<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<?rfc comments="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-singh-macneil-geneve-firewall-metadata-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Geneve Firewall Metadata">Geneve-based Firewall Metadata for Overlay Networks</title>
    <seriesInfo name="Internet-Draft" value="draft-singh-macneil-geneve-firewall-metadata-00"/>
    <author initials="P." surname="Singh" fullname="Prashant Singh">
      <organization>Hewlett Packard Enterprise</organization>
      <address>
        <email>prashant.singh@hpe.com</email>
      </address>
    </author>
    <author initials="E." surname="MacNeil" fullname="Erin MacNeil">
      <organization>Hewlett Packard Enterprise</organization>
      <address>
        <email>erin.macneil@hpe.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="01"/>
    <keyword>Geneve</keyword>
    <keyword>firewall</keyword>
    <keyword>security metadata</keyword>
    <keyword>overlay</keyword>
    <keyword>DDoS</keyword>
    <keyword>chain of custody</keyword>
    <abstract>
      <?line 43?>

<t>This document specifies a mechanism for embedding security-related
metadata within the Geneve header (RFC 8926). It allows a security
Enforcement Point to attach a cryptographically signed, verifiable
attestation of how it handled a packet, so that downstream Enforcement
Points and tunnel endpoints can confirm that security policy was
actually executed on the data path -- detecting policy bypasses and
divergence between Enforcement Points that should agree -- while each
Enforcement Point continues to enforce its own policy independently.
This validation of execution complements the management plane's
validation of intent. The document presents two operational models.
The primary model is the "End-to-End Attestation Model", fully
compliant with RFC 8926, where an ingress tunnel endpoint adds and
cryptographically signs metadata, and an egress endpoint verifies it.
This enables downstream nodes to verify and audit that policy was
executed consistently, while still applying their own policy
independently. The second part of this document presents a proposal
for a future extension to the Geneve standard. This proposed extension
would allow trusted transit devices to participate in the metadata
chain, enabling a hop-by-hop "chain of custody" for enhanced,
real-time security responsiveness within the data center fabric.</t>
    </abstract>
  </front>
  <middle>
    <?line 66?>

<section anchor="intro">
      <name>Introduction</name>
      <t>In modern data centers, a significant volume of traffic is
encapsulated in overlay protocols like Geneve. This includes both the
high volume of "East-West" traffic between internal services and the
"North-South" traffic that is routed to and from the data center edge.
Securing this encapsulated traffic requires a distributed approach
where policy is enforced at the tunnel endpoints. While these
enforcement points (e.g., firewalls integrated into a hypervisor's
vSwitch or running on a DPU) can enforce local policy, they lack a
standardized way to share the security context of a packet with other
security devices in the network path.</t>
      <t>This document specifies a new Geneve option to carry this security
context as metadata. This metadata, inserted by an ingress tunnel
endpoint (e.g., a vSwitch with a distributed firewall), provides a
signed attestation of the packet's security disposition. This allows
other nodes in the path to make more intelligent, context-aware
decisions.</t>
      <t>The primary contribution is the verification model these attestations
enable: rather than delegating trust to an upstream device, each
Enforcement Point applies its own policy and uses the attested
metadata to verify and audit that policy was executed consistently
across the path. This validates <em>execution</em> on the data path and
complements the control or management plane -- the centralized
system(s) that provision and distribute security policy to each
Enforcement Point, such as an SDN controller, orchestrator, or
security policy manager -- which validates <em>intent</em> (that the correct
policy was provisioned). It supports detection of policy bypasses and
of action divergence scoped by Policy ID.</t>
      <t>This document describes two models for the use of this metadata:</t>
      <ol spacing="normal" type="1"><li>
          <t><strong>The End-to-End Attestation Model (RFC 8926 Compliant):</strong> An
ingress endpoint adds and signs metadata. Transit devices, such as
intermediate firewalls in a service chain, MAY read this metadata.
While these transit EPs <tt>MUST NOT</tt> modify the Geneve options, they
<strong>MAY</strong> perform validation on the metadata. This can range from
stateless "Conformance Checking" (e.g., dropping a packet that
lacks required metadata) to full cryptographic verification of the
HMAC signature, provided the EP has access to the relevant key.
Once the metadata is verified, the transit EP can trust it and
take immediate action. Such actions can include raising an alarm
for a detected action mismatch, policy mismatch, or policy
violation. The EP can also use the <tt>Policer State</tt>, <tt>Severity</tt>,
and <tt>Threat ID</tt>
information to track potentially malicious flows for DDoS
mitigation purposes. This adds a significant layer of security
within the path. The final egress endpoint then performs the
ultimate verification to ensure end-to-end integrity. This model
provides a verifiable, end-to-end statement of security context
with robust options for intermediate validation and enforcement.</t>
        </li>
        <li>
          <t><strong>The Chain-of-Custody Model (Proposed Extension):</strong> This document
also puts forth a proposal for a future extension to the Geneve
standard. In this model, select, trusted transit devices would be
permitted to add their own signed metadata blocks. This would
create a hop-by-hop, verifiable audit trail, enabling more dynamic
and granular security responses within the network fabric. This
proposed extension is detailed in (#future-extension).</t>
        </li>
      </ol>
      <section anchor="choice-of-geneve">
        <name>Choice of Geneve for Encapsulation</name>
        <t>The selection of Geneve as the encapsulation protocol for this
framework was deliberate, based on its superior, built-in support for
extensible metadata. While other overlay protocols exist, Geneve's
design is uniquely suited to this use case.</t>
        <ul spacing="normal">
          <li>
            <t><strong>VXLAN <xref target="RFC7348"/>:</strong> The original VXLAN specification provides no
native mechanism for carrying metadata. Its header is fixed,
lacking a format for options or TLVs.</t>
          </li>
          <li>
            <t><strong>VXLAN-GPE:</strong> While VXLAN-GPE extended VXLAN to add a "Next
Protocol" field, its primary purpose is to enable service chaining
and new data-plane protocols, not to provide a generic container
for arbitrary metadata TLVs.</t>
          </li>
          <li>
            <t><strong>Geneve <xref target="RFC8926"/>:</strong> In contrast, Geneve was designed from its
inception with a flexible, extensible option format. It provides a
standardized way to insert one or more variable-length, typed
options (TLVs) directly into the header. This makes it the ideal
and most natural choice for carrying the kind of rich, structured
security metadata defined in this document.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
<xref target="RFC2119"/>.</t>
      <ul spacing="normal">
        <li>
          <t><strong>Enforcement Point (EP):</strong> A node in the network that applies
security policy to packets (e.g., a firewall).</t>
        </li>
        <li>
          <t><strong>Chain of Custody:</strong> A verifiable record of the sequence of EPs
that have processed a packet.</t>
        </li>
        <li>
          <t><strong>Firewall Metadata:</strong> Information related to the security
processing of a packet, such as the action taken, the filter that
matched, and the identity of the EP.</t>
        </li>
        <li>
          <t><strong>Security Metadata Domain:</strong> The set of Enforcement Points that
share key material and namespace configuration for the firewall
metadata defined in this document. The domain boundary is an
operational decision: the operator defines which EPs participate
by provisioning them with shared HMAC keys. An EP that has not
been provisioned with the relevant key material is outside the
Security Metadata Domain and MUST NOT be expected to produce or
verify attestations. This concept is analogous to the
"IOAM-Domain" defined in <xref target="RFC9197"/>.</t>
        </li>
      </ul>
    </section>
    <section anchor="firewall">
      <name>Firewall Use Case</name>
      <t>The primary use case for this metadata is to allow an Enforcement
Point (EP) to embed a verifiable attestation of a packet's security
disposition within the packet itself. This allows downstream nodes to
verify and audit that security context. Each EP MUST apply its own
security policy independently; the metadata enables cross-correlation
and auditing of those independent decisions, not delegation of
enforcement. These enforcement points (EPs) can take several forms:</t>
      <ul spacing="normal">
        <li>
          <t>Virtual Switches (vSwitches) with integrated firewalling</t>
        </li>
        <li>
          <t>Cloud-native firewalls (e.g., security groups)</t>
        </li>
        <li>
          <t>SmartNICs/DPUs offloading security functions</t>
        </li>
        <li>
          <t>Service-chained virtual or physical firewalls</t>
        </li>
      </ul>
      <t>Each of these nodes can inspect the packet and insert a Geneve TLV
indicating the action taken (e.g., allow, deny, log), the policy
that was applied, and its own identity. A downstream node
(e.g., the destination host, a network tap, or another firewall) can
then be programmed to inspect this metadata. The downstream node does
not trust the upstream decision in place of its own; it enforces its
own policy and uses the metadata to verify and audit consistency
across EPs.</t>
      <t>This mechanism complements, rather than replaces, the centralized
control or management plane. The management plane validates <strong>intent</strong>
(that the correct policy was provisioned to each EP); this metadata
validates <strong>execution</strong> (that the policy was actually applied on the
data path). This is valuable because:</t>
      <ul spacing="normal">
        <li>
          <t>Intent may be provisioned correctly while execution diverges
(e.g., a software bug, stale rule, or hardware fault).</t>
        </li>
        <li>
          <t>Out-of-band validation of execution is costly (packet sampling,
log analysis), less reliable (clock skew and race conditions when
correlating events across EPs), and incomplete (bounded by the
sampling rate).</t>
        </li>
      </ul>
      <t>This enables several key security capabilities:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Verification of Enforcement:</strong> The downstream node can verify
that the packet has been stamped by all expected security nodes,
proving it passed through all required checkpoints.</t>
        </li>
        <li>
          <t><strong>Detection of Policy Bypasses:</strong> If a packet arrives missing a
TLV from an expected enforcement point, it indicates a potential
bypass due to misconfiguration, a policy routing error,
implementation failure, or a malicious attack. This capability
enables alarms such as:  </t>
          <artwork><![CDATA[
"Policy violation detected: Expected inspection from node
 0x192A44B1 (FW02-Datacenter-Core) is missing, indicating a
 bypass -- POLICY_VIOLATION_BYPASS."
]]></artwork>
        </li>
        <li>
          <t><strong>Detection of Action Mismatches:</strong> The metadata allows for the
detection of conflicting actions, scoped by the <tt>Policy ID</tt>
(Sub-TLV Type 6). Divergence is interpreted as follows:  </t>
          <ul spacing="normal">
            <li>
              <t><strong>Same <tt>Policy ID</tt>, different Action -&gt; ALARM.</strong> If two EPs
both reference the same <tt>Policy ID</tt> but record conflicting
actions for the same packet (e.g., one ALLOW, one DENY),
this indicates that two EPs that SHOULD agree do not --
typically due to a failed configuration push, stale rules,
or compromise. This is reported as a
<tt>POLICY_ACTION_MISMATCH</tt>:      </t>
              <t>
"Policy violation detected: Mismatching action from node
 0x192A44B1 (FW02-Datacenter-Core) (allowed a packet which
 should have been dropped) -- POLICY_ACTION_MISMATCH."</t>
            </li>
            <li>
              <t><strong>Different <tt>Policy ID</tt>, different Action -&gt; no alarm.</strong> If
the EPs reference different <tt>Policy ID</tt> values, they are
applying different policies at different points in the
hierarchy (e.g., a perimeter allow policy and a downstream
microsegmentation policy). An ALLOW/DENY divergence here is
intentional policy layering and does NOT trigger an alarm.</t>
            </li>
          </ul>
        </li>
        <li>
          <t><strong>Auditing and Compliance:</strong> The collected metadata can be stored
for subsequent analysis, enabling cross-vendor auditing,
compliance verification, and supporting zero-trust security
models.</t>
        </li>
      </ul>
    </section>
    <section anchor="ddos">
      <name>DDoS Use Case</name>
      <t>The generic metadata mechanism defined in this document is a powerful
building block that can be applied to a wide range of use cases beyond
the primary firewall verification scenario.</t>
      <ul spacing="normal">
        <li>
          <t><strong>Inband Metadata-Driven Mitigation:</strong> Because the threat
metadata travels inband with the packets themselves, a downstream
node can act directly on each marked packet, using the embedded
signal to drive its own resource-allocation, scheduling, and
state-retention decisions for that traffic.</t>
        </li>
        <li>
          <t><strong>Distributed DDoS "Heat Map" and Real-time Mitigation:</strong> The
metadata can be used to create a distributed "heat map" of a DDoS
attack. An EP acting as a policer/rate-limiter, when experiencing
a high rate of traffic (above configured allowed limits), can
embed its <tt>Filter Node ID</tt>, its <tt>Policer State</tt> (e.g., "red"),
<tt>Threat ID</tt>, and <tt>Session ID</tt> into the metadata of the (allowed)
packets it forwards. This provides a granular, per-packet signal
about network stress. The division of labor across these fields
is deliberate: <tt>Threat ID</tt> identifies <em>what</em> the traffic is,
<tt>Policer State</tt> is each node's <em>objective</em> report of its own
congestion, and <tt>Severity</tt> is the <em>aggregate magnitude</em> a
downstream node computes from many such reports. This enables a
powerful two-tiered analysis model:  </t>
          <ul spacing="normal">
            <li>
              <t><strong>Tactical Mitigation:</strong> A downstream aggregation EP can
monitor this metadata. If it observes a "red" <tt>Policer State</tt>
from multiple distinct upstream <tt>Filter Node ID</tt>s for the
same flow (e.g., matching the same <tt>Session ID</tt>, <tt>Filter ID</tt>,
or <tt>Threat ID</tt>), it can raise the <tt>Severity</tt> accordingly and
perform immediate, localized mitigation, such as shunting the
flow to a scrubbing appliance or applying a more aggressive
filter. Because Severity escalates as corroborating reports
accumulate, a single threshold on Severity lets
further-downstream nodes act without re-counting the
underlying reports.</t>
            </li>
            <li>
              <t><strong>Strategic Analysis:</strong> Concurrently, this metadata can be
exported via telemetry or packet mirroring to a central
controller, which aggregates the data from all EPs to build a
global, real-time visualization of the attack's path and
intensity, enabling strategic response and detailed forensic
analysis.</t>
            </li>
          </ul>
        </li>
        <li>
          <t><strong>Intelligent Load Balancing:</strong> Downstream load balancers and
routing nodes can utilize the <tt>Policer State</tt> or <tt>Severity</tt>
metadata to dynamically route traffic away from stressed security
nodes or congested paths. This enables both security and routing
elements to use the security signal as a routing metric,
optimizing network performance and resilience by steering traffic
toward less-stressed or alternate routes. This allows for
real-time, distributed, and autonomous mitigation of DDoS and
overload scenarios.</t>
        </li>
      </ul>
    </section>
    <section anchor="enforcement">
      <name>Enforcement Model: Verify-or-Drop</name>
      <t>Each enforcement point (EP) MUST apply its own security policy
independently. Verification of upstream security metadata is an
<strong>additional</strong> capability layered on top of independent enforcement;
it is not a prerequisite for, nor a replacement of, an EP's own
inspection. An EP never delegates its enforcement decision to an
upstream EP based on the metadata it carries.</t>
      <t>A key property of this model is that the <strong>absence</strong> of an expected
attestation is itself a security event. When an EP cannot verify the
metadata it expects (because the attestation is missing, was stripped
in transit, or fails the integrity check defined in (#security)), its
behavior is determined by local policy:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Strict mode ("Verify-or-Drop"):</strong> Unverifiable or missing
expected metadata is treated as absent, triggering a
<tt>POLICY_VIOLATION_BYPASS</tt> alarm and, optionally, a packet drop.
This is appropriate for high-security environments (e.g., PCI
compliance zones).</t>
        </li>
        <li>
          <t><strong>Permissive mode:</strong> The EP logs the event, enforces its own
policy independently, and forwards the packet. This is appropriate
during migration, key rotation, or in multi-tenant environments
where not all EPs are provisioned for all security domains.</t>
        </li>
        <li>
          <t><strong>Non-participant nodes:</strong> An EP that has never been provisioned
with the relevant key material simply forwards the packet with the
metadata intact. The metadata passes through opaquely, as any
other Geneve option would.</t>
        </li>
      </ul>
      <t>In all cases, the EP enforces its own security policy regardless of
whether it can verify the metadata.</t>
    </section>
    <section anchor="geneve-option">
      <name>Proposed Geneve Option for Firewall Metadata</name>
      <t>This document proposes a new Geneve option to carry firewall metadata.
The option would be structured as a TLV, with a new Option Class to be
assigned by IANA.</t>
      <t>The proposed format for the option is as follows:</t>
      <artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Option Class         |      Type     |R|R|R| Length  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
~                       Firewall Metadata                       ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
      <section anchor="metadata-format">
        <name>Firewall Metadata Format</name>
        <t>The <tt>Firewall Metadata</tt> field is composed of a sequence of sub-TLVs,
as defined in (#subtlv-format). When security verification is required,
these sub-TLVs are grouped into authenticated blocks using the
<tt>Authentication Tag</tt> sub-TLV (Type 5), which acts as a container. An
Enforcement Point (EP) <strong>MUST</strong> append its authenticated block to the
end of the option data. This creates a sequential, verifiable chain of
attestations. Because blocks accumulate rather than overwrite, a
verifier can parse the attestations from multiple EPs in a single
packet and correlate their decisions (see (#ddos)).</t>
        <section anchor="subtlv-format">
          <name>Firewall Metadata Sub-TLV Format</name>
          <t>Each piece of metadata within the Firewall Metadata option is encoded
as a sub-TLV with the following format:</t>
          <artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Type     |     Length    |            Reserved           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
~                              Value                            ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
          <ul spacing="normal">
            <li>
              <t><strong>Type (8 bits):</strong> The type of metadata being carried. The initial
types are defined in this document.</t>
            </li>
            <li>
              <t><strong>Length (8 bits):</strong> The length of the <tt>Value</tt> field in bytes.</t>
            </li>
            <li>
              <t><strong>Reserved (16 bits):</strong> MUST be set to zero by the sender and
ignored by the receiver.</t>
            </li>
            <li>
              <t><strong>Value (Variable Length):</strong> The data for the sub-TLV.</t>
            </li>
          </ul>
        </section>
        <section anchor="subtlv-types">
          <name>Firewall Metadata Sub-TLV Types</name>
          <t>The following Sub-TLV Types are defined.</t>
          <section anchor="proposed-sub-tlv-types">
            <name>Proposed Sub-TLV Types</name>
            <ul spacing="normal">
              <li>
                <t><strong>Type 1: Filter Node ID:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 4</t>
                  </li>
                  <li>
                    <t>Value: A 32-bit opaque identifier for the enforcement point
that inserted the metadata. The value is unique within the
administrative domain and assigned via the management plane.</t>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 2: Filter ID:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 4</t>
                  </li>
                  <li>
                    <t>Value: A 32-bit identifier for the specific filter or policy
rule that was matched by the packet.</t>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 3: Filter Action:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 1</t>
                  </li>
                  <li>
                    <t>Value: An 8-bit value indicating the action taken by the
firewall. Examples include:
                    </t>
                    <ul spacing="normal">
                      <li>
                        <t>0: Allow</t>
                      </li>
                      <li>
                        <t>1: Deny/Drop</t>
                      </li>
                      <li>
                        <t>2: Rate-Limit</t>
                      </li>
                      <li>
                        <t>3: Log</t>
                      </li>
                      <li>
                        <t>4: Forward (e.g., to a different service chain)</t>
                      </li>
                    </ul>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 4: Timestamp:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 8</t>
                  </li>
                  <li>
                    <t>Value: A 64-bit timestamp in NTP format indicating when the
action was taken. This format is a 64-bit unsigned fixed-point
number, with the integer part in the first 32 bits and the
fractional part in the last 32 bits.</t>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 5: Authentication Tag (HMAC):</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 16</t>
                  </li>
                  <li>
                    <t>Value: A cryptographic signature to ensure the integrity and
authenticity of the metadata added by a single EP. When an EP
adds a block of sub-TLVs, this <strong>MUST</strong> be the final sub-TLV in
that block. The HMAC is calculated over the entire sequence of
sub-TLVs in the current EP Metadata Block, from the first
sub-TLV to the Authentication Tag sub-TLV itself. For the
calculation, the <tt>Value</tt> field of the Authentication Tag is
temporarily zeroed out. The resulting HMAC is then truncated
to 128 bits and placed in this field. The HMAC input <strong>MUST</strong>
also include the Geneve Virtual Network Identifier (VNI), so
that a signed block cannot be replayed onto a different packet
or virtual network.</t>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 6: Policy ID:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 4</t>
                  </li>
                  <li>
                    <t>Value: A 32-bit opaque identifier that links the enforcement
action to a named <strong>security profile</strong>. While the <tt>Filter ID</tt>
identifies a specific rule on a node (the "what"), the
<tt>Policy ID</tt> identifies the security profile that the rule is
part of (the "why"). This is critical for auditing and
compliance. For example, this ID could represent a profile
named <tt>pci-dss-v4.0</tt>, <tt>tenant-blue-web-tier</tt>, or
<tt>iot-device-isolation</tt>. A central management system would be
responsible for mapping these opaque 32-bit IDs back to their
meaningful profile names.</t>
                  </li>
                </ul>
              </li>
            </ul>
          </section>
          <section anchor="recommended-additional-sub-tlv-types">
            <name>Recommended Additional Sub-TLV Types</name>
            <t>For enhanced functionality and broader use cases, the following
additional Sub-TLV types are recommended:</t>
            <ul spacing="normal">
              <li>
                <t><strong>Type 7: Session ID:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 8</t>
                  </li>
                  <li>
                    <t>Value: A 64-bit unique identifier for the flow or session to
which the packet belongs. This allows for easier correlation
of metadata across multiple packets of the same flow. This
identifier is typically a 64-bit hash of the packet's 5-tuple
(source/destination addresses, protocol, and
source/destination ports). The specific hash function is
implementation-dependent; the resulting ID is treated as an
opaque value used for correlation.</t>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 8: Threat ID:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 4</t>
                  </li>
                  <li>
                    <t>Value: A 32-bit identifier if the packet is associated with a
known threat (e.g., from a threat intelligence feed).</t>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 9: Severity:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 1</t>
                  </li>
                  <li>
                    <t>Value: An 8-bit unsigned integer representing the aggregate
severity, or intensity, of an event along the path (0 =
informational, 255 = critical). Severity expresses
<em>magnitude</em>, complementing the <tt>Threat ID</tt> (which threat)
and <tt>Filter Action</tt> (the response taken). It is intended to
be <strong>computed by aggregation</strong> rather than set from a single
node's subjective opinion: an EP MAY raise the Severity it
records when it observes corroborating evidence from
multiple upstream EPs for the same flow (e.g., several
distinct <tt>Filter Node ID</tt>s each reporting a <tt>Policer State</tt>
of "red" for the same <tt>Session ID</tt> or <tt>Threat ID</tt>). Severity
thus escalates monotonically along the path as evidence
accumulates. An EP that raises Severity MUST do so by
appending its own authenticated block with the new value and
MUST NOT alter an upstream EP's block (see (#security)).</t>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 10: Policer State:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 1</t>
                  </li>
                  <li>
                    <t>Value: An 8-bit enumerated value reflecting the
instantaneous congestion state of a policer or rate-limiter
at the enforcing node. Unlike <tt>Severity</tt>, this is an
objective, locally-measured fact about a single node:
                    </t>
                    <ul spacing="normal">
                      <li>
                        <t>0: Green  (normal; within the configured rate)</t>
                      </li>
                      <li>
                        <t>1: Yellow (approaching the configured rate limit)</t>
                      </li>
                      <li>
                        <t>2: Red    (exceeding the configured rate limit)
Values 3 through 255 are reserved.</t>
                      </li>
                    </ul>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 11: Key ID:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 4</t>
                  </li>
                  <li>
                    <t>Value: A 32-bit identifier for the cryptographic key used to
generate the <tt>Authentication Tag</tt>. This sub-TLV <strong>MUST</strong> be
included within the authenticated block of sub-TLVs if signing
is enabled. It allows a verifier to select the correct key for
signature validation.</t>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 12: Metadata Size Exceeded:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 4</t>
                  </li>
                  <li>
                    <t>Value: The 32-bit <tt>Filter Node ID</tt> of the Enforcement Point
that failed to add its full metadata due to size
constraints. This explicitly signals which EP in the chain
encountered the issue.</t>
                  </li>
                </ul>
              </li>
              <li>
                <t><strong>Type 13: Metadata Rollover:</strong>
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Length: 4</t>
                  </li>
                  <li>
                    <t>Value: The 32-bit <tt>Filter Node ID</tt> of the Enforcement Point
that performed a "metadata rollover" action. This indicates
that the EP verified, logged, and removed the preceding
metadata chain before adding its own to conserve space.</t>
                  </li>
                </ul>
              </li>
            </ul>
          </section>
        </section>
      </section>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>The primary security consideration for this proposal is the integrity
and authenticity of the firewall metadata. If an attacker can forge or
modify this metadata, the entire "chain of custody" concept is
compromised.</t>
      <t>To ensure a baseline of interoperable security, implementations of
this specification <strong>MUST</strong> support HMAC-SHA256-128 (HMAC-SHA256
truncated to 128 bits) as the default authentication algorithm. Future
versions of this specification may consider the inclusion of
post-quantum secure algorithms as they become standardized. The use of
this authentication tag is <strong>STRONGLY RECOMMENDED</strong> for any
deployment.</t>
      <t>The keys used for the HMAC must be securely managed and distributed
only to trusted enforcement points.</t>
      <section anchor="critical-bit">
        <name>Use of the Critical Option Bit</name>
        <t>The high-order bit of the main Geneve Option <tt>Type</tt> field is the
Critical (<tt>C</tt>) bit. Implementations of this specification SHOULD allow
the setting of the <tt>C</tt> bit to be a configurable policy at the
enforcement point.</t>
        <t>When the <tt>C</tt> bit is set on this option, it signals to any Geneve-aware
node that processes the option (including intermediate Enforcement
Points and the final tunnel endpoint) that understanding this security
metadata is critical. If a receiving node does not understand the
option, it MUST drop the packet. This enforces a "fail-safe" security
posture, which may be desirable in high-security environments as it
prevents potentially unverified traffic from being processed.</t>
        <t>Operators should be aware that enabling the <tt>C</tt> bit can have
operational consequences. During a deployment or migration, if
enforcement points begin setting the <tt>C</tt> bit before all Geneve-aware
nodes in the path (including other EPs and tunnel endpoints) are
upgraded to understand this option, the non-compliant nodes will drop
traffic. Therefore, the decision to enable the <tt>C</tt> bit should be made
based on the specific security requirements and operational maturity
of the environment.</t>
      </section>
      <section anchor="crypto-key-mgmt">
        <name>Cryptographic Algorithm and Key Management Standardization</name>
        <t>The integrity of the <tt>Authentication Tag</tt> sub-TLV, and thus the entire
chain of custody, is critically dependent on the secure management of
the cryptographic keys used for the HMAC.</t>
        <section anchor="hmac-agility">
          <name>HMAC Algorithm Agility</name>
          <t>To ensure a baseline of interoperable security, implementations of
this specification <strong>MUST</strong> support HMAC-SHA256-128 (HMAC-SHA256
truncated to 128 bits) as the default authentication algorithm.</t>
          <t>However, to accommodate environments with higher security
requirements, implementations <strong>SHOULD</strong> also support stronger
algorithms such as HMAC-SHA384. The <tt>Key ID</tt> sub-TLV allows EPs to
signal which key, and by extension which algorithm, is in use,
enabling algorithm agility across a fabric. Future versions of this
specification may consider the inclusion of post-quantum secure
algorithms as they become standardized.</t>
        </section>
        <section anchor="key-mgmt">
          <name>Key Management</name>
          <t>The distribution of keys <strong>MUST</strong> be performed via a secure,
out-of-band control or management plane channel. In any practical
deployment, especially in large-scale data centers, manual key
management is insecure and operationally infeasible. Therefore,
implementations of this specification <strong>SHOULD</strong> support automated,
centralized key management protocols to handle the full lifecycle of
the keys:</t>
          <ul spacing="normal">
            <li>
              <t><strong>Secure Generation and Distribution:</strong> Keys must be generated
with sufficient entropy and securely distributed to all trusted
Enforcement Points (EPs) and verifiers without risk of
interception.</t>
            </li>
            <li>
              <t><strong>Automated Key Rotation:</strong> Keys should be rotated at regular,
defined intervals. To prevent service disruption during rotation,
the system MUST support overlapping keys, where both the old and
new key are considered valid for a short transition period. The
<tt>Key ID</tt> sub-TLV is critical for enabling the verifier to select
the correct key during this period.</t>
            </li>
            <li>
              <t><strong>Rapid Key Revocation:</strong> The key management system MUST provide a
mechanism to immediately revoke and replace a key that is known or
suspected to be compromised.</t>
            </li>
          </ul>
          <t>For further guidance on best practices, implementers should refer to
established standards such as <xref target="NIST.SP.800-57"/>.</t>
          <t>To enhance security in multi-tenant or segmented environments,
operators should have the ability to scope keys. Using a single,
global key for the entire fabric is <strong>NOT RECOMMENDED</strong> as it creates
a single point of compromise. Instead, a keying system could provide
separate keys on a per-tenant, per-security-domain, or
per-service-chain basis. Each such key scope effectively defines a
distinct Security Metadata Domain ((#terminology)): only EPs provisioned
with a given key participate in that domain and can produce or verify
its attestations. The <tt>Key ID</tt> sub-TLV provides the necessary
mechanism for verifiers to select the appropriate key for a given
signature.</t>
          <t>A future extension to this specification <strong>MAY</strong> consider defining a
protocol for dynamic, in-band key negotiation and establishment,
similar in concept to IKE for IPsec. Such a mechanism could simplify
deployments in highly dynamic environments but introduces significant
protocol complexity and new security considerations that are beyond
the scope of this foundational document.</t>
        </section>
      </section>
      <section anchor="replay">
        <name>Replay Attack Mitigation</name>
        <t>An attacker could capture a valid packet with signed metadata and
reinject it into the network at a later time. The inclusion of the
<tt>Timestamp</tt> sub-TLV (Type 4) is intended to mitigate this threat.
Verifiers <strong>SHOULD</strong> maintain a policy to reject packets with
timestamps that are outside of a small, locally configured time
window. This prevents the acceptance of stale packets that could be
part of a replay attack.</t>
      </section>
      <section anchor="alarm-codes">
        <name>Standardization of Alarm Codes</name>
        <t>While this document describes the types of security violations that
can be detected (such as a <tt>POLICY_VIOLATION_BYPASS</tt>), it does not
standardize specific, machine-readable alarm codes for such events. A
future document could define a registry of standardized codes (e.g.,
<tt>POLICY_ACTION_MISMATCH</tt>) and messages to promote interoperability
between different vendors' monitoring and analysis systems.</t>
      </section>
    </section>
    <section anchor="operational">
      <name>Operational Considerations</name>
      <section anchor="mtu">
        <name>MTU and Fragmentation</name>
        <t>Adding metadata to a Geneve packet increases its size, which can cause
the outer IP packet to exceed the MTU of the underlay network. Since
performing IP reassembly at intermediate network nodes is
operationally infeasible, fragmentation of the outer packet <strong>MUST</strong>
be avoided.</t>
        <t>The operational considerations related to MTU differ significantly
between the two models presented in this document.</t>
        <section anchor="mtu-e2e">
          <name>MTU in the End-to-End Attestation Model</name>
          <t>In the RFC 8926-compliant "End-to-End Attestation Model", only the
single ingress tunnel endpoint adds metadata. This simplifies MTU
management considerably. Network operators <strong>MUST</strong> configure the MTU
of inner packets (e.g., on source VMs) to account for:</t>
          <ol spacing="normal" type="1"><li>
              <t>The overhead of the outer IP and UDP headers.</t>
            </li>
            <li>
              <t>The base Geneve header.</t>
            </li>
            <li>
              <t>The maximum metadata size that a single ingress EP is configured
to add.</t>
            </li>
          </ol>
          <t>If an ingress EP determines that adding its desired metadata would
exceed the configured option space, its behavior is determined by
local policy. It <strong>SHOULD</strong> forgo adding the full metadata block and
instead attempt to add only a <tt>Metadata Size Exceeded</tt> sub-TLV. If
even this is not possible, the EP must either drop the packet or
forward it without any metadata, based on its security policy.</t>
        </section>
        <section anchor="mtu-coc">
          <name>MTU in the Chain-of-Custody Model (Proposed Extension)</name>
          <t>The "chain-of-custody" model, proposed as a future extension,
reintroduces the challenge of cumulative metadata growth, as multiple
EPs in a service chain may add metadata. In this model, the MTU of
inner packets must be configured to account for the maximum
anticipated metadata overhead from the <em>entire</em> service chain.</t>
          <t>When an intermediate EP in this model finds that adding its metadata
would exceed the available space, it has two configurable strategies:</t>
          <ol spacing="normal" type="1"><li>
              <t><strong>Forgo and Signal (Default):</strong> The EP <strong>SHOULD</strong> forgo adding its
intended metadata and attempt to add only a <tt>Metadata Size
Exceeded</tt> sub-TLV. This signals the failure to downstream
verifiers and identifies the specific EP that encountered the size
limit.</t>
            </li>
            <li>
              <t><strong>Rollover and Re-chain (Advanced):</strong> Alternatively, an EP <strong>MAY</strong>
be configured to perform a "metadata rollover". In this mode, the
EP first verifies the entire chain of existing metadata. If valid,
it logs the verified metadata locally and then removes all
preceding metadata from the Geneve option. It then adds its own
metadata, along with a <tt>Metadata Rollover</tt> sub-TLV. This sub-TLV
serves as a verifiable "seam" in the chain, informing the final
verifier that a rollover occurred and that the full chain must be
reconstructed from that node's local logs.</t>
            </li>
          </ol>
        </section>
      </section>
      <section anchor="high-perf">
        <name>High-Performance Implementation Considerations</name>
        <t>A key consideration for this proposal is the ability to generate and
sign metadata at line rate without impacting performance. This is
readily achievable on modern SmartNICs, DPUs, and programmable ASICs
using a template-based hardware pipeline model. This approach avoids
per-packet software intervention for established flows.</t>
        <t>The process relies on an internal, programmable metadata structure,
often called a Packet Header Vector (PHV) or packet descriptor, that
accompanies the packet as it is processed by the hardware pipeline.</t>
        <ol spacing="normal" type="1"><li>
            <t><strong>Firewall Stage:</strong> The firewall or ACL block performs its lookup.
Instead of modifying the packet directly, it writes its results
(e.g., <tt>Filter ID</tt>, <tt>Action</tt>) into designated fields within the
PHV.</t>
          </li>
          <li>
            <t><strong>Metadata Transport:</strong> The PHV, now enriched with the firewall's
decision, is passed along with the packet to the next stage in the
pipeline.</t>
          </li>
          <li>
            <t><strong>Tunnel Encapsulation Stage:</strong> The encapsulation block reads the
action from the PHV. If metadata is required, it reads the
firewall results from the PHV, combines them with live data from
other hardware resources (such as a high-precision clock for the
<tt>Timestamp</tt> and a crypto engine for the <tt>HMAC</tt>), assembles the
final Geneve option, and adds it to the packet.</t>
          </li>
        </ol>
        <t>This hardware-centric, template-based approach enables the creation of
dynamic, per-packet metadata at line rate. Such pipelines are commonly
exposed by programmable SmartNIC/DPU software development kits.</t>
      </section>
    </section>
    <section anchor="future-extension">
      <name>Proposal for a Future Extension: The Chain-of-Custody Model</name>
      <t>The End-to-End Attestation model, as described in this document,
provides a robust and RFC 8926-compliant mechanism for verifying the
security context of a packet as determined by the ingress tunnel
endpoint. However, the restriction that transit devices <tt>MUST NOT</tt>
modify Geneve options limits the potential for real-time, hop-by-hop
security collaboration within the network fabric.</t>
      <t>This document therefore puts forth a proposal for a future extension
to the Geneve standard that would relax this constraint for explicitly
trusted devices. This proposed "Chain-of-Custody Model" would allow
designated Enforcement Points (EPs) along the network path to append
their own authenticated metadata blocks.</t>
      <section anchor="rationale">
        <name>Rationale and Benefits</name>
        <t>Enabling a chain of custody would unlock several powerful
capabilities:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Granular Path Visibility:</strong> A per-hop signed record shows
exactly which EPs inspected the packet, what each decided, and
when (via the <tt>Timestamp</tt> sub-TLV, Type 4), enabling precise
localization of a bypass or action divergence to a specific hop
rather than only detecting that one occurred somewhere on the
path.</t>
          </li>
          <li>
            <t><strong>Enhanced Forensics and Auditing:</strong> A complete, hop-by-hop record
of security actions taken on a packet provides an invaluable data
source for forensic analysis after a security incident and for
demonstrating regulatory compliance.</t>
          </li>
        </ul>
      </section>
      <section anchor="rfc8926-mod">
        <name>Proposed Modification to RFC 8926</name>
        <t>To enable this model, a future revision of RFC 8926, or a new
standards-track document, would need to introduce a mechanism to allow
trusted devices to modify Geneve options. This could be achieved, for
example, by defining a new "Trusted" bit in the Geneve option header
or by specifying that EPs sharing a common, secure key management
system are implicitly trusted to add to, but not modify, existing
options from other EPs.</t>
        <t>This change would represent a significant evolution of the Geneve
standard and requires careful consideration of the security
implications. However, the capabilities it would unlock merit its
consideration by the IETF community. The proposed model is
conceptually similar to the In Situ Operations, Administration, and
Maintenance (IOAM) framework defined in <xref target="RFC9197"/>, which also uses a
hop-by-hop approach to embed telemetry data within packets. Applying
this proven concept to security metadata is a logical next step.</t>
        <t>In this multi-EP model, the per-EP <tt>Authentication Tag</tt> (Type 5)
SHOULD additionally bind each EP's block to the preceding accumulated
option data -- for example, by including the previous block's
Authentication Tag (or a hash of the option data so far) in the HMAC
input. This converts the independently signed blocks of the
End-to-End Attestation Model into a cumulative, hop-by-hop chain, so
that deletion, reordering, or cross-packet splicing of an upstream
EP's block is detectable by the verifier. This binding is not
required in the End-to-End Attestation Model, where a single EP adds
a single block, and it changes only the bytes covered by the HMAC,
not the sub-TLV wire format.</t>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document requests IANA to assign a new Option Class from the
"Geneve Option Class" registry for the firewall metadata defined in
this document.</t>
      <t>This document also requests that IANA create and maintain a new
registry called "Firewall Metadata Sub-TLV Types" for the <tt>Type</tt> field
of the sub-TLVs defined in (#subtlv-format). The registration policy for
new types should be "IETF Review".</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8926">
          <front>
            <title>Geneve: Generic Network Virtualization Encapsulation</title>
            <author fullname="J. Gross" initials="J." role="editor" surname="Gross"/>
            <author fullname="I. Ganga" initials="I." role="editor" surname="Ganga"/>
            <author fullname="T. Sridhar" initials="T." role="editor" surname="Sridhar"/>
            <date month="November" year="2020"/>
            <abstract>
              <t>Network virtualization involves the cooperation of devices with a wide variety of capabilities such as software and hardware tunnel endpoints, transit fabrics, and centralized control clusters. As a result of their role in tying together different elements of the system, the requirements on tunnels are influenced by all of these components. Therefore, flexibility is the most important aspect of a tunneling protocol if it is to keep pace with the evolution of technology. This document describes Geneve, an encapsulation protocol designed to recognize and accommodate these changing capabilities and needs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8926"/>
          <seriesInfo name="DOI" value="10.17487/RFC8926"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC7348">
          <front>
            <title>Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks</title>
            <author fullname="M. Mahalingam" initials="M." surname="Mahalingam"/>
            <author fullname="D. Dutt" initials="D." surname="Dutt"/>
            <author fullname="K. Duda" initials="K." surname="Duda"/>
            <author fullname="P. Agarwal" initials="P." surname="Agarwal"/>
            <author fullname="L. Kreeger" initials="L." surname="Kreeger"/>
            <author fullname="T. Sridhar" initials="T." surname="Sridhar"/>
            <author fullname="M. Bursell" initials="M." surname="Bursell"/>
            <author fullname="C. Wright" initials="C." surname="Wright"/>
            <date month="August" year="2014"/>
            <abstract>
              <t>This document describes Virtual eXtensible Local Area Network (VXLAN), which is used to address the need for overlay networks within virtualized data centers accommodating multiple tenants. The scheme and the related protocols can be used in networks for cloud service providers and enterprise data centers. This memo documents the deployed VXLAN protocol for the benefit of the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7348"/>
          <seriesInfo name="DOI" value="10.17487/RFC7348"/>
        </reference>
        <reference anchor="RFC9197">
          <front>
            <title>Data Fields for In Situ Operations, Administration, and Maintenance (IOAM)</title>
            <author fullname="F. Brockners" initials="F." role="editor" surname="Brockners"/>
            <author fullname="S. Bhandari" initials="S." role="editor" surname="Bhandari"/>
            <author fullname="T. Mizrahi" initials="T." role="editor" surname="Mizrahi"/>
            <date month="May" year="2022"/>
            <abstract>
              <t>In situ Operations, Administration, and Maintenance (IOAM) collects operational and telemetry information in the packet while the packet traverses a path between two points in the network. This document discusses the data fields and associated data types for IOAM. IOAM-Data-Fields can be encapsulated into a variety of protocols, such as Network Service Header (NSH), Segment Routing, Generic Network Virtualization Encapsulation (Geneve), or IPv6. IOAM can be used to complement OAM mechanisms based on, e.g., ICMP or other types of probe packets.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9197"/>
          <seriesInfo name="DOI" value="10.17487/RFC9197"/>
        </reference>
        <reference anchor="NIST.SP.800-57" target="https://doi.org/10.6028/NIST.SP.800-57pt1r5">
          <front>
            <title>Recommendation for Key Management: Part 1 - General</title>
            <author initials="E." surname="Barker" fullname="Elaine Barker">
              <organization/>
            </author>
            <date year="2020" month="May"/>
          </front>
          <seriesInfo name="NIST Special Publication" value="800-57 Part 1 Revision 5"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA91963PbSJLnd/wVFfSHFnWEWnY/xq2OvTi1JHcrxg+tJXuu
4+JiBBJFCmcQ4KAAyRyv52/ffNYDpDzdM3MXF+vdmJYoolCVlZX5y2fleZ71
VV/bE/Ozbey9zeeFs6V5UXX2oahr88r2RVn0hVm2nXlzb7u62JrXtn9ouw8u
K+bzzt7rs7tPZWW7aIo1jF52xbLPXdWs7vJ1sWhsVecrfuNSnsrX8lR+fJwt
it6u2m57YlxfZm6YryvnqrbptxsY7fLi5kVWbboT03eD658dH/9w/CyDZ+Fv
z46ffZ8f/yE/fpq5vmjKPxd128DnW+uyTXVi/lffLmbGtV3f2aWDn7Zr/mHR
rte26d3/zj7YLayvPMmMyWVt9KPOlH5xdjF0Vb81Om36tGUS0c/n5+01/bC4
K6rGtEuzgMm25TYrhv6u7Xj8qnEn5urIXCNt4BNjmGJXXeHuiqaP/tB2qxPz
i32obd+bq2LxoehKc9H0ttt0lbP0HbsuqvrEbOTpIyL5/7jb2CNYX3jhxZF5
VSxewzZEr7zoYJrxx7/jhRaePZKd9a9r2m5d9NW9xaW+fXH27OnTH+TH5z88
+/4kq5rl6Ct/+Obb5/LjD09/+AP++Pry+ubo+uro+fFx/h19Yoww7eSt5W2D
DQDuIC79o93CIppiZXE7gZBF15unspNdUU9ogLAF+C9Q5aei+2A7+dgTpoYN
tPHfPK8d58ff0ScOKGAdLkgHxXmb641dVEVtroZ5XS1olieGV6Ize2vvK+Rt
wwP1RbeyMO+7vt+4k6+/LtvqCDbi66fHR98fP3v+dUqOTf+0+y7L8jw3xdz1
XbHos+zmrnIGzt6AFDAOp7CEyZkCmBWYsancmkhl13NblsAhnpvzztawtDJT
rjYPVX8HbNHfWT3md7YobWcOYIsMbuP0yFz2Bs5F+4Cv0KGyC9zcBe2CuWor
+N++NUXfF4s7+Nqi2276dtUVmzugS11vjatWjS1nBo4QTLeY1zaDb1s4xbS3
cH7u2gdT9QZWUNYgpQqzAZ60PR5nmGDRw5ofGiCCLdYmentGb4e5NaXph6ax
tQGO2fCHi6KBo9/A2V7zGP5gb1rYsa15KEDQLfqB5mg/wl+BPqZlkhCJNkV/
Z2ADStvbRY/klEfn203hnKU3ZyUwOexss7BmDgLU2sbsUMjJFO7aoYb1rTpr
ceCHu6q2xgLh9hAVJg/vHOAtQF7LfwYqOQO00IlUTWk3sGZ4qt4eMX/cF3VV
etLywvAXOFCbml7gaIlrf5bMpi4a+5XL0kdhEvDHI3OD9FCm23TW8RAPrWk3
cPDw63AQ1m1pa4dzsPClal10W/7MVPy+yUVT5n2bw3/MabT/r/BLk5lZDrAR
Gc2yQvmIDGqUF2dAK9tZIDhMC8jn3HjHTVGWvCH7OdB5gT4jhoGRLA/kR2AG
BYJXvdDSNsiuLua/BqZLW0Lf3vJYQwnsS1scMZfnKdhJV7meNmkmm+76ChRq
sdnUW2QsIFDVRTubpTtLewAM3MLLNihdYHv6RBj4fQG27dpN64o6Q1EAGn7o
B6Cc/QgTIHHUt/GpJ2UK8h/fAQPywzBp//3sgZkW5QDrZfgrCCT4IxxMkHEL
pgfOq1pUcGiATfkUeRVKmnLG5MTlFnDkN/l8m8N/zGSsRycsxBqQBwsQHBnQ
vc77am3DGYbVbpCq97AI2MJImNHJXVhUZmZZzLtqccRidF2VIF2y7Im5bPqu
LYcFsd+nJxX++jnLLhti2K6JxwAAURD/AGcskC3v2xooThsA2Ac+BP7O4PQX
GzeQiMXFC1xAagIsaWtn6uqDklwoXTWLekBemrfA6DD17K5a3UXjTy4K1+d/
goMy8e9SCYNns8NjB+qJd4CEIAwyeQ0Q6C6/bkERhueIN+GlXUsciQIbvr/s
2vUO0Wy5skfZNVGaOJPOQbQ+HbOzfxkAOSHLlcDeXTWnsYGnuxZFGp9YlVRO
ZRh8o6eXjkX2kfkTHQ34G2AQGwlEEekH9mh1NPNwzREV4Jwz0XFN5g5wJBAE
YCCKs2vgC1BKwEwdvAtXAxtemPOrd1PSDypV6xbkhMx0hu/fmho0kCkyPR3V
X+EdD7Cj8BYAYB3NMrAjymo4MLhrqrxYfsHWArLw39PjIrzaMOAmRXP0JfXe
2Ac9r+2ml0O8KDqQsbQ/XjfrRIog7oTdgvQDSGQ7pNl8uytPMy8NhdqFUTLS
gtK91q2YzpDV7ytkZyAaKXwzUvK4YCbNV2HCOBrImwq/JBNlwJER5UTaCrlI
H8PC1wWcpXXbWWKAuq5A+/Yz3YS8eID9yUqgHoovR4QNOgm/RdPHaYlqYsHP
KE6UFjFhvAQ85KgMTgwwHE4NjhRIClvbVUHYgEQjnywzbERb8IbPHtPxKP9Z
4SRqHc/mgPgCJ8dziKHbb1A+Zq/yAbzTtc55YgrFRe3D+w49XDjcRUKkW0cg
gqjZ1njExngCAQ59BT4BeI4nKHNbmMn6wE1lvsgzpJNwIYGxdrAaIqC9FASI
OCDsRPlnrs9f64Rq281gUgvYRXh539Jv2XhYnnInUAzGiSjB6OfQHNBMea1d
Bzgwi6jsF2BLRstu2GxA/jrFjMz6+2Ajigr+QgQg3QIgFR3MK37k8nxHLsCB
WACZLEMwhl2kMHGOwDUeGyi/nGTZ0yNjDg/xGHwJhAXob84Uhk1PDg/NaUMW
jEqKHcg1AljAVik88Lskw4CaWduyQqQQC3MyMkidGQEMr05/BTVTlOmCjmiY
SFl4OHJx5cztq3dgn71+c3OLxMFTEqEdlp6OhTwNc3gIL4E1gt5AmzWBzymK
kdOCigNet7KkPtlGBCqCIADSTM5aNn1xN8/u7OIDEG2isrQEcLVh/CNKApmL
hkB941Sllv6dU2R9RMapXZVKLBauNMwvr07PaDcKBH1eKhM0AOqAiQUbtliQ
vGcYCIahvUdg88FumbBvcO7xwlFMCjYuZ6y6Pb2JHCz64HdkbLZ1QUJXa91k
ZvQjc01cQL8wHQUDAT0rR3QBHqiLjqnK8JUPEqoTPi1rMHILUEczf4j9B/B9
Qc/4+H3V1oXqFatTLWqwKfGU4DJu6ZSBALjGDbydmdtriwvtt7cz9iYAb9/e
3AEL9nAUb4V9xbchULpDpLBpUVpUZG2sgYMWVTvAqSTTGdchPiMDs+2rFT+8
GTqE2k71Hh2mBGsChITJwfZ6/Y5DRGBXhTieI0SDY4sGvtMoZzvPJEMNYBr3
JeEisjIdmQosI+A/grDgzYoiUE7QIEHfR4b9LH6WTgWJrGgFqqX9SgCSzpF7
5GQStRIJER1I3I4IF4JofOYF2xlKjLxd5mdsRKhIu1KD5kINGhJpiUzlvUbO
2Aw9TYGQjhpS5rcYUioIxJi6bERm4SxA/sEpW4C2esx+YhtrzqPAhgGbKE4v
y8g6FGjlT+YcoOsH5SAahEZYIMfaxMyK/S+KGeDY1ZFVRpCq3DbFulp49geJ
0wDw73ZsL5uYXQplxeSiCSmfjAxKFCdwquHdbCwdPGHK5v4bU9jZJ09gS1vU
BcA9Ir1xHy68KcLW24K+hBvPfufPDPeY4CId5fGCMYtNRlATTVQozHrZFWtL
i0EVD9sHyhaNjJlhJzquALgEVD0QFJHFfKjqPoeViPbHoTJZDFI7KBDWWQxt
d21E+xEQ0ExmC/YLnC7YbiTX0FR/GSx6MoZK+IK4CwXZAiYF9DokXfb+f748
fW0+fRKP6+fPzOvwzq5akYjgb4hxsfA04LPctOI2Rs/tyKlI5gaxiV/OJZBB
vIYwmWX1Ea111Was51hW0gB6wuHHm5fvXTrn/OerC5wrU8h/xFyDCoznLQei
MJPXKkSuhH4TmICtQUHh5ijaFxlLQL8Vd04KMmCantfRzKJIBQNYvzMzIAxB
eyEUvB+ZDRidxBk6kbugsrp5BSerCxGEdLnCjLRHiLV4jy4bhq5F4ABhPzny
ZKvD0kQHLSzbgWKULWtgHhbAge/EVOQtIHgaGWmxuIqtW7YOgcktgXoUCfdF
R2Ijr22z6kHRYrSGBY3u6QEucQpQFhFyvWVzHA8bs4dqD4AFaOzQX2AeRe1J
v25BBxBqAR7lM51yHT4CPFXieQbCwywA2Q8LFBylOOpHgRugHWhFljGJswyl
i7lBIdu0dbvaghTpw28iQAAOGYwWAaZDQDmZ8X8RWOLPby/+/d3l24tz/Pn6
l9OXL/0P/I0Mfnnz7qX8HX8KT569efXq4vU5PwyfmtFHAEgn5KTMJm+ubi7f
vD59OdlZhCEnRAs6g9XlprOEkpw3EHDhGbEZxmc+f/YcuGuHHlxcMdAng3vs
niALSEzVlNTBPGM864LXwLsG/GvP1M0nGppfGGkl4B0guPoKHGBhMorgd8D1
jCtxJnfFPZ1NRLFRtMC/ZydcyecroDaJhaj+TsCVjEu+omUciRAzkyxyViwI
chvGw0tQAOwSYJlEgBTBsnjlkNkBHgLFZHEXV36610pMH5M9b9dAKZXczhKA
eiSmwPtBHinkWIR1HcalSJyBHnOwAMuBkNXQhWgaz9rHPc1vODUSCMC5mXk7
oOQgv17RiCgIwQB1vpzQe/gv8FIe2omxjcZa5DSmQebbYFPLqV+zjKM1lmzg
wEoB85w2COqFJVB3MTHm6B+NDHN+fGzqBErBClpAfSjWFSA/tiVEVZUCePLs
xw0bJ6wbygHZlVWBemgiD5IakC1JbyZdASIHTQXmRXpycvnm9FXOb5zE20Fn
GaOndJafhLj8O9BwZwADQJDpnn5OvV4KFDzKSYw71Krk3i+a3fgaCQfSnhhV
TOD+2MVX7Dr4ssjBl1ouZP+CQrP1MvH87Qu2ZPv9XWOj4shcFMRYvEkUXVHf
2o7zJ4mw/JgavBr3IXdZTo4fhouZn4FIiP6O4EUYy/O+oAb1EBKFYq82nSdn
zT5HNxwN9lCTIe3QKGUzZO1OWG68rzoMXRr2zcJUD+71xylzfOQcV6ZArIMP
n9XtUOaC8oIHRmS3J9Sqa4eNm9Ij18BG/evLM/f1+dU7IOgSbNsiCTGDfdSw
ac8PMMjKCWTBHO5lwmik320dRubCq7OMNo6FI9CE9509BAhV+5hnCrJLCaUU
CpUAfmDIjACtgIVYSnu1hBw2gz1ptjMDJ2/K4lu8BsRTCLpY14n4Vt+sinAQ
PGMWzWR48pfCgaga3nDgjX5G7ntRpMWGvBRFwyaA15G41IyM9TmpNtg3dJ4I
HhMCVKlP345nAb+Dfiakyq5o9AcGRzRzJcoRQLesVmVpPyIkEzYkX3T2mC/6
iy5o72leeEcz8LH6L4MxEfmQZ4kzvbM0M/bOJX7jL7iZmRQ7zufIk6uu3MNs
x5dr9vty1d8M85/+mFI+iwcO3vLYTxyN6fMLhKPEpZh5p/pUg4HkhR9IqM7t
ogCKy0G/pMnDArfCG36SsgYYXfIIfKhfPMqMmTwic+2yx9AI2KsrRM8FQq4B
bQYgK2jXkv64LIa6B9CG734z9GhYz3GPH0srIIXmcBYHcj5dgb7jZiWmYLsi
NQdH3sFxIy8pSFPWHwcL9F8Y98E+ECN1AlbKis2KBzgS7NBQEQyHG847Bbo9
i03loDbMWT2MS/iEPemqVnVayHJ2qmypkl5lLEKDoFaKTTGvapiMVbkL5urI
9RopTIVs44OJgoyPS0CxkUBD9EKoBfZkLf5/VOseXfgJkVycBf8brAYOHkUV
EGeCvF7d0aPekbxAH7TEV3UF53FsQgINP0lsgrByFMUE8wuYyRnK00OLnl4O
4pYNUgyi6ix3FBma4kakMjkKvZdUsB6+0pQD2THwggSlzuj7NDcMWtPGd13b
8eorFSGCaIuqJn83OeqCA5aykj54x73sJu+C7jw5nJ0CfNhmI/8mQhrvSPa+
6BNzoYsW8UyTQIKQOtARzPHHpz88O/3225+emoMXfzp+lp/Dwec4e34GpvUU
j4+QdmYiBVaEMYRMeW6u3ry8PPv1z+8v37w8RbPwzz/9enV6fX002buxp/zT
K3GP89bexEJc8JaYA5z/Fo+A+wEU4AktJHASQlTBg771zvGD62GeI3fcbDfW
YArZeYhuVW5sqi5bmoIQXewhsFricUFdV8ul7ZCtZE35fzenL0/fvjpiZsU4
mFqIRDFMqOgsPSOhDDcaFGRgr/ZmtEw/hAYp1FSi5+VIiEBFDwmY+2/+xD+e
X7z+dTrzA/Sc4qG8z0ee58m/iFOAc8HKlrBinofntxtJXpLzURCTc0A3suU2
g7uLhbkLU0DvCQhE4MrK2aBnQMu2ndA/sNmtMNfpGXHWq8vrV6c3Z7/c/sbz
oFwWWOUfOw4HxJORVc+2YhhCUujIB0Ayk2JqtpxGB2S0Bjwfgb3OPTP9XR5r
WhYOzGbR1lraxsBh5b4xSaELmNmityYwl2Z9hedI0lGuR598SuYAm0z+8bsK
NFW3uNsG1Y6eaDjWAKTYjouwWxFpIz/EukLlaVdBgvITU7Kqiau/RoaOY9OU
zVOFU8aoiu19eR/FqziOVxIaJTu576oVRtk1uOf10KnaUfh1jTgvrMqpBYbx
Sch6iYWKdI45a616/fCAumHOzqLeI40oqsE2HGCGEpWDvHImqELfmYTCGE6I
Mx+H+Kvt2pxBdeIs0pxHsMUxwBfb4WXZOrHB1VXsVxGg8GO+FvINAFUfbLcc
6gwDDGRrUbiH5YeQQoElSYiHimKpGJsG8a02P4KLLWCqrI8cAmp6pDFAB4ex
6KrWb9FlQ+BP/SD5OaIBVCoaxcTN+okBK0eGKViaepQAxt9bivDTYN4foz5D
dPI4W99bSrYbsasHUCBWgn8Z5koAfY2p26X30g1OrT9OgVbXMAbEa6RRifP3
Jl1nXTsAZMnx1OjeO/TcDQRgfTybQpk5qq1GBJ/Y+KIgil6z4gLIitKkiDkm
v2AU+VWxmRB7vfVJjSkxb+Skj3l+cLzLPrQX52FN7nDsNY5NbhgfblYAxL6y
QnS5U2xlu68RDed1ta56TJlBwE2Irqvg0PvYiKHURPxqnPh4UMzb++BctJIk
Cv+l8RCXL8Q5yL4jpPvtC/aVvsZ9JdFLn6aReJVsExh0Ilo1isPzAb29tlQ7
QsLWBxw83cTTqhplyqhZWK6ikBQYPKV65aJ4toY8ZyhXc7VqiIeYHGBd9N6o
R151TizySvKZ4OU1fK0zIeMKnW8YoJIIThxZPIkXJ44Gyvw7fADWOtSUC8k2
FXKMKIa2DJ4IPC9fwZPt/P8gkru3h6LxI4NfhB/ICRfkXch90LS4w2IF6GSF
u74uVk3VDyWMxphhx8QBUTog0iG1D+b4lhE1v1uJ7DE3b4bINwRGcBQscZAI
cJatCTC8QfZFt1F6YBJvjM4Y94AzPoLOa2EFY+/nEeJHYIZ2jkFB2n3iuTF5
/Si8PMygAAOEziCYnX3ws4zZO4XXJEsQSmJmiDK5B04BqEacPfND4i8xuIt4
ZkqmFmcmVZrcEvazWCDQhVfUWy/SaAMk58ln6sw4FZbigSFTJUQ/3N3QqIMt
kIQSw1H/uEU3zOckYjaqWPEMKN4pOJ5Im+QweTuMQUs88qpE526sg/mw+ejI
C9DCqWIbSVgrwuygPClHmXO2YbmsjwAz1uR68aPWNnpuOXTog8p3/M6ocVBZ
tWQr5It2z+LRzdDx6pTVE2MGsw/tCs7tqTA2suxZ2wCK6KQgIHXHs7j344Ms
ZrR+X4EitWj09qC+0YvKcmldoVVM08ItEK+Zfz7Oh+Swiz/ULuR3si0PaIDM
k5YyGsrIOljV7byoZyZk4oOcG5BRkvRe1jZfuZAvqgMQWHRA+giYOU8bzShh
3KipIcCa+MwibLCQMEInPv3XvGyL0vwEvEJqC6l8HvYTfdVmTn+0nfMzU8dC
cDfD78j9+7LD6Mj5MzVCOK3mzZDJRln2XmIXGFknCrOqiBw6HuE4ttZIIhOe
6e/GMpOsWu8JIm8ZT58VrM/KDelt/suCf0jv65qRj6rFzEfx19VfiRSaks6i
gY4wvcs6oAxXOcGAvWWgL2tkt1aL+pQ8fLlfKR7/mmoVgCJEF5dGe5YSL/Os
NYuRjdTqDH3btGv06ET5c8B0BKx0NymhBjdaUSwj8zhwSjlhJ4ZceNu87QDP
thtA65Hr6rPEIna8WRwH2w0sjaPh49Kdsb/Qq4rdhAUOph4eFiU7QIsa2Di4
rdi+Ei8yzJtqtELgKZrxj1lFNgQ6FTCPzZI/EM4fBQAxMIV+MvG3S4rejKJ/
V18xQgh+LQWPGGfpNJwlOesxkXyEgVLgM79MeNTnTaVZpT1ldwDOgX06Jc8r
JovZTsPkigIYj4jPFKgDuhr4EEiDWDc4IJOqwspJbDGqXGTPMWZh2YYXi2ce
aSSxDBTs8fR4ZGcO5pGFM3qL996hvx/5Fr0RGRp0nOJHPkl03bC49QmV7JmN
LcCDJzrRKelzl83tXXFftZ1kzFGOCvve4ooV75m+xhPdE83MwSRl8gnld7xr
ouAtBlN48plompG1jWQna4N9RUh2SmEkcz54KW8f8UvesrmP53MmiUIoHWfB
t4O+G845VucUFQ+BjVowp5LdkYf9a+6rrm1Y0Al6ujq7HNvyf20b60LeyRXS
jeAGkUbdC7D7dbuSlMB7WlocA/M4eV+4mMWSWhCRMXu0byUMmLmcal2t1L+N
DN+1vfxGaa+MLHPQlQUd6LBcGoMrquhQi67GiE0cE6IEtLqO6msojSCozNdt
k/ukC3gHKR/O8U+zKei0j3MpeBZfzqdw6Jvf7iOOfzJVnnAkAGkdpb5pqZTQ
mEa7KSgBcsalHqw4OYia1kVRDuwRFfMhHcj/MdPs9/H+7iQyITDqSopRtUss
YKM3CLQOQiKqRAAF4zOMZSZvfNrdnn4Ln55IewSe7+dxdYeky/6doi/vvQkT
oSTPiAbsJ9MMOdb9Ny/fzzRjEEeXmZ7VBdcDAO6EnzjfEITM5enrU189JWuM
8jn78MbKpd78v/3tb5k5Nrv/nu757Nmez77Bx5/Cn74x35rvzPfmD+a5+eH3
fJb9t/yf/L/sP8J8EkrpP/k7hTro97f0f+YlpUnC7//aOfxD//4j+9sjf9nl
zf3//vYvmMM/TwfkKMwJ3531C+bIT098nxHmUfG+3u48cct+GI5cr5mtW8YJ
IePQcRzLzTLKqIyV9DDv63t5yVTQhBckiTu1ChU9s4xdQDouSW5KsPHFqwMm
gPQUMColsT84NLPb0/B3HPumWN3qaOaAePC7qbfxELXQkff5yQjj9lQgEqg9
PERYC0oAlJaVlJc909EkNdv4JE05/3F5FCEG58mJ4d6k9kCrvbM0NU4tf1l4
MOaTFBHE+A9AaDTxM6lJ6kg6g1LbBWhu5K9Blcl1ZuQdyKKMIs0wsFJtEVy8
B84CniKP/pQrE/axoQY+PTsmfKJWxaayzF/7+nDsDhrEK/Bli+5s2lTddq+J
WfIiq/Dr/quJ4CBi6X9VwHoRzP/eWnLilf9i0fN/TwTLv/cYKPzSF/4/EsHi
isX9OHhu5ujlV0CNVQEJa88txd/IxisZ31VN5fM/8PssBx9P1OfXyX6PX8jl
CCqKbomMXrg3gGDQ2SBDeN44ePp9GIWs+TnnWINwwzifZjY4xPqddy4AKMKY
o/61g2OMoVEdnrfw4L1USgiH+pn6Vls0Mp/evytJbog+XpAQuUSphfOefjki
Jg8fodPkm8lGPj0xqdcapu19mLySE/Ot/4TWemJOzTfP8jn6zgmbh7BF51e6
40OJYujYj0IbESSQmghGsfNQ+RRJyeANLMEarsiJiKZdGTK0PYYln+me7MCj
ZPnP/PJ/78r3LFkLq7QkIK1JxX+YpWF8qqlUCihfjUoZaH7f+PlxasK+OT7d
mWNjntMchZJfyI2NcuTwn9oWR+biI6bMWd+q5MR/B190DC9BLkw+BFY6t832
a3Q5JH8AIr/FSONLjAwmf4HlvWxXyUffnqAaJW+iZta2FPHUxIikgmuaUAue
vanWllLp9lHq+e5ufv8tUarXx1B4vL65Ulsnoh2FRxMmZELiThIxBQTpk6is
ZfSh0UIuLJPL0+PQDOs5eehVoZObyHbc7EfgAWyM64H1SHz5fi9+2zqeC7qF
oofAYPHPpGz1HSx9B1KaAyywmO5lse93KZcWpfu686iWOPV5xSEBDzCjspiQ
mlZK9qYP5FxcxY67SApQ1TTj0xi3sybxyHZuhYbUNEdEYRWig3QgaRQWQFRn
QkmD9UL63iD2FLHWwxmJzYUQ3FN4L+SXMA+VJOjafsK3zELzHdrX8QhanLRn
i/zspXbixSjAqFMmt9KuZhRS7xk4Su7pLRhGHWizektaEZc/iI+msw7xNBwH
JRJlrvfd0JCxEAZpzdNnzwO7krc5aHmaTkztZjP0fsfCDmNdtjYK6EMrB62A
kK6V5jII44P3ry+n2D0u3d5Cy6eZW8T3O7fsCN+Si3okaFgex1FXrWOQQEl6
pr4/CY07/lklSlOuq+aDG+vSsfShOWOxVwnzCC6trgUdZA8Po75KcSw5xOZC
vkER9BepKWqXRPH9A3x6gukIEy6a8I/HKW/RUEkASuYSvPg0esRv2tRMX7Od
RJnxCxiD60WiDK5ElgTnLx8Hy5pLhMDlOXwBXWKwz9wmjYv7cUpBBBP9bjeL
Ki8xX+zbo2OMvbMrNp/DbuUPdk5pCrczLfKi9Vdtn3Mdf145SY28xSoRicXG
8IMb4KTl/vhP+5khdlxSlQM3CmGngTCHsMrluTPzwpvjVZjK2hZYNYcpFUpx
qgFULOi7asJKT32MaYwMX0TN13xRT1Fr1HHetVTx7dPLZqkJmhW7Iweo34Up
nCRH5w8nJmQ9/D7FLRhxDxqj1ATMEJSR+yAR2FESOafntm6b1W500tjCkZMh
qgLz8iCydiTTx/saNNVIy1k17SPqjZCcPoryhLRfDxzuCudtHF9e913eD5uI
ew84ke3ruPoI9oGCsG7mK9lnyanZ8wxlMEyl36CKApqBMkKSAppk4ec+QPKj
2EiqJ+AAjmJJEQmZtxmmDuJijomdStjnAO807eUfButVTE12Xrt2UdHs2D3u
p/ehwTgBZzX6BnSULaEfhh5kWLJusRNUMuMfTnzeye9D7h4xKhj04svDeE3l
CFsqb5J4kk+6kEjpPck+5HMhAFrVx+bfojwNXyaNbrtn331n/s3LX+CLkJfz
ccPMFYB7yBGbRTVeOtc4w+1ADx9+Mo3yO0qvoNjUuWWF4PNDCGNzpy0pJiBZ
Fh3rOUaIJRmNAWTICAMYGPsS0eiXrRR3oNcFnEMHQEty6IBLwdbEemYOG1Nf
Kp9p5YkSWTZcW8AVTEmCWZrDZDHnkBhHe0mRHFcZEgXRR7UIcQKZ1C75x31W
2m4yGqUIcqISJ2Q9lueG/ScpES55a5JyOUpBC8wRoa7BRRlc6xbwVtuogEvZ
EHvWCTEifKNO4LTcm0jvAt3JjVO22C54Ht7OzmyukeJw3z6ftje5MCDGUiiW
kb7am7JYkt5+lCvBg4iLOMTvUxHw9FhwodL59wkCC+ah5UpenmBnl7V0JI6R
WNVgQw/4f4uZMiG/k9OXpUBbpoE9MaPM30C0PkKbmht1ZN411MA06o8lFS6p
LNfzInmE9TYHSOIoALnEbDrOnPU2HY6941T4ucOgszmgJuP1j7GDPMo0piK+
sevhV0vVDwfaglRlz+g5Tk9On0b/BHuOD+zHBUjx3/gs7ZUz3/hINYpMBjrs
cBxxAswSG5n/CzxNqe2NIXhJEfdzo8IDiWiYffEjwTpqUEbGcsRTZHiV8Tbs
O0aR6Y3qlbqYRfVUPo+tTJuK+xAO9lWllk1CdC7PxVUtI6wdPAyhHHVEYNjI
4EnFVL4L2k6Am7+F4Ih7hORj4elbd4xjaKmRKVVa0qgIJQ+17wvtNbicy8HU
IvMFExULboLLSX8fN1gQ1NeavBeaZnjXAvq+/BAYHxqwkErcqZVzw8jP+fSb
iDRvEa4D9f8fUUXSCamwa+Jp0ckkJr5D4E1SNpeOIUkcoRNh3a5WmiLY2XV7
L2vfoHe+jNkvZNdS8HFul5SHXCbaAbMrEGV02BUb26ZQdofvBXKG9lkpPU7I
Ly9/GbXaiJtShAdC4w3fVa4aZYRJb4ldr9hutgeV6DaSbysBUHjBirqP+K6X
SdffyHG1p+F26EmShZpBlF033pNXUBpfjRcmSHN4StaTjlq85tnIJKA0Gu5Q
nDQc85JGO6ahAyi//uX02Xff5+gzOog+yLxnKfYoTbUbT2mpZD2WSmT91KsW
pnS3PjIvqL0choudzMnsmRNW2OuWycaA6JNqjgy2rM//MoB6HSRz04ZXOJkL
lugD+WzSWIuNKW7MyrQYzbQn1xvm7928ffP655e/xv2ggEbk9Wi2GZhXdbuV
BlY4JrbBCSZTr360NdapzWVTbK1tbstRk90ya5t6yy0suSnhbicS7sP3TpvK
WnOmrhhJiPmpwlC3GggoIeQ0UOIeIGBMIqt6799FvkvTpG5RNkUpGQho/FsO
bs9upzgAcPwOY+3bRK2qpcAEu6D60KoFtODZLc2HG2cVoZgWuVirJnvJchhR
A4jxJ/H/+3Go93bPqa3YSGjDXteq92KbsmG3eg0P96Ymj5p2QKY2Vi7Opjhg
pUuyKe6E+djVF96vPeqoLl2WqUSBONL3c/f553Gup+4iSxcJcSoE5HJO9JeG
4YhM0ZIZhmNGdRTK0iR2ybwD8Y8aMnfF0k7CPPB4UQE/aznpdoHN73hrgG2+
kApaYEZfBmKfO0PEzViHRvWFz8cnm49j076LGOztG+lS5bTGGBnkgVu9F30o
W4i3H+UuliJncfMrUiIcGgB1fs55n9hXS48vZ976PNBqua/Z/dyuqsazb/xS
1V6gEHa4Ku2VHjES50pSyuie21KmVJ88bGBObE+nuxxxNllKbZOHezr4tQ94
nQXufaaFkCj2OpqqNsYJ+eHSiDFeVSD6GuaQJSnj3hMV9SCltCrZfsxHiq8i
QYiIXCWHPuIVaSyaQOdTFeM0UHrNEJprIsl9w1F6OAfhm69Xa5V3IcalkuYL
+VraF25Q1z6q5WyslWfxocRGAD7TX8nCaihyL5OG2WMa7FETkn5AGiNQ4HTF
lQafntyti0Ve8K+f/0vggCz7pX1A+5XDyQt0RLfYyicVJuQQQGFjQ8/bLOa3
3cWB6ia9gxl0GK3S1YCqRSO8yyKkoKV0urBvnn/LCOGW7cKQ1CdGEpdkZVLD
w/IRtpR5aL6N+upK7p++a8Y+Mtz6WRauXgncLnstjuvC9+5lvGTGeCn7HXjJ
7MFL2W/ES8yYo3P46cnowHkgIy8kLo/DvcHkwDQQqQIBSrRRU6MvXV+ANfog
JKmVM2rwTSf1pxEQmxnr+CIw6nlqarzjK0eHlx1dIgPDD9xeKIveRBukaDKV
YjTgEmMPcLBiYZrtHq19SCjiSWVHLKPCNP1ylkXNtSR7P6ze9yOGU8JXcjHE
QDO2rpZ2sV3UVkUNkv0kaWVp5UI2Pn2wqPNopzAh6o+4UwpS1UcRlRa4AfVH
xSVNsD0bjjt5OBsXvnPnQkWwNMaeRpncT4+6WIm/wYXCzsp90Ag+CTPprBt1
qRCqEUu+lYINv5Cgt6iWw9L1Np1dUQE5jRqy22D0exAQsJvYLpK98ZrKAqvq
BsmmZcjga0MyNoGtRg8JZ+mmchtpjhbiZuhNWXqrkMHaV/Vooo/zA3cj8WfX
Sm8v6XIO6+l6LV6ikBB2uWYrhsbYkVPjCG2ClHYdPH41sZOnjC4bkhcq/d8W
m0pob++lS4Pm1Y1YN6aPb9WcsQNAW25gSz0td8ZSTRjzg5Y4cmO8gobVG5M4
ACQ+KDe40PBzbk1qK2PgVIqJzWqoSq5/RneD61V82Fh92AA2qZkMynlMQQLy
OUwKU7EYtManT+k1gdQJlHQzxWsDQBrXElEQlPq9kKEX9N0sa8fAl5rrkKNP
6g5x77DtkzRefcedwMSLO8u4OliddbGngTUKW7ejRseoK6kPgySMZ94rzNWW
1H8qdC+6bGBrC3T24HuofJg3myP7stuZs5uCXJ6kDih9AXs4MBG4n4O/EpEz
BimWz59HDSsR41RO+okS8akxHBHBLpfs5SZMxh1ti8wHXR5tHntwELeZnk5P
DBng1AY3KrGS+pwVNVqhosjxxWp0IaLPdqTkd997VvvMUc7NqPfsHozhu15w
BASNoaJDszDu/B6EZuqljYv1dPNl4pn31FJt5/6rE/bBQbqLxcMKIi9XGiZ9
+qXYGlumsSLH1zd21YLV5/WOP0mkqWFG6wrvMaga7+2CWVz+8YJGvLwCvtAb
SpJmlcheVNOGZA2q36lNilzA00lxJHYYq+SmOWwwGO71CGvhMOlHTa1A8bzf
fSgFsNS9MTTzYX5U/b+knsxiA8W9zjHxAxOc8MYfzBsJ/TMAVnHuE4Cq09if
SKteFJueET8riLiKb3wRBWqYDmxqDABx2z9JYNOCcsq/wlBeR4mWmg4eQUb0
Jtz63M1xccu301HIV0vBLa+eg8lH2XvPrBECwsPS04GJWpZ3liareRq4rMzn
gEYE1+7QXCO0Brzhw1txdAgfhcPblJriYbxDgg7LAlmu0PIiatgWGiBhQyfN
CdJcKCnQ3moTH9rJsT2Kjf6oyvaMzPBPT6jmNsdiEUwW18yvRy6Qkqx9l9zQ
4vu7SYdxaUDkL+I58FduPV76yw1J1GcUX6PnjzxiYgzRYV8l4CFqJ00roblL
Yy8sxCcaHpnTTKSIXwhTjEUwUWuFyHAr9A03G/CAHCzPHmt0x/hwjQJwJRda
gu5pexubuNw9Ui9hDGmC3F3MfaVNZrSpme9mw8qKGxK8iVwVO0GFyAL4TBv+
6uYdDfWiK6J2bZ+erPsBDy2HMOJGFL4nsqa3NKhhnVS9YtxJvWx0RS4WXZEw
wd4MKAf91VSAKih0RmyC0xDPBrc8KbY+BRKvsl7YTAwuSvi5wn4Oztn1vCaH
auLHVJEgDiuXPWb2YKpNvGotOqOZyjR9vii66+5bvOxK3ONjn1xE5+gGAFwY
b2Qsouuwy3RIwk1rkoLzyLUSsmHihPviZWu0hbl9ZvnqUfy+Xr8Wedf+3q25
7MMHySng6Yu3445uMhOthtmaMOnYLvXkmmMHC82wDUDR29le/imTZOQTavz+
uNAuU/LNzPtXbqoemKGhWmK+oo42DcAG3hmS7jXwE56Bd+dXcqEInKRn/AA6
o9IbrI+yb7Qp9MdqPazD6XDc2qWIUhCUXhhXdZE4R7jPMVwsJl/GF2XCV30z
BlUTIZJIPutYM/KtTNFRinSGOPwp2siN0B5t+ZDFLR8oiB7pN4z9tToLb6yn
t0SRiq4YRhM0XDMCwjA1cRGI8/2Rc6+KMTKQoTz2yR8YENi0Tk6rRGjJtrcV
2UGjcACCbekMgApCjXD0r4RQZXrNUlqiv3vIfsfFX3LmFu1CnEgcCcWHfSRU
LuzyBe+k58b4dUZYx2M7CcfXWJBm2YNLaUt8iZKQdNW1D3h5ThFyRLNQjxoX
tJBrDbclivem14kFiZylh03dKjEuSU6ahOHoYGRFo4ZFxK/+BPoChUO25g7T
WWo4rGhGUaorLxm5ewuo53L3nPiG6pwLHZ2P4r4AoE7uZD0X1JIChXASr9MG
UtScG6+4xMtf+CSAsLhmh+nBOfuFp1Hfj8dOjl6vFGBmjG9/06Hh5/ecHJG4
EhTEI8o9q6l31KhDazC4qK/5KKlegyGaDTdO/QipJZSrJLfkoSdF0i2k/6RY
ugen5T3levMNQNKsicxbaQmkdhkPusNd2kVub2ZHyrpR5QAMywVN/tb1yG/g
QyF0Jdro0rElmyPSCw+Yw7dx8aE+Pw/F6RKtbCRPhPK7+XmfLBIe8oyfdN8g
mUtjkC6NW8TEV8tTVqPY8Lc76TY7DMG/8SjagjC9U9FMHDDGJEn7mUmirhf3
lfamjBxurOd0J0y7oGKkUmghCTV8tyhLHZYdPAzmrzbcP8R6UVD0mhrLyggJ
z2bJLxicvYp6hqXh+l2cS9Fc5JzP2vvpN6bLRD4pn9+Gmo2uygvHlUpnLKfs
qZYBuCMdUKPuZr7MBK+ZL7HeCa0Se88tkvyV8P7+kxleH+44+qI3ddB3T6/h
r9kgvjGUFIgxc1Zm/nqFTbXh2BnJRi02kHxFBrAui9uO6qUN7D2W/rPkZo0c
hXTRaGjVstBLFiz7wMJ98bN0zgEZaaeYGQA4kH1YRFZTttYVz+MXvubvPZiA
8O6Dq1/eT6MmhGxSbuieZbIZKbq2KRo919pogTx+vKtyfZcUvu4Q6CiIdE1/
Att35ds3+aQomMXp2UvBOP6uUzyeddt+GKTBlDoQqWSDEqT07OgSpLUwqRtq
McGDcBWD6AXBsnFHTnMrqepT9nnwhX1y7Q62e92pXQbaBZnsJQRdmYwefV0g
fA0btT2ATMT77mzUOFnX/pVMS0PrFPGT2yAiQRSt0jtlPmJ0EsiZNBePaP8N
T++GzYj00s1kH9LbNHkX8CSF62aThvA9r4zEeJx84vukIPlHz/utlr1IRqJa
g7lAcb0srKaKcJXlPApnQHg+097PLvZnsFTqNFOBbydJGrjGDipur87BdqDD
Co+1QqxbjO+iG0SsYJusB4FJolykzyErFt0lXwxOQkJnnlPsDv0nIxnjpYh2
jORUAOsvn/Je00i+7JWY4gdVdnASL1qvEfJk2JJUTm4iTFRE4g1RQW6VsMi6
3ZBZ+YGLkLUpgb9ZVwLOHqhzxukjwP7TznWxAuYfsZQFMo8uRkxN91kWtX+W
C4kJJO0a5Htc4ypKsth3i/eRxXei8QTiHn4cM4/N9UzN9SMTUhW4/oVa+5Hn
XJqNJ9cHhzvPNfszve9cGnIzV2l2FC0garsZ7gqOF1JTH2sm5eP3/Y7bmPUa
rv5dNypnyY3K3onHa36QOFldfOTNC1nTrA99ynSmCY1CntDhmxl3sp+zJvIK
Th6M5PjjEWVfwuLbpmLaFdoHVHuCfjW5uDnNmR/f38xOenFWcTTyJ6DBEvfs
0xP1YqGn6MLncZhxvpBMf2j4TiW50MhfIrD3MqOf9XbnK5z4exB7DK+4sTbK
CWAHdfbLfSnuDsAGSTL7sdD7p+Q+R2kbqonY0pb/gcwUFE2oqUrJ2eaIPwLq
A23Uscf9PzPi/o86B7OEZmkqDaujOwjlwhxqvs7x9HCJBbep9oWN0qQi6TDV
UFiv9/U1hVyGq/DZtWvLIfY2qE66iD3cryrFsy+kgzHbcXrdBdNW76qKz51Q
mEaMPfJ6Gw336+CoJguVILYQ4/krxMiwJpOCXW54PrSdcnBKF0sqaYqDxgsy
NrW7paQvrPmgSdNtzGwAoLeNi66Jf73D5RWKoOhaeZWiyMrLBclTkFKaVCaZ
gMG54eVCZ0M3fR1Drnhq7IMPKrgcJoetVFWYy0ForJUb9MRRkwT29M7LsbCg
yNI+Gepv79TcUDITkJeXdN23VJzPt1HUkiJ6kxt+w4Qzhptd01IclxksDZsr
E3tuPffhucLbT+XUkxqeafJfmgGRSVCcDIa1LyHxt87LdfLtjKKT6Lzjpc68
oZ2pxiCM5bNGVcAj9QA0PuyU00e+c2Pv23qIHfa8WL9hkm1BgA87bICmGEYu
+nAJsCTg8Wo0lp1ox1iwEXiPxeAay9XIsZOOL/r38uLmBZF0aOhqRzGgmI+1
+XAm8WK+yk/jyKKrLgEPV/0QojpgG55GrYkE22WvCnIqkXF8gDe8Tk24aH7/
Ja++mx/mFNIdjEUWCQuP9/zdrKE/fNxaTnyDR+ZU+vBnalijJzeKhe9vSI1W
PuX2iNFgN0cSsKjEk5mjzzc4JlFrwCd7E2C1UWGmifq+VwBQdo7Xe8u9i760
UrGwd9OEotAyi9oP4v1Py7j1w3xrQvqzDHFPt8LRwGA77Wt/Q9IlLrmPXwHb
sCy6qZ5hhPgZdS0JN/sCV/Za1xM1DE46j2hPgOyL8SFuChm5khNNIW4g1/Kt
pdiWm3mts1R1QS2psZCebj9SZwJJBLnaOlSyZhG5Jeyw6Pkqym2SxCXLxH0i
dykHd/1dg78h6qXZaVFbH7J6QvbPnLvj8M2rIm+cD3NxUzcg9L2NurHhRsz4
5tM7G3VH7Kx0YiKjA9vZ7jqiQIEVO114cUkwccfP4D5QS7F9bXPVFs0maV0L
/XUSgtLjS7f3XbidjeOJ6axIDvip0b7T/PRKIIxfh0QHVJH+7eLOmfydbnOh
3Dsuy9E8el/g+cV+qDdksKy8+NOMC9SSSD1OOAhpkxOSwW/hbNqHCaw5h4OM
7U2y/wQ1D6IOxZoAAA==

-->

</rfc>
