<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-englishm-moq-relay-dos-01" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="MoQ Relay DoS">Denial-of-Service Considerations for Media over QUIC Relay Deployments</title>
    <seriesInfo name="Internet-Draft" value="draft-englishm-moq-relay-dos-01"/>
    <author fullname="Mike English">
      <organization>Cloudflare</organization>
      <address>
        <email>ietf@englishm.net</email>
      </address>
    </author>
    <author fullname="Lucas Pardue">
      <organization>Cloudflare</organization>
      <address>
        <email>lucas@lucaspardue.com</email>
      </address>
    </author>
    <author fullname="Aman Sharma">
      <organization>Meta</organization>
      <address>
        <email>amsharma@meta.com</email>
      </address>
    </author>
    <author fullname="Ian Swett">
      <organization>Google</organization>
      <address>
        <email>ianswett@google.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Web and Internet Transport</area>
    <workgroup>Media Over QUIC</workgroup>
    <keyword>moq</keyword>
    <keyword>denial-of-service</keyword>
    <keyword>relay</keyword>
    <keyword>resource exhaustion</keyword>
    <abstract>
      <?line 60?>

<t>The Media over QUIC Transport (MoQT) protocol
presents denial-of-service risks
that differ in character
from those facing typical request-response protocols.
MoQT relays forward, fan out, and optionally cache media content
on behalf of publishers and subscribers.
This document complements the MoQT Security Considerations,
focusing on the unique considerations for relays.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://englishm.github.io/moq-relay-dos/draft-englishm-moq-relay-dos.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-englishm-moq-relay-dos/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Media Over QUIC Working Group mailing list (<eref target="mailto:moq@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/moq/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/moq/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/englishm/moq-relay-dos"/>.</t>
    </note>
  </front>
  <middle>
    <?line 72?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Media over QUIC Transport protocol <xref target="MOQT"/>
enables media delivery through intermediary relays
that forward, fan out, and optionally cache content for subscribers.
Unlike request-response protocols
where the server's work is roughly proportional to the client's request,
MoQT has amplification properties,
in the sense that a single SUBSCRIBE can trigger backend lookups,
upstream Transport Session establishment,
and ongoing media delivery
that can significantly exceed the cost of the request itself.
This asymmetry is relevant to the denial-of-service risks
discussed in this document.</t>
      <t><xref target="BCP72"/> requires that protocol specifications
identify potential denial-of-service (DoS) attacks
and describe foreseeable risks with due diligence.
The MoQT transport specification already addresses
resource exhaustion, stream limits, flow control,
and some relay-specific concerns.
This document provides more detailed analysis of the threat landscape —
particularly for relay deployments
where the amplification properties of the protocol are most relevant —
along with operational guidance for implementers and operators.</t>
      <section removeInRFC="true" anchor="motivation">
        <name>Motivation</name>
        <t>This work was motivated by discussion
at the MoQ Working Group interim meeting in February 2026.
The working group decided that detailed DoS analysis
and operational guidance warranted a separate document
rather than additions to the transport specification.</t>
      </section>
      <section anchor="scope">
        <name>Scope</name>
        <t>This document covers denial-of-service
and resource exhaustion threats to MoQT relay deployments.
Authentication, authorization, and billing mechanisms are out of scope,
though they can be critical tools for DoS mitigation in practice
and are referenced where relevant.
Content filtering mechanisms and their resource costs
are also deferred to future work.</t>
        <t>Where this document identifies potential changes
to the transport protocol that could improve DoS resilience,
those are noted
but left to proposals against the transport specification.
While both this document and the transport specification
are under active development,
this document also catalogs mechanisms
that are currently load-bearing for DoS resilience
(<xref target="load-bearing-mitigations"/>)
so that changes elsewhere
do not inadvertently weaken existing protections.</t>
      </section>
      <section anchor="relationship-to-the-transport-specification">
        <name>Relationship to the Transport Specification</name>
        <t>The MoQT transport specification <xref target="MOQT"/> already covers
stream limits, flow control, priority and starvation, timeouts,
and some relay-specific concerns
(state maintenance, SUBSCRIBE_NAMESPACE with short prefixes).
This document does not replace any of that.
It adds threat analysis,
documents which existing mechanisms are load-bearing
for DoS prevention,
and provides operational guidance for relay deployments.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>This document provides operational guidance
for MoQT relay implementations and deployments.
It does not modify or override
protocol requirements specified in <xref target="MOQT"/>.</t>
      <t>This document uses the following terms:</t>
      <dl>
        <dt>Relay:</dt>
        <dd>
          <t>A MoQT intermediary that receives content from publishers
and forwards it to subscribers,
potentially caching content
and serving multiple subscribers
from a single upstream subscription.</t>
        </dd>
        <dt>Control Plane:</dt>
        <dd>
          <t>MoQT operations that establish, modify, and tear down state:
SUBSCRIBE, PUBLISH, FETCH, PUBLISH_NAMESPACE,
SUBSCRIBE_NAMESPACE, SUBSCRIBE_TRACKS, REQUEST_OK,
REQUEST_UPDATE, TRACK_STATUS, and related messages.
These often require coordination with backend systems
for routing, authorization, and state management.</t>
        </dd>
        <dt>Data Plane:</dt>
        <dd>
          <t>MoQT operations involved in delivering MoQ Objects
to subscribers:
QUIC stream management, object framing, and flow control.</t>
        </dd>
      </dl>
    </section>
    <section anchor="threat-model">
      <name>Threat Model</name>
      <t>MoQT relay deployments face resource exhaustion risks
from several categories of actors.
How severe these risks are in practice depends on the deployment model,
authentication requirements,
and trust relationships between participants.</t>
      <section anchor="actors">
        <name>Actors</name>
        <t>This section uses "misbehaving" rather than "malicious"
to describe problematic actors.
A relay's defenses need to handle
both deliberate attacks and innocent misconfiguration
or buggy implementations —
from the relay's perspective,
the distinction often does not matter.</t>
        <t>Note that a relay acting maliciously
with respect to content integrity or confidentiality
(interception, manipulation, selective suppression)
is a media security concern rather than a DoS concern
and is out of scope for this document.</t>
        <section anchor="misbehaving-subscriber">
          <name>Misbehaving Subscriber</name>
          <t>Subscribers tend to face fewer authentication constraints,
which can create a broader attack surface.
In broadcast scenarios —
which are a significant near-term deployment model for MoQT —
subscribers may be minimally authenticated
or entirely unauthenticated.
A malicious subscriber can issue requests
that force relays or publishers to commit resources
(subscriptions, buffer allocations, backend lookups),
manipulate flow control to cause excessive buffering,
rapidly create and cancel subscriptions
to generate processing overhead,
or subscribe to content with no intent to actually consume it.</t>
          <t>The impact a misbehaving subscriber can have
depends on where they sit in the topology.
If subscribers connect through a relay
operated by the content provider (or its CDN),
the operator can impose limits and terminate abusive sessions
with full context about what legitimate behavior looks like.
If subscribers connect to third-party relays,
the relay may have less information
to distinguish attacks from unusual but legitimate usage.</t>
        </section>
        <section anchor="misbehaving-publisher">
          <name>Misbehaving Publisher</name>
          <t>Publishers are usually more constrained than subscribers.
They tend to have business relationships with the relay operator,
face stronger authentication requirements,
and their traffic patterns are more predictable and visible.
That said, a malicious or compromised publisher can
flood namespace advertisement state
(forcing relays to propagate and store
large numbers of namespace registrations),
publish at rates that overwhelm downstream relays and subscribers,
or exploit protocol features
to force resource commitment without delivering useful content —
for example,
opening many subgroup streams and keeping them active.</t>
        </section>
        <section anchor="misbehaving-relay">
          <name>Misbehaving Relay</name>
          <t>In relay chains or meshes,
a misbehaving relay can cause upstream load
through fan-out amplification,
create namespace advertisement loops,
or fail to enforce resource limits in either direction —
failing to protect downstream clients from a misbehaving publisher,
or failing to protect upstream publishers
from the aggregate load of a large downstream audience.
A compromised relay in a chain effectively acts
as both a misbehaving subscriber (to its upstream peers)
and a misbehaving publisher (to its downstream peers)
at the same time.</t>
        </section>
      </section>
      <section anchor="amplification-properties">
        <name>Amplification Properties</name>
        <t>MoQT has significant amplification properties.
A single SUBSCRIBE message can cause a relay
to perform backend lookups,
establish an upstream subscription to the publisher,
and begin forwarding
a potentially unbounded stream of media objects.
The server-side work can be disproportionately large
relative to the effort required to trigger it —
potentially much larger than in request-response protocols like HTTP,
where the server's cost is roughly proportional to the request.</t>
        <t>This has a direct implication for how limits need to be designed.
Per-session limits are necessary but may not be sufficient:
if an attacker can open many sessions cheaply,
per-session limits just move the problem.
Effective protection requires limits scoped to something
that is expensive for an attacker to obtain in quantity —
an authenticated identity, a billing account, or similar.
The specifics of authentication and billing are out of scope here,
but session-level controls alone may not be sufficient —
they could be one layer of a defense-in-depth strategy.</t>
      </section>
    </section>
    <section anchor="control-plane-considerations">
      <name>Control Plane Considerations</name>
      <t>MoQT relay deployments require authoritative answers
to routing questions:
which namespaces have been registered via PUBLISH_NAMESPACE,
where a subscription should be forwarded,
and whether an incoming request is permitted.
Every relay — regardless of deployment size —
maintains state to answer these questions.
The cost of maintaining that state
and the consequences of getting it wrong
both grow with the scale of the deployment.</t>
      <t>On a single relay node, authoritative state is local:
lookups and updates are bounded by CPU and memory.
As deployments grow to multiple nodes,
that state must be shared —
through replication, coordination,
or some partitioning scheme —
and the per-operation cost tends to increase accordingly.
MoQT is designed to support distribution at scale
through third-party relay networks
(see <xref target="MOQT"/>, Section 1.1.4),
so this document focuses on the cost profile
where these pressures are most acute.</t>
      <t>In general,
operations that read authoritative state
tend to be cheaper than operations that write or update it,
and this asymmetry tends to widen
as the number of nodes sharing that state grows —
particularly when those nodes are geographically distributed.
Understanding the cost profile of different operations
is important for setting appropriate limits.
Examining costs through the lens of each control message type
is a practical way to do this,
particularly for write-heavy operations.</t>
      <section anchor="authoritative-state-and-coordination-costs">
        <name>Authoritative State and Coordination Costs</name>
        <t>Several MoQT control messages create or modify authoritative state
that the relay uses for routing and resource management:</t>
        <dl>
          <dt>PUBLISH_NAMESPACE:</dt>
          <dd>
            <t>Registers a namespace as actively published.
The relay must record this
so that incoming subscriptions can be matched
to the correct publisher.
In a multi-node deployment,
this registration must be visible to other nodes
that may receive subscriptions for the same namespace.</t>
          </dd>
          <dt>SUBSCRIBE:</dt>
          <dd>
            <t>Requests content for a Full Track Name
(Track Namespace + Track Name).
The relay must look up the registered namespace,
determine where the content can be sourced,
and may need to establish an upstream forwarding path.
Each subscription creates ongoing state
that must be maintained for the lifetime of the subscription.</t>
          </dd>
          <dt>SUBSCRIBE_NAMESPACE:</dt>
          <dd>
            <t>Registers interest in content matching a namespace prefix.
This inverts the namespace-advertisement flow:
instead of matching a subscription against registered namespaces,
the relay must match incoming PUBLISH_NAMESPACE messages
against registered namespace subscriptions.
The state cost can be similar to PUBLISH_NAMESPACE
but evaluated in the reverse direction.</t>
          </dd>
          <dt>SUBSCRIBE_TRACKS:</dt>
          <dd>
            <t>Requests the relay create a subscription (via PUBLISH) for
every Track in namespace(s) that begin with a namespace prefix,
including new Tracks as they are published. This can quickly
create a large number of subscriptions with only a single message
from the subscriber as well as causing the Relay to maintain state
to identify new Tracks in the namespace.</t>
          </dd>
        </dl>
        <t>At the smallest scale,
these operations are local lookups and writes.
At larger scales,
they may require coordination across nodes —
whether through consensus protocols,
centralized registries, or other mechanisms —
all of which are implementation-defined
and outside the scope of MoQT itself.
The specific costs depend on the deployment architecture,
but the relative ordering is consistent:
control plane operations that touch authoritative state
can be significantly more expensive per message
than data plane forwarding.
This cost differential means the control plane
may warrant particular attention
when designing resource exhaustion defenses.</t>
      </section>
      <section anchor="rapid-request-cycles">
        <name>Rapid Request Cycles</name>
        <t>Rapidly creating and canceling subscriptions
forces repeated setup and teardown work at the relay —
and potentially at upstream publishers —
while the attacker pays only the cost
of sending small control messages.
This is analogous
to the HTTP/2 "Rapid Reset" attack <xref target="HTTP2-RAPID-RESET"/>,
where attackers exploited the asymmetry
between the cost of sending RST_STREAM
and the server-side cost of stream setup.</t>
        <t>The risk is not limited to subscription churn.
Any control message that triggers work at the relay
can be abused through rapid repetition. REQUEST_UPDATE
can change the priority, which may force reordering
of internal scheduling structures.</t>
        <t>Implementations that track request rates per session
can reduce the rate at which they provide more bidirectional
streams, thereby limiting the number of new requests.
As a more disruptive measure, implementations can detect
and terminate sessions exhibiting excessive churn
without making progress on useful data transfer.</t>
        <section anchor="update-coalescing">
          <name>Update Coalescing</name>
          <t>REQUEST_UPDATE messages change properties
of an existing subscription —
most commonly the priority,
which may force reordering of internal scheduling structures.
The recipient of a REQUEST_UPDATE
can coalesce multiple pending updates
for the same subscription
before applying them
(see <xref section="10.9" sectionFormat="of" target="MOQT"/>).
For example, if a subscriber sends
100 REQUEST_UPDATEs changing the priority of a subscription
before the relay has processed them,
only the final value needs to be applied.</t>
          <t>Rapid REQUEST_UPDATE messages
still consume network and parsing resources,
but coalescing prevents them
from causing proportional scheduling work
at the relay.</t>
        </section>
      </section>
      <section anchor="namespace-advertisement-flooding">
        <name>Namespace Advertisement Flooding</name>
        <t>Because namespace advertisement state
may need to be globally registered,
an attacker who can publish (or a compromised publisher)
can flood the namespace store with PUBLISH_NAMESPACE messages.
These are write-heavy operations
against authoritative state
(see the read/write cost asymmetry
discussed in <xref target="control-plane-considerations"/>),
and in systems using consensus protocols
with per-transaction overhead,
a flood of PUBLISH_NAMESPACE messages
can quickly exhaust capacity.
SUBSCRIBE_NAMESPACE can have a similar cost profile:
each namespace subscription registers matching state
that must be evaluated against every incoming PUBLISH_NAMESPACE.</t>
        <t>Imposing limits on active namespace advertisements
and namespace subscriptions —
both per session and per authenticated identity —
limits the impact a single actor can have on the namespace store.</t>
      </section>
    </section>
    <section anchor="data-plane-considerations">
      <name>Data Plane Considerations</name>
      <t>Data plane resource exhaustion targets the Object forwarding path:
memory consumed by buffered objects,
bandwidth spent on delivery,
and processing capacity for framing and scheduling.</t>
      <section anchor="slow-subscribers">
        <name>Slow Subscribers</name>
        <t>A relay MUST NOT reorder or drop objects
on a multi-object stream when forwarding to subscribers,
absent application-specific information
(see <xref section="9.4" sectionFormat="of" target="MOQT"/>).
Without such information,
a subscriber that consumes data more slowly than it is produced
will cause data to accumulate at the relay.
That memory pressure could affect other subscribers
on the same relay
(see <xref target="flow-control-limitations"/> and <xref target="resource-isolation"/>).
This can happen because the subscriber's network is slow,
because the subscriber's application isn't consuming data
fast enough, or because the subscriber is deliberately
not consuming data at all.</t>
        <t>Objects sent on QUIC streams are reliably delivered,
so the relay's only mechanism to bound buffering
is to terminate the subscription entirely
by resetting the stream.
The relay cannot selectively drop individual objects
while keeping the subscription active,
which means any resource bound requires full termination —
creating a denial-of-service risk
where the only defense disrupts service.
Objects sent as datagrams can simply be dropped
when a buffer forms,
which naturally limits accumulation
but does not eliminate the processing cost
of receiving and discarding them.</t>
        <t>A relay also cannot apply QUIC flow control backpressure
to the upstream publisher on behalf of one slow subscriber
without affecting other downstream subscribers of that track.</t>
        <t>Relays that detect and handle slow subscribers
can limit this accumulation. Options include canceling
subscriptions that fall too far behind the live edge,
and imposing per-subscriber buffer limits
(see <xref section="8" sectionFormat="of" target="MOQT"/>).</t>
      </section>
      <section anchor="join-time-buffering">
        <name>Join-Time Buffering</name>
        <t>When a subscriber joins a live stream
and requests historical data —
to build a decode buffer
or start from a past random access point —
the relay needs to deliver that past data
while live data continues to arrive.
If the subscriber's bandwidth is limited,
the historical delivery takes time
during which live objects queue at the relay.
For high-bitrate streams,
this transient buffering spike can be significant.</t>
        <t>This is not inherently an attack —
it happens in normal operation.
But it creates a window that an attacker could exploit
by joining many streams simultaneously
with constrained receive windows.
Limiting the amount of data buffered per subscriber
during join operations contains this risk.
When limits are exceeded,
a relay can cancel the subscription,
skip ahead to the live edge,
or reduce delivery quality.</t>
      </section>
      <section anchor="flow-control-limitations">
        <name>Flow Control Limitations</name>
        <t>QUIC flow control (<xref section="4" sectionFormat="of" target="RFC9000"/>) protects receivers
from memory exhaustion,
but its protections have limits that are worth understanding:</t>
        <dl>
          <dt>Within a single MoQT session:</dt>
          <dd>
            <t>QUIC flow control operates at the connection and stream level.
MoQT's prioritization mechanism intentionally allows
higher-priority subscriptions to consume resources
at the expense of lower-priority ones —
that is by design for media delivery.
But it means a single high-priority subscription
can starve other subscriptions within the same session,
and QUIC flow control will not prevent it.</t>
          </dd>
          <dt>Across multiple MoQT sessions:</dt>
          <dd>
            <t>Flow control on one session does not prevent
a slow subscriber on that session
from causing resource accumulation
that affects other sessions at the same relay.
A relay must manage cross-session resource allocation
independently.</t>
          </dd>
        </dl>
        <t>MoQT does not currently provide
per-subscription resource isolation.
Within a session,
a single subscription can consume
an unbounded share of buffer memory,
outbound bandwidth, and scheduling priority.
Across sessions,
a single session can similarly dominate
relay-wide memory and bandwidth
unless the relay imposes application-layer limits.
Relays can implement fairness policies across sessions —
such as per-session buffer caps
or weighted bandwidth allocation —
to prevent one subscriber's behavior
from degrading service for others.</t>
      </section>
    </section>
    <section anchor="relay-dual-role-considerations">
      <name>Relay Dual-Role Considerations</name>
      <t>Relays are simultaneously subscribers (to upstream publishers)
and publishers (to downstream subscribers).
This dual role creates DoS considerations
that don't apply to original publishers or end subscribers.</t>
      <section anchor="resource-isolation">
        <name>Resource Isolation</name>
        <t>A relay serving multiple clients
must prevent one client's behavior
from degrading service for the others.
In practice this means
per-client limits on active subscriptions,
namespace advertisements, and concurrent streams;
independent buffer management per downstream subscription
(so a slow subscriber doesn't cause backpressure
on other subscribers' data);
and fairness policies for shared resources
like memory, bandwidth, and backend query capacity.</t>
        <t>These two goals sit in tension:
the more independently a relay handles each downstream subscription,
the less sharing and coalescing it can do upstream,
limiting its ability to scale efficiently.
Operators need to navigate this tradeoff
for their particular deployment.</t>
        <t>That said,
propagating per-subscriber resource pressure upstream
degrades service for every other subscriber on that stream.
If one subscriber is slow,
the relay needs to handle that locally —
dropping data, canceling the subscription,
or adjusting delivery —
rather than reducing the rate
at which it receives data from the publisher.</t>
      </section>
      <section anchor="upstream-load-protection">
        <name>Upstream Load Protection</name>
        <t>Data plane traffic can aggregate efficiently at relays:
multiple downstream subscriptions to the same content
collapse into a single upstream subscription,
and cached objects are served from local state.
Control plane traffic is a different story.
If many downstream subscribers simultaneously
request historical data,
issue REQUEST_UPDATE messages,
or churn through subscriptions,
the relay may need to forward
a high volume of control messages upstream.
This fan-in of control traffic from many downstream sessions
can overwhelm upstream publishers or relays
even when data plane traffic is well-managed.</t>
        <t>Effective defenses include
rate-limiting control messages forwarded upstream,
aggregating or deduplicating upstream requests where possible,
and shedding downstream load
rather than passing it through to upstream peers.</t>
      </section>
      <section anchor="multi-publisher-fan-out">
        <name>Multi-Publisher Fan-Out</name>
        <t>When a relay serves content from multiple publishers,
subscriber operations can fan out upstream
in ways that may not be obvious
from the subscriber's perspective.
Multi-publisher scenarios introduce additional
fan-out and resource isolation considerations
that need further analysis.
This section will be expanded in future revisions.</t>
      </section>
    </section>
    <section anchor="operational-recommendations">
      <name>Operational Recommendations</name>
      <t>Appropriate limits depend on deployment architecture,
hardware capacity, and expected traffic patterns.
The recommendations in this section
are expressed as general principles;
operators will need to determine specific thresholds
for their deployments.</t>
      <section anchor="cost-tracking">
        <name>Cost Tracking</name>
        <t>Tracking resource consumption per transport session —
and, where possible, per authenticated identity —
gives operators the visibility needed to detect abuse.
Useful signals include
the rate of control messages over time,
the number of active subscriptions and namespace advertisements,
buffered data per subscriber,
and the ratio of control plane activity to useful data transfer.</t>
        <t>Sessions or identities
that consume disproportionate resources
relative to the data transfer they facilitate
are candidates for throttling or termination.</t>
      </section>
      <section anchor="rate-limiting">
        <name>Rate Limiting</name>
        <t>Rate limits are the primary defense
against control plane flooding.
A few properties matter
for MoQT relay deployments specifically:</t>
        <t>Rate limits are most effective
when scoped per-client or per-authenticated-identity,
not just globally.
A purely global rate limit
can be consumed by a single attacker,
denying service to everyone else.
Scoping limits per deployment unit —
per customer account or per content namespace —
further isolates abuse
so that problems in one context do not affect another.</t>
        <t>Per-client limits and systemic circuit breakers
serve different purposes and both contribute to a complete defense.
Per-client limits prevent individual abuse.
Circuit breakers protect the backend
when many clients simultaneously generate
legitimate but excessive load,
as happens during flash crowd events.</t>
        <t>When declining individual requests due to overload,
explicit protocol feedback
(for example, REQUEST_ERROR with <tt>EXCESSIVE_LOAD</tt> in <xref target="MOQT"/>)
is preferable to silent failure.
Clear overload signaling helps legitimate peers back off quickly.</t>
        <t>Traffic characteristics vary across deployments
and evolve over time
as usage patterns and hardware capabilities change.
Limits calibrated relative to observed legitimate traffic patterns
for the deployment tend to be more robust than fixed values.</t>
      </section>
    </section>
    <section anchor="load-bearing-mitigations" removeInRFC="true">
      <name>Tracking Protocol Load-Bearing Mitigations</name>
      <t>Several MoQT protocol mechanisms serve as mitigations
against resource exhaustion,
even if some of them were not originally designed
with that as their primary purpose.
It is worth documenting these explicitly
so that proposed changes to the protocol
can be evaluated for their security impact,
since removing or weakening a mechanism
that happens to be load-bearing for DoS prevention
could reintroduce risks that were previously mitigated.
When evaluating protocol changes,
it is worth considering
whether existing mitigations are being preserved,
replaced with equivalent mechanisms,
or inadvertently weakened.</t>
      <table>
        <thead>
          <tr>
            <th align="left">Mechanism</th>
            <th align="left">Threat Mitigated</th>
            <th align="left">Notes</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">QUIC bidi Stream Limits</td>
            <td align="left">Rapid request flooding; unbounded state commitment</td>
            <td align="left">Limits outstanding requests a peer can issue. Any proposal to remove or change this needs to provide equivalent protection.</td>
          </tr>
          <tr>
            <td align="left">QUIC uni Stream Limits</td>
            <td align="left">Stream exhaustion</td>
            <td align="left">Baseline protection. When used as the primary request-limiting mechanism, configuration needs to account for security implications.</td>
          </tr>
          <tr>
            <td align="left">QUIC Flow Control</td>
            <td align="left">Receiver memory exhaustion</td>
            <td align="left">Protects individual receivers but does not provide cross-session fairness or state exhaustion protection.</td>
          </tr>
          <tr>
            <td align="left">Subscription Timeouts</td>
            <td align="left">Idle resource consumption</td>
            <td align="left">Lets relays reclaim resources from inactive subscriptions.</td>
          </tr>
          <tr>
            <td align="left">MAX_AUTH_TOKEN_CACHE_SIZE</td>
            <td align="left">Memory consumption</td>
            <td align="left">Bounds total per-session bytes of registered authorization token aliases/values</td>
          </tr>
          <tr>
            <td align="left">Control message length limit (2^16-1)</td>
            <td align="left">Oversized control-message parsing DoS</td>
            <td align="left">Bounds the size of each control message</td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This entire document addresses security considerations
for MoQT relay deployments. It complements the MoQT Security Considerations.
(see <xref target="MOQT"/>, Section 13)
The focus is on denial-of-service threats and resource exhaustion;
authentication, authorization, and billing are out of scope
but can be essential parts of a complete defense.
In particular,
the amplification properties
described in <xref target="amplification-properties"/>
mean that effective DoS protection
may require per-identity or per-account limits
beyond what the transport protocol alone can provide.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <displayreference target="RFC9000" to="QUIC"/>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="MOQT">
          <front>
            <title>Media over QUIC Transport</title>
            <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
              <organization>Cisco</organization>
            </author>
            <author fullname="Victor Vasiliev" initials="V." surname="Vasiliev">
              <organization>Google</organization>
            </author>
            <author fullname="Ian Swett" initials="I." surname="Swett">
              <organization>Google</organization>
            </author>
            <author fullname="Alan Frindell" initials="A." surname="Frindell">
              <organization>Meta</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   This document defines Media over QUIC Transport (MOQT), a publish/
   subscribe protocol that runs over QUIC and WebTransport.  MOQT
   leverages the features of these transports, such as streams,
   datagrams, priorities, and partial reliability.  MOQT operates both
   point-to-point and through intermediate relays, enabling scalable
   low-latency delivery.  Despite its name, MOQT is media agnostic and
   can be used for a wide range of use cases.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-moq-transport-19"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <referencegroup anchor="BCP72" target="https://www.rfc-editor.org/info/bcp72">
          <reference anchor="RFC3552" target="https://www.rfc-editor.org/info/rfc3552">
            <front>
              <title>Guidelines for Writing RFC Text on Security Considerations</title>
              <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
              <author fullname="B. Korver" initials="B." surname="Korver"/>
              <date month="July" year="2003"/>
              <abstract>
                <t>All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
              </abstract>
            </front>
            <seriesInfo name="BCP" value="72"/>
            <seriesInfo name="RFC" value="3552"/>
            <seriesInfo name="DOI" value="10.17487/RFC3552"/>
          </reference>
          <reference anchor="RFC9416" target="https://www.rfc-editor.org/info/rfc9416">
            <front>
              <title>Security Considerations for Transient Numeric Identifiers Employed in Network Protocols</title>
              <author fullname="F. Gont" initials="F." surname="Gont"/>
              <author fullname="I. Arce" initials="I." surname="Arce"/>
              <date month="July" year="2023"/>
              <abstract>
                <t>Poor selection of transient numerical identifiers in protocols such as the TCP/IP suite has historically led to a number of attacks on implementations, ranging from Denial of Service (DoS) or data injection to information leakages that can be exploited by pervasive monitoring. Due diligence in the specification of transient numeric identifiers is required even when cryptographic techniques are employed, since these techniques might not mitigate all the associated issues. This document formally updates RFC 3552, incorporating requirements for transient numeric identifiers, to prevent flaws in future protocols and implementations.</t>
              </abstract>
            </front>
            <seriesInfo name="BCP" value="72"/>
            <seriesInfo name="RFC" value="9416"/>
            <seriesInfo name="DOI" value="10.17487/RFC9416"/>
          </reference>
        </referencegroup>
        <reference anchor="RFC9775">
          <front>
            <title>IRTF Code of Conduct</title>
            <author fullname="C. S. Perkins" initials="C. S." surname="Perkins"/>
            <date month="March" year="2025"/>
            <abstract>
              <t>This document describes the code of conduct for participants in the
Internet Research Task Force (IRTF).</t>
              <t>The IRTF believes that research is most effective when done in an
open and inclusive forum that encourages diversity of ideas and
participation. Through this code of conduct, the IRTF continues to
strive to create and maintain an environment that encourages broad
participation, and one in which people are treated with dignity,
decency, and respect.</t>
              <t>This document is a product of the Internet Research Steering Group
(IRSG).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9775"/>
          <seriesInfo name="DOI" value="10.17487/RFC9775"/>
        </reference>
        <reference anchor="HTTP2-RAPID-RESET" target="https://www.cve.org/CVERecord?id=CVE-2023-44487">
          <front>
            <title>HTTP/2 Rapid Reset Attack</title>
            <author>
              <organization/>
            </author>
            <date year="2023"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 756?>

<section numbered="false" anchor="contributors">
      <name>Contributors</name>
      <ul spacing="normal">
        <li>
          <t>Ian Swett</t>
        </li>
        <li>
          <t>Aman Sharma</t>
        </li>
        <li>
          <t>Cullen Jennings</t>
        </li>
        <li>
          <t>Will Law</t>
        </li>
        <li>
          <t>Luke Curley</t>
        </li>
        <li>
          <t>Mike Bishop</t>
        </li>
        <li>
          <t>Mo Zanaty</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="use-of-generative-ai">
      <name>Use of Generative AI</name>
      <t>Anthropic's Claude (Sonnet 4.6 and Opus 4.6)
and OpenAI's GPT-5.3 Codex
were used to assist with organizing source materials,
structuring the document, and drafting text.
All AI-generated content was reviewed and approved by the author.
This disclosure follows the guidance in <xref target="RFC9775"/>,
applied voluntarily to this IETF document.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA5Vd7ZLbRnb9j6dAjX9YqpCU7XV2s7O1FY9Go/VkLUurGcWp
/IgCEk0SKxDgooEZT2RV5SHyhHmSnHPv7UaD5MibKpc1QwL9cT/P/eie+Xye
9VVfu/P87IVrqqKet+v5jevuqpXLL9vGV6Xrir7CT/m67fJXrqyKvL1zXf6X
d9eX+VtXFw/5C7ev24eda3p/lhXLZefuMOCr9i/h+/bmLFsVvdu03cN5XjXr
NsvKdtUUO8xcdsW6n7tmU1d+u5vv2r/NO742L1s//+rrzA/LXeU91tA/7PH8
9dXty6wZdkvXnWclRj3PVlifa/zgz/O+G1yG6X+TFZ0rsIyf3DIvmjK/bnrX
Na7Pb7ui8fu268+y+7b7sOnaYc/lytZeh62dZR/cA74vz7N8nmNR/KeMNPJK
I34oi9UffDt0IJz7eVsMnlTL7lwzYIF5/ug0ea7bOvsJi6maTf4nPsnPd0VV
43PM/V3l+vWi7Tb8uOhWW3y87fu9P3/2jE/xo+rOLcJjz/jBs2XX3nv3DO8/
43ubqt8OS7wZSP1sQmo+UoOavk8GD48u9OVF1U5fevY55i22/a4+y7Ji6Ldt
RzpiijxfD3WtnD97VX1w+ZW+fCZfYvFFU/2XiNx5flm3Q7nG9px86Ywi3OZ3
cWng6dmJsX8YVoXP3xRdObj/x9g1X/tO/r+Xdxerdndq/Itd0eQ326LbFaeG
f+X6YjJwsfPy8Hc7fPPYoNcc8971/akh/9S2m/qAEhBlPv7dRr7TYbOmxTw9
BIKC9+r1X26hNPMXC+UViSd86oMe4KG3Ly9//9VXX53L4GXl92DhuQholmXU
12TA55dvfvfNub30u9/9I3/8/vb2zTfztxdvrl/M317dXN3qSMG28Otn3+Rv
i31VwiZ4aOFF3xerD7rNvug2DmIXpO7+/n6xgjhTki//9eqtW0EP/7kq/4hf
5t989c1v5t9+++0//U4XSwOQ80OsdD6f58XSY2erPstut+7IYEXlz5/APt0+
zfdd27erts72UF9asGMlz7vKf/BZvy160Ga9xlhVk6/ATUzjumzdtbscIu5d
vi5WVGFodLUqaliEvw1QKKgE5oSJirP5Rcbp1XaIab2HsM3wfpO3Qz8Ti9Xu
yfeirh/yVbHCZnayGRi7HgvN2iZfum1Rr/N2ne+HJbXBdV5ehc30q66CicRM
t9sKu2pXAy00Xt/tayfGGosGhbiOG7cauqp/OLD5s2yN1zy3hNn49NBU2BLX
cOgadCsL48KuKkvIavYF7W7XlsNKzOGv8CSQJ//4kWL76VPmmmJZO29bL10N
IewesBQYyc0WfAAD5Dt8qCtQPv2dFDVaygYmNHvX1LRNjzMwuwexndCEYuK6
L31Od5KD1rI2zIGHuS2ZMu9beXhVV5gQD9vQMxWELWxVAcZUawgO35CXHV52
4ELV2ERcguyvyMmV2uU3757fXL69fn6FHeGprtpsQNcldMthw3Xbfhj2GAH/
6+EPdwmxb5w41RyLKER4KBOzTOjUbFoyfUp1pSyn8dWmkZU2Pbbpfl45V+ru
Wt9THPmzbTCveu/qtYlh4R92MIDgFunkaneHMQJtHtM8GCRIocccQohEmiFu
Hz+KQfr0SSaswCmlUJQlv3erSFafQWybvlqDOy1ZjwlPzPsEkOVpXoiN8kKS
0qlwUFRgKBzFUpeX38M35vAUMA51tXHNyi1UzsnYaGWn68iLGuwoH/KiLDGe
dz47AR9muXGtrnYgI6S5bu9FaLu2Vlb5dudU8udhAj6wAtY5Un2Q5A7bhzZh
D9hRDycCohYQzwePB41xUC4HAtYY3q+Kvcv/97//J4Mz7KvVAH8Jjkd9xyAR
+iUa8Zgkhxkib+B9sRgISRQFzlXUEEAlK98sTIM2Q1UW2JlMXwUrFkyePtlS
ebMvvgDx4a/kzezjeed2MDdV061XfzwjQjz7lCltRGXvC5JEngc5lg+5CRxf
BiHMSuYTgKamp9pBR1zPTyGaL92yG2iJ4I5+qzJwb+8I/AO1VqB/qQIa6Q9Z
izzIxq0cbBrmDKLEBUL3HdiBxUbWZvgN1OfADUWqUrtsevWIDCqhblaYLjty
Enek6zHe5fJOCKrJjMw4OrZUOhbZBWAgFU4nh0EWWGjoRu3zsqprtTvwrk3l
d14kBPabkuO50hmskJh+DPYgxgg6Cc3sxeH2LUyzyAeJCp2pNiqDFcUQ7jrs
gcN2Dq6c6lrmKrpBCBfZZfALVU0uHyypEWNXdSMlaPc8Iw7otW+xb4zckdEt
0F0/dCoIIPhPpiMpsc0iUT9Gm8TZNrAKRyyMuqPWuB3qksoA1Xayaaypoo9Z
KangMLisBgOX2RKErN1aDK44J4/l5sWmqBrff15UftpCVvNl228PVm/UeOxN
IcrQACvkJP8d7c6dq9u9epuDsUg8vAcDsPEJydXzcCTAFLCMXqdui3K+dIVw
J3B83Hz25OPH9JH5KAz+06enmW+NgErn3NXeiRQgMCW1IDFFCSXodbZ7V8Ch
QuIrL9pOLjjBNGZvGOnKr9tqH/Qu8bUTkvy6dwj4J7oJVcjsc+4Aa6paAXHi
FwCq70y1+mrnoEP+1z1G9gTvwa4gvKAC0PDMRojx/seLV1c3by4ur9Q4+60K
pFtXPzv/9NDdlC3oSlJ2MAMFtKRoHtQDFFCx656GygdvEwzgLAvvwzhvq9V2
pPmBVUi5mwUBwGLuqEHYtmw2urxHHckJS0XYCgtgA6nCv8AmGzWrh8bys3PI
yhKTGP1WMY49mfw6IdyuLYlUMALZ32GSLKq/oR2llDFSEVIQnsXhQgfvFPOv
2xqSI5EK4LM/zzJJ1ODf8/xCVztB1qIpnVs56K8fQTPjnjHwYGoCmzHk7YH7
qAcJqp7hiWjgDIJzDSGg0ffF05DbQ91XoFU6Ah6RSSP6jbDWHtqbX7tUncjf
AMQ42ZZsKjLIMGKEvjMjtbqhHkIFqt03uWgDY9moA7P8zbvnP1zffD/LX17d
Xn4ffx+VY5Y+n3ycfHj79uLyzzez/O3VX95d3dy+f/1nvhR+e/fmxcUtnpen
3t/cXty+u9GVUYYIAXaAjAXM1gJvwZjAyLdr0DAIBUiKiBkWTIyJ6GqICPyD
791OKEnhh1kAJU8642AJGkxkWPsFTPNnaFo1d219p0JoQQM5Sez0evlXmEtO
O5UJ0laCQOPjON0sb+UdcLzY6RopXYnFU0W9VfvxqsWMWXYafDAudydxiwYY
IlQelqOj59VEpcFVOC3BlN9jXnlCEK4P2J+GKMEWnBRU9iFcHtdAAXPE7BMU
NNFitViAp4qHozvxgDj9vQN7FYRX+0LNFNzOhSzPFN2rR1I9P9tVnvkBKtNZ
nuLDs11RY5R28GeEFzGygWlBUMNEzypu+0KJ+aUXTNNw4MYpsMFQDPEFEpDb
SyeQ1IIm4VbVNO1KNg9A3TbrajOorGSQveWw2RzbQ+J/S6i4ODdEjBaO8IGQ
gZEWXYLuViV/tJlYgOtAnR9hakKwrBJBHtGyhO3XD5noBqN7Sho2FWwbzd9G
nClWKksv1W7ho+yJGMeV26uyQGar/VCb6iDY1ZVCzPdMKjGMeJox9rV42odk
i3ndCXMKcWP2jQgEA7MEAIveHgbBXzDiGfmd30QNy7LxZ1g9mgCCUurD2t0T
lU0FkpkdoJJK5FEdMEH2ikoG5ubLDm6XrwmbsceOY8FtNfrVqoD0ejAdfrlV
duooAo7TzAEEqejm9DJHapJHp8n3E3MBWj8Q8MMgVDtxIsnyAXDxGn8Bux8A
OiffUZYj5xMTJNurvB9ixmJMIa1cyNBh4CTFJoKyAwaLNoXIKXFBwGbLQTKF
WGRrqYfZYVrm6SyLsuMmpk1mgI1yklyBCEGcdEBaQkR7+6qkBzWuYMgVwUY9
8YMSPGxco3oJ7ZaRmMuDGdsCVs6yNO2Vir+oRdOKGmh+BrozqNfGwBA7uPeF
AlloML6kdCcCeEBffApgPdrGmCp4gET0ueW3ekQkQP4PkKZ16iQ4ZyMKamk/
U+hMfY/G7H2SzjNE1uVPmCmA/b988eNTtRwhTaBs3+0ZICmcNtff7eg3QdTl
IGT3qsFeTQVz9TrNz9jykop5T2Gp3QbgcMcXlQaYgVz2OfOIj2+IgULVlXNa
9pDB1IWqyaK8k3iYwPs8ZuJhQWm5FRgPkMpodsV2Ds3gwa1c4724soGY4YS1
eBMkO8veJHlkBm5emS4Jo2gaNIPRHGaZwcxgX2TJJGDDZU+dmdBx3GFgyCwT
o4QZ2mZzbJdOOEoJwbGgNSOYvZj9xltKqaPAw9queknU8fm7ylf4mSsFw3xR
lTMKbTQJYugZSEOOscOo7pSUDMrZljmrNH4voYzEhnhQjJZApewJLQbpaTbD
gmyE16ajHtt0Wc1qR64FTIEY46gdeEUSC7EgsLaGnOibpTl1Z1RfKFC9E4xq
wMnmPEj+i4a7n2FdqyRzsIbVGDpNLgQrFxMZNGu7YAMo3wmSg0GCAkQ1E18t
EzDhB9cMXjbqYRHpYRma9dIV6to+OLeXuGPrdpYQOCGQEo1k9CkqI4j7qkY4
BEptmRGfWht7in5KjGYMCxgjZsFqrItmzg1NspOzzIzoY7wF4/dKx3VRiWF2
zQHRzH7AirlKPHkJSVVwIiTCe7LnNqQNUsZpQcCHwCbdVhTBOP3BMHGfSRQW
wVOx2UCeuDVSQbBsrrKXzF4MZaUZ64uJ9FuwSjwixM8dnI+wqxYc5bPCazbo
Ubv/BAslWcZFOqzvqabfTu8zvpOsMLyl+SkPLkk+w+DvJNH8Jiaas7GqkiKO
x/LS3P1RPcVirESsgtshB1xHU3xcaIkhJcT9dHgaskMJdyX3Cd1vQvTMlEYx
CZaHBs6mYfLYhgQ/FU5qmKQW2GpRcxbnNLdtGVLWdMdqVE8uiixkapvvXFgV
+MykjplbMeahqFSpxqer2g1AdjKQwdeq+UzNTHyh1Ipnp8pnUjz6lfKZDR5S
G1I2M3WTUCLwlmZpCzxlqhliFlLCUSKIB9+QUFYECxCAqVJHnMS0B90nHTDD
iiXxPD0NtfU8q9bkrzpdwzg0fmb5DDJAdVyxrx9gyI+n+ivDPJYlQkWEsdci
uwp6lqQYx8qWvSuBgGyIybyeWRTFrCAJrD3iNA5AGqSLxOPtsqcy47+/DVAI
BiFScGmmONpS0j3zITEpX6xWkEDG5QCNWAfYbjJnWUSNl6duO83qH6byc4rA
TJLSRpt5zdxwAMFgR9027jQLZN1aA5AUOL7ks1BP7FRsnQWs86qZA3kyXUnP
6ggvLcE3pogO6t6P5hFCfsXSJb2qjjRhdOJOLaGSi5RyqHMLf6J78QaOnKRr
6O8d9ewOmnwik6RqUkwNiN+GLZu5cKXaEDwt/kcUEeZcfaOVYSWMhvhILHQl
ZXTdICjJlWAcAZkgXhKP+eq/tAAoKWFxw5oYYkwg+7Z8SNyxCkWoBIfX1OkX
ASuFqoF0buHVZqXplo3rtZoG/EEgqOkF4Ij7ETf6VVG7UEoclwq2vm7G1KDu
rUE4OTtgl64f9GBkVp9nZrtFVod9KUCLshoMLoKLyzfv5OudA7SEAF34iVjI
+kCQmLPktILjw4bxlVcJ3hZkt0qv4hKmx2NVLM3caXzGdL0kfviR+FiYlZ0z
xVUy0r7ERJzSvpdYi/60IcKh+1qtZOxN/WDtJ0wimDnUvNxeahGMK+DDB9Xg
Xgkel3sUsMBi9vQ1jIGdi+nnGbtKZIivF18vvgWclZpLmpCW7hIXs2Wybpi9
dYXpooMQDwLBJGIdC8bFaugJAoARNcStZ9lhepelk1O8z0KYwtIhTXTwXocD
3OM9R3unYgGpDKHHpJUhkvqedpPIiLtRhC8An9IgnJ9qgciNPy6vY+uNNRTp
q9z1xrUbxP1b1jnrh5FH1OZ3rK9hyKY0bD0hpWi09C2R5uMemZNiBNz1RWiB
Me0r9vS9XSXgUVwOLMbPTMNqvt5L71AQBwanjWivK5guMsMa8BPbGzX9ZVlS
ePN7SA0DWBWI2XF3gVB+Dt7cPSQrNtA34ehNH8KryzTpfSkV2ezGkroi7gcr
8yF/wrhCKy0nhWVr2FOFXQQ2yZ3nk5L4mL8+RzB9aM8la/7WjD4pkgQd3sIh
Ah9DhqWl90MuQBPDVGIhG74MVcxo7Sf5nwD+EPxDzEtNvqt0dIKYIgTlRNc0
nmLB5pS6xMCxNiEin8an0aJZXC3wQryPyKy8Uih+ssrRweI0j2mQPhICLI4Q
3MilSblJr1aRv2Qi5rZjDvJHvIvpnoy/KUn/Ifn+6QlS0u5Ds4230RPHpXDb
pdOMkBtTVnEhRl3lfDmz+pWgFYObp4OBEeMza7Hlyq6oOBMfr6LpYyuWymIg
qpE+OFdXRmoivnGMj4J/PCiMnahLHQil5LYFMDRxpyJAIuuJxGrdV+laSfEH
wZSZvvDQfBpLM8XJig/bDZzGpMnQk/2HpoRTjPEqkBNmyjijHhypXlR6sukz
Y0+FNEiNmmsxqoHrioDJ5aO58BJBrbsr6kHhdGPLZRHfjemBCUO0JjiV+XGT
MQE/odKTBDY+pQxgaifQTkUfE8edPfFPVXo00hQ4dczPmbBnVQ8in42715Ho
7jRfS180GijlPWkCYLz6UD/g9bjUNNMlqH+i/9rf1TCfEDCb8SiUeRP55QhY
wb2D1hde4vHg6vSMAdGXacOoK20eu/2SnRg3UpNzYdkF1hScN8QjeVjvUlSg
fQf0YCloFGfFJEIfYmF5XxO5D2YCTxRmi1XXem8+XislzipB6lvjuYYxhp5l
LKjBpQGXl8Egs0lUugTk7aRPQrvpahJ/rMJMS24Ijta0INp5NvSSOlCYzRgN
bypUjF2cY8BnSEDz+idKnnIsgTHsEOK8IM/iXkEJTStWXhuKfS9+M7jpvURm
h5isb5lzOOWoo2amzamSCh5j4r3QR6VMIF/JkrbONNpl62QRfY/IiV1ZO1c0
PjqBuMiMLLYGvXzEMgy9tYckE0inWFuDsuNSdCiwWj+R9cpr8Hb5sKqZ1Xqb
Fn4C+NDSz5H3zyRLSae9d2KFgO7g7UKDg/Q3SIpoAm9CVJFmeYqTmcZQ26ut
5zOkGfZSL6NeByCaUfedglNRsSMkZgQnSmzY/NUOsfPNzg6cJYcHzkL18ePH
o4MHiDtC0GwL8iEBbj3KEbdnoayedi6Hdb69uX1/c/v26uJVDLLS3Fp83PJ7
JK3Vw9gYwJ0wZSHgOQRXqXffDh2s/0XzcAyXRcg15eaPGRSknOUp2ZDFkEId
slrjxMVBM4m8pr1ulm/SXrGZ2QUKcMhqB70k2wQNMP/GoLMcVMr6bhCdpqhe
H9TvbfnkTsg8aOmCmmdpHlkMvO6w0sVY34AtRWymVfBUfZdV9JhFbT1wMHg0
dg7BuRA5eIMk6oLFDxVdidgL63uufDfsxW5AnRlWzo66ELhAQr9Vn02rgjG1
B8WtljrtWKIVtmahcLIrPlir4KaTxEoTCihidKT3by2tCqx/vNMQ87Kl52AZ
Cdo+YWEStigfx/w1OVUk3YkTWZPkjSCXdreLehkFIHtcAPK/QwAUU6+qvSTl
JPF2SvJ0V27MkOxNzyzhkk2igXT90FK23DMmrR9C6ShkGmKG4avF78VVSeYB
YP9lUpbKmaxNgQR13Gdff/XVwVKNskGUYj9luz7AXWFNo9lkItoq7GpmdrMs
0hr+FQQkGnQSGnjLPXBLFaO8zIzbaX5D4iu1mVJ4t2yLGHL4Gp/6E69udhWF
KDREeiWbwKoAnib59YS9HD1LbY56pDGwupiA+pcsjYq8PndaJ/l8mTQNkECE
Td0uxcuMaHyWpWnr+20r+hiKoU8k/jtZqn0qwqa12gnE09KrQs7HQwORZmuY
Pp2AyELocAp/iEwq0YrymeaOxE+MHmdykuXjR7P9cwER8+mhKoixJpsIaLVp
L1e+nUCF2pzALKBYlcI6o2KfR2FEgSR/JjJKYHwAJqA86AclWJwKHWNvh0B4
DYjSzNN5Jhmh08FVZLgfg8Ak4xJi3DGKCrTXAOfxUE+9Uiu0soKJgG1h1SOy
qQcvHokCxYRKIjpxYqp/00aFpHIi79jsfdolY6GONNiN9GubUwKrlYqx6/Ko
TPFiRK8nT2XIwUpdwGvrppwmH84zTWkH6yLZbu00ws9WWoRRwWbvq5JFlL3Y
+djg+RD7rEN3UZAYSUlY86b2JUQTYydP2PCUdKdlodswf/Xu5jb/8fVt8EWM
bUpYq7Agnn0MuSrrEjUgJjg72eNhB3Kx9BKZ7GPKfWyCT7trDvzL7xffTtzL
T+bi/SBJh/geNS1xNHZEQyjr1esLBPHYufgGFmq0NCNnJBGF3YupFzOqKIGt
V6thpz1iU6ssjSzGv5Ait3JYIWVECwjTDmoTNHGzCihtq8zNzINBEsENdkiY
9/FjELB55Vvt5xFSxATAFkR1xKa6+mnw/qWPfouNqpgLQvXYkwl38HTzZaAh
GUqiZGs2GbqGyFfi3tMjaXkjNKbWDxkR+XQkEhTOh6Ujlazcm3gnTcneTgvV
VbFk5l0Fn27KtyM7vrSgJ0bf4t9YQho795gGZ1gT4eRhhi52L2ZLOsSQj5fH
ZC0BcFm/C3cUG065NipJBWQF8MwGsKAvGqYlzTcHyTZrrTUoKEEuC9nRpug+
YhlauuDCLgLGHGPSRw5yJjV/oZQFvAGQ+9weXkyZUajmbDpyQk+fAtZJGyi3
u6fSUOuL0HJJbYzNqw1bnQRfhBJ/0CbBcUNy2sLxiciW1KJZDKt57GDO6MuD
ldmydB/Nlx1jEu4IbFVpmjR4snEk6GwIdY+D7HxyyJsFbqpOIuMx2FCFF9Cu
LUhjB03aeGjHbzRCW9i5D4vaNOCRvWlv9+FkihCEjlYCS2i5yF/vwzEApg/d
mJfIpt5Uu2uZBuhbtiJTf+H9S8tfwxu6cuMM/ARHLh0Uo2obq5Wnh9b6nya2
mq7mX9qqmd8yLf486iLP4jXTwOCvLevbhS5CqWcnHi0fi03DL0sJS8yHlHGh
5kNFm8vznayc6OKkeAsP3IfWrn0hwXBT8rcVhSvfY8LYyhCrqRYhmKFResnL
YvxUl2WJsgZKVNUMTt4puk5a6q7Xx2Z1dOKVD5kJ7TVNtxWP2BcfOCRolpWD
RIOqUDKx2RUW/YdDr8TQa1tttnOExxLZh4BdD/sJQJVgMZpFgAo2Bh3n70Kb
j2VTqmbr7PRfDBCEeJBH9T6S3JXrL+oRtS+y5wOPoceaSoFAAFy4t9MBaR+P
OE/LF9EGUyLGjkZzBzBAgB4AXckZgrQ5NtS7dBaEFT+kGYpixzYaKcqSfRFs
7SeeOhCdC0hzoOS2dGFoQQ5mdaGCnHQw6YF8iaMmrZHSIX5o/OHFPlT7vGCg
EOqDiRLKCTnJ1ETJ+NsgxyBUs17SRIRemh9G2JB//OJRRJFlx/bwyai+ArXs
RhJocGiE8oGuocnRkE9yXF7sOamQHM+09umAxO0cKZAImDakdfPzTGBdlfSQ
SObb8L4UZo7XbS3oPiiBdXaHACH0obKvicUkjsgDLZpasPNWCWbQhvvKLqng
4YF7VqyoTzCAMSNxYFDbmBwYzyPkYUWa/JZMPkZLR4E/0djGyooQKB5+lyy1
oPfp/Q9cv2mSQYRAJ1H3k4tjOaho9DSqm8LRpAxUJaDUyB3KqccUF4RMc2Cp
DT2JcKG1lJhfSlnnhXcvJ2xr1JtaLBcxgI3JyQ+9n8ZoRWxWC1WqkE6JYGmC
MIy06p59oEDIIqZdrWY+8zzACKtrNtKEyt3FFsJxqni6RMp2WokRC7mwHra4
s/HktOVWs8SlhoDcho0If5GoROBL5Po0o100QQiZvUnaVbfS97cOLlu1FoZl
6A0dB7c0O4gSYwJuEbgb6JYuwkhiwLDSFpKyVSSX6Tnne0klq7ko0imzoZGe
t9H76pGQSQwy16bC0AhjkMnOj9RW2S6qrlGPzvMEHGC6ZDvJxNKVz9N2UCML
omZPY3vvoEtypCV665HJAW8EyRcRnrh4O3uiBrJ0AM1adTEYvg5FQqkyhevZ
YM/nb9v6OL1gWyUDpz5vginZtH2iPqSd3km96Il0/JyCpfHoOGOWjisJrtoO
w6WrUqzaMixUcM3Gk67aSJI1mU7Ogh1chaQn9U3Kr4OUw1edCG5HPH90JNl6
9jPR0JQZ8Xafv4cREggZM66TM6Ti2cXCiorqmMeZrOl5s+yxxJZqFQ8UqgEI
KOYPWWIvonLG9iWBI8fc2lt2pD1hH2lqJFiXWHwS4NDcHqYivhT88/QPIibH
+iP9aNosOTo1aSA3C3JoOEIrPjAp81kxb2lJ3f6+zTct77sIJ85YEqZfJx8k
LTMxoPHUqMZCXpvbHqGIwmgxJaHNT6ke8/CVdo6Uo6rMsli4EuC2rIiqJGMl
Da4utDrTmL8Ot9vE1HkD+dposKqounTteh3qKFWX1qEnTbLj8acsHE86EWBF
XxATS2HdmUqz8xNh1qTsIZNHn2nZi+v1gdEa00EnIiALQ2UEabuoNa8qcX/I
4cySAvgxuGWxoGSvvTweICwHSU/dCsQNA3TSoBzKkVVy84EA9tiaknTPZVLA
M8H4gcdt3kQEOsnShuNqlIXxgE7CajnrJWb3PIv25hGpixf8CH4I1yis2rqG
M6E49+2vXJWgQbbchRazvWruWesuda/a8CKp+UW8WWG6nUqPYYQeU0aTeopT
4qZHchEHYVQoFx/E2LNMD+c+UhwTDkvdNdbCDwxj0iiWVJ4sRwwgQfCa37X1
oE1zR02igXDmo3iKjCHZ+GQgggYlhxsOx0fliEg8uXeqnyJeopfRoWgquzwW
nUrboOZqq1k9HM+MxEP6loOhkLt5tDNHe4vnBxKrFMRSckm0HeVgUEjKtfG8
oaVENKkH0CRdoHbFDMRJ3F1CCDmKl+rcvtDsWjWe650ACRc99itJ9MejqflL
sOD10McMzuilD28nGcvNkcyzLDVPSWDNyqFeFjiaOvbJxfxYcg6lXd7xzGh2
ok1tel3BItPFjxm98Wx8ZTcjunhjV1Fn8ZBi2lUcQclJLCQivR46O/qh9+gs
pldCSNC0lGCwEFjOs2Z6MxXgS+VDd3X+OrnDhhdv7uA1yoAHL476wpPmr0cb
v+AQy3u5vMl8svprxqUraY45OMIbmwrSyePVf7ajTBMd4p1YG/ThGACjhmZF
pgPixEvhLGo05R+7emPxh9cQ+W1blz5xodNbgb74QrrKtY1QMojhp/T8LEMg
DYnkWMF4wZPhfWuwmh0qzq/VEjfigcYNUeqk9VphQyMZn7A5pnHZILTI3mnH
CUN6Yp9gF2LbzSmLJ1dzMvOnxnNsqTmFPPNp4fQAfGYxvaWWbIIO4jnuXEQu
XYuaPJnPQNEjrTM3Ib7iSX+lFxti0srb0eHHBFAeHn+cDK+tSLzTta701JII
cVNWekhIBQWOvq/NWCY1kdDGh+lC+o99HqPmFF1sxdrxtKHZ7thiMCXF2ros
eFR17e7TSxX1xpPDi6bS80nxcjEAqPPjVUh3UDzgq9UUO2KYBCC8AgO/TUR0
Hg8KSnFNzjSGhg6udD/IVRz6kQqczBu62NKq81gat2zsDEizeUijJrbUE78R
QvLCtkXG2wuTOr8ELaMdGppwZpURNhbX7uQeupVmYGVD0WGMMiyHts2equll
PE99itfG2XlNMUsS+NmVEHZ5nJVfi0YAMUThzVEgV8TLmAgHq241YK3LjvfM
8aI3OrMEUYGQlpdgpNP2dsxGDgBJ3t/u9e0jBlicmDNmzMYKoZmJy4MFxCPm
lFCLrFQwBOCEQ+sHWYFw2UiWXofBTvjYIUcUMOMJqZCvtzT3ui78llmu+zLX
hqWFuffSYTLJwSerjuiD164y/odU6NDM3QNLT247cCV3IPczjE1hAU9evX37
+q12Bv3n1b9dXt3cXP/r1fsfXl+8+M/0MjW5wWcvV0YWdtrFV7WlfuqBvRqX
Ne8NC0sxk8uFA/HtfXoRh2AbISts3jr03CzEoWh4EC6XZkPfyud3NBCWUUqv
XBU/KpdujUab1JWbPpI7MaSkl3hhcRpVbCW0CgVBUF0t9UqV1DK2S4sHkj0c
eu3YwZfoX3LOTgJsKM0gF00Sa1U/89grm+IUeURn+iZwjoHU/Lld8fhqvL8x
//jFo1c7Pnbb6+QgWJSNpFVeNY43wY6jZeNJkeO7eRWlV2s9oanHbXaA5nrb
ZkxJ1SGjLs0dcoS16O00BaN0s/6m4HL/n95Ly2u17KCkRaZyHZCKN+KlxBTx
zTJeZRnuFwg3m5utHRupRoATr6LS9iRg46qRFlBQ0Fya3nypdf1ILvWvQYeV
wycv5BzvY8y0tta5EfbqFWp60tLpjS13ei9XYALDG7ECtnhrW1Tm2X5nWZWQ
LABkuttwnGK8QTKRITnh66xFUsV7ltlNlaXaA7Y7YF45ARUFRQLOU5eDSij2
S/4q1nJ+iXfThc3gI95K5vNf8OA570k/+AcfS8GDHc/5jaUTVDV/sSMBIUwO
gOAPk6sh9JhSvMPll/A2D3aE86HReBZiiMYLsBY5G9LDxbBkq6qSXI0Tescr
P+ZnQpd2Qqix8rYYtwM/fLQb+z3pVvslf1545nHcZBTh/2AgPwVM4aKJGN5G
Js3yyW1z44KD69fDrqPsh1S/TxY9qWz+wmBIio/HZUd8+SaUKCc+yqqV+aTL
JNBsWtGJ+U9tGugnbXyHNL1JCy+3drkrVnFd1u50KAI5cL0PlwRhZXVR7UYY
rMEyhPoEvtcpX1382/uLd7ffv799/eerH99fXlx+f/X+5vrfr3JKfNJBGOZ7
TpEkzXuGZGm946HXo/7J6bvJ7ZN4h1ftwhNBGvwz9RCyiMuDoxIQuE2/tYaU
J9/8x9e/nX/9FHPzr6t4OR8Vqs/hjdAvTdM0rpHxO685eOwE8y/ShvnI30iw
FgVt3EquMg73uk+u+0vfexyvL/Lr/9/faVg8evL+N08lmJaD9nKTYHOiOStc
3v3I5d5/OLi08rNXdx9e8qH96OaBvLdzVMxN63UhJ3DrdZPkrjUEfezinixc
XmkN1ZPn5uNznz5lLKior4mRjnmomKhND+pRZGP8HUIfsx7WdbR0CERKvf+N
izxxR7deYCLd66r22tF7ffHjxWkxivLDAwVNq08W8aJp+dsaAmbDDSaMAHgD
6MdzDdNd+cezNSJ9AT3zPP5BGfyc/MUa/HY51NCf/F9cQ+fu8clPTJH8UNzj
xx+GDw5PdLV7wG/yZ3qeV37b7vlbm/97gRj3gWt4p40Ff1LgT5peXJ9ey0XD
UHlfrb70+WVdsEHsyQ2bJfr828VvRYZe7yGk+EUrh6+BLS6u8fSf3tzO/3Hx
G+y3dD9nghT07BPsueepQTtKqn8sR+LFcBifCLrgoclwZCXk+AOdVXjlL+PI
V4jhELeCDhfX8xDNlOO1iIWXdJm7lz+bUOpFCXfjBYSqGKGaWflV3UrtRC9c
VkWOt0+LxNof0eGxNTsOIrnopgeO0tqmuFz+0avkws//A0cgSMK5awAA

-->

</rfc>
