<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<?rfc comments="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-singh-macneil-ioam-firewall-metadata-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="IOAM Firewall Metadata">IOAM Data Fields for Firewall and Security Metadata</title>
    <seriesInfo name="Internet-Draft" value="draft-singh-macneil-ioam-firewall-metadata-00"/>
    <author initials="P." surname="Singh" fullname="Prashant Singh">
      <organization>Hewlett Packard Enterprise</organization>
      <address>
        <email>prashant.singh@hpe.com</email>
      </address>
    </author>
    <author initials="E." surname="MacNeil" fullname="Erin MacNeil">
      <organization>Hewlett Packard Enterprise</organization>
      <address>
        <email>erin.macneil@hpe.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="01"/>
    <keyword>IOAM</keyword>
    <keyword>firewall</keyword>
    <keyword>security metadata</keyword>
    <keyword>DDoS</keyword>
    <keyword>chain of custody</keyword>
    <abstract>
      <?line 34?>

<t>This document defines a new IOAM Namespace and associated Data Fields
for carrying firewall and security-related metadata within the In-situ
Operations, Administration, and Maintenance (IOAM) framework (RFC 9197).
The mechanism allows each security Enforcement Point on a path to
attach a verifiable attestation of the action it took on a packet.
This lets downstream Enforcement Points and other nodes confirm that
security policy was actually executed on the data path -- detecting
policy bypasses and detecting divergence between Enforcement Points
that are expected to agree -- while each Enforcement Point continues to
apply its own policy independently rather than delegating enforcement.
This validation of execution complements the management plane's
validation of intent. The metadata also enables real-time signaling of
policer states for DDoS mitigation. To ensure the authenticity and
integrity of this information, this document leverages the integrity
protection mechanisms defined in the IOAM data integrity
specification (draft-ietf-ippm-ioam-data-integrity).</t>
    </abstract>
  </front>
  <middle>
    <?line 53?>

<section anchor="intro">
      <name>Introduction</name>
      <t>The In-situ Operations, Administration, and Maintenance (IOAM)
framework <xref target="RFC9197"/> provides a mechanism for collecting operational
and telemetry information within the packet as it traverses the
network. While IOAM defines data fields for performance metrics like
timestamp, queue depth, and node identifiers, it does not currently
define fields specific to security enforcement.</t>
      <t>In modern overlay networks, verifying that traffic has traversed a
specific chain of security functions (e.g., firewalls, IDPS) and
enforcing policy based on the state of upstream devices is critical.
This document extends IOAM to support these security use cases by
defining a new IOAM Namespace for "Security Metadata" and a set of
data fields to carry information such as Filter IDs, Actions, Threat
Levels, and Policy IDs.</t>
      <t>The primary contribution of this document is the model these fields
enable, not the fields alone: by carrying a per-EP, verifiable record
of the action taken, the data path itself becomes evidence that policy
was executed as provisioned. This validates <em>execution</em> and
complements the control or management plane -- the centralized
system(s) that provision and distribute security policy to each
Enforcement Point, such as an SDN controller, orchestrator, or
security policy manager -- which validates <em>intent</em> (that the correct
policy was provisioned). In particular, it supports
detection of policy bypasses (an expected attestation is absent) and
detection of action divergence scoped by Policy ID (Enforcement Points
that should agree record conflicting actions).</t>
      <t>By leveraging the IOAM framework, this proposal benefits from IOAM's
existing encapsulation mechanisms and the proposed
integrity protection mechanisms <xref target="I-D.ietf-ippm-ioam-data-integrity"/>,
avoiding the need for a bespoke security metadata protocol.</t>
    </section>
    <section anchor="conventions">
      <name>Conventions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="namespace">
      <name>IOAM Security Namespace</name>
      <t>This document defines a new IOAM Namespace:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Namespace-ID:</strong> TBD (To be assigned by IANA)</t>
        </li>
        <li>
          <t><strong>Name:</strong> Security_Metadata</t>
        </li>
        <li>
          <t><strong>Description:</strong> A namespace for carrying data fields related to
security enforcement, policy verification, and threat signaling.</t>
        </li>
      </ul>
      <t>IOAM nodes operating within this namespace <bcp14>MUST</bcp14> support the data
fields defined in (#fields).</t>
      <t>The set of Enforcement Points that share key material and namespace
configuration for this metadata is referred to as the <strong>Security
Metadata Domain</strong>. The domain boundary is an operational decision:
the operator defines which EPs participate by provisioning them, and
any Validator, with the symmetric key material used for integrity
protection ((#integrity)). Each participating node has its own unique
key, as required by <xref target="I-D.ietf-ippm-ioam-data-integrity"/>. An EP that
has not been provisioned with the relevant key material is outside the
Security Metadata Domain and <bcp14>MUST NOT</bcp14> be expected to produce or verify
attestations. Membership in the Security Metadata Domain is scoped to
the <tt>Security_Metadata</tt> Namespace-ID: a node <bcp14>MAY</bcp14> simultaneously
participate in other IOAM namespaces (for example, performance
monitoring or path tracing), and it reacts to this metadata only for
packets carrying the <tt>Security_Metadata</tt> Namespace-ID for which it has
been provisioned. This concept is analogous to the "IOAM-Domain" defined
in <xref target="RFC9197"/>.</t>
    </section>
    <section anchor="fields">
      <name>Data Fields for Security Namespace</name>
      <t>The following data fields are defined for use within the
Security_Metadata namespace. This section defines the <em>semantics</em> and
natural size of each field. How these fields are encoded on the wire
as IOAM-Data-Fields <xref target="RFC9197"/> -- including how short fields are packed
to meet IOAM's 4-octet alignment, and which fields are carried in each
encoding -- is defined separately in (#encoding). Unless a specific
encoding states otherwise (for example, the compact profile in
(#enc-b)), the natural sizes given below apply.</t>
      <section anchor="filter-node-id">
        <name>Filter Node ID (32-bit)</name>
        <t>A 32-bit opaque identifier for the enforcement point that inserted the
metadata. The value is unique within the administrative domain and
assigned via the management plane. Note that while IOAM defines a
<tt>node_id</tt>, this field allows for a specific identifier for the
security function if distinct from the forwarding node.</t>
      </section>
      <section anchor="filter-id">
        <name>Filter ID (32-bit)</name>
        <t>A 32-bit identifier for the specific filter or policy rule that was
matched by the packet.</t>
      </section>
      <section anchor="filter-action">
        <name>Filter Action (8-bit)</name>
        <t>An 8-bit value indicating the action taken by the firewall. Examples
include:</t>
        <ul spacing="normal">
          <li>
            <t>0: Allow</t>
          </li>
          <li>
            <t>1: Deny/Drop</t>
          </li>
          <li>
            <t>2: Rate-Limit</t>
          </li>
          <li>
            <t>3: Log</t>
          </li>
          <li>
            <t>4: Forward (e.g., to a different service chain)</t>
          </li>
        </ul>
      </section>
      <section anchor="timestamp">
        <name>Timestamp (64-bit)</name>
        <t>A 64-bit timestamp in NTP format indicating when the action was taken.
This format is a 64-bit unsigned fixed-point number, with the integer
part in the first 32 bits and the fractional part in the last 32 bits.</t>
      </section>
      <section anchor="policy-id">
        <name>Policy ID (32-bit)</name>
        <t>A 32-bit opaque identifier that links the enforcement action to a named
<strong>security profile</strong>. While the <tt>Filter ID</tt> identifies a specific rule
on a node (the "what"), the <tt>Policy ID</tt> identifies the security profile
that the rule is part of (the "why"). This is critical for auditing and
compliance. For example, this ID could represent a profile named
<tt>pci-dss-v4.0</tt>, <tt>tenant-blue-web-tier</tt>, or <tt>iot-device-isolation</tt>. A
central management system would be responsible for mapping these opaque
32-bit IDs back to their meaningful profile names.</t>
      </section>
      <section anchor="session-id">
        <name>Session ID (64-bit, OPTIONAL)</name>
        <t>A 64-bit unique identifier for the flow or session to which the packet
belongs. This allows for easier correlation of metadata across multiple
packets of the same flow. This identifier is typically a 64-bit hash of
the packet's 5-tuple (source/destination addresses, protocol, and
source/destination ports). The specific hash function is
implementation-dependent; the resulting ID is treated as an opaque
value used for correlation.</t>
        <t>Session ID is <bcp14>OPTIONAL</bcp14>. It provides explicit per-flow correlation,
which is most valuable for forensic correlation of benign (non-threat)
traffic, where no <tt>Threat ID</tt> is present to group on. <tt>Threat ID</tt>
((#threat-id)) and Session ID correlate different things and do not
substitute for one another: <tt>Threat ID</tt> groups packets by <em>which
threat</em> they match, while Session ID groups packets by <em>which flow</em>
they belong to. In encodings where space is constrained (the compact
trace-bit profile, (#enc-b)), Session ID <bcp14>MAY</bcp14> be omitted; in that
case per-flow correlation falls back to the existing IOAM flow context
and the underlay 5-tuple, and DDoS aggregation relies on the
<tt>Threat ID</tt> in the DDoS word.</t>
      </section>
      <section anchor="threat-id">
        <name>Threat ID (32-bit)</name>
        <t>A 32-bit identifier if the packet is associated with a known threat
(e.g., from a threat intelligence feed).</t>
      </section>
      <section anchor="severity">
        <name>Severity (8-bit)</name>
        <t>An 8-bit unsigned integer representing the aggregate severity, or
intensity, of an event along the path. Severity expresses <em>magnitude</em>
("how significant is this"), complementing the <tt>Threat ID</tt> (which
identifies <em>which</em> threat) and the <tt>Filter Action</tt> (which records the
<em>response</em> taken). A value of 0 is informational; 255 is critical.</t>
        <t>Severity is intended to be <strong>computed by aggregation</strong> rather than set
from a single node's subjective opinion. An Enforcement Point <bcp14>MAY</bcp14>
raise the Severity it records when it observes corroborating evidence
from multiple upstream EPs for the same flow -- for example, multiple
distinct <tt>Filter Node ID</tt>s each reporting a <tt>Policer State</tt> of "red"
((#policer-state)) for the same <tt>Session ID</tt> or <tt>Threat ID</tt>. In this way
Severity escalates monotonically along the path as evidence
accumulates, giving downstream nodes and collectors a ready-made
gradient of how distributed and intense an event is, without each
node having to re-derive it.</t>
        <t>An EP that raises the Severity <bcp14>MUST</bcp14> do so by appending its own data
fields with the new value; it <bcp14>MUST NOT</bcp14> alter the fields contributed by
an upstream EP, so that the integrity of each EP's contribution
((#integrity)) is preserved.</t>
      </section>
      <section anchor="policer-state">
        <name>Policer State (8-bit)</name>
        <t>An 8-bit enumerated value reflecting the instantaneous congestion
state of a policer or rate-limiter at the enforcing node. Unlike
<tt>Severity</tt>, this is an objective, locally-measured fact about a single
node:</t>
        <ul spacing="normal">
          <li>
            <t>0: Green  (normal; within the configured rate)</t>
          </li>
          <li>
            <t>1: Yellow (approaching the configured rate limit)</t>
          </li>
          <li>
            <t>2: Red    (exceeding the configured rate limit)</t>
          </li>
        </ul>
        <t>Values 3 through 255 are reserved.</t>
      </section>
      <section anchor="overflow">
        <name>Handling Metadata Overflow</name>
        <t>This namespace does not define specific data fields for indicating
metadata space exhaustion. Instead, implementations <bcp14>MUST</bcp14> utilize the
standard <strong>Trace Option-Type Flag: Bit 0 (Overflow)</strong> as defined in
<xref target="RFC9197"/>, Section 4.2. When an IOAM node cannot add its security
metadata due to lack of space in the packet, it <bcp14>MUST</bcp14> set this Overflow
flag to indicate that the trace data is incomplete.</t>
      </section>
    </section>
    <section anchor="encoding">
      <name>IOAM Encoding of Security Metadata</name>
      <t>(#fields) defines the security metadata fields and their natural
sizes. Because <xref target="RFC9197"/> does not provide a TLV container for IOAM
trace data -- IOAM-Data-Fields are fixed-format, and their presence is
signaled by bits in the IOAM-Trace-Type bitmap -- the security
metadata must be mapped onto an IOAM-compatible encoding. This section
defines three candidate encodings, all compatible with the integrity
protection described in (#integrity) except where noted.</t>
      <t>The first two encodings carry the security metadata as IOAM-Data-Fields
within a Trace Option-Type. This is deliberate: it is the Trace
Option-Types whose Integrity-Protected variants chain the Integrity
Check Value (ICV) hop by hop ((#integrity)), which is exactly the
cumulative "Chain of Custody" this document relies on.</t>
      <t>To satisfy IOAM's requirement that data be aligned on 4-octet
boundaries, the three single-octet fields (Filter Action, Severity,
and Policer State) are packed into a single 32-bit word, used by all
encodings:</t>
      <artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Filter Action |   Severity    | Policer State |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
      <section anchor="enc-a">
        <name>Encoding A: Opaque State Snapshot</name>
        <t>This document specifies the IOAM "Opaque State Snapshot" field defined
in <xref target="RFC9197"/> (signaled by IOAM-Trace-Type bit 22) as the primary
encoding. This field exists to carry arbitrary, schema-defined
per-node state, and consists of a 1-octet Length, a 24-bit Schema ID,
and a variable-length opaque data block.</t>
        <t>Because bit 22 is already defined, this encoding consumes no new
Trace-Type bits. It is carried as part of each node's node-data within
a Trace Option-Type, so it inherits the hop-by-hop ICV chaining of
(#integrity) for free, and its variable-length block can carry the
full-size fields of (#fields), including the 64-bit Session ID.</t>
        <t>The one consideration it introduces is schema distribution. <xref target="RFC9197"/>
leaves Schema ID distribution to an out-of-band mechanism, so the
metadata is not self-describing on the wire. To make it interoperable
rather than operator-private, this document defines a single fixed
schema for the Security_Metadata namespace and seeks a Schema ID
assignment for it ((#iana-schema)); within the Security Metadata Domain
the schema is provisioned alongside the namespace configuration and
per-node keys that are already required.</t>
        <t>The schema places the fields in the following order: Filter Node ID,
Filter ID, Policy ID, the packed Action/Severity/Policer word,
Timestamp, Threat ID, and -- when present -- Session ID.</t>
      </section>
      <section anchor="enc-b">
        <name>Encoding B: Packed IOAM-Trace-Type Bits (Compact Profile)</name>
        <t>This encoding defines new IOAM-Trace-Type bits (from those available
for assignment via the IETF Review process <xref target="RFC9197"/>), each signaling
a fixed 4-octet word of security data:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Firewall word 1:</strong> Filter Node ID (32 bits).</t>
          </li>
          <li>
            <t><strong>Firewall word 2:</strong> Filter ID (32 bits).</t>
          </li>
          <li>
            <t><strong>Firewall word 3:</strong> Filter Action (8 bits) + Policy ID (24 bits).</t>
          </li>
          <li>
            <t><strong>DDoS word:</strong> Threat ID (16 bits) + Severity (8 bits) +
Policer State (8 bits).</t>
          </li>
        </ul>
        <t>Timestamp reuses the existing IOAM timestamp data fields <xref target="RFC9197"/>.
Session ID is omitted ((#session-id)); per-flow correlation falls back
to the IOAM flow context and the underlay 5-tuple, and DDoS
aggregation uses the Threat ID. The profile therefore requires four
new Trace-Type bits (or three, if the deployment reuses the existing
IOAM <tt>node_id</tt> in place of a distinct Filter Node ID).</t>
        <t>It is compact and fixed-format, suiting high-rate hardware data paths,
and inherits the ICV chaining of (#integrity). Its principal cost is that
it permanently consumes scarce, globally shared Trace-Type bits,
giving it the highest IANA and working-group cost of the three. To
avoid spending a new bit on the DDoS word, an implementation <bcp14>MAY</bcp14>
instead carry it in the existing IOAM "namespace specific data" field
<xref target="RFC9197"/>, at the cost of consuming that single namespace slot.</t>
      </section>
      <section anchor="enc-c">
        <name>Encoding C: Dedicated Option-Type or Sub-TLV Structure</name>
        <t>This encoding defines a dedicated, TLV-structured carriage for the
security metadata, analogous to the Sub-TLV design in the companion
Geneve specification. Each field or group of fields is a
type-length-value element, making it self-describing on the wire via
an IANA type registry, supporting optional and variable fields
(including the full-size Session ID), and avoiding any Trace-Type bits.</t>
        <t>Its cost is the heaviest standardization effort of the three: it
requires a new IOAM Option-Type or an agreed sub-TLV structure plus an
associated IANA registry. A new, custom Option-Type is also not
automatically covered by the Integrity-Protected Option-Types of
<xref target="I-D.ietf-ippm-ioam-data-integrity"/>; to retain the integrity
leverage it would need to be registered in that document's "IOAM
Integrity Protection Methods" registry, and until then does not
inherit the hop-by-hop ICV chaining for free.</t>
      </section>
      <section anchor="comparison">
        <name>Comparison and Discussion</name>
        <t>The three encodings trade standardization cost against flexibility.
Encoding A consumes no new Trace-Type bits, can carry all fields at
full width, and inherits the integrity chain-of-custody of (#integrity)
for free; its main cost is schema distribution, for which this
document defines a fixed schema whose registration mechanism is left
to working-group discussion ((#iana-schema)). Encoding B offers a
compact, fixed-format hardware encoding at the cost of new, globally
shared Trace-Type bits and reduced field widths. Encoding C offers
self-describing, registry-based interoperability at the cost of the
heaviest standardization effort.</t>
        <t>For concreteness, this document specifies Encoding A in full and uses
it as the primary encoding. The authors believe it offers the best
balance for an initial specification, but the choice among the three
-- and whether more than one should ultimately be standardized -- is
left open for working-group discussion, and a future revision will
record the resulting consensus.</t>
      </section>
    </section>
    <section anchor="use-cases">
      <name>Use Cases</name>
      <section anchor="firewall">
        <name>Firewall Use Case</name>
        <t>The primary use case for this metadata is to allow an Enforcement
Point (EP) to embed a verifiable attestation of a packet's security
disposition within the packet itself. This allows downstream nodes to
verify and audit that security context. Each EP <bcp14>MUST</bcp14> apply its own
security policy independently; the metadata enables cross-correlation
and auditing of those independent decisions, not delegation of
enforcement. These enforcement points (EPs) can take several forms:</t>
        <ul spacing="normal">
          <li>
            <t>Virtual Switches (vSwitches) with integrated firewalling</t>
          </li>
          <li>
            <t>Cloud-native firewalls (e.g., security groups)</t>
          </li>
          <li>
            <t>SmartNICs/DPUs offloading security functions</t>
          </li>
          <li>
            <t>Service-chained virtual or physical firewalls</t>
          </li>
        </ul>
        <t>Each of these nodes can inspect the packet and insert IOAM data fields
indicating the action taken (e.g., allow, deny, log), the policy
that was applied, and its own identity. As is inherent to IOAM trace
data, each EP appends its own fields, so a downstream node sees the
accumulated attestations of all EPs on the path and can correlate
them. A downstream node (e.g., the destination host, a network tap, or
another firewall) can then be programmed to inspect this metadata. The
downstream node does not trust the upstream decision in place of its
own; it enforces its own policy and uses the metadata to verify and
audit consistency across EPs.</t>
        <t>This mechanism complements, rather than replaces, the centralized
control or management plane. The management plane validates <strong>intent</strong>
(that the correct policy was provisioned to each EP); this metadata
validates <strong>execution</strong> (that the policy was actually applied on the
data path). This is valuable because:</t>
        <ul spacing="normal">
          <li>
            <t>Intent may be provisioned correctly while execution diverges
(e.g., a software bug, stale rule, or hardware fault).</t>
          </li>
          <li>
            <t>Out-of-band validation of execution is costly (packet sampling,
log analysis), less reliable (clock skew and race conditions when
correlating events across EPs), and incomplete (bounded by the
sampling rate).</t>
          </li>
        </ul>
        <t>This enables several key security capabilities:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Verification of Enforcement:</strong> The downstream node can verify
that the packet has been stamped by all expected security nodes,
proving it passed through all required checkpoints. This differs
from proof-of-transit mechanisms (such as the IOAM POT
Option-Type <xref target="RFC9197"/>), which prove only that a packet
<em>traversed</em> a predefined set of nodes: a node can satisfy
proof-of-transit while its security function is disabled,
fail-open, or applying a stale rule. By attesting the action
actually taken (the <tt>Filter Action</tt> and <tt>Policy ID</tt>), this
metadata validates that the security function <em>executed</em> and
records <em>what it decided</em>, not merely that the node was on the
path.</t>
          </li>
          <li>
            <t><strong>Detection of Policy Bypasses:</strong> If a packet arrives missing a
TLV from an expected enforcement point, it indicates a potential
bypass due to misconfiguration, a policy routing error,
implementation failure, or a malicious attack. This capability
enables alarms such as:  </t>
            <artwork><![CDATA[
"Policy violation detected: Expected inspection from node
 0x192A44B1 (FW02-Datacenter-Core) is missing, indicating a
 bypass -- POLICY_VIOLATION_BYPASS."
]]></artwork>
          </li>
          <li>
            <t><strong>Detection of Action Mismatches:</strong> The metadata allows for the
detection of conflicting actions, scoped by the <tt>Policy ID</tt>
((#policy-id)). Divergence is interpreted as follows:  </t>
            <ul spacing="normal">
              <li>
                <t><strong>Same <tt>Policy ID</tt>, different Action -&gt; ALARM.</strong> If two EPs
both reference the same <tt>Policy ID</tt> but record conflicting
actions for the same packet (e.g., one ALLOW, one DENY), this
indicates that two EPs that <bcp14>SHOULD</bcp14> agree do not -- typically
due to a failed configuration push, stale rules, or
compromise. This is reported as a <tt>POLICY_ACTION_MISMATCH</tt>:      </t>
                <t>
"Policy violation detected: Mismatching action from node
 0x192A44B1 (FW02-Datacenter-Core) (allowed a packet which
 should have been dropped) -- POLICY_ACTION_MISMATCH."</t>
              </li>
              <li>
                <t><strong>Different <tt>Policy ID</tt>, different Action -&gt; no alarm.</strong> If the
EPs reference different <tt>Policy ID</tt> values, they are applying
different policies at different points in the hierarchy (e.g.,
a perimeter allow policy and a downstream microsegmentation
policy). An ALLOW/DENY divergence here is intentional policy
layering and does NOT trigger an alarm.</t>
              </li>
            </ul>
          </li>
          <li>
            <t><strong>Auditing and Compliance:</strong> The collected metadata can be stored
for subsequent analysis, enabling cross-vendor auditing,
compliance verification, and supporting zero-trust security
models.</t>
          </li>
        </ul>
        <t>In cases of detected policy bypass or action mismatch, the Enforcement
Point can utilize <strong>IOAM Direct Export <xref target="RFC9326"/></strong> to immediately send
the conflicting packet headers and metadata to a security collector
for forensic analysis, even if the packet itself is subsequently
dropped.</t>
      </section>
      <section anchor="ddos">
        <name>DDoS Use Case</name>
        <ul spacing="normal">
          <li>
            <t><strong>Inband Metadata-Driven Mitigation:</strong> Because the threat
metadata travels inband with the packets themselves, a downstream
node can act directly on each marked packet, using the embedded
signal to drive its own resource-allocation, scheduling, and
state-retention decisions for that traffic.</t>
          </li>
          <li>
            <t><strong>Distributed DDoS "Heat Map" and Real-time Mitigation:</strong> The
metadata can be used to create a distributed "heat map" of a DDoS
attack. An EP acting as a policer/rate-limiter, when experiencing
a high rate of traffic (above configured allowed limits), can
embed its <tt>Filter Node ID</tt>, its <tt>Policer State</tt> (e.g., "red"),
<tt>Threat ID</tt>, and <tt>Session ID</tt> into the metadata of the (allowed)
packets it forwards. This provides a granular, per-packet signal
about network stress. The division of labor across these fields
is deliberate: <tt>Threat ID</tt> identifies <em>what</em> the traffic is,
<tt>Policer State</tt> is each node's <em>objective</em> report of its own
congestion, and <tt>Severity</tt> is the <em>aggregate magnitude</em> a
downstream node computes from many such reports. This enables a
powerful two-tiered analysis model:  </t>
            <ul spacing="normal">
              <li>
                <t><strong>Tactical Mitigation:</strong> A downstream aggregation EP can
monitor this metadata. If it observes a "red" <tt>Policer State</tt>
from multiple distinct upstream <tt>Filter Node ID</tt>s for the same
flow (e.g., matching the same <tt>Session ID</tt>, <tt>Filter ID</tt>, or
<tt>Threat ID</tt>), it can raise the <tt>Severity</tt> accordingly
((#severity)) and perform immediate, localized mitigation,
such as shunting the flow to a scrubbing appliance or applying
a more aggressive filter. Because Severity escalates as
corroborating reports accumulate, a single threshold on
Severity lets further-downstream nodes act without re-counting
the underlying reports.</t>
              </li>
              <li>
                <t><strong>Strategic Analysis:</strong> Concurrently, this metadata can be
exported via telemetry (e.g., using IOAM Direct Export
<xref target="RFC9326"/>) or packet mirroring to a central controller, which
aggregates the data from all EPs to build a global, real-time
visualization of the attack's path and intensity, enabling
strategic response and detailed forensic analysis. This
provides a valuable piece of telemetry to the central
controller. The message can effectively say, "A distributed
attack with Threat ID 123 has been detected, originating from
sources A, B, and C, and flowing towards target Y." This
provides the central controller with a real-time "attack
path," allowing it to construct a global "attack graph" and
make more intelligent, strategic decisions.</t>
              </li>
            </ul>
          </li>
          <li>
            <t><strong>Intelligent Load Balancing:</strong> Downstream load balancers and
routing nodes can utilize the <tt>Policer State</tt> or <tt>Severity</tt>
metadata to dynamically route traffic away from stressed security
nodes or congested paths. This enables both security and routing
elements to use the security signal as a routing metric,
optimizing network performance and resilience by steering traffic
toward less-stressed or alternate routes. This allows for
real-time, distributed, and autonomous mitigation of DDoS and
overload scenarios.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="enforcement">
      <name>Enforcement Model: Verify-or-Drop</name>
      <t>Each enforcement point (EP) <bcp14>MUST</bcp14> apply its own security policy
independently. Verification of upstream security metadata is an
<strong>additional</strong> capability layered on top of independent enforcement;
it is not a prerequisite for, nor a replacement of, an EP's own
inspection. An EP never delegates its enforcement decision to an
upstream EP based on the metadata it carries.</t>
      <t>A key property of this model is that the <strong>absence</strong> of an expected
attestation is itself a security event. When an EP cannot verify the
metadata it expects (because the attestation is missing, was stripped
in transit, or fails the integrity check defined in (#integrity)), its
behavior is determined by local policy:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Strict mode ("Verify-or-Drop"):</strong> Unverifiable or missing
expected metadata is treated as absent, triggering a
<tt>POLICY_VIOLATION_BYPASS</tt> alarm and, optionally, a packet drop.
This is appropriate for high-security environments (e.g., PCI
compliance zones).</t>
        </li>
        <li>
          <t><strong>Permissive mode:</strong> The EP logs the event, enforces its own
policy independently, and forwards the packet. This is appropriate
during migration, key rotation, or in multi-tenant environments
where not all EPs are provisioned for all security domains.</t>
        </li>
        <li>
          <t><strong>Non-participant nodes:</strong> An EP that has never been provisioned
with the relevant key material simply forwards the packet with the
metadata intact. The metadata passes through opaquely, as any
other IOAM data field would.</t>
        </li>
      </ul>
      <t>In all cases, the EP enforces its own security policy regardless of
whether it can verify the metadata.</t>
    </section>
    <section anchor="integrity">
      <name>Integrity Protection</name>
      <t>The security metadata defined in this document is sensitive. If
modified by an attacker, it could allow malicious traffic to bypass
security checks or trigger false alarms. Because the data path may
traverse untrusted or semi-trusted segments, the authenticity and
integrity of these attestations <bcp14>MUST</bcp14> be protected.</t>
      <t>Therefore, implementations of this namespace <strong><bcp14>MUST</bcp14></strong> carry the
Security_Metadata data fields within one of the Integrity-Protected
Option-Types defined in <xref target="I-D.ietf-ippm-ioam-data-integrity"/>, rather
than within an unprotected IOAM Option-Type. That document does not
add an "integrity flag" to an existing header. Instead, it defines new
Integrity-Protected Option-Types -- corresponding to the Pre-allocated
Trace, Incremental Trace, POT, and E2E Option-Types of <xref target="RFC9197"/> --
and inserts an <strong>Integrity Protection header</strong> between the IOAM
Option-Type header and the IOAM-Data-Fields. The Integrity Protection
header carries:</t>
      <ul spacing="normal">
        <li>
          <t>a <strong>Method ID</strong> identifying the integrity method;</t>
        </li>
        <li>
          <t>a <strong>Nonce</strong> (12 octets); and</t>
        </li>
        <li>
          <t>an <strong>Integrity Check Value (ICV)</strong>.</t>
        </li>
      </ul>
      <t>The integrity method is AES-GMAC (Method ID 0), and the ICV is the
full 16-octet GMAC authentication tag; it <bcp14>MUST NOT</bcp14> be truncated. The
12-octet nonce is constructed from a Key ID, the Encapsulating Node
ID, and a per-packet counter, so that a key-nonce pair is never
reused.</t>
      <t>Each participating node uses its own unique symmetric key, distributed
only to that node and to any Validator that must verify its
contribution. When the Integrity-Protected Pre-allocated Trace or
Incremental Trace Option-Type is used, each Enforcement Point folds
the security data fields it appends into the ICV by computing the GMAC
over the received ICV concatenated with its own immutable data fields.
This produces a cumulative, hop-by-hop chain that a Validator can
verify to confirm that the attestation contributed by each Enforcement
Point on the path is intact and was not altered by a later node. This
is the cryptographic realization of the "Chain of Custody" described
in this document.</t>
      <t>The Direct Export (DEX) Option-Type <xref target="RFC9326"/> carries no
IOAM-Data-Fields and is explicitly out of scope for this integrity
mechanism; security metadata that must be integrity protected
therefore <bcp14>MUST NOT</bcp14> rely on DEX as its carrier. DEX retains its role in
exporting already-collected metadata to a collector ((#firewall)).</t>
      <t>The scope of this verifiability is bounded by the Security Metadata
Domain ((#namespace)): only nodes provisioned with the relevant key
material can produce or verify these attestations. Operators <bcp14>SHOULD</bcp14>
scope key material to the smallest practical domain (for example,
per-tenant or per-security-zone) rather than using a single global key
for the entire deployment, which would create a single point of
compromise.</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document makes the following requests of IANA.</t>
      <section anchor="iana-namespace">
        <name>IOAM Namespace-ID</name>
        <t>IANA is requested to assign a new IOAM Namespace-ID for
"Security_Metadata" from the "IOAM Namespace-ID" registry.</t>
      </section>
      <section anchor="iana-schema">
        <name>Security Metadata Schema ID (Encoding A)</name>
        <t>For the Opaque State Snapshot encoding ((#enc-a)), IANA is
requested to assign a Schema ID identifying the fixed Security_Metadata
schema defined in this document (the field order given in
(#enc-a)). Because <xref target="RFC9197"/> scopes Schema IDs to an IOAM-Namespace
and does not define a global Schema ID registry, the exact
registration mechanism is an open item for working-group discussion;
one option is to record the assignment within the Security_Metadata
namespace definition.</t>
      </section>
      <section anchor="iana-tracebits">
        <name>IOAM-Trace-Type Bits (Encoding B)</name>
        <t>If the compact trace-bit profile ((#enc-b)) is adopted, IANA is
requested to assign new bits in the "IOAM Trace-Type" registry, via
the IETF Review process, for the firewall and DDoS words defined in
(#enc-b).</t>
      </section>
      <section anchor="iana-typereg">
        <name>Security Metadata Type Registry (Encoding C)</name>
        <t>If the dedicated TLV encoding ((#enc-c)) is adopted, IANA is
requested to create a "Security Metadata Type" registry enumerating
the field types defined in (#fields); and -- to retain integrity
protection -- a corresponding entry would be required in the "IOAM
Integrity Protection Methods" registry defined in
<xref target="I-D.ietf-ippm-ioam-data-integrity"/>.</t>
      </section>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>This document defines IOAM data fields that influence security
enforcement, so the authenticity and integrity of these fields is
paramount. Forgery, tampering, and replay are addressed by carrying
the Security_Metadata fields within an Integrity-Protected Option-Type
as described in (#integrity); that mechanism, defined in
<xref target="I-D.ietf-ippm-ioam-data-integrity"/>, provides the AES-GMAC
authentication, the per-node ICV chaining, and the nonce-based replay
protection on which this document relies. This document does not
define its own cryptography and does not restate those guarantees.</t>
      <t>The scope of any compromise is bounded by the Security Metadata Domain
((#namespace)). Because each participating node uses its own unique
symmetric key, the disclosure of one node's key allows an attacker to
forge only that node's contribution, not the attestations of other
nodes on the path. Operators <bcp14>SHOULD</bcp14> scope key material to the smallest
practical domain (for example, per-tenant or per-security-zone) rather
than provisioning a single global key, which would create a single
point of compromise.</t>
      <t>The data fields themselves are opaque, locally scoped identifiers
(for example, <tt>Filter Node ID</tt>, <tt>Policy ID</tt>, and <tt>Threat ID</tt>) and are
carried without encryption, as is normal for IOAM data fields. Without
the operator's out-of-band mapping, an on-path observer cannot derive
their semantics; the residual exposure is limited to correlation
(observing that flows share a classification) and is no greater than
that of ordinary IOAM telemetry. The aggregate <tt>Severity</tt> value
((#severity)) is computed by a node from many upstream reports;
integrity protection ensures it is not altered in transit, but
downstream nodes that act on it inherently trust the originating and
aggregating nodes to report it honestly, which is why all
participating nodes must be members of the same Security Metadata
Domain.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9197">
          <front>
            <title>Data Fields for In Situ Operations, Administration, and Maintenance (IOAM)</title>
            <author fullname="F. Brockners" initials="F." role="editor" surname="Brockners"/>
            <author fullname="S. Bhandari" initials="S." role="editor" surname="Bhandari"/>
            <author fullname="T. Mizrahi" initials="T." role="editor" surname="Mizrahi"/>
            <date month="May" year="2022"/>
            <abstract>
              <t>In situ Operations, Administration, and Maintenance (IOAM) collects operational and telemetry information in the packet while the packet traverses a path between two points in the network. This document discusses the data fields and associated data types for IOAM. IOAM-Data-Fields can be encapsulated into a variety of protocols, such as Network Service Header (NSH), Segment Routing, Generic Network Virtualization Encapsulation (Geneve), or IPv6. IOAM can be used to complement OAM mechanisms based on, e.g., ICMP or other types of probe packets.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9197"/>
          <seriesInfo name="DOI" value="10.17487/RFC9197"/>
        </reference>
        <reference anchor="I-D.ietf-ippm-ioam-data-integrity">
          <front>
            <title>Integrity Protection of In Situ Operations, Administration, and Maintenance (IOAM) Data Fields</title>
            <author fullname="Frank Brockners" initials="F." surname="Brockners">
              <organization>Cisco Systems, Inc.</organization>
            </author>
            <author fullname="Shwetha Bhandari" initials="S." surname="Bhandari">
              <organization>Databricks</organization>
            </author>
            <author fullname="Tal Mizrahi" initials="T." surname="Mizrahi">
              <organization>Huawei</organization>
            </author>
            <author fullname="Justin Iurman" initials="J." surname="Iurman">
              <organization>University of Liege</organization>
            </author>
            <date day="11" month="May" year="2026"/>
            <abstract>
              <t>   In Situ Operations, Administration, and Maintenance (IOAM) records
   operational (including telemetry) information in packets while they
   traverse a path in the network.  RFC 9197 specifies data fields for
   IOAM (a.k.a IOAM-Data-Fields) and associated data types.  This
   document specifies integrity protection of IOAM-Data-Fields for
   Intra-IOAM-Domain use cases.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ippm-ioam-data-integrity-19"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9326">
          <front>
            <title>In Situ Operations, Administration, and Maintenance (IOAM) Direct Exporting</title>
            <author fullname="H. Song" initials="H." surname="Song"/>
            <author fullname="B. Gafni" initials="B." surname="Gafni"/>
            <author fullname="F. Brockners" initials="F." surname="Brockners"/>
            <author fullname="S. Bhandari" initials="S." surname="Bhandari"/>
            <author fullname="T. Mizrahi" initials="T." surname="Mizrahi"/>
            <date month="November" year="2022"/>
            <abstract>
              <t>In situ Operations, Administration, and Maintenance (IOAM) is used for recording and collecting operational and telemetry information. Specifically, IOAM allows telemetry data to be pushed into data packets while they traverse the network. This document introduces a new IOAM option type (denoted IOAM-Option-Type) called the "IOAM Direct Export (DEX) Option-Type". This Option-Type is used as a trigger for IOAM data to be directly exported or locally aggregated without being pushed into in-flight data packets. The exporting method and format are outside the scope of this document.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9326"/>
          <seriesInfo name="DOI" value="10.17487/RFC9326"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA6196XbjRpbm/3iKGPlHkWyCTslZrrKyT/UoJbmsM7lorLRr
fPr0KQWJIIlJEGAjQMl0VtazzLPMk83dYgOpzPTMuBZLFAFE3LjLd1cURaH6
qq/tub55e/FaX5ne6O8rW5dOL9sOfuzso6lrbZpS39nFrqv6vX5te1PCN5WZ
zzv7INeG74Y/l+2iMRu4d9mZZV+4qlmti41ZNLaqi6o1m2Ip1xQbuaZ49kwt
TG9Xbbc/164vldvNN5VzVdv0+y2u8/rd96radue673auP3v27LtnZwquhb+d
PTv7tnj2p+LZqXI9LPnvpm4b+HxvndpW5/rf+3Yx1a7t+s4uHfy03/APi3az
sU3v/kO9t/vHtivPldYF7Yt+8OukX5yng180fXp11d7RD4u1qRrdLvUClteW
e2V2/brt+I5V48717UzfIS3gE62ZQredcWvT9Mkf2m51rn+wj7Xte31rFu9N
V+rrprfdtqucpe/Yjanqc72Vq2dE4v+63toZ7Cg+8HqmX5vFGyB78sjrDpaZ
fvw7Hmjh2pmcZHhc03Yb01cPFrf64/eXZ6en38mPfz7903P58bvT7/6EP94U
V7PK9sui2m43zA3EABU8cIXkPVdVsxzc8rtvzr49V6ooCm3mru/Molfq3bpy
Gnhth0eoS7usGuu00Y19ZM58A/t1W7OwxMbGuXZRAb+UKbsrZPeF6bo9kDCc
N13gz7vobE2X+XPXj1W/BiL2a6tvGuDvfqfebm0HK24b4KqLclM1FS4TP5jS
zV4b3GBjGljNCFc31ssO1gdM916PYIsaCTSewa4sPAiYCe6w0bCW9tFpaxbr
yH/XSJ+FpW3ftnBf3Taw763p17pvlel7/LrRD3Bcy8rMayBA31sQDVwPsiiu
HGiIv1U9XNO+97dYvLf9jEkL/ID0fWxgJ9ZsDh/raGct3KzTTVsC8RdtAyTc
wP1Nr8J6t21dLfb60Th86A72tNf2V/grErVlOhJdaQdwxqXtLayuWSm5dL7f
wvFZfmD4qy6BQ7qVRZrObf9obXNkkQoXo01n4ZlbuBCe2bfarDpr8VmP6wro
QwQ+pCvsBx60gwcjXbdbWHgF2waa+E1VTWm3Fv6v6eGPcOJIDHhiA8us7crQ
Om28sdD2wdRVGY6DiYG/gDxta/qiI7JsTGNWvKJtbRr7B6fyS4mr+plmthH+
NLVr4aF48k7D2dVFX22sdtWqgYthQe2SKQtrRa6wrPVRlelN1Vcruj3cFO/i
dkA6YhjQZ/CsaoFnCgehgsgyS8G2guQi2/eZfNYWzgr2wvsKl6pt19JxwnYC
2zuR5lJ7KUNxpq3FCx0cJrD3gkkxYlvzSc0C0kUqZFOVZW2V+gqkt+/acseP
//BVhb9+VCSDItj69wu2ioL94YNovo8fQVm3D1VJGirKN2mftq6FoVv/MFMr
vHlvkRn6bp9SNlU/LLCg20iOOwM0dkxi1YBEwBpm+m/E4UxCUZJEymW09/BY
uj1uAp9XLUD8q/dWId8Ah2y2U/2fO7sDObXbfs07R5HXFXI+HAM8d4prKFu4
fdOC6Oy6joRC8UP94/yxoRAGDZEJiLoBVoB7d8DgsJ/a7LXsBR5BOo10NYk1
bHmJN1sDBfz2QdUH5ohWOTxruWvovJ0e2dlqNg1KH+5+c3V7Nybe5hXhc7wK
Mi5qKxIavOtuK8qxtA8gTnAMoAThMcCW9WxgoeyvwCdAAToJ3P1uuwVIgjd0
Nq5vB78sDJ7iXGiHqzhq1vDoTg7g2QmbO7hjj4KenjU8lWxdxk5uh9bCgUGs
weYDDZDTF8Ly79awvV69AulFAuGdb5kg8L0ZiwrAhI2Bm6K27Kr5LlqZdPuV
aDQ42Vr2zKtSrKmmxDb4FVmsgLj5Ptpng5xaXN9OU9vW2QUgN5Wbtd68t6SD
UtMCutvWS7AVoGaBvhblEVmeWInPWaGVCsYJfiaxRRhqS9SyUXfDDSZBcU+I
aYbamwjS1oCwDhQ5mh76CnzSwQ1/swB59663m5Eby4L8k9nqod5B4iasIqwJ
p4r2Sx3Yr2k4W7BHd1dv/IJq201hUQs4BNRlLf12YK95yZ0YSbhPsnE2OxM9
YimkvYK8AyxLjH1CuvEMFCocQgeSsatNR7pCBMApsejMNUOTP4K1B8ud4hg4
CgCDsAyW2OwmwgUJQHALUK4lclPgXz16Ci24dburSwEJzF+EbeBC0tN8e4cG
5eXemzZWSqJpgw0QOwi02LbO1MB8Dcg0MMiyazf0XbDp9lc4XUYKC7N1QKGh
QSRrQLKG97Gp8T1uQT98+CzS/vhxqsxDW5V+5Y0FCqFSMbBMt23f20Onhx7X
gs2aoQG9bJsHNACoTj98tYi/iRUFt0qjX+X0yeuf7t6dTPnf+s1b+vnH6//+
082P11f4890PF69ehR+UfOPuh7c/vbqKP8UrL9++fn395oovhk919pE6eX3x
ywkrrJO3t+9u3r65eHXCeCLVSogLQX7mDEnA47Es98BODhT5nDHIy8vb//2/
Tp8DUf+LODhg0PkXdHHgl8e1FUDQNgAE+Veg6R5hozUd3gUdCzjeqjekSh2y
GSBJQIwWiDn5d6TMf5zrf50vtqfP/yIf4IazDz3Nsg+JZoefHFzMRDzy0ZHH
BGpmnw8ona/34pfsd0/35MN//bcawUBx+ud/+4siCIbSEmxYtG0fvmr8zx9/
j68HbuIEHNbJJHxS3FydTyb63UsQ+Hd01KBYAAqzNri5eHMxTi7Br/rl/D2E
NPjvV8QTW2Rw/NqFbjJTHMxUanK98wgOBDrSxyDP1Os8NmqLBF32ZH4jckd0
hNtld0vgIjwxQEIgU1wU8U8CM2hhShaWQOzRV/zZWAw6I4djDp9oR5QaFG1A
ELBkw/5yeK4iN3C1YyhLpKGFBRVSIVmWFgwG+2JsLScTT3fl6a6v2g3gt8mE
HZySftPzdteUCDgqMmwJaIZNLcjinCu8I/8FHu8Zhu3Y9a0TU1RtEcfN99FU
iSrcEPkBg+/1z2z10EgilRn/7TcMk3Mq7Jzoz6PuzWj0VXRFwCBeo88Z14FP
Jki9JjTPXuauqQB3Y3SKFEZn/3NXdcy4X6TgZ/oCfOJbdsjxxoix5ugoJ8Y5
7guY1T5gOCrbFpC53fUOwBI5FgeAU06J3SFRWShmqb+9JT/LIhRiCK8SU+5m
cK/NHMD7utp6n+/Jx8ByxJiDTOE37w/k9V5n0o+KAikL+glEabOre0Bg7c6B
c5LyAToK5L+ziPk7AATBM7W/GkR309RZUhvgGGAN8t06icB0Bv2GMQswwByQ
4EVP2DuXAjIUcCfFTpyL+uNLNkV8xvwMz4CjVcNjFbgKwrgAp42FBTD1CjbO
i7H6BHdaMF1PvEYAaJE6rmTnhwHiowqblYhY/mWLoauhNkTF4RUP3gednejO
qoM9x1OQ3TgRJi/RpDichdOAY3QMwxvTg+6p4ah/IyeNgju0gJn+oX3MnA8O
DDULYI/g3T2CiCnDjlqBOy9k56k7X2CMdVHvCDyBHUdjDlo2uSsda6mA1BsL
CpWhnn5etCATADxq0Oms/ZFP+CSTq5EZKlbPBO5pjfgsfHDU3s4CBwPzYmQK
Fbn/GuiXn5raOjSS3hmO95CgD3H7YwXEyDmc8fwGNkBeyBLjB1Wj6O7FfDzm
b6RkdnoFUBtUs4VD1xQpQ775yjuVb1D8EHF/c1bMK0DsyC34lwIFs6hK4JoL
zX8EtW1A6SWhBTEhNjWaYDMxQkcGqWqc7UjRAA95+WKTAT4L3sqJJk1jJyaJ
5jwE40Jq3+ODh8ocDcPNYEO9+I2Ph+EVo+5xW3+vynuB/3SwPprLCDuEKA73
qQ6CFbpakgcILNez50COcts9mq70liOj+FFi53Q+QuCwKL6AlBpjk25X+w2D
rgHbAN4j2aEYhsqefyFG78+DJbDrhMtoNP3NH1FTEvIR9Ze68f4pPlADppM5
1SkWQQ/6np3rCyQx/XJ6rq9ss//6Cjwm+uDsXP8IbF+8qjZVT598c65ftSv6
8fm5/p6p6cNCCEyA5kvAKXjuwGEY4eGA0ph2+s4Hx/To2+d+myFiRpTmz3X4
EIX0zbtbzdGXdNPoMaQ7Rweadi9hJH8FCrTcddcImy6rX21ZsEA0OzSkCVYh
NGA7snTetgIlXQ9soOdVH33LZcfPBplOv1yb+F0+4sSDjizGfPJZUSYWAij7
3h1ItD9zJDzq/VJNJjEowXoIoSAHNMlIBma/j89IVR6xraLcBiGAEVm9R1jD
iWix+7CZ7BYkDINnqxDsIGGoGEWihfG33Z+MxU4lcUCWdzAUHDrwcaIKAcQM
uS5VvHAdkHVB4YfOgjvqiDJBDTNd7reLqiidKx6ez56BjrmnCHRfzEGSikc7
L3og9T1GdfR91fYFRyeLyrUcWbgHXKgk9JQqN45AgceOj58jHnRbgGcVhtmW
FMXabkVCnZXDVXLUN1dOz0EPCLao4NvWIJ5e7ups+cJEd5ayu8RFzNBT7R1G
5CfHf/cMFXi+esI2LNHywM9yHS6DjWpUUArNU7NyckaJOrbG4b0oiFWH5EpM
qCy6FkwpIscKDiogNok5OtgVPd8fflwdRj33W2QDsNBBcgGurTE2G5cGyOCP
Rb+Dm+uRa3cgEl+Dhwccw4sxZQlnAVubhvgLeyhHvksxtTGbvyAH9MRoTUBz
+lAlXVSELNYLcQQc7hWOGo4H94BuKAdEyeOig2fFHZyehHhwwsnxwvX+YGf6
po+ZEHAQakwnUVSXzi+5x1QJugW6t47NhPGMCP+zwJeL4YnNbQMqUY8a2BL7
zmMlOYIpqlgAVk2r7zmqzTKPsTmWMuCYVdfuthpzX8l3FHhufDNgxvFYiiLC
9vwSbGItEGSsJF3ZotOF9QxwRD3Gb3EDANDhrwTAzrP10Aqc9hwGpm9CdFC8
ggkFlTTZ36lgj2QtT11N3DlRdC0LAeyWYrIeEzohD4N59hsQGxHKHCWIEOkJ
ugTZWKR6qhNkmCwG3S1QIi2YW+CdF2xPwA/F7MbRI9dLTMOkWkSHyChHVfkC
sGi/9sqbrR3wLWWJRIAYUFMy06xWneVsJvq2qNgZ46uMBdjO0RUYrGT9FL6Q
GrnABk/gqGqZpuVQx8SqA7LIRr9v0LHnGymfgkJEZ3y0By12De4Bxa2XFqPn
ojHRdQZ7FEGVk49SPBVggVj+aEcCuBKyoInj6ykBQEF9x78tUc7tAxkfZhfa
Vr+exWWA+LJS0pONWYEjDEhsokYn5A3BEiiW5TM/lUOLGzMkwc9NDmLEnJ6Y
YebeiVBmHKDKfYYy/ZUSquf850SMl50wjgKNeCFYE3b3TOfpalO/0Gd//GOe
v1Nhq/RlTN9xNGOO0SrcC2WJQMoSRptMsjIAB2ZHjherdNAGAhABdQ8K4X+i
M/uAhhQcEVQ6F0cKGFCMFMihsxIW8Uvqw3YJOyLamiNKpTqMrmvnrQQHfZ6L
1+GNWMxdYjwsOADelKGfmTmFwfgFP+Q+d+7upU4F2A0sEKfrGF3Bd+7Q47xH
yp90tjxBlSoVCAU5o6BWsyXcRz1yTzAmsgmpLUJKj2Yfj8g6ODNyazctKNa2
8UY3Y1+0YIEeZrHYbXZ00RQdWIpWxIIXDrIiy0mKvu0QW8Lfyn2xMaVVq86U
FZ4U7Au5PibpSo7+kETZKEuVY2Te7np26yXiR48GxuosWOIOeaJCdyoG7zRx
gMtZgIJtYF9cSzy4RROON/LRwzTcG/wBDJmTGLxAlgnxOkNHmaRfQzaXOBy0
bcowWE2nAxzOCkG4lOb2Dy7LB6s8+hnMLrBrmTgVnlMSFZexSarnLLg6GN9F
P53EurNLX0jBq8JiQAn14WJWCJJgKSF7b7SvggEOwzsVNfqG8LtsLFYBkH+N
IRWsirj3J+DdewlEe4Ge6rol5isAAmP9DAAkjKWYOZ67VwR09tFz/WuH8TuE
LqCSQBslkQofT4f74CrH3r/9xSKC1SM4+a4FsvudD76vaVfj4ATDx/DPyP66
ANvymWvUz0hap79BFdzuVmvSkhigyk/vB2B3Ki0Kkbu3QCJSJB++auVHn8iJ
GYpQLiJFIgGvDitUoqccAjwCVeyva7NzXLB0A0cO0jnVObp1zObAiJho5wgL
1omitz+ZvEM8o99SWqd4t99a/X1tVuf6JfDYMz3y+xiDYjdp2kQl4UDEPQyt
n8/O0EO1GEnSIVejwRDiNgHHk3R61zJuptxRIrJG7IPlKgzD0iqfaZBXzM8Q
3/m1qSWsGC8XMtkom4TWtE+7gN4mC9xTsIjXd+2jgvDYw6D7hxBShNMLiaIs
/nqYI/ZxTLbW4ApKrFBRrHCmX9qFwdBvGlANrCDuAcjJu1c/kxJBEMqOHlXm
JlsqisMoLTInR0TYuk+TdTAQIoCrOKnG9pviIEmxWUFMwdwAfwO/1xdsHJ7c
BrgPEQE6xxRExgAGn31BmLkn/9mTMQ9kq0hIrDUANimpxiLi8innjeON8sjO
MMuU5a1TnatR3rd98IJ6Et13IRrUP7aJM8BlQsdP90hoXIm2gjMbSlMMiJSA
wOeksc+RlaUgiC5QyQWIZ1qHFXiy9OKWt0eKvqsMJiK5rosrcD0VLtcWhIcU
lh7dXP48Bpu8xdPFf+X2Z6qDcwkAZ4G1m6gVBA6g/T259JVjl1zPfTKoHAj+
BFIRbDBc5pZ7H+aXTN3G+hg1UQ5zzzWDc1QVnApQks+sEIWQyBIrsJGQbIEI
1CiDvdOABKYqFGZ5CzpOchDIKW0EoOK2oKszZfcd0UNdh/yAA6v0z3/+U4H6
O/zn9MhnZ0c++wYvP4U/faOf6z/qb/Wf9J/1d7/nM/Uvxf/jf9Q/BuHof8DC
AnyCf/4xgB349x/FsNHf/z+sASmJJjLo2YtzkA+Ki/JD7xqzdWvQfKRrC3NQ
7yBWUdQtKe2To3c4kUTD8UyeHqUq74ia02dnY5+Nl6I+NVBbfH/yypNyQtPB
1R18HXDhYm03pvAr2EqKh1NOU0HT4GU6Dp8ZfSos/so2Kyot1WccJLujOwHi
Z+42LPygAYuavuqDyyxZgLjeYzmWWBbeDQGzmgC7p4kgtpAKw8XsNmR6EBqr
nCKOAlaVC+k4E4O+BHTFmaMsVtIboI4oQsLMqPeaNfIfkxlUUzHfF6ihQGOx
WpMK7Ux5U9AL1ILPKrsDahAF0IBE3a2Wu7ouKA0qCgRj1d6GT5MEJi5FYpPR
8RLzgKEqOrJS6ix4E1w5zSWvfOjR/SEwlnCeqq1BvzQcafZVzQYTsHHRLos5
bjAUsomjEdN6+DhECVjJWYixI4LF3C0Vrm/A55eF2o4KQYBWKvXMfXVIAaz+
QMzZP1FlJHqTQIWSvXpv9RMpa+kise/xHmHrkl2kRxCy7ck2mcYUfOvxOAP/
T9VBUPBYFlNlxZbs8vp6jWQ9eV0Oho+DeL63e6nuQbPhZcbXm/i6IH7atqaq
iMRX9GmlkPMH04KBzTxAMFUhXTONOaRphLilqOmvvYr+2mtnslXqXaxGD+EA
FgiqUaXyBw7lwu8ZH6fq9+U5dTnB04Yq8CXK1ehSMt+3HN0ci1qee7UcVIdn
EF+ENtCmWDfCmVpEM+bBVDXxIKWDIg/4HDM2uIHteajgbnCYC8zdJyIE4spd
QL4UTBlmyFBRgDTKKt2RWUI5XGjTo6+dYv3aYW6elj2eHb3kLLnk89/+Jvl2
SAXzBfpf0gTi2fP8NiEKSzV7MQZ7+m24OomD+s+otm4YQfA3jnwDDL3zUZQ8
shwztKkDk5XB5BkNiWqj7MZMFYruZwLbSgLbB/Fs/fl4tkrj2WEjgUic8vGp
NlR0FvMkXorRkd51Crn1gFFJmZF5kQh2abd1uxege0AzLkIMRQ4o/6QU2KKH
AGHOYHgSYkxFwnBfuafmdpwlXVerdUFxiDU46Y9UNuTL+B3jgcyMDmxn5vig
CUf9CEuqtgZdKSfOh+kVJ582puEGroAGHBjRBZBjVbdzCiNS0WM5pNxUSdiw
Ym8b1w18RFWlXNfTdu/h7wUnlujRkjQkeqOp4hpsBHkcveOqVsqeDxITyAmD
0AZFhysOe/jejpC5z1n8JBqCLMwioDEPZ4Sqfl4w0yW03fhIdrxh3fYDNXuJ
9RccjSiz6AqWj+3mBTr3d323W/TYYMY6dvGkjgWu8jebYlygcP5S3nZlVvaw
fMaDhulh6ZtfAkAIzBiGSBtwJsbi1V9tA2pGZ11mUrPJGBieJdnCZTCDWPqD
7cqCyQqOS9paynwBkwivfAK9oEHAaCuxEN4MBHCFaAnBNdfycquYlGogl3ks
6DtqRjmyizAw6jCpTwz1/1jqOsS+KK8ukRfgb8BxFTK4j59VvzEb2uWy7XLe
RidfBd2T1GoPmAH2So0WJaZE6EzC2YJW2WEYSSVpNKKLJwnmdOC+U2663mS3
JuzvOPtqdvBX00tKYIEByVi9dCzQkMUjAIx/UbXtCw7h9z40EQM0vvtRk9+N
1RXUa8GpJN4MrUhSpAGEgmtBNZoqrFHfxlgPIMJ1W7qThEPwTHdNX1GLVROC
akq05Sd9Du9jsCATDOoqJ/1HV5UDGjtulFyEv0m1J4csYvgInEH2+TImIU4y
K4P6CmwfqKd5VcOeZir6xkOH7EDjJi4Oog0fauzJ2QEJKn1/YmYgYoqCtouO
hvTpD82F8mR4QW4WFQV6ETji50yTQlz0H9QR/4FxmlzMwS05sUGfj6a262WP
ICG3HGUk/9BbmCXQFjaztJilUmJjp5mBjdY0KNiBoidh8kZPHTd6RF34HLy/
UpQhkd0lK7mUlaiBppsGXi24ozLxz4gXhgtCff4ZrQP8+j3VnzQLbN8Bmruh
LxcjKAmnwcESz5DMOKwm7AfRjyxoyx3QmAOcY+iPcnSe3njNHFaogG7URbtk
xQaC1WMJfWZGphpYhze5brGm0Gx8ipLkSOGYA6oJtuStblrqwEaXFVMk3JuG
2dgNF/7OU0mzJVcIK+Qj9HG5AeMpbhIrAIQgfdtZaTl8rOpaSedbXhCE8old
4VTGpX8CXr6kbtUPXwENC+pc/SiFoOIQ+O9QESh/9jHvHPU9r8d7RTA8QIku
k6XHFafHR9e3Y2qB3GDQ+1NTD0ystQpRfKDEtnXVE33V3DCal4sdJIj7VnFL
A5MSC/0EJXkYIghf4MP1LWdxsnkCB92X2WABLsoKNPGt/VSVViR+hgorEBzM
vmdyr9Ah46aSd6u9QwFWLu3DRo53R0quHVIcfC5Uw1hYwTUkXOa4ceJv/lx1
OOhB3wFNsc1Ujx78j2NOYLDCJYvumQIdC7z4sm53ZdFwHD50Z/u63EAornXi
tOYdsFH/5ubSfX11+xMabPCsDJe6H/R98wVczluQNaBKb14wFjyv947rNv2j
laKDY23krB92QfKNkt2nPMOmBwvSk7EFgss+VeQs2yMum8K5NHtMI6+kTFW6
k30BNjFPZcsYDsR8PxfO9IiKHGf71lKO1oqXS7kWRsSSp5eygdhyxEuluJsZ
MjtGs7i6JpZOZE25HNMFmceaktbLEpZdYNwXDbcvlsPw1Qbh2/ARvvyanNBY
1QiMjJk8PwoAiLaloiUpoguHJYy5pmYEdIaByTYbxlrxtBINQ4yuhqsI2Uia
NsR+eez1ZxHK3F4gn4J7UFGFyEykqci0NzS5NMPCov5QrD8kRA7mZ++LT4Gi
M/GOIl5IOs6nWdlRZzlKJ80cSZf5J5rSZYzIsFU96fv2jd8TddD5rY93fvvu
dFj/+EVOeZXeOLbSp13lx0bHCOv7Sr4QF0hKr0Ot6JzTAaKVbmjxsMG98EZY
pOyBOndpHkyYyCIt5E5xzQTLKAjHsiccNd8BpAHmr7konEquA8haGrCZEtl6
m0S3n5r+UrGzBasYiTJxWHyFsIkeD+qAHFnQTxi+p/YeTEPSVkcLSgC49/aR
AZpEfMuKBRPjo3SXYC+oNIyGFUQW821roU5Ajyg9Gbwl7mKVZXE5yiw47WyW
vEHAJsJoA82WER6AsBCU/DlpeB10nHL4zx6oB5Ru6SDElUROYYJhjyM1wlEw
L6Q2Yy9iWBApcaYrcQI75jR0oAzFLnhpaLpcYH6ZbaCwGhf8Mm9QrBfuBIcM
/wVxw1LKtCN/5IcxhPDf7dt3dGnqteYhX/YrcH2W+wU5RO/r2fHiSZh7MqE+
ARtbwxjR4z5DCySST1LVfuv5gpn/0xqVtGwckSMecsmEW5qqLhBjEt8ToOEI
VpSImX65FwuRmz26QRBqsYHHajuRH5MujTFje7o86NCoSQJDHC5/4ud6cJsg
3sBXUE4eqY+M4REw+4TR0QbMpyc6pVKQhKiMRPcQBbEoVoUO8WQIhaz5pUyy
QI6+iShUY9QKk2I05g6pRrfD+AfXiyZjLw5A2JSjfBwRc1TIhqoNXA26CQ/P
8DVF8IAs8zP1hW97DVzOeqDr2o7PdBBfxCMGz4APGFQnFuxjGI2mjL33PaZe
uJmpvCIAXwggoR9CAlLvawNOhDQPlTSkyFAvW57ra79psda0CCQIEj/cQT/7
9fS7s4vnz1+e6tH3f3t2RtUoaOdsV1yCw0QlhkLaadpoZeI9hEzgL92+fXVz
+cvff755++oCOxX+/vKX24u7u9nJ0YOVhMZrEGvqg3NeWSUTuEJrieeTbD7J
kWEi02RESZ83JrHtGcUWK3T6r+JsE6lOjtMrJBPnSc5buKO62njXadKvIDsq
/qIvXl38+HrGrIolQWATAsHmALW4c1/G5vhi3aSHCl3bw4kp4Ray2bzYVwRC
rCs6uRevXr39G/94df3ml1TmiUcD57No8jr5F5lnwbNbuPmCard8F064iUiH
IRa35SA7ut25dWrZHaFNfy1aR+DJyiXlTVz3LE0yQBNmqYtL4qfXN3evL95d
/nD/hVLgeSsyyP+dEIyIE8kxFipzjX24hYQT1mBD2HCWXYt1bONELAZ7QKmI
bHUVmOizvNW0rBI8e63jVvD4ImeVx+7JVb6MaPecphaDE480XEeiQr2AffYp
ObDi5K8rgCndYr0XzotMijmhCoQZK4Ep8pAA+Mwp2lSInOwq6MtwD75iTDX9
xM1fIyOnE4moDs83Fvi+S3bz/E1qs7eddA2yS4Kl2n1XrbCvAwPnRE6vpC6S
JkOK33KToddOUsWeTrJEOEDhI2AWtogomNirBKCHmj8Ebk5ZqVMAiKIOABzL
pK9xqrxY8DOPzDJJkhe/2a4t2LMKkRi8noaDOR4BxzPQQFd6ocgnQ5E9kqlH
Iivs6xxGiHCTvvZ3MuGBtxW5LGBrMGvBmOubs28/fgRSoaOIHmPF0TUHG1W+
QtrrbI82rSkp3NqUmT9n0tiPtA6orG8toSv2zQ/6hnhOWeWSk8BBeiyZHJ6n
pGASWSvLFuNuzAg3DfkZvmKkuOqoO/91mO2ILOFLpXzc0fQ5piJcWSN/0s1C
2alvLkMHHtb5gCKZCgXPmvVgE/O8ZSXOVcvDDABGdFh/4euad85DQwrilcKK
XOqA9CylJYK96c5y12OBsuk5DKPh5Y58pYDuqOasoJiwqFeJfYn5iQMEI4BL
OjiIxCc/YHL9tdnyWL0fwzTNnJjvRJcNJYvKK7FOjhootclaRE7WeO8N3pvC
kzJLWAdwxf0fRnCCiw0LX6fdClOufUG02FWgWrxGNJSO5nJ+jF3JrMSRmaM7
kRT8extB90MXEBYvY3+pkBjoPuz1mfKng/YeseDU4jNmlZA07rAayDp7qDA1
i4ZIBtHbrbFgbGa5qvczD7wHlkzVXIEHw7PlsATDO9DEQ0wO6r7w8SPkVedk
rlAlUW94eA1f67xD3KdjCgl45FXMWRdh1rUmnZqB6JW4mkOKVS6rI5yEHpKJ
4AmJLVGMmFWs72MJ5JReFJ+jncT2vtiWJ7D3wJvmHjaZRrfBJDChdX62J3LA
83wYcC4dNnUDIanRnJqdWJ2xBs9g5ztkXwyn5gKTBf7SuhZgeM9+bBJows4w
ZnezzBreDPPckLzhLnnnWyhQCSG9w1a2FKDG21C7DTN5gGcRBiecPU1nE2TQ
MeGZMblxqClif19ynmaBMBpLLSIioHIj/oJ0Iss4omizpPuIUkFxmm9ENz4M
4da72IZJO2PLteh2cypKoEAbGfPEuU9AEuWl6Ohg2xSqxw3H7o4jrXkmYvi8
R1EYTse48jQWXqJ1ApyKRReRMcLdaU71ctdh8LM4bN+DY/Ydd50tFi1vOtwm
Vlztk3XMMscJ87R2BVJ8IWyODHzZNmHG7XSQtGLlH55hfxXPgGr9wkxfYSS2
foewJFyewJMxj5ki1bap0GmXxkHjY7zZjM8c6we9wHqCExMUapCAPZYj7Coc
VCMp4GmcHh3uAqpyh9yVDxMng/UHF4P9STOxR46RAwNBfY+uH+zNntgBSmI9
FLF1VPoh0rutLAfiI33FtAhhEsbzBPJjs53D0gw8NAueAqlfBH4G1n5ykVrs
SEraL2OiWKR4evZNDEB62IrCX60ojYE1Fl27iXQgGOP0xVS/ZG1+yf9aShlt
35Kt070Bn6HXv8xOniBEss9kf77lPI4AP+GFxxvAcU1PGAD4MrZWWv93WKEn
jOAvRCO7XZ8EhIX/UKU16YLYuI6lfOGQA+yaRXwavqhftabULyltDitAybqK
MoxZPC05dcbZHLaTsFVMxCW9fYdNx12iVQcYF7DlvjEbKQzC+0abbR7NngWE
wUISPQ4Yl/wQscmEaKkMIrOaFDUJ/gCF5nn5DLHCwOBWezQeviwImJCf3zMP
HmR1jkVgm+o3IoXgmnSUN9dpOKAMz8iHG/aWHUrZI8fQicsonVCEnaLKR3Xe
II4guhyOTZEQqjDXNJUUqSvY9W3TbjBeGC0RCilPZ5DTpCnfeNAOWNh0Vcul
BWkn/GuCFZryBfui7Qqc6kRFg+E7HyVLezgjjCoEDlPuwznKKku5z/QwORHA
wmFHHPX/qsnElJxtMTWwcQyKsh8vKat2y3P7Y0o+WfELxY1x1CuKwXxKPoAa
pdIIDEp3JM+U3Ntw5zlVhVLDNWLEGDX17gPWMXY+0S9JyZRIIZ1JbRgq6fLO
h57H3fbSDoPndEFpni2V8CRvAuAx31USjwfqzKn3Ekgj4yUk0qsGU53F/U2c
aEpTxbZahohII0mc5g0ivdzZ6dE88XEHTwmxYYznI9+ib40dU5IJoYg3hgYP
C8iwzTAbn5p1FmImeG6xp7/t2GEAMdpUMm+WsJlwXMiD3aFI90Q0PTrJufxk
jDrxpyapa8HULa9eCbwYhHUGE3toSvbUx41iEPz+ibD3PceVUECnodAUUU4I
ImIoYsb5Ct//jj3o2w4BKGFnquBOpt0+VF3bsKYT3HN7eTMMGv3WNpYq9pks
t0g3xpZIGh/HguOv25VUpD/Q1oYZd3FUDitpxL6KE5nEM2bHdsI+045ItqlW
Pn2CHN+1vfxG3ensXBQ8hyvbLt0jNN0GrEXdmUkGmgrG4G+xe4O6fKLNfNM2
RZhWioPeKK+HnlQcEkETXknch8NAeRWfnvPqMPWzP0accGVuPYHtAV4PXj4i
Y9t9BpWb9GqeXwv+JWv8PoxZjeUxXBjLwT8ele18/QLs76CmYlgwhdC2Kykn
3i6Vr50T/yrqiehDygtADstqP0R5/ugHIg81fvaCksFrDhwBX+BadFMVcC5G
BTgT3QhytDwBn+e8cYg5ptY8/kA4TrHOWBxGuocwhw8CL02N8JkybbMsphff
e7Axe+WzxFgdjIFXNvHObqrC/y5xbKH55173gpGRrPKHLCzXVTDy5a4xbkI5
HMngLUVsIphM8BZkOX0D42F3XdqeIwV7mCUSP+RIKXfeWp6c25dNyJeqGkVV
Nb7LHQczh20eFLWjQCQ13LEIG6c/wLUnkZI4t+FE+h9DtwZHldNpFn3aa6Y+
W69eFFzkgb5VKQ4iUue2CzFToAtV9U7hKQvuUwcNIB/dvn3HevL67HpYCT8Y
gqtiuRvNQGFsfyBSvCU4Wv+eJl8DkZ6OfCs0Qg2HDLCiOXZ/JVcKLBG7apCj
qEQenDN4tkTowojleAwb+taLcNWblnHK6PRMU3OdG78gGaAv5Ls8mDowmUi7
5PD+qBsuru+Kv76+uNSjsDL9bDyNe778WeJ4XM9++q1099FFQSaNFA6u8iE+
c3Redg2dL9e1nZ7J9U3bpHPddsQ1Mpjqv9nYiHkd30ABZMJ4mPJNliYNrFIg
BdWYHwRk0JgU/JitqQj6kC1S1ECG2uCpiedUE5ePPM9HrGeuheJCGHks3YCo
1+psXDv/mYZziPZHYJbOJBJA+VQLSCYt0s4NPs+BvAybTnCz06feKLZsMZSc
OXmpRsMKdF+P6UPjyBL4EhwK1XreRXZQ6DiJPV/YCkcWUD9HSwzQxKFzoT50
s9n1hCCTZ8p82a1v5zY6TsGYpr0ifuQGnXUkMwZrvXltszfAHaDufKTUAYlU
eJldKBvl9KjvFXyUAfbkmIpF1Rgr7GQ+EwVHJAy+6PbbvqV4BQWaDmJWRyZ8
hOEpamjXRaTzvOHo6vp/jI9Ub1GozisjWJo6nFHTlDx7hAdgYmpsR6F+qgGJ
ZfCxgygUkr04gkYiq89TtRNMFDKcNIMGXUGVTUAN2IOWNw7wisHy4Gfcx8R/
6FqeAM6BTHIguEO8OJJT5mikT3tixDrU5oYXTNAuPQLwng37ypXTecXhkReQ
ypsA4NYBPYzH51whx1GZz77eQAXYi/jw4PUERwDOTN4Fhx0gXGSieB8ZiBah
dQDnamxZ2XY+/yEDxrNR69SAL04Dv4ct+EwFOkPjrKiXI8UhLC6hOdxMHJDe
V13avetLCLnpLGQh5Q4cHwG4nNSzECzGHrvLdOYD9ndg19HBbBKM/sksgND9
j0ELKwM+8Facsc7f04KvMOBbFumLXujJlfO38C8IoR7NY697kTchqJMDpHgS
56SfHFwTW+b8aM3hkIU4qmIUW4bGfsnce/WRG4/wEccHuoQuqxFPSDUYH5At
quNbjM8dwhXuIjt8N41vSnvKIxnxxdyziiiJR/WHgf7UQnZsIhdxdzK0w+lk
slWgpgq1KckctxA3jtuJPYrEqDh1ST3dBcfzOXDUiN18soHphSL4v/VhHerA
DG1LyZyFIyM1Ig2TiXT0xj0ZYixcezgjInbcBZag3gpsj0MuXkplPPe5H0zM
9fww50mIpoT1I2j4FGtIU3ioXmKmjitLu0CxhZigw+FMiWkcmJ2+7Db0mGcT
7vwqnxISosiP8tiEKpeRKvANWFekSWjjpkrXoYAsvoQgQYsdvvtQ55QIMyIx
VBbFoB+6gmEmzgs/TSQ28h6dsoYdegMfC7Mv+3R0ulSNp8f1hW28+ZDBL3nN
DyrtQIwDxe1NypMv0ho2Kml5rcYSnBp6eZ5Pe2RvreLJPAeBAn0kUBAa5PE1
BGaDvgONvl9ZUghYqt/50h0Ob0uFn8w9L9PXQKqjMjwICqCe+rSfrGia4xPT
8l4IpopziH7vmUzz7Jx3/FTuw0l3lx/Dk/ZjR6eQnCrpl2XipLyInYuh/Xg4
n843KhzEIkRRe9cgQct7nWn0zvK8VG4lXO3g/GCT1g2hHDpfEUZ8CYzzg4xy
GBdtkf1yd1EN3EXSNGAj6pZeXwzLQyshRTaI1ySJlQTksI9ziRyZNFrIBanT
GF9TOmx7o6CmkqRg9GEOYaP+PGxUn4aN+gthI0etspebHUGPn8SIymNEnWHE
d2s7UBi+GJDklqO+YQ6uL21P3has8g0d1pdl1cRU6ZQUznA8orPKz2ULQ5Ub
4mQuj3KcSsN5umF6aOb66r/xZdnb4v7g8lFk/M4LyrJRCB4nz3HdUefTUDyz
Ge9SUUyV30YVXqVQldhais4TcSM2+VPlHluzpH13xDcOc1aWxKT8vj2wNzVC
AZ+SHHsnssHXFljTi5fAPaLIj1g7hN3V3PrpyyKklT3UiCUFR1RgrfISIxnX
EwadswjGcrGQLpTKmRfH30zK7xF3Oklv1nHkhc+4gYgNOzH9VLIFBQb8+Dye
1hN7M9MSC+qi9AVloUiADDp57fj+DcwzUTYojAF9XPMMzEN94+KEV35JXfba
j6ecU3nXOI18+j9+VF3Nb4MAAA==

-->

</rfc>
