<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-bruynooghe-n0-quic-nat-traversal-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="n0 QNT">n0 QUIC NAT Traversal</title>
    <seriesInfo name="Internet-Draft" value="draft-bruynooghe-n0-quic-nat-traversal-00"/>
    <author fullname="Floris Bruynooghe">
      <organization>n0 Inc.</organization>
      <address>
        <email>flub@n0.computer</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Transport</area>
    <workgroup>QUIC</workgroup>
    <keyword>QUIC</keyword>
    <keyword>NAT Traversal</keyword>
    <keyword>hole punching</keyword>
    <abstract>
      <?line 55?>

<t>A description of how <eref target="https://github.com/n0-computer/noq">noq</eref> performs NAT traversal for <eref target="https://github.com/n0-computer/iroh">iroh</eref>,
including all current bugs.
This is not yet a specification, though further revisions migth be.</t>
    </abstract>
  </front>
  <middle>
    <?line 65?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document describes how <eref target="https://github.com/n0-computer/noq">noq</eref> currently performs NAT traversal using a QUIC extension.
It is based on <xref target="SEEMANN-QNT"/>, but with heavy modifications.
This is not expected to be the final shape of the protocol, and does not aim to be a specification.</t>
      <t>The NAT traversal described here functions as a QUIC extension which needs to be negotiated in the transport parameters.
Once negotiated the server can share NAT traversal address candidates using ADD_ADDRESS frames.
NAT traversal is initiated by the client using REACH_OUT frames,
and performed using <xref target="QUIC-TRANSPORT"/> PATH_CHALLEGE and PATH_RESPONSE frames in probing packets to achieve NAT traversal.</t>
      <t>The current implementation is combined with <xref target="QUIC-ADDR-DISCOVERY"/> for gathering address candidates and <xref target="QUIC-MULTIPATH"/> for opening multiple paths concurrently,
however these mechanisms are somewhat orthogonal and not not require tight integration.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="nat-traversal">
      <name>NAT Traversal</name>
      <section anchor="establishing-a-connection">
        <name>Establishing a connection</name>
        <t>Both endpoints are expected to be able to establish a QUIC connection already.
This is done via a "relay" path, the transport of this is out of scope.
However in iroh this looks like a normal IP path that uses IPv6 Unique Local Addresses as far as the QUIC stack is concerned.</t>
        <t>Once the connection is established with the extension negotiated the endpoints can perform NAT traversal.</t>
      </section>
      <section anchor="gathering-address-candidates">
        <name>Gathering address candidates</name>
        <t>Both endpoints need to gather address candidates to participate in the holepunching from the same UDP socket that takes part in the holepunching.
This is done using <xref target="QUIC-ADDR-DISCOVERY"/> using a sparate connection to a cooperating server.</t>
        <t>The discovered addresses are propagated up to the application,
which has full control over which ones it decides to use for NAT traversal by passing any desired address candidates into the QUIC stack as NAT traversal address candidates.</t>
      </section>
      <section anchor="negotiation">
        <name>Negotiating Extension use</name>
        <t>Endpoints advertise their support of the extension by sending the max_remote_nat_traversal_addresses (0x3d7f91120401) set to a non-zero variable-length integer.</t>
        <t>The value advertised by the server is not used by the client.
It is only used by the server itself to limit the number of address candidates the application is allowed to use.</t>
        <t>The value sent by the client limits the number of address candidates the server can advertise to the client at any given time.</t>
      </section>
      <section anchor="exchanging-address-candidates">
        <name>Exchanging address candidates</name>
        <t>The server advertises address candidates using ADD_ADDRESS frames.
Any address candidates advertised by the server that exceed the allowed number the client advertised in the transport parameter,
are ignored by the client.
Each ADD_ADDRESS frame uses a unique and monotonically incrementing sequence ID.</t>
        <t>If the server wants to remove an address candidate from the set of address candidates the client can use,
it uses the REMOVE_ADDRESS frame using a sequence ID of a previously sent ADD_ADDRESS frame.
The client ignores an unknown sequence ID in any REMOVE_ADDRESS frames.</t>
        <t>If the server receives an ADD_ADDRESS or REMOVE_ADDRESS frame it closes the connection with the PROTOCOL_VIOLATION transport error.</t>
      </section>
      <section anchor="initiating-nat-traversal">
        <name>Initiating NAT traversal</name>
        <t>The client initiates NAT traversal by sending one or more REACH_OUT frames,
each containing one of the client's address candidates.
At the same time the client sends out probes to all the address candidates the server advertised.</t>
        <t>Upon receipt of a REACH_OUT frame the server also sends out a probe to the client's address candidate advertised in the frame.</t>
        <t>NAT traversal happens in rounds, each round has a sequence ID.
The receipt of a higher sequence ID than the current round implies the termination of the previous round.
This means that any probes which have not yet had a response will no longer be retried.</t>
        <t>If the server sends a REACH_OUT frame the client closes the connection with the PROTOCOL_VIOLATION transport error.</t>
        <section anchor="nat-probes">
          <name>NAT probes</name>
          <t>NAT probes are valid QUIC packets containing a PATH_CHALLENGE frame,
sent off-path to the address candidate provided by the remote endpoint.
They are treated as in <xref section="8.2.1" sectionFormat="of" target="QUIC-TRANSPORT"/>,
except they are not padded to 1200 bytes.
As a result any valid PATH_RESPONSE received for such a challenge does not validate the path.</t>
          <t>Such NAT probes are treated as <em>probing frames</em> as defined in <xref section="9.1" sectionFormat="of" target="QUIC-TRANSPORT"/>.
Since this extension is used together with <xref target="QUIC-MULTIPATH"/> this re-introduces the concept of probing frames even when <xref target="QUIC-MULTIPATH"/> is negotiated.</t>
          <t>Currently these NAT probes are sent using the active CID of the <xref target="QUIC-MULTIPATH"/> PathId they are sent on,
in clear violation of <xref section="9.5" sectionFormat="of" target="QUIC-TRANSPORT"/>.</t>
          <t>Since PATH_CHALLENGE frames are not retransmittable the sending endpoint has to re-send NAT probes if it does not receive a timely response.
For this the normal PTO duration calculation is used,
using the initial RTT for new paths and using no ack-delay since PATH_RESPONSES must be sent immediately.
The exponent of the exponential backoff is the retry count of the probe.
Finally NAT probes are abandoned once a new round is started, or a fixed timeout of 30s elapsed.</t>
          <t>Once a successful response is received from a remote address probing of that remote address stops,
even if there are still other un-responded challenges to the same remote address.</t>
          <t>In combination with <xref target="QUIC-MULTIPATH"/> an acknowledgement for the NAT probe migth be received over another path,
even if no matching PATH_RESPONSE is received.
These acknowledgements do not influence the sending of new challenges when no timely response is received.</t>
        </section>
        <section anchor="probe-responses">
          <name>Probe responses</name>
          <t>Upon receiving an off-path probing packet containing a PATH_CHALLENGE,
the receiving endpoint handles this as any other path validation or liveness probe response as specified in <xref section="8.2.2" sectionFormat="of" target="QUIC-TRANSPORT"/>.
Since the receiving endpoint does not know the reason for this path challenge it always expands the packet to the 1200 byte limit required for path validation.</t>
          <t>When the client receives an off-path PATH_CHALLENGE it always includes a new PATH_CHALLENGE together with the PATH_RESPONSE it must send, turning the response into a new NAT probe.
This has two benefits:</t>
          <ul spacing="normal">
            <li>
              <t>It speeds up opening of new paths,
since as per <xref target="QUIC-MULTIPATH"/> only the client can open a new path a successful NAT traversal can only be acted upon by the client.
Sending a new challenge before the next challenge retry would occur is faster.</t>
            </li>
            <li>
              <t>It enables NAT traversal even for challenges received from addresses not advertised as address candidates by the server.
This can occur when the server is behind an Endpoint Dependent Mapping NAT,
while the client is behind an Endpoint Independent Mapping NAT.</t>
            </li>
          </ul>
        </section>
        <section anchor="successful-nat-traversal">
          <name>Successful NAT traversal</name>
          <t>Once the client receives a PATH_RESPONSE for a NAT probe it sent,
NAT traversal is successful.</t>
          <t>The client now opens a new path using <xref target="QUIC-MULTIPATH"/> over the path.
It does however stil have to validate the path before it can use it,
since only the address is validated as part of the NAT traversal.</t>
        </section>
      </section>
    </section>
    <section anchor="frames">
      <name>Frames</name>
      <t>Receipt of any frame while the extension is not negotiated results in closing the connection with a PROTOCOL_VIOLATION transport error.</t>
      <section anchor="addaddress">
        <name>ADD_ADDRESS</name>
        <t>As per <xref target="SEEMANN-QNT"/>, but with different codepoints:</t>
        <artwork><![CDATA[
ADD_ADDRESS Frame {
    Type (i) = 0x3d7f90..0x3d7f91,
    Sequence Number (i),
    [ IPv4 (32) ],
    [ IPv6 (128) ],
    Port (16),
}
]]></artwork>
        <t>The ADD_ADDRESS frame contains the following fields:</t>
        <dl>
          <dt>Sequence Number:</dt>
          <dd>
            <t>A variable-length integer encoding the sequence number of this address
 advertisement.</t>
          </dd>
          <dt>IPv4:</dt>
          <dd>
            <t>The IPv4 address. Only present if the least significant bit of the frame type
 is 0.</t>
          </dd>
          <dt>IPv6:</dt>
          <dd>
            <t>The IPv6 address. Only present if the least significant bit of the frame type
 is 1.</t>
          </dd>
          <dt>Port:</dt>
          <dd>
            <t>The port number.</t>
          </dd>
        </dl>
        <t>ADD_ADDRESS frames are ack-eliciting. When lost, they <bcp14>SHOULD</bcp14> be retransmitted,
unless the address is not active anymore.</t>
        <t>This frame is only sent from the server to the client. Servers <bcp14>MUST</bcp14> treat
receipt of an ADD_ADDRESS frame as a connection error of type
PROTOCOL_VIOLATION.</t>
      </section>
      <section anchor="removeaddress">
        <name>REMOVE_ADDRESS</name>
        <t>As per <xref target="SEEMANN-QNT"/>, but with different codepoints:</t>
        <artwork><![CDATA[
REMOVE_ADDRESS Frame {
    Type (i) = 0x3d7f94,
    Sequence Number (i),
}
]]></artwork>
        <t>The REMOVE_ADDRESS frame contains the following fields:</t>
        <dl>
          <dt>Sequence Number:</dt>
          <dd>
            <t>A variable-length integer encoding the sequence number of the address
 advertisement to be removed.</t>
          </dd>
        </dl>
        <t>REMOVE_ADDRESS frames are ack-eliciting. When lost, they <bcp14>SHOULD</bcp14> be
retransmitted.</t>
        <t>This frame is only sent from the server to the client. Servers <bcp14>MUST</bcp14> treat
receipt of an REMOVE_ADDRESS frame as a connection error of type
PROTOCOL_VIOLATION.</t>
      </section>
      <section anchor="reachout">
        <name>REACH_OUT</name>
        <artwork><![CDATA[
REACH_OUT Frame {
    Type (i) = 0x3d7f92..0x3d7f93,
    round (i),
    [ IPv4 (32) ],
    [ IPv6 (128) ],
    Port (16),
}
]]></artwork>
        <t>The REACH_OUT frame contains the following fields:</t>
        <dl>
          <dt>Round:</dt>
          <dd>
            <t>The sequence number of the NAT Traversal attempt.</t>
          </dd>
          <dt>IPv4:</dt>
          <dd>
            <t>The IPv4 address. Only present if the least significant bit of the frame type
 is 0.</t>
          </dd>
          <dt>IPv6:</dt>
          <dd>
            <t>The IPv6 address. Only present if the least significant bit of the frame type
 is 1.</t>
          </dd>
          <dt>Port:</dt>
          <dd>
            <t>The port number.</t>
          </dd>
        </dl>
        <t>REACH_OUT frames are ack-eliciting.</t>
        <t>This frame is only sent from the client to the server. Clients <bcp14>MUST</bcp14> treat
receipt of a REACH_OUT frame as a connection error of type
PROTOCOL_VIOLATION.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>TODO Security</t>
      <ul spacing="normal">
        <li>
          <t>Both client and server send data to un-validated addresses provided by the peer,
this should be subject to ani-amplification limits.</t>
        </li>
      </ul>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>TODO codepoints need registering</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="QUIC-TRANSPORT">
        <front>
          <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
          <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
          <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
          <date month="May" year="2021"/>
          <abstract>
            <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9000"/>
        <seriesInfo name="DOI" value="10.17487/RFC9000"/>
      </reference>
      <reference anchor="QUIC-MULTIPATH">
        <front>
          <title>Managing multiple paths for a QUIC connection</title>
          <author fullname="Yanmei Liu" initials="Y." surname="Liu">
            <organization>Alibaba Inc.</organization>
          </author>
          <author fullname="Yunfei Ma" initials="Y." surname="Ma">
            <organization>Uber Technologies Inc.</organization>
          </author>
          <author fullname="Quentin De Coninck" initials="Q." surname="De Coninck">
            <organization>University of Mons (UMONS)</organization>
          </author>
          <author fullname="Olivier Bonaventure" initials="O." surname="Bonaventure">
            <organization>UCLouvain and WELRI</organization>
          </author>
          <author fullname="Christian Huitema" initials="C." surname="Huitema">
            <organization>Private Octopus Inc.</organization>
          </author>
          <author fullname="Mirja Kühlewind" initials="M." surname="Kühlewind">
            <organization>Ericsson</organization>
          </author>
          <date day="17" month="March" year="2026"/>
          <abstract>
            <t>   This document specifies a multipath extension for the QUIC protocol
   to enable the simultaneous usage of multiple paths for a single
   connection.  It introduces explicit path identifiers to create,
   delete, and manage multiple paths.  This document does not specify
   address discovery or management, nor how applications using QUIC
   schedule traffic over multiple paths.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-quic-multipath-21"/>
      </reference>
      <reference anchor="SEEMANN-QNT">
        <front>
          <title>Using QUIC to traverse NATs</title>
          <author fullname="Marten Seemann" initials="M." surname="Seemann">
         </author>
          <author fullname="Eric Kinnear" initials="E." surname="Kinnear">
            <organization>Apple Inc.</organization>
          </author>
          <date day="3" month="March" year="2024"/>
          <abstract>
            <t>   QUIC is well-suited to various NAT traversal techniques.  As it
   operates over UDP, and because the QUIC header was designed to be
   demultipexed from other protocols, STUN can be used on the same UDP
   socket, enabling ICE to be used with QUIC.  Furthermore, QUIC’s path
   validation mechanism can be used to test the viability of an address
   candidate pair while at the same time creating the NAT bindings
   required for a direction connection, after which QUIC connection
   migration can be used to migrate the connection to a direct path.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-seemann-quic-nat-traversal-02"/>
      </reference>
      <reference anchor="QUIC-ADDR-DISCOVERY">
        <front>
          <title>QUIC Address Discovery</title>
          <author fullname="Marten Seemann" initials="M." surname="Seemann">
         </author>
          <author fullname="Christian Huitema" initials="C." surname="Huitema">
            <organization>Private Octopus Inc.</organization>
          </author>
          <date day="3" month="March" year="2025"/>
          <abstract>
            <t>   Unless they have out-of-band knowledge, QUIC endpoints have no
   information about their network situation.  They neither know their
   external IP address and port, nor do they know if they are directly
   connected to the internet or if they are behind a NAT.  This QUIC
   extension allows nodes to determine their public IP address and port
   for any QUIC path.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-quic-address-discovery-00"/>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>
    <?line 345?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA91a63Ibx5X+P0/RC/2I7AIgUtIqNuM4S5OUhSreloSy63K5
VI2ZBtDLQfd4uocUwpKfJc+SJ9vvnO65AlScrHd/bCqJiMF097l85zuXxmQy
SZ49e5Y8EzPjVWmUn5yWcunFhSzvMvtgxFxtilx6ldBLN8rIjRJ+rZ1Y6lyJ
ZWk3IqMVE28zO9naqqRXJkVpvU1tPt1kwluxUl44L0uvsin2CWfwXktbbqQX
2HAU9vmm3uPbyTcPtrxblbYq8Dc/wnajKYvy1pZCG+21zIVTvirGAguFNflW
GKX4VJVpD2FxiC6dF4vcpnfCLvFR5ZkjQa7o9ZHXPlcjXuZo3UKJdC3NSmV/
EJnKlVdiJBeLUt2PhF7SOaXgNSS2W9vS017HZissTitFamFM40UqDe1FYqhs
LBaV561lqZZVLoz1dJg2vrRZleK9srQli3VryTIspXjQeU7LoKSQlbewlk5l
DrmzqtRmFbQnuXD2VmBzUZkofjDVqTW/g4VNmlcZNJkcHIwErDeakF+dh04m
Wiln/5IE53Khctd8AyeJX+GeuGMQwsEJiy32oh28tTnbFrrDQviDnqZVWZKh
7lXptDV/gC4QMLMp7TaiY4X6KAFAFTSZE/B8RCSd4MRdKTcE1Em5TI/E2vvC
Hb14sdJ+XS2mqd28SOXCvui+hX1+AFLIOaXCTqliWSCHLoMRopNFEYSVItNL
/EGSBriShU7YxI3hICh8TlqQcngnXTemA76fTz9uclboPy/Ox0L5dDqdfkFK
IfoYS0diZA7Ev7+fnYjL47mYl5KsIvNREqAXv7+cj5IU2q9suT2Cf5Y2SaLB
jqKLFmW1Ndau1mpiDiY/VzqdGIkArXcEABJXLTbakbh+W2Dl7Gz+NjHVZqHK
oyTD/kcJUOygUeWOhC8rlUCCVwk8KyEJpDOuAPBHSQMCPCbpR8md2uJhdpSI
CetD//ZUogdrC5sVhFRgOEmAbMQRLUkE/oP4yINKb3NbwunfNTrx97ZcSaP/
glCw5kjALjOTTvkbtZE6PxLLvFr8mzkgBBQVmC1JDDtC30MzvEZyTeY3x5e3
11c38yMBXHx9ALvUX128P5/Pro/n72CayelUK78MltxUudeF9Gt69fbs7OL4
8nICr4T3ggOA4o00Zo/pm/2PT09vJqez25OrP5/d/NBd3B4ls6xUzk0y7VKL
9dskIX83aiSAUJJMJhMhFw5HpD5JjkFYLi11QZYhrlvbB/GjsT//JApV0mLH
vmgkYkz+qEu7/mmcBI4gUgHBNNG5qFZgJY49/Jdoa0tcJFyhUr0EGdFZY6Dd
Vqs1XFcyCQKymvDlxEav/BoUBmFZkr1hCqTWvnqBl5Ig0t99ld5KghE2Osty
lYRcxpRKciVBcIRItSFlgnkWYI7WMlFRUOoTNqoc2yREZxPo02TGiWshiepg
7sfHDiA+fQqM/wDBxVrJ+63Y2Kyx18Ci6iOM6UPaWtSsYii3rWWhyJH0qM6q
YyFNBp1UWCz1Jq4bOGVK2quBMrUFMkhFhIcYZIGEdDsqioe1BpF1M6MB9SDr
kqwxO/iaDEQhwbNIl5TFrkzae5nedKq8p/wI6oVe5VCyCHj6PtNEQi5aHtHy
gSLm7PYWJQeOwP79pWRJrgY8Z52QXXJNHg9b3Jwdn7z7cPV+HjcYJ2TC6G+s
CW89PvaJ4dMnQSTw4eTd8fn52fdnbHd+Almury5vz+J2ZAt4Z0GbFDK9U57t
JUFv6n6gZ/RKHV6a8hthk11GmgDd2AhCMXaiTH3GgGAUuCtJscbg3LUdyRoX
N3QW19lCGVoV2IyYGBvRwaaJhXGCAFHkLhzhlNgoKiq0Q3CQ5xxKlIc1Mhv8
vrYrS1ilAwmP9L9SgcPwnterNRUfyFhljUnKntbcU8Zl3GHZqVqy//A5WAdJ
RFAWQV148f52PhqHf8XlFf99cwa9bs5O6e9bck7zRxLfuH139f78tP2rXXly
dXFxdnkaFuOp6D1KRhfHP4xChI2uruezq8vj81gjdYmEjBAigpQrUSsQ9KRL
2vjCmu9Orv/218PX8MO/3Lw9eXl4+DU8ED58dfj71/jwsFYmnMa1a/hIpVwi
i0JJqnIDG8tCe5m7McUpik7U5hS/MOeXP5JlwJXfLNLi8PW38QEp3HtY26z3
kG22+2RncTDinkd7jmms2Xs+sHRf3uMfep9ru3cefvOnHDEhJodf/enbhDHU
rylQSYkz9BiLXLt1oGvA2aiYBb5DaY4aLyss3BUgPOBcrGSPqnqTmg3bbeAI
1D/ZtuXuzEKmey3x7qhUudyOOJTGA2Jk/g4rbMUfkdILOO9djDE4mVJZeCu3
9g7/r++I0LluycXsmjfGC9KHynd2ff9GvDf650qJc4uWQBwHDlBM5UtAB/+Q
HKwFtEL3o0OQU6uH7iCQNHNlqyNeaUxQcxAXyE1SGLB6a1Ui9kipO5RH/vn+
M3S146K6iwsct4/g8CUyDtohKshUnY6osqwLy9CgcuqhZvP96TWIi9g52NHL
O2xDe+xbPPByL0PssHFdIjjKgb5nUMoD+Ax/EwNyx0ZpMKaBuroj8mj9V3Ky
L+SKrYz+LnZM4IS8rriSkJzX5OyKGMJS3ZML2i0mbsgNBajqSXUWLAbscAro
50+kzEK6oAP6WLyrOxJ1jQ7f2CGq5LBg2l0XEXAZoUMHnTWAIpken9WwwpNP
SXLWxmqGXb12jFRdClcVbVB1cQkl0LFw/UpfbOTHD6XaWK8+oAj/0Ej3obXz
84OPr7LfL78+PHx58Prg8AvustlfxprJX1Rpxb0sNVHDBM0x1bGcyhrv3csc
4ddI2NQesdKJ1V3lhlVJXTsy51d7Fnqn8iWJkutNnGKE9ozU3hcLfXDQ3sga
YJcsOr0nsOO6vlcm8Tnu1x3UqeM6zrHd7RBdBKQVOhVEgKapQqDojzybeIoD
5u3uzc7uHysMaQ6zrxp6ykfMBOpjqiKd1WaLVujq1G7xdOk7ph5Z6BV4e9fp
ZygId4UOfC5FFcicaoGNBW6siZMe9GUll4iBPfAS8fbsFDadLbu6PEjj45hl
AxoQ7KCBKTqcqPxnnByVJidDPjSHMe/QdzdnFyC+HS0iBbYC8vY0R7nXtnL5
NgBvxwDTUBCHA4PpqCyEQe4MFTrdHakcgof3SeB27FGqVAGBvFn3VPDfXhWg
Y5rbWssOhzdZ8Prman51cnX+4c+zq/NjqlI6IOAJXgT6LLQjZJIeNyY9XWPP
MuTPDpNR6oG4G9hkTxOjCFBE/FKb5u1lx3+/2xc9CBLfZkWKzq7H6eRQp1BH
E7IGVaAcHJ8lhDZAYIT3hTXBAUWA2VD83src2c7BMhzd55R9quyJyYioQYO4
pmracJ9W2grnjAXbjj9wDpX9yCIv9aRfo5OBpF0sgjpMb5AZdqOOTkfLgBE2
aOTrcUzo4kM4hLdjlbFRAFHgIoJ3tHyd4RHK9dxlLZGWIRkQZ8C6PB42SBPW
ICtRHYtGpNTsgX4sBOvu90Id678N9kNpHlQIfojqEDMiAeksFA91o9zBr+z2
25ffx/Z6nDBv2OVyEopgux+MdM49Cp2Gd0P6b4pK9mqYkXsU8qFhI0g8Pt5G
Zb+avpwekqeGgwDEGnJE4dsxO3mkgAwhxaKCOMCxIbpccBG6a/Zm0Lk/N4jU
lHEx5qqU2g2kxpzKDNXOdngpqcbIgfIw8S29PTBrR58v60FEIIkv6VlG/XWI
kVbXr/drOk1udegLqBVoqivtQqHi7UpxRd6dTnQHDLyuVJPmZqNBFNsPJ/YF
FIpqBGp89+1GJVTTb0D5k2ZYF+YSAzu4duTDEElpVipOQiqiJ3uOuIZZZ1nr
2AA2Q/NQhAT14IjXvInhrgH/db8BowX3Ydk12KFARfSg7PKh9+RYDaxfI5aZ
ifP5hL7qaquXXNnXQIl4AoqIz2GemiKmCd2VsVO4uAv95PX8ii6QglKoMtIq
bwpHcvM4aY1Y37PdzOeMVqMe4sCISpXwnqFh190kox5YuFb7Gu+3YlM5Hy6y
eOi1URm5NN8GqkUzjtxlOlV9+EznLrAzYl9EDchuW8Cpat9mk0BRGplC9QEm
5AJyWsND2pR7aigQqdrV95JjyrJSLPVHwjhMGBv1VwcAaC4L1zbMkuIVsHZ0
jdcwMYO+jmkqsWRNPzVP1bBnoaUffu28LSilUzSE6zySnfDoieTD3WJlJuFE
op2GL1xNiZzQ+/tSIjBxpihbQt8TB1QtplRx5Spbcb3J7vbrTpQ10/xWWe43
pQny8fSj0cHEqzDSuk9/HWsxAJwank1tNyNbm2UeUm43QmBEcmPHBMwgOHGA
//5RIT9dsyr1G65brNyHHrhNNv2x7ueS1TjxddFwPwhik+VMgzqM2ZurYj4h
cjzTS4lGDMar4dIKyWO/MNwf8jjlrJefZ/K9YjXcQXaPL0mHDZc1YbB4bVYC
38j8QW4pLRSSyomQlcJEJSCwyYOxc42D4JDnBurCHf9BTuuUIN2KvXHBgEdb
MeKltosxPXivn6m4gulj0AdSIkiNha9KUzNeix0TpgHYvAmBWLExMz/Q6NAg
uXp3lCQTga4eTqLbkqpopuwRqkyZ40REesTyArIN45CuCBGLPBgYtGG0XxSG
zdLjoX65y6/TFgvOgTxDChOSbjsqxG2MJtkPJixbUsPBCQMlQOebwL4PtsoR
+SkKX4qvpXSeZyJsAWUonw17GuYEAkEnZAeE2cxl+Farrezl3hFAr40nZdgt
rDnL9VBDqx3GLBSoKCNs1eMlcapg1YxMfIEWIbZr5CXU3nmvOt6/fobFe3ao
meb2CQ91Z69D5A9vmDgxtQysGbF+vHsF1sJh2mszKbwttz8d9PTmmd00YOOl
Tyw3Z5Eo6usgykahJfF2tzytkaObyQH+RP3OkG9AXXsTMtc7sJd5FBtz+u4A
WbzlAipJbjp9Gag09DGtv3o1K19ItQPrUJVz0U/dTh3ww3ZH/rpmBw7ujBUS
KvxDTD91Edz+kiS1wA0POEEcv/zyS9KdT7Ci4pF/0TDfFko811+IP4o4rTyY
Tuu55Zhfua170ssws8Lb4Ysf6ZbgtXj+6uUX4qfOozfi+eHLr5pn16TT88M3
WPWJZWHw7M6pYu5z8ZctNCjjMp5/qQQ1BnLgyZE4fmqCCpqADWoHNG11O3wM
2TIghcRsCGHD5JWQanwECct61hVP+F0X+uxQawY8oZAnrtcrw/fjNADVDdhi
KwxT00k49yAc8KZ7wJvf8oBDHEB2bw5gYAXt8dXuZDOUsqixVa5TTYOlqeDs
CRj7cGUo4pVcnALE5oKLeZNTvA1ij2k2dEiIIxoxTePvJeI4LA6oWcvO2DDM
TbuzmSkwSE+d4KtH7kaT7vjE7IETD106kcdRxQYjM+0GYJys9Sd3/7OgG0wB
Px93rz8TbZ242TtZ/L8OHfVk5MTrzjAhpop47yj1H0Jb0kPb/yKG9pr2n4AR
oyiOwWog1FOxz2PgZcO9rwIaQh/52zDucDT390BzQ2c3BPIEDnrX5EJ6+v3k
/3v6HE7K98D5V6A0lk91bx0KTXHCT59E6Y4X/ymaQyyghtV+Sz+VcTpTYVRD
V2RXp1fNt1Rx8715fUUFLHbmvQKVleQLQDPpFFpNnT2cl6J1KQmgnHrdmot8
GtlUi/+C8HwRYPSEfpHb/MYsXhwGoWfHl8f7BW6ZN1zsl2qlqWfgX3/y7/do
ykN7HDdjAJ4CJI9Hwasq++NoKXOnRp/inp2BwTT5b9boN+zLLgAA

-->

</rfc>
