RFC 5512, which provided an earlier definition of the Tunnel Encapsulation attribute. RFC 5512 was never deployed in production. Since RFC 5566 relies on RFC 5512, it is likewise obsoleted. This document updates RFC 5640 by indicating that the Load-Balancing Block sub-TLV may be included in any Tunnel Encapsulation attribute where load balancing is desired.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9012"/>
          <seriesInfo name="DOI" value="10.17487/RFC9012"/>
        </reference>
        <reference anchor="CONNECT-UDP">
          <front>
            <title>Proxying UDP in HTTP</title>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document describes how to proxy UDP in HTTP, similar to how the HTTP CONNECT method allows proxying TCP in HTTP. More specifically, this document defines a protocol that allows an HTTP client to create a tunnel for UDP communications through an HTTP server that acts as a proxy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9298"/>
          <seriesInfo name="DOI" value="10.17487/RFC9298"/>
        </reference>
        <reference anchor="CONNECT-IP">
          <front>
            <title>Proxying IP in HTTP</title>
            <author fullname="T. Pauly" initials="T." role="editor" surname="Pauly"/>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="A. Chernyakhovsky" initials="A." surname="Chernyakhovsky"/>
            <author fullname="M. Kühlewind" initials="M." surname="Kühlewind"/>
            <author fullname="M. Westerlund" initials="M." surname="Westerlund"/>
            <date month="October" year="2023"/>
            <abstract>
              <t>This document describes how to proxy IP packets in HTTP. This protocol is similar to UDP proxying in HTTP but allows transmitting arbitrary IP packets. More specifically, this document defines a protocol that allows an HTTP client to create an IP tunnel through an HTTP server that acts as an IP proxy. This document updates RFC 9298.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9484"/>
          <seriesInfo name="DOI" value="10.17487/RFC9484"/>
        </reference>
        <reference anchor="CONNECT-TCP">
          <front>
            <title>Template-Driven HTTP CONNECT Proxying for TCP</title>
            <author fullname="Benjamin M. Schwartz" initials="B. M." surname="Schwartz">
              <organization>Meta Platforms, Inc.</organization>
            </author>
            <date day="20" month="March" year="2026"/>
            <abstract>
              <t>   TCP proxying using HTTP CONNECT has long been part of the core HTTP
   specification.  However, this proxying functionality has several
   important deficiencies in modern HTTP environments.  This
   specification defines an alternative HTTP proxy service configuration
   for TCP connections.  This configuration is described by a URI
   Template, similar to the CONNECT-UDP and CONNECT-IP protocols.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-connect-tcp-11"/>
        </reference>
        <reference anchor="CONNECT-ETHERNET">
          <front>
            <title>Proxying Ethernet in HTTP</title>
            <author fullname="Alejandro Sedeño" initials="A." surname="Sedeño">
              <organization>Google LLC</organization>
            </author>
            <date day="12" month="April" year="2026"/>
            <abstract>
              <t>   This document describes how to proxy Ethernet frames in HTTP.  This
   protocol is similar to IP proxying in HTTP, but for Layer 2 instead
   of Layer 3.  More specifically, this document defines a protocol that
   allows an HTTP client to create a tunnel to exchange Layer 2 Ethernet
   frames through an HTTP server with an attached physical or virtual
   Ethernet segment.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-masque-connect-ethernet-09"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="URI-TEMPLATE">
          <front>
            <title>URI Template</title>
            <author fullname="J. Gregorio" initials="J." surname="Gregorio"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="M. Hadley" initials="M." surname="Hadley"/>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="D. Orchard" initials="D." surname="Orchard"/>
            <date month="March" year="2012"/>
            <abstract>
              <t>A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6570"/>
          <seriesInfo name="DOI" value="10.17487/RFC6570"/>
        </reference>
        <reference anchor="ALPN">
          <front>
            <title>Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension</title>
            <author fullname="S. Friedl" initials="S." surname="Friedl"/>
            <author fullname="A. Popov" initials="A." surname="Popov"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="E. Stephan" initials="E." surname="Stephan"/>
            <date month="July" year="2014"/>
            <abstract>
              <t>This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7301"/>
          <seriesInfo name="DOI" value="10.17487/RFC7301"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="H1">
          <front>
            <title>HTTP/1.1</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document specifies the HTTP/1.1 message syntax, message parsing, connection management, and related security concerns.</t>
              <t>This document obsoletes portions of RFC 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="99"/>
          <seriesInfo name="RFC" value="9112"/>
          <seriesInfo name="DOI" value="10.17487/RFC9112"/>
        </reference>
        <reference anchor="H2">
          <front>
            <title>HTTP/2</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="C. Benfield" initials="C." role="editor" surname="Benfield"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced latency by introducing field compression and allowing multiple concurrent exchanges on the same connection.</t>
              <t>This document obsoletes RFCs 7540 and 8740.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9113"/>
          <seriesInfo name="DOI" value="10.17487/RFC9113"/>
        </reference>
        <reference anchor="H3">
          <front>
            <title>HTTP/3</title>
            <author fullname="M. Bishop" initials="M." role="editor" surname="Bishop"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9114"/>
          <seriesInfo name="DOI" value="10.17487/RFC9114"/>
        </reference>
        <reference anchor="BGP-EXTENDED-MESSAGES">
          <front>
            <title>Extended Message Support for BGP</title>
            <author fullname="R. Bush" initials="R." surname="Bush"/>
            <author fullname="K. Patel" initials="K." surname="Patel"/>
            <author fullname="D. Ward" initials="D." surname="Ward"/>
            <date month="October" year="2019"/>
            <abstract>
              <t>The BGP specification (RFC 4271) mandates a maximum BGP message size of 4,096 octets. As BGP is extended to support new Address Family Identifiers (AFIs), Subsequent AFIs (SAFIs), and other features, there is a need to extend the maximum message size beyond 4,096 octets. This document updates the BGP specification by extending the maximum message size from 4,096 octets to 65,535 octets for all messages except for OPEN and KEEPALIVE messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8654"/>
          <seriesInfo name="DOI" value="10.17487/RFC8654"/>
        </reference>
        <reference anchor="BGP-ERROR-HANDLING">
          <front>
            <title>Revised Error Handling for BGP UPDATE Messages</title>
            <author fullname="E. Chen" initials="E." role="editor" surname="Chen"/>
            <author fullname="J. Scudder" initials="J." role="editor" surname="Scudder"/>
            <author fullname="P. Mohapatra" initials="P." surname="Mohapatra"/>
            <author fullname="K. Patel" initials="K." surname="Patel"/>
            <date month="August" year="2015"/>
            <abstract>
              <t>According to the base BGP specification, a BGP speaker that receives an UPDATE message containing a malformed attribute is required to reset the session over which the offending attribute was received. This behavior is undesirable because a session reset would impact not only routes with the offending attribute but also other valid routes exchanged over the session. This document partially revises the error handling for UPDATE messages and provides guidelines for the authors of documents defining new attributes. Finally, it revises the error handling procedures for a number of existing attributes.</t>
              <t>This document updates error handling for RFCs 1997, 4271, 4360, 4456, 4760, 5543, 5701, and 6368.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7606"/>
          <seriesInfo name="DOI" value="10.17487/RFC7606"/>
        </reference>
      </references>
    </references>
    <?line 492?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+Vc627bSJb+X09Rq/xYYFayI9txJ8aku92x0xHg2B5b6d7e
xQJDkSWpJhSpZVG21XbyLPMs82R7zqkLq3iRFM8MMMCm0bZJkXU51+9cSoPB
gJWyTMUJ7/308zW/lbMsSmU24/mUfzy9/dOncz5eZZlI+XkWR0u1SqNS5lmP
RZNJIe7MaxufjKNSzPJifcJVmTCW5HEWLWDCpIim5aDIVb6IPs/zgUyKwWS2
HCwi9b8rMShpsMHLl0ytJgupFAxWrpfw4uh8/J7zFzxKVQ4LkFkilgJ+ZGWv
z3sikWVeyCjFi9HpT/ArL+Cvm/H7HstWi4koTlgCazphcZ4pkamVOuFlsRIM
tnPIokJEMOpNviqBDj12nxefZ0W+WsLN0dkN/xWukUA/470e+yzW8ERywviA
w+rxl94A/qX3wO5EtoLpOPfG6cGl3k6vNiKHAWSKG0uKH6Uop3t5McPbURHP
4fa8LJfqZH8fn8Jb8k7s2cf28cb+pMjvldiH9/fxvZks56sJvLmOgNppdAc/
9xuUxieBZUKV3hzeG3t6mD2ZN9/d34mXe/NyAdOwaFXO8wIpBlNyPl2lqZaI
38xs/MYORA/AvqJM/k7idML/S8VRKgr6RGhKrd3EP/6uP92L80Vz/NP0Dmbg
N6KMsqhl6PerclWIeyH5WMTzLE/zmRSqz0dZvOfPByKCI/w4tc/TdIxlebGA
oe6A10xm0+qK8w/DExrh7Qm/ef/uzXB4QJeJVMs0AtX4MB5f7w/3hvjoQe3R
w5ZH8fUPh7UHj1oePGRsMBjwaKLKIopLxsZzqTgo4WoBCsMTMZWZUBy1uE19
+WlZFnKyKoURZhJaxWFzzGj9u6vLy/N348H43XXfXXw68y5G8HeUJe76fPzh
/ObyfLzHRyVpMbPL+HQzAtovliiI9MrpxfUlv11NBuOLX2hWHiV3oiilQo0p
58LanmWRP6w5mIFlLrOyz/AjJAAvBEigKnkZFTMBv8zoekX4VLRcpjKm3Q6A
bqLAsco8zlOOBgLIBgMqtlICns85jBVNUqnm9HKcF4VQyzxLcD1mLUbcNeUX
MklSwdgLEKOyyJNVjDMhH8QOVGePj/8GTw3Gn4B0F4Pzy3en14PT8fjmLbL8
5fDgyxegYAr6ToOppYg+i0LhQi2hBC6UGe6JYBonpPB3pFQeS6BMwu9B04Fu
UTyPJjKV5dp/EOx5UUh4SmY05afrs9PxOV8IpaKZUMRTkDBLLrDOSFxcRATU
BzsxlbE3GaPJIg62Dx6Ko4xP8JeeYkVcjvgygo3EsOqCt+6DWJkz4NudTGi/
+ArofIm0yIRI6rwDQVopuyjLLsM+K4wLMAJgHdRCCx5JGEmd2YReHQrZHgdu
wnDVG6D/cbqCtbi3QCNgUes0jxJlXvWUhQOfvUvi7sGb11++9JkbYYQDxJ9F
WX9/FLw+0m8fvT6Ct6v5QT3R4WWC5K8+BHzqjwGXb0eDM/IrA3QGE6kG5u1B
GS9xXUh0N/o50LzIQL+mSPb66FbhmTeFvVfNY5yFnUaYIb98aZJXyzyznADW
elKTg9w7gwq7+jBEQmiziZcHeJmbRw7xziFokU8b1B6jzJr8JGFg9q2xmKSC
5Cm7k0WeoSVVXK1iEGTFb88Gv55e9jlgjIjH8BE4K4k/zQx9/gvYNCWKOxmj
d8Ghc9wrLRwskFvKHaoegJs0X9MUIKKjjIOrE/7dPqmhRJqAziZrrXqwEG2f
0OikHGxeJur2kwU6TlusjMA2g7EH7hR4gGzG+UH9KoMT2MHaEJ5iigwJCQv3
bRfSVREMZR0mgwcmAzZutoE8mcPN2dxxz7gFkkaWAwUA1iJZrBcYJAU46MwK
qidhKHPf4ihZt6Pc3UOyhoes+2v0lm4tUegvjZukKcvAu7AO70KKFQ4iEUfL
KeCebu9qVR+NrQro6cy+9pzg63iXIzarZKEHtYwwD4M3AeueAKSHdfdByeNo
VZcvZbwGc9bd2oBETqeiQLLRAuAWBhGgMGUra2EUH25o8TMeqcWdbUIOaA2W
y7xAaQWktCwELKSAi6lxPCTCNIZVmqTyQzXJy2FtWW7XCe7snlh7eXEz6jc+
jejzynZpIOPkWpub9peMpQN0jiKg94Wr13jdoORqKC08uAokzP1cxnpHW2Ck
VCwqS1BYhBChsBlV71vjSFa6C4e4SZknp0b1iDGIRU7DzZCJC3Zj7IEv5mAV
AeZndF9LppJmevO01QNVx5BogkjU8P744ta3J4gA3+XZHS4HfQw+cobkJ9lW
GhBCNMkxnFS89/HT7RhDWPzNL6/o75vzP30a3Zyf4d+3H04vLtwfzDxx++Hq
08VZ9Vf15rurjx/PL8/0y3CXB7dY7+Ppbz0tHb2r6/Ho6vL0oseJDIH9KYTx
tuTSQLBLcjaA4FUMHDa48N313/46PEJEAVDkYDh8Aw5WX7wefge4BDgnMuP6
snRtLoGSawakFIDzYBTw8aB+S1mC0eujQ1Pz/D7j4CkFUPMP/42U+Z8T/sdJ
vBwefW9u4IaDm5ZmwU2iWfNO42VNxJZbLdM4agb3a5QO13v6W3Bt6e7d/OMP
KSroYPj6h+9Z3TKAIQHFEcVCUqy6BvCVL4DOrQEDQrbHR8/7IAqqboxq1+Cr
8AY6peqmdUsAyRxaJp05YRBdZ1r2tRkh42mMoOLkegu+yAtRU7mm54Ug1tmF
hE/W2jT4PlVbraQhndWi9OO0KodCPO+g0amHB5qraK4BEzY7rsL3qHoRYWBb
vQxDg17Ap4Px+cfrC4ikELwfv/ruJcLeUW3ovnb5sJLKXyvuBWRl3Z1bTICa
5kVlgXvGVEKHg44aIS16SNqS5/suyPddW2dzKWZ5KSPtsht7xQFwj98dvhyS
HL3YlD6ECdsdCm6qwcZN/GFObTyvU8OJ1pyHmKSFOGzl8g+t5PbmfnxcFXLg
AKeCJ8r0zgQ1xE33diK0Mm/CXhs5SUtldqkWB7YjrMqPA41D5NMP1x+ly6xa
dx/W9Zt2ABThNmAR2xUW8RZYBH7AhT9I4JzVKbGnPeVGVVQ6kLOcXvvkdPu2
JKSExtoHII1Yw6Jpijg2454uqE0BmsU9NUa34R62FffwbtyzUWvu57kK6IdL
85QoHJIIzLpsnY6+DBMxavZUqmsBe7C4LY9w8uQYuyIQEw9RXAJIwDW2aRuF
IyiU9gXwPIscFABf8OUa6HKFaAN3Oc1t9Oqyi834fssy1QljT07nnwDeJYI/
wS3M+5mfDG+nIN5P/Iiuzm75eynSBG58RzeCLT3x8U9nr+g+rZyuj+H68YS/
MAkSyn2IxKokyBBWcN72qo3oB8JgY9teel9AagBx6VSEGwujBPGARJHIA3Cg
BPgmEGARwaooIpyPbZtvj9+IWEgMyjS7IeZHeFBSqsfNjxaB3UWpTKKySrEO
1FLEElVVAVhHgA/j6fQ9tx9FGmejYOgFMhtIRmmYUt6ZRpiAmW6XcCuISD3W
JrEU2LiHFnrbEGh2SXifyVITCe0u0SlBz/kiyN+Z5YxBY7WN7PjQWWvVlZSt
rJ7NsbAwxdaWPAyQo0mf1KxMpV04Ho2tkBTG7lVcDewdrtFZcpwryI/B65ja
nILIc5BNUcDKgDbf80uq+TSLFNZQf0/EOEEFG8LFhchm5fyEvwzoiqnZTrrW
PvyH01XnhQPI/k+jK85Vpyvc25WuFSl8uh500nW0gayjfy5VR9e1sGcbTREj
GJqGNBtdB9mJvksBY6Ye3KJ8wPzuL9eXOKcegVy7NrEN5tSGC5KtnYQftdH9
sJPuNoLrpn7bE9/AA+ayspt44CZpjS19frBWfvBWfrgiBMiujkkOLJVZO6PO
MRUPT3dwxA7iv8x2YkuNij5zjmrMaY8gHl+0hg2aV61v7JK55fXMLXt+5rYW
GiIqbnV2tRB1B3zYvce5KWtU6E3zAoDY169fgaOxlIOoKCGkfcmb/4Yt9w5a
7h3S+0P47BBQ2yt+DFDtNX/zLfcY/4/B3/kfA/THSW7eEijkdG3/aREK1/3E
a9fPWEVziK8tFOIhf36J0pVofQz+fWWNhX3rv+dspEFOkBCC0VM5G7Qpl8XR
bZKH6Jg0mJEOv2LMqDBeg0CmdNVHAc/jUmBVzoRTLXSaIv6vpYn0RyZZNH4/
eI1lsxzD6+Cpx0c/V0T5k4ay6EksXIy4WgPQjDEJngKCJywdvNCSiXBYM8PO
kTxFk46aRvZDo3VT384gyIe3wF0pCG0X2FehE+xgZnWdKAIpjfPFEsAt1jCb
JScaT4H+KxOpB5+i8ZGFoFInC0PUKpRvJgyBemmuvKaM1uxSZW7cqqu1tnJw
p/pYEKIXJszxMpCqsq1V2VlThsiFdAOTW6xZRThXfHhYwsdGLoIER81Mk0Hf
XGXzc0CjTnGVOgrcLkgg/lMuMSnA8IW68NiPXfVpFxmiDHRNhih8slNp332P
ZWccc6UIIjhIWBcV9kxR4RS2eSO2pntc7iKI08ZeVWwGbADcYf1xPWFIOdKO
/L1lBDHWi1dZZ7zqCqbl7hLOnoUjgsgCBBq7gUB8t/RL1TUA0ZCfsAEUFCQf
NSmDJ3xkurGXK/fTkIQbo0KwbflIK0YmOKiqXA3Z6ZKHPf4rJjUrpm0FQFrM
cJesA9v55WxcuK1s87aStWMA296w1iDv/2PAdcz/tQAX15yxZRYMOy4kmPvm
v39FwOXrsQVavqTVANbx7gCrnSoWY7V+qmGWQn+ZxZT49guU9IqzG071CpjS
YjLKc2OBn7SU8z/XZ/izX/iiKsqtqUkc7g1xQnzRwbcNW6jShP4SK48ZLJZ5
i9VwIi8SbCybdm/Ks6Da/iFJ+jqHi+SlTHplGd0QJhM8lYXCkicZubJhnWlQ
RZWCHUK/vs4gWMBEnhTNsFed8PplurdESWNn92ylruZt0DY2ikscYFDWOh1r
J55f0pqsA8D3XLjwjeWRzmoH7gWlhbnccgdvWhbaNekE8IFb6GjayvFFlKKT
EEnfIDxkgIZrTphhQSS/rCH1WHU2H7Yx97lEfcE/WX9um6daCokIa1xpoLPo
hXWPyp+b4mA7Cgta7Xbt6sIcoWnIikWyKkwboc22kTxva+fWPdyUJTNG5hmd
WryjU4s9r1NrU8WyxgrbzNApje0otYL5Lp1lirtV1tKQo0I04iEC6AsDyTRd
Yb8/7H2ZKyUxkMAeGwA7fwB/oTObfsoRZ+9MAoMUuzwwksfPA/fBZyBMs9jc
7wMNukW97tFatUE1u+uB3PFcd4r3uX0dX7P5Wts+jsiX11KzdXCYtEaJ3XTY
kHztJBAsgjKwmiatFGlNR3fuHAcsw050VNbNSWjY1m1YM4QtVA3WqIZTmdps
s13gbr0mi2jtmiyr6mOxSo1Ow0jSCzW8gw6n70f7t/ADUwATmVUrs0RdABJJ
dV/h1VIUkRn7HfYrJuZaPd/GoXaYzu7KC4b9Vd2d3fXCgGueAFiiF5sXipGV
xgN4hT2JQbXfyFogzTwg/zKa0Vi6VxAGhOUW+oAerBi7NRW7x77AOkQIglff
JElFDYyZ6V8x4RI53yADUjvsghJaiDsBdA7OzkxgMWYWPGqmnGFkOpcOO9RJ
C2yaRC6V+ZJa9jxyaKeFBnGtO/oXCCuIXeIB/2TwiozXxJC7XCaAiaPPjShu
g0+ARSpzPoa53UfJQoJyo9kD0MJVnC+xvfLjKi0lWMXa4ECABEvxwnZd+9Se
rD2Hv7ADdDlphNNgFiwm0Cd9UEHT9uS/8aCm2dva9+rQQZQSbWkXHt+pD/hW
pAb0RYscJ7rDw5NUS9Kr8/YFc6RiWuLgaR4DrwzZqVm1oqCmlMaJiAJ9C0Jy
tMOROr9pZZJvbkBgurUDG4s70z0YyFAlq9U4bcwtAeSA6EyHRGWth2Ibdomy
tRc7AHfKewEA3GwGl4zxSktf0XbGmC2gSbU9U7SRBmeQIx5eCquFZBWqI2fW
tGI/kNM+Nc9XOtwi86lZXEZV53cgk3eYGTWBhgZJO+QPVVW53GPvC0NrdK4z
7c79KZT2h6BQ4D2VrW3H81UB4nVWHf8xuSz/sB9XYINC2+fZZnQ7C2SZXgmr
b1w8gDWwx3r8I1dA5UaFNPSNZJYY7t4kAMFYLkUpbXKvVuvUET5j9aJGy/mE
mciAUSks/EEuVguTDjA9qkExQ0eitaMxu3XJ6tjCDK0DwJYaDQ1mD4ZWUZ8N
gChFQMYsc58p+buNKFnzzCQuqcLHzarppoIotYBHvLzPB5QWsVkqnf7QemvO
h5b1Io/ejfZ+KSgfCT2I3MGrVybHssc/5PeCQll8oKU4oNBy0nktMhcZ9og5
ka1t3UuWthAB8/w4FiBVsAjO65NpiAuA4/qQmFA606ndPd46fzCe7KM5ggry
9AOaufP/HFPP/eDj+e3t6c/nt9h2/Pr4FZ4/sK1rxuu3bIxXjf6gErGACYYv
D44MZbQ2aM2Z4LmNZWlOKBT0x7IwhRIYvKGsOiZp46ebFRFh1+Za94YmPHON
qo5MdA7KCVetDGSaKEKQRWmD1qkd0ZyR7oeVA0M4G3wTUdQCj3GIjI7lWZBH
FYgUzFGLIPRZhSHwVV0Qc5Cwb849mQKEye3DLuciSrzjUJpl7Ojlm2MrzJtq
XPpxFeRv/r3WrgxKP5UzcC8JS+VCmrSJy1YZzlVtjLsXlqqlBcanXgiFV0pl
DZhHOb14E8QxayKtYqEG2qXiCBST2NJbxFOICXG+MEaj7CXgkhQ2S+nLDqHb
Ii0Uz1C10FFSH83fARzhMkGKEqlAX3DkzkX0GSxXFwNFKmc6bs+sE+854bFj
9RAeFDmCz3zqrMXNzdXN4MPp5dnF6PJnOqFw/PIY+921+tyTrhsSGh74x+JR
6IiGNph2CBskRC6lPsD7AhBPvKIqXFugpuyHcfAh8qf7WE+9R9A/59NxrKet
7arfaC6wx390rlqHJs3jid7BWOW+PgYd826x4h4btSBKyoc1jiLyjqOI3nTM
YH5tIfxqs8ZZ2ilZMqPZQ9wkVNj9zjYdBNr5GNBpsFpwtDZ34EMzP0ka1V8g
gTJJcSruY9Cjy/t54ae3Np9dMPkV1A+UWADJbLJurKTtNKN/IHqENhu3Zjur
zXE7VsIyS0qZabeDtIyqmJ9adDfrOrrOFS4f1YQ1yIB0C4/qYIQKymwssjlr
pGfDqFi3CIDrgRHzFdrMv5gwI596yQhNPswb7RpCI0IxJfXguwcSCVpempA0
AwjstD8sL7gQ1jMkZiD9HQHgM2kvIHRgONE+uRSriXYm6yXwmDaYIiyCHfmN
u35GwQAUnVOwgYHp0ATYXlJTL44ERjPjtssep7ecRBerKWcUipIS+zohYVbE
zJcMqKrlREehLYTe/rUC7L0tcmkHRLkUwW35bDjcaAw3YeUdkjfzXJXdCRzg
aOSfHytUV1LnFlOcdbmZwGACzDpmKFq45CfC6lTbUu/QzjbBLA7pU5gp0zmx
ZpZHY+juroBdsmZ3ktLkbWSvpc5az6xFWVuHKbiENlNj5FM0odFETHNdk6ka
1JzQM0oLKMJhOvHaTHZmLi70bJ8hQy2z02UFTWOW/WaZegCKIel9ZCoRGB8R
8ma1nq1mfsnROywuJsbY4YyUCzHJwbYeDrJZNmDd0iajWtpG6odAEfLVvish
KCYW4bkeXcA157fAnu1cxW0/v+gWgTgbTbddSvVlTfAnZTQizQiH0K0nyRoN
NPBepijH6kIU/3um7FeTJDIxjWvIFPqmEg1rzVr9LxN6wUenl6cNlEc36dSc
8+ewqqWT614XMu7BKzPU4LX+Gjk8dG9Es8pqVEUtcwRS6bTLDnDbLy11LBMT
Ce7LL6qpTC6MDp/XttB5GtKfrdoZnafTAdkTP6NeK3KHcHXj0otP7GkwGJzg
D/qf0Rm5IZ6/8w75PNVU3Dx24D2GlbGOxw69x0adTx15T7k6VfNZ7+ie+VJD
jRxNF4xRrm9kEfbL7MZYm1r4+5g6fHMwOHh1wAsC0UbcduG0nf4fwuVXvHFe
spUzx9ydn9zODbWa+Mcod+eH29oX/VVvEwilqYUx/pzl9xA6z3TX8uOJ/t5J
kbztTaNUCWp2ujq74pF7Elzo/wFiRKZwjVMAAA==

-->

</rfc>
